Global Developments: New Actions in the Asia-Pacific
Publication | 05.14.24
Across the Asia-Pacific (APAC), the past year has brought defining developments for privacy and cybersecurity regulations in the region. A number of countries have implemented new or updated existing policy instruments—a testament to the growing relevance of a strong privacy and cybersecurity framework in the face of rapid global digital transformation. Topline 2023 changes and actions across APAC have included Vietnam’s Decree on Personal Data Protection; Bangladesh’s Cyber Security Act and draft Data Protection Act; amendments to Taiwan’s Cyber Security Management Act; and Indonesia’s Presidential Regulation Number 47 of 2023 on Cyber Crisis Management and National Cyber Security Strategy.
Australia and India stood out for their pivotal moves on privacy and cybersecurity with the potential to set important precedents for the region. Prompted in part by a spate of significant cybersecurity incidents, the new Australian Cyber Security Strategy 2023-2030 signifies the country’s intent to become a world leader in cybersecurity by 2030. Its “all of country” approach ambitiously tackles a range of issues, from critical infrastructure protection to cyber workforce skilling and international cooperation. Central to these efforts is the expectation that the strategy will usher in landmark legislation on cybersecurity standards and incident reporting, to be significantly informed by industry input. The government began implementation efforts on this Strategy in early 2024, by opening a round of public consultation to revise the Security of Critical Infrastructure Act 2018. This step aims to improve the country’s security and resilience, with cyber response and prevention at the forefront. On the privacy end, the Australian government is negotiating revisions to its Privacy Act, which is poised for legislative amendments in 2024 after the latest round of public consultation closed in March 2024. Chief among those amendments could be a new standard where—regardless of the terms of any consent—the collection, use, and disclosure of personal information would need to be “fair and reasonable,” rather than the current standard of “reasonably necessary.”
Meanwhile, stronger legislation on data protection has been a key theme for India, with what is now the world’s most populous country finally passing its Digital Personal Data Protection Bill in 2023. This long-awaited bill had been in the making for five years, drawing on fundamental concepts found in the EU’s General Data Protection Regulation but with key distinctions in its applicability. Still, questions remain about the new law’s resources and enforcement, especially after a contentious path through the country’s Parliament. In 2024, we should learn the answers to many of these questions, in part due to the Central Government’s publication of implementing rules and the establishment of the Data Protection Board of India, which will be charged with enforcement. However, the publication of these rules is likely to be delayed until after the country’s general elections conclude in June 2024.
Singapore is another country often benchmarked for keeping good pace with evolving technology through its policy and regulatory landscape. In December 2023, it released the first draft of amendments to its Cybersecurity Act 2018, containing novel provisions to enhance the cyber resilience of not only its critical infrastructure, but also other entities with implications for the country’s national interests. Public consultation on these amendments concluded in January 2024, followed by the first reading of the Bill in Parliament in early April; the Bill is now expected to be passed later this year. Overall, Singapore continues to establish a robust regulatory ecosystem for privacy and cybersecurity, particularly where those issues intersect with today’s buzzword – artificial intelligence. In the summer of 2023, the Personal Data Protection Commission published proposed guidelines on the use of personal data in AI systems, which received substantial private sector feedback on how personal information is used in AI’s development and deployment. And in December 2023, the Prime Minister’s Office released the National Artificial Intelligence Strategy (NAIS) 2.0, aiming to set regional standards for AI’s use in detecting and mitigating cyberattacks, among other goals. In 2024, we will likely see AI increasingly interwoven into privacy regulations and cybersecurity infrastructure by both APAC governments and businesses to support the region’s growing digital economy.