As digitisation and cyber threats rise, countries in Southeast Asia have enacted laws to protect personal data and prevent cyber-attacks. But with varying requirements across jurisdictions, the compliance burden for companies has only increased, and in-house counsel play a critical role in ensuring compliance with these laws by providing guidance on legal requirements and best practices.
Over the past decade, Southeast Asia has seen a rapid evolution of data privacy and cyber security laws, largely due to the rise of digitalisation and the increasing prevalence of cyber threats.
Several countries in the ASEAN region have enacted laws and regulations to protect personal data and prevent cyber-attacks. One notable example is Indonesia, which passed its ﬁrst-ever Personal Data Protection Law in September last year after years of discussion and postponements. Based closely on the European Union’s GDPR, Indonesia’s new law clearly states the legal basis for obtaining and processing personal data. It sets out strict criminal and administrative sanctions for those that break the provisions under the law. These include corporate ﬁnes of up to two percent of a company’s annual revenue.
Also, in 2022, Thailand’s ﬁrst con-solidated law on personal data protection, or the Personal Data Protection Act (PDPA), came into force, even though it had been initially signed in 2019. The PDPA outlines the obligations of data controllers and processors to inform and request data owners of any collection, use, or disclosure of their personal information, and those found violating the law could be liable for civil and criminal ﬁnes.
And there’s more to come. “Apart from recent changes to data protection laws in countries like Indonesia and Thailand, there are also upcoming changes to Vietnam and Malaysia’s personal data protection laws,” says Wilson Ang, partner and head of Asia regulatory compliance and investigations at Norton Rose Fulbright (NRF). “For Vietnam, it is anticipated that the Vietnamese government will introduce, for the ﬁrst time, speciﬁc personal data protection legislation to govern the processing of personal data sometime in 2023.”
“In Malaysia, proposed revisions to the Malaysian Personal Data Protection Act were put on hold in 2022 because of the change in government. However, the new government under PM Anwar Ibrahim has indicated that it intends to table changes to the legislation by the end of 2023,” adds Ang.
Additionally, the under the Personal Data Protection Act that came into effect on Oct. 1 last year, Singapore increased the administrative ﬁne to up to 10 percent of an organisation’s annual turnover, if annual turnover exceeds S$10 million ($7.6 million). Meanwhile, in the Philippines, novel approaches are used to determine ﬁnes under data privacy laws.
As data privacy and cybersecurity laws evolve, companies operating in these jurisdictions have seen a spurt in their compliance burden and varying requirements. However, Desmond Chew, a partner in Dentons Rodyk & Davidson’s intellectual property and technology practice, says there may be speciﬁc nuances concerning each jurisdiction’s data protection and cybersecurity laws in Southeast Asia, “companies can take comfort that there are still common themes in these laws. For example, a consent-based regime, and the need for appropriate security arrangements in how these companies protect personal data.
“What is important is for companies to identify what are the types of data that they handle on a regular basis, who and where these data are being transferred to, and thereafter implement an appropriate baseline data protection and cybersecurity program which can be responsive to the speciﬁc nuances of the local jurisdiction,” Chew notes.
With more Asian countries waking up to protecting their domestic data and articulating laws, implementing comprehensive data compliance programs for global companies has only become more complex. Companies operating in these countries have had to adjust to these new regulations by implementing comprehensive data privacy and cyber security policies and procedures.
As technology continues to advance and new cyber threats emerge, it is crucial for companies to stay vigilant and adapt to changing legal and regulatory landscapes in order to protect their data and assets effectively.
“In Southeast Asia, the APEC Privacy Framework is mostly based on the OECD’s 1980 Guidelines on the Protection of Privacy and Trans-Border Flows of Personal Data (OECD Guidelines). However, there are notable differences across different jurisdictions. Although the privacy compliance programme would be similar, it is necessary to conduct jurisdiction-specific review of the privacy notice and privacy policies (for example, breach notification response, data subject rights response, etc.) as well as other jurisdiction-specific obligations (for example, cross-border transmission, data localisation, handling with data breach, data protection officer etc.).”
— Peggy Chow, Herbert Smith Freehills
“Asia is more complex than the European Union (EU) given that EU member states follow GDPR (General Data Protection Regulation), whereas in Asia, each jurisdiction has its own form of data privacy laws which may have been inspired by GDPR but with notable deviations and differences,” says Peggy Chow, an of counsel at Herbert Smith Freehills (HSF) specialising in data and cybersecurity laws.
