The APAC region has witnessed significant regulatory changes when it comes to data protection. Companies operating in this region face a complex myriad of different approaches from country to country.

In our recently launched Asia Data Protection Podcast Series we invite specialists on the ground from India, Thailand, Vietnam, Indonesia and the Middle East to talk about the most recent developments on data protection regulation in these jurisdictions.

1| India - Insights into its new Data Protection Act

The new Digital Personal Data Protection Bill sets out the first comprehensive data protection law for India. The DPDP Act was published in 2023, with the government expected to communicate the date of its entry into force in due course. However, questions on how the new law will be implemented in practice remain at the forefront of organisations’ minds. 

2| Thailand - First Data Protection Law - one year on

Thailand’s data protection regulation has been one of the most dynamic in the region, with multiple subordinate regulations being issued under the Thailand PDPA. This trend continues and new regulations are expected soon.

Despite being in effect since 2023, the Personal Data Protection Committee, Thailand's data protection regulator, has not yet taken any enforcement measures. However, other regulators have urged organisations to adhere to the new regulations, and companies, especially those in regulated industries, are already taking steps to comply.

3| Vietnam - Navigating Vietnam’s Emerging Data Protection Landscape

Vietnam issued its’ long-awaited Personal Data Protection Decree on 17 April 2023. Taking effect on 1 July 2023, this decree seeks to compile existing provisions on data protection from various other laws into one instrument.

Similar to the European data protection regulation, the Decree has a wide territorial reach and applies to both Vietnamese organisations and foreign entities that are directly involved in or have a connection to data processing in Vietnam.

4| Indonesia - Window for data compliance narrows

Indonesia’s first overarching legislation on data protection, the Personal Data Protection Law, was enacted on 17 October 2022. A year on, questions on how the law will be enforced remain.

The PDP law is the first overarching data protection regulation to be adopted in Indonesia. Existing sector-specific regulations will remain in effect unless they conflict with the new data protection regulation, which is set to be fully enforced by October 2024. 

5| Kingdom of Saudi Arabia - What multinationals should know about the Middle East data protection regimes

After two years of public consultations and amendments since its initial publication, the KSA Personal Data Protection Law was finally approved on 14 September 2023. Pending its formal effective date, organisations are currently bracing for full enforcement of the law.

The KSA PDP Law is to a large extent modeled after the EU GDPR and shares similarities with data protection legislations of other Gulf Cooperation Council countries. Nevertheless, there are notable differences that set the KSA PDP Law apart from the approach taken in the EU and other GCC countries. 

What next? 

It is more important than ever for companies to ensure that their data protection strategy is fit for purpose and reflects the evolving regulatory landscape: consequences and sanctions for not doing so are rapidly increasing. 

Listen to our Asia Data Protection Podcast Series: The Current State of Data Protection in Asia