With the year 2022 firmly in the rear view, and as we look to start the new year in 2023, Norton Rose Fulbright’s Regulatory Compliance and Investigations team looks back and rounds up the five key cyber and data protection developments that took place in Southeast Asia in 2022.
- Privacy developments in Singapore – enhanced financial penalties under Personal Data Protection Act 2012 (Singapore PDPA), Singapore Court of Appeal clarifies right to private action under PDPA and Singapore High Court holds IT vendor liable and awards SGD 8.7m in damages to its customer over data leak
Enhanced financial penalties under the Singapore PDPA
On 1 October 2022, the enhanced financial penalties under the Singapore PDPA, which were first introduced with the amendments to the PDPA in 2020, came into effect.
Under section 48J of the Singapore PDPA, the Personal Data Protection Commission (PDPC) can now impose financial penalties on organisations of up to SGD 1 million or 10% of an organisation’s annual turnover in Singapore, whichever is higher, for breaches of the Data Protection Provisions under the Singapore PDPA.
Previously, the PDPC could only impose financial penalties of up to SGD 1 million for breaches of the Data Protection Provisions under the Singapore PDPA.
With the coming into force of the enhanced financial penalties, the PDPC also issued updates to its Advisory Guidelines on Enforcement of Data Protection Provisions and Guide on Active Enforcement on 1 October 2022.
Singapore Court of Appeal clarifies right to private action under the Singapore PDPA
In a related development, in September 2022, the Court of Appeal in Singapore handed down a significant decision in Reed, Michael v Bellingham, Alex (Attorney-General, intervener)  SGCA 60, clarifying that emotional distress can constitute “loss or damage” required to found a statutory right to private action under the Singapore PDPA. Read more about this development in our article: Singapore’s Court of Appeal Clarifies Right of Private Action under Singapore’s Personal Data Protection Act | Global law firm | Norton Rose Fulbright
Singapore High Court holds IT vendor liable and awards SGD 8.7m in damages to its customer over data leak
In November 2022, the Singapore High Court found an IT vendor liable for a data leak suffered by its customer, a major gaming company, and awarded SGD 8.7 million in damages to the customer.
The data breach involved shipping information and order details of thousands of customers worldwide being leaked online. Among other things, the Singapore High Court held that the losses incurred by the IT vendor’s customer from paying the cyber-security consultant who discovered the breach, appointing a cyber forensic expert to investigate the incident, and engaging global law firm Norton Rose Fulbright to deal with data protection authorities, were recoverable by the customer.
- Review of Singapore’s Cybersecurity Act 2018 and publication of report by Singapore government task-force on ransomware
In March 2022, the Cyber Security Agency of Singapore (CSA) announced that it was embarking on a review of the Cybersecurity Act 2018. Among other things, the CSA indicated that it would consider expanding the Cybersecurity Act 2018 to “improve awareness of threats over Singapore’s cyberspace, protect virtual assets (e.g. systems hosted on the cloud) as CII if they support essential services”. The review would also cover “foundational digital infrastructure and key digital services” in addition to focusing on critical information infrastructure (CII) sectors. The CSA indicated that it will conduct a public consultation on proposed changes to the Cybersecurity Act 2018 in 2023.
In a related development, in November 2022, the Singapore government’s inter-agency Counter Ransomware Task Force (CRTF) published its first report setting out its findings and recommendations for the Singapore government to effectively deter and secure Singapore from ransomware attacks. Among other things, the CRTF’s report established Singapore’s national position on ransom payments, which is that payment of ransom to ransomware attackers is strongly discouraged. The report also noted that the payment of ransom to ransomware attackers could, under certain circumstances, contravene the Terrorism (Suppression of Financing) Act 2022, which criminalises the financing of terrorist acts. Accordingly, CRTF recommends that government agencies and CII owners notify the CSA and Singapore Police Force immediately in the event of a ransomware attack before any ransom payment is made.
- Malaysia announced changes on personal data protection
In August 2022, Malaysia announced that it would be introducing amendments to Malaysia’s Personal Data Protection Act 2010 (Malaysia PDPA). Among other things, the amendments to the Malaysia PDPA were expected to include an obligation for all data users to appoint a data protection officer, and a mandatory data breach notification obligation. These changes were announced following the recent spate of high profile data breaches in Malaysia.
These amendments were intended to be tabled before the Malaysia Parliament in October 2022. However, this did not occur and Malaysia has since seen a change of government following a general election held in November 2022. It is unclear if the proposed changes to the Malaysia PDPA will be adopted and put before the Malaysian Parliament by the new government.
- Thailand enacts new data privacy law and expands cybersecurity laws
In June 2022, Thailand’s Personal Data Protection Act B.E. 2562 (2019) (Thai PDPA) came into effect.
The Thai PDPA stipulates the rights of, and the general protections afforded to, data subjects, as well as the requirements for the collection and cross-border transfer of personal data. Breaching the Thai PDPA could result in civil liabilities, criminal penalties or administrative fines. Read more about this development in our article: Overview of Thailand Personal Data Protection Act B.E.2562 (2019) | Global law firm | Norton Rose Fulbright
In a related development, Thailand’s National Cyber Security Agency (NCSA) announced plans to expand the enforcement of its standard framework of security requirements. 120 organisations linked with CII stipulated by the Cybersecurity Act will be directed to comply with the standard framework by the end of 2023, a significant increase from the current 60 organisations required to do so.
- Indonesia enacts new data privacy law
After years of deliberation and a spate of high-profile data breaches in recent months, Indonesia has enacted the Personal Data Protection Law (PDP Law) in September 2022. This piece of legislation is closely modelled after the European Union’s General Data Protection Regulations and modernizes Indonesia’s privacy landscape.
The PDP Law has a far-reaching scope and applies to individuals, corporations, public institutions and international institutions that control and/or process personal data. It sets out the rights of personal data subjects, the lawful grounds for the processing of personal data and the requirements for cross-border personal data transfer.
The PDP Law also holds local businesses and international companies liable for the improper handling of the data of Indonesian customers. A corporate fine of up to 2% of a company’s annual revenue can be imposed for data leaks. Additionally, individuals can face a fine of up to 6 billion rupiah (USD 400,000) for violating the PDP Law provisions.
While the PDP Law includes a two-year adjustment period after its enactment i.e. by October 2024, no details are provided as to how violations will be addressed during this period.
Read more about this development in our article: Indonesia passes the long awaited Personal Data Protection Law | Indonesia | Global law firm | Norton Rose Fulbright
Looking forward to 2023
With cyber-attacks increasing in frequency and severity, states as well as corporates are becoming increasingly cognizant of the need to implement adequate safeguards to protect data – both personal data and business sensitive information. The trend of threat actors targeting high-profile targets, becoming more organized and employing increasingly sophisticated methods to conduct cyber-attacks will likely continue.
Managing cyber and data risk will need to be the priority of all boards of directors for 2023 – if it is not already front of mind. This will nevertheless be a challenge for corporates as they navigate economic headwinds while facing the need to continue to invest in resources in order to develop and improve on robust cybersecurity and data protection programs.
Therefore, it is time for corporates to start devising strategies with trusted advisors and consultants (including legal advisors) to implement and execute roadmaps to achieve cyber resilience and safeguard data entrusted to them by their business partners, customers and employees.
 Razer (Asia-Pacific) Pte Ltd v Capgemini Singapore Pte Ltd  SGHC 310
 The CRTF comprises senior government representatives from cybersecurity, financial regulation, technology and law enforcement domains whose mandate is to develop and make recommendations on countering ransomware.