Thirty-one jurisdictions. Every one addressed with precision and authority.
This is the most exhaustive Asia-Pacific data privacy guide produced by any Indian law firm. It covers every jurisdiction across South Asia, South-East Asia, North-East Asia and the Pacific — from India's DPDPA and China's PIPL to Vietnam's Decree 13/2023, Malaysia's amended PDPA, Sri Lanka's new statute, Macau's EU Directive-aligned framework and the Pacific Island states with no statute at all. Every jurisdiction is addressed on its own terms. Every India-APAC corridor is analysed in full. The legal position is stated as at April 2026.
Thirty-one jurisdictions. The Asia-Pacific region's personal data protection landscape has been transformed in five years. Most of it is now governed by enforceable law.
When India enacted the Digital Personal Data Protection Act in August 2023, it did not do so in isolation. It did so in the context of a region in which legislative development had been accelerating for a decade, and in which every major economy had recognised — at different speeds and with different degrees of urgency — that personal data collected at scale, processed without accountability and transferred without restriction causes harm that requires a legal remedy. The Asia-Pacific region's collective response to that recognition is now embodied in thirty-one separate legal frameworks, ranging from China's three-statute architecture and South Korea's granular consent regime to Australia's statutory tort of privacy and New Zealand's universal-scope Privacy Act, to the draft bills still working their way through the legislative systems of Pakistan, Bangladesh and Cambodia, to the blank spaces that remain in Mongolia, Laos, Myanmar, Papua New Guinea and the Pacific island states.
This guide does not gloss over those blank spaces. A guide that covers only jurisdictions with comprehensive statutes in force leaves practitioners without the information they need when a client asks about transferring personal data to a country where no statute exists. The honest answer — that no comprehensive statute applies, that the risks are characterised by the absence of legal obligation rather than by the content of one, and that contractual safeguards and due diligence become the primary compliance tools in such jurisdictions — is itself a legal position that must be stated clearly.
AMLEGALS is India's specialist DPDPA practice. The India chapter of this guide is our core territory. The remainder of the guide reflects the regional advisory work we undertake when our clients' data flows extend beyond India into the broader Asia-Pacific region. Where India intersects with another jurisdiction — and the intersection tab of this guide addresses each major corridor individually — the legal analysis is shaped by the DPDPA and by the specific obligations it imposes on data fiduciaries and processors operating across borders.
India
Presidential assent 11 August 2023. DPDP Rules notified 13 November 2025. Data Protection Board constituted; full enforcement from 13 May 2027. Extra territorial scope under Section 3(b). Negative list transfers under Section 16. Penalty up to ₹250 crore per violation. Two lawful bases only: consent and legitimate use. No legitimate interests basis.
DPB Constituted · Enforcement from 13 May 2027
Sri Lanka
Enacted 19 March 2022. Extra territorial scope. GDPR aligned lawful bases including legitimate interests. Data Protection Authority of Sri Lanka forming. Data subject rights comprehensive. Cross border transfers require adequate protection or consent. Enforcement expected once Authority operational.
Enacted · Authority Forming
Pakistan
Personal Data Protection Bill has been through multiple drafts since 2018. Not enacted as at April 2026. PECA 2016 criminalises data-related offences. State Bank, PTA and SECP issue sector specific data governance requirements. Draft Bill 2023 proposes GDPR-style framework with Data Protection Authority.
Draft Stage · Not Enacted
Bangladesh
Cyber Security Act 2023 (replacing the Digital Security Act 2018) contains limited data provisions. Personal Data Protection Act draft circulated 2023, not enacted. ICT Division developing comprehensive framework. Significant jurisdiction for Indian BPO sector. No supervisory authority.
Draft Stage · Not Enacted
Singapore
Mandatory breach notification within 3 calendar days to PDPC. Legitimate interests exception from 2020 amendments. Maximum SGD 1 million or 10% of annual Singapore turnover. Transfer provisions in the Personal Data Protection Regulations 2021. PDPC most active enforcement authority in ASEAN. CBPR participant.
PDPC Active · Comprehensive Enforcement
Thailand
GDPR aligned in architecture and substance. Full range of GDPR lawful bases. Explicit consent for sensitive categories. 72-hour breach notification. Statutory tort available. Criminal sanctions. PDPC enforcement commenced 2024.
PDPC Active · Criminal Sanctions
Vietnam
Administered by Ministry of Public Security. Two-tier data classification: basic and sensitive. Consent primary basis. Impact assessment required for cross border transfers of prescribed categories. Without-delay breach notification. Critical jurisdiction for Indian BPO industry.
In Force · MPS Administering
Indonesia
Fourth most populous country in the world. Two-tier data classification. Breach notification within 3x24 hours (72 hours). Equivalent-protection standard for cross border transfers. Supervisory Authority forming. Criminal fines up to IDR 6 billion for individuals, IDR 60 billion for corporates; administrative fines up to 2% of annual revenue. Indian BPO exposure significant.
Fully Operative October 2024
Philippines
Extra territorial scope. NPC registration required above threshold. 72-hour breach notification. Adequate safeguards required for cross border transfers. Active NPC enforcement with published decisions. Criminal penalties including imprisonment.
NPC Active · Criminal Penalties
Malaysia
72-hour breach notification introduced by the 2024 amendments. Direct processor obligations from 2024. Approved countries whitelist removed by the 2024 amendments; transfers to India require a destination law substantially similar to the PDPA or adequate protection, or an exception such as consent. Penalties up to MYR 1 million. Department of Personal Data Protection active.
Amendment Act 2024 In Force
Brunei
PDPO enacted 2021. Administered by Autoriti Perlindungan Data Peribadi. Consent required. Comparable protection standard for cross border transfers. Limited enforcement activity as at April 2026; small jurisdiction with a population of approximately 450,000.
Operative · Limited Enforcement
Myanmar
Electronic Transactions Law 2004 and 2021 amendment contain limited data provisions. Cybersecurity Law 2021 primarily a state surveillance instrument. Legislative development suspended following February 2021 military coup. No comprehensive statute foreseeable in near term.
No Statute · Political Uncertainty
Cambodia
Sub-Decree on E-Commerce 2019 contains limited data provisions. Personal Data Protection Law under development by Ministry of Interior. No enactment as at April 2026. Limited digital economy scale. No supervisory authority.
Draft Stage
Laos
Law on Electronic Data Protection 2017 limited to electronic transactions context. No comprehensive personal data protection statute. No supervisory authority. Government has referenced need for framework in national ICT plans.
No Comprehensive Statute
Timor-Leste
No comprehensive personal data protection statute. Constitution contains privacy provisions. Information and Communication Technology regime under development. No supervisory authority and no draft legislation publicly available as at April 2026.
No Statute
China
Three interlocking statutes. Security assessment, certification or standard contract for cross border transfers. Security assessment mandatory above volume thresholds and for CIIO operators. Localisation for CIIO operators. CAC active enforcement. Penalty up to RMB 50 million or 5% of annual turnover.
CAC Active · Strictest Transfer Controls in APAC
Japan
Mandatory breach notification to the PPC: preliminary report promptly, final report within 30 days (60 days for breaches caused by malicious acts). Cross border transfer requires consent with country disclosure or equivalent protections. EU adequacy held. PPC active with published guidance. Penalties up to JPY 100 million for organisations.
PPC Active · EU Adequacy
South Korea
Separate consent per purpose: the most granular consent requirement in APAC. Automated decision-making rights introduced by the 2023 amendments. EU adequacy held. PIPC imposes substantial fines up to the statutory maximum. Criminal sanctions available. Among the world's most demanding regimes.
PIPC Active · EU Adequacy · Criminal Sanctions
Hong Kong
In force since 1996. No mandatory breach notification: the only major APAC financial centre without it. Section 33 transfer restrictions never brought into force. Reform amendments proposed 2020 but not enacted as at April 2026. PCPD investigates complaints actively.
No Mandatory Notification · Reforms Pending
Macau
Macau enacted its Personal Data Protection Act (Law 8/2005) aligned with EU Directive 95/46/EC. Administered by Gabinete para a Protecção de Dados Pessoais (GPDP). Comprehensive framework. Cross border transfers require adequate protection or derogations. The GPDP is active.
GPDP Active · EU Directive-Aligned
Taiwan
PDPA in force, sector specific enforcement. Independent supervisory authority proposed but not yet operational. Mandatory breach notification to a regulator proposed but not enacted. Government developing GDPR-equivalent reforms. Significant technology and semiconductor industry implications.
Reforms Under Development
Mongolia
Law on Personal Secrecy 1995 and Law on Information Transparency 2011 contain limited provisions. No comprehensive personal data protection statute. No dedicated supervisory authority. Digital economy relatively small. No draft legislation publicly available as at April 2026.
No Comprehensive Statute
Australia
Statutory tort of serious invasion of privacy legislated 2024. APP 8 overseas accountability: disclosing entity liable for overseas recipient breach. Penalty up to AUD 50 million. Notifiable Data Breaches scheme. No prescribed-country list yet made under the 2024 amendments; transfers to India rely on APP 8.1 reasonable steps or the substantially-similar-law exception. OAIC most active Pacific privacy regulator.
OAIC Active · Statutory Tort 2024
New Zealand
Universal scope: no size threshold. Notifiable Privacy Breaches scheme. Principle 12 comparable safeguards for overseas disclosure. EU adequacy held. Active Privacy Commissioner. India not a prescribed country; comparable safeguards assessment required.
OPC Active · EU Adequacy
Papua New Guinea
Cybercrime Code Act 2016 contains limited data provisions. No comprehensive statute. No supervisory authority. Pacific Forum engagement. No draft legislation publicly available as at April 2026.
No Statute
Fiji
Online Safety Act 2018 addresses online harm, not personal data protection broadly. No comprehensive statute. No supervisory authority. Referenced in Digital Economy roadmap.
No Comprehensive Statute
Vanuatu
No comprehensive personal data protection statute. Electronic Transactions Act contains limited provisions. No supervisory authority.
No Statute
Solomon Islands
No comprehensive personal data protection statute. No dedicated supervisory authority. Electronic transactions legislation contains limited data provisions.
No Statute
Samoa
No comprehensive personal data protection statute. Computer Crimes Act 2013 addresses cybercrime with limited data provisions. Pacific Islands Forum Privacy Working Group engagement.
No Statute
Tonga
No comprehensive personal data protection statute. No dedicated supervisory authority as at April 2026.
No Statute
Pacific Island States
Kiribati, Micronesia, Palau, Marshall Islands, Nauru, Tuvalu and the Cook Islands have no comprehensive personal data protection statutes as at April 2026. Each relies on general constitutional privacy provisions and cybercrime legislation where enacted.
No Statutes
India, Sri Lanka, Pakistan and Bangladesh — South Asia's data privacy landscape in full
South Asia's data privacy landscape is defined by a single overwhelming fact: India has enacted a comprehensive personal data protection statute — the DPDPA 2023, with DPDP Rules notified on 13 November 2025 and full enforcement commencing 13 May 2027 — that applies to 1.4 billion data principals and extends extra territorially to every organisation in the world that processes their data in connection with offering them goods or services. Around that fact, the rest of the region is in various stages of legislative development. Sri Lanka has enacted a law. Pakistan and Bangladesh have drafts. Nepal and the Maldives have neither. For organisations with pan-South-Asian operations, India is the compliance anchor and the other jurisdictions are either in an emerging compliance zone or, currently, in a contractual safeguards-only environment.
