Privacy & Data Protection Group Highlights Key Regulatory Developments Across Asia

Published on May 4, 2026

Privacy and online safety regulations are evolving rapidly across Asia—but what do those changes mean for businesses operating in the region?
That question framed a recent discussion hosted by WLG’s Privacy & Data Protection Group, where lawyers from India, Singapore, and Vietnam shared developments in their respective jurisdictions. Taken together, the updates pointed to a broader regional shift toward more detailed compliance obligations, expanded individual rights, and increased oversight of digital activity.

India: New Data Protection Framework Moves Toward Implementation

In India, Vijay Pal Dalmia of Vaish Associates provided an overview of the Digital Personal Data Protection Act (DPDP Act), which was notified in November 2025 and is expected to become fully effective following an 18-month implementation period. The law establishes a broad data protection framework that distinguishes among “data fiduciaries” (organizations that determine why and how personal data is processed), “significant data fiduciaries” (entities subject to heightened obligations based on the scale, sensitivity, or potential impact of their data processing), and “consent managers” (entities that help individuals manage and communicate consent preferences).

Vijay noted that significant data fiduciaries will be subject to additional requirements, including appointing a data protection officer, conducting annual impact assessments, and engaging independent auditors. He also addressed the Act’s detailed consent requirements, explaining that organizations must clearly identify the personal data being collected, explain the purpose of collection in plain language, and obtain consent specific to those stated purposes.

The breach notification regime is similarly prescriptive. Data breaches must be reported to both affected individuals and the Data Protection Board, India’s designated enforcement authority under the Act, within 72 hours of becoming aware of the breach, with supplemental updates permitted as investigations continue. Cross-border processing remains permissible under the framework, provided overseas processors maintain equivalent protection standards.

Singapore: New Online Safety Framework Broadens Individual Remedies

Turning to Singapore, Kylie Peh of WongPartnership addressed the country’s Online Safety Relief and Accountability Bill (OSRA), passed in November and expected to come into force this year. The legislation is intended to provide individuals with more accessible remedies for harmful online activity without requiring immediate court involvement.

To support that objective, the law establishes a new Online Safety Commission (OSC), a regulatory body empowered to receive complaints relating to 13 categories of online harm and issue directions aimed at stopping or reducing that harm. Those powers include restraining communications, blocking website access, and directing online platforms to remove accounts or content.

The legislation also creates new legal grounds for individuals to bring claims in relation to nine categories of online harm, giving them a clearer basis to pursue relief through the courts where appropriate. In certain circumstances, Kylie noted, the OSC may compel platforms to identify users behind anonymous accounts, enabling harmed individuals to pursue claims where the alleged wrongdoer’s identity would otherwise remain unknown. While implementation guidance is still pending, further enforcement detail is expected once the regime becomes operational.

Vietnam: New Standalone Data Protection Law Significantly Expands Compliance Obligations

Esko Cate of VILAF focused his update on Vietnam’s new standalone data protection law. The law took effect on January 1 and replaces the country’s prior decree-based framework.

He described the legislation as a substantial expansion of Vietnam’s privacy regime, introducing more detailed and prescriptive compliance requirements. The law applies beyond Vietnam’s borders, extending not only to businesses operating in Vietnam but also to foreign entities processing the personal data of Vietnamese citizens outside the country.

Vietnam’s framework distinguishes between general personal data and sensitive personal data, with the latter including financial information, biometrics, location data, criminal records, and certain behavioral data, such as information reflecting user habits or activity patterns. Esko observed that this may be particularly significant for social media and digital platform providers.

Consent remains central to the regime. Organizations must obtain affirmative opt-in consent and provide disclosures regarding the data collected, the purposes of processing, downstream processors, and data subject rights before obtaining that consent. He also addressed Vietnam’s filing-based compliance requirements, including formal impact assessment filings documenting how personal data is processed and protected, which may apply even to offshore entities processing Vietnamese personal data.

These filings require detailed supporting documentation, including data flow information and processing arrangements. Violations may result in penalties of up to 5% of the prior year’s profits, though no enforcement actions under the new law have yet been reported.

Regional Direction: Greater Oversight, More Detailed Compliance Expectations

While each jurisdiction’s approach differs, the discussion reflected a broader trend toward more prescriptive regulation of personal data and online activity. Across India, Singapore, and Vietnam, regulators are expanding individual protections while placing greater emphasis on transparency, accountability, and demonstrable compliance from businesses handling personal data or operating digital platforms.