The March 2026 edition of our Asia TMT Bulletin arrives at a moment of significant regulatory activity across the region, particularly in the areas of data privacy and cybersecurity.
Singapore is raising the bar on cybersecurity, with new certification requirements for critical infrastructure operators and incoming legislation to regulate data centres and cloud providers. Hong Kong SAR regulators are deepening their collaboration on fraud and data security, with joint bank examinations on the horizon. The Chinese Mainland is bringing greater clarity to its outbound automotive data transfer rules, whilst the Thai regulators have issued a new framework for certifying binding corporate rules for data transfers. Australia’s recent enforcement action against a financial services firm following a major data breach is a useful prompt to review cyber controls.
Data Privacy
Hong Kong: PCPD publishes 2025 workload figures and trends
The Hong Kong Privacy Commissioner for Personal Data (“PCPD”) has published a snapshot of its 2025 caseload and breach trends. The report states the PCPD received 4,228 complaints (up 23% compared to 2024) and 246 data breach notifications (up 21% compared to 2024), with hacking accounting for 81 notified incidents (33% of the total data breach notifications).
Hong Kong: HKMA and PCPD deepen collaboration to combat fraud and safeguard personal data
The Hong Kong Monetary Authority (“HKMA”) and PCPD announced a new collaboration to combat fraud and safeguard personal data. They will conduct joint examinations of selected banks’ anti-fraud systems and controls, with HKMA assessing implementation of anti‑fraud measures, and the PCPD reviewing data‑security and access controls. They will also work with the Hong Kong Police Force, The Hong Kong Association of Banks and the wider industry to raise public awareness of fraud.
China: Guidelines issued on cross-border transfer of automotive data
The Cyberspace Administration of China has issued guidelines to regulate outbound transfers by data controllers in the automotive sector. Transfers above the specified thresholds of important data or personal data (including sensitive data) will trigger mandatory security assessments, standard contract or certification routes.
Singapore: PDPA directs organisations to cease use of NRIC numbers for authentication
The Personal Data Protection Commission has directed private organisations to phase out authentication practices which rely on NRIC numbers (such as including NRIC numbers in default passwords) by the end of the year to avoid enhanced enforcement action from 1 January 2027.
Australia: Tribunal partially accepts retailer’s use of facial recognition technology
The Administrative Review Tribunal partially overturned an Office of the Australian Information Commissioner (“OAIC”) determination that a retailer’s use of facial recognition technology (“FRT”) breached privacy legislation. The use of FRT was a reasonable and proportionate response to a legitimate business concern. However, the retailer breached its obligations to notify customers of the use of FRT, implement appropriate privacy governance and maintain a clear privacy policy.
Thailand: Thai PDPC issues BCR certification framework for intra‑group data transfers
The Office of the Personal Data Protection Committee issued a regulation establishing a framework for certifying Binding Corporate Rules (“BCRs”) for intra‑group transfers. It defines key terms, eligibility and document requirements, filing channels, and a 15‑day completeness check followed by substantive review. BCRs must be legally enforceable, effectively implemented, and ensure data subject rights.
Cybersecurity and critical infrastructure
Singapore: Cybersecurity certification for critical information infrastructure owners increased to highest level
The Cybersecurity Agency of Singapore announced that Critical Information Infrastructure Owners (“CIIOs”) and auditors conducting audits for CIIOs will need to obtain Cyber Trust Mark (“CTM”) Level 5 by the end of 2027 and the end of 2026 respectively. Licensed cybersecurity service providers will need to obtain CTM Promoter (Tier 3) certification by the end of 2026.
Singapore: Singapore to tighten regulations for data centres and cloud service providers
Singapore will introduce legislation this year requiring current and future operators of data centres and cloud service providers to meet energy efficiency standards, log incident reports and put in place cybersecurity and service disruption measures. There will be a grace period for existing providers to update equipment to meet the new standards.
Australia: Financial services firm penalised approx. US$1.76 million for cyber security failures
The firm was ordered to pay the penalty after the Australian Securities and Investments Commission found it failed to adequately safeguard client data. A 2023 cyberattack led to sensitive information (such as driver’s licences, passport details and bank account numbers) being leaked on the dark web. The firm admitted to breaching its statutory obligations by not implementing identified cyber controls and not allocating sufficient resources to information security. The firm must also complete an independent cyber‑security compliance program.
Thailand: Proposed amendments to the cyber incident notification requirement
The National Cyber Security Agency launched a public consultation on proposed amendments to the cyber incident notification requirements, which would mandate notification for all incidents regardless of severity, with an initial report within two hours of detection and a full report within 72 hours.
Intellectual Property
Vietnam: Draft decree amending intellectual property law on copyright and related rights proposed
On 3 February 2026, the Ministry of Culture, Sports and Tourism published a draft decree amending the Law on Intellectual Property on copyright and related rights. The draft introduces copyright protection for AI-generated works, clarifies non‑protectable subject matter such as ideas and operational processes, and streamlines certain administrative procedures relating to copyright.
Digital Platform Services
China: Measures for online platforms with significant impact on minors
The Cyberspace Administration of China has issued measures for identifying online platform service providers with a large number of minor users or which have a significant influence on minors. Platforms meeting user or influence thresholds must apply for identification and submit self-assessments.
Artificial Intelligence
UAE: Central Bank issues guidance note on use of AI by licensed financial institutions
The guidance note, which focuses on consumer protection, sets out principles and guidelines for licensed financial institutions (including insurance providers) to consider when adopting AI, including guidelines in relation to governance, accountability, transparency, data privacy, and continuous monitoring and review.
Vietnam: Appraisal of Draft decree guiding Law on Artificial Intelligence
Released on 27 February 2026, the draft decree guiding the Law on Artificial Intelligence introduces detailed regulations on data governance, risk-based classification of AI systems and the implementation of a controlled sandbox for sensitive AI solutions. The draft also establishes a list of high‑risk AI systems.

