8.2 Japan, South Korea & Singapore
Module 8: Privacy Laws in Asia-Pacific & Africa
Covers three of Asia's most developed data privacy regimes: Japan's APPI, South Korea's PIPA, and Singapore's PDPA — each with distinct features, enforcement histories, and international alignment.
Learning Material
Asia's Privacy Leaders: Japan, South Korea, and Singapore
Three nations in Asia have established some of the region's most rigorous and internationally respected data privacy frameworks: Japan, South Korea, and Singapore. Each takes a distinct approach — but all three have moved steadily toward stronger protections, higher penalties, and greater international interoperability.
Japan: Act on Protection of Personal Information (APPI)
Japan's APPI has been in force since 2005, but substantial revisions in 2017 and 2022 have brought it into modern alignment with international standards. The Personal Information Protection Commission (PPC) is the independent regulator.
Key features of the revised APPI (effective April 2022) include:
- Cross-border transfer restrictions: transfers to third countries now require the recipient to maintain equivalent protection, with the data subject informed of the destination country's privacy regime.
- Opt-out rights: individuals may opt out of third-party data sharing even where legitimate interest would otherwise apply.
- New rights and obligations: stricter breach notification obligations (to the PPC within 30 days of becoming aware), and rights to request deletion and suspension of use where privacy is being violated.
- Pseudonymously processed information: a new category allowing companies to use data for internal analysis without the same obligations, provided re-identification is prohibited.
Japan has been granted adequacy by the EU under GDPR, and participates in the APEC Cross-Border Privacy Rules (CBPR) system.
South Korea: Personal Information Protection Act (PIPA)
South Korea's PIPA is frequently cited as one of the strictest data protection regimes in Asia. Enforced by the Personal Information Protection Commission (PIPC), it has a strong history of enforcement, including significant fines against technology companies.
PIPA's standout features include:
- Extraterritorial scope: applies to overseas organisations that process data of Korean residents to provide goods or services.
- Sensitive data: special categories (health, biometric, criminal, political views, union membership) require explicit consent.
- Breach notification: mandatory notification to the PIPC and affected individuals within 72 hours.
- Right to data portability and stricter rules on automated decision-making.
- The Information and Communications Network Act (ICNA) supplements PIPA for online service providers.
Singapore: Personal Data Protection Act (PDPA)
Singapore's PDPA came into force in 2012 and was substantially amended in 2021. The Personal Data Protection Commission (PDPC) enforces it.
The 2021 amendments introduced:
- Mandatory breach notification: organisations must notify the PDPC within 3 business days of becoming aware of a notifiable data breach.
- Data portability: individuals can request their data be transferred directly to another organisation in a machine-readable format.
- Deemed consent: if a person voluntarily provides data for a clear purpose, deemed consent applies — reducing friction for low-risk processing.
- Increased fines: up to SGD 1 million or 10% of annual Singapore turnover.
Singapore is an active participant in the APEC CBPR system and ASEAN data governance frameworks.
Your takeaway
Japan, South Korea, and Singapore each have mature, internationally aligned privacy frameworks with real enforcement records. Organisations operating across Asia-Pacific cannot treat the region as a uniform, low-regulation environment — each jurisdiction demands careful compliance planning.