© 2025 TrustArc Inc. Proprietary and Confidential Information.
Navigating APAC Data Privacy Laws:
Compliance & Challenges
Legal Disclaimer
The information provided during this webinar does
not, and is not intended to, constitute legal advice.
Instead, all information, content, and materials presented during
this webinar are for general informational purposes only.
Speakers
Josh Lee Kok Thong
Managing Director, Asia-Pacific
Future of Privacy Forum
Joanne Furtsch
VP, Privacy Knowledge
TrustArc
Mark Smith
Senior Manager, Privacy & Data Policy
Centre for Information Policy
Leadership (CIPL)
Agenda
• Update on laws in the APAC region
• Regulator priorities
• Global CBPR Forum
• DOJ rules impact on data transfers
• Q&A
DATA PROTECTION IN APAC:
KEY PRIORITIES FOR 2025
TRUSTARC APAC LAWS WEBINAR
JOSH LEE KOK THONG
MANAGING DIRECTOR, APAC
FUTURE OF PRIVACY FORUM
fpf.org
ABOUT FPF
The Future of Privacy Forum (FPF) is a global
non-profit organization that brings together
academics, civil society, government officials,
and industry to evaluate the societal, policy,
and legal implications of data uses; identify
the risks; and develop appropriate
protections.
FPF Global Offices:
Washington, D.C.
Brussels
Singapore
Tel Aviv
FPF MEMBERS AND TEAM
FPF Workstreams
200
45+
20+
50+
Companies Civil Society
Academics Staff & Fellows
Ad Tech Digital Identity Open Banking
AI & Machine Learning Ethics Policymaker Education
AR/VR Global & Europe Research
Biometrics Health Smart Communities
De-Identification Mobility & Location Youth & Education
OVERVIEW: APAC’S DATA PROTECTION LANDSCAPE
JAPAN (2003)
HONG KONG (1996) / MACAU (2005)
TAIWAN (2015)
PHILIPPINES (2012)
BRUNEI (2025)
PAPUA NEW GUINEA
AUSTRALIA (1998)
NEW ZEALAND (1993) (Replaced in 2020)
SOUTH KOREA (2011)
MONGOLIA (2021)
CHINA (2021)
NEPAL
PAKISTAN
BANGLADESH
INDIA (2023)
SRI LANKA (2022)
THAILAND (2019)
CAMBODIA
LAOS (2017)
VIETNAM (2023)
TIMOR LESTE
MYANMAR
MALAYSIA (2010)
SINGAPORE (2012)
INDONESIA (2022)
Map legend: NO DRAFT LEGISLATION RELEASED TO DATE | DRAFT LEGISLATION RELEASED BUT NOT ENACTED | EXISTING LEGISLATION
*Map not to scale
| | China | Japan | South Korea | Malaysia | Philippines | Singapore | Thailand | Indonesia | Vietnam | Lao PDR |
|---|---|---|---|---|---|---|---|---|---|---|
| Adequacy | No | Yes | Yes | Yes | Yes | Yes | Yes | Yes | No | No |
| Certification | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Possible | No | No |
| Consent | No | Yes | Yes | Yes | Yes | Yes | Yes | Yes | No | Yes |
| Filing a security assessment with the regulator | Yes | No | No | No | No | No | No | No | Yes | No |
| Necessity for performance of a contract with the data subject | No | No | Yes | Yes | Yes | Yes | Yes | No | No | No |
| Other necessity | No | Yes | No | Yes | Yes | Yes | Yes (similar to GDPR) | No | No | No |
NAVIGATING CROSS-BORDER DATA TRANSFERS IN APAC
Identifies key priorities for 10 APAC data protection
authorities (DPAs), based on key strategic documents,
recent regulatory actions, and enforcement activities.
AUSTRALIA
CHINA
JAPAN
HONG KONG SAR
MALAYSIA
NEW ZEALAND
THE PHILIPPINES
SOUTH KOREA
SINGAPORE
THAILAND
REPORT: APAC DPA STRATEGIES, 2024 AND BEYOND
CYBERSECURITY AND DATA BREACH RESPONSE: 90% of DPAs prioritized combating cyber threats and enhancing breach response.
CROSS-BORDER DATA TRANSFERS: 80% of the DPAs prioritized facilitating secure international data flows.
AI GOVERNANCE AND REGULATION: 70% of the DPAs emphasized addressing the privacy implications of AI technologies, especially generative AI.
REGULATING USE OF BIOMETRIC DATA: 60% of the DPAs prioritized regulating the use of biometric data and facial recognition technology.
PROTECTING CHILDREN’S PERSONAL DATA: 50% of the DPAs highlighted children's privacy safeguards.
REPORT: APAC DPA STRATEGIES, 2024 AND BEYOND
KEY TRENDS
● Rise of AI, IoT, and cloud computing increasing attack
surfaces.
