It’s the turn of South-East Asian countries to update their data protection laws. Here is our summary of the proposed new data protection laws in Vietnam, Malaysia and Indonesia. Organisations are advised to update their data protection compliance programmes as soon as possible to reflect these developments.
Vietnam
Vietnam issued its first draft of a new Personal Data Protection Law (“PDPL”) in September 2024, for public consultation. The PDPL is anticipated to be adopted in May 2025, and it is tentatively scheduled to come into effect on 1 January 2026. The draft PDPL aims to create a more robust framework for data protection in Vietnam by unifying, clarifying, enhancing and supplementing the existing data protection rules set out in Vietnam’s existing Personal Data Protection Decree (“PDPD”). It remains unclear how the PDPD and draft PDPL will work together in practice, although some commentators suggest the PDPL will supersede the PDPD.
In addition to setting out eight personal data protection principles, the draft PDPL focuses on discussing specific compliance requirements for a number of processing activities and industries, including direct marketing, behavioural advertising, big data, AI, cloud computing, employee monitoring and recruitment, financial and credit information, health, insurance and social media. Key highlights proposed in the draft PDPL include (this is not a comprehensive list):
- Extra-territorial effect: the draft PDPL extends the scope under PDPD to cover processing of foreigners’ personal data within Vietnam.
- Consent: like the PDPD, consent remains the key legal basis for data processing, and separate consents are required for specific data processing activities.
- Clarified definitions: the draft PDPL clarifies the distinction between ‘basic personal data’ from ‘sensitive personal data’. New definitions are also introduced, including, amongst others, ‘developers’ and ‘personal data protection organization’. The data protection authority – currently known as A05 – would change its name if the draft PDPL is implemented.
- Updates to DPIA/TIA dossier filings: the now-familiar data processing impact assessment dossiers (“DPIA Dossiers”) for controllers and processors and transfer impact assessment for transferors (“TIA”) would have to be updated upon certain material change to the organisation were the draft PDPL to be implemented.
- Data protection department: companies would be required to have a data protection department overseeing personal data processing (although this could be outsourced to external service providers), as well as an expert (like a DPO) meeting certain eligibility criteria, with an initial short-term (two-year) exemption for new small businesses.
- Certification mechanism: the draft PDPL would introduce a data protection certification scheme, whereby certain organisations could earn trust ratings based on an assessment of their personal data protection practices.
- Breach reporting deadlines: the timescale for notifying authorities of breaches of personal data protection regulations is clarified as being 72 hours.
Malaysia
Significant changes to Malaysia’s Personal Data Protection Act (“PDPA”) were recently passed via the Personal Data Protection (Amendment) Act (subject to royal assent), and are anticipated to come into effect soon. The PDPA is now quite old (first passed in 2010), and so the amendments are largely to update the Malaysia data protection framework, to align it with more modern data protection laws elsewhere in Asia. The key amendments are:
- mandatory breach notification;
- mandatory appointment of DPOs;
- direct obligations on data processors;
- data portability rights for data subjects;
- change of “data user” terminology to the more familiar “data controller”;
- expanding sensitive personal data to include biometric data;
- removing rights of deceased individuals re their personal data;
- increased penalties (now fines of up to MYR1,000,000 and/or imprisonment of up to three years); and
- updating the cross-border data transfer framework, to remove the “whitelist” of approved jurisdictions, and instead allowing transfers to jurisdictions with equivalent standards of protection.
Besides the amendments to the PDPA, the Commissioner will develop guidelines to supplement the PDPA. The guidelines will cover areas including data breach notification, appointment of data protection officer, data portability, cross border data transfer, data protection impact assessment, privacy by design, and profiling and automated decision making.
Indonesia
Finally, a reminder that Law No.27 of 2022 on Personal Data Protection (“PDP Law”), Indonesia’s first omnibus data protection law, came into full effect, after a two-year grace period, on 17 October 2024. For further information about the compliance obligations introduced by the PDP Law, please see our earlier updates Indonesia: prepare now for the new Personal Data Protection Law | Privacy Matters and INDONESIA: Personal Data Protection Law PDPL Now in Force | Privacy Matters.