Data Privacy and Breach Notification From the Other Side of the World: APAC

Written by Doug Austin, Editor of eDiscovery Today

Last week, I discussed eDiscovery in the Asia Pacific (APAC) region in terms of what each country has in place from a rules and discovery standpoint. eDiscovery isn’t the only discipline where US-based bloggers like me tend to be focused geographically – we also tend to focus our data privacy discussions on the European Union (because of GDPR) and the US.

But other countries around the world have data privacy laws as well, including APAC.

As is the case with eDiscovery, the status of data privacy laws within APAC countries/jurisdictions is quite varied. There are two terrific resources that provide information regarding current data privacy and data protection laws in the APAC region.

Data Privacy in APAC

The first resource, EDRM’s APAC Primer for eDiscovery (available for download here) not only goes into depth about nine countries/jurisdictions judicial system and handling of eDiscovery in the region, but it also discusses the current status of national privacy legislation that exists within each country/jurisdiction.

Here’s a brief look at each country/jurisdiction and where they stand from a national privacy legislation standpoint:

  • Australia: Australia is carrying out a review of the Privacy Act 1988, which is likely to result in a significant strengthening of privacy protections and penalties for breach. Currently, where personal information is being transferred out of Australia, reasonable steps must be taken to ensure the overseas recipient complies with Australia’s Privacy Act and the transferring party remains accountable if the overseas recipient breaches the requirements (subject to exceptions).
  • Mainland China: The 2017 Cybersecurity Law is the foundation of Mainland China’s data protection framework and is being updated and clarified through additional implementing regulations, guidelines, and specifications. Compared with other jurisdictions, the PRC rules are relatively arduous and have restrictions on collecting, processing, retaining, and transferring personal information and other types of protected data without consent or approval. This framework is still under development and the finalization of some key rules, most notably those related to cross-border transfers, is still pending.
  • Hong Kong: The Personal Data (Privacy) Ordinance (Amendment) 2012 (PDPO) protects personal data under the six data protection principles in the collection, holding, accuracy, retention period, security, privacy policy, and access to and correction of personal data. Codes of practice and guidance notes also supplement the data privacy regulatory regime. No specific restriction on cross-border data transfer is in force.
  • India: The Personal Data Protection Bill 2019 was introduced into Parliament in December 2019, which would be its first privacy regulation to govern the transfer of personal data.
  • Japan: Under the Amended Act on the Protection of Personal Information of 2017, data users cannot transfer personal data overseas to a third party unless informed consent is obtained. The data subject should be informed about the receiving country unless the foreign country is whitelisted by the Personal Information Protection Commission of Japan (“PPC”). In January 2019, Japan and the European Commission entered an adequacy arrangement, resulting in the PPC whitelisting the 28 E.U. Member States as well as Norway, Liechtenstein, and Iceland.
  • Korea: Korean data privacy is primarily governed by the Personal Information Protection Act (PIPA), which was originally passed in 2011, and has since undergone several revisions, most recently in 2017. Practitioners in Korea who work with data, or who need to handle data for cross-border litigation, corporate investigations, or arbitration matters, will need to be mindful of Korea’s expansive and strict data protection laws.
  • Malaysia: The Personal Data Protection Act 2010 (PDPA) only applies to commercial transactions. It excludes the government and its agencies. Sections 129 (1) and (2) of the PDPA expressly prohibit the transfer of personal data outside the jurisdiction except with the authorization of the Minister on the recommendation of the Data Protection Commissioner.
  • New Zealand: New Zealand received an adequacy ruling from the European Commission in 2012. However, it also replaced the Privacy Act 1993 with a new Privacy Act 2020. Under the new Privacy Act, businesses and organizations that send personal information overseas need to comply with the privacy principle 12, which set out controls on the disclosure of personal information to overseas organizations and businesses.
  • Singapore: Personal data in Singapore is protected under the Personal Data Protection Act 2012 (PDPA), which sets out to balance the right of individuals to protect their personal data, including rights of access and correction, against the needs of organizations to collect, use, or disclose personal data for legitimate and reasonable purposes. The PDPA allows for cross-border data transfers subject to the transferor ensuring that the recipient has legally enforceable obligations to protect such data comparable to the PDPA.

Breach Notification Requirements in APAC

The second resource that I mentioned above is from DLA Piper, which provides a data protection guide that not only tracks countries’ breach notification requirements, but also their data protection law, definitions, data protection officers (DPOs), transfer, enforcement and more. This resource is not just for the APAC, it covers countries all over the world!

Here are the links to the current data breach notification requirements for countries in the APAC: Australia, China, Hong Kong, India, Japan, South Korea, Malaysia, New Zealand, Singapore.


The data privacy landscape is more complicated than ever. Multi-national organizations have numerous data privacy laws and breach notification requirements that they must comply with, and the laws and rules are changing frequently. We may spend a disproportionate amount of time discussing data privacy laws in the EU, UK and US, but they exist in countries around the globe and they’re changing just as frequently in those countries too. Stay current!

And for more educational topics from me related to eDiscovery, information governance, cybersecurity and data privacy, feel free to follow my blog, eDiscovery Today!

Learn more about how IPRO can help protect data no matter where it resides.