● Mandatory breach notifications are established in many
jurisdictions (Australia, Singapore) but expanding in
others (Malaysia).
● A major concern across APAC, but actual enforcement
varies:
○ Singapore and South Korea impose major fines.
○ Japan takes a graduated, advisory approach.
ACTIONS FOR ORGANISATIONS
● Conduct regular security assessments.
● Strengthen governance frameworks.
● Implement clear breach response plans.
PRIORITY 1: CYBERSECURITY AND DATA BREACHES
PRIORITY 2: CROSS BORDER DATA TRANSFERS
KEY TRENDS
● Data flows are critical for cloud computing, AI, and global
business.
● China and Thailand focusing on implementation. Rapid
progress.
● Mature jurisdictions, like Japan and Singapore, promoting
regional and global interoperability.
ACTIONS FOR ORGANISATIONS
● Adopt risk-based compliance frameworks.
● Leverage transfer mechanisms (ASEAN MCCs, Global
CBPR).
● Build adaptable governance structures.
PRIORITY 3: AI GOVERNANCE AND REGULATION
KEY TRENDS
● Generally, “soft law” (e.g., Singapore’s Model Generative
AI Governance Framework).
● However, South Korea’s Basic AI Act signals a shift
toward direct regulation.
○ China has binding regulations and is looking to enact
a comprehensive law.
○ Japan moving towards direct regulation.
○ Australia considering regulation for high-risk AI.
● Regulatory responses to DeepSeek highlight
regulatory and geopolitical concerns.
ACTIONS FOR ORGANISATIONS
● Implement risk-based AI impact assessments.
● Ensure transparency and documentation in AI models.
● Monitor evolving APAC AI policies.
PRIORITY 4: BIOMETRICS AND FACIAL RECOGNITION
KEY TRENDS
● Some jurisdictions introducing biometric-specific rules.
○ New Zealand
■ Dedicated biometrics code
■ Proportionality assessments
■ Enhanced transparency
○ Japan
■ Guidance on facial recognition
■ Possible amendments to strengthen protections
ACTIONS FOR ORGANISATIONS
● Conduct biometric privacy impact assessments.
● Strengthen consent and security measures.
● Ensure compliance with local frameworks.
PRIORITY 5: PROTECTING CHILDREN’S PERSONAL DATA
KEY TRENDS
● Digital native youth.
● New Zealand, Singapore, and Philippines advancing
guidance.
● China: Unique approach with comprehensive regulations
(2024).
● Australia working on a Children’s Privacy Code. Strict age
verification requirements for social media (16+) likely to be
influential in APAC.
ACTIONS FOR ORGANISATIONS
● Implement privacy-preserving age verification.
● Design child-friendly privacy notices.
● Minimize data collection for youth services.
BALANCING INNOVATION AND DATA PROTECTION
TECHNICAL MEASURES
• Having a clear data inventory, so that you know
what data the organisation is processing, for what
purpose
• Conducting risk assessments to understand legal,
reputation or financial risks these data types carry
• Effective protection controls corresponding to risk
levels
CULTURE
• Striking the balance starts from the top – a culture
that sees innovation and protection as mutually
reinforcing and mutually important
ORGANISATIONAL POLICIES
• Clear and consistent policies across the organisation
on how to use data responsibly
• Appropriate and sufficient training so policies are
understood in proper context by all employees, and
employees can act in line with organizational policies
• Evaluating and assessing to adjust to new business
needs
STAKEHOLDERS
CORPORATE CORPORATE
OPERATIONS
TECHNICAL
PRIVACY-ENHANCING TECH
• Considering the use of PETs – a broad set of
emerging techniques / tools / approaches,
primarily based on cryptographic techniques and
structural changes to data processing, with the
aim of enhancing and / or preserving privacy
POLICY
WORKSHOP
AI GOVERNANCE AND
REGULATION
More AI governance and
possible new AI laws
(Japan, Australia).
CROSS-BORDER DATA
TRANSFERS
Increasing cross-border
data flow fragmentation.
IMPLEMENTATION OF
DATA PROTECTION
FRAMEWORKS
Implementation of data
protection laws in India,
Indonesia, Malaysia.
Possible amendments in
Australia and Hong Kong.
YOUTH PROTECTION
Growing focus on the
intersection between
protecting children’s privacy
and online safety.
