A warm hello to my fellow privacy professionals.

When it rains, it pours.

This is true not just of the torrential downpours we experienced here in Singapore over December and a good half of January, but also of recent privacy developments across the Asia-Pacific region.

I wanted to flag just a couple coming out of Southeast Asia — or ASEAN.

On 16 Jan., Singapore released a consultation paper to elicit feedback on a proposed updated model governance framework for generative AI. The framework covers nine "dimensions" which intersect closely with data and privacy. At the turn of the year, we saw Singapore publish a public consultation on a seminal health information bill, which proposes to impose a slew of data security and incident reporting obligations on health care institutions. This follows an earlier update to its privacy guidelines for the health care sector last year, to guide Singapore's Personal Data Protection Commission's interpretation and enforcement of the nation's comprehensive privacy law, the Personal Data Protection Act, as applicable to its thriving health care industry. The sector is highly digital — in fact, it is in the process of fully rolling out its National Electronic Health Records system, which will centralize patient records across health care providers while maintaining high privacy and security standards. The updated guidelines reflect the impact of digitalization on health care and provide specific case examples for when express patient consent is needed, versus when it may be implied, as well as when alternative bases to consent, particularly legitimate interests and business improvement, could apply — whether that be for medical care, referrals, quality assurance, teaching, marketing, emergencies or even corporate transactions.

The Philippines' proactive regulator, the National Privacy Commission, published consultation papers seeking public feedback on any privacy concerns pertaining to automated data scraping which involves collecting publicly accessible personal data, as well as on a proposed circular on closed-circuit television systems. Another circular was issued clarifying the NPC's guidelines on legitimate interests as a basis for processing personal data. The release follows a recent NPC enforcement decision related to a publicly listed company that successfully sought to rely on legitimate interests in processing employee information in certain statements of disclosure for purposes of corporate regulatory compliance monitoring — in this case, for potential conflicts of interest concerning its shareholders.

In a similar vein, Thailand, too, has been bustling with activity in recent months. The Personal Data Protection Commission published a circular setting out "suitable measures" for protecting data subjects' rights and freedoms in cases where their data is processed without consent, including where such processing is of sensitive data necessary for compliance with the law or for scientific, historical, or research purposes in the public interest. Thailand's commission also published a set of Guidelines for Safeguarding Personal Data relating to Criminal Records, which are slated to take effect 8 April. Among other things, these guidelines require explicit consent prior to processing certain sensitive criminal records of individuals. The PDPC also issued guidelines on requirements for collecting personal data for research and statistical purposes, which will become effective 7 April. On Christmas Day 2023, a regulation was unveiled for cross-border data transfers from Thailand, requiring an adequate level of protection by the recipient country or organization, or appropriate safeguards to be in place, such as intragroup binding corporate rules, standard contractual clauses or specified certification.

Finally, on 17 Jan., Malaysia's Digital Minister announced that the country's Personal Data Protection Act 2010 will be amended significantly this year to introduce requirements and implementing guidelines pertaining to cross-border data transfers, notification of data breaches, data protection officer appointments, data portability, privacy impact assessments, privacy by design and automated decision-making.

Needless to say, 2024 is once again looking to be a hotbed of activity for APAC. Here's to a rejuvenating year ahead.