Privacy Enforcement in APAC: Privacy Breach Penalties by APAC Regulators

Privacy breaches and enforcement in Europe, the US, and Australia garner much media attention in Australia. But there are many countries in the Asian-Pacific region (APAC) with privacy laws – and regulators that are enforcing them. Let’s take a look at privacy enforcement in APAC: 

Privacy Enforcement in APAC  

Japan’s Privacy Law 

Japan’s comprehensive data protection act, known as APPI, was amended in 2020 and came into effect on 1 April 2022. This law brings Japan’s data subject rights into close alignment with Europe’s GDPR, including requiring (amongst other things):  

  • Mandatory data breach notifications;  
  • Consent to transfer personal data outside Japan; and 
  • Pseudonymisation in certain circumstances. 

Privacy Enforcement in Japan 

Privacy enforcement in Japan is overseen by the Personal Information Protection Commission (PPC). Under the amended law, the potential financial penalty was increased to up to 100 million yen (or just over $1 million AUD) for privacy breaches.  

The PPC issued 198 guidance notes to businesses under the APPI between 1 April 2020 and 31 March 2021, as well as 357 requests for information 

However, one of the most notable privacy enforcement decisions in Japan came just prior to the amendments. The Rikunabi scandal arose when an online platform service was found to be sharing the personal data of students to customer companies without the students’ consent. The personal data being shared related to profiles created by the online platform that calculated the ‘possibility [by percentage] of declining job offer’. These scores were calculated based on the students’ browsing histories and this information was supposed to be de-identified. However, the customer companies could (and did) reidentify the information.  

The issues in this matter led to Japan’s PPC drafting new rules regarding data transfers in 2020. The company was ordered to improve privacy protections, too but it doesn’t appear that a penalty was imposed (possibly because of the deficiencies in Japan’s previous privacy law).

Read more on OneTrust.

South Korea Privacy Law 

South Korea’s constitution recognises the right to privacy and privacy of communications as fundamental rights. Additionally, South Korea has a comprehensive privacy law called the Personal Information Protection Act 2011. The law centres heavily around consent from the data subject and is very prescriptive in terms of the handling of personal data throughout its lifecycle. It is enforced by multiple bodies, including the Korean Communications Commission (KCC), Korean Financial Services Commission (FSC), Personal Information Protection Commission (PIPC), and Korean Internet and Security Agency (KISA).  

Privacy Enforcement in South Korea 

The regulators in South Korea are not averse to imposing significant financial penalties for privacy breaches. For example, the KCC imposed a penalty of 186 million KRW ($207,000 AUD) against TikTok in 2020 for collecting the personal information of minors under 14 without parental consent. TikTok was also hit with a further $6,700 AUD fine for failing to disclose overseas transfers of personal information.  

Read more about Data Privacy in South Korea on OneTrust. 

Singapore Privacy Law 

Singapore’s Personal Data Protection Act 2012 (PDPA) is enforced by the Personal Data Protection Commission (PDPC). The 2012 bill was comprehensively revised in 2020 and came into effect in 2021. The changes included introducing mandatory data breach notification requirements, as well as the ability for the PDPC to impose financial penalties of up to 10% of an organisation’s annual turnover in Singapore where the organisation’s turnover exceeds 10 million SGD. For other organisations, the available penalty is up to 1 million SGD. That said, the changes to the financial penalties do not come into effect until October 2022.  

Singapore Privacy Enforcement 

The PDPC’s highest penalty to date was imposed on SingHealth Services Pte Ltd and Integrated Health Information Systems Pre Ltd in the wake of a 2019 cyber-attack on a patient database. The cyber-attack was enabled by the failure of security controls, including unpatched servers, and delays in responding to evidence of cyber-attacks. The intrusion resulted in the personal information of 1.5 million individuals being breached (including that of Singapore’s Prime Minister). As a result, the companies were fined 250,000 SGD (or $257,000 AUD) and 750,000 SGD (or $772,000 AUD) respectively. 

Read more about data protection in Singapore on OneTrust or review the PDPC’s recent decisions here 

Privacy 108 and OneTrust 

Privacy 108 is a OneTrust partner. Our team can help you configure your OneTrust platform and create a bespoke solution that works for your organisational needs and obligations. We can help you to align your privacy program with your business processes and operationalise a solution that accelerates your path to compliance, whilst maximising your return on investment.  

Whether you have already implemented OneTrust, or you wish to start soon, we can help you create enduring value and get the most from the tool by building a customised solution for your organisation and optimising your implementation in accordance with legislation applicable to your organisation.  

  • We collect and handle all personal information in accordance with our Privacy Policy.

  • This field is for validation purposes and should be left unchanged.


At Privacy 108, we are passionate about privacy and data protection. We work with organisations to ensure they collect, use and secure all information in a way that is both compliant and meets community expectations. Privacy 108 is a law firm. Our team of lawyers can provide specialist legal advice on privacy and security issues.