PREDICTIONS FOR 2025
THANK YOU
Josh Lee Kok Thong
jlee@fpf.org
fpf.org
@futureofprivacy
Navigating APAC Data Privacy
Laws: Compliance & Challenges
June 26, 2025
Partner of business leaders, regulators, and policy makers developing solutions for
responsible and beneficial data use
Global Data & Privacy Policy Think & Do Tank
85+
Member
companies
30+
Papers, projects
and initiatives
50+
Events annually
20+
Years of trusted
experience
We
SHAPE
the future of data policy
and strategy
We
CREATE
innovative solutions and
elevate best practices
We
INFORM
via publications, member
events, and public fora
We
CONNECT
global industry and
government leaders
BRIDGING PRIVACY AND DATA-DRIVEN INNOVATION | BRIDGING INDUSTRY & REGULATORS | BRIDGING REGIONS
2200 Pennsylvania Ave NW
Washington, DC 20037
Avenue des Arts 47-49
1000 Brussels, Belgium
30 St Mary Axe
London EC3A 8EP
ABOUT US
Trusted partners and digital diplomats:
• Anticipating policy and regulatory challenges and
opportunities
• Advancing accountability and best practices for
strategic and innovative use of data
• Facilitating knowledge sharing and dialogue among
stakeholders since 2001
• Based in London, Brussels and Washington, DC
• Founded by industry leaders and Hunton
www.informationpolicycentre.com
Global CBPR and Global PRP
▪ CROSS-BORDER PRIVACY RULES (CBPR)
▪ PRIVACY RECOGNITION FOR PROCESSORS (PRP)
• Developed by APEC in 2011 (CBPR) and 2015 (PRP)
• Operationalize Privacy Principles
DATA TRANSFER MECHANISMS AND
PRIVACY COMPLIANCE PROGRAMS
What are Global CBPR & Global PRP?
▪ Established in 2022
▪ Includes all nine members of the APEC CBPR System: Australia,
Canada, Japan, Republic of Korea, Mexico, Philippines,
Singapore, Chinese Taipei, and the United States
▪ Enables other, non-APEC countries to join
▪ Associates: Bermuda, DIFC, Mauritius, United Kingdom
▪ Officially launched June 2025
AT A GLANCE
Global CBPR & Global PRP Systems
The GLOBAL CBPR AND GLOBAL PRP SYSTEMS are certified compliance programs that
facilitate trusted personal information flows from and between participating jurisdictions
and organizations.
Certifications ensure that organizations have implemented practical measures — called
PROGRAM REQUIREMENTS — that fulfill overarching data protection and privacy
principles.
The GLOBAL CBPR FORUM is a group of jurisdictions with administrative, operational,
and oversight functions with respect to the Global CBPR and Global PRP Systems.
Participation by JURISDICTIONS forms the foundation of the Global CBPR and Global
PRP Systems. Jurisdictions may apply for Forum membership by accepting the principles
and objectives of the Global CBPR Declaration and Framework and demonstrating how
their domestic legal system enables enforcement of the Program Requirements or
recognize the Systems under their domestic legal system.
AT A GLANCE
Global CBPR & Global PRP Systems
Domestic laws and regulations provide participating jurisdictions with the legal basis for
enforcing the Systems. A participating jurisdiction must have at least one PRIVACY
ENFORCEMENT AUTHORITY (PEA). The PEA, in turn, joins the Global Cooperation Arrangement
for Privacy Enforcement (Global CAPE), which facilitates enforcement cooperation among PEAs.
A participating jurisdiction must identify, and the Forum must recognize, a third-party
certification body — known as an ACCOUNTABILITY AGENT — which assesses whether an
applicant organization may be certified as satisfying the Program Requirements of the Global
CBPR or Global PRP Systems.
An ORGANIZATION “primarily located” in a participating jurisdiction may seek certification from
an Accountability Agent recognized in that jurisdiction, starting with a self-assessment of its
policies and practices against the applicable Program Requirements. The Accountability Agent
evaluates the self-assessment and assists the company to come into compliance. Certifications
are subject to annual attestation and re-certification.
The Global CBPR and Global PRP Systems provide complaint and dispute resolution
mechanisms for CONSUMERS that might otherwise not be available.
CERTIFICATION PROCESS
How do the Global CBPR/Global PRP Systems work?
[Diagram labels: COMPANY; APPLY; ACCOUNTABILITY AGENT; ASSESS POLICIES & PRACTICES; CBPR/PRP PROGRAM REQUIREMENTS; CERTIFICATION; DPA (DATA PROTECTION AUTHORITY); ENFORCEMENT; DATA PROTECTION LAW; ALIGNMENT/ENFORCEABILITY]
GENERAL BENEFITS
Global CBPR & Global PRP Systems
▪ Voluntary Implementation: Organizations choose to implement these standards
voluntarily, allowing flexibility in adoption.
▪ Enforceable Standards: They provide enforceable data protection and privacy
standards endorsed by multiple jurisdictions.
▪ Flexible Application: These programs can be tailored to fit different
organizational needs and jurisdictions.
▪ Multilateral Recognition: Certifications are recognized across participating
jurisdictions, facilitating seamless data transfers.
▪ Accountability-Based Structure: Ensures that organizations are accountable
for maintaining compliance with privacy principles.
