Editor's note: The IAPP is policy neutral. We publish contributed opinion and analysis pieces to enable our members to hear a broad spectrum of views in our domains. 

For data professionals in the Asia-Pacific region, the regulatory landscape can feel like a hospital emergency ward — new patients arriving daily, some requiring quick triage and bandaging, others needing intensive care and long-term treatment.

Over recent weeks, the region has seen a series of significant operations in the data privacy and cybersecurity space. Below is your extended medical chart on the latest developments.

Cambodia — First comprehensive privacy law undergoes initial surgery

On 23 July, Cambodia unveiled the draft Law on Personal Data Protection, its first ever comprehensive personal data protection framework. Once admitted into the statute books, the LPDP will join the medical team of seven other jurisdictions in the Association of Southeast Asian Nations already armed with comprehensive privacy laws.

The LPDP is expected to come into full effect after a two-year rehabilitation period following its promulgation — tentatively projected for later this year or early next — giving controllers and processors time to sanitize processes, apply compliance bandages, and prepare the right prescriptions for risk treatment.

Much like a doctor borrowing a proven treatment protocol, the LPDP's architecture borrows heavily from the EU General Data Protection Regulation, aiming to treat the disease of irresponsible data handling by introducing clear rules, guidelines and protective mechanisms. The LPDP applies to both domestic patients — entities in Cambodia — and foreign patients — entities outside Cambodia offering goods or services to Cambodian residents. The law exempts natural persons acting in a personal capacity and public authorities performing official duties.

The LPDP defines personal data broadly as information relating to an identifiable natural person, while sensitive personal data includes biometric and genetic data, health status, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, and sexual orientation. Interestingly, unlike the GDPR's precise genetic data definition, which limits the diagnosis to specific physiological or health contexts, Cambodia's LPDP covers all genetic data linked to identity or characteristics.

Data subjects are prescribed a full suite of rights similar to the GDPR:

  • Right to information
  • Right to access
  • Right to rectification
  • Right to erasure
  • Right to restriction of processing
  • Right to portability
  • Right to object
  • Right to remedy
  • Right to request human review of automated decisions

Treatment obligations for controllers and processors include:

  • Establishing a lawful basis for processing — consent, contractual necessity, legal obligation, legitimate interests, etc.
  • Implementing appropriate technical and organizational measures.
  • Maintaining detailed records of processing.
  • Conducting data protection impact assessments for high-risk operations.
  • Following strict procedures for cross-border transfers.
  • Notifying the regulator and affected individuals of eligible breach injuries.

One strong dose in the LPDP's treatment plan is its mandatory appointment of a certified data protection officer for all controllers and processors — no matter the size or severity of their case file. This is more aggressive than the GDPR's targeted approach and is akin to assigning a dedicated doctor to every patient, even for minor scrapes. Noncompliance could bring both regulatory injections and criminal surgical interventions.

Malaysia — Expanding the patient intake list

Malaysia's data protection authority recently circulated a reminder of its ward admission protocol: certain classes of data controllers must be locally registered and display their registration certificate prominently.

Licensed telecommunications and financial institutions, insurers, registered education providers, tourism and hospitality businesses, legal and professional services, housing developers, utilities, specified airlines, and direct selling/multilevel marketing companies are, pursuant to a Class of Data Users Order, required to register locally as personal data controllers.

Failure to comply could leave them facing a compliance wound that demands more than a simple gauze wrap — with fines, possible imprisonment, or both as the available treatments.

Indonesia — Constitutional court performs critical procedure

On 30 July, the Indonesian Constitutional Court issued Decision No. 151/PUU-XXII/2024, performing what can only be described as a key legal surgery on the criteria for mandatory DPO appointments.

Previously, the law required a DPO only if all three of these conditions were met: processing for public services; core activities involving regular and systematic monitoring on a large scale; and core activities involving large-scale processing of sensitive data or criminal data.

The court found the "and" between these conditions unconstitutional, replacing it with "and/or."

Now a patient showing any one of these three symptoms triggers the prescription for a DPO. This transforms the DPO appointment from a rare, complex operation into a more routine check-up — increasing the number of entities that will need to hire a compliance doctor.

Myanmar — Cybersecurity Law enters the hospital ward

Myanmar's Cybersecurity Law, enacted earlier this year, went into effect 30 July. It introduces a broad infection-control protocol for digital platform operators and cybersecurity service providers, including foreign ones serving local patients.

Key prescriptions include: Ministry approval for all VPNs; licensing for cybersecurity services and digital platforms with over 100,000 users; licenses valid for three to 10 years; and criminal penalties for non-compliance, acting as a strong antibiotic against unlicensed activities.

These measures aim to treat the spread of cyber infections in Myanmar's digital bloodstream, ensuring early detection and containment.

Vietnam — Stronger medication for data protection

Vietnam's new Law on Personal Data Protection takes effect 1 Jan. 2026, replacing the temporary bandage of Decree 13 with a more comprehensive, long-term solution.

The law applies to foreign entities processing Vietnamese citizens' data — even without a local operation in the country — making it a far-reaching vaccine against cross-border misuse.

Key features include:

  • Consent must be voluntary, clear and expressed in text or verifiable electronic format.
  • A new narrow exception for processing without consent to protect "legitimate or justifiable" rights or benefits.
  • Relaxation of the strict 72-hour deadline for responding to data subject requests, pending guidance from an upcoming decree.
  • Heavy administrative fines, with possible criminal sanctions and damages compensation.
  • Sector-specific prescriptions for employment, finance, advertising, artificial intelligence, blockchain, cloud computing and more.
  • Expanded rules on children, biometrics, location data, individuals with limited or lost capacity, and public surveillance activities.

This is a multi-specialist treatment plan aimed at preventing the spread of high-risk infections in data protection — the lifeblood of Vietnam's booming digital economy.

Singapore — Retiring an outdated prescription

An advisory from the Personal Data Protection Commission and the Cyber Security Agency of Singapore urges organizations to stop using full or partial national identification numbers for authentication — much like discontinuing a medicine whose side effects outweigh its benefits. This move reduces the risk of contagious identity fraud and forces organizations to sanitize their authentication procedures, finding healthier verification medications.

The APAC region's privacy environment continues to be a busy hospital ward. Data professionals are the doctors, nurses and triage teams — diagnosing risks, applying legal antiseptic, monitoring patient vitals like breach reports and DPIAs, and administering vaccines in the form of updated policies and robust governance structures.

The key takeaway from this regional check-up is to keep your compliance crutches ready, your legal wounds dressed, and your procedural heart rate monitored — because in the APAC region, the next emergency patient could arrive any minute.

Charmian Aw, AIGP, CIPP/A, CIPP/E, CIPP/US, CIPM, FIP, is a partner at Hogan Lovells.

This article originally appeared in the Asia-Pacific Dashboard Digest, a free weekly IAPP newsletter.