Cycle on May 25, 2026

I will begin by listing the open threads for this topic to understand what specific areas or questions need to be pursued in this research cycle.

I will search the web for recent developments (especially in 2026) regarding cross-border data transfers and data residency requirements in the Asia-Pacific (APAC) region to identify new laws, regulations, or enforcement actions.

Let's perform some more targeted searches for specific APAC jurisdictions, particularly those undergoing active regulatory updates in 2026. Let's look at ASEAN DEFA, Vietnam, Indonesia, India, and Australia, or other major APAC economies (like South Korea, Japan, China, Singapore, Malaysia, Philippines, Thailand). Let's do a search on: - Malaysia PDPA amendments 2025/2026 cross border data transfer - South Korea PIPC cross-border transfer rules 2026 - China cross border data transfer rules 2025 2026 (CAC updates) - Vietnam PDPL decree or guidance 2026 - Indonesia PDP Law compliance deadline October 2026 (the 2-year transition period for Indonesia's PDP Law No. 27/2022 ends in October 2024, but let's check what's happening now in 2026, including implementing regulations or enforcement). Let's see. Let's search for "Malaysia PDPA amendments 2025 2026 cross border".

This is a very important development! Malaysia's PDPA Amendment Act 2024 was implemented in stages starting January 2025, and the Personal Data Protection Commissioner of Malaysia issued the "Guidelines on Cross Border Personal Data Transfer" on April 29, 2025. This represents a major shift: they are removing the old "White List" approach and replacing it with specific transfer mechanisms. Let's fetch the Mayer Brown article and the CMS Law article to get concrete details and quotes. First, let's fetch `https://www.mayerbrown.com/en/insights/publications/2025/07/from-legislative-reform-to-practical-guidance-key-amendments-to-malaysias-pdpa-and-the-launch-of-cross-border-transfer-guidelines`.

This is superb, detailed information on Malaysia's PDPA Amendment Act 2024 (phased implementation starting January 2025 to June 2025) and the Guidelines for Cross Border Personal Data Transfer (CBPDT Guidelines) issued on April 29, 2025. Let's do a search on Vietnam to see what the latest is on the PDPL (Personal Data Protection Law, Law No. 91/2025/QH15) passed on June 26, 2025, which entered into force on January 1, 2026. The prior finding says: "Vietnam Enacts Landmark Personal Data Protection Law (PDPL): Revenue-Based Fines and Stricter Cross-Border Transfer Cont… (slug: vietnam-pdp-law-enactment-2026)" Let's find out more about Vietnam's PDPL and its implementation in 2026, including cross-border transfer requirements (such as the transfer impact assessment dossier or equivalent, or any new decrees). Let's search: `Vietnam PDPL cross border transfer 2026` or `Vietnam PDPL Law No. 91/2025/QH15` or `Vietnam Decree 13 personal data transfer` (Decree 13/2023/ND-CP was the previous decree, but the new PDPL was passed in June 2025 and took effect Jan 1, 2026). Let's search.

Let's look at the PDF for Vietnam's PDPL Law No. 91/2025/QH15 or the Tilleke article or Vietnam Law Magazine. Let's see if we can fetch `https://www.tilleke.com/insights/vietnams-new-personal-data-protection-law-a-closer-look/` first to get detailed information about Vietnam's PDPL cross-border transfer requirements and what compliance teams need to know. Let's write a targeted search or fetch. Let's fetch the Tilleke article.

Ah, the firecrawl fetch timed out or failed. Let's try fetching another URL, like `https://vietnamlawmagazine.vn/new-legal-framework-on-personal-data-protection-in-vietnam-78691.html` or look at other sources. Let's try searching for the specifics of Vietnam PDPL cross-border transfer. Let's search for "Vietnam Law No. 91/2025/QH15 cross-border transfer" to see if there are other articles we can fetch or if the PDF from dpo-india.com can be fetched (wait, let's see if we can fetch it, actually it's a PDF, we might not be able to easily parse it, but let's see. Let's try a web search with more details). Let's search for: `Vietnam "91/2025/QH15" cross-border transfer` or `Vietnam "Decree 13" vs PDPL cross-border transfer`. Let's run a search.

This is incredible. Let's look at `https://fpf.org/blog/fpf-releases-updated-issue-brief-on-vietnams-law-on-protection-of