▪ Co-existence with Other Transfer Mechanisms: They can be used alongside
other data transfer mechanisms, providing more options for organizations
ADDITIONAL BENEFITS
Global CBPR & Global PRP Systems
BENEFITS FOR JURISDICTIONS
∙ Trusted Data Flows: Facilitates secure and trusted data flows, boosting the economy and
enabling innovation.
∙ Improved Enforcement Actions: Enhances the ability of jurisdictions to enforce data
protection laws effectively
BENEFITS FOR BUSINESSES
∙ Compliance Facilitation: Helps businesses comply with international data protection laws.
∙ Trustmark for Data Transfer: Acts as a mark of trust for secure data transfers across
borders.
∙ Support for SMEs: Provides small and medium enterprises (SMEs) with guidelines to
implement effective data protection practices
BENEFITS FOR CONSUMERS
∙ Enhanced Data Protection: Ensures stronger data protection and privacy measures.
∙ Complaint Mechanisms: Provides consumers with mechanisms to lodge complaints and
resolve disputes
DOJ Bulk Transfers Rule
• Implements Executive Order 14117 of February 28, 2024 (Preventing Access to
Americans' Bulk Sensitive Personal Data and United States Government-Related Data
by Countries of Concern)
• Designed to restrict access to “U.S. Sensitive Personal Data” (SPD) and
“Government-Related Data” (GRD) when access would pose an unacceptable risk to
U.S. national security
• Published Jan. 8, 2025 (90 FR 1636)
• Entered into effect April 8, 2025
• Three-month enforcement reprieve until July 8, 2025
• Due diligence, audit, and reporting obligations take effect Oct. 6, 2025
• Compliance Guide, FAQs, Implementation & Enforcement Policy issued April 11,
2025
90 FR 1636
DOJ Bulk Transfers Rule
• Prohibits or restricts U.S. persons from engaging in certain covered data
transactions that could result in access to bulk SPD or any GRD by a country of
concern or a covered person
KEY TERMS
DOJ Bulk Transfers Rule
• U.S. Person
• Covered Data Transaction
• Covered Person
• Country of Concern
COVERED DATA TRANSACTIONS
DOJ Bulk Transfers Rule
Data Brokerage
Investment Agreements
Employment Agreements
Access to Bulk Human ‘Omic Data
PROHIBITED TRANSACTIONS RESTRICTED TRANSACTIONS
Vendor Agreements
The Rule prohibits or restricts “covered data transactions” that could provide “access” to bulk SPD or
GRD to a country of concern or a covered person
The term “access” under the rule is broadly defined.
DATA TYPES
DOJ Bulk Transfers Rule
GOVERNMENT-RELATED DATA
• Certain precise geolocation data
• Any sensitive personal data (regardless of volume) that a transaction party markets as linked or linkable to current or recent former employees or contractors, or former senior officials, of the U.S. government, including the military and intelligence community
SENSITIVE PERSONAL DATA
• Covered personal identifiers
• Precise geolocation data
• Biometric identifiers
• Human ‘omic data
• Personal health data
• Personal financial data
BULK THRESHOLDS
DOJ Bulk Transfers Rule
| DATA TYPE | BULK THRESHOLD |
|---|---|
| Human ‘omic data | > 100 U.S. persons (human genomic data); > 1,000 U.S. persons (all other human ‘omic data) |
| Biometric identifiers | > 1,000 U.S. persons |
| Precise geolocation data | > 1,000 U.S. persons or devices |
| Personal health data | > 10,000 U.S. persons |
| Personal financial data | > 10,000 U.S. persons |
| Covered personal identifiers | > 100,000 U.S. persons |
INTERNATIONAL AGREEMENTS
DOJ Bulk Transfers Rule
“The … exemption contained in § 202.507(a) for sharing data pursuant to
international agreements would not allow for the sharing of government-related
data or bulk U.S. sensitive personal data with a country of concern ….
“As explained in the NPRM, digital-trade agreements and arrangements that
merely facilitate international commercial data flows—such as the Global
Cross-Border Privacy Rules and Global Privacy Recognition for Processors
Systems of the Global Cross-Border Privacy Rules Forum …—are outside the
scope of the exemption for international agreements.
“As the NPRM explained, these arrangements consist of frameworks for
coordinating national regulatory measures, prohibit data localization, and do not
facilitate the sharing of data between the United States and a country of concern.”
90 FR at 1680
Thank You
Mark Smith
Senior Manager, Privacy & Data Policy
CIPL
msmith@hunton.com
Centre for Information Policy Leadership
www.informationpolicycentre.com
Hunton Andrews Kurth Privacy and Information Security Law Blog
www.huntonprivacyblog.com
Follow us
LinkedIn: https://www.linkedin.com/showcase/centre-for-information-policy-leadership/
X: https://twitter.com/the_CIPL
@the_cipl
Thank You!

TrustArc Webinar - Navigating APAC Data Privacy Laws: Compliance & Challenges

  • 1.
