7 min read

Writen by Ana Mishova

Posted on: November 30, 2023

Comparing GDPR with Asia’s Data Protection Legislation

What are the similarities and differences between GDPR and the data protection regulations enacted in some Asian states? We look at the situation in Singapore, Japan and APEC.

Data is a global concern. When an individual in Tokyo can have their data processed in Dusseldorf by a company incorporated in Austin, knowing which data protection laws affect – and how – becomes critical to global trade.

Across Asia, several countries and states have enacted their own legislation to safeguard personal data.

In this post, we explore Asia’s data protection laws – Japan, Singapore and APEC, the Asia-Pacific Economic Cooperation forum, ask what similarities are shared with the EU’s General Data Protection Regulation (GDPR), and explore how they differ.


APEC CBPR is a framework established by the APEC to facilitate the cross-border flow of personal data among member economies while ensuring privacy protection.

GDPR Consistency:

While not directly aligned with GDPR, the APEC CBPR shares a common goal of safeguarding personal data.

As you might expect from a forum which includes the US, Russia and China among its 21 signatories, complete alignment is often challenging, something you can clearly see in the application of CBPR. Whilst all APEC signatories have expressed an intention to join the CBPR at some point, only nine (including the US but not China and Russia) have done so to date.

Perhaps as a consequence, CBPR isn’t as joined up, prescriptive or comprehensive as GDPR, acting more as a standard than a regulation. CBPR-certified organizations are bound to comply with it, however, and compliance is enforceable, but the CBPR sits alongside domestic law.

The legal starting point for the two is also different, with GDPR a rights-based piece of legislation, while CBPR stems from securing data privacy in data transfers.


The PDPA aims to regulate the collection, use and disclosure of personal data by organizations in Singapore. It emphasizes transparency, consent, and accountability in data handling practices.

GDPR Consistency:

PDPA and GDPR share similar principles such as data subject rights, purpose limitation, and data breach notification. There are, however, numerous differences.

The rights conferred by the PDPA are more generalized than the GDPR. In particular, the PDPA contains no right to erasure, no right to object to the processing of personal data (although individuals can withdraw consent), and originally no right to data portability. This has since been altered by the Personal Data Protection (Amendment) Act 2020.

The PDPA, with just one or two exceptions, contains no requirement for organizations to maintain records of processing activities.

GDPR defines pseudonymized data (that is, data which could not be attributed to an individual without additional, separate information) and confirms that such data is subject to GDPR. PDPA makes no mention of it.


APPI sets rules for handling personal information in Japan, and emphasizes the importance of obtaining consent, maintaining accuracy, and protecting against unauthorized access.

GDPR Consistency:

There are numerous parallels between APPI and GDPR in terms of consent, purpose limitation, and security measures. Yet there are specific cultural and legal nuances that differentiate it from GDPR. These include:

GDPR makes a distinction between data controllers and data processors. APPI does not, placing all “personal data handling operators” together.

GDPR makes distinct provision for data used in connection with scientific or historical research. APPI does not.

APPI does not recognize any right to data portability. GDPR does.


GDPR has an extraterritorial reach, applying to organizations worldwide if they process EU residents’ data. APEC, PDPA, and APPI primarily regulate within their respective jurisdictions.


GDPR imposes substantial fines for non-compliance.

APEC, PDPA and APPI have their own enforcement mechanisms. While fines are included in the sanctions, they are typically smaller than the GDPR’s maximum penalty. The notable exception is CBPR, where the fine of 4% of global turnover is a direct match for GDPR. With APPI, however, the maximum single fine is JPY 1 million (around €6,000 at time of writing). Here though, imprisonment is also a possible sanction.

Does complying with Asia’s data protection laws guarantee compliance with GDPR?

No. Inevitably, compliance with any of the Asia’s data protection standards will make it easier to align with GDPR requirements (you can find a complete guide to the General Data Protection Regulation here), because many of the building blocks of compliance will already be in place.

But as the above summary demonstrates, the differences are sufficient to ensure that compliance with one standard does not automatically mean compliance with another (whether that’s the GDPR or another Asian standard).

GDPRLocal can help ensure that, wherever you operate and wherever you process data, you meet the compliance standards required of your organization, and keep your customers and reputation protected. Get expert support in managing your data protection here, or call +1 303 317 5998.

Contact Us

Hope you find this useful. If you need an EU Rep, have any GDPR questions, or have received a SAR or Regulator request and need help then please contact us anytime. We are always happy to help...
GDPR Local team.

Contact Us

Recent blogs

EU AI Act Summary: Key Compliance Insights for Businesses

The EU AI Act is a pioneering attempt to regulate AI systems, striving for a balance between foster

AI Act: Fundamental Rights Impact Assessments (FRIA) – Who, When, Why, and How to Ensure Ethical AI Deployment

The European Union (EU) has positioned itself as a leader in shaping the responsible development an

How the Privacy Act Protects Personal Information in Australia

 As cyber threats loom larger and data breaches become more common, the significance of strong

Get Your Account Now

Setup in just a few minutes. Enter your company details and choose the services you need.

Create Account

Get In Touch

Not sure which option to choose? Call, email, chat to us

Contact Us

Stay Up-To-Date

Leave your details here and we’ll send you updates and information on all aspects of GDPR and EU Representative. We won’t bombard you with emails and you will be able to tell us to stop anytime.

Full Name is required!

Business Email is required!

Company is required!

Please accept the Terms and Conditions and Privacy Policy