“In Southeast Asia, the APEC Privacy Framework is mostly based on the OECD’s 1980 Guidelines on the Protection of Privacy and Trans-Border Flows of Personal Data (OECD Guidelines). However, there are notable differences across different jurisdictions. Although the privacy compliance programme would be similar, it is necessary to conduct a jurisdiction-speciﬁc review of the privacy notice and privacy policies (e.g. breach notiﬁcation response, data subject rights response, etc.) as well as other jurisdiction-speciﬁc obligations (e.g. cross-border transmission, data localisation, handling with data breach, data protection ofﬁcer etc.),” says Chow.
With these laws’ increasing complexity and breadth, developing, and implementing a comprehensive data compliance program is essential to protect a company’s sensitive information and prevent data breaches.
And with rising complexities, the role of in-house counsel in companies operating in Southeast Asia has increased too. From predicting future pitfalls to playing the ﬁrst line of defence for any legal action, the in-house counsel is now required to ensure compliance with these laws that have varied and often complex requirements.
“In-house counsel will need to have conversations with their business stakeholders and understand the lay of the land when it comes to the type and volume of data and technologies handled by the organisation. Thereafter, such in-house counsels can establish basic rules and parameters as the baseline standards for its data compliance program, allowing for speciﬁc adaptation to local laws within each Southeast Asian jurisdiction. The most successful data compliance program we have seen are those in which organisations have addressed the requirements in the context of the business operations and needs,” says Chew.
Navigating laws can be challenging for in-house counsel, who must also understand their company’s internal data handling practices to develop effective compliance programmes.
“Apart from navigating the complex, broad and changing data privacy and cybersecurity laws across Southeast Asia, which may have inconsistent requirements, in-house counsel needs to develop a sufﬁcient understanding of the internal data handling practices. From there, in-house can counsel identify the relevant risks arising out of such practices and develop an appropriate data compliance program to manage and govern such risks,” says Ang.
Developing and implementing a comprehensive data compliance program requires signiﬁcant investment from companies, including allocating sufﬁcient resources.
“Therefore, in-house counsel will need top-level commitment from their company to invest in the resources required to develop and implement a comprehensive data compliance program. In-house counsel can also be supported by competent external counsel who are not only able to advise on legal requirements across the relevant jurisdictions, but also project manage an undertaking of this scale and provide recommendations that are ﬁt-for-purpose and appropriate for the business,” says Ang.
As digitalisation continues to transform industries across Southeast Asia, companies must prioritise data privacy and cybersecurity to protect their sensitive information and prevent data breaches.
“The starting point of an effective data compliance program is an appropriate governance structure, with support from senior management to invest in sufficient resources to establish and maintain a comprehensive and tailored data compliance program. Once in place, the company will need to conduct risk assessments and a data mapping exercise. Thereafter, policies and procedures can be developed to cater to, and manage, these risks. Effective maintenance and monitoring in the form of periodic reviews and audits are required to test the effectiveness and robustness of the data compliance program, as well as identify key changes that may affect the risk profile (e.g., changes brought about by new technology) of the company and necessitate changes to existing policies and procedures.”
— Wilson Ang, Norton Rose Fulbright
Developing and implementing a comprehensive data compliance program is essential for businesses operating in this region, but the complexity and breadth of data privacy and cyber-security laws can make this a daunting task.
“The starting point of an effective data compliance program is an appropriate governance structure, with support from senior management to invest in sufﬁcient resources to establish and maintain a comprehensive and tailored data compliance program. Once in place, the company will need to conduct risk assessments and a data mapping exercise. Policies and procedures can be developed to cater to and manage these risks. Effective maintenance and monitoring in the form of periodic reviews and audits are required to test the effectiveness and robustness of the data compliance program, as well as identify key changes that may affect the risk proﬁle (e.g., changes brought about by new technology, such as generative AI) of the company and necessitate changes to existing policies and procedures,” says Ang.
“Data privacy is an organisational issue (not just a legal or IT issue), so we need support from the top down, i.e., involvement of leadership or C-Suite executives - show leadership the true value of new privacy policies and procedures, especially when compared to the ﬁnancial and reputational risks at stake. A designated data protection ofﬁcer and data laws compliance committee with the requisite skillsets and experience,” says Chow.
However, could be some key elements to this.