    © 2025 TrustArcInc. Proprietary and Confidential Information. Navigating APAC Data Privacy Laws: Compliance & Challenges
  • 2.
    2 Legal Disclaimer The informationprovided during this webinar does not, and is not intended to, constitute legal advice. Instead, all information, content, and materials presented during this webinar are for general informational purposes only.
  • 3.
    3 Speakers Josh Lee KokThong Managing Director, Asia-Pacific Future of Privacy Forum Joanne Furtsch VP, Privacy Knowledge TrustArc Mark Smith Senior Manager, Privacy & Data Policy Centre for Information Policy Leadership (CIPL)
  • 4.
    Agenda • Update onlaws in the APAC region • Regulator priorities • Global CBPR Forum • DOJ rules impact on data transfers • Q&A
  • 5.
    DATA PROTECTION INAPAC: KEY PRIORITIES FOR 2025 TRUSTARC APAC LAWS WEBINAR JOSH LEE KOK THONG MANAGING DIRECTOR, APAC FUTURE OF PRIVACY FORUM
  • 6.
    fpf.org ABOUT FPF The Futureof Privacy Forum (FPF) is a global non-profit organization that brings together academics, civil society, government officials, and industry to evaluate the societal, policy, and legal implications of data uses; identify the risks; and develop appropriate protections. FPF Global Offices: Washington, D.C. Brussels Singapore Tel Aviv fpf.or g
  • 7.
    fpf.org FPF MEMBERS ANDTEAM FPF Workstreams 200 45+ 20+ 50+ Companies Civil Society Academics Staff & Fellows Ad Tech Digital Identity Open Banking AI & Machine Learning Ethics Policymaker Education AR/VR Global & Europe Research Biometrics Health Smart Communities De-Identification Mobility & Location Youth & Education fpf.or g
  • 8.
    OVERVIEW: APAC’S DATAPROTECTION LANDSCAPE fpf.or g fpf.or g JAPAN (2003) HONG KONG (1996) / MACAU (2005) TAIWAN (2015) PHILIPPINES (2012) BRUNEI (2025) PAPUA NEW GUINEA AUSTRALIA (1998) NEW ZEALAND (1993) (Replaced in 2020) SOUTH KOREA (2011) MONGOLIA (2021) CHINA (2021) NEPAL PAKISTAN BANGLADESH INDIA (2023) SRI LANKA (2022) THAILAND (2019) CAMBODIA LAOS (2017) VIETNAM (2023) TIMOR LESTE MYANMAR MALAYSIA (2010) SINGAPORE (2012) INDONESIA (2022) NO DRAFT LEGISLATION RELEASED TO DATE DRAFT LEGISLATION RELEASED BUT NOT ENACTED EXISTING LEGISLATION *Map not to scale
  • 9.
    fpf.org China Japan SouthKorea Malaysia Philippines Singapore Thailand Indonesia Vietnam Lao PDR Adequacy No Yes Yes Yes Yes Yes Yes Yes No No Certification Yes Yes Yes Yes Yes Yes Yes Possible No No Consent No Yes Yes Yes Yes Yes Yes Yes No Yes Filing a security assessment with the regulator Yes No No No No No No No Yes No Necessity for performance of a contract with the data subject No No Yes Yes Yes Yes Yes No No No Other necessity No Yes No Yes Yes Yes Yes (similar to GDPR) No No No NAVIGATING CROSS-BORDER DATA TRANSFERS IN APAC
  • 10.
    Identifies key prioritiesfor 10 APAC data protection authorities (DPAs), based on key strategic documents, recent regulatory actions, and enforcement activities. fpf.org AUSTRALIA CHINA JAPAN HONG KONG SAR MALAYSIA NEW ZEALAND THE PHILIPPINES SOUTH KOREA SINGAPORE THAILAND REPORT: APAC DPA STRATEGIES, 2024 AND BEYOND fpf.or g
  • 11.
    CYBERSECURITY AND DATA BREACH RESPONSE CROSS-BORDERDATA TRANSFERS AI GOVERNANCE AND REGULATION REGULATING USE OF BIOMETRIC DATA PROTECTING CHILDREN’S PERSONAL DATA 90% of DPAs prioritized combating cyber threats and enhancing breach response. 80% of the DPAs prioritized facilitating secure international data flows. 70% of the DPAs emphasized addressing the privacy implications of AI technologies, especially generative AI. 60% of the DPAs prioritized regulating the use of biometric data and facial recognition technology. 50% of the DPAs highlighted children's privacy safeguards. fpf.org fpf.org REPORT: APAC DPA STRATEGIES, 2024 AND BEYOND fpf.or g
  • 12.
