Date: 2025-05-21

Summary of the series so far:

In our first blog, we explored an overview of privacy laws in Singapore, Malaysia, and Thailand, setting the foundation for understanding the regulatory landscape in the ASEAN region.

In our second blog, we discussed the applicability of the Data Protection Acts in Singapore, Malaysia, and Thailand.

In our third blog, we dealt with the definitions and categories of personal data and data controllers across the Personal Data Protection Acts in Singapore, Malaysia, and Thailand.

Singapore's Personal Data Protection Act (PDPA) provides a comprehensive framework for safeguarding personal data, balancing privacy rights with data processing needs. It emphasizes consent, accountability, and data retention. The Act applies to organizations handling personal data in Singapore, excluding individuals acting in personal capacities or employees within their employment scope. Personal data is defined to include information identifying an individual, whether alone or with other data, excluding certain private communications and outdated data.

Malaysia's Personal Data Protection Act (PDPA) governs personal data processing in Malaysia, focusing on notice, security, retention, and integrity. It applies to commercial transactions involving personal data, excluding NGOs and archival purposes. It covers individuals and entities in Malaysia, including foreign data processors using Malaysian equipment. Further, "personal data" and "sensitive personal data" are regulated separately. Sensitive data requires explicit consent for processing, while personal data only needs documented consent, with fewer obligations for controllers.

Thailand's Personal Data Protection Act (PDPA) regulates the collection, use, and disclosure of personal data within Thailand or for Thai citizens, covering both physical and digital records. It applies to businesses, including those outside Thailand, offering goods/services to Thai residents. Exemptions include personal use, media activities, and credit bureaus. Personal data is defined as information enabling individual identification. It mandates explicit consent for sensitive data collection. The law applies domestically and internationally for entities targeting individuals in Thailand.

In this instalment, we will detail the mandate of notice and consent under the Personal Data Protection Acts in Singapore, Malaysia, and Thailand.

Notice & Consent

Singapore

Under Singapore's Personal Data Protection Act (PDPA), prior to the collection of personal data, data controllers bear the obligation to apprise data subjects of the purpose behind data collection, disclose any additional intentions for utilizing or disclosing their data, and furnish contact details for inquiries. Consent must be procured for specific purposes, and the provision of services should not be contingent upon consent beyond what is essential. Data controllers are further prohibited from resorting to deceptive tactics to secure consent. The PDPA also provides that an individual can withdraw consent by providing "reasonable notice", following which personal data of that individual cannot be collected, used or disclosed. The organisation must also ensure that its data intermediaries and agents cease to use the data. Singapore also provides for the concept of "deemed consent" where the individual voluntarily provides the information. However, there are exceptions to the requirement to obtain consent under the PDPA – Singapore. These exceptions include instances where data is provided voluntarily or where it is indispensable for contractual purposes. Similarly, consent is inferred under the PDPA – Singapore when data subjects voluntarily furnish data, and subsequent sharing is deemed reasonably necessary. Consent is not mandated when data is divulged by a public agency or for certain public policy objectives, such as education or healthcare. Additionally, written authorization may obviate the necessity for consent in specific law enforcement scenarios.

Malaysia

Similar to other jurisdictions, Malaysia's Personal Data Protection Act (PDPA) imposes obligations on data controllers concerning notification and consent. Unlike countries such as Singapore and India, in Malaysia, data controllers have the option to notify data subjects prior to utilizing the data instead of at the point of collection. However, the Malaysian PDPA differentiates between personal data and sensitive personal data, with the latter (including biometric data from April 2025 onwards) requiring the data subject's express consent under Section 40 for its use. Data users must ensure compliance with this requirement when handling sensitive personal data. Further, the Notice and Choice Principle under Section 7 of the PDPA requires data users to provide information to data subjects in both English and Malay concerning various aspects of their personal data. This encompasses specifying the purpose of personal data collection, elucidating with whom the data is shared, informing data subjects of their rights to access and rectify their personal data, delineating whether data collection is voluntary or mandatory, furnishing details on how data subjects can restrict the processing of their personal data, and supplying contact details for further inquiries. The PDPA also provides under Section 38 that an individual can withdraw consent by providing "a notice in writing", following which personal data of that individual cannot be processed.

Thailand

Under Section 19 of the Personal Data Protection Act (PDPA) – Thailand, securing consent from a data subject necessitates clear communication, either through a written statement or electronically, unless such means are impractical by their very nature. Additionally, the data controller is obligated to furnish information regarding the purpose of collecting, using, or disclosing personal data when soliciting consent. This request must be presented in a lucid, easily accessible, and understandable manner in plain language. The Act also mandates that withdrawal of consent must be made as easy a process as that of giving consent. Notably, the data controller retains the prerogative to collect personal data from sources other than the data subject, provided that the data subject is promptly notified of such collection from alternative sources within thirty days and grants consent. Collection from alternative sources is permissible if the purpose aligns with the list of purposes for which data may be collected without prior consent of the data subject, as provided under Section 24 or 26 of the PDPA – Thailand.

Next in the series

In the next instalment, we will discuss the regulation of data transfer, localisation and data breach under the Personal Data Protection Acts in Singapore, Malaysia, and Thailand.

Links:

Singapore: https://sso.agc.gov.sg/Act/PDPA2012?WholeDoc=1#top

Thailand: https://thainetizen.org/wp-content/uploads/2019/11/thailand-personal-data-protection-act-2019-en.pdf

Malaysia: JW515839 Act 709.indd (kkd.gov.my)

Originally published February 14, 2025
