Editor's note: The IAPP is policy neutral. We publish contributed opinion and analysis pieces to enable our members to hear a broad spectrum of views in our domains.

The tournament of regulatory developments in Southeast Asia is in full swing, with Vietnam and Malaysia as the two top contenders this month.

Vietnam

Despite its later kickoff, the release of Vietnam's draft Personal Data Protection Law claims a top spot on the podium.

Its enactment timeline has been accelerated from October to May this year, with the law taking full effect 1 Jan. 2026.

It also knocks the ball out of the park in terms of detail:

  • It defines sensitive personal data to include any source of income and geolocation data of an individual.
  • Consent must be in a format that can be printed or copied in writing.
  • Legitimate interest is not recognized as a lawful basis for processing. Consent is needed for website/app tracking and for employee data processing — even if through a contract.
  • Data subject rights must be generally complied with within 72 hours of the request. Aside from the usual suspects, the law will also provide individuals with a right of erasure, but not of portability, of their data.
  • For automated processing, the baton of specific notification and an explanation of the impact on them must be passed to data subjects, along with the right to opt out.
  • For artificial intelligence, blockchain and virtual reality technologies, there are minimum measures organizations must adopt for cybersecurity, emergency backups and controls to prevent the misuse of AI that threatens national security and social order.
  • Organizations that engage cloud providers must include a specific marker in the contract, for such providers to comply with the law, compensate for damages, and provide audit reports.
  • Health care companies can only share personal data with service providers and insurers with the express consent of the data subject, including consent given via the contract with the data subject.
  • For minors under age 7, consent from their legal representative is required. For children between ages 7 and 15, consent from both the child and the legal representative is required — and if there is a conflict, the child's consent prevails.
  • There are prescriptive rules for social media and online communication services, including providing a do-not-track option. Calls cannot be recorded without consent. Incidents must be notified to data subjects within 72 hours, along with remedial actions taken and an assessment of risks conducted.
  • Biometric data warrants specific physical security measures including strong encryption, access controls and detection systems for potential violations.

Last but certainly not least in the highlights reel is the requirement for impact assessments to be filed for any processing or transfer of personal data from Vietnam. This must first be done within 60 days from the start of processing and updated every six months for changes. A merger or dissolution, changes in corporate information, or new services or products require immediate updating.

The authority, the Ministry of Public Security's Department of Cybersecurity and Prevention of Hi-tech Crimes, can order a cessation of transfers that threaten Vietnam's national security. While state agencies in Vietnam are exempt from these assessments, public service units or state-owned enterprises are not.

Earlier last month, Vietnam also issued a decree which increases the administrative penalties for violations of consumer data processing. The referee will give a red card for infringements involving sensitive personal data. The ground rules of the game include documenting any authorization obtained to process consumer data, requiring clear contractual protections when outsourcing its processing, ensuring sharing of personal data with third parties is with valid consent, addressing consumer complaints properly, and reporting security breaches within 24 hours.

Malaysia

In a close tie with Vietnam is Malaysia, which has hit a series of home runs in the regulatory circuit.

In pole position is its data protection officer guideline, which requires a business in Malaysia to appoint, and register, a locally residing, dual language-proficient DPO, if the business processes: personal data of more than 20,000 individuals; sensitive — including financial — data of more than 10,000 individuals; or regularly and systematically monitors personal data.

Sprinting alongside to make the qualifier rounds is Malaysia's new guideline on mandatory personal data breach reporting. If a personal data breach crosses the hurdle of likely causing "significant harm," it must be notified to the Personal Data Protection Commission.

"Significant harm" arises where a breach: could result in physical harm, financial loss, a negative effect on credit records or damage to or loss of property; can be used for illegal purposes; involves sensitive personal data; could lead to identity fraud; or is of significant scale, that is, affecting more than 1,000 individuals. Reporting to the commission must be done within a record time of 72 hours from discovering the breach, and to affected individuals without unnecessary delay.

Also making the qualifiers are three consultation papers.

The first proposes requiring data controllers to conduct a data protection impact assessment if they process personal data: that is sensitive, of more than 10,000 data subjects; for automated decision-making, of more than 10,000 data subjects; of more than 20,000 data subjects; that significantly impacts data subjects — for example, their legal rights, financial status, health, etc.; through systematic monitoring, like CCTV with profiling, in a publicly accessible area; through innovative technology use, like combining fingerprints and facial recognition; to track an individual's location or behavior; or to target vulnerable individuals such as children.

Where processing is assessed to be high risk, the controller must notify the commissioner of the data protection impact assessment using a prescribed form. It was clarified, however, that approval is not needed to carry on with the processing. Records of the assessment must be kept for at least two years, and remain available for inspection by the commissioner.

Second, the guideline on data protection by design proposes applying seven foundational principles, including requirements for the protection of children's privacy. The seven principles are: proactive not reactive, preventative not remedial; privacy as the default; privacy embedded into design; full functionality — positive sum, not zero sum; end-to-end security — full life cycle protection; visibility and transparency — openness; respect for user privacy — user-centricity.

Third, the guideline on automated decision-making and profiling proposes to confer on relevant individuals the right to refuse, the right to information, and the right to human review. There are exceptions to these rights, such as where processing is necessary for contractual performance between the individual and controller, to comply with laws, or where individuals have given prior explicit consent.

The use of AI and generative AI — whether for training or output — will be identified as an "automated decision making" tool, and subject to additional measures and requirements. Similarly, there are further standards that need to be addressed for automated decision-making using biometric data, and/or closed circuit television.

All three consultations close 19 May.

Malaysia has added yet another medal to its tally by announcing a new Data Sharing Act 2025, which imposes requirements on the Federal Government of Malaysia in respect to the sharing of data.

ASEAN

In the final lap of the race, we see a group huddle from the Association of Southeast Asian Nations, with its launch of the ASEAN Responsible AI Roadmap 2025-2030. This lays down four assessment pillars as its goal posts, namely: Internal Governance Structures and Measures, Human Centricity and Involvement, Risks and Operations Management, and Stakeholder Interaction and Communication. The roadmap aims to address ethical concerns, misinformation and bias risks of AI, but perhaps most importantly of all, gears the region up for the economic potential and social benefits of responsible AI.

With all the intense activity happening amidst the track and field that is Southeast Asian regulatory developments, it is worth pausing to remind ourselves that what we are all training for is very much a team sport.

Charmian Aw, CIPP/A, CIPP/E, CIPP/US, CIPM, FIP, is a partner at Hogan Lovells.

This article originally appeared in the Asia-Pacific Dashboard Digest, a free weekly IAPP newsletter. Subscriptions to this and other IAPP newsletters can be found here.