Data Protection Laws in Southeast Asia: Overview by Country (2024)

TMO Group, July 18, 2024

As Southeast Asia’s eCommerce market continues to exhibit huge consumption potential and rapid growth, many foreign brands are seeking to expand their eCommerce presence in the main markets of Indonesia, Thailand, the Philippines, Vietnam, and Malaysia.

For brands conducting business through third-party marketplaces like Shopee and Lazada, it might be relatively easier to abide by local regulations as they can rely on the respective platforms’ policies. On the other hand, companies establishing self-operated branded eCommerce stores face significant compliance challenges when operating their own cross-border eCommerce platforms.

Especially when it comes to regulations on the direct collection and processing of user data, Southeast Asian countries each have their own particularities, and brands need to ensure compliance throughout their full operation in order to avoid legal liability and penalties. In this article, we will give you an overview of the key compliance points in each country so you can reduce legal risks and operate smoothly.

TMO has rich experience in helping global brands enter Southeast Asia with full compliance and strategies tailored to different business models.

Indonesia’s PDPL: Comply to avoid harsh penalties

As the largest economy in Southeast Asia, Indonesia is extremely attractive to foreign brands. However, with that comes strict requirements for personal data protection. Article 28G (1) of the 1945 Indonesian Constitution stipulates that everyone has the right to protect his or her person, family, respect, dignity, and property under his or her control. In addition, the 2016 amendment to the Electronic Information and Transactions Law stipulates that the use of any information involving personal data through electronic media requires the consent of the person concerned.

Based on the previous legal documents, the Indonesian government promulgated the Personal Data Protection Law (PDPL) in 2022, which applies to personal data processed by electronic and non-electronic means (including data in cross-border eCommerce transactions). It is worth noting that Indonesian regulations have relatively severe penalties for violations of data protection regulations, including high fines and imprisonment—such as illegal disclosure of personal data of others, a prison sentence of not more than four years, and/or a fine of up to 400 million rupiah (about US $254,655).

It can be seen that for eCommerce companies operating in the Indonesian market, compliance is not only a basic requirement to comply with the law but also a necessary measure to maintain corporate reputation and avoid commercial losses.

Since eCommerce—especially branded self-operated eCommerce websites—involves the collection and processing of a large amount of personal data, companies must pay special attention to complying with the provisions on personal data protection in the PDPL and the Personal Data Protection Laws specific to electronic systems. Some key points of the regulations that brand eCommerce companies need to pay attention to are:

  • The PDPL provides businesses with a two-year grace period to adapt to the new regulatory requirements, which is a valuable opportunity for you to adjust and optimize your data protection measures.
  • Companies are required to notify data subjects* and regulators within 72 hours of a data breach.
  • They shall conduct data protection impact assessments before engaging in certain high-risk data processing activities.
  • The law requires companies to appoint a Data Protection Officer (DPO) in certain circumstances, a requirement that is more specific and mandatory than in the laws of other Southeast Asian countries. A DPO is a professional or consultant appointed by the data controller or data processor to ensure that the organization complies with data protection regulations.
  • PDPL also has stricter requirements for cross-border data transfer. According to the draft implementing regulations of PDPL, Indonesia's Data Protection Agency will have the right to assess whether the data protection level of the receiving country meets the requirements.
  • This Law imposes harsh penalties for data protection violations, including high fines and imprisonment—such as unlawful disclosure of another person's data, which can result in a prison sentence of up to four years and/or a fine of up to IDR 400 million (approximately US $254,655).

* "Data Subject" refers to an individual who can be directly or indirectly identified by personal data. In layman’s terms, it refers to an ordinary website visitor.

Malaysia’s PDPA: Strict restriction on overseas data transfer

Another important economy in Southeast Asia, Malaysia has attracted the attention of many international brands with its unique cultural integration, steady economic growth, and active digital market. Before the Personal Data Protection Act, the protection of personal data was mainly regulated by laws in specific industries. In May 2010, the Malaysian Parliament passed the Personal Data Protection Act (PDPA), which received royal assent in June and came into effect on November 15, 2013. Five pieces of supporting legislation came into effect along with the PDPA, including the 2013 Personal Data Protection Ordinance, which covers fees, settlement of violations, and similar matters.

PDPA also has clear provisions for violations of data protection regulations, including administrative and even criminal penalties and penalties on companies and legal representatives. For example, companies that violate regulations may face a fine of up to 10 times the amount of the individual's fine, confiscation of illegal gains, suspension of all or part of the business, and more. In addition, Malaysia's multicultural background requires companies to take into account the privacy concepts and expectations of different cultural and religious backgrounds when processing personal data.

