2025 is germinating into an extremely ripe and robust year for privacy globally. Many of us in Asia will soon usher in the Year of the Snake with a mushrooming of regulatory developments in data protection, cybersecurity and artificial intelligence governance. Thankfully, we have these IAPP notes and digests to take root from, which water us with up-to-date news as they flower across the region and beyond.
As the sun rose 1 Jan., we saw Malaysia's amended Personal Data Protection Act come to fruition. A second harvest of requirements will blossom 1 April, including the cultivation of "sensitive" biometric data, the term "data controller" in lieu of "data user," obligations for data processors to comply with the security principle, as well as rules affecting cross-border personal data transfers from Malaysia overseas.
By 1 June, we will see mandatory requirements become fertile pertaining to the appointment of a data protection officer, breach notification and data portability. Regulatory guidelines are likely to shed light on how organizations are expected to comply ahead of the sprouting of these amendments. Noncompliance could sow fines of up to MYR250,000, imprisonment for up to two years, or both. With this burgeoning of a new landscape in Malaysian data privacy, organizations have less than six months to get their garden plots in order for the revised law.
Meanwhile, as we continue to wait for Indonesia's implementing regulation to its Personal Data Protection Law to form buds, an official English version of the law itself has surfaced in publication.
Following the planting of seeds in October 2024, with a public consultation on proposed exemptions from the need to create records of processing activities, January saw the blooming of these rules in Thailand. These are grounded in a data controller or processor not crossing certain small and medium enterprise thresholds based on sector, headcount and revenue, or stem from its being a social enterprise, cooperative union, nonprofit organization, household business or other similarly exempted entity.
The turn of the year also saw the emergence of guidelines in the Philippines on the applicability of its Data Privacy Act to AI. From these rules sprang the need for transparency toward data subjects when using their personal data for AI development or deployment, accountability via demonstrable measures and governance mechanisms, fairness, accuracy, data minimization, and adherence to lawful bases and honoring data subject rights.
When it rains, it pours. Just two days ago, Singapore issued a code of conduct for online safety applicable to designated app platforms. A sprinkling of obligations imposed by this code include implementing age assurance measures to ascertain if a user is a child, and system-level measures such as community guidelines and user reporting mechanisms, as well as reviewing apps to address specified online harms such as sexual content, cyberbullying, self-harm and violence. When directed by the Infocomm Media Development Authority, the platform must disable access by its Singapore users to the offending content. This code will pollinate from 31 March.
We wish all our readers a flourishing year ahead.
Charmian Aw, CIPP/A, CIPP/E, CIPP/US, CIPM, FIP, is a partner at Squire Patton Boggs.
This article originally appeared in the Asia-Pacific Dashboard Digest, a free weekly IAPP newsletter. Subscriptions to this and other IAPP newsletters can be found here.