A complete overview of data protection regulations across the Asia-Pacific region. Every jurisdiction, every key obligation — updated March 2026.
APPI triennial revision underway: PPC Interim Summary June 2024 — biometrics & children's data reform expected late 2026.
Very restrictive international transfers: adequacy mechanism OR explicit consent required. No SCCs equivalent available.
Breach notification: notify PPC + affected individuals within 72h if "probable harm". Mandatory since 2022.
Pseudonymisation: lighter regime for pseudonymised data — but offshore transfer prohibited even when pseudonymised.
3rd party sharing opt-out: mandatory individual prior notice before any sharing with third parties.
Fines up to 3% of global revenue + criminal penalties (up to 5 years imprisonment for serious violations).
Basic AI Act: first APAC country to legislate specifically on AI — transparency and risk assessment obligations.
Jan. 2025: PIPA AI bill submitted to Parliament — broadens legal bases to train AI models on personal data.
Mandatory local representative for foreign operators processing Korean residents' data (2023 amendments).
Transfers: CBPRs recognised + bilateral agreements. Korea is an "adequate" country per PIPC decision.
Triple regulatory layer: PIPL (Nov 2021) + DSL (Sept 2021) + CSL (2017). Compliance requires alignment with all three texts.
Mandatory localisation: "important" and "core" data must be stored in China. For sensitive data, a local copy is the minimum requirement.
Export security assessment (CAC) mandatory if >100K individuals/year or sensitive data — long and unpredictable process.
GenAI Regulation 2023: models trained on Chinese data require CAC approval before commercial deployment.
DPO mandatory if >1M individuals processed. Local representative required if headquartered outside China. Minors <14: ultra-strict rules.
POLA 2024 (Royal Assent 10 Dec 2024): Tranche 1 in force. New OAIC powers, graduated fines, immediate cyber uplift obligations.
Statutory tort "serious invasion of privacy": in force since 10 June 2025 — individuals can sue directly (damages up to AUD 478K).
Automated Decision Making (ADM): mandatory disclosure in privacy policy — in force 11 December 2026. Prepare now.
Children's Online Privacy Code: OAIC consultation underway — code to be registered before 10 Dec 2026.
Tranche 2 expected 2026: removal of SME exemption, "fair and reasonable" test, new definitions of consent & personal data.
PDPA 2021: 3-day breach notification to PDPC if "significant harm" + strengthened individual rights (portability, correction).
Global CBPRs: Singapore is a founding member. Recognised international transfer mechanism — simplifies cross-border data flows.
AI Verify framework v2 (2024): 9 AI governance dimensions (fairness, transparency, accountability…). Voluntary but market standard.
Health Information Bill 2024: strengthens security obligations & reporting for health data — consultation at advanced stage.
"Trust-based" approach: regulatory sandbox, proactive PDPC dialogue, detailed sector guidelines. Most accessible regulator in APAC.
DPDP Rules 2025 published after public consultation (closed March 2025) — Data Protection Board of India (DPBI) now operational.
DPBI fines: ₹250 Cr (~$30M) for security failures, ₹200 Cr for breach non-notification, ₹250 Cr for violations involving children.
Significant Data Fiduciaries (SDF): India-resident DPO + annual DPIA + independent audit. SDF criteria defined by government order.
Consent Managers: accredited entities managing consent on behalf of individuals — unique and innovative infrastructure.
Transfers conditional — list of approved countries to be published by government. Full enforcement expected May 2027.
Biometrics Code 2024: first dedicated biometrics regulatory code in APAC — governs facial recognition and biometric data use.
Privacy Act 2020: 13 IPPs, active NDB scheme. Notification to OPC + affected individuals if "significant harm" is likely.
Offshore transfers: equivalent protection required (adequacy or contract). List of "adequate" countries published by OPC.
2026 reform under discussion: stronger GDPR alignment, extended individual rights, increased OPC enforcement powers.
2024 amendments in force (July 2024): mandatory DPO, breach notification, data portability — full application from 2025.
DPO: mandatory appointment. PDPD guidelines on role, responsibilities and qualifications published during 2025.
Breach notification: 72h to PDPD + notification to individuals if "significant harm". Detailed rules operational since 2025.
Transfers outside Malaysia heavily restricted: only to countries listed by the Minister (short list). Developments expected 2026.
PDPA modelled on GDPR: same legal bases (consent, legitimate interest, legal obligation…). Full individual rights framework.
Dual sanctions: civil (THB 5M) + criminal (THB 1M + 1 year imprisonment). Both can apply for intentional violations.
DPO mandatory for large-scale processing, sensitive data or systematic monitoring. Must be qualified.
Individual rights: access, rectification, erasure, objection, portability — 30-day response deadline.
PDPC TH very active since 2024: sector decisions (health, banking), guidelines published regularly. Enforcement rising in 2026.
