ASEAN's ‘New’ Data Privacy Laws: Malaysia, the Philippines and Singapore
Privacy Laws & Business International Report, Issue 116: 22-24, April 2012
5 Pages Posted: 1 May 2012 Last revised: 15 Aug 2012
Date Written: April 20, 2012
Abstract
In the first quarter of 2012, the ASEAN region (Association of South East Asian Nations) has become the most active region in the world for new privacy developments. None of the Bills in Malaysia, the Philippines or Singapore is yet a law, but they all could be within 2012. They have very different strengths and weaknesses in the protections they give to data subjects, and present differing compliance challenges for businesses.
Malaysia’s Personal Data Protection Act of 2010 has not yet been brought into force, primarily because the government has not appointed a Personal Data Protection Commissioner as required by the Act. The Malaysian government has now indicated it is considering bringing the Act into force without a Commissioner. This article considers whether such a move could result in serious enforcement.
The Philippines Senate passed the Data Privacy Act of 2011 on 20 March 2012, but the Senate Bill differs from House Bill 1554 passed in 2011. There must now be a bicameral conference committee to ‘reconcile’ the versions of the two houses, and then the reconciled version will be sent to the President for signature after its passage by both Houses. No timetable has been set. This article examines the main features of the Senate Bill, including its attempt to exempt outsourcing of foreign personal data, which may result in a Phyrric victory for outsourcers if it makes it impossible for the European Union to find that Philippines law is ‘adequate.’
Singapore’s Ministry of Information, Communications and the Arts (MICA) has issued a draft Personal Data Protection Bill, and further consultation paper, while calling for submissions. The data protection principles in the draft Bill are to OECD or better standard in relation to access, correction, data quality, security, notice and deletion/de-identification. However, it does not have specific provisions restricting data exports. Contrary to suggestions in the previous consultation paper, the Bill does not include special protection for some forms of sensitive data; nor an ‘opt-in’ by industry sectors for its more onerous principles; nor an ‘opt-out’ for industry sectors (with DPC permission) from some of the basic principles. The draft Bill therefore appears to be a minimal version of a ‘normal’ data privacy law, rather than the somewhat derisory version promised by the earlier consultation paper.
The article highlights some interesting comparisons: Whereas Malaysia seems intent on abandoning its enacted (but not appointed) data protection authority, both the Philippines and Singapore are going ahead with enacting laws establishing DPAs. Whereas the laws in neither Singapore or Malaysia will cover the public sector, the Philippines law will do so. The Malaysian law does not seem to include a means for complaints to make claims for compensation, but both the Singaporean and Philippnes laws do so. ASEAN member countries have agreed to develop ‘best practices/guidelines’ on data protection (but not to legislate) by 2015, as part of their commitment to establish an integrated ASEAN Economic Community (AEC) by 2015. It is an area to watch.
Keywords: Asia, Singapore, Malaysia, Philippines, ASEAN, privacy, data protection, regulation
Suggested Citation: Suggested Citation