Data and AI Regulations

A concise overview of principles, rights and compliance requirements of key regulations on data and AI.

Summary:

The General Data Protection Regulation (GDPR) is the European Union's (EU) comprehensive privacy and data security law. It applies to organizations established in the EU and to organizations anywhere in the world that offer goods or services to people in the EU or monitor their behaviour. Adopted in 2016 and applicable since May 25, 2018, the regulation places control of personal data with the individual (the "data subject"), granting rights such as access, rectification, erasure (the "right to be forgotten"), restriction of processing, data portability and objection. It requires that personal data be processed lawfully, fairly and transparently, collected only for specified purposes (purpose limitation) and limited to what those purposes need (data minimisation), and it backs these obligations with a two-tier penalty structure under which the most serious infringements can be fined up to €20 million or 4% of worldwide annual turnover, whichever is higher. Its breadth and extraterritorial reach have made it the reference point, the "gold standard", against which other data protection laws are measured.

Summary:

Singapore's Personal Data Protection Act 2012 (PDPA) is a comprehensive data protection framework, enacted in 2012 and phased in during 2013 and 2014, that governs the collection, use and disclosure of personal data by private-sector organizations (public agencies are governed separately). Grounded in a standard of reasonableness, what a reasonable person would consider appropriate in the circumstances, the Act balances an individual's right to protect their personal data against an organization's need to use such data for legitimate purposes. Organizations must meet a set of data protection obligations, including obtaining consent, notifying individuals of the purposes of collection, limiting collection and use to those purposes, keeping data accurate and protected by reasonable security arrangements, ceasing retention once the purpose has been served, and ensuring comparable protection for data transferred overseas. The Act also establishes the Do Not Call (DNC) Registry, which regulates telemarketing messages sent to Singapore telephone numbers. Amendments in 2020 added a mandatory data breach notification obligation and raised the maximum financial penalty to 10% of annual turnover in Singapore for larger organizations. Enforced by the Personal Data Protection Commission (PDPC), the PDPA is intended to foster consumer trust and strengthen Singapore's position as a trusted hub for data flows and innovation.

Summary:

Malaysia's Personal Data Protection Act 2010 (PDPA) protects personal data processed in commercial transactions; federal and state government bodies are outside its scope. In force since November 2013 and significantly updated by the Personal Data Protection (Amendment) Act 2024, the law governs how organizations (now termed "data controllers" rather than "data users") collect, use and process personal data in line with seven principles: General (consent), Notice and Choice, Disclosure, Security, Retention, Data Integrity and Access. The 2024 amendments bring the Act closer to international standards such as the GDPR by introducing mandatory data breach notification to the Commissioner and, where significant harm is likely, to affected individuals; mandatory appointment of Data Protection Officers (DPOs); a right to data portability; direct security obligations on data processors; and heavier penalties for non-compliance, all aimed at strengthening consumer confidence in the digital economy.

Summary:

Thailand's Personal Data Protection Act B.E. 2562 (2019) (PDPA), fully in force since June 1, 2022, is the country's first consolidated data privacy law and is modelled closely on the GDPR. It regulates how data controllers and data processors handle personal data, requiring consent unless another lawful basis applies (for example, performance of a contract, a legal obligation, vital interests, a public task or legitimate interests), and grants individuals rights including access, rectification, erasure, restriction, objection, data portability and withdrawal of consent. The Act applies extraterritorially to foreign controllers and processors that offer goods or services to, or monitor the behaviour of, individuals in Thailand. It carries a three-tier penalty regime: administrative fines, criminal penalties (including imprisonment) for unlawful use or disclosure of sensitive personal data, and civil liability including punitive damages of up to twice the actual damages. The law is overseen by the Personal Data Protection Committee (PDPC).