Data Privacy Laws In The Asian Continent – A Disintegrated Subject

This article deals with the data privacy laws already in existence in the Asian continent and the further changes these countries are planning to make in response to changing scenarios. It states that organizations and companies must now introduce stringent rules and regulations for data protection and security, and must amend the existing ones. Data is not only restricted to the home country, so proper knowledge of the laws practised in other countries is important for a broad-based view of their situation in an expanded realm.


Data privacy, or information privacy, refers to a specific kind of privacy linked to personal information that is provided in a variety of contexts. It is quite astonishing that there is no broad-based federal law for regulating it. On the contrary, it is a disintegrated legal concept.[1] It ensures that information is shared only for its intended purpose. In the contemporary scenario, mammoth volumes of data are part of daily life and a subject of scrutiny, which has started raising questions about privacy.

Data privacy is now considered a most important component, as the digital world has surged to a great extent; it is also one of the most remarkable consumer protection subjects. Adding to this is increasing technological sophistication, as a consequence of which different types of data get collected. At the paramount level, privacy is a right of citizens that must be free from all kinds of intrusion.

Data privacy is the right of citizens to have autonomy over how personal information is collected and used. Data protection is an important subset of privacy, because protecting user data and sensitive information is the first step towards keeping data safe.[2]

Data Privacy Law In India – A Fragmented Scenario

The past three to four years have witnessed many jurisdictions taking up the protection of personal data for their citizens. In India, no inclusive and systematic data protection law is in practice until now. All legal aspects of data-related provisions are dealt with under the Information Technology Act, 2000 (IT Act) and its related regulations. Various attempts were made to initiate an overarching data regulation, but none reached its culmination.

After the emergence of the EU’s General Data Protection Regulation (GDPR), different statutes along the same lines created awareness among people of the importance of protecting their data. In the last few years, many associations and companies came forward in multiple jurisdictions to prevent the violation of privacy rules and made efforts to safeguard their rights.

The historic judgment in K.S. Puttaswamy and Anr. v. Union of India and Ors.[3], which stated that the right to privacy is a fundamental right under Article 21 of the Indian Constitution, was the main reason legislators understood that they required rules and regulations for data protection that provide citizens with mandatory rights concerning their data. The Ministry of Electronics and Information Technology established a nine-member expert committee presided over by Justice B.N. Srikrishna in July 2017, which drafted a bill known as the Personal Data Protection Bill on 27 July 2018.

The bill was improved marginally and introduced in the Lok Sabha of the Indian Parliament as the Personal Data Protection Bill (PDP Bill). The bill was then sent to the Select Parliamentary Committee; until it is ratified and comes into practice, the IT Act and the associated rules will guide the protection of personal data in India. Currently, the provisions of the IT Act apply, and mainly the Information Technology Rules 2011 will be the guiding principles for data protection. But these rules apply only to bodies corporate and persons of the respective country, which means they do not extend to data related to data subjects located overseas. They deal with the protection of data that comes under the realm of sensitive information.

The PDP Bill will allow access to the analysis of data by the state, any Indian company, citizen or association incorporated under Indian law. Although it does not permit access to anonymized data, there is an exception under which some part of it must be shared by the government. It defines the concepts of “data principal” and “data fiduciary”. Natural persons whose personal data is processed are termed data principals, and a data fiduciary is the entity that regulates the means or purpose of processing the data.[4]

The loophole that has been detected in the bill is that it asks for ‘at least one serving copy’ of private data to be kept in a data centre located in India. Hence, the authorities can declare data critical and require all foreign intermediaries to physically host all user data in India.

It increased the surveillance power of law enforcement by giving easy access to personal data. A second problem is that it gives the state unprecedented power to obtain personal data for prevention, analysis, and introspection; this poses a huge threat to the right to privacy and reflects the weak system prevalent in India against state surveillance.[5]

Data Privacy Law In Other Asian Countries

The relevance of data privacy is expanding across Asia as people become more involved in the digital world. In every sphere, from social media and food delivery to mobile banking, the digital world is revolutionizing people’s lives.

The maturity of data privacy laws differs by region, and for multinational organizations compliance is now an important component, which requires comprehending the demands of different countries and cultures. The data privacy laws in different regions of Asia are given below:


China

The China Internet Security Law is implemented to strengthen national security and cybersecurity. It applies to all network operators and businesses in critical sectors; in practice it applies to all businesses in China that handle their own email or data networks. Network operators are expected to look after cybersecurity responsibilities, prevent data leaks, and report cybersecurity cases to individuals as well as to the relevant government department for the respective sector.

New provisions were added in 2018, which were controversial as they give state agencies the power to undertake inspections of companies that operate in China without their knowledge. Foreign businesses are told to store data on Chinese-directed local servers and collaborate with them, which ultimately exposes their business secrets and critical information to compromise and eliminates foreign-made goods from the market.