Digital Personal Data Protection Act 2023 — Data Protection Board of India
The DPDPA received Presidential assent on 11 August 2023. The DPDP Rules 2025 were notified by the Ministry of Electronics and Information Technology on 13 November 2025. The Data Protection Board of India has been constituted as at April 2026, with full enforcement of the Act commencing on 13 May 2027. The Act applies to the processing of digital personal data within India and, by virtue of Section 3(b), to the processing of digital personal data outside India where that processing is in connection with any activity related to offering goods or services to data principals within the territory of India. The geographic scope of the Act is therefore determined by the location of the data principal at the time of the relevant activity, not by the location of the data fiduciary, the location of the processing infrastructure, or the jurisdiction of incorporation of the processing entity. A foreign company with no Indian subsidiary, no Indian servers and no Indian employees nonetheless falls within the Act if it offers a service — a website, an application, an e-commerce platform — to Indian residents and that service involves the collection of their personal data.
The Act recognises only two lawful bases for the processing of personal data. The first is consent — which must be free, specific, informed, unconditional and unambiguous, and which must be given through an affirmative action that clearly indicates agreement to the processing of personal data for the specified purpose. The notice that must precede consent is required by Section 5 of the Act and Rule 3 of the DPDP Rules 2025 to be in clear and plain language, to be made available at the data principal's option in English or any language specified in the Eighth Schedule to the Constitution, and to specify the personal data to be processed and the purpose for which it is processed, together with a description of the manner in which data principals may withdraw consent, access their personal data, seek correction or erasure, and raise grievances. The second lawful basis is legitimate use — a defined list of circumstances in Section 7 in which processing may take place without consent, including personal data voluntarily provided by the data principal for a specified purpose, processing necessary for performance of a function of the State, compliance with any law or court order, medical emergencies, epidemics and disasters, and employment purposes. There is no general legitimate interests basis of the kind found in Article 6(1)(f) of the GDPR — a data fiduciary that wishes to process personal data without consent must identify a specific legitimate use from the statutory list, not balance its interests against the data principal's rights.
Cross border transfers are governed by Section 16 of the Act. Personal data may be transferred by a data fiduciary to any country or territory outside India, subject to such terms and conditions as may be prescribed, except to countries or territories notified by the Central Government. No such notification has been issued as at April 2026. All international transfers of personal data by Indian data fiduciaries are therefore currently lawful under the DPDPA, subject to the Act's other requirements. This permissive approach — the negative list model — is materially more accommodating than the adequacy-first framework of the GDPR, the security assessment requirements of China's PIPL or the substantially-similar-law test of Malaysia's amended PDPA. It does not, however, displace the obligations imposed by the data protection law of the receiving jurisdiction on the receiving entity. Breach notification is governed by Section 8(6) of the Act and Rule 7 of the DPDP Rules 2025: on becoming aware of a personal data breach, the data fiduciary must intimate each affected data principal and the Data Protection Board without delay, and must furnish to the Board the detailed particulars prescribed by Rule 7 within seventy-two hours of becoming aware of the breach, or within such longer period as the Board allows on written request. The maximum penalty under the Schedule to the Act is two hundred and fifty crore rupees per violation. The Significant Data Fiduciary classification — determined by the Central Government by notification — imposes additional obligations: a Data Protection Officer based in India who is the point of contact for grievance redressal, periodic Data Protection Impact Assessments, engagement of an independent Data Auditor, and such additional measures as the Central Government may specify. AMLEGALS is India's specialist DPDPA firm.
Personal Data Protection Act No. 9 of 2022 — Data Protection Authority of Sri Lanka
Sri Lanka enacted its Personal Data Protection Act on 19 March 2022, making it the second South Asian jurisdiction after India to have a comprehensive personal data protection statute. The Act applies to the collection, processing and storage of personal data and is extra territorial in its reach — it extends to controllers and processors outside Sri Lanka where they process personal data of individuals in Sri Lanka in connection with the offering of goods or services to them or the monitoring of their behaviour. The Act is modelled on the GDPR in its structure and substance. It establishes the Data Protection Authority of Sri Lanka as the supervisory body, with jurisdiction to investigate complaints, conduct audits, issue enforcement notices, and impose administrative penalties. The Authority is in the process of becoming fully operational as at April 2026, and systematic enforcement activity is expected to follow its full establishment.
The Act recognises consent as a primary lawful basis and also provides for a range of non consent lawful bases including contractual necessity, compliance with a legal obligation, protection of vital interests, performance of a task carried out in the public interest, and legitimate interests — the last of these being a significant departure from India's DPDPA, which has no equivalent provision. Data subjects have rights of access, withdrawal of consent, rectification or completion, erasure, review of decisions based solely on automated processing, and objection. Special categories of personal data — health data, biometric data, genetic data, data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership and data concerning sexual orientation — are subject to stricter requirements and require explicit consent. Cross border transfers require an adequate level of data protection at the destination, with exceptions for explicit consent, contractual necessity, vital interests and other prescribed derogations. For Indian IT services companies and BPO providers processing Sri Lankan personal data at Indian facilities, the extra territorial provision means they fall within the Act's scope, and their data processing agreements must reflect the Act's processor obligations — notably the requirement to process only on documented instructions of the controller, to implement appropriate technical and organisational measures, and to notify the controller without undue delay upon becoming aware of a breach.
Pakistan: No Comprehensive Statute in Force — Personal Data Protection Bill at Draft Stage
Pakistan does not have a comprehensive personal data protection statute in force as at April 2026. The Personal Data Protection Bill has been through multiple iterations since work began in 2018. The Ministry of IT and Telecommunication released a draft for public consultation in 2023, which proposed a framework with consent and non consent lawful bases, a Personal Data Protection Authority, data subject rights modelled on GDPR-equivalent concepts, cross border transfer restrictions requiring either adequacy or contractual safeguards, and a tiered penalty regime. The Bill was not enacted as at April 2026. In the interim, personal data processing in Pakistan is subject to: the Prevention of Electronic Crimes Act 2016 (PECA), which criminalises unauthorised access to, interception of and damage to data systems and imposes penalties for the transmission of data in specified offensive circumstances; sector specific data governance requirements issued by the State Bank of Pakistan, which regulates data governance for banks and payment system operators; requirements of the Pakistan Telecommunication Authority governing data retained by telecommunications operators; and Securities and Exchange Commission of Pakistan rules applicable to listed entities. For organisations processing Pakistani personal data — whether at Pakistani facilities or at Indian BPO facilities — the current position is that no comprehensive regulatory framework governs that processing at the personal data protection level. Contractual safeguards, data processing agreements and privacy by design architecture are the primary compliance tools in this environment, pending the enactment of the draft Bill.
Bangladesh: No Comprehensive Statute in Force — Personal Data Protection Act at Draft Stage
Bangladesh does not have a comprehensive personal data protection statute in force as at April 2026. The Digital Security Act 2018 (DSA) was the primary operative legislation in the digital context until it was repealed and replaced by the Cyber Security Act 2023, which carried forward most of its substantive provisions; both are law enforcement and cybercrime statutes rather than data protection frameworks. Section 26 (retained in the 2023 Act) criminalises the collection, sale and supply of identity information without lawful authority, and Section 32 addresses breaches of government secrecy, but neither provision constitutes a comprehensive framework for regulating the processing of personal data by organisations. The Bangladesh ICT Division has been working on a Personal Data Protection Act, a draft of which was circulated for stakeholder consultation in 2023. The draft proposed a framework drawing on GDPR concepts — consent and non consent lawful bases, a Data Protection Commission, individual rights, cross border transfer restrictions and a penalty regime. The draft had not been enacted as at April 2026. Bangladesh is a significant country for the Indian IT services, apparel industry supply chain and financial services sectors — substantial volumes of Bangladeshi personal data are processed by Indian entities in the context of outsourcing and supply chain management arrangements. In the absence of a comprehensive statute, organisations processing Bangladeshi personal data should be guided by the contractual data protection obligations imposed by their Bangladeshi counterparties and by the data governance standards applicable to them in their own jurisdiction.
Nepal: Individual Privacy Act 2018 — Limited Data Protection Provisions
Nepal enacted the Individual Privacy Act 2018, which gives effect to the right to privacy guaranteed by Article 28 of the Constitution of Nepal and establishes some personal data protection principles — including requirements relating to consent for the collection of personal information, restrictions on use of information for purposes other than those for which it was collected, and security obligations. The Act is administered through the general court system rather than through a dedicated supervisory authority. The Individual Privacy Act is not a comprehensive data protection framework in the sense of the GDPR or the DPDPA — it does not establish an independent supervisory authority with enforcement powers, mandatory breach notification obligations or detailed data subject rights. The Electronic Transactions Act 2008 contains provisions relevant to digital data, including some security requirements. Nepal has recognised the need for a more comprehensive data protection framework and reform proposals have been discussed, but no comprehensive statute had been enacted as at April 2026.
Maldives: No Comprehensive Statute
The Maldives does not have a comprehensive personal data protection statute in force as at April 2026. The Electronic Transactions Act 2002 and its subsequent amendments address some aspects of digital security and electronic commerce, but they do not constitute a comprehensive personal data protection framework. The Maldives Monetary Authority and the Communications Authority of Maldives issue sector specific guidance on data handling in their respective regulatory domains — financial services and telecommunications — but these are limited in scope. The government has recognised the need for data protection legislation in the context of the Maldives' growing digital economy and tourism industry, both of which generate significant volumes of personal data, and the development of a comprehensive framework has been referenced in government digital strategy documents. No draft legislation had been publicly released as at April 2026.
Eleven jurisdictions across ASEAN and Timor-Leste — from Singapore's mature enforcement regime to Myanmar's legislative suspension
South-East Asia presents the most varied privacy legislative landscape in Asia-Pacific. Singapore has been enforcing a comprehensive privacy statute since 2014 and has one of the most thoroughly documented and transparently administered enforcement practices in the region. Thailand enacted a GDPR aligned statute that came into full effect in 2022 and is actively enforcing it. Vietnam enacted Decree 13/2023, which imposes obligations directly relevant to the Indian BPO and IT services industries. Indonesia's PDP Law became fully operative in October 2024. The Philippines has an active National Privacy Commission. Malaysia amended its PDPA in 2024, imposing mandatory breach notification for the first time. Brunei enacted its PDPO in 2021 with limited enforcement. Myanmar's legislative development has been suspended by the political situation. Cambodia and Laos are at draft or early development stages. Timor-Leste has no statute.
Personal Data Protection Act 2012 — Personal Data Protection (Amendment) Act 2020 — Personal Data Protection Commission
Singapore's PDPA is the most mature, most comprehensively documented and most transparently enforced privacy statute in the ASEAN region. The Personal Data Protection Commission administers the Act with an active enforcement practice, publishing its decisions in sufficient detail to provide reliable guidance on the standards it applies. The PDPC maintains a library of published enforcement decisions, a set of advisory guidelines covering every substantive aspect of the Act, an active programme of public guidance and sector specific advisory notes for financial services, healthcare, social services and other industries. This combination of active enforcement and detailed public guidance makes Singapore's PDPA practice more predictable than most regional counterparts — a meaningful consideration for organisations seeking to structure their compliance programmes with confidence in what the regulator will accept.
