On 25 April 2025, at the Globalaw Asia Pacific Regional Meeting in Osaka, Japan, our Partner and Head of Tax and Private Client, Anna Chan, joined Uday Singh Ahlawat of Ahlawat & Associates (India), Han Sung Kang of DLG Law Corporation (South Korea), Ariel Hung of Stellex Law Firm (Taiwan) and Yusaku Akasaki of Chuo Sogo LPC (Japan) for an insightful roundtable discussion on the evolving landscape of data privacy laws across key APAC jurisdictions.

The recent decade has seen an increase of phishing attacks and data breaches. With the introduction of the new cybersecurity law in Hong Kong which will come into effect next year, there is heightened concerns over data security and rights of data subjects. The roundtable discussion therefore offered a timely forum to visit topics such as obtaining consent from data subjects, protecting the rights of data subjects and data breaches reporting practices, as well as on recent legislative developments in in Hong Kong, India, Japan, South Korea, and Taiwan. This article summarises each of the participants’ inputs in the roundtable discussion, each speaking from their respective jurisdictions, on these topics.

Obtaining consent from data subjects

• In Hong Kong, a data user must expressly inform the data subject the purpose for which the data is to be used on or before collection of the data. Provision of personal data pursuant to such information by the data subject shall be deemed sufficient consent which is implied. However, new consent from the data subject is required if such personal data shall be used for a new purpose. So far as cross-border transfer is concerned, the Personal Data (Privacy) Ordinance (“PDPO”) provides, among others, that data subject should also consent in writing specifically but this requirement has not come into effect yet.
• In India, when seeking consent from data principals, it is crucial to sufficiently disclose that their personal information will be transferred to another entity. The details of such third-party entity (to which the data will be transferred) as well as the purpose of such transfer also needs to be disclosed. In the case of cross-border transfer of personal information, the manner of seeking consent from data principals remains the same.
• In Japan, business operators must clearly outline the purpose of data collection and obtain specific consent for the cross-border transfer of personal information with certain exceptions.
• In South Korea, informed and voluntary consent is essential for collecting and using personal data, unless a legal exception applies. Also, consent for collection, third-party provision, and cross-border transfers must be clearly distinguished and obtained separately.
• In Taiwan, organizations must expressly inform data subjects when collecting personal data, detailing the collection purposes, data types, usage scope (duration, geography, territory, and methods), data subject rights, and consequences of non-disclosure, unless exempt by law. When collection involves planning for cross-border transfers, intended overseas jurisdictions should also be specified.

Is there a “right to be forgotten”?

• In Hong Kong, while there is no express “right to be forgotten”, under the PDPO, data users must ensure personal data is retained only as long as necessary, and generally must take practicable steps to erase the personal data held by them where it is no longer required unless the statutory exemptions apply.
• In India, there is no clear statutory provision for the “right to be forgotten” but the Indian courts have recognized the “right to be forgotten” in some judicial pronouncements. The Indian judiciary has also attempted to clarify the distinction between “right to be forgotten” and the “right to erasure” in their judicial pronouncements. Further, the forthcoming Digital Personal Data Protection Act (“DPDPA”) will provide for a statutory “right to erasure” (unless the statutory exemptions apply).
• In Japan, while there is no express “right to be forgotten”, the Act on the Protection of Personal Information (“APPI”) recognises the right of data subjects to correct, add, or delete their personal data only on the ground that the retained personal data is contrary to the fact.
• In South Korea, data subjects have the rights to access, correct, delete, and suspend the processing of their data, as well as to withdraw consent. While there is no express “right to be forgotten”, it is being increasingly recognised in practice as a separate right from the general deletion right. In common practice, business operators in South Korea often establish a defined retention period and periodically re-request consent.
• In Taiwan, while there is no explicit “right to be forgotten”, similar protections exist under the Personal Data Protection Act (“PDPA”) through various data subject rights, including rights to access, correct, delete data and demand cessation of data processing and use. In practice, certain Taiwan courts have interpreted constitutional principles of informational self-determination and privacy to support this right, balancing individual rights against public interest when assessing removal requests, thus adapting to emerging digital privacy challenges.

Data breaches reporting practices

• In Hong Kong, business operators are encouraged to voluntarily report data breaches in accordance with the best practices published by the Office of the Privacy Commissioner for Personal Data. For now, there are no specific criminal penalties for data breaches while civil liabilities may arise from breaches of contract, confidentiality, and negligence. That said, the newly enacted Protection of Critical Infrastructures (Computer Systems) Ordinance, expecting to take effect on 1 January 2026, will require the operators of crucial infrastructures in Hong Kong in the eight industries including energy, information technology, banking and financial services, transportation, telecommunications and broadcasting services and healthcare services to, among others, implement security plans and protocols, and report on security incidents. Failure to comply will result in fines ranging from HK$500,000 to HK$5 million.
• In India, the forthcoming DPDPA prescribes that data breaches shall be reported to both the Data Protection Board of India and the data principal without delay. Failure on the part of data fiduciaries in providing such a notice could result in severe criminal penalties (as prescribed under the DPDPA).
• In Japan, in the event of serious data security breaches, business operators are required to notify both the Personal Information Protection Commission (“JPIPC”) and data subjects. The APPI imposes criminal penalties for various improper handling of personal data as well as failure to comply with the JPIPC rectification requests and orders.
• In South Korea, in the event of any leak involving sensitive personal data, business operators should notify the Korean Personal Information Protection Commission and data subjects within 24 hours of identifying such leak. Criminal penalties are imposed for intentional or severe negligence (e.g. illegal data sales or leaks), alongside with administrative fines, corrective orders, potential suspension of processing and public disclosure.
• In Taiwan, the PDPA currently mandates that organisations are required to notify affected individuals of data breaches only after the relevant facts have been clarified. Criminal penalties apply for intentional misconduct, with a tiered system of administrative fines for other non-compliance. Notably, proposed amendments to the PDPA announced in March 2025 include heightened reporting requirements, and business operators should monitor these upcoming developments closely.

Disclaimer: This article is for reference only. Nothing herein shall be construed as Hong Kong legal advice or any legal advice for that matter to any person. Oldham, Li & Nie shall not be held liable for any loss and/or damage incurred by any person acting as a result of the materials contained in this article.