With effect from 1 January 2021, the FATA was amended to (among other things) introduce the Register of Foreign Ownership of Australian Assets. It was contemplated in the amendments to the FATA that the New Register would come into effect at a later time. That later time was 1 July 2023. [...]
Read the full article here
While obtaining informed and voluntary consent from data subjects, organisations should clearly state the reasons for collecting the data, how it will be handled, and how it will be used.
Being transparent with subjects about data collection and use is especially important as data creation has proliferated across social media, streaming, digital transactions, smart devices, logins and other identifying information on search browsers, and the rise of AI and metadata in files.
In practice, the manner in which informed and voluntary data subject consent is conducted may vary from jurisdiction to jurisdiction.
This article explores guidelines and best practices for informing data subjects and obtaining voluntary consent in countries within Globalaw’s APAC region, including Hong Kong, India, Japan, South Korea, and Taiwan.
Hong Kong
In Hong Kong, where the governing body is the Office of the Privacy Commissioner for Personal Data (PCPD), a data user must expressly inform the data subject of the purpose for which the data is to be used on or before collection of the data.
Provision of personal data pursuant to such information by the data subject shall be deemed sufficient consent, which is implied.
However, new consent from the data subject is required if such personal data shall be used for a new purpose. For example, changing policies to begin sharing data with a third-party partner for direct marketing.
For cross-border transfers, the Personal Data (Privacy) Ordinance stipulates, among other requirements, that the data subject must also provide written consent specifically; however, this requirement has not yet come into effect.
India
In India, where the governing body is the country’s Ministry of Electronics and Information Technology (MeitY), principal data subject consent should be free, specific, informed, unconditional and unambiguous.
Also, while seeking consent from data principals, a notice must be displayed informing them about: (i) the personal data and the purpose for which the same has been processed; (ii) the manner in which they may exercise their rights; and (iii) the manner in which the data principal may make a complaint to the board. These basic requirements also apply to consent for cross-border transfer of personal information.
Japan
In Japan, where the governing body is the country’s Personal Information Protection Commission, business operators must clearly outline the purpose of data collection and obtain specific consent for the cross-border transfer of personal information, with certain exceptions.
South Korea
In South Korea, where the governing body is the country’s Personal Information Protection Commission, informed and voluntary consent is essential for collecting and using personal data, unless a legal exception applies.
Additionally, consent for collection, third-party provision, and cross-border transfers must be obtained separately and clearly distinguished.
Since March 2023, amendments have expanded the grounds for data collection to include cases necessary for fulfilling contracts or implementing measures requested by data subjects during the contract formation process. The practical application of these changes continues to develop and adapt.
Taiwan
In Taiwan, where the Taiwanese government is in the process of forming the Personal Data Protection Commission, organisations must expressly inform data subjects when collecting personal data.
Organisations must detail the purposes of collection, types of data, usage scope (including duration, geography, territory, and methods), data subject rights, and consequences of non-disclosure, unless exempt by law. When collection involves planning for cross-border transfers, intended overseas jurisdictions should also be specified.
--
This article is part of a series by our Globalaw APAC Data Privacy & Protection Taskforce members.
Globalaw’s APAC Data Privacy & Protection Taskforce comprises 15 law firms in the Asia-Pacific region with specialized expertise in advising international companies on how to implement and manage a multijurisdictional data protection program.
Taskforce member firms combine a strategic, business-minded approach with cross-border collaboration to help clients build and maintain sophisticated and resilient data practices, effectively mitigate and respond to incidents, and provide sophisticated representation to resolve disputes or regulatory investigations.
Explore the Globalaw APAC Data Privacy & Protection Taskforce brochure for more information and regional contacts.
Disclaimer: The information provided in this article is for general informational purposes only and does not constitute legal advice. Information, including laws and statutes, cited are subject to change and is accurate as of 30 June 2025, but readers should verify such current status. We and our member firms shall not be held liable for any loss and/or damage incurred by any person acting as a result of the information contained in this article. Reliance on this content is at the reader’s own risk, and no attorney-client relationship is formed by reading or acting upon this article. Always seek professional legal counsel to ensure compliance with applicable laws and regulations.
A Data Protection Officer (DPO) ensures that an organisation’s data collection, processing and use complies with applicable data protection rules and regulations. DPOs are generally data protection experts with specialized knowledge and experience. They provide advice and guidance on best practices, compliance, policies and procedures, education and training, risk management and data breach response protocols.
The rapid pace of data creation, accelerated by content generated by AI, social media, streaming, digital transactions and smart technology, has increased government intervention in data governance and protection.
As such, certain jurisdictions require that companies appoint a DPO, while others strongly recommend it. This article explores the DPO requirements, qualifications and responsibilities in countries within Globalaw’s Asia Pacific region, including Hong Kong, India, Japan, South Korea, and Taiwan.
DPO Requirements by Jurisdiction
Appointing a DPO is a recommended practice rather than a requirement in both Hong Kong and Japan. By contrast, South Korea requires most companies to appoint a DPO, except those with fewer than 10 permanent employees.
In India, DPOs are required for significant data fiduciaries. While Taiwan does not require DPOs, certain industries mandate the designation of data protection personnel.
