New Zealand clarifies info-sharing rules for child safety, China issues draft network data security risk assessment measures, and South Korea orders Starbucks to fix data compliance failures – plus other key updates.
Lexology PRO looks at the latest updates and developments across key segments of data protection in the Asia-Pacific region to help businesses stay abreast of the most pressing issues.
This key update was produced with the assistance of generative AI.

Regulatory and industry updates
On 10 December 2025, the New Zealand Office of the Privacy Commissioner issued new information-sharing guidance for the children’s sector after ongoing concerns that agencies were withholding critical information out of fear of breaching privacy laws. The Privacy Commissioner stressed that there is no legislative barrier to sharing information when a child’s wellbeing or safety is at risk, and that a child’s protection must always come first.
On 9 December 2025, the Office of the Australian Information Commissioner announced that from 2026, it will launch its first-ever privacy compliance sweep, targeting businesses that collect personal information in person. Entities found with non-compliant privacy policies may face infringement notices and penalties of up to AU$66,000 (US$43,798) under expanded enforcement powers introduced in 2024.
On 8 December 2025, the Australian Cyber Security Centre (ACSC) issued a public alert warning of a sharp rise in information-stealing malware targeting victims globally, with thousands of Australians already affected. The ACSC explained that these malware strains covertly extract sensitive data such as login credentials and system information, which cybercriminals use for identity theft, financial fraud and account takeovers, or sell to other criminals for further exploitation.
On 6 December 2025, China’s Cyberspace Administration issued (simplified Chinese language only) draft measures to standardise network data security risk assessment activities and strengthen oversight of network data processing. Key proposals include annual risk assessments for important data processors, triennial assessments for general data processors, and detailed requirements for assessment methods. The consultation ends on 5 January 2026.
On 3 December 2025, the Philippines’ Bangko Sentral ng Pilipinas (BSP) and the Securities and Exchange Commission signed a memorandum of agreement to strengthen the protection of Filipinos’ retirement savings. The agreement establishes secure data-sharing arrangements, clear procedures for reporting and handling operational issues, and regulated access to sensitive information from PERASys, the BSP-managed central database of all Personal Equity and Retirement Account contributors.
On 1 December 2025, Hong Kong’s Privacy Commissioner for Personal Data (PCPD) issued a public alert following the Tai Po fire disaster, warning that fraudsters are stealing highly sensitive personal data, including names, Hong Kong Identity Card numbers, phone numbers, and bank and credit-card details. The PCPD also reported phishing SMS messages claiming to be from charitable organisations and directing recipients to fraudulent websites to donate money.
On 26 November 2025, Indonesian lawmakers considered updating the Broadcasting Law 2022 to address media convergence during a Focus Group Discussion. They highlighted regulatory gaps between digital platforms and traditional broadcasters, rising disinformation, declining trust, data privacy risks, overlapping regulatory mandates, platform transparency, and integration of the Personal Data Protection Law 2022.
Enforcement actions
On 26 November 2025, South Korea’s Personal Information Protection Commission (PIPC) issued correction orders and recommendations to coffee company Starbucks and supply chain service provider Elevate. The PIPC found that Starbucks failed to properly manage and supervise its Ethical Sourcing Program, which was entrusted to Elevate without a legally compliant data-processing agreement. The PIPC also filed a criminal complaint against Paraguayan IT service company umanle, which operates Namuwiki, a Korean-language wiki, for violating the Personal Information Protection Act 2020.