PDPL in force 1 January 2026: replaces and reinforces Decree 13. Formalises individual rights, controller obligations, transfer restrictions.
Export security assessment mandatory before any international transfer — modelled on China's approach. Process via MPS.
Data classification: parallel legislation introduces classification tiers (ordinary, sensitive, core, important) + security obligations.
Localisation: local copy mandatory for certain data even when offshore storage is permitted. Precise rules to be clarified in 2026.
Consent is the primary legal basis: legitimate interest is very limited. High risk for organisations processing without explicit consent.
NPC (National Privacy Commission): one of ASEAN's most active regulators — constant enforcement, many decisions in 2024–2025.
Jan. 2024: scraping guidance — governs collection of public data. Clarifies that public data ≠ freely usable data.
CCTV Circular 2024: privacy obligations for video surveillance — collection notice, restricted access, defined retention periods.
Cumulative criminal penalties: up to 6 years imprisonment + fines stackable per violation. Natural persons also exposed.
DPO mandatory for all Data Controllers — DPO registration with NPC required. Annual registry update mandatory.
PDPL in force October 2024 but implementing regulations still missing in early 2026 — significant operational uncertainty.
No independent DPA yet: Ministry of Kominfo acting provisionally. Permanent DPA expected to be established in 2026.
GDPR-like structure: legal bases, individual rights, DPO, DPIA — but operational details not yet published.
2-year transition until October 2026: action window to build compliance before full enforcement begins.
Fines: up to IDR 60B + 6-year criminal penalties for unlawful processing of sensitive data + security breaches.
| Country | Main law | Max fine | Breach deadline | DPO required | Int'l transfers | Localisation | AI regulated |
|---|---|---|---|---|---|---|---|
| 🇯🇵 Japan | APPI 2022 | ¥100M / criminal | 72h (PPC) | Partial | Restrictive / no SCCs | No | In progress |
| 🇰🇷 South Korea | PIPA 2023 | 3% global revenue | 72h (PIPC) | Yes | CBPRs / agreements | No | AI Act ✓ |
| 🇨🇳 China | PIPL + DSL | ¥50M / 5% rev. | 72h (CAC) | If >1M users | Very restrictive | Yes | GenAI Reg. ✓ |
| 🇦🇺 Australia | Privacy Act 2024 | AUD 50M / 30% AU rev. | ASAP (OAIC) | No | Contract required | No | Guidelines |
| 🇸🇬 Singapore | PDPA 2021 | SGD 1M / 10% rev. | 3 days (PDPC) | Recommended | CBPRs / contract | No | AI Verify ✓ |
| 🇮🇳 India | DPDPA 2023 | ₹250 Cr (~$30M) | ASAP (DPBI) | SDF only | Gov. approved list | SDF data | Not yet |
| 🇳🇿 New Zealand | Privacy Act 2020 | NZD 10K | 72h (OPC) | No | Equivalence | No | No |
| 🇲🇾 Malaysia | PDPA 2010/2024 | RM 500K | 72h (PDPD) | Yes | Short list only | No | No |
| 🇹🇭 Thailand | PDPA 2022 | THB 5M civil | 72h (PDPC TH) | Yes | Adequacy / SCCs | No | No |
| 🇻🇳 Vietnam | PDPL Jan 2026 | VND 100M | 72h (MPS) | No | Assessment required | Partial | No |
| 🇵🇭 Philippines | DPA 2012 | PHP 5M + criminal | 72h (NPC) | Yes | Contract required | No | No |
| 🇮🇩 Indonesia | PDPL 2024 | IDR 60B | 14 days (Ministry) | TBD 2026 | TBD 2026 | No | No |
The legislative cycle is slowing down. 2026 will be the year regulators (OAIC, PIPC, NPC, PDPC TH) enforce what was passed. Expect investigations, not new statutes.
Korea (AI Act), Singapore (AI Verify v2), China (GenAI Reg.), Australia (ADM disclosure Dec 2026): AI obligations are integrating into existing privacy frameworks. AI DPIA is the 2026 norm.
Australia (Children's Code Dec 2026), China (<14), India (verifiable parental consent), Korea, NZ: each jurisdiction imposes its own rules. No single APAC standard.
Vietnam PDPL in force Jan 2026. Indonesia PDPL: transition until Oct 2026. Acting now means not being non-compliant when the first enforcement cycle begins.
China & Vietnam = restrictive model (assessment). Singapore & Korea = CBPRs model. Australia = contract. No APAC harmonisation — each data corridor requires dedicated legal analysis.
NZ (Biometrics Code active), Japan (biometrics reform 2026), Australia (OAIC facial recognition enforcement), Korea: biometric data is moving from "sensitive" to "hyper-regulated" across APAC.