    KEY TRENDS ● Riseof AI, IoT, and cloud computing increasing attack surfaces. ● Mandatory breach notifications are established in many jurisdictions (Australia, Singapore) but expanding in others (Malaysia). ● A major concern across APAC, but actual enforcement varies: ○ Singapore and South Korea impose major fines. ○ Japan takes a graduated, advisory approach. ACTIONS FOR ORGANISATIONS ● Conduct regular security assessments. ● Strengthen governance frameworks. ● Implement clear breach response plans. fpf.org fpf.or g PRIORITY 1: CYBERSECURITY AND DATA BREACHES
  • 13.
    fpf.org fpf.or g PRIORITY 2: CROSSBORDER DATA TRANSFERS KEY TRENDS ● Data flows are critical for cloud computing, AI, and global business. ● China and Thailand focusing on implementation. Rapid progress. ● Mature jurisdictions, like Japan and Singapore, promoting regional and global interoperability. ACTIONS FOR ORGANISATIONS ● Adopt risk-based compliance frameworks. ● Leverage transfer mechanisms (ASEAN MCCs, Global CBPR). ● Build adaptable governance structures.
  • 14.
    fpf.org fpf.or g PRIORITY 3: AIGOVERNANCE AND REGULATION KEY TRENDS ● Generally, “soft law” (e.g., Singapore’s Model Generative AI Governance Framework). ● However, South Korea’s Basic AI Act signals a shift toward direct regulation. ○ China has binding regulations and is looking to enact a comprehensive law. ○ Japan moving towards direct regulation. ○ Australia considering regulation for high-risk AI. ● Regulatory responses to DeepSeek highlight regulatory and geopolitical concerns. ACTIONS FOR ORGANISATIONS ● Implement risk-based AI impact assessments. ● Ensure transparency and documentation in AI models. ● Monitor evolving APAC AI policies.
  • 15.
    fpf.org fpf.or g PRIORITY 4: BIOMETRICSAND FACIAL RECOGNITION KEY TRENDS ● Some jurisdictions introducing biometric-specific rules. ○ New Zealand ■ Dedicated biometrics code ■ Proportionality assessments ■ Enhanced transparency ○ Japan ■ Guidance on facial recognition ■ Possible amendments to strengthen protections ACTIONS FOR ORGANISATIONS ● Conduct biometric privacy impact assessments. ● Strengthen consent and security measures. ● Ensure compliance with local frameworks.
  • 16.
    fpf.org fpf.or g PRIORITY 5: PROTECTINGCHILDREN’S PERSONAL DATA KEY TRENDS ● Digital native youth. ● New Zealand, Singapore, and Philippines advancing guidance. ● China: Unique approach with comprehensive regulations (2024). ● Australia working on a Children’s Privacy Code. Strict age verification requirements for social media (16+) likely to be influential in APAC. ACTIONS FOR ORGANISATIONS ● Implement privacy-preserving age verification. ● Design child-friendly privacy notices. ● Minimize data collection for youth services.
  • 17.
    fpf.org fpf.or g BALANCING INNOVATION ANDDATA PROTECTION TECHNICAL MEASURES • Having a clear data inventory, so that you know what data the organisation is processing, for what purpose • Conducting risk assessments to understand legal, reputation or financial risks these data types carry • Effective protection controls corresponding to risk levels CULTURE • Striking the balance starts from the top – a culture that sees innovation and protection as mutually reinforcing and mutually important ORGANISATIONAL POLICIES • Clear and consistent policies across the organisation on how to use data responsibly • Appropriate and sufficient training so policies are understood in proper context by all employees, and employees can act in line with organizational policies • Evaluating and assessing to adjust to new business needs STAKEHOLDERS CORPORATE CORPORATE OPERATIONS TECHNICAL PRIVACY-ENHANCING TECH • Considering the use of PETs – a broad set of emerging techniques / tools / approaches, primarily based on cryptographic techniques and structural changes to data processing, with the aim of enhancing and / or preserving privacy POLICY
  • 18.
    WORKSHOP fpf.org AI GOVERNANCE AND REGULATION MoreAI governance and possible new AI laws (Japan, Australia). CROSS-BORDER DATA TRANSFERS Increasing cross-border data flow fragmentation. IMPLEMENTATION OF DATA PROTECTION FRAMEWORKS Implementation of data protection laws in India, Indonesia, Malaysia. Possible amendments in Australia and Hong Kong. YOUTH PROTECTION Growing focus on the intersection between protecting children’s privacy and online safety. PREDICTIONS FOR 2025 fpf.or g
  • 19.
    THANK YOU Josh LeeKok Thong jlee@fpf.org fpf.org @futureofprivacy
  • 20.
    Add a footer20 Navigating APAC Data Privacy Laws: Compliance & Challenges June 26, 2025
  • 21.