The 2020 amendments made three substantive changes that materially affected the compliance landscape. First, mandatory breach notification was introduced: where a data breach is assessed by the organisation as notifiable — meaning it resulted in or is likely to result in significant harm to affected individuals, or involved personal data of 500 or more individuals — the PDPC must be notified within three calendar days of that assessment, and affected individuals must be notified where the breach is likely to result in significant harm to them. The three-calendar-day notification deadline is the shortest in the ASEAN region. Second, a legitimate interests exception was introduced — allowing organisations to collect, use or disclose personal data without consent where the legitimate interests of the organisation or a third party clearly outweigh any adverse effect on the individual — bringing Singapore closer to the GDPR model and materially expanding the lawful bases available for data processing. Third, the financial penalty regime was strengthened — the maximum financial penalty is now SGD 1 million or, for organisations with annual Singapore turnover exceeding SGD 10 million, 10% of that turnover, whichever is higher, eliminating the fixed cap that had applied previously. Cross border transfers are governed by the transfer limitation obligation in section 26 of the PDPA and the Personal Data Protection Regulations 2021: the transferring organisation must ensure the recipient is bound by legally enforceable obligations to provide a standard of protection comparable to the PDPA, whether by law, by contract (the ASEAN Model Contractual Clauses are commonly used), by binding corporate rules within a group, or by a specified certification such as the APEC Cross Border Privacy Rules or Privacy Recognition for Processors. For the India-Singapore transfer corridor, which is one of the most active in the Asia-Pacific region, contractual clauses are the most commonly used instrument on the Singapore side, and the Indian receiving entity's DPDPA data processor obligations must also be reflected in the combined agreement.
Personal Data Protection Act B.E. 2562 (2019) — Personal Data Protection Committee — Fully Effective 1 June 2022
Thailand's Personal Data Protection Act is the most comprehensively GDPR aligned statute in the ASEAN region. It was enacted in 2019 with an implementation period during which organisations were expected to bring their processing into compliance. The COVID-19 pandemic delayed the commencement of full enforcement, and the Act came into full effect on 1 June 2022. It is administered by the Personal Data Protection Committee, supported by the Office of the Personal Data Protection Committee as the administrative body. The Personal Data Protection Expert Committee provides technical advice to the PDPC on specific issues. The Act's substantive framework is closely modelled on the GDPR. The lawful bases for processing — consent, contractual necessity, legal obligation, vital interests, public task and legitimate interests — replicate the GDPR structure. The individual rights — access, rectification, erasure, restriction, portability and objection — do the same. The provisions governing sensitive personal data — which include health and medical information, biometric data, genetic data, racial and ethnic origin, political opinions, religious and philosophical beliefs, sexual orientation, criminal records and trade union membership — require explicit consent and cannot be processed on any other lawful basis absent a specific statutory exception. The cross border transfer provisions require that the destination country provides adequate personal data protection standards comparable to those under the PDPA, with exceptions for consent, contractual necessity, vital interests and public interest. The PDPC may issue adequacy determinations. Breach notification to the PDPC is required within 72 hours of becoming aware of a breach that is likely to affect the rights and freedoms of data subjects — a deadline consistent with the GDPR. Where there is a likely high risk to the rights and freedoms of data subjects, notification to affected individuals is also required. 
Criminal sanctions are available alongside administrative fines: unlawful disclosure or transfer of sensitive personal data in a manner likely to cause damage carries up to six months' imprisonment or a fine of 500,000 baht, or both, rising to one year or one million baht, or both, where the offence is committed for unlawful gain. The PDPC has commenced enforcement proceedings in a number of cases since 2024. For Indian companies processing Thai personal data — whether as a data controller of Thai employee data or as a data processor of Thai customer data for a Thai client — the PDPA imposes direct obligations including data processing agreement requirements, security measures, data subject rights management and breach notification.
Decree 13/2023 on Personal Data Protection — Ministry of Public Security — Effective 1 July 2023
Vietnam's Decree 13/2023 on Personal Data Protection came into force on 1 July 2023. It was issued by the Government of Vietnam — meaning by the Cabinet rather than by the National Assembly — and is therefore technically subordinate legislation rather than a primary statute. This distinction matters because it means the Decree can be amended more readily than a statute and may be replaced by a comprehensive law. A Personal Data Protection Law was under development as at April 2026, and its provisions are expected to strengthen rather than weaken the Decree's framework. The Decree is administered by Department A05 — the Department of Cybersecurity and High-Tech Crime Prevention — within the Ministry of Public Security. This institutional arrangement gives the Decree a law enforcement character that distinguishes it from the consumer protection or regulatory authority frameworks found in Singapore, Thailand and most other APAC jurisdictions. The Ministry of Public Security is not merely a compliance regulator — it is an agency with investigatory and enforcement powers derived from the law enforcement domain. The Decree applies to all Vietnamese and foreign organisations and individuals processing personal data in Vietnam and to processing outside Vietnam where it directly affects or is related to organisations and individuals in Vietnam. The extraterritorial provision is real and is enforced through the Ministry's investigatory powers.
The Decree classifies personal data into two categories. Basic personal data covers standard identification information — name, date of birth and death, gender, nationality, ethnicity, marital status, family relationships, digital account information, personal data reflecting activities and history of activities in cyberspace, and other personal information. Sensitive personal data covers political views and political party membership, religious and philosophical beliefs, health, medical and genetic data, sexual orientation, crimes and criminal records, financial data, precise geolocation data, social relationships, racial and ethnic origin, biometric data used to identify a specific person, and personal data of children. The distinction is significant because sensitive personal data is subject to stricter requirements, including mandatory impact assessment before collection or processing begins, and specific cross-border transfer controls. Processing of personal data requires the data subject's consent. The Decree identifies limited circumstances in which processing may occur without consent — emergency situations involving the data subject's life or health, publicly available data, performance of obligations under a contract, and in accordance with a competent authority's decisions. These non-consent bases are narrower than those available under the GDPR, the Thai PDPA or Singapore's PDPA. Cross-border transfers of personal data are one of the Decree's most operationally significant provisions for Indian organisations. Where the data to be transferred falls within categories designated as sensitive personal data, or as personal data important to national security, or as personal data of large numbers of individuals, a personal data impact assessment must be prepared and filed with the Ministry of Public Security before the transfer takes place. The Ministry may review the assessment and may prohibit a transfer that it considers presents unacceptable risks.
This requirement directly affects Indian BPO providers and IT services companies that process Vietnamese personal data at Indian facilities on behalf of Vietnamese or multinational clients — the transfer from Vietnam to India of prescribed categories of Vietnamese personal data requires an impact assessment and Ministry notification before the transfer occurs. Breach notification under the Decree requires notification to the Ministry of Public Security without delay and notification to affected data subjects without delay. This without-delay standard is not time-quantified — it means as quickly as the facts can be established — but it does not allow for extended investigation before notification occurs. Penalties under the Decree for violations include administrative fines and, in severe cases, referral for criminal prosecution. The Vietnamese government's development of a comprehensive Personal Data Protection Law is expected to introduce a more structured penalty regime and a dedicated supervisory authority.
Personal Data Protection Law 2022 — Personal Data Protection Authority — Fully Operative 17 October 2024
Indonesia enacted its Personal Data Protection Law on 17 October 2022. The Law provided a two-year transition period during which organisations were required to bring their data processing practices into compliance with the new framework. That transition period expired on 17 October 2024 — at which point all obligations under the Law became fully operative and enforceable. With a population of approximately 280 million, Indonesia is the fourth most populous country in the world, the largest economy in South-East Asia, and one of the fastest-growing digital markets in the region. The obligations the Law imposes therefore affect a substantial volume of personal data processing and a correspondingly large number of organisations — domestic and foreign — that process Indonesian personal data.
The Law establishes a two-tier classification of personal data. General personal data — defined to include name, gender, nationality, religion, marital status and other personal identification data — is subject to the standard framework of consent or lawful basis, security measures, data subject rights and breach notification. Specific personal data — defined to include health and medical data that could harm the data subject if disclosed, biometric data used to identify a specific individual, genetic data, children's personal data, financial data including bank account information, personal communications data, and such other personal data as the supervisory authority designates — requires explicit consent and is subject to stricter handling and security requirements. Lawful bases for the processing of general personal data include consent, contractual necessity, compliance with a legal obligation, protection of vital interests, fulfilment of tasks in the public interest, and legitimate interests — a comprehensive set of bases aligned with the GDPR model. Cross-border transfers of personal data are permitted where the destination country provides a level of personal data protection at least equivalent to that under Indonesian law, or where appropriate contractual safeguards have been approved by the supervisory authority. Breach notification is required within fourteen working days of the personal data controller becoming aware of a breach, both to the supervisory authority and to affected data subjects. The fourteen-working-day deadline is the longest of any APAC jurisdiction that has a mandatory notification requirement — but it is a hard deadline, not an aspirational target. The Personal Data Protection Authority mandated by the Law was, as at April 2026, still in the process of formal establishment.
In the interim, enforcement was conducted through the existing sector-specific regulatory frameworks — OJK for financial services, Kominfo for digital communications, BPJPH for halal certification, and others. The maximum penalty is IDR 35 billion, equivalent to approximately USD 2.2 million. For Indian technology companies and BPO providers with Indonesian clients, the Law's extraterritorial provision — which applies to controllers and processors outside Indonesia that process personal data of Indonesian residents — means they fall within the Law's scope regardless of where their processing infrastructure is located.
Data Privacy Act 2012 (Republic Act 10173) — National Privacy Commission
The Philippines Data Privacy Act 2012 is one of the oldest comprehensive personal data protection statutes in the Asia-Pacific region — and unlike several statutes of that era, it has been actively enforced since the National Privacy Commission was constituted in 2016. The NPC has issued implementing rules and regulations, issued circular advisories on specific compliance topics, conducted investigations, accepted complaints, and published enforcement decisions in a volume that provides meaningful guidance on the standards it applies. The DPA applies to any natural or juridical person involved in personal information processing in the Philippines and, on an extraterritorial basis, to any natural or juridical person not found or established in the Philippines that controls or processes personal information of Philippine citizens or residents. The extraterritorial reach of the DPA is therefore keyed to the nationality of the data subject — a characteristic that extends it to the processing of Filipino diaspora personal data wherever in the world that processing occurs. Personal information controllers that process the personal information of at least 1,000 individuals are required to register with the NPC. The Act distinguishes personal information and sensitive personal information. Sensitive personal information — which includes racial or ethnic origin, marital status, age, colour, religious, philosophical or political affiliations, health, education, genetic or sexual life, court proceedings where a person has been charged, and any government-issued identification number — is subject to stricter requirements including explicit consent.
Cross-border transfers require either that the destination country has been determined by the NPC to have comparable personal data protection standards, or that the transfer is made pursuant to contractual arrangements between the Philippine entity and the overseas recipient that provide enforceable data protection obligations equivalent to those under the DPA — binding corporate rules or standard contractual clauses are the typical instruments used. The NPC must be notified of data breaches within 72 hours of the controller becoming aware of a breach reasonably believed to require notification. Notification to affected data subjects follows where the breach is likely to give rise to a real risk of serious harm. Criminal penalties under the Act include imprisonment of one to six years and fines of PHP 500,000 to PHP 4 million depending on the specific violation, in addition to administrative fines. The NPC's enforcement record includes actions against government agencies, telecommunications companies, financial institutions and digital platforms — making it one of the most active enforcement authorities in the ASEAN region.
Personal Data Protection Act 2010 — Personal Data Protection (Amendment) Act 2024
Malaysia's Personal Data Protection Act 2010 was, for most of its operative life, one of the less demanding personal data protection regimes in the ASEAN region — notable in particular for its absence of mandatory breach notification and its restriction to personal data processed in connection with commercial transactions. The Personal Data Protection (Amendment) Act 2024 changed this significantly. The 2024 amendments introduced mandatory breach notification to the Commissioner within 72 hours of the data user becoming aware of a breach that meets the notification threshold — a development that aligns Malaysia's regime with the Singapore, Philippine and Thai notification standards. Where a breach is likely to cause significant harm to data subjects, notification to affected individuals is also required without undue delay. The 2024 amendments also imposed direct obligations on data processors for the first time — a departure from the previous model in which processors were regulated only through their contractual obligations to data users. Data processors must now implement security measures equivalent to those of the data user and must notify the data user without undue delay upon becoming aware of a breach. The cross-border transfer mechanism under the PDPA remains unchanged by the 2024 amendments — personal data may not be transferred to a country not listed in a schedule approved by the Minister of Communications and Digital, except with data subject consent or pursuant to another prescribed condition. India is not on the approved countries schedule as at April 2026. This is a compliance obligation of direct relevance to Indian IT services companies, BPO providers and technology companies processing Malaysian personal data at Indian facilities.