The key regulatory points that brand eCommerce companies need to pay attention to are as follows:

  • Ensure your business is registered as a data user* under the PDPA; this is the first step to operating legally, and you can do so through the official portal of the Department of Personal Data Protection.
  • Malaysia has also established industry-specific data user forums and industry-specific codes of practice guided by the Data Protection Commissioner. Participating in these forums can help you better understand compliance requirements.
  • Businesses have ongoing responsibility for data, and even if the data subject withdraws consent, you are still responsible for the secure processing and deletion of personal data.
  • Businesses must keep data processing records of all applications, notifications, requests, or other information related to the processing of personal data, which shall be available for inspection by supervisory authorities.
  • The PDPA prohibits the transfer of personal data outside of Malaysia except in the following circumstances: the transfer is to a third party with the explicit consent of the data subject; the transfer is for the performance of a contract with the data subject; the transfer is required in response to a national emergency, public order and security, or for the performance of the functions of a public authority.

*"Data users" here refer to entities that collect, process, or control personal data—typically businesses or organizations.

Thailand’s PDPA: Extraterritorial effect

As one of the important economic and cultural centers in Southeast Asia, Thailand has a growing demand for the protection of personal data in society. The Constitution of the Kingdom of Thailand recognizes the right to privacy, and individuals have the right to be protected from the improper use of personal data related to their personality. With the support of the Constitution, Thailand's Personal Data Protection Act (PDPA) was passed in 2019, marking a new era of data protection in Thailand. The PDPA requires data controllers and processors to comply with data protection principles and provides for extensive rights for data subjects.

The PDPA provides for administrative fines for data protection violations. Data controllers may be fined for failure to comply with the legally required security measures, data processing records, Data Protection Impact Assessment (DPIA), and other requirements. In addition, in theory, individuals may be entitled to claim tort damages under the Thai Civil and Commercial Code if their personal data is used in a way that violates or affects their constitutional right to personal data.

The key regulatory points that brand eCommerce companies need to pay attention to are as follows:

  • Your business should be aware that Thailand’s PDPA has an extraterritorial effect and applies to data processing activities of foreign entities concerning data subjects in Thailand.
  • Thailand’s PDPA explicitly stipulates that a Data Protection Officer (DPO) must be appointed in certain circumstances. When processing sensitive data, the mandatory appointment of a Data Protection Officer (DPO) will help your business avoid the risk of non-compliance.
  • When companies collect personal data, they must inform data subjects of the period for which the data will be retained.
  • Thailand’s PDPA takes special measures for the data of minors (defined as those under the age of 20), requiring your business to obtain parental consent when processing the data of minors.

Vietnam’s PDPD: Data to be stored within the country

As one of the fastest-growing economies in Southeast Asia, Vietnam is actively integrating into the global digital economy, which makes personal data protection an important part of Vietnam's social and economic development. The Vietnamese Constitution stipulates the right to personal privacy and the protection of personal secrets, which is the constitutional basis for the Personal Data Protection Decree.

For many years, Vietnam's data protection regulations had mainly relied on several existing laws and decrees, such as the Cybersecurity Law, the Civil Code, and the Electronic Transactions Law. Among them, the Electronic Transactions Law generally prohibits the use, provision, or disclosure of data related to electronic transactions without consent. On July 1, 2023, Vietnam's Personal Data Protection Decree (PDPD) officially came into effect, emphasizing that the processing of personal data must be based on a legal basis and requiring data controllers and processors to take technical and organizational measures to ensure data security.

Only by paying attention to compliance can enterprises avoid penalties for violating the data protection provisions of the PDPD. For serious violations, such as collecting personal information without the consent of the data subject or providing personal information to third parties without consent, fines may range from 10 million VND (about US $430) to 20 million VND (about US $850). In addition, anyone who suffers damage due to infringement of data protection regulations has the right to obtain compensation from the infringing party (according to Article 13 of the Civil Code).

Among them, the key points that enterprises need to pay attention to in Vietnam’s data regulations are as follows:

  • In Vietnam, a Transfer Impact Assessment (TIA) is an important step in cross-border data transfer compliance. Your business needs to prepare a TIA when conducting cross-border transfers involving the personal data of Vietnamese citizens. Vietnam also requires data controllers and data processors to submit a data protection impact assessment (PDPIA) to the Cybersecurity Department.
  • Vietnam's PDPD stipulates that when a data breach occurs, the data controller (i.e. your company) must promptly notify the cybersecurity department and the affected data subjects.
  • Vietnam's Cybersecurity Law requires that certain types of data be stored in Vietnam, such as personal data of Vietnamese users, user-generated data, eCommerce data, etc. Companies engaged in cross-border eCommerce may need to establish data centers in Vietnam or use local data storage services.

