IT News
2024-12-05
From Singapore to Indonesia: A summary of Southeast Asia's privacy laws

In order to provide services overseas, it is essential to comply strictly with each country's personal data protection laws. The ideal approach is to set up a separate database (DB) in each country to store that country's customer data, but this is difficult in practice, so you must instead satisfy the laws and regulations governing the 'cross-border transfer of personal data'.

Cross-border transfer rules specify the requirements that must be met before the personal data of a country's citizens can be moved to or stored in another country, and their purpose is to protect that data. Some countries, notably China and Russia, apply these rules very strictly, but most countries either guarantee a certain level of data protection or allow international transfers once specific conditions are met.

Korea's Personal Information Protection Act

Korea's Personal Information Protection Act is modeled on the OECD Privacy Guidelines adopted in 1980. Those guidelines are the standard that also shaped the EU Data Protection Directive (the predecessor of the current GDPR, the General Data Protection Regulation), so Korean law reflects international norms.

Accordingly, Korea's law is designed to cover the whole personal data protection lifecycle, including the rights of access, rectification, erasure and restriction of processing. In other words, complying with Korea's personal data protection law has broadly the same effect as complying with international standards.

Furthermore, in some areas, such as managing access records and preparing a privacy policy, Korea is considered to apply stricter standards than other countries.

US and Southeast Asian Privacy Laws

Not every country in the world has a privacy law.

For example, the United States has no unified privacy law at the federal level. Instead, NIST (the National Institute of Standards and Technology) publishes standards related to the protection of personal information, and companies adopt them on a voluntary basis. Because civil lawsuits in the US can result in very large damages, companies there tend to establish and operate strong security policies of their own accord.

In this article I will look at Southeast Asia's privacy laws rather than the GDPR (General Data Protection Regulation), which is discussed often enough already. Five countries in Southeast Asia have adopted standalone privacy laws: Singapore, Malaysia, Thailand, the Philippines, and Indonesia. In the other countries there are only enforcement ordinances relating to the protection of personal data, or only a few provisions in the constitution, and in many cases no standalone law has been enacted.

For more information on the personal data protection laws and related legislation of Southeast Asian countries, see the World Legal Information Center (https://world.moleg.go.kr).

1. Singapore

Singapore enacted its Personal Data Protection Act (PDPA) in 2012 and amended it in 2020 to strengthen the obligations of organisations that process personal data. One notable feature of this law is that it does not explicitly provide certain rights, such as the right to erasure, the right to object, and the right to restrict processing.

Singapore's law also imposes relatively limited penalties for violations. Penalties are imposed only when a personal data breach actually occurs, and no case is known in which legal sanctions were applied in any other situation. This is regarded as a practical, pragmatic approach, on the reasoning that there is no harm to address unless a personal data breach occurs.

On the other hand, the PDPA applies strict conditions to the transfer of personal data. A transfer is permitted only if the destination country provides a standard of protection comparable to, or higher than, that under Singapore's law.

💡Transfer of personal data outside Singapore 26.—(1) An organisation must not transfer any personal data to a country or territory outside Singapore except in accordance with requirements prescribed under this Act to ensure that organisations provide a standard of protection to personal data so transferred that is comparable to the protection under this Act. (2) The Commission may, on the application of any organisation, by written notice exempt the organisation from any requirement prescribed pursuant to subsection (1) in respect of any transfer of personal data by that organisation. (3) An exemption under subsection (2)—(a) may be granted subject to such conditions as the Commission may specify in writing; and (b) need not be published in the Gazette and may be revoked at any time by the Commission. (4) The Commission may at any time add to, vary or revoke any condition imposed under this section.

2. Malaysia

Malaysia enacted its Personal Data Protection Act in 2010 and brought it into force in November 2013. An amendment was then announced in July 2024 to bring the law up to global standards, and it includes relaxed rules on the international transfer of personal data. The Act is modeled on the EU Data Protection Directive, the predecessor of the GDPR, and spells out in more detail the procedures for exercising data subject rights and the obligations of businesses.

Key changes include:

  1. Obligation to appoint a data protection officer (DPO): Companies operating in Malaysia must appoint a DPO.
  2. Obligation to give clear notice when personal data is disclosed: If personal data is provided to a third party, this must be clearly notified in the national language (Malay) and in English.
  3. Increased penalties for violating the law: A violation may be punished with a fine of up to 300,000 ringgit (approximately 90 million won) or imprisonment for up to 2 years.
  4. Relaxation of the rules on international transfer of personal data: Previously, transfers were permitted only to places specified by the Minister, and because no such list was ever gazetted, overseas transfers were effectively prohibited; the 2024 amendment abolished that mechanism. Transfers are now permitted where the destination has a law substantially similar to the Malaysian Act or otherwise ensures an "adequate level of protection" for the personal data.

These changes reflect Malaysia's efforts to keep pace with global data protection standards while creating a business-friendly environment.

💡Transfer of personal data to places outside Malaysia 129. (2) For the purposes of subsection (1), the Minister may specify any place outside Malaysia if—(a) there is in that place in force any law which is substantially similar to this Act; or (b) that place ensures an adequate level of protection in relation to the processing of personal data which is at least equivalent to the level of protection afforded by this Act.