The data processing agreement between a Malaysian client and an Indian processor must explicitly address the transfer basis — typically data subject consent or a contractual arrangement with appropriate safeguards — in addition to the direct processor security and notification obligations imposed by the 2024 amendments and the DPDPA data processor requirements applicable on the India side. Maximum penalties are MYR 500,000 and up to three years' imprisonment for specified violations.
Personal Data Protection Order 2021 — Autoriti Perlindungan Data Peribadi
Brunei enacted the Personal Data Protection Order 2021, establishing a comprehensive personal data protection framework for a jurisdiction with a population of approximately 450,000 people. The Order is administered by the Autoriti Perlindungan Data Peribadi (APDP), established by the Order itself as the supervisory authority. The Order covers the collection, processing, storage and transmission of personal data by organisations — defined to include companies, partnerships and unincorporated associations. Data subjects have rights of access and correction. Consent requirements apply before collection, and security obligations require appropriate measures proportionate to the sensitivity of the data. Cross-border transfers require that the receiving country provides comparable data protection standards to those under the Order, or that one of the prescribed exceptions applies, including data subject consent. Breach notification is required, with timelines and procedures to be prescribed by the APDP. Enforcement activity by the APDP has been limited as at April 2026 — the small scale of Brunei's economy and the relatively limited volume of personal data processing subject to the Order mean that the APDP is building its enforcement practice incrementally. For organisations with Brunei operations or processing relationships, the Order is operative law and must be addressed in data processing agreements even in the absence of active enforcement.
Electronic Transactions Law 2004 · Cybersecurity Law 2021 — No Comprehensive Privacy Statute
Myanmar does not have a comprehensive personal data protection statute in force as at April 2026. The Electronic Transactions Law 2004, as amended in 2014 and further amended in 2021, addresses electronic commerce, electronic signatures and some aspects of digital data security but is not a comprehensive personal data protection framework. The Cybersecurity Law, enacted by the State Administration Council in February 2022 following the military coup of February 2021, is primarily a state surveillance and law enforcement instrument — it imposes obligations on internet and digital service providers to cooperate with government data access requests and has been widely criticised by international human rights organisations for its potential to facilitate mass surveillance. The law is not a personal data protection framework in the sense of a statute regulating the collection and processing of personal data by private sector organisations for commercial purposes. Legislative development of a comprehensive personal data protection framework was underway before the February 2021 military coup — the Ministry of Transport and Communications had been developing a framework with stakeholder engagement. That legislative process has been suspended since the coup, and any assessment of when it might resume or what it might produce is inherently uncertain given the current political situation. Organisations processing Myanmar personal data operate without a comprehensive regulatory framework governing that processing and are guided by their own policies, their counterparties' contractual requirements, and any applicable international standards.
Sub-Decree on E-Commerce 2019 — Personal Data Protection Law Under Development
Cambodia does not have a comprehensive personal data protection statute in force as at April 2026. The Sub-Decree on E-Commerce of 2019 contains provisions relating to consumer data protection in the context of electronic transactions — it imposes obligations on e-commerce operators in relation to the collection and use of consumer personal information and requires transparency about data practices. But it is not a comprehensive personal data protection framework and does not establish a supervisory authority with general jurisdiction over personal data processing. The Royal Government of Cambodia has been developing a Personal Data Protection Law through the Ministry of Interior, and a draft was circulated for stakeholder consultation drawing on ASEAN privacy frameworks as reference points. The draft proposed a framework with consent and non-consent lawful bases, individual rights, a data protection authority, cross-border transfer restrictions and an administrative penalty regime. As at April 2026 that law had not been enacted. Cambodia's digital economy is growing rapidly, and the government has recognised the need for a comprehensive framework both to protect Cambodian citizens' data and to facilitate the digital trade relationships that require adequate data protection standards at the destination.
Law on Electronic Data Protection 2017 — No Comprehensive Statute
Laos does not have a comprehensive personal data protection statute in force as at April 2026. The Law on Electronic Data Protection 2017 addresses the protection of data stored and transmitted in electronic systems and imposes obligations on electronic service providers in relation to data security and the prevention of unauthorised access. It is primarily a cybersecurity and electronic commerce instrument rather than a comprehensive personal data protection framework — it does not establish individual rights of access, rectification and erasure, does not prescribe a consent model for data collection, and does not establish a supervisory authority with general enforcement powers. The government has referenced the need for a more comprehensive framework in national ICT strategy documents and has engaged with ASEAN technical assistance programmes on data protection law development, but no draft legislation had been released for public consultation as at April 2026. Laos' digital economy is at an early stage of development compared to most other ASEAN members.
No Comprehensive Statute
Timor-Leste does not have a comprehensive personal data protection statute as at April 2026. The Constitution of the Democratic Republic of Timor-Leste, adopted in 2002, contains provisions protecting the right to privacy, and the Penal Code contains provisions criminalising certain breaches of personal information. The government has been developing an ICT regulatory framework, and engagement with ASEAN dialogue partners and Pacific Island Forum members on digital governance has increased. No draft personal data protection law had been publicly released as at April 2026. Organisations processing Timorese personal data operate without a comprehensive personal data protection framework and should be guided by constitutional privacy principles, the Penal Code's criminal provisions, and the data protection requirements of their counterparties.
China, Japan, South Korea, Hong Kong, Macau, Taiwan and Mongolia — the most demanding cluster in Asia-Pacific
North-East Asia contains three of the most technically demanding and actively enforced personal data protection regimes in the world — China's PIPL, South Korea's PIPA and Japan's APPI — alongside the anomaly of Hong Kong, which remains without mandatory breach notification and without a statutory transfer mechanism despite being a major international financial centre. Macau is an outlier in a different direction — its data protection law is modelled on the EU Directive 95/46/EC, giving it one of the most EU-aligned frameworks in the region. Taiwan's PDPA is operative but under reform. Mongolia has no comprehensive statute.
Personal Information Protection Law 2021 · Data Security Law 2021 · Cybersecurity Law 2017 — Cyberspace Administration of China
China's personal data protection framework is the product of three interlocking statutes that must be read together and against the growing body of implementing regulations and national standards issued by the Cyberspace Administration of China and the National Institute of Standards and Technology of China. The Cybersecurity Law 2017 established the foundational framework for cyberspace governance in China, introduced the concept of Critical Information Infrastructure Operators and their enhanced security obligations, and imposed data localisation requirements on CIIOs and on operators of network products and services. The Data Security Law 2021 extended that framework to data processing across all sectors and established a graduated classification of data based on its importance to national security, economic development and social interests — creating obligations that differ in their intensity depending on where a given dataset falls in the classification hierarchy. The Personal Information Protection Law 2021, which came into force on 1 November 2021, is the statute that most directly parallels the comprehensive personal data protection frameworks of other APAC jurisdictions. It applies to the processing of personal information of natural persons within China and, under Article 3, to processing outside China where the purpose is to provide products or services to persons in China, to analyse or evaluate the behaviour of persons in China, or falls within other circumstances specified by law.
The PIPL recognises consent as a primary lawful basis and provides for a range of non-consent bases including contractual necessity, compliance with statutory duties and obligations, response to public health incidents, protection of vital interests, legitimate interests of the processor where not overriding the individual's interests, and processing of publicly disclosed personal information within a reasonable scope. Sensitive personal information — which includes biometric recognition information, religious beliefs, specifically identified status, medical health, financial accounts, personal location tracking information and personal information of minors below the age of fourteen — requires separate explicit consent and is subject to stricter obligations. The cross-border transfer provisions are the PIPL's most operationally consequential element for organisations with international data flows. Article 38 prescribes three mechanisms, only one of which is available without prior regulatory approval: the standard contract mechanism, which requires conclusion of a standard data export agreement with the overseas receiving party in a form prescribed by the CAC and filing of the agreement with the competent authority within ten working days of the agreement taking effect. The security assessment mechanism — which requires submission of a detailed assessment to the CAC for review and approval before the transfer takes place — is mandatory for CIIOs, for processors that process personal information of more than one million individuals, and for processors that have transferred personal information of more than 100,000 individuals or sensitive personal information of more than 10,000 individuals to overseas parties cumulatively since 1 January of the preceding year. The certification mechanism requires certification by a professional institution accredited by the CAC.
Breach notification to the competent authority is required immediately upon the organisation becoming aware of a personal information security incident that has or may have caused harm to affected individuals. Civil penalties for serious violations may reach RMB 50 million or 5% of the preceding year's annual turnover, whichever is higher. Responsible persons within the infringing organisation — including directors, senior managers and directly responsible employees — may be fined personally and prohibited from serving as directors or senior managers of personal information processors for a period prescribed by the CAC. The PIPL is enforced by the CAC as the primary regulatory body, with sector-specific enforcement by the People's Bank of China, the National Medical Products Administration, the China Securities Regulatory Commission and other sector regulators in their respective domains.
The China-India data transfer dimension is addressed in the India and APAC tab. The critical point for this jurisdiction summary is that China's PIPL imposes the most complex and administratively burdensome cross-border transfer requirements of any APAC jurisdiction — requirements that do not simply require a contractual mechanism but in many cases require prior regulatory approval of the transfer by the CAC. For multinational organisations with both Chinese and Indian operations, the China-India transfer corridor requires careful and jurisdiction-specific legal analysis rather than a generic data processing agreement approach.
Act on Protection of Personal Information — Personal Information Protection Commission — Amended April 2022
Japan's APPI, as amended with effect from 4 April 2022, is the third major revision of a statute that has been in force since 2003. It is administered by the Personal Information Protection Commission, constituted as an independent administrative organisation in 2016. The PPC administers the APPI with a combination of legally binding enforcement, active guidance publication and a well-developed practice of issuing requests for improvement to organisations whose practices do not meet the Act's standards. This graduated enforcement approach — guidance, improvement request, order, penalty — reflects the PPC's preference for regulatory dialogue before formal enforcement, though the 2022 amendments substantially increased the maximum penalties to make formal enforcement more meaningful.
The 2022 amendments removed the former 5,000-individual threshold that had exempted smaller businesses — all businesses handling personal information are now covered. The Act distinguishes personal information (any information that can identify a specific individual), special care-required personal information (sensitive categories including race, belief, social status, medical history, criminal records, disability, and other categories specified by Cabinet Order), pseudonymously processed information (personal information processed to the point where it cannot be re-identified without additional information) and anonymously processed information (personal information processed beyond re-identification). Each category carries different obligations. Mandatory breach notification was introduced by the 2022 amendments and applies to four categories of breach: those involving special care-required personal information, those that may result in property damage to data subjects, those caused by a malicious third party, and those affecting more than 1,000 individuals. Notification to the PPC is required within approximately 30 days of the organisation becoming aware of the breach; notification to affected individuals is required without delay. Cross-border transfers of personal information to a foreign third party require either the data subject's consent — which must include disclosure of the name of the destination country and the content of the personal information protection system in that country, or a statement that the PPC has been unable to confirm the content of the system — or that the overseas recipient is bound by contractual or other measures requiring it to handle the personal information in a manner equivalent to the protections required by the APPI, continuously verified by the Japanese entity.