Philippines’ DPA: Follows the principle of data minimization

As a multicultural country, the Philippines has a legal system deeply influenced by Western legal traditions, especially in terms of data privacy. The formulation of its laws has been influenced by international data protection regulations such as the EU’s General Data Protection Regulation (GDPR). The Philippines' Data Privacy Act (DPA), formally Republic Act No. 10173, is the first law in the Philippines to comprehensively cover data privacy and is regarded as the country's pioneering legislation in data privacy protection. The law provides clear guidance for companies handling personal data, requiring them to follow the principles of transparency, legality, and data minimization when processing data.

If a company violates the provisions of the DPA, it may face administrative penalties ranging from 0.5% to 3% of its annual revenue in the previous fiscal year. The DPA and its IRR (Implementing Rules and Regulations) also provide for criminal penalties ranging from 6 months to 7 years in prison and fines ranging from PHP 100,000 (approximately US $1,755) to PHP 5,000,000 (approximately US $87,733), depending on whether personal information or sensitive personal information is involved.

Key points that companies engaged in cross-border eCommerce need to pay attention to in Philippine data regulations:

  • The Philippines' DPA requires your business to follow the principle that data should not be retained permanently and should only be retained when necessary, which reflects respect for user privacy.
  • The DPA’s definition of sensitive personal information may be broader than that of other Southeast Asian countries, including race, religious beliefs, health, etc. Your business must obtain the data subject’s explicit consent when processing this data.
  • The DPA has specific requirements for the international transfer of personal information, including ensuring that the recipient provides a level of protection comparable to that under the DPA.
  • When personal data is illegally processed or misused by a company, the data subject (the owner of the personal data) has the right to seek compensation. The data subject can file a lawsuit in court.
  • The principle of data minimization requires your business to collect and retain only the minimum amount of personal data necessary to achieve a specific purpose.

Commonalities of Data Compliance Regulations in Southeast Asia

When doing business across Southeast Asia, there are some basic data protection principles that should be followed. These principles are the foundation for building trust and compliance.

  • First, make sure your privacy policy and user agreement are up to date and reflect the latest legal requirements for data processing. This will not only help avoid legal risks but also show your customers that your company takes customer privacy seriously.
  • It is also crucial to recognize the rights of data subjects. In practice, eCommerce websites should establish simple processes to enable data subjects to easily exercise their rights to access, correct, and delete their personal data. This reflects respect for customer rights.
  • In addition, companies need to take necessary measures to ensure data security, including encryption, access control, network security, and data backup to protect personal data from illegal access, leakage, or abuse, and conduct security audits and vulnerability assessments on a regular basis.
  • Cross-border data transfer is an inevitable part of cross-border eCommerce business, so it is crucial to understand and comply with the regulations of the target country regarding data transfer. Using data transfer agreements or standard contractual clauses to ensure the legality of data flows not only helps protect your business from legal risks but also protects the data security of your customers.
  • Finally, as regulations are constantly updated, adapting to legal changes is key to ensuring long-term compliance, and companies need to continue to pay attention to the latest legal developments—compliance is an ongoing process, not a one-time task.

Ensuring Legal Compliance with TMO

Compliance is not a cost, but the cornerstone of sustainable development of enterprises. When enterprises go overseas to the Southeast Asian market through models such as cross-border eCommerce, they must have a deep understanding of and comply with local data protection laws and regulations. By establishing a strong data compliance system, enterprises can not only avoid legal risks but also gain the trust and support of consumers in the fierce market competition.

TMO has many years of experience in implementing brands’ overseas eCommerce projects and works with legal professionals with expertise in eCommerce and specific operating jurisdictions to ensure compliance and minimize the legal risks of the enterprise.

If your company is considering overseas operations, you can learn about our Southeast Asia eCommerce Solutions and Scale to Asia Solutions for international eCommerce brands going global.

If you want to know more detailed regulations of various countries and their implementation in cross-border eCommerce, our eCommerce legal compliance services cover the interpretation of laws and regulations in your target market, including Consumer Protection, Data Compliance, Privacy, and eCommerce regulations to assist you in formulating appropriate compliance strategies. You can also directly contact our eCommerce specialists!
