Data Protection Laws and Reforms in the APAC Region

May 4, 2022


With the advancement of technology, establishing barriers in today’s cultural climate is not a straightforward job. To develop a structure in which the disclosure, distribution, and utilization of personal data is properly regulated and governed is the need of the hour.

In the digital era, the concept of data privacy has been gaining importance rapidly. Governments have addressed the need for robust data privacy regulations and data management systems in order to safeguard the personal data of the common people.

Data privacy adherence is widely recognised as a major corporate concern throughout the Asia-Pacific (hereinafter referred to as APAC) region. Failure to adhere can have far-reaching effects that go past monetary penalties as well as other regulatory disciplinary actions, such as reputational difficulties, negative impact on goodwill, loss of customer trust, etc.


The right to privacy was given proper recognition in 1948 when the United Declaration of Human Rights (hereinafter referred to as UDHR) was adopted and the Right to Privacy was acclaimed as a fundamental right. Later on, the European Union (hereinafter referred to as EU) Convention on Human Rights included the concept of ‘Right to Private Life’ inspired by the UDHR, which further led to the development of one of the most comprehensive data privacy regulations, i.e., the General Data Protection Regulation (hereinafter referred to as GDPR).

Since then, several countries have adopted new and advanced data protection laws. As far as the APAC region is concerned, the countries have a few common themes and other significant differences. Countries like Australia, Singapore, Japan, and Malaysia already have comprehensive data protection laws in place. Other countries, like India, have data protection laws in the pipeline, which are soon to be enacted.


According to the United Nations Conference on Trade and Development, approximately 137 nations out of 194 nations have data protection laws in place. The APAC contains several of the world’s fastest-growing nations and enterprises, making it a vital component in the international data economy and distribution network.

In the borderless digital world, organisations in the APAC region are rapidly transferring data across countries as they seek to harness varied technical skills and competencies across the region and offer them to clients worldwide.

To limit their privacy concerns, retain and create loyalty with consumers, and develop efficient and resilient business connections, organisations need to stay abreast of the evolving and diversified privacy regulatory framework now more than ever.

The Asia-Pacific Economic Cooperation (hereinafter referred to as Cooperation) participating states settled on a Privacy Framework in 2005, which served as a statutory stimulus for continuing regulation progress throughout the area. The policy justification for the Cooperation is unmistakably commercial and trade-related, as Asian authorities aim to maintain the region’s phenomenal rise in e-commerce as well as provide the companies both locally and internationally enhanced security in handling their information in Asia’s overseas and local service centres.


Australia

In Australia, privacy is essentially governed through a robust federal statute based on the Australian Privacy Principles (hereinafter referred to as APP). Additionally, private sector companies with yearly revenue of at least AU$3 million, as well as all Federal Government bodies, are subject to the Commonwealth Privacy Act 1988. The majority of Australian provinces have their separate privacy rules that apply to State Government bodies.


Cambodia

Cambodia currently lacks a specific law that particularly addresses the safeguarding of personal data. Presently, only sector-specific regulations safeguard data privacy, which include rules safeguarding user and confidential information but not particularly personal information.


China

China has a complicated network of regulations and procedures that vary based on jurisdictions. Other standards can be found in sector-specific legislation. The People’s Republic of China Cybersecurity Law, 2017 (hereinafter referred to as CSL) governs the handling of personal data. The CSL covers network operators and vital data operators.

Hong Kong

Hong Kong boasts one of Asia’s most extensive privacy regimes. The principal privacy law was passed in 1996 in connection to the EU Data Protection Directive, and it was significantly revised in 2012 to include new measures.

The Personal Data (Privacy) Ordinance (hereinafter referred to as PDPO) is the primary legislation in Hong Kong which governs the protection of personal data and also regulates the processing of personal data.


India

Presently, there is no explicit privacy law in India. The Information Technology Act, 2000 currently controls the safeguarding of personal data, particularly digital information and operations. Because of the importance of information, confidentiality and data security have risen to the top of the national conversation and are critical to India’s progress and expansion.

The Personal Data Protection Law is expected to be enacted in the near future and shall govern cross-border data transmission, user privacy rights, and several other aspects.


Japan

The Act on the Protection of Personal Information (hereinafter referred to as APPI) governs data privacy in Japan. The Personal Information Protection Commission (hereinafter referred to as PPC) is in charge of enforcing the APPI, which is a robust and comprehensive data protection law.

In an interim drafting proposal, the PPC disclosed that Japan intends to modify its present personal data protection law and the amended data protection law shall lay emphasis on establishing the Right to be Forgotten, which will also extend beyond Japan’s national jurisdictions.

New Zealand

The Privacy Act, 1993 (hereinafter referred to as the Privacy Act) governs data privacy in New Zealand. The Privacy Act sets guidelines as to how entities should acquire, handle, reveal, keep, preserve, and allow access to personal information. This arrangement is both thorough and founded on global standards.


Hereunder is a comparative study of the data privacy legislation of some APAC countries on the basis of the following three aspects:

  1. Constitutional Right to Privacy
  2. Personal Information
  3. Individual Rights

Constitutional Right to Privacy

Right to Privacy has been constitutionally recognised in various nations. Even though in some instances, Right to Privacy was not expressly provided in the Constitution, it was recognised through various rulings.

In Australia and New Zealand, Right to Privacy has not been constitutionally recognised. Regardless of this, both Australia and New Zealand have comprehensive laws and regulations in place that govern data protection.

Article 40 of the Cambodian Constitution, Article 40 of the Constitution of the People’s Republic of China and Article 13 of the Japanese Constitution provide for the Right to Privacy.

In India, Article 21 of the Constitution, which provides for the right to life and personal liberty, has brought the Right to Privacy within its ambit after the historic judgment of Justice K.S. Puttaswamy (Rtd.) v. UOI [(2017) 10 SCC 1], wherein the Supreme Court of India recognised the Right to Privacy as a fundamental right under Article 21 of the Constitution of India.

Personal Information

The definition of personal information differs from country to country. The major difference lies in whether or not a country includes sensitive data within the definition of personal information.

Since Cambodia does not have a specific data protection law, the question of personal information does not arise. However, in Australia, India and Japan, the definition of personal information includes both personal and sensitive personal data, whereas in China, Hong Kong and New Zealand, the definition of personal information only includes personal data and not sensitive personal data.

Individual Rights

There are several individual rights contained in the data protection legislations. For instance, the Right to Request Access, the Right to Erasure, the Right to be Forgotten, etc., are among the various individual rights to which citizens are entitled.


The phrase “data is the new oil” is extremely relevant in the contemporary era, as the data economy has penetrated almost every sector at an increasing rate. Due to the borderless nature of the Internet, safeguarding personal data and regulating the storage and transfer of such personal data is of pivotal importance.

Even though a lot of countries in the APAC region have data protection laws, there is still a lot of room for growth and development in comparison to the EU, where a regulation like GDPR is in place.

APAC countries should also aim to table a uniform regulation that will lead to growth and development and also help in the proper regulation of cross-border transfers.

-Team AMLEGALS assisted by Ms. Deepali Maheshwari