Japan holds an EU adequacy decision — the PPC and the European Commission issued a Joint Statement in January 2019 confirming mutual adequacy — which facilitates Japan-EU personal data flows without the need for standard contractual clauses or other supplementary measures. Japan is also an APEC Cross-Border Privacy Rules participant, providing CBPR certification as an alternative cross-border transfer mechanism for intra-APEC flows. Penalties for organisations were increased by the 2022 amendments to a maximum of JPY 100 million — a tenfold increase from the previous maximum of JPY 10 million.
Personal Information Protection Act — Personal Information Protection Commission — Amended September 2023
South Korea's PIPA is, by any objective measure, one of the most technically demanding personal data protection regimes in the world. Its granular consent requirements, its active and well-resourced enforcement authority, its criminal sanctions, its substantial administrative fines and its willingness to pursue enforcement actions against major international companies collectively make it a compliance priority for any organisation operating in South Korea or processing South Korean personal data. The Personal Information Protection Commission, established as a fully independent central administrative agency in August 2020 with jurisdiction over all sectors — previously divided between the Ministry of the Interior and the Korea Communications Commission — administers the Act with an enforcement practice that includes investigations initiated both on complaint and on the PIPC's own motion, substantial administrative fines, public naming of violators and regular public reporting on enforcement trends.
The 2023 amendments to the PIPA — effective from September 2023 — were the most substantive since the Act's enactment in 2011. They introduced a right of data subjects to refuse automated decision-making that produces a significant effect on their rights or duties, and a right to request explanation of the grounds for an automated decision — provisions that go meaningfully beyond what any other APAC framework currently requires in the automated decision-making domain. They imposed enhanced obligations on mobile application providers, including mandatory disclosure of the personal information collected, the purpose, the processing periods and the recipients at the point of initial execution of the application. They strengthened protections for children under 14, requiring separate consent processes that are accessible to children. They also introduced provisions on pseudonymisation and on the legitimate processing of pseudonymised information for statistical, scientific research and archiving purposes — a recognition of the legitimate value of data processing in controlled environments. Consent under the PIPA must be specific — a separate, freely given and unambiguous consent is required for each distinct purpose of processing. There is no legitimate interests carve-out that dispenses with consent for commercial data processing purposes. Special categories of personal information — ideological and political views, trade union membership, political party membership, medical health and genetic information, biometric data used for identification, criminal records and related judicial matters — require separate explicit consent. Cross-border transfers require consent of the data subject, or an agreement or binding corporate rules providing equivalent protection to the PIPA, or an adequacy determination by the PIPC, or membership of an international framework approved by the PIPC. South Korea holds an EU adequacy decision.
Maximum administrative fines for violations of the PIPA are substantial — calculated as a percentage of turnover rather than a fixed maximum in many cases — and criminal sanctions, including imprisonment of up to five years or fines of up to KRW 50 million for the most serious violations, are available and have been imposed.
Personal Data (Privacy) Ordinance (Cap. 486) — Office of the Privacy Commissioner for Personal Data
Hong Kong's PDPO has been in operative force since 1996 and remains, as at April 2026, the only major financial centre in the Asia-Pacific region without mandatory data breach notification and without a statutory cross border transfer mechanism. This position is anomalous given Hong Kong's status as a major international financial centre, a hub for regional headquarters and financial services operations, and a jurisdiction that handles very substantial volumes of personal data from across Asia, Europe and North America. The anomaly reflects the pace of legislative reform rather than any principled objection to mandatory notification or statutory transfer controls — both have been proposed by the government and both remain outstanding. The Ordinance is built around six Data Protection Principles set out in Schedule 1. DPP1 governs the purpose and manner of collection of personal data, requiring that collection be for a lawful purpose directly related to the data user's function or activity, and that the collection be necessary for or directly related to that purpose. DPP2 governs accuracy and duration of retention. DPP3 governs use — personal data must not be used for a purpose other than the purpose for which it was collected without the prescribed consent. DPP4 governs security. DPP5 governs openness — data users must make publicly available the kinds of personal data held and the main purposes for which the data is or is to be used. DPP6 governs access and correction. Section 33 of the Ordinance, which would impose statutory controls on cross border data transfers including a requirement for comparable protection at the destination, was enacted in 1996 but has never been brought into force. The PCPD administers a recommended data transfer mechanism — model contractual clauses — but adherence to these is not legally required. 
The government published a public consultation paper on proposed PDPO amendments in 2020, which proposed the introduction of mandatory data breach notification with a specified notification timeline, a statutory mandatory minimum security standard for personal data, enhanced enforcement powers for the PCPD including increased financial penalties, and commencement of Section 33 or an equivalent statutory cross border transfer mechanism. As at April 2026 those amendments had not been enacted, though the government has indicated that reform legislation remains a legislative priority. The PCPD administers the current Ordinance with an active complaints practice and a published enforcement decision library. The direct marketing provisions — which impose strict requirements on the use of personal data for direct marketing and require an opt-in from data subjects before their personal data is used or provided to third parties for that purpose — have been the most frequently enforced provisions of the Ordinance.
Personal Data Protection Act — Law 8/2005 — Gabinete para a Protecção de Dados Pessoais
Macau enacted its Personal Data Protection Act (Law 8/2005) in 2005, modelling it closely on the EU Data Protection Directive 95/46/EC. The Act is administered by the Gabinete para a Protecção de Dados Pessoais (GPDP), established as the independent supervisory authority under the Act. Macau has not been granted a formal EU adequacy decision by the European Commission, despite its law being closely modelled on the EU Directive 95/46/EC. Japan, South Korea and New Zealand are among the APAC jurisdictions that hold such decisions. Organisations transferring personal data from the EU to Macau must rely on standard contractual clauses or other appropriate transfer mechanisms. The Act covers the processing of personal data by automatic or non-automatic means, applies to data controllers established in Macau and to those outside Macau that use equipment situated in Macau for processing. The Act recognises consent and non consent lawful bases including contractual necessity, legal obligations, vital interests, public interest and legitimate interests — the EU Directive model. Sensitive personal data categories are subject to stricter requirements and in principle may only be processed with explicit consent or pursuant to specific statutory grounds. Cross border transfers to countries that do not provide adequate protection are restricted — the adequacy of protection must be assessed by the GPDP, which may authorise specific transfers subject to conditions including contractual safeguards. Breach notification obligations exist under the Act, though the specific implementation reflects the 2005 framework rather than the more prescriptive 72-hour notification models introduced in EU member states by the GDPR. The GPDP is an active supervisory body that issues guidance, handles complaints and conducts investigations. 
Macau's small population of approximately 680,000 people means that the overall volume of enforcement activity is modest in absolute terms, but the legal framework is substantive and the EU Directive-aligned status means it is taken seriously by EU data controllers engaging in Macau data flows.
Personal Data Protection Act — Personal Data Protection Office under the Executive Yuan
Taiwan's Personal Data Protection Act applies to the collection, processing and use of personal data by government agencies and non government organisations, including foreign organisations that collect personal data of individuals in Taiwan or that use equipment in Taiwan for personal data processing. The Act is administered at the central level by the Personal Data Protection Office under the Executive Yuan, with sector specific enforcement conducted through the competent authority for each industry — the Financial Supervisory Commission for financial institutions, the Ministry of Health and Welfare for medical entities, the Ministry of Digital Affairs for digital service providers, and so on. This distributed enforcement model has historically resulted in varying interpretations of the PDPA's provisions across sectors and a somewhat fragmented enforcement landscape. The PDPA requires that personal data be collected for a specific, explicit and legitimate purpose, that processing not exceed what is necessary for that purpose, that data subjects be notified of the identity of the collector, the purpose of collection, the categories of data collected, the data subject's rights and the consequences of refusing to provide data. Security obligations require appropriate technical and organisational measures. Special categories of personal data — medical records, health examination results, genetic information, sexual life, health examinations, criminal records and the data subjects' registered or domicile addresses in certain contexts — are subject to stricter handling requirements. Cross border transfers may be restricted by the competent authority where the transfer is contrary to the interests of data subjects or poses risks to national security. 
The government has been engaged in developing comprehensive reforms to the PDPA that would introduce an independent supervisory authority with cross-sector jurisdiction, mandatory breach notification with prescribed timelines, enhanced data subject rights aligned with GDPR-equivalent standards, and a strengthened penalty regime. Those reforms had not been enacted as at April 2026, though the Ministry of Digital Affairs has indicated that a revised framework is a legislative priority. The semiconductor and technology supply chain significance of Taiwan means that the data processing relationships between Taiwanese technology companies and their international partners — including Indian IT services providers — are subject to PDPA requirements that will become more demanding when the proposed reforms are enacted.
Law on Personal Secrecy 1995 · Law on Information Transparency and Right to Information 2011
Mongolia does not have a comprehensive personal data protection statute in force as at April 2026. Two statutes contain provisions relevant to personal information. The Law on Personal Secrecy 1995 protects specified categories of personal information in the context of government records — it establishes that personal data held by government bodies is secret and may not be disclosed without legal authority, but it is not a framework governing the collection and processing of personal data by private sector organisations. The Law on Information Transparency and Right to Information 2011 establishes transparency obligations for government entities and rights for citizens to access government-held information, but again it is not a personal data protection framework for private sector processing. Mongolia's digital economy is at an early stage of development. The government has engaged with the APEC Data Privacy Subgroup and has been following regional developments in personal data protection legislation. No draft personal data protection statute has been publicly released as at April 2026. Organisations processing Mongolian personal data operate without a comprehensive regulatory framework and should be guided by the constitutional right to privacy, the limited provisions of the 1995 Law, and the data protection obligations imposed by their counterparties.
Australia, New Zealand and the Pacific Island states — the Pacific privacy landscape
The Pacific region's privacy landscape is defined by two highly developed, well-enforced frameworks at its southern end, Australia and New Zealand (the latter holding EU adequacy status), and a collection of Pacific Island states in the northern and central Pacific that have, in most cases, no comprehensive personal data protection legislation. The compliance significance of Australia and New Zealand for Indian organisations is disproportionate to their geographic distance from India, because both jurisdictions impose overseas disclosure accountability obligations that directly regulate the conduct of Indian data processors receiving Australian and New Zealand personal data.
Privacy Act 1988 — Privacy and Other Legislation Amendment Act 2024 — Office of the Australian Information Commissioner
Australia's Privacy Act 1988 applies to Australian Government agencies and to private sector organisations — referred to as APP entities — with annual turnover above AUD 3 million, together with certain smaller organisations in specified categories including health service providers, operators of residential tenancy databases, credit reporting bodies, contractors to the Australian Government, and operators of services declared to be social media services or relevant electronic services under the Online Safety Act. The Privacy and Other Legislation Amendment Act 2024, which received royal assent on 12 December 2024, was the most significant reform to Australia's privacy framework since the Privacy Amendment (Enhancing Privacy Protection) Act 2014. The 2024 amendments introduced three major changes of substantive significance. First, a statutory tort of serious invasion of privacy was created — for the first time, individuals have a direct cause of action in the courts against any person who seriously invades their privacy by intruding on their seclusion or misusing their private information, without needing to engage the OAIC complaints process. Second, the Online Privacy Code was enacted, applicable to operators of social media services, relevant electronic services and designated internet services that are likely to be accessed by children — a specific and enhanced framework for the protection of children's personal data that goes beyond the general APP obligations. Third, the overseas disclosure accountability provisions were strengthened, with additional requirements on APP entities disclosing personal information to overseas recipients and enhanced penalties for failures in that context.
