Norton Rose Fulbright - Data Protection Report blog

2019 saw continued growth and change in data protection and cyber-security across the Asia-Pacific. Following the implementation of the GDPR in May, 2018, many jurisdictions moved to review and strengthen existing data privacy and cyber-security laws. In addition, 2019 saw regulators publishing findings in respect of some of the largest data incidents of 2018. We have set out below the key highlights of the year and what to look out for in 2020.

January Singapore

Singapore’s Personal Data Protection Commission (“PDPC”) imposed the highest fines to date in respect of a cyber-attack on SingHealth’s patient database system affecting 1.5 million patients. SingHealth was fined S$250,000 as the data controller, and its contractor was fined S$750,000 for failing to take adequate security measures to protect personal data in its possession.


Japan

The European Commission adopted its adequacy decision in respect of Japan, finding that Japan provides a comparable level of protection of personal data to that in the European Union. This decision enables personal data to flow freely between the two jurisdictions without the need for additional safeguards.


Vietnam

Vietnam’s Law on Cybersecurity came into effect, giving authorities greater power to investigate users of online content and censor content published online. Data localisation requirements are also imposed on foreign service providers.


Taiwan

Taiwan’s Information and Communication Security Management Act came into effect, introducing the regulation of information and communication security management and cyber-security.

February China

China’s Draft of the Information Security Technology – Personal Information Security Specification was issued for public comment. The draft Specification updates the earlier Specification which came into effect on 1 May, 2018 and proposes further requirements in respect of personal data protection including the right to be forgotten and the right to portability. As at the date of this article, the draft Specification has been further revised but has not yet been finalised.

May Thailand

  • Personal Data Protection Act was passed with a 12-month grace period (until May 2020). The Act has extraterritorial applicability and draws on the themes of the GDPR, e.g. privacy governance framework obligations and individual rights such as data portability and the right to be forgotten. The Act also introduces a mandatory breach notification regime (72 hours).
  • Cybersecurity Act was passed, addressing cyber risks and national security. Specifically, this Act requires organisations dealing with critical information infrastructure to protect information.


China

  • Draft Measures on Cybersecurity Review were issued for public comment. The draft Measures demonstrate the Chinese government’s ongoing commitment to enhance cybersecurity and compliance requirements for supply chains in relation to critical information infrastructure.
  • Draft Measures on Administration of Data Security were issued for public comment. The draft Measures provide for a number of implementing provisions concerning aspects of data collection, data usage and processing, and data security administration. Given the specific requirements provided in the draft Measures, the Measures are likely to have a major impact on the data compliance performance of network operators once in force.

As at the date of this article, both draft Measures are yet to be finalised and there is no definitive timeline by which the final version of the Measures will be issued and implemented.


Singapore

Singapore’s PDPC released a consultation paper to seek feedback on proposed amendments to Singapore’s Personal Data Protection Act (“PDPA”), including introducing data portability and data innovation provisions. The proposed data portability provisions will give individuals more control over their personal data, while the data innovation provisions make clear that organisations will be able to use personal data for appropriate business purposes without consent.

Sri Lanka

Sri Lanka’s Ministry of Digital Infrastructure and Information Technology published the Cyber Security Bill, 2019. This Bill looks to protect vital information, essential services and critical infrastructure from cyber-attacks and proposes establishing a Cyber Security Agency, Computer Emergency Readiness Team and a National Cyber Security Operations Centre. Public consultations in respect of the Bill are still ongoing.

June Hong Kong

Hong Kong’s Privacy Commissioner for Personal Data served an enforcement notice in respect of a data incident resulting in unauthorised access to the personal data of approximately 9.4 million individuals.


China

China’s Draft Measures on Security Assessment of Cross-Border Transfer of Personal Information were issued for public comment. The draft Measures lay down stricter requirements in relation to cross-border transfers of personal data with the intention to better safeguard internet users’ rights, public interests and national security. As at the date of this article, the draft Measures have not yet been finalised.

Sri Lanka

Sri Lanka’s Ministry of Digital Infrastructure and Information Technology published the Data Protection Bill, 2019, which, if enacted, will be Sri Lanka’s first specific data privacy regime. The aim of this Bill is to protect personal data, enhance consumer confidence and ensure the growth of Sri Lanka’s digital democracy and innovation. Public consultations in respect of the Bill are still ongoing.

July China

China’s revised Draft Cryptography Law was introduced for public comment. The draft Law lays down a number of general requirements in relation to cryptography classification, usage, promotion, and protection. The draft Law also introduces specific requirements for certain Critical Information Infrastructure (CII) operators to use cryptography products or services. The final Law was promulgated on 26 October 2019 and took effect on 1 January 2020.

August New Zealand

New Zealand’s Bill amending the Privacy Act had its second reading in parliament. The Bill proposes stronger powers for the Privacy Commissioner, mandatory breach notifications and increased fines. The Bill is likely to come into force in 2020.

September Singapore

Singapore’s PDPC released a new Guide to Notification under the PDPA which contains information and examples on good practices which organisations may adopt when notifying individuals about personal data protection policies and practices. The Guide is a predecessor to impending amendments to Singapore’s PDPA to introduce a mandatory data breach notification regime in Singapore.

October Singapore

Singapore’s PDPC released a new chapter on cloud services to the Advisory Guidelines to provide clarity on the responsibilities of organisations using cloud services to process personal data in the cloud, as well as the responsibilities of cloud service providers when processing personal data on behalf and for the purposes of organisations.

November Japan

Japan’s data protection authority, the Personal Information Protection Commission, published an outline of proposed amendments to the Act on the Protection of Personal Information. The proposed amendments include extending the rights of individuals in respect of personal data that has been provided to third parties, mandatory breach reporting, and strengthening regulations relating to cross-border transfers. The draft bill is expected to be published in early 2020.

December India

India’s revised Draft Personal Data Protection Act, 2019 was published. The Draft is the subject of much discussion as, while it reflects many themes and safeguards present in the GDPR including the right to data portability and the right to be forgotten, it also permits the government to have unfettered access to protected personal data in certain circumstances, including for national security purposes.

The type and level of activity in 2019 show that the Asia-Pacific region is dynamic in terms of changes to data protection laws, and also demonstrate the different stages the various jurisdictions are at in terms of their data privacy and cyber-security regimes. Some, like Sri Lanka, are at the beginning of the journey while other regimes, like Hong Kong, have been in place since before the widespread use of the internet. However, despite these differences, the common denominators for countries in this region are that they are implementing and strengthening data privacy and cyber-security regimes and aligning them with international norms.

2020 is already shaping up to be an important year in terms of developments, with Hong Kong leading the way. Earlier this week, Hong Kong’s Panel on Constitutional Affairs released a discussion paper seeking views on proposed changes to Hong Kong’s long-standing data protection law, the Personal Data (Privacy) Ordinance (PDPO). When the PDPO was first implemented in 1995, no one could have imagined the data-driven society and social media ecosystem we live in today nor the challenges that this would bring. The changes to the PDPO proposed in the discussion paper look to address some of these issues as well as introducing mandatory breach notifications and revenue-based fines, and bringing Hong Kong’s regime more in line with international trends. For more information on the discussion paper, please read our recent article.

In addition to the developments in Hong Kong, we are looking forward to watching how data protection law evolves throughout 2020 as countries in the Asia-Pacific region continue to review, develop and strengthen their data privacy and cyber-security regimes, and keeping you updated along the way.