Asia-Pacific Privacy Law

From lawbrain.com

Privacy law in the Asia-Pacific region is concerned with the protection and preservation of the privacy rights of citizens, especially where citizen data is exchanged with other countries.




Member countries of the Asia-Pacific Economic Cooperation (APEC) account for the majority of the privacy laws of the Asia-Pacific region. Because the organization's members are so varied, their approaches to developing privacy law also vary. Australia is similar to Canada in that it follows a co-regulatory approach, in which industry develops and enforces the privacy laws while a separate privacy agency oversees that enforcement. Japan and Singapore are similar to the U.S. in following a self-regulatory model, whereby organizations are required to follow a code of practice established by a company or industry body. Other countries take a technology-based approach, stating which technical security measures must be in place to protect an individual's personal information.

Information Privacy Principles

Privacy laws developed in the Asia-Pacific region are primarily based on the APEC Privacy Framework.[1] This privacy framework was based on the OECD privacy guidelines[2] and fair information practices.

The APEC information privacy principles include:

  • Principle 1: Preventing Harm
  • Principle 2: Notice
  • Principle 3: Collection Limitations
  • Principle 4: Uses of Personal Information
  • Principle 5: Choice
  • Principle 6: Integrity of Personal Information
  • Principle 7: Security Safeguards
  • Principle 8: Access and Correction
  • Principle 9: Accountability

Cross-Border Data Flows

Cross-border information flows between economies around the Pacific Rim have dramatically increased in volume as IT businesses globalize their information processing services via the Internet. Cross-border privacy rules (CBPRs) are a set of rules developed by an organization that commits to apply them to its activities involving transfers of personal information across borders. Business, government and consumer organizations use CBPRs as a way of ensuring accountability for information flows, so that organizations keep their original privacy promise to the customer.[3]



Australian privacy laws are based on an early adoption of the Organisation for Economic Cooperation & Development (OECD) Guidelines Governing the Protection of Privacy & Transborder Data Flows of Personal Data.[5]  Like Canada, Australia has multiple states and territories that create their own laws.  Therefore, Australia has a number of comprehensive laws specific to privacy and data protection.

New Zealand[6]

  • Bill of Rights Act, Article 21
  • Privacy Act (1993)[7]

The Privacy Act was influenced by the Organisation for Economic Co-operation and Development (OECD) Guidelines on the Protection of Privacy and Transborder Flows of Personal Data.[8]  The Act both promotes and protects the privacy of individuals.  It is applied in both public and private sectors.

There are 12 information privacy principles[9] that make up the Privacy Act. These principles are basic fair information practices and include:

  • Principle 1: Purpose of collection of personal information
  • Principle 2: Source of personal information
  • Principle 3: Collection of information
  • Principle 4: Manner of collection of personal information
  • Principle 5: Storage and security of personal information
  • Principle 6: Access to personal information
  • Principle 7: Correction of personal information
  • Principle 8: Accuracy of personal information to be checked before use
  • Principle 9: Personal information not to be kept for longer than necessary
  • Principle 10: Limits on use of personal information
  • Principle 11: Limits on disclosure of personal information
  • Principle 12: Unique identifiers

The Privacy Act also contains four public register privacy principles.[10]  These principles limit:

  • the manner in which information can be made available from public registers
  • re-sorting or combining public register information for commercial gain
  • electronic transmission of public registers
  • charging for access to public register information

Oversight: New Zealand Privacy Commissioner[11]


  • Constitution, Articles 38, 39 & 40[13]

Article 38: The personal dignity of citizens is inviolable. Insult, libel, false charge or frame-up directed against citizens by any means is prohibited.

Article 39: The home of citizens of the People's Republic of China is inviolable. Unlawful search of, or intrusion into, a citizen's home is prohibited.

Article 40: The freedom and privacy of correspondence of citizens of the People's Republic of China are protected by law. No organization or individual may, on any ground, infringe upon the freedom and privacy of citizens' correspondence except in cases where, to meet the needs of state security or of investigation into criminal offences, public security or procuratorial organs are permitted to censor correspondence in accordance with procedures prescribed by law.