The thirteen Australian Privacy Principles, set out in Schedule 1 to the Privacy Act, govern the handling of personal information through the full data lifecycle. APP 1 requires a clearly expressed, up to date privacy policy. APP 2 provides for anonymity and pseudonymity in dealings with organisations where practicable. APP 3 and APP 4 govern the collection of solicited and unsolicited personal information respectively. APP 5 requires notification of the identity of the collector and the circumstances of collection. APP 6 restricts use and disclosure to the primary purpose of collection or a secondary purpose that is related to the primary purpose or falls within one of the prescribed exceptions. APP 7 governs the use of personal information for direct marketing. APP 8 — the overseas disclosure provision — is the most directly consequential for organisations with Indian processing relationships: an APP entity that discloses personal information to an overseas recipient is accountable under the Privacy Act for a breach by that overseas recipient as if the APP entity itself had committed the breach, unless the APP entity took reasonable steps before and during the disclosure to ensure the overseas recipient would not breach the APPs in relation to the information. The reasonable steps standard requires more than a contractual provision — it requires a substantive assessment of the overseas recipient's data handling practices, contractually binding commitments to comply with the APPs, and monitoring mechanisms capable of detecting and addressing non compliance. India is not on any approved overseas recipient list and there is no adequacy arrangement between Australia and India. APP 9 governs the adoption, use and disclosure of government-related identifiers. APP 10 requires that APP entities take reasonable steps to ensure that personal information is accurate, up to date and complete. APP 11 requires appropriate security measures to protect personal information. 
APP 12 provides data subjects with a right of access to their personal information. APP 13 provides a right to correct inaccurate personal information. The Notifiable Data Breaches scheme, introduced in 2018, requires APP entities to notify the OAIC and affected individuals as soon as practicable where a data breach involving personal information is reasonably likely to result in serious harm to one or more individuals. The maximum civil penalty for serious or repeated interference with privacy was increased to AUD 50 million — or if higher, three times the value of the benefit obtained from the conduct, or 30% of the adjusted turnover of the body corporate during the breach turnover period. The OAIC is an active enforcement authority that has pursued substantial enforcement actions against major domestic and international organisations including telcos, technology platforms and financial services providers.
Privacy Act 2020 — Office of the Privacy Commissioner
New Zealand's Privacy Act 2020, which replaced the Privacy Act 1993 in December 2020, applies without any size, sector or turnover threshold to all agencies — defined broadly to include any person or body of persons, whether corporate or unincorporate and whether in the public or private sector — that collect, hold, use or disclose personal information about individuals. This universal application distinguishes the NZ Act from Australia's, which has an AUD 3 million turnover threshold for private sector organisations, and makes it one of the most comprehensively scoped personal data protection statutes in the world. The Act is built around thirteen Information Privacy Principles (IPPs). IPP 1 governs the purpose of collection. IPP 2 requires that personal information be collected directly from the individual concerned unless specific exceptions apply. IPP 3 requires that individuals be informed of the purposes of collection, the identity of the collector and the agencies to which the information may be disclosed. IPP 4 requires that personal information not be collected by unlawful means or means that are unfair or intrude on privacy to an unreasonable extent. IPP 5 requires appropriate security safeguards against loss, access, use, modification or disclosure. IPP 6 provides an individual right of access to personal information held about the individual. IPP 7 provides a right of correction. IPP 8 requires that personal information not be used unless the agency is satisfied that it is accurate, up to date, complete, relevant and not misleading. IPP 9 limits the retention of personal information to what is necessary for the purpose. IPP 10 restricts the use of personal information to the purpose for which it was collected. IPP 11 restricts the disclosure of personal information to third parties.
IPP 12 — the transborder data flow principle — prohibits agencies from disclosing personal information to persons or bodies in a foreign country unless they are satisfied that the recipient is subject to privacy safeguards that are comparable to those in the NZ Act, the individual has expressly authorised the disclosure after being informed that the recipient is not required to protect the information in a comparable manner, the disclosure is necessary to prevent or lessen a serious threat to life or health, or one of the other prescribed exceptions applies. IPP 13 restricts the use of unique identifiers. The Notifiable Privacy Breaches scheme, introduced by the 2020 Act, requires agencies to notify the Privacy Commissioner as soon as practicable where they are aware of or have reasonable grounds to believe that a privacy breach has occurred that has caused or is likely to cause serious harm to one or more individuals. The Commissioner may, after the agency has provided relevant information, direct the agency to notify affected individuals. The Privacy Commissioner's powers under the 2020 Act are more extensive than under the 1993 Act — the Commissioner can conduct investigations on the Commissioner's own motion, can access premises and documents, and can make compliance orders and award compensation through the Human Rights Review Tribunal process. New Zealand holds an EU adequacy decision. For Indian data processors receiving New Zealand personal data — a category that includes Indian IT services providers, BPO operators and technology companies working for New Zealand financial institutions, healthcare providers and government agencies — IPP 12's comparable safeguards standard requires that the Indian processor's data governance practices, including its DPDPA compliance programme, be demonstrably equivalent to what the thirteen IPPs require.
A DPDPA compliant data processing agreement is a necessary but not always sufficient foundation for this assessment — the agreement must also address the specific IPPs that the DPDPA does not cover in the same terms, particularly the access and correction rights in IPP 6 and IPP 7.
Cybercrime Code Act 2016 — No Comprehensive Privacy Statute
Papua New Guinea does not have a comprehensive personal data protection statute in force as at April 2026. The Cybercrime Code Act 2016 addresses computer-related criminal conduct including unauthorised access, data interference, misuse of devices and computer fraud, with provisions that incidentally protect certain aspects of personal data security. It is primarily a criminal law instrument rather than a regulatory framework for personal data processing. The Constitution of PNG contains privacy protections in Section 49, which provides for the right to privacy of the person and property and the right to the free flow of information — but this constitutional provision has not been given effect through specific personal data protection legislation. The National ICT Policy 2021-2025 references the need for data protection legislation, and the government has engaged with Pacific Islands Forum and Commonwealth discussions on digital governance. No draft personal data protection legislation had been publicly released as at April 2026. Organisations processing PNG personal data operate without a comprehensive regulatory framework and should be guided by constitutional principles, the Cybercrime Code's criminal provisions, and the data protection requirements imposed by their counterparties.
Online Safety Act 2018 — No Comprehensive Privacy Statute
Fiji does not have a comprehensive personal data protection statute as at April 2026. The Online Safety Act 2018 establishes the Online Safety Commission and addresses online harm — harmful electronic communications — through a reporting and investigation mechanism. It is not a personal data protection framework and does not impose general obligations on organisations in relation to the collection, processing and security of personal data. The Constitution of Fiji 2013 contains a right to privacy provision in Section 24, and the Fiji Crimes Act and other legislation address specified data-related criminal conduct. The government's Digital Economy roadmap, published in 2021, referenced the development of a data protection framework as a future legislative priority, but no draft legislation had been released as at April 2026. Fiji's digital economy is primarily driven by the tourism, financial services and business process outsourcing sectors — all of which generate significant personal data flows. The absence of a comprehensive regulatory framework creates compliance uncertainty for organisations processing Fijian personal data and makes contractual data protection provisions and privacy by design approaches the primary tools for managing that uncertainty.
Vanuatu, Solomon Islands, Samoa, Tonga, Kiribati, Micronesia, Palau, Marshall Islands, Nauru, Tuvalu and the Cook Islands
None of the remaining Pacific Island states — Vanuatu, Solomon Islands, Samoa, Tonga, Kiribati, the Federated States of Micronesia, Palau, the Marshall Islands, Nauru, Tuvalu or the Cook Islands — has a comprehensive personal data protection statute in force as at April 2026. Several have enacted cybercrime legislation containing limited provisions relating to data security and computer-related offences. Several have constitutional privacy provisions. Some have engaged with the Pacific Islands Forum's discussions on digital governance and data protection. The Cook Islands, as a territory in free association with New Zealand, is subject to New Zealand law in certain respects but the Privacy Act 2020 does not automatically apply to Cook Islands agencies — the Cook Islands has its own legislative framework for most purposes. Organisations processing personal data originating from any of these jurisdictions operate without a comprehensive regulatory framework specific to that jurisdiction. The absence of a domestic framework does not eliminate compliance obligations — the data protection requirements of the exporting jurisdiction, the contractual obligations imposed by counterparties, and the governance standards of any relevant international frameworks continue to apply to the processing regardless of whether the source country has its own statute. For Indian data processors, this means that Australian or New Zealand personal data that is attributed to an individual in a Pacific Island state is still subject to Australian APP 8 or NZ IPP 12 when it is transferred to India — the absence of a local statute in the Pacific Island state is irrelevant to the obligations of the exporting Australian or New Zealand entity.
Thirty-one jurisdictions across six compliance dimensions — as at April 2026
The table below provides a reference comparison across six dimensions: governing law, supervisory authority, consent and lawful basis model, breach notification deadline, cross border transfer mechanism and EU adequacy status. The information is stated as at April 2026. Every entry reflects the current operative legal position, not anticipated reforms.
