Southeast Asia is a rapidly changing and growing economic area, and with economic growth comes new pressures and needs for legal guidance.
Privacy is becoming increasingly important to consumers, and if you are operating a website or app in Southeast Asia, there are a number of recently introduced pieces of legislation that you need to be sure you comply with.
I'll go through the laws in Singapore, Malaysia, South Korea, and Vietnam so that you have a good idea of what kinds of laws are being put into place in the region. When you know what is required by these laws, you can ensure that you follow them.
In Singapore, the Personal Data Protection Act 2012 (PDPA) is the primary governing law for protecting individual privacy.
The PDPA applies to all electronic and non-electronic communications that involve the collection, processing, or disclosure of personal data within Singapore, regardless of whether the organization doing so has a physical presence in Singapore.
This means that if any of your customers or users online are in Singapore, the PDPA applies to you and your business.
Generally speaking, the PDPA requires that when you collect, process, or disclose this kind of personal data, you must only do so if:
- You have obtained an individual's consent;
- It is for a reasonable purpose; and
- The individual has been notified of the purpose.
Once the data is collected, you need to ensure that the personal data is accurate, protected and secure.
If you receive individual requests to see or correct the personal data you hold on users, you must allow users to do so unless you have reasonable grounds otherwise. Penalties for non-compliance include fines of up to S$1 million and/or imprisonment for up to 3 years, which indicates that breaches will be taken very seriously.
You can see that Paktor has clearly outlined what kind of information is collected, to notify their users:
Paktor also clearly outlines the purposes and uses of the information it collects. Its legal agreement is very comprehensive.
Now let's take a look at Malaysia.
Malaysia's legislation is also called the Personal Data Protection Act (PDPA); it came into force in November 2013.
Its requirements are similar to those of Singapore's PDPA, as both are heavily based on the European Data Protection Directive. Like the Singapore PDPA, it applies to data that is processed in Malaysia, regardless of whether the person doing the processing is established in Malaysia or not.
The Malaysian PDPA requires that individuals be notified of data collection, give consent, and be informed about the purposes for which the data is being collected. The PDPA also prohibits any disclosure of the personal information that's not in line with the purpose of the collection, and the information must be kept secure and not retained for longer than is necessary.
Individuals must also be allowed access to the information that is held about them.
KFIT, a Malaysian company, has a great section about the purposes for which they use customer data:
You can see that their section clearly sets out the different purposes for which they collect the data. It's structured well, and very easy to read.
Both the Malaysian and Singapore PDPAs also require that data must not be transferred to a jurisdiction that has lesser protections in place for personal data.
South Korea's privacy legislation is thought to be the strictest in the Southeast Asia region.
The Personal Information Protection Act (PIPA) came into force in 2012 and distinguishes between personal data and sensitive personal data.
Malaysia's PDPA also makes this distinction, and for both Acts, this means that sensitive personal data requires higher standards such as specific consents being obtained for that type of data and restrictions on that data being processed or transferred overseas.
Sensitive personal data for the purposes of South Korea's PIPA is information relating to an individual's thoughts, religious beliefs, political affiliations or views, as well as health, medical, and sexual information.
For the purposes of most websites and mobile apps this information would not be collected, but if you are in any business that collects this sensitive information, be aware that consent needs to be obtained separately for this information.
South Korea's PIPA is thought to be stricter than other privacy legislation in the region because:
... only the minimum collection of data necessary for the purposes is allowed and a data processor cannot refuse to provide goods or services to a data subject because they do not consent to the collection of data exceeding this minimum requirement.
You can see that 11ST clearly states how it's complying with PIPA and that it does not collect any sensitive personal information. Individuals are also given the right to access their data at any time and request that changes be made, as well as being able to suspend or withdraw the consent for the use of their data.
If any breach of PIPA is alleged, the responsibility is also always placed on the data processor (rather than the individual) to prove that there was no breach.
Finally, Vietnam's law is another important piece of legislation to consider, particularly with the huge increase in economic development in Vietnam.
Vietnam's privacy law is part of a broader piece of legislation, the Law on Information Technology 2006.
Article 21 of the Law on Information Technology covers the collection, processing, and use of personal information online, and sets out similar requirements to the laws discussed above in Singapore, Malaysia, and South Korea.
Article 21 requires that individuals need to be informed that their information is being collected, processed, or used, as well as the purpose for which it is being collected. Collected information must only be used for the stated purposes, and shall be protected and kept secure.
The individual can request to examine, correct, or delete the information, and the information holder must immediately take the necessary measures.
Vietnam's Ministry of Industry and Trade has also set out regulations under which a commercial website owner must inform visitors to its home page of its policy on privacy and information confidentiality.
Any request for consent to use an individual's private data must give the individual the ability to accept or decline. The regulation also states that the website is prohibited from using any mechanism by which consumers are deemed to provide consent by default.
Here's an example from Vietnamese website Antoree of how they have implemented what is required under the Law on Information Technology 2006:
Antoree has clearly set out that they are collecting information, as well as the purpose for which that information was collected.
These new privacy laws mean that if you have any customers or users in these jurisdictions, you need to ensure that you're up to speed with the new legislation. At a minimum, your privacy policy should set out:
- What data you will collect and why you are collecting it;
- How you will protect and store data;
- What you will do with the data;
- In what circumstances you will release the data;
- How your users can see what data you hold on them, and how they can change, delete, or update it;
- Dispute resolution;
- Effective date; and
- Changes to the policy and where notices should be sent.
Privacy laws throughout the Southeast Asian region are clear and simply state what is required to comply: get consent, state your purpose, keep information secure, and allow the individual concerned to access it.