  • P.R.C. Criminal Law Amendment VII, [Article 253][14]
  • P.R.C. Tort Liability Law

Hong Kong[15]

  • Basic Law, Articles 29 & 30
  • Personal Data (Privacy) Ordinance[16]


  • The Information Technology Act[18]


  • Act on the Protection of Personal Information (JPIPA) [20]

Japan's Personal Information Protection Act (JPIPA) requires businesses to communicate their purpose in collecting and using personal information. They must also take reasonable steps to protect personal information from disclosure, unauthorized use or destruction.  The law outlines potential fines and punishments for organizations that do not comply. JPIPA was enacted in order to protect individuals’ rights and personal information while preserving the usefulness of information technology and personal information for legitimate purposes.

  • Act on the Protection of Personal Information Held by Administrative Organs[21]

The Act on the Protection of Personal Information Held by Administrative Organs (public sector/government) protects the rights and interests of individuals while achieving proper and smooth administrative management by providing for the basic matters concerning the handling of personal information in such organs. The law restricts the retention of personal information unless it is required for performing the duties required by law, and even then such retention must be specified prior to collection. Maintaining the accuracy, restrictive use, and security controls of personal information held by the Japanese government falls under this law. Additionally, notice must be given prior to any personal data being retained in a personal information file held by the government.


  • Personal Data Protection Act[22]

Macau's Personal Data Protection Act applies to the processing of personal data intended to form part of manual filing systems.  This law applies to video surveillance and other forms of capture, processing and dissemination of sound and images allowing persons to be identified.

Oversight: Office for Personal Data Protection[23]


  • Personal Data Protection Bill (PDP)


  • Law of Mongolia on Telecommunications[25]


  • Constitution: Bill of Rights, Sections 2, 3 & 7
  • Government Data Privacy Protection Act[27]


  • Model Data Protection Code[29]

Singapore has not yet enacted data protection/privacy legislation. However, a voluntary, industry-based self-regulatory model code exists, called the Model Data Protection Code. This code establishes minimum standards for electronic data protection based on 10 principles that give guidance on issues of use, collection, accuracy and dissemination of personal data. The Model Data Protection Code incorporates international standards of data protection regimes within its guidelines. Under this data protection regime, the flow of personal data to countries without adequate data protection schemes is restricted.[30] The code applies specifically to private sector organizations that collect and install personal data in electronic form, online or offline, using the Internet or any other electronic media.[31] While the Model Code is not a compulsory compliance requirement for businesses, it is useful for businesses that are expanding their international outsourcing activities.[32]

The Model Code was not intended to replace a comprehensive data protection/privacy law, but rather to be used as an interim measure until such legislation was enacted.

  • Electronic Transactions Act [33]

Oversight: Infocomm Development Authority of Singapore (IDA)[34]

South Korea[35]

  • Constitution, Articles 16, 17 & 18[36]

Article 16: All citizens are free from intrusion into their place of residence. In case of search or seizure in a residence, a warrant issued by a judge upon request of a prosecutor has to be presented.

Article 17: The privacy of no citizen may be infringed.

Article 18: The secrecy of correspondence of no citizen may be infringed.

  • Act on Promotion of Information and Communications Network Utilization and Data Protection[37] (Information Protection Act)

The Information Protection Act is a law that applies to the private sector.  However, this law only applies to the information and telecommunications industries that are providers of information and communications services (e.g. common carriers, Internet service providers, content providers, etc.). The Act also covers specific offline service providers (e.g. travel agencies, airlines, hotels, and educational institutes).

  • Act on the Protection of Personal Information Maintained by Public Agencies[38]

The Act on the Protection of Personal Information Maintained by Public Agencies was enacted to protect the rights and benefits of all citizens by the establishment of necessary guidelines concerning the protection of private information managed by computers of public agencies.

Sri Lanka[39]

  • Information and Communication Technology Act (ICTA)[40]
  • Electronic Transaction Act[41]


  • Constitution, Article 12[43]
  • Computer-Processed Personal Data Protection Law (CPPDPL)[44]


  • Constitution, Articles 34, 37 & 58
  • Official Information Act[46]


  • Electronic Transaction Bill[47]