| Jurisdiction | Governing Law | Supervisory Authority | Consent and Lawful Basis | Breach Notification | Cross Border Transfer | EU Adequacy |
|---|---|---|---|---|---|---|
| India | DPDPA 2023 / DPDP Rules 2025 | Data Protection Board of India | Consent (affirmative, specific, informed) and limited statutory legitimate use only. No legitimate interests basis. | 72 hours to DPB per Rule 7 of DPDP Rules 2025; notification to data principals without undue delay. | Section 16 negative list — all countries open unless Central Government restricts. None restricted April 2026. | No |
| Sri Lanka | Personal Data Protection Act No. 9 of 2022 | Personal Data Protection Authority (forming) | Consent plus full GDPR-style bases including legitimate interests | Timelines to be prescribed by Authority | Adequate protection required or consent / contractual derogations | No |
| Pakistan | No statute — PECA 2016 and sector rules apply | None | PECA 2016 criminalises data offences. Sector specific rules by SBP, PTA, SECP. | No mandatory notification | No mechanism | No |
| Bangladesh | No statute — Digital Security Act 2018 and draft bill | None | DSA 2018 limited provisions. No general data protection lawful basis framework. | No mandatory notification | No mechanism | No |
| Nepal | Individual Privacy Act 2018 (limited) | None — general courts | Consent for personal information. Limited framework. No dedicated supervisory authority. | No mandatory notification | No mechanism | No |
| Maldives | No comprehensive statute | None | Electronic Transactions Act limited provisions. No personal data protection framework. | No mandatory notification | No mechanism | No |
| Singapore | PDPA 2012 / Amendment Act 2020 | Personal Data Protection Commission | Consent as default; legitimate interests exception (2020); deemed consent in specified circumstances | 3 calendar days to PDPC; notification to individuals where significant harm likely | Comparable protection standard; BCRs or SCCs under Transfer Regulations 2021; CBPR certification available | No |
| Thailand | PDPA B.E. 2562 — effective 1 June 2022 | Personal Data Protection Committee | GDPR aligned — consent plus six lawful bases including legitimate interests. Explicit consent for sensitive personal data. | 72 hours to PDPC; notification to individuals where high risk | Adequacy standard; PDPC may issue adequacy decisions; consent as alternative | No |
| Vietnam | Decree 13/2023 — effective 1 July 2023 | Ministry of Public Security (Dept A05) | Consent primary; limited non consent bases for specified circumstances | Without delay to MPS and data subjects | Impact assessment and MPS notification for prescribed categories. MPS may prohibit. | No |
| Indonesia | PDP Law 2022 — fully operative 17 October 2024 | Personal Data Protection Authority (forming) | Consent or lawful basis; explicit consent required for specific personal data | 14 working days to authority and data subjects | Equivalent protection standard or approved contractual safeguards | No |
| Philippines | Data Privacy Act 2012 (RA 10173) | National Privacy Commission | Consent required; legitimate processing criteria for non consent bases | 72 hours to NPC; notification to individuals per NPC issuances | Adequate standards at destination or contractual safeguards (BCRs or standard clauses) | No |
| Malaysia | PDPA 2010 / Amendment Act 2024 | Department of Personal Data Protection | Consent required; explicit consent for sensitive personal data | 72 hours to Commissioner (2024); notification to individuals where significant harm | Approved countries list — India not listed. Consent or prescribed conditions required. | No |
| Brunei | Personal Data Protection Order 2021 | Autoriti Perlindungan Data Peribadi | Consent required | Notification required — timelines prescribed by APDP | Comparable standard or consent | No |
| Myanmar | No comprehensive statute | None | Electronic Transactions Law limited provisions. Cybersecurity Law 2021 surveillance instrument. | No mandatory notification | No mechanism | No |
| Cambodia | No comprehensive statute | None | Sub-Decree on E-Commerce 2019 limited provisions | No mandatory notification | No mechanism | No |
| Laos | No comprehensive statute | None | Law on Electronic Data Protection 2017 limited provisions | No mandatory notification | No mechanism | No |
| Timor-Leste | No comprehensive statute | None | Constitutional privacy provisions only | No mandatory notification | No mechanism | No |
| China | PIPL 2021 / DSL 2021 / CSL 2017 | Cyberspace Administration of China (and sector regulators) | Consent plus enumerated non consent bases; separate explicit consent for sensitive personal information | Immediately upon becoming aware where harm may result | CAC security assessment (mandatory above volume thresholds and for CIIO operators); CAC-recognised certification; or standard contract filed with CAC within 10 working days | No |
| Japan | APPI (amended April 2022) | Personal Information Protection Commission | Purpose specification required; consent for special care-required categories; cross border transfer to foreign party requires consent with country/framework disclosure or equivalent protections | Approximately 30 days to PPC; without delay to individuals for high risk breaches | Consent with country and framework disclosure; or equivalent-protection measures by contract or BCRs; CBPR certification available | Yes |
| South Korea | PIPA (amended September 2023) | Personal Information Protection Commission | Separate consent required for each distinct processing purpose. No legitimate interests carve-out for commercial processing. | Without delay to PIPC; notification to individuals for qualifying breaches | Consent; or adequacy determination; or agreement / BCRs providing equivalent protection; or PIPC-approved international framework (CBPR) | Yes |
| Hong Kong | PDPO (Cap. 486) | Office of the Privacy Commissioner for Personal Data | Voluntary consent model; lawful purpose required under Data Protection Principles | No mandatory notification — voluntary only. Reform amendments proposed 2020 but not enacted April 2026. | Section 33 transfer restriction provisions never brought into force. PCPD model clauses recommended but not compulsory. | No |
| Macau | Personal Data Protection Act — Law 8/2005 | Gabinete para a Protecção de Dados Pessoais | Consent and non consent bases including legitimate interests (EU Directive 95/46 model) | Notification obligations under the Act — based on 2005 framework | Adequate protection required; GPDP may authorise transfers with safeguards | No |
| Taiwan | Personal Data Protection Act | Personal Data Protection Office and sector regulators | Consent or lawful purpose; processing limited to what is necessary | Notification required — timelines less prescriptive than contemporary frameworks | Transfer restrictions available to competent authority; comprehensive statutory mechanism under development | No |
| Mongolia | No comprehensive statute | None | Law on Personal Secrecy 1995 limited provisions | No mandatory notification | No mechanism | No |
| Australia | Privacy Act 1988 / Amendment Act 2024 | Office of the Australian Information Commissioner | Sensitive information requires consent; non-sensitive collected where reasonably necessary for lawful purpose without consent in most circumstances | As soon as practicable under Notifiable Data Breaches scheme | APP 8 — reasonable steps to ensure overseas recipient does not breach APPs; accountability for overseas recipient breach. India not on approved list. | No |
| New Zealand | Privacy Act 2020 | Office of the Privacy Commissioner | Consent not sole lawful basis; collection must be for lawful purpose, necessary and fair; direct collection from individual preferred | As soon as practicable where serious harm to individuals is likely | IPP 12 — comparable safeguards required at destination; or express consent from individual after notification that NZ Act will not apply | Yes |
| Papua New Guinea | No comprehensive statute | None | Cybercrime Code Act 2016 limited provisions; constitutional privacy in Section 49 | No mandatory notification | No mechanism | No |
| Fiji | No comprehensive statute | None | Online Safety Act 2018 limited provisions; constitutional privacy in Section 24 of 2013 Constitution | No mandatory notification | No mechanism | No |
| Vanuatu | No comprehensive statute | None | No general data protection framework | No mandatory notification | No mechanism | No |
| Samoa | No comprehensive statute | None | Computer Crimes Act 2013 limited provisions | No mandatory notification | No mechanism | No |
| Pacific Island States | No comprehensive statutes | None | Constitutional privacy provisions only in most cases | No mandatory notification | No mechanism | No |
The DPDPA at the intersection of every major APAC framework — what each corridor requires
Every data transfer involving India has two sides — the India side, governed by the DPDPA, and the other jurisdiction's side, governed by its own framework. The DPDPA governs what an Indian data fiduciary must do. It does not displace what the receiving or sending jurisdiction's law requires of the entities in that jurisdiction. AMLEGALS advises on both sides of each corridor simultaneously — the DPDPA obligations on the India side and the applicable foreign framework obligations on the other. The following addresses the most frequently encountered corridors in our advisory practice.
The Region's Most Active Transfer Corridor — DPDPA and PDPA
The India-Singapore corridor is the highest-volume personal data transfer corridor in the Asia-Pacific region. Indian IT services companies and BPO providers process substantial volumes of Singapore personal data — financial services data, insurance data, healthcare records, customer relationship data — at Indian facilities. Singapore multinationals engage Indian subsidiaries and third party processors for a wide range of data functions. Singaporean financial institutions, technology companies and professional services firms engage Indian IT providers on long term outsourcing arrangements involving continuous personal data flows. For transfers from India to Singapore, Section 16 of the DPDPA permits the transfer — Singapore is not a restricted destination. The Singapore-side obligation requires that the Indian receiving entity execute a data intermediary agreement with the Singaporean data controller, under which the Indian entity processes the data only on documented instructions and implements appropriate security measures. For transfers from Singapore to India, the PDPA Transfer Regulations 2021 require a mechanism — standard contractual clauses in the form approved by the PDPC, binding corporate rules, or another means approved by the PDPC. The Indian receiving entity's DPDPA processor obligations must be reflected in the same agreement. AMLEGALS prepares combined instruments that address the PDPA Transfer Regulations requirements on the Singapore side and the DPDPA data processor requirements on the India side in a single document, avoiding the inconsistencies that arise when two separate agreements attempt to regulate the same processing relationship.
APP 8 Accountability and the Reasonable Steps Standard — The Most Consequential Obligation for Indian Processors
Australian Privacy Principle 8 imposes the most consequential obligation in the India-Australia data transfer relationship — and it is an obligation that falls on the Australian disclosing entity but can only be discharged through the conduct of the Indian receiving entity. An APP entity that discloses personal information to an overseas recipient — including an Indian IT services provider, technology company or BPO operator — remains accountable under the Privacy Act for a breach of the APPs by that overseas recipient as if the APP entity itself had committed the breach, unless the APP entity took reasonable steps before and during the disclosure to ensure the overseas recipient would not act in breach. India is not on any approved overseas recipient list. There is no adequacy arrangement between Australia and India. The reasonable steps required to satisfy APP 8 therefore require a positive due diligence exercise: an assessment of the Indian recipient's data governance framework, contractually binding commitments to comply with all thirteen APPs in relation to the disclosed information, monitoring mechanisms sufficient to detect non compliance, and — where non compliance occurs — remediation obligations. For Indian data processors serving Australian clients, the practical implication is direct and material: their DPDPA compliance programme must be documented in a manner that supports an Australian client's APP 8 reasonable steps assessment. A DPDPA programme that is compliant but undocumented does not satisfy APP 8. The documentation must address each of the thirteen APPs specifically — not merely the DPDPA's requirements, which do not track the APPs in identical terms. The penalty for a serious or repeated failure to comply with APP 8 — up to AUD 50 million — falls on the Australian disclosing entity but is triggered by the Indian processor's non compliance. 
This creates a powerful commercial incentive for Australian clients to impose audit rights, monitoring obligations and termination triggers in their data processing agreements with Indian providers. AMLEGALS advises Indian processors on structuring their data governance documentation to support Australian clients' APP 8 compliance and on the combined DPDPA plus APP-compliant data processing agreement frameworks that the corridor requires.
IPP 12 Comparable Safeguards and the DPDPA — What the Standard Actually Requires
New Zealand's Information Privacy Principle 12 requires that an agency disclosing personal information to a person or body in a foreign country take reasonable steps to ensure that the recipient is subject to privacy safeguards comparable to those provided by the NZ Privacy Act 2020. Where comparable safeguards cannot be established, the disclosure may proceed only with the express consent of the individual, who must be informed that the NZ Act will not apply. New Zealand's Privacy Commissioner has published guidance on what IPP 12 requires. The guidance is substantive — a paper assessment of whether a foreign country has a privacy statute that is notionally similar to the NZ Act is not adequate. What is required is an assessment of whether the Indian recipient's actual data governance practices — its policies, procedures, contracts, technical measures and training — provide protection comparable to the thirteen IPPs across the specific personal information being disclosed. The DPDPA provides a statutory framework that addresses a number of the IPPs — particularly the security obligations (analogous to IPP 5), the breach notification obligations (related to IPP 11), and the data subject rights for access and correction (analogous to IPP 6 and IPP 7 respectively). But the DPDPA does not address all thirteen IPPs in identical terms, and in some respects — particularly IPP 2 (direct collection preferred), IPP 4 (collection not by unfair or intrusive means) and IPP 9 (retention limits) — the DPDPA's provisions are expressed differently or in some cases not addressed at all. For Indian processors serving New Zealand clients, the combined data processing agreement must address the IPP 12 comparable safeguards obligation by demonstrating how each of the relevant IPPs is addressed by the Indian processor's governance framework, in addition to the DPDPA data processor obligations. 
AMLEGALS advises on this combined framework and on the documentation that Indian processors need to support New Zealand clients' IPP 12 assessments.
APPI Third-Country Transfer Requirements and DPDPA Combined Documentation
Transfers from Japan to India require the Japanese transferring entity to either obtain the individual's consent — with disclosure of the name of India and the content of India's personal information protection system, or a statement that the PPC has been unable to confirm the content of the system — or to ensure that the Indian receiving entity has in place contractual measures requiring it to handle the personal information in a manner equivalent to the protections required by the APPI, continuously verified by the Japanese entity. In practice, the contractual equivalent-protection mechanism is the standard approach for business-to-business transfer relationships. The Indian receiving entity's data processing agreement must commit it to handling the Japanese personal information in a manner equivalent to the APPI's requirements — which requires mapping the APPI's obligations onto the contractual terms and ensuring no gap exists between what the APPI requires and what the agreement provides. The DPDPA data processor requirements must also be incorporated in the same agreement. Transfers from India to Japan — a corridor significant for Indian IT companies serving Japanese technology and manufacturing clients — are permitted under Section 16 of the DPDPA with no Japan-side adequacy requirement imposed by the DPDPA. The APPI governs the Japanese receiving entity's handling of the data once received. Japan holds EU adequacy status, which facilitates Japan-EU data flows and may be a useful reference point in assessing the comparability of Japan's framework with India's DPDPA for the purposes of the APPI equivalent-protection assessment.
