Data Processing Consent Amid AI Advancements in Asia-Pacific: Crucial Developments Highlighted
In recent months, several Asian countries have taken significant strides towards strengthening their data protection laws, with a focus on enhancing consent requirements and expanding legal bases for data processing.
In India, the Digital Personal Data Protection (DPDP) Act, 2023, which was passed in August 2023, is set to implement a revolutionary Real-time Consent Management System (CMS). This system requires companies to verify user consent through real-time API calls before processing personal data, ensuring that consent is an active, current, specific, and purpose-bound signal rather than a one-time checkbox. Consent must be granular, purpose-specific, time-bound, and revocable, with bundled or implied consent banned. The system logs every consent action immutably, creating a digital audit trail accessible to users (called Data Principals) and regulators. A user-facing dashboard will allow individuals granular control over their personal data, including managing permissions, raising grievances, and requesting corrections or deletions. The concept of Consent Managers is introduced as registered entities facilitating individuals’ management of consent on a transparent and interoperable platform.
Vietnam's Law on Data, effective July 2025, introduces significant new data governance obligations. It establishes property rights for data owners and includes strict requirements for data governance, including cross-border data transfers. Although specific updates on consent are not detailed in the search results, the law overall signals a strong regulatory focus on data control and governance.
The Philippines' National Privacy Commission (NPC) has published Circular No. 2023-04, providing updated guidelines on consent for personal data processing. This circular aims to clarify requirements for obtaining consent from Personal Information Controllers (PICs). However, details on alternative legal bases or real-time consent verification are not specified in the results.
As for Indonesia, South Korea, and Malaysia, no specific updates on consent requirements or alternative legal bases for data processing have been found as of August 2023. However, it is known that Indonesia's Personal Data Protection Law (PDPL) was enacted in October 2022, and the PDPL introduces a unified national privacy law with an extended transition period. Vietnam's Decree on Personal Data Protection took effect in July 2023, and once in force, the DPDPA will provide a comprehensive framework for processing personal data in India. South Korea amended PIPA (in force since September 2023) to promote easy-to-understand consent practices and recognize additional legal grounds, particularly in the context of AI.
In summary, India is leading the way with its innovative Real-time Consent Management System, while Vietnam and the Philippines are focusing on establishing strong data governance and clarifying consent guidelines, respectively. Meanwhile, Indonesia, South Korea, and Malaysia are continuing to evolve their data protection laws, with further updates expected in the future. As the APAC region shifts from fragmented, sector-specific rules to unified legal frameworks, improving user-friendly consent mechanisms is becoming essential. Strengthening enforcement and expanding lawful processing grounds is a key aspect of the more flexible and accountable approach to data protection across the region.
- The DPDP Act, 2023 in India is set to implement a Global Real-time Consent Management System, requiring technology-based verifications of user consent for personal data processing, promoting privacy and transparency in the Digital Lifestyle.
- Vietnam's Law on Data, effective in 2025, introduces stringent Data Governance policies, including property rights for data owners, and a focus on cross-border data transparency and compliance.
- The Philippines' National Privacy Commission has updated guidelines on consent for Personal Data Processing, focusing on policy clarification for Personal Information Controllers, yet specifics regarding real-time consent verification and alternative legal bases remain unspecified.
- In Indonesia, South Korea, and Malaysia, the most recent updates indicate ongoing evolution of data protection laws, with Indonesia's Personal Data Protection Law introducing a national privacy law and an extended transition period, Vietnam's Decree on Personal Data Protection taking effect in 2023, and South Korea amending PIPA to promote user-friendly consent practices and recognize additional legal grounds in the context of AI.
- As Asia continues to establish robust data protection policies to strengthen transparency and compliance, Education-and-self-development in the field of technology becomes increasingly necessary, ensuring regional cooperation and the creation of more flexible, accountable, and user-friendly consent mechanisms.