Japan

Japan’s Act on the Protection of Personal Information (APPI), 2003, is one of the advanced laws in the Asiatic region. In 2017, Japan took a major step towards the global trend concerning data privacy. The act applies to the analysis of information for business purposes. Before the 2017 amendment, businesses had the right to transfer private data to third parties without the direct consent of individuals; later on, Japanese companies were asked to take permission from Japan’s Personal Information Protection Committee before using it, and information is provided to third parties anonymously.

The Japanese Government and the European Commission have been working together on data privacy to make global business operationally efficient. They have formulated a proper structure for the efficient and smooth transfer of personal data between the two. The penalty for diverting data for unlawful gain is imprisonment of one year or a fine of 5,00,0000.

South Korea

South Korea has one of the strictest data protection and privacy compliance regimes in the world. The Personal Information Act gives broad-based guidance, which is augmented by sector-specific laws. In 2016, the punishment for data breaches increased. Telecom and online service providers are liable for marginal damages, gains after a breach, or have to pay a fine of around 3% of revenue if the breach includes a restricted overseas transfer. In some circumstances, senior officers of companies are held liable and, if required, could be personally exposed to penalties.

The Philippines

The Philippines also set high standards for protecting the privacy of its citizens through the rules and regulations that came into existence in September 2016. The law made it mandatory to seek consent, followed by the subject of data closures, for any kind of private-sector data exchange.

All organizations are asked to appoint a data protection officer who will look after privacy and data security. While data is being processed, third parties are told to use appropriate defences to guard personal data. In line with GDPR, the Philippines has a 72-hour data breach notification requirement, and it states the data subjects’ rights to be notified of profiling and automated decision making, and a right of data portability.

Hong Kong

Hong Kong emerged as a leader in the region for data privacy, as it has one of the best-evolved privacy laws. The Personal Data Privacy Ordinance was set up in 1995, and it protects the data of individuals. Personal data is broadly defined: it refers to any data that is associated with an individual. The law applies to all organizations that regulate, direct, or operate in or for Hong Kong, and data breach notification is at their discretion.


Malaysia

In Malaysia, the Personal Data Protection Act (PDPA) 2010, managed by the Department of Data Protection, is understood as the architecture of protection for details gathered from an individual. Primarily, the PDPA protects only against the improper use of confidential data for commercial purposes. However, it has several gaps regarding the data controller and no proper provisions to address issues of online privacy. If the personal data is from outside Malaysia, the act is not applicable.[6]

Businesses Must Take Steps Towards The Protection Of Data

The need for compliance is immensely affecting how businesses must manage personal data and handle their business processes. Security and protection of sensitive information is one of the primary responsibilities of businesses. All businesses need to be aware of the major regional data legislation that applies to them. They need to analyze their environments to ensure that they can meet current or upcoming guidelines. Non-compliance can be harmful in the long run and can cause serious damage to their corporate reputation.

If businesses have not seriously considered the strict regulation of data, they must, as this is the right time to do so, beginning with an information audit to develop awareness and to put a plan in place. Cybersecurity is one important component of data protection compliance. Organizations must make sure that they have the ability to prevent network intrusion and minimize the risk or impact of a serious breach by decreasing the time taken to identify new threats. They must be effective and quick in response.[7]


Different jurisdictions have diverse priorities for the growth of data privacy laws, but what is quite clear is a constant strengthening of data protection laws throughout the Asiatic region, and particularly a move towards the standards set by GDPR. Many characteristics of the new laws amended in this region are inspired by or borrowed from GDPR. GDPR is the most trusted data protection law in the world, of an exceptional calibre that legislators worldwide copy.

It is now very important, and increasingly troublesome, to balance compliance with the region’s data protection laws. Businesses are not limited to their home jurisdiction: as more jurisdictions acquire data protection laws with extraterritorial impact, they will also have to follow the laws of the places where their consumers or employees reside. Some jurisdictions are opting for data localization and some are restricting data from moving outside their jurisdiction.[8]

[1] Christopher Hart, “What is Data Privacy?”, NORTHERN UNIVERSITY, (Nov 26, 2019), available at https://

[2] Data Privacy, EMOTIV, available at

[3] K.S. Puttaswamy and Anr. v. Union of India and Ors., WRIT PETITION (CIVIL) NO 494 OF 2012.

[4] A regional comparison of data privacy law, ASIAN BUSINESS LAW JOURNAL,(2020).

[5] Chinmayi Arun & Berkman Klein, Three problems with India’s Draft Data Protection bill, COUNCIL ON FOREIGN RELATIONS, (Oct 3, 2018), available at

[6] Data Privacy Laws in APAC: What You Need to Know, ARUBA BLOGS, (December 06, 2019), available at

[7] Alvin Rodrigues, “The Data Protection Landscape in APAC”, FORTINET, (May 30, 2018), available at

[8] Nicholas Blackmore, “Moving towards Europe: recent trends in Asia-Pacific data protection law”, KENNEDYS, (October 07, 2019).

Anjali Kumari from Rajiv Gandhi National University of Law, Punjab

“I have a keen interest in the field of research, writing, and reading. I am quite proficient in work related to MS Word and Excel, and also have good interaction skills.”

Editor: Shailza Agarwal
