International Law News, Summer 2022

Data Privacy in the ASEAN Region

William D Greenlee Jr.

Summary

  • Singapore, Malaysia, and Myanmar: part three of a special three-part series. Several Asian countries are out in front protecting their residents' data, while others have longer to travel.
  • This article provides key concepts and differences of data protection regimes in Singapore, Malaysia, and Myanmar.
  • It also highlights recent developments in each country and the impact of the GDPR.

First of a Three-Part Series

I. Key Concepts and Differences in Singapore, Malaysia, and Myanmar

The information below compares the data protection regimes in Singapore, Malaysia, and Myanmar.

Main legislation and regulations 

  • Singapore
    • Singapore PDPA
    • Personal Data Protection (PDP) Regulations 2014
    • PDP (Do Not Call Registry) Regulations 2013
    • PDP Notification 2013
    • PDP (Prescribed Healthcare Bodies) Notification 2015
    • PDP (Prescribed Law Enforcement Agencies) Notification 2014
  • Malaysia
    • Malaysia PDPA
    • Malaysia PDP Regulations
    • PDP Registration Regulations
    • PDP Class of Data Users Order
    • Malaysia PDP Standard
  • Myanmar: No specific data protection law. Generally regulated under the ET Law, since the provisions of the Privacy Law are presently suspended.

Authority

  • Singapore: PDPC
  • Malaysia: Commission
  • Myanmar: Ministry of Transport and Communications

Application

  • Singapore: The Singapore PDPA applies to all organizations.
  • Malaysia: Any person who processes, has control over, or authorizes the processing of any personal data in respect of commercial transactions; and data users using equipment in Malaysia for processing personal data otherwise than for the purposes of transit through Malaysia.
  • Myanmar: The ET Law applies to all citizens and non-citizens of Myanmar. The ET Law has extraterritorial jurisdiction.

Categories of Data 

  • Singapore: Only personal data. 
  • Malaysia
    • (a) Personal data and
    • (b) Sensitive personal data.
  • Myanmar: Categories of data not clearly specified.

Registration of Data Users

  • Singapore: No registration requirements under the Singapore PDPA.
  • Malaysia: Registration is required for data users in the following sectors: communications; banking and financial institutions; insurance; health; tourism and hospitality; transportation; education; direct selling; services (legal, audit, accountancy, engineering, architecture); real estate; utilities; pawn brokerage; and money lenders.
  • Myanmar: No registration requirements.

Processing of personal data

  • Singapore: The Singapore PDPA sets out the 9 main data protection obligations to be complied with by organizations when handling personal data:
    • Consent obligation;
    • Purpose limitation obligation;
    • Notification obligation;
    • Access and correction obligation;
    • Accuracy obligation;
    • Protection obligation;
    • Retention limitation obligation;
    • Cross-border transfer limitation obligation; and
    • Accountability obligation.
  • Malaysia: Any person who processes personal data must comply with 7 data protection principles:
    • General principle;
    • Notice and choice principle;
    • Disclosure principle;
    • Security principle;
    • Retention principle;
    • Data integrity principle; and
    • Access principle.
  • Myanmar: The provisions relating to the processing of personal data under the Privacy Law have been suspended. The amendment to the ET Law places obligations on the personal data holder to systematically maintain and protect personal data and to prevent distribution of personal data without a permit under the law or without the explicit permission of the data subject.

Cross-border data transfer (e.g. approved whitelists)

  • Singapore: Any organization may transfer personal data across borders if:
    • it complies with the Singapore PDPA; and
    • the recipient is bound by a standard of data protection comparable to the Singapore PDPA.
  • Malaysia: The transfer of personal data outside Malaysia is prohibited unless to a jurisdiction approved by the Minister. None has yet been approved. Notwithstanding the above, personal data can be transferred outside Malaysia where the data user has obtained the data subject’s consent, or where one of the other prescribed exceptions applies.
  • Myanmar: No specific provision under the law deals with or restricts cross-border data transfer.

Security of data 

  • Singapore: An organization must make reasonable security arrangements to prevent unauthorized access, collection, use, disclosure, copying, modification, disposal, or similar risks.
  • Malaysia: Data users have to take practical steps to protect personal data and, in so doing, must develop and implement a security policy.
  • Myanmar: A personal data holder must systematically maintain and protect personal data based on the type of data and its confidentiality level. Also, a personal data holder must systematically delete personal data collected for a specified time period once that time period has lapsed.

Data integrity (e.g. access, correction of data by data subjects)

  • Singapore: An organization must make a reasonable effort to ensure that personal data collected is accurate and complete, if the personal data:
    • (a) is likely to be used by the organization to make a decision that affects the individual to whom the personal data relates; or
    • (b) is likely to be disclosed by the organization to another organization.
  • Malaysia: A data user must give a data subject access to his or her personal data held by the data user and correct the personal data on request where it is inaccurate, incomplete, misleading, or not up-to-date, except where compliance with a request for such access or correction is refused under the Malaysia PDPA.
  • Myanmar: No specific mandate under the law.

II. Recent Developments and Impact of the GDPR

Singapore

As the staunchest promoter of data protection and cybersecurity in the ASEAN region, it comes as no surprise that Singapore has the most comprehensive data protection framework among the three jurisdictions, and its regime most closely aligns with international data protection standards. The PDPC has been actively engaging with industry players and has issued advisory guidelines which are fairly extensive and set out step-by-step instructions to businesses on how to comply with the Data Protection Provisions. Although the advisory guidelines are not legally binding, the Commission has indicated that they illustrate the manner in which the Commission will interpret the Data Protection Provisions.