  1. http://www.apec.org/apec/apec_groups/committee_on_trade/electronic_commerce.MedialibDownload.v1.html?url=/etc/medialib/apec_media_library/downloads/taskforce/ecsg/pubs/2005.Par.0001.File.v1.1
  2. http://www.oecd.org/document/18/0,3343,en_2649_34255_1815186_1_1_1_1,00.html
  3. http://www.apec.org/apec/enewsletter/mar_vol12/onlinenewsd.html
  4. http://www.privacyinternational.org/article.shtml?cmd[347]=x-347-559550
  5. http://www.oecd.org/document/18/0,3343,en_2649_34255_1815186_1_1_1_1,00.html
  6. http://www.privacyinternational.org/article.shtml?cmd[347]=x-347-559512
  7. http://www.legislation.govt.nz/act/public/1993/0028/latest/DLM296639.html
  8. http://www.oecd.org/document/18/0,3343,en_2649_34255_1815186_1_1_1_1,00.html
  9. http://www.privacy.org.nz/information-privacy-principles
  10. http://www.privacy.org.nz/privacy-act-summary/
  11. http://www.privacy.org.nz/
  12. http://www.privacyinternational.org/article.shtml?cmd[347]=x-347-559508
  13. http://english.people.com.cn/constitution/constitution.html
  14. http://www.npc.gov.cn/englishnpc/Law/Frameset-page6.html
  15. http://www.privacyinternational.org/article.shtml?cmd[347]=x-347-559532
  16. http://www.legislation.gov.hk/blis_pdf.nsf/6799165D2FEE3FA94825755E0033E532/B4DF8B4125C4214D482575EF000EC5FF/$FILE/CAP_486_e_b5.pdf
  17. http://www.privacyinternational.org/article.shtml?cmd[347]=x-347-559529
  18. http://www.dsci.in/images/stories/it_act_amendment_2008.pdf
  19. http://www.privacyinternational.org/article.shtml?cmd[347]=x-347-559524
  20. http://www.japaneselawtranslation.go.jp/law/detail/?id=130&vm=04&re=02
  21. http://www.japaneselawtranslation.go.jp/law/detail/?id=131&vm=04&re=02
  22. http://www.gpdp.gov.mo/cht/forms/lei-8-2005_en.pdf
  23. http://www.gpdp.gov.mo/en/?page=http://www.gpdp.gov.mo/en/news.html
  24. http://www.privacyinternational.org/article.shtml?cmd[347]=x-347-559517
  25. http://www.itu.int/ITU-D/treg/Legislation/Mongolia/Mongolia_law.htm
  26. http://www.privacyinternational.org/article.shtml?cmd[347]=x-347-559506
  27. http://www.senate.gov.ph/lisdata/72395832!.pdf
  28. http://www.privacyinternational.org/article.shtml?cmd[347]=x-347-559494
  29. http://www.wwlegal.com/module-subjects-viewpage-pageid-48.html
  30. http://www.trustsg.com.sg/downloads/Data_Protection_Code_v1.3.pdf
  31. http://www.ida.gov.sg/Policies%20and%20Regulation/20060627155443.aspx
  32. http://www.ida.gov.sg/Sector%20Development/20090319164535.aspx
  33. http://unpan1.un.org/intradoc/groups/public/documents/APCITY/UNPAN025623.pdf
  34. http://www.ida.gov.sg/home/index.aspx
  35. http://www.privacyinternational.org/article.shtml?cmd[347]=x-347-559490
  36. http://korea.assembly.go.kr/res/low_01_read.jsp?boardid=1000000035
  37. http://unpan1.un.org/intradoc/groups/public/documents/APCITY/UNPAN025694.pdf
  38. http://www.kca.go.kr/jsp/eng/info_02.jsp
  39. http://www.privacyinternational.org/article.shtml?cmd[347]=x-347-83781
  40. http://www.icta.lk/pdf/ICTA_Act(e).pdf
  41. http://www.icta.lk/pdf/ElectronicTransactionAct-Parliamentver(E).pdf
  42. http://www.privacyinternational.org/article.shtml?cmd[347]=x-347-559485
  43. http://www.taiwandocuments.org/constitution01.htm
  44. http://www.coe.int/t/e/legal_affairs/legal_co-operation/data_protection/documents/national%20laws/1Taiwan-CP-DPLaw.pdf
  45. http://www.privacyinternational.org/article.shtml?cmd[347]=x-347-559484
  46. http://www.ocpb.go.th/file_document/act_eng_40.pdf
  47. http://www.legco.gov.hk/yr98-99/english/bills/c179_e.htm


FindLaw Michelle, FindLaw Nira