Singapore, Malaysia and the Philippines are the only countries with specific data protection laws.
Indonesia, Myanmar and Vietnam are countries with data privacy requirements only as part of their general electronic systems and transaction laws. In the case of Indonesia, change is afoot as the government rolls out regulations pursuant to its 2008 Electronic Transaction and Information law. The Indonesian government has enacted two regulations on registration requirements for electronic systems operators as well. A new national Cyber Agency is proposed.
Vietnam's Information Security law came into effect on 1 July 2016. The law contains annual inspections of information systems by the state. The implementation of this requires further regulations. One concern is that inspection or registration requirements may be perceived as veiled attempts by a State to pry into stored personal data using the very law that is meant to secure personal data; another concern is the possible effect of clamping down on internet freedom.
Indonesia and Thailand have circulated draft data protection laws. It is important to monitor these bills through the legislative process. One area of confusion for Indonesia is how one reconciles the data protection law (when enacted) with the data protection provisions in the pre-existing IT laws. In the case of Thailand, the bill is not likely to be passed into law in the foreseeable future nor is the government infrastructure ready to implement the law yet, even if passed.
Cambodia still has not announced plans to enact data protection regulations.
Businesses operating in the ASEAN region have a tricky task to keep on top of the differing regimes and developments.