Key changes in data privacy and cyber security laws across Southeast Asia in 2022

2022 is a milestone year for data privacy and cyber security laws developments across Southeast Asia.  We set out the key changes as follows: The new Personal Data Protection Law in Indonesia became effective on 17 October 2022. Multiple data protection guidelines have been issued to supplement the Personal Data Protection Act in Thailand, which … Read more

New guidance on the CAC security assessment for cross-border data transfer

On 31 August 2022, the Cyberspace Administration of China (“CAC“) published the Guidelines on the Application of Security Assessment of Cross-border Transfer of Data (“Guidelines“) to clarify how organisations in China can apply to CAC for a security assessment for cross-order data transfer, a requirement stipulated under the Measures for Security Assessment of Cross-border Transfer … Read more


On 20 September 2022, Indonesia’s President and House of Representatives (DPR) approved the Personal Data Protection bill following six years of deliberation. However, while the PDP bill has been approved by both the President and DPR, it has not yet been signed by the President, who is required by law to ratify the PDP Law … Read more

Privacy law reform in Malaysia: One step closer to mandatory breach notification

Currently, Malaysia does not have a data breach notification requirement under the Personal Data Protection Act 2010 (“PDPA“). One of the proposed amendments to be tabled for Parliament discussion in October 2022 is the introduction of a mandatory data breach notification regime. Proposed amendments to the PDPA are expected to be tabled at the next … Read more

Future of Consumer APAC: Confronting complexity in cybersecurity trends for the consumer sector

Cameron Whittfield and Peggy Chow discuss the latest cybersecurity trends for consumer-facing companies including external threats which may include working with third parties and complex supply chains through to the malicious targeting of companies with ransomware, current affairs and social engineering, the cryptocurrency marketplace and geopolitical factors. They emphasise the importance of internal stakeholders speaking … Read more


Under the PRC Personal Information Protection Law (“PIPL“) which became effective on 1 November 2021, a transfer of personal information outside of China requires multiple conditions to be met. Personal information can only be transferred overseas upon obtaining separate consent from the data subjects, conducting a personal information protection impact assessment (“PIA“) and complying with … Read more

Future of Consumer APAC: Data privacy in targeted advertising – Current regulatory challenges and future directions

Peggy Chow (Of Counsel, Singapore) and Kaman Tsoi (Special Counsel, Melbourne) discuss the latest regulatory trends and future directions including the use of third party tracing cookies, the overlap between privacy and competition, proposed new laws on targeted advertising and cookies in the EU, the US, Japan and Australia, facial recognition and less privacy intrusive … Read more

Transfer of personal data between Europe/UK and Asia: Key changes and practical tips

Following the publication of the new EU Standard Contractual Clauses (“SCCs“) last year and their UK equivalent at the beginning of this year, any current arrangements for transferring personal data outside of Europe or the UK (e.g. international data transfer agreements involving a European or UK party) should be revisited and updated in the coming … Read more