3. Thailand

Thailand enacted its Personal Data Protection Act (PDPA) in 2019, and it came fully into force in June 2022. Since then the rules on personal data protection have been further strengthened and refined, with a revision in January 2024 that used the GDPR as its model.

Thailand's PDPA provides a range of rights, including the rights of access, erasure, restriction of processing, objection, and data portability. The names of the individual rights follow Thai law, but in substance they match the concepts used in Korea and internationally.

In particular, the consent of the data subject is required when collecting personal data, although collection without consent is possible in some exceptional cases. For example, personal data may be collected without consent where this is necessary to perform a contract to which the data subject is a party, or to take steps at the data subject's request before entering into a contract.

When personal data is transferred abroad, the destination country or international organisation must have an adequate standard of data protection. However, if one of the following conditions is met, a transfer is also permitted to a country that does not meet that standard:

  1. Where it is necessary for the performance of a contract to which the data subject is a party, or in order to take steps at the request of the data subject prior to entering into a contract
  2. Where it is necessary for compliance with a contract between the data controller and other persons for the benefit of the data subject

Violations of Thailand's PDPA are handled mainly through administrative fines: a breach of the transfer rules can draw a fine of up to 3 million baht (approximately 110 million won), while criminal penalties are reserved for a narrow set of offences involving sensitive personal data.

💡Section 28 In the event that the data controller sends or transfers personal data to a foreign country, the destination country or international organization that receives such personal data shall have an adequate data protection standard, and the transfer shall be carried out in accordance with the rules for the protection of personal data prescribed by the Committee under section 16 (5), except in the following circumstances: (3) where it is necessary for the performance of a contract to which the data subject is a party, or in order to take steps at the request of the data subject prior to entering into a contract; (4) where it is for compliance with a contract between the data controller and other persons or juristic persons for the interests of the data subject;

4. Philippines

The Philippine Constitution already guaranteed the individual's right to privacy, but for more comprehensive protection of personal data the Data Privacy Act was passed and signed into law in August 2012. The law was designed with the EU Data Protection Directive, the predecessor of the GDPR, as its model, and Implementing Rules and Regulations were issued in 2016 to set out concrete operating standards. These rules cover details such as how to obtain consent when collecting personal data, how the rights of data subjects are guaranteed, and which security measures are required.

A distinctive feature of the Philippine law is that it places no specific restrictions on the transfer of personal data abroad. Compliance with the cross-border transfer conditions of the ASEAN Data Management Framework (DMF) and the ASEAN Model Contractual Clauses (MCCs) is recommended, but it is not mandatory.

5. Indonesia

In Indonesia, the legal provisions on the protection of personal data used to be scattered across the laws of individual sectors. To consolidate these scattered rules, a general Personal Data Protection (PDP) Law was enacted in 2022, and it has been fully in force since 2024.

The new PDP Law does not abolish or replace all the existing sector-specific laws; where the laws and regulations conflict, however, the newly enacted PDP Law takes precedence.

The law specifically requires the appointment of a data protection officer (DPO) when personal data is processed for the purpose of public services. Notably, the DPO may be either an internal employee or an external appointee.

Indonesia's rules on transferring personal data abroad are relatively strict. A transfer is permitted where the destination country's legislation provides a level of protection equal to or higher than that required by the Indonesian PDP Law. If that condition is not met, the controller must ensure that adequate and binding protection for the personal data is in place; and only if neither condition can be satisfied may the transfer proceed, and then solely on the basis of the data subject's consent.

Because the law only took full effect in 2024, no administrative enforcement cases have been reported so far. Future enforcement trends and the accumulation of case law will be worth watching.

💡 Article 56 (1) A Personal Data Controller may transfer Personal Data to Personal Data Controllers and/or Personal Data Processors outside the jurisdiction of the Republic of Indonesia in accordance with the provisions of this Law. (2) In conducting the transfer of Personal Data as referred to in paragraph (1), the Personal Data Controller must ensure that the country in which the Personal Data Controller and/or Personal Data Processor receiving the transfer is domiciled has a level of Personal Data Protection equal to or higher than that provided under this Law. (3) In the event that the provisions referred to in paragraph (2) are not met, the Personal Data Controller must ensure that adequate and binding Personal Data Protection is in place. (4) In the event that the provisions referred to in paragraphs (2) and (3) are not met, the Personal Data Controller must obtain the consent of the Personal Data Subject. (5) Further provisions regarding the transfer of Personal Data shall be regulated by Government Regulation.

At the end

Around the world, personal data protection laws are evolving in different forms that reflect each country's legal and social environment. Southeast Asian countries have introduced privacy laws by reference to international standards such as the GDPR, but the level of regulation and the way it is applied differ from country to country. For example, Singapore and Malaysia emphasize a pragmatic approach and operate relatively flexible regimes, whereas Indonesia regulates cross-border transfer requirements strictly.

Companies that want to enter the global market must analyze each country's personal data protection law thoroughly and design their data processing and management practices in advance on that basis. In countries with strong international transfer rules in particular, it is necessary either to raise the level of data protection to that required by the applicable law or to consider establishing a database within that country. It is also important to put in place the technical and administrative measures needed to meet legal requirements, such as designating a data protection officer (DPO), strengthening consent procedures, and encrypting data.

Therefore, in addition to working with local legal experts, a business can only operate stably if it continuously monitors each country's regulatory trends and formulates response strategies accordingly.