Granular Consent Architectures — The PIPA Consent Standard Versus the DPDPA Standard
The combination of India's DPDPA and South Korea's PIPA creates consent architecture challenges that go beyond what any other India-APAC pairing presents. India requires a single free, specific, informed, unconditional and unambiguous consent for each processing purpose. South Korea requires a separate, specific and freely given consent for each distinct purpose — collection, use, provision to third parties and cross border transfers each require separate consents. For cross border transfers from South Korea to India, the PIPA requires either the data subject's consent — with specific disclosure of the purpose of the transfer, the recipient's identity and contact information, the categories of personal information being transferred, the retention period at the destination, and the data subject's right to refuse consent to the transfer — or an agreement with the Indian receiving entity providing equivalent protection to the PIPA, or a PIPC adequacy determination. No PIPC adequacy determination for India has been issued. For organisations with both Indian and South Korean users — technology platforms, digital service providers, financial services companies — the consent framework for South Korean users must be designed to the PIPA's granular, purpose-by-purpose standard, which is significantly more demanding than the DPDPA's consent requirement. The two frameworks can co-exist in a single consent architecture only if the architecture is designed to the more demanding South Korean standard, with the DPDPA's requirements satisfied as a subset of that architecture. AMLEGALS advises on this combined consent architecture and on the data processing agreement documentation required for India-South Korea processing relationships.
The Most Complex Bilateral APAC Data Transfer Position — DPDPA and PIPL
The India-China data transfer position is the most legally complex bilateral corridor in the APAC region for organisations with operations in both countries. The complexity arises from the asymmetry between the two frameworks — India's DPDPA imposes no transfer restriction on outbound flows from India to China (Section 16 permits the transfer, no restriction notification has been issued), while China's PIPL imposes substantial requirements on outbound flows from China to India. For transfers from China to India, the applicable PIPL mechanism depends on whether the Chinese transferring entity is a Critical Information Infrastructure Operator (CIIO), whether it has reached the prescribed volume thresholds (personal information of one million or more individuals, or cumulative transfers of 100,000 or more individuals since 1 January of the preceding year), and whether the transfer involves personal information that falls within categories attracting security assessment. CIIOs and high-volume processors must undergo a CAC security assessment before the transfer can proceed — a process that requires submission of detailed documentation to the CAC for review, takes time, and is capable of being refused or deferred. Below the volume thresholds, the standard contract mechanism is available — the Chinese entity concludes a standard contract in CAC-prescribed form with the Indian receiving entity and files it with the competent authority within ten working days of the contract taking effect. The Indian receiving entity's DPDPA obligations as a data processor must also be reflected in the documentation. From an India risk perspective, China is the jurisdiction most frequently identified in policy discussions as a candidate for early designation as a restricted destination under the DPDPA's negative list mechanism.
Organisations with India-China data flows should structure their transfer compliance framework now in a way that can accommodate a restriction notification without operational disruption — which means maintaining documentation of transfer flows, having contractual mechanisms in place on both sides, and building the ability to route around a China restriction if one is issued.
Decree 13/2023 and the BPO Industry's Direct Compliance Obligation
Vietnam's Decree 13/2023 is the APAC framework with the most direct and immediate compliance implications for India's IT services and business process management industry. Indian BPO providers process Vietnamese personal data at Indian facilities in connection with financial services, customer service, healthcare administration and other functions for Vietnamese and multinational clients with Vietnamese operations. The Decree applies extra territorially — it governs processing outside Vietnam that directly affects or is related to individuals in Vietnam. Indian BPO providers processing Vietnamese personal data are within its scope. The cross border transfer provisions of the Decree require, for prescribed categories of Vietnamese personal data, a data impact assessment to be prepared and filed with the Ministry of Public Security before the transfer from Vietnam to India takes place. The Ministry may prohibit a transfer that it considers presents unacceptable risks. This is not a standard contract filing — it is a regulatory submission to a law enforcement ministry with the power to prohibit the transfer. For Indian BPO providers processing sensitive Vietnamese personal data, this means that before the Vietnamese client can lawfully transfer personal data to the Indian processing facility, a data impact assessment must be prepared, filed and not prohibited by the Ministry of Public Security. The Indian provider's data processing agreement with the Vietnamese client must address this obligation on the Vietnam side, in addition to the DPDPA data processor requirements on the India side. Breach notification under the Decree — without delay to the Ministry of Public Security and to affected data subjects — imposes a notification timeline that is more demanding in practice than the DPDPA's own standard, because the Ministry of Public Security is a law enforcement body that expects immediate response to data incidents.
The Approved Countries Gap and Direct Processor Obligations — PDPA and DPDPA
Malaysia's PDPA creates a specific compliance challenge for Indian data processors that is not replicated in most other India-APAC corridors. India is not on the list of countries approved by the Malaysian Minister of Communications and Digital for the purposes of cross border personal data transfers under the PDPA. A Malaysian company wishing to transfer personal data of Malaysian individuals to an Indian processing facility therefore cannot rely on the standard approved-country mechanism. The transfer must be conducted on the basis of the data subject's consent — meeting the PDPA's consent requirements and obtained before the transfer takes place — or pursuant to another prescribed condition. The 2024 Amendment Act's imposition of direct obligations on data processors is a separate development that affects the Indian processor independently of the transfer basis. Indian processors that receive Malaysian personal data must now implement security measures equivalent to those of the Malaysian data user and must notify the data user without undue delay upon becoming aware of a breach. These direct processor obligations coexist with the DPDPA's processor requirements on the India side. The data processing agreement between a Malaysian client and an Indian processor must address all three dimensions: the PDPA transfer basis (consent or alternative condition), the 2024 Amendment Act's direct processor security and notification obligations, and the DPDPA's data processor requirements. An agreement that addresses only the DPDPA obligations without addressing the Malaysian transfer basis and processor obligations is legally inadequate on the Malaysia side and creates enforcement exposure for both the Malaysian client and the Indian processor.
PDP Law Equivalent Protection and the 14-Working-Day Breach Notification Timeline
Indonesia's PDP Law imposes an equivalent-protection standard for cross border transfers — personal data may only be transferred to a country or territory that provides a level of personal data protection at least equivalent to that under the Indonesian Law, or pursuant to contractual safeguards approved by the supervisory authority. An assessment of whether India's DPDPA framework provides equivalent protection to the Indonesian PDP Law requires a comparison of the two frameworks across the principal dimensions — lawful basis, individual rights, security obligations, breach notification, processor obligations and enforcement. The DPDPA and the PDP Law share a number of common features — both impose consent requirements, both establish breach notification obligations, both provide for individual rights including access and correction, both impose security obligations on processors. They differ in the range of lawful bases recognised — Indonesia has a broader set including legitimate interests — and in the breach notification timeline, where Indonesia's 14-working-day standard is more permissive than the DPDPA's without-undue-delay standard in terms of the available window, though both require substantive action as quickly as facts can be established. For Indian data processors receiving Indonesian personal data, the equivalent-protection assessment by the Indonesian controller before the transfer proceeds is a compliance prerequisite that cannot be avoided by contractual means alone. The combined data processing agreement must address both the PDP Law's processor obligations and the DPDPA's processor requirements, and must demonstrate compliance with both frameworks sufficiently to support the Indonesian controller's equivalent-protection assessment.
Emerging South Asian Corridor — PDPA 2022 and DPDPA
Sri Lanka's Personal Data Protection Act 2022 is the most recent significant personal data protection statute enacted in South Asia. Its extra territorial reach — applying to controllers and processors outside Sri Lanka that process personal data of Sri Lankan residents — means Indian IT services companies and BPO providers processing Sri Lankan personal data at Indian facilities fall within the Act's scope from the date of its commencement. The Act is more flexible in its lawful basis approach than India's DPDPA — it recognises a full range of lawful bases including legitimate interests — which may simplify some compliance questions for Sri Lankan data controllers seeking to engage Indian processors. Cross border transfers under the Act require adequate protection at the destination, with exceptions for explicit consent, contractual necessity, vital interests and other prescribed derogations. For the India-Sri Lanka corridor, the question of whether India's DPDPA provides adequate protection within the meaning of the Sri Lanka Act will be assessed by the Personal Data Protection Authority once it is fully operational. In the interim, the most reliable approach is to use a combined data processing agreement addressing the Sri Lanka Act's processor obligations and cross border transfer requirements alongside the DPDPA's processor requirements — ensuring adequate protection at the contractual level regardless of whether a formal adequacy determination is eventually issued. This corridor is expected to grow in significance as Sri Lanka's digital economy develops and as the PDPA Authority becomes operational and begins enforcing the Act.
Extra Territorial Reach and the Filipino Diaspora — DPA 2012 and DPDPA
The Philippines Data Privacy Act has an extra territorial reach keyed to the nationality of the data subject — it applies to the processing of personal information about Filipino citizens wherever in the world that processing takes place. This means that an Indian entity processing personal data of Filipino employees, contractors or customers is within the DPA's scope regardless of where the processing occurs. The practical implications for Indian BPO providers processing Filipino personal data — whether in the context of financial services, healthcare, retail or other sectors — are significant: the DPA's security, consent, rights management and breach notification obligations apply in full to that processing. Cross border transfers from the Philippines to India require either that the NPC has determined India provides comparable standards, or that appropriate contractual safeguards are in place. The combined data processing agreement for a Philippines-India processing relationship must address the DPA's processor obligations — processing only on documented instructions, implementing appropriate security measures, notifying the controller without undue delay of a breach — alongside the DPDPA's processor requirements. The NPC's active enforcement practice means that non compliance by Indian processors with the DPA's requirements creates genuine enforcement risk for the Philippine data controller that engaged them, providing a strong commercial incentive for Philippine clients to impose rigorous data processing obligations on their Indian providers.
PDPA Adequacy Assessment and the India-Thailand Technology Corridor
Thailand's PDPA requires that cross border transfers be made only to countries providing adequate personal data protection standards, or pursuant to specified exceptions including consent. The Personal Data Protection Committee may issue adequacy determinations. As at April 2026, no PDPC adequacy determination for India had been issued. Transfers from Thailand to India therefore require either explicit consent from each affected data subject or contractual safeguards ensuring adequate protection. The contractual safeguards approach — standard contractual clauses or binding corporate rules in a form recognised by the PDPC — is the standard commercial mechanism. For Indian technology companies and IT services providers serving Thai clients, the combined documentation must address the PDPA's processor obligations — processing on written instructions, implementing security measures, notifying the Thai controller of breaches, ensuring sub processor compliance — alongside the DPDPA's processor requirements. The India-Thailand technology corridor is growing in significance as Thai digital economy development accelerates, as Indian IT companies expand their ASEAN client bases, and as Thai financial institutions and technology platforms engage Indian BPO providers. The PDPA's GDPR-alignment means that the documentation frameworks developed for Europe-India transfers can be adapted for Thailand-India transfers more efficiently than for jurisdictions with divergent frameworks.
Speak with our APAC data privacy practice
AMLEGALS is India's specialist DPDPA practice. We advise on India's DPDPA and on its intersection with the personal data protection frameworks of each of the thirty-one jurisdictions addressed in this guide. If your compliance question involves India alone, India in combination with another APAC jurisdiction, the transfer documentation required for a specific corridor, or the implications of a specific APAC statutory provision for your operations, our team is available to advise directly. Write to us or complete the form below.
Complete the form and we will respond within one working day. For urgent matters write directly to dataprivacy@amlegals.com.