Asia-Pacific Region at the Privacy Crossroads (2008)

2. Privacy regulation in the Asia-Pacific region

Many Asia-Pacific countries are members of regional groupings and are unlikely to develop privacy regulation without consideration of global and regional standards. Smaller countries in particular are careful to align their domestic regulations with regional and international developments.

The protection of privacy in the region is not uniform, although some clear trends are emerging. This section summarises the general approach being taken in each country (full details appear in Appendix 1 – National Laws).

Seven countries in the Asia-Pacific region have passed privacy legislation that is closely aligned with the broad EU approach. Four countries have draft legislation that is also closely aligned with the EU approach.[4]

Three countries have short privacy clauses in their e-commerce laws that could serve as a foundation for more detailed legislation in the future. This leaves five countries plus the majority of the small Pacific Island countries with no privacy legislation.


Number of Countries


Privacy legislation


Australia, Hong Kong, Japan, Korea, Macau, New Zealand, and Taiwan

Draft privacy legislation


China, Malaysia, the Philippines, and Thailand

Privacy clause in e-commerce legislation


Indonesia, Vanuatu, and Vietnam

No legislation


Brunei, Cambodia, Laos, Myanmar, and Singapore, plus the majority of the small Pacific Islands countries.


The US/APEC approach has less traction in the region. Two countries have trust-mark schemes (Singapore and Japan), although these are effectively restrained to domestic companies. One further country is considering a trust-mark scheme (Vietnam).

One country in the region (Singapore) has adopted a policy of supporting privacy self-regulation rather than legislation, and has developed a Model Data Protection Code. However, this development was intended to be an interim measure on a longer path towards legislation, and Singapore is now considering privacy legislation.

Three countries (China, Malaysia, and the Philippines) have explicitly considered some of the APEC Privacy Framework Principles in the development of their draft legislation. However all three of these countries have chosen comprehensive EU style legislation rather than self-regulatory alternatives.

The dominant trend in the region therefore favours the development of EU style comprehensive legislation. It is important to note that in following the broad EU approach, countries in the Asia-Pacific region have chosen not to adopt exact copies of the EU Directive. For example, the former Hong Kong Privacy Commissioner described Hong Kong’s privacy regime as ‘European inspired but locally oriented, rather than simply a direct copy of what has gone before’.[5]

Privacy laws are also developing some unique characteristics in the Asia-Pacific region that are not based on developments in either the EU or the US. For example, privacy legislation in the region has been the subject of unexpectedly strong sanctions and enforcement.[6] Sanctions have included imprisonment, significant fines, substantial compensation payments and even orders to suspend business operations. This is in contrast to other jurisdictions, for example the US, where there has been no penalties or enforcement action under the specific provisions of the US Safe Harbour regime in its eight years of operation.

[4] For recent legislative developments in the Asia-Pacific region, see Vierboom A, Asia Pacific Privacy Developments 2007, January 2008, <>.

[5] Hong Kong Privacy Commissioner for Personal Data, A View from Asia: Laying the Foundations for a Consolidated Approach towards Privacy to meet the Challenges ahead, keynote address to the 4th IAPP Privacy and Data Security Summit and Expo, <>.

[6] Connolly C, Lim YF, et al, Privacy breach sanctions in the Asia-Pacific region, July 2007, <>.