This article will provide an overview of what has changed and what to expect in Asia in the future. We'll start with laws that go into effect in 2023 and work our way up to those that could be passed soon. Finally, we'll go over the laws that may need to be changed this year in order to be better prepared for 2024.
Some Asian countries have had difficulty enacting and enforcing comprehensive data protection legislation. After a few delays due to COVID-19, the Thailand PDPA, for example, went into effect in 2022.
In 2022, Japan, China, Singapore, and the UAE updated their data protection laws.
Nonetheless, some major economies, such as India and Indonesia, lack comprehensive legislation.
In some countries, this has changed. It is about to change in other countries.
This article will provide an overview of what has changed and what to expect in Asia in the future. We'll start with laws that go into effect in 2023 and work our way up to those that could be passed soon. Finally, we'll go over the laws that may need to be changed this year in order to be better prepared for 2024, including Japan's APPI.
Explore more privacy compliance insights and best practices
Currently, Saudi Arabia is the only country with a new data protection law set to take effect in 2023.
Saudi Arabia's Personal Data Protection Law (PDPL) goes into effect on March 17, 2023. It was supposed to go into effect sooner, but it has been delayed until later this year.
It is a comprehensive law that imposes stringent requirements on Saudi and foreign businesses that sell or provide services to Saudi citizens.
Unlike most other data protection laws, Saudi law requires businesses to register with the government as data controllers and pay a registration fee. Furthermore, they must register their processing activities.
Other obligations include:
Violations may result in a monetary fine of up to one million Saudi riyals ($250,000) and up to one year in prison.
India and Malaysia are on the verge of enacting new privacy laws or revising existing ones.
India's Digital Personal Data Protection Bill could be passed in 2023. The Indian government has made numerous unsuccessful attempts to pass a comprehensive data protection law.
The current draft is still under consideration by the legislative bodies. It has been criticized, but it has also received a lot of positive feedback.
Businesses will be required to obtain explicit consent, similar to the GDPR standard in Europe. Businesses will be allowed to consider the consent given by customers in some cases.
It also provides access, deletion, correction, portability, and other privacy rights.
The law's effective date is still unknown. If it is passed in 2023, it is unlikely to go into effect before 2024, because privacy laws typically provide a grace period for companies to adjust.
Update: Discover the India Digital Personal Data Protection Act – India's first comprehensive data protection law and understand the differences between the GDPR and DPDPA.
Malaysia's Personal Data Protection Act of 2010 is still in effect, but it may be updated soon. Data subjects already have legal rights to data protection. In many cases, consent is also required for data processing.
Among the proposed changes are the following:
The changes bring Malaysian law up to date, but the requirements for consent and other processing are not as stringent as in Thailand's, Indonesia's, Japan's APPI, and possibly India's new laws.
Some data protection laws will go into effect in 2024, but you should start planning for them now. (Read about Japan's APPI)
For a long time, the Indonesian government, like India, has been attempting to pass a comprehensive data protection law.
In 2022, the Indonesian Personal Data Protection Law was enacted.
You'll have time to adjust your privacy practices to the new requirements by 2023. It goes into effect in 2024. Penalties for noncompliance could range from 4 to 6 billion Indonesian rupiahs, or $250,000 to $390,000. Some offenses may result in a 4-6 year prison sentence.
The following are the most important requirements:
The Indonesia PDPL is similar to the EU's GDPR, but also to Thailand's PDPA, which was also modeled after EU law that sets global standards.