    21 Partner of businessleaders, regulators, and policy makers developing solutions for responsible and beneficial data use Global Data & Privacy Policy Think & Do Tank 85+ Member companies 30+ Papers, projects and initiatives 50+ Events annually 20+ Years of trusted experience We SHAPE the future of data policy and strategy We CREATE innovative solutions and elevate best practices We INFORM via publications, member events, and public fora We CONNECT global industry and government leaders BRIDGING PRIVACY AND DATA-DRIVEN INNOVATION | BRIDGING INDUSTRY & REGULATORS | BRIDGING REGIONS 2200 Pennsylvania Ave NW Washington, DC 20037 Avenue des Arts 47-49 1000 Brussels, Belgium 30 St Mary Axe London EC3A 8EP ABOUT US Trusted partners and digital diplomats: • Anticipating policy and regulatory challenges and opportunities • Advancing accountability and best practices for strategic and innovative use of data • Facilitating knowledge sharing and dialogue among stakeholders since 2001 • Based in London, Brussels and Washington, DC • Founded by industry leaders and Hunton www.informationpolicycentre.com
  • 22.
    Add a footer22 Global CBPR and Global PRP
  • 23.
    23 ▪ CROSS-BORDER PRIVACYRULES (CBPR) ▪ PRIVACY RECOGNITION FOR PROCESSORS (PRP) • Developed by APEC in 2011 (CBPR) and 2015 (PRP) • Operationalize Privacy Principles DATA TRANSFER MECHANISMS AND PRIVACY COMPLIANCE PROGRAMS What are Global CBPR & Global PRP? ▪ Established in 2022 ▪ Includes all nine members of the APEC CBPR System: Australia, Canada, Japan, Republic of Korea, Mexico, Philippines, Singapore, Chinese Taipei, and the United States ▪ Enables other, non-APEC countries to join ▪ Associates: Bermuda, DIFC, Mauritius, United Kingdom ▪ Officially launched June 2025
  • 24.
    Add a footer24 AT A GLANCE Global CBPR & Global PRP Systems The GLOBAL CBPR AND GLOBAL PRP SYSTEMS are certified compliance programs that facilitate trusted personal information flows from and between participating jurisdictions and organizations. Certifications ensure that organizations have implemented practical measures — called PROGRAM REQUIREMENTS — that fulfill overarching data protection and privacy principles. The GLOBAL CBPR FORUM is a group of jurisdictions with administrative, operational, and oversight functions with respect to the Global CBPR and Global PRP Systems. Participation by JURISDICTIONS forms the foundation of the Global CBPR and Global PRP Systems. Jurisdictions may apply for Forum membership by accepting the principles and objectives of the Global CBPR Declaration and Framework and demonstrating how their domestic legal system enables enforcement of the Program Requirements or recognize the Systems under their domestic legal system.
  • 25.
    Add a footer25 AT A GLANCE Global CBPR & Global PRP Systems Domestic laws and regulations provide participating jurisdictions with the legal basis for enforcing the Systems. A participating jurisdiction must have at least one PRIVACY ENFORCEMENT AUTHORITY (PEA). The PEA, in turn, joins the Global Cooperation Arrangement for Privacy Enforcement (Global CAPE), which facilitates enforcement cooperation among PEAs. A participating jurisdiction must identify, and the Forum must recognize, a third-party certification body — known as an ACCOUNTABILITY AGENT — which assesses whether an applicant organization may be certified as satisfying the Program Requirements of the Global CBPR or Global PRP Systems. An ORGANIZATION “primarily located” in a participating jurisdiction may seek certification from an Accountability Agent recognized in that jurisdiction, starting with a self-assessment of its policies and practices against the applicable Program Requirements. The Accountability Agent evaluates the self-assessment and assists the company to come into compliance. Certifications are subject to annual attestation and re-certification. The Global CBPR and Global PRP Systems provide complaint and dispute resolution mechanisms for CONSUMERS that might otherwise not be available.
  • 26.
    26 CERTIFICATION PROCESS How dothe Global CBPR/Global PRP Systems work? APPLY COMPANY ACCOUNTABILIT Y AGENT ASSESS POLICIES & PRACTICES CBPR/PRP PROGRAM REQUIREMENTS DP A DATA PROTECTION AUTHORITY ENFORCEMENT DATA PROTECTION LAW ALIGNMENT/ ENFORCEABILITY CERTIFICATION
  • 27.
    Add a footer27 GENERAL BENEFITS Global CBPR & Global PRP Systems ▪ Voluntary Implementation: Organizations choose to implement these standards voluntarily, allowing flexibility in adoption. ▪ Enforceable Standards: They provide enforceable data protection and privacy standards endorsed by multiple jurisdictions. ▪ Flexible Application: These programs can be tailored to fit different organizational needs and jurisdictions. ▪ Multilateral Recognition: Certifications are recognized across participating jurisdictions, facilitating seamless data transfers. ▪ Accountability-Based Structure: Ensures that organizations are accountable for maintaining compliance with privacy principles. ▪ Co-existence with Other Transfer Mechanisms: They can be used alongside other data transfer mechanisms, providing more options for organizations
  • 28.
