Lawthentic Loop

Stay updated, stay in the loop

Data Protection and Privacy Laws Throughout APAC

Author: Katie Akpinar, Principal Lawyer

5 April 2022

There's substantial consensus in data privacy laws throughout APAC, but not all requirements and protections are the same in every country. The key? Obtain advice before doing business overseas or sending data off-shore.

Cross border data sharing is a necessity in a highly globalised, pandemic-impacted world. But is your organisation aware of how data is protected overseas?

Privacy laws provide the regulatory framework for the protection of data, but these are not created equal across jurisdictions, even within the same region.

Let’s take a look at some of the similarities and differences in data protection and privacy laws in APAC countries Australia, New Zealand, Singapore and Malaysia.

Australia

In Australia, privacy law is governed by the Privacy Act 1988 (Cth) and the Australian Privacy Principles, which require personal information to be managed in a transparent way. This includes detailing how and why the information is collected, what impact it will have if the information is not provided, and how the information can be accessed and by whom. Complaints involving personal information and data, including its inappropriate dissemination or release, can be made to the Australian privacy regulator, the Office of the Australian Information Commissioner (OAIC).

So how best can organisations avoid falling foul of these requirements? Have a detailed privacy policy in place, make it readily available to clients, and comply with the mandatory data breach notification regime. Under the Notifiable Data Breaches Scheme, organisations must notify the OAIC and the affected individuals about an eligible data breach. The criteria for an eligible data breach are:

  • Unauthorised access (such as a hacking attack) or unauthorised disclosure (for example, inadvertent release) of personal information held by an entity;
  • Which is likely to result in serious harm to one or more individuals; and
  • The organisation hasn’t been able to prevent the risk of serious harm by taking any remedial steps.

An example would be somebody gaining access to your clients’ bank details and either using these or posting them on a public forum.

If the criteria are met, a data breach report must be made. One notable incident was the leaking of personal information of those who used the Ashley Madison dating site. You can read more about the Ashley Madison data breach and the findings from the joint investigation conducted by the Australian Privacy Commissioner and the Privacy Commissioner of Canada in their joint report.

New Zealand

In New Zealand, the privacy framework is governed by the Privacy Act 2020, which came into force on 1 December 2020 and replaced the Privacy Act 1993. The legislation contains 13 Privacy Principles that govern how organisations collect, store, use and share information.

The new Privacy Act includes an additional Privacy Principle relating to the disclosure of information outside the country. Principle 12 (on extraterritoriality) only permits the disclosure of information outside New Zealand in certain circumstances. These include a requirement that the receiver of the information is party to a contractual agreement containing a specific clause guaranteeing reciprocal privacy rights.

Since its introduction, the Privacy Act 2020 has made the notification requirement mandatory when an organisation has a privacy breach that causes harm or is likely to cause serious harm to anyone. In such cases notification must be made to the people affected as well as to the Privacy Commissioner. Clear guidance on dealing with a privacy breach is provided by New Zealand’s privacy regulator, the Office of the Privacy Commissioner (OPC).

On balance, organisations based in New Zealand and Australia share broadly reciprocal privacy rights and obligations.

Singapore

In Singapore, protections are available under the Personal Data Protection Act 2012 and its various regulations, which include amendments made in 2021 that more closely align Singapore's data protection regime with international standards.

Along with Australia, Singapore participates in APEC’s Cross-Border Privacy Rules (CBPR) system, which implements the APEC Privacy Framework. Organisations must have policies and procedures in place for the transfer of data that meet the framework standards, and compliance is assessed.

Although Singapore's regime is improving in thoroughness and in the accountability it demands of organisations that handle individuals' data, its protections are not as strong as those in Australia and New Zealand.

Malaysia

In Malaysia, personal data is protected by the Personal Data Protection Act 2010 as well as the Personal Data Protection Standard 2015. Importantly, the scope of the Personal Data Protection Act 2010 does not extend to organisations without a physical presence in Malaysia, to the Malaysian federal and state governments, or to credit reporting agencies.

Amendments were proposed to the Personal Data Protection Act 2010 to bring Malaysian legislation into line with laws around the world. Areas under consideration include obligations of data processors, data portability rights, mandatory data breach notifications and processing of personal data in cloud computing.

Some caution should be taken when dealing with businesses located in Malaysia and Singapore, and it is important to spell out clearly in contractual documents or other agreements how data will be dealt with.

The key takeaways

There’s substantial consensus in data privacy laws throughout APAC, but not all requirements and protections are the same in every country. The key? Obtain advice before doing business overseas or sending data off-shore. Ensure your organisation is compliant by either having local data processing centres, or at the least by enforcing a privacy policy which is in line with laws in that jurisdiction.

You should also take into account where and how third-party service providers are storing and handling your clients' data. If those providers are off-shore, it is important that your clients are aware of this arrangement and of the potential impact local laws may have on the security of their information.

For further information on any of the matters raised in this article, please get in touch with the Lawthentic team.

About Lawthentic | Commercial Lawyers

Based in Sydney, Lawthentic provides high-level, specialist, commercial and corporate legal advice to business Australia-wide and across APAC. We deliver progressive end-to-end commercial law services that address the full spectrum of legal issues a business may encounter, driving “Real Progress for Enterprise”. Our legal services cover all areas of Commercial law, Corporate law, Intellectual Property law, Data and Technology law, Regulatory Compliance, and Dispute Resolution. We work with medium to large corporate businesses looking for friendlier and more cost-efficient legal services without compromising on expertise. We provide in-house, face-to-face, or remote support from our offices in Sydney.

About the Author

Katie Akpinar, Principal Lawyer

Katie is a Principal Lawyer and Founder at Lawthentic. She is an accomplished commercial and corporate lawyer with considerable experience working with organisations in Australia and across the Asia Pacific region. Katie has a simple philosophy: to consistently apply a commercial approach in delivering practical, considered, and specialist legal guidance. Combining her top-tier law firm experience with corporate acumen and a wealth of industry insight, she provides strategic solutions, whilst playing a meaningful role in her clients' mission and purpose, helping business to do business.