Skip to main content

A look at APAC Data Privacy Laws in the second half of 2021

This article covers the key latest data privacy regulations for Australia, China, Hong Kong, India, Japan, Singapore and South Korea for the second half of 2021. We continue to witness changes in APAC's data privacy laws with new regulations coming into effect in China and India.


Discussion Paper on the Review of the Privacy Act 1988 and Exposure Draft of Online Privacy Bill

In October 2021, the Australian government released a discussion paper containing proposals for the future reform of the Privacy Act 1998 (“Privacy Act”). They also released an exposure draft of the Privacy Legislation Amendment (Enhancing Online Privacy and Other Measures) Bill 2011 (“Online Privacy Bill”) which is aimed at improving the protection of personal information, and expanding the extra-territorial scope of the Privacy Act and improving penalties for non-compliance.

The proposals under the discussion paper on the Privacy Act covers the following areas:

  • Expansion of key definitions such as personal information and collection
  • Addition of new definitions such as reasonably identifiable, consent, primary & secondary purpose and disclosure
  • Changes to privacy notes requirements such as express requirement
  • Probability of a standardised privacy notice in terms of layout, wording or consent taxonomies
  • Supplementary rules and limitations related to high risk acts and practices
  • Pro-privacy default settings on a sectoral or other specified basis
  • Proposals to protect children and individuals related to those under Online Privacy Bill
  • Express rights for an individual to object or withdraw their consent to the handling of their personal information
  • A right of erasure of personal information in certain circumstances (subject to exceptions)
  • Various changes relating to overseas disclosures such as adopting a structure to define which countries qualify as substantially similar to the Australian Privacy Principles

The Online Privacy Bill is applicable to social media services, data brokerage firms and certain large online platforms operating in Australia and covers the following areas [1] [2]:

  • Social media services are required to take reasonable steps to verify the age of the users and obtain the parental consent of personal information of users under the age of 16
  • Stipulates how privacy policies, notices and consents are to be drafted and delivered
  • Specify when the consent is valid and, for sensitive information, when it is required to be renewed
  • Handling process for when the user requests to cease the handling of their personal information
  • Introduction of tougher penalties such as a fine of AUD10 million or more
  • Increased powers for the Office of the Australian Information Commissioner (OAIC)

The Australian government is currently receiving comments and questions with regards to the Discussion paper or any other relevant matter until 10th January 2022. 


The Personal Information Protection Law (“PIPL”) passed by the Standing Committee of the National People’s Congress of the People Republic of China on 20th August 2021, came into force on 1st November 2021. In our previous article, some key aspects of the PIPL were mentioned.

In addition, to assist the general public and businesses in Hong Kong to better understand the personal information protection regime in Mainland China, the Office of the Privacy Commissioner for Personal Data (“PCPD'') published a booklet on 18th November 2021, entitled “Introduction to the Personal Information Protection Law of the Mainland'' (''Introduction”). [3] [4] 

On 15th November 2021, the Cyberspace Administration of China (“CAC”) released their draft data security laws designed to strengthen the security of its internet data.

The draft covers the following areas:

  1. Classification of data into 3 categories: common, important and core  - depending on its importance to national security, public interest, individual privacy.
  2. Definition of how data is to be collected inside China in the event of an overseas data transfer.
  3. Scope of application to include: (i) Data processing activities and the supervision and management of network data security within the territory of the People’s Republic of China  (ii) Application to individuals and organisations outside of China that provide products or services within China.
  4. Definition of a data security emergency response mechanism in the event of a data breach.

Not to mention that companies trying to list in Hong Kong maybe also required to undergo a cybersecurity review if the listing may affect national security. 

The draft security law is currently opened to the public for comments until 13th December 2021.

Hong Kong

On 8th October 2021, the Personal Data (Privacy) (Amendment) Ordinance 2021 (the “Amendment Ordinance”) was published to combat doxxing acts that are intrusive to personal data privacy.

The objectives of the Amendment Ordinance include the criminalisation of doxxing acts, empowering the Privacy Commissioner for Personal Data (“Privacy Commissioner”) to perform any criminal investigations and institute prosecutions for doxxing acts and related offences, granting the Privacy Commissioner statutory powers to order the cessation of disclosure of doxxing messages. PCPD has also published the Implementation Guidelines for the Amendment Ordinance and a hotline has been setup to handle any inquiries or complaints related to doxxing. 