The PDPC is a highly active regulator in Singapore. As of June 2020 there have already been 17 enforcement cases where PDPC initiated and took enforcement actions (for example, by imposing a financial penalty or issuing compliance directions) on persons found in breach of the Singapore PDPA. The PDPC also adopts a “name and shame” policy where it publishes on its official portal all of its enforcement actions against companies found to have breached the Data Protection Provisions under the Singapore PDPA.

In 2019, the PDPC imposed a penalty of SGD 1 million (approximately US$ 720,000), its highest penalty ever levied since the legislation’s entry into force. The penalty was levied on SingHealth and IHiS (in the public healthcare sector), which were determined by the PDPC to have failed to establish adequate security arrangements to protect their patients’ personal data.

The incident was dubbed “the worst breach of personal data in Singapore’s history” as, due to a cyberattack on SingHealth’s patient database system, it led to the theft of 1.5 million patients’ personal data records and nearly 160,000 patients’ outpatient prescription records.

The PDPC’s vigorous enforcement actions since the coming into force of the Singapore PDPA have created high public awareness of data protection issues among businesses in Singapore. Compliance is also made easier for businesses, as they are guided almost every step of the way by the PDPC through its extensive guidelines, which are regularly reviewed and updated in line with global trends and business practices.

The concepts in the GDPR are not unfamiliar to Singapore, as existing data protection regulations are in line with the predecessor of the GDPR, the 1995 EU Data Protection Directive. To keep pace with the very latest standards, in May 2020 the PDPC issued an amendment bill to include data subjects’ rights to data portability, as well as mandatory data breach notification, in the Singapore PDPA. Singapore’s progressive attitude can be seen in that even the public was invited to contribute feedback via the PDPC’s online consultation forum.

Malaysia

The key principles in the Malaysia PDPA are also akin to those in the 1995 EU Data Protection Directive. Data users have to comply with the seven Processing Principles, which align with those set out in the ASEAN Framework on Personal Data Protection adopted by all ASEAN Member States in 2016. The regulator’s focus in the first few years since the entry into force of the Malaysia PDPA has been on educating and fostering awareness among businesses. The shift to enforcement actions has only recently begun, and the majority of those actions have focused on ensuring registration by the specific classes of data users required to register with the Commission. Based on its updates publicized on various platforms, the Commission has been conducting inspections in the form of “audits” at business premises to assess levels of compliance.

After almost a decade since the passage of the Malaysia PDPA, the Minister of Communications and Multimedia announced in 2019 that a series of consultations would be held to discuss possible amendments to the Malaysia PDPA. The proposed amendments aim to strengthen data protection in Malaysia and align with international requirements of personal data protection, with the goal of keeping up with the rapidly evolving digital economy and the pace of technology development.

The Commissioner subsequently published a consultation paper in February 2020 to seek feedback from the general public (the “Paper”). The Paper took the laws of various jurisdictions into consideration including the Philippines, Singapore, Japan, and the EU. More than half of the proposals in the Paper are concepts included in the GDPR, including:

  • data subjects’ right to data portability in order to move their data across different service providers;
  • obligation to appoint a DPO;
  • obligation to report any data breach;
  • introduction of the concept of “Privacy by Design,” requiring consideration of privacy by data users at the development stage of any products or services;
  • direct liability of data processors;
  • expansion of the application of Malaysia PDPA to data users outside of Malaysia that monitor and profile the personal data of Malaysian data subjects; to non-commercial activities; and to federal and state governments; and
  • data subjects’ rights to pursue civil litigation against a data user.

Some key concepts in the Singapore PDPA, for example the establishment of the Do-Not-Call Registry and exemption of business contact information from the data protection provisions, are also introduced in the Paper for public feedback.

Considering the fast-paced development of technology in the past ten years, the review of this legislation is a commendable effort. The proposals in the Paper, if passed, will completely change how businesses in Malaysia handle data, as they envisage a data protection standard that is much higher than the country’s current existing regime. In general, businesses in Malaysia, small and medium-sized enterprises in particular, tend to take a more lax approach to handling personal data given that the regulator only began taking enforcement actions fairly recently, and these actions have thus far been focused only on specific data users. It will therefore be a huge step for businesses in Malaysia, involving considerable costs and resources to comply with the new standard by rolling out a compliant data protection program and IT security arrangements.

Whether or not these proposals will have the intended effect of becoming enforceable laws in Malaysia remains to be seen.

Myanmar

In Myanmar, data privacy obligations are scattered across several pieces of legislation protecting data through confidentiality provisions and consent requirements. This means that personal information will primarily remain protected as confidential information through contractual obligations or through private claims being brought by individuals for breaches of confidentiality.

In comparison to Singapore and Malaysia, Myanmar still has a relatively old-fashioned legal framework in respect of privacy and data protection laws. The absence of a specific legislation on data protection and the lack of a dedicated data protection authority has to date resulted in limited or no opportunities for individuals to seek information on their privacy rights or the protection of their personal data, and it also hampers their ability to seek redress or compensation in cases where such rights are violated. While the concept of personal data and protection thereof has been added to the ET Law, such addition is not comprehensive considering the changing times. We hope to see a dedicated law on data protection in line with international standards in the coming years.

With the continuous progress of society and technology, the concept of privacy has significantly transformed and evolved. From using internet services to social interactions to cloud computing, every activity requires revealing personal data. The public in Asia as in the rest of the world has increasing concern about how their personal data is being used and stored. This heightens the importance of adequately protecting personal data, which calls for legislation and enforcement.

The increased dependence on technology and an ever-increasing information boom call for the establishment of a sound data protection regime. As this discussion has noted, several Asian countries are out in front protecting their residents’ data, while others have longer to travel. To adequately protect the interests of all stakeholders (citizens, companies, and the government), the enactment and proper enforcement of data protection laws is essential.