    Add a footer28 ADDITIONAL BENEFITS Global CBPR & Global PRP Systems BENEFITS FOR JURISDICTIONS ∙ Trusted Data Flows: Facilitates secure and trusted data flows, boosting the economy and enabling innovation. ∙ Improved Enforcement Actions: Enhances the ability of jurisdictions to enforce data protection laws effectively BENEFITS FOR BUSINESSES ∙ Compliance Facilitation: Helps businesses comply with international data protection laws. ∙ Trustmark for Data Transfer: Acts as a mark of trust for secure data transfers across borders. ∙ Support for SMEs: Provides small and medium enterprises (SMEs) with guidelines to implement effective data protection practices BENEFITS FOR CONSUMERS ∙ Enhanced Data Protection: Ensures stronger data protection and privacy measures. ∙ Complaint Mechanisms: Provides consumers with mechanisms to lodge complaints and resolve disputes
  • 29.
    DOJ Bulk Transfers Rule
  • 30.
    DOJ Bulk Transfers Rule
    • Implements Executive Order 14117 of February 28, 2024 (Preventing Access to Americans' Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern)
    • Designed to restrict access to “U.S. Sensitive Personal Data” (SPD) and “Government-Related Data” (GRD) when access would pose an unacceptable risk to U.S. national security
    • Published Jan. 8, 2025 (90 FR 1636)
    • Entered into effect April 8, 2025
    • Three-month enforcement reprieve until July 8, 2025
    • Due diligence, audit, and reporting obligations take effect Oct. 6, 2025
    • Compliance Guide, FAQs, Implementation & Enforcement Policy issued April 11, 2025
    90 FR 1636
  • 31.
    KEY TERMS
    DOJ Bulk Transfers Rule
    • Prohibits or restricts U.S. persons from engaging in certain covered data transactions that could result in access to bulk SPD or any GRD by a country of concern or a covered person
    Key terms: U.S. Person; Covered Data Transaction; Covered Person; Country of Concern
  • 32.
    COVERED DATA TRANSACTIONS
    DOJ Bulk Transfers Rule
    The Rule prohibits or restricts “covered data transactions” that could provide “access” to bulk SPD or GRD to a country of concern or a covered person. The term “access” under the rule is broadly defined.
    [Diagram labels: Prohibited Transactions; Restricted Transactions; Data Brokerage; Investment Agreements; Employment Agreements; Access to Bulk Human ‘Omic Data; Vendor Agreements]
  • 33.
    DATA TYPES
    DOJ Bulk Transfers Rule
    GOVERNMENT-RELATED DATA
    • Certain precise geolocation data
    • Any sensitive personal data (regardless of volume) that a transaction party markets as linked or linkable to current or recent former employees or contractors, or former senior officials, of the U.S. government, including the military and intelligence community
    SENSITIVE PERSONAL DATA
    • Covered personal identifiers
    • Precise geolocation data
    • Biometric identifiers
    • Human ‘omic data
    • Personal health data
    • Personal financial data
  • 34.
    BULK THRESHOLDS
    DOJ Bulk Transfers Rule
    DATA TYPE: BULK THRESHOLD
    • Human ‘omic data: > 100 U.S. persons (human genomic data); > 1,000 U.S. persons (all other human ‘omic data)
    • Biometric identifiers: > 1,000 U.S. persons
    • Precise geolocation data: > 1,000 U.S. persons or devices
    • Personal health data: > 10,000 U.S. persons
    • Personal financial data: > 10,000 U.S. persons
    • Covered personal identifiers: > 100,000 U.S. persons
  • 35.
    INTERNATIONAL AGREEMENTS
    DOJ Bulk Transfers Rule
    “The … exemption contained in § 202.507(a) for sharing data pursuant to international agreements would not allow for the sharing of government-related data or bulk U.S. sensitive personal data with a country of concern ….
    “As explained in the NPRM, digital-trade agreements and arrangements that merely facilitate international commercial data flows—such as the Global Cross-Border Privacy Rules and Global Privacy Recognition for Processors Systems of the Global Cross-Border Privacy Rules Forum …—are outside the scope of the exemption for international agreements.
    “As the NPRM explained, these arrangements consist of frameworks for coordinating national regulatory measures, prohibit data localization, and do not facilitate the sharing of data between the United States and a country of concern.”
    90 FR at 1680
  • 36.
    Thank You
    Mark Smith
    Senior Manager, Privacy & Data Policy, CIPL
    msmith@hunton.com
    Centre for Information Policy Leadership: www.informationpolicycentre.com
    Hunton Andrews Kurth Privacy and Information Security Law Blog: www.huntonprivacyblog.com
    Follow us
    LinkedIn: https://www.linkedin.com/showcase/centre-for-information-policy-leadership/
    X: https://twitter.com/the_CIPL (@the_cipl)
  • 37.