“There are many key components in an effective data compliance program. Most in-house counsels often focus on policies, including privacy policies, data breach management plans, and data retention policies. These policies are no doubt important – but what is more often overlooked is the effective implementation and operationalisation of these policies,” says Chew.
“For example, what are the appropriate SOPs that a business unit can adopt in order for them to operationalise the data privacy practices? How would a staff effectively notify the chain-of-command if he or she were to discover suspicious activities?” asks Chew.
In-house counsel plays a crucial role in this process, providing guidance on legal requirements and ensuring that employees are educated on data privacy and cybersecurity best practices.
“In-house counsel should understand that there is no one-size-ﬁts-all solution when it comes to an effective data compliance program. Every data compliance program must be carefully tailored to suit the needs of the organisation, especially its business activities,” adds Chew.
But even as they rush to comply with the regulations, there is one more crucial element. Staying up to date with the latest regulatory developments.
“In-house counsel may stay up to date on the latest legal and regulatory developments by, for example, subscribing to newsletters. There is a wide range of useful resources available, and the key lies in taking the initiative to gain access to these resources,” says Chew.
“It is a constant challenge for in-house counsel to stay up to date on the latest legal and regulatory developments. Apart from subscribing to commercial databases and getting onto mailing lists of service providers, in-house counsel should consider solutions that are available on the market to help them stay abreast of key developments and how such developments may impact their business,” says Ang.
For many companies, the balancing act could pose a challenge.
Not only are the frameworks across countries different, but they could often create complexities in coordination and legal challenges for the in-house counsel.
“Unlike the EU, Southeast Asia does not have a harmonised data protection law framework. This creates certain challenges for companies in implementing data compliance programs in the region, as it also means considering if there are speciﬁc nuances associated with each Southeast Asian country’s data protection laws that need to be addressed. For example, data localisation and transfer requirements are often an issue for organisations with regional presence,” says Chew of Dentons Rodyk.
The inconsistency in laws across countries and the rapid pace at which technological advancements are being made only adds to the complexity.
“The second challenge is cultural attitude towards data protection and cybersecurity. In Singapore, the Personal Data Protection Act has been in place for some time now, and there is a general awareness of the importance of data protection and cybersecurity. This also means that stakeholders would be aware of the risks associated with privacy in implementing any new business processes,” says Chew.
“But other Southeast Asian jurisdictions, including Indonesia and Thailand, are still relatively nascent in their data protection journey. Some Southeast Asian jurisdictions, such as Vietnam, do not even have an omnibus data protection law in effect yet. This also means for in-house counsels, they will need to educate their stakeholders on the importance of data protection and cybersecurity in their business operations,” says Chew.
Another challenge comes along with the growing volume of data and the way in-house counsels manage this. “The lack of sufﬁcient resources
is one common challenge companies face in implementing data compliance programs across Southeast Asia. In this regard, the issue of resourcing funda-mentally boils down to a question of priority for companies,” says Ang of NRF. “Therefore, it is critical that boards recognise the risks arising out of non-compliance with data privacy and cyber-security laws and identify the management of data privacy and cybersecurity risks as a key priority. Boards should also see having a robust data protection compliance program as a mark of distinction to distinguish their companies from their competitors. Customers, both consumers and business customers, are increasingly aware of data privacy and cybersecurity risks and will not hesitate to reﬂect their preference for companies with robust data protection compliance programs,” adds Ang.
“The most practical way for in-house counsels to do so isto establish relationships with their business users and imbue an awareness of the importance of data protection and cybersecurity in them. Where possible, in-house counsels should be roped in very early to understand the data flows and designs that the business users intend to embark on, so that any privacy and cybersecurity risks can be dealt with immediately. Most importantly, in-house counsels should raise awareness that privacy and cybersecurity issues are continuously evolving, and there is always a need to review the data designs and flows in order to ensure that the organisation remains compliant with privacy and cybersecurity laws.”
— Desmond Chew, Dentons Rodyk
The question is, how could in-house counsel address these challenges?
“The most practical way for in-house counsels to do so is to establish relationships with their business users and imbue an awareness of the importance of data protection and cybersecurity in them. Where possible, in-house counsels should be roped in very early to understand the data ﬂows and designs that the business users intend to embark on, so that any privacy and cybersecurity risks can be dealt with at the outset. Most importantly, in-house counsels should raise awareness that privacy and cybersecurity issues are continuously evolving, and there is always a need to review the data designs and ﬂows in order to ensure that the organisation remains compliant with privacy and cybersecurity laws,” says Chew.