Qualifications of a DPO
For Hong Kong, Japan, Taiwan, and South Korea, there are no mandatory certifications, licenses, or qualifications required before someone can be appointed as a company’s DPO.
While there are also no legal or technical qualification mandates for India, a DPO shall be (a) based in India, and (b) be an individual responsible to the Board of Directors or similar governing body of the significant data fiduciary.
Responsibilities of a DPO
The responsibilities of a DPO vary by jurisdiction and, in some cases, by industry and are authorized by the governing authority of that jurisdiction.
Hong Kong
Governing Body: The Office of the Privacy Commissioner for Personal Data (PCPD).
The PCPD provides the following recommendations:
India
Governing Body: Government of India, Ministry of Electronics and Information Technology (MeitY)
Under the Digital Personal Data Protection Act (DPDP), the DPO shall represent the significant data fiduciary under the provisions of the legislation and be the point of contact for the grievance redressal mechanism.
Japan
Governing Body: Personal Information Protection Commission
A DPO is not subject to any legally mandated responsibilities.
South Korea
Governing Body: The Personal Information Protection Commission
Under the Personal Information Protection Act (PIPA), the DPO handles personal information for business purposes to comply with the regulations. These responsibilities include:
Taiwan
Governing Body: The Taiwanese government is in the process of forming the Personal Data Protection Commission.
Only specific industries are required to designate responsible personnel, and sector-specific regulations govern their responsibilities.
--
This article is part of a series by our Globalaw APAC Data Privacy & Protection Taskforce members.
Globalaw’s APAC Data Privacy & Protection Taskforce comprises 15 law firms in the Asia-Pacific region with specialized expertise in advising international companies on how to implement and manage a multijurisdictional data protection program.
Taskforce member firms combine a strategic, business-minded approach with cross-border collaboration to help clients build and maintain sophisticated and resilient data practices, effectively mitigate and respond to incidents, and provide sophisticated representation to resolve disputes or regulatory investigations.
Explore the Globalaw APAC Data Privacy & Protection Taskforce brochure for more information and regional contacts.
Disclaimer: The information provided in this article is for general informational purposes only and does not constitute legal advice. Information, including laws and statutes, cited are subject to change and is accurate as of 30 June 2025, but readers should verify such current status. We and our member firms shall not be held liable for any loss and/or damage incurred by any person acting as a result of the information contained in this article. Reliance on this content is at the reader’s own risk, and no attorney-client relationship is formed by reading or acting upon this article. Always seek professional legal counsel to ensure compliance with applicable laws and regulations.
October 1, 2025 – Globalaw, a leading network of independent law firms, announces the launch of its APAC Data Privacy & Protection Taskforce, comprising 15 law firms in the Asia-Pacific region with specialised expertise in advising international companies on implementing and managing multijurisdictional data protection programmes.
“International companies face an ever-changing web of data privacy and protection laws," said Globalaw President Peter J. Brown. “Globalaw’s APAC Data Privacy & Protection Task Force provides seamless, cross-border expertise to help clients navigate these issues with clarity and confidence. Our member firms offer strategic advice and legal support to reduce risks, ensure compliance, and build long-term trust.”
Taskforce member firms combine a strategic, business-minded approach with cross-border collaboration to help clients build and maintain responsible and resilient data practices, effectively mitigate and respond to incidents, and provide sophisticated representation to resolve disputes or regulatory investigations. Whether addressing GDPR, CCPA, or emerging data protection frameworks across multiple jurisdictions, our network grants access to the following firms offering consistent, high-quality guidance in the Asia-Pacific region:
Guam: Calvo Jacob & Pangelinan, LLP
Indonesia: Bagus Enrico & Partners
Singapore: Goodwins Law Corporation
Thailand: Legal Advisory Council Limited
Globalaw introduced the Sports Law Taskforce earlier this year, which provides dedicated legal counsel and representation for athletes and stakeholders worldwide. Visit Globalaw Publications & Resources for more information.
About Globalaw
Globalaw is a Chambers Global-ranked Band 1 Leading Law Firm Network of approximately 80 independent law firms and 4,000 lawyers in over 60 countries. Our mission is to foster seamless legal collaboration among member firms and assist them in delivering high-quality, cost-effective solutions to their clients worldwide. We take pride in our commitment to excellence, global reach, and innovative approach to legal services. Visit www.globalaw.net to learn more.
Media Contact:
Jaime Luckey
Globalaw has expanded its coverage in Africa with the addition of two new member firms: Marghany Advocates and ABMAK Associates, Advocates & Legal Consultants.
⎯
Based in Cairo, Egypt, Marghany is recognized as a leading M&A firm with additional expertise in competition and corporate law, compliance and corporate governance, data protection and media and advertising. With a 38-year history, the firm is led by Managing Partner Amir Marghany and is consistently ranked in Legal500.
For more information about Marghany, visit https://www.marghany.com/.
⎯
ABMAK is headquartered in Kampala, Uganda, and is the market leader in energy, mining, and oil and gas. Additional practice areas of specialisation include corporate and finance, tax and revenue, employment, dispute resolution, and environmental and social governance. Managing Partner Aisha Naiga Wamala heads the 16-year-old firm, which has been ranked in Chambers’ Global Guide for 10 consecutive years.
For more information about ABMAK, visit https://abmak.org/.
