Having just buoyed home from the IAPP Global Privacy Summit 2025 in Washington, D.C., this week's edition will be anchored on the haul of treasure gathered.
This year's conference offered an ocean of deep and vast topics that swept me away. I had the pleasure of participating in sessions most directly relevant to Southeast Asia, one titled "Headwinds from the East: the Now and Future of Data Protection in APAC," and another on artificial intelligence in Asia with excellent speakers, including a regulator and policy think tank the Future of Privacy Forum.
Our audience was fully on board, and we got a strong wave of questions. We dove deep into areas involving regulatory developments in Indonesia, the Philippines, Singapore and Vietnam, including data protection officer registration requirements, cross-border data transfers, breach notification, and enforcement against U.S. multinational corporations given the current shifting sands of geopolitics and geoeconomics.
Other noteworthy developments in Southeast Asia that have surfaced recently:
• Thailand's Office of Insurance Commission set sail 11 April a public consultation on draft principles to amend its Notifications on Guidelines for Customer Personal Data Protection for life and non-life insurance businesses. These companies need to obtain consent for requesting the OIC to: disclose personal data on a customer's insurance policy for an underwriting or claims consideration; disclose sensitive personal data on a customer's insurance policy for an underwriting or claims consideration; or disclose sensitive data on a customer's behavior for fraud monitoring, risk management, and assessing and preventing insurance fraud risk for underwriting or claims payment. Non-life insurance companies are further required to publish on their websites a privacy notice and summary for each type of insurance policy. The manifest also contains prescribed forms for obtaining consent for processing sensitive data.
• Malaysia made a splash earlier this week with the docking of its Cross Border Personal Data Transfer Guidelines. These specify that overseas transfers are only permitted if made to a destination with a substantially similar law or that accords an adequate level of protection comparable to Malaysia's, or an exception applies — such as with consent or for contractual necessity — so long as there are contractual, certification or impact assessment safeguards. Also, Malaysia's Data Sharing Act, which lays down a charter for sharing of data among public agencies, took effect 28 April.
As we drift further into the second quarter of a year with undercurrents of high tidal activity rippling across Southeast Asia, it's important to keep afloat, at times over calm, but other times choppy, waters.
Yet, like the beacon of a lighthouse that is GPS25, our growing global community is a trusty crew on a ship, well-equipped with life jackets and rescue boats that enable us to navigate and steer into what lies ahead.
Charmian Aw, CIPP/A, CIPP/E, CIPP/US, CIPM, FIP, is a partner at Hogan Lovells.
This article originally appeared in the Asia-Pacific Dashboard Digest, a free weekly IAPP newsletter. Subscriptions to this and other IAPP newsletters can be found here.