After two years since its introduction in 2019, the Joint Parliamentary Committee (“JPC”) has finally adopted the draft report of the JPC on the Personal Data Protection (“PDP”) Bill introduced in 2019. In our previous article, we mentioned some key aspects of the draft report.


In August 2021, Japan’s Personal Information Protection Commission (“PPC”) published Guidelines related to the 2020 Amendments on its Act on the Protection of Personal Information (“APPI”). The Guidelines aim to provide clarity on previously identified unclear aspects in both the existing Act and 2020 amendments.

The Guideline covers the following areas:

Extraterritorial Application

The 2020 Amendment Guidelines specify that the APPI’s application will be extended to all entities in a foreign country handling any personal information, Personally Referable Information, Pseudonymously Processed Information or Anonymously Processed Information that relates to data subjects in Japan, in relation to the supply of goods or services to any data subjects in Japan.

Mandatory Breach Reporting

Mandatory breach reporting to the PPC or designated authority and data subjects is a new regulation under the 2020 Amendments. As such, the Guidelines try to define as much as possible the conditions that would require reporting and indicate the measures to be taken in the event of the breach.

New Categories of Information

The Guidelines provide supervision regarding the definition, usage, processing and sharing of Pseudonymously Processed Information and Personally Referable Information, both of which were previously introduced in the 2020 Amendments.

Data Transfer Obligations

The Guidelines provide more information regarding the new obligations for third party data transfer both domestically and internationally. For example, listing out the relevant verification obligations before the commencement of data transfer and transparency involved when obtaining the consent of the data subject.

Expanded Rights of Data Subjects

The Guidelines also explain the claims process based on the extended individual rights introduced in the 2020 Amendment.

On 19th May 2021, the Japanese government released its 2021 Amendments to its APPI (“2021 Amendments”). The amendments seek to consolidate various individually enacted data protection laws across different governmental and national agencies including independent administrative institutions with the APPI and designate nationwide rules for local governments. The 2021 Amendments have been enacted but its effective date is to be decided.


On 14th September 2021, the Personal Data Protection Commission (“PDPC”) has published its revised guides: (1) Guide on developing a Data Protection Management Programme – so as to incorporate best practices in accountability to support organisations' personal data protection policies and processes (2) Guide on Data Protection Impact Assessments.


South Korea

On 16th June 2021, the European Commission launched the process towards the adoption of the adequacy decision for the transfer of personal data to the Republic of Korea. This means that additional safeguards would not be required when transferring European Union personal data to South Korea. The draft adequacy decision assumes that there is a certain level of data protection to be provided under the GDPR. Additional safeguards to be enforced by the Personal Information Protection Committee (“PIPC”) were also discussed and they are focused on strengthening the data protection level


For previous updates on data privacy laws in China, Hong Kong, Japan, South Korea and Singapore, please refer to our previous articles Covid-19 Has Not Stopped Regulators Progressing on Data Privacy Laws and An Update on Data Privacy Laws in the APAC Region in 2021

How can Sia Partners help?

With nearly 100 data privacy projects already delivered, Sia Partners has a strong understanding of both the regulations and the challenges when implementing them. Sia Partners also has an experienced team with complementary profiles and global coverage.

The main areas where Sia Partners can support your company are:

Data Maturity Assessment and Implementation

  • Make an inventory of personal data processing activities to be implemented in the record of processing activities
  • Assess the maturity level of the company with data privacy regulations using Sia Partners’ tool
  • Develop an action plan (structuring of the work to be done and list of actions for each theme)
  • Implementation support to close the compliance gaps
  • Support data privacy projects with strong project management capabilities


Data Protection Officer Support

  • Provide data compliance advice on complex issues
  • Represent your company in dealings with third parties
  • Perform BAU work and animate the data privacy network inside the company


Data Privacy Training

  • Define data privacy training and communication plans
  • Conduct training on data privacy compliance (e-learning, in-class, blended learning etc.)


For details of our offerings, please visit our GDPR page.

Find out how we can help

Sia Partners integrates this data in its client database to send you marketing communications (invitations to events, newsletters and new commercial offers).
This data will be kept for 3 years before being deleted and you can withdraw your consent to the processing of your data at any time.
To learn more about the management of your personal data and to exercise your rights, please consult our Data Protection Policy.


Your data are used by Sia Partners to process your contact request. Please note that you have rights regarding your personal data. For more information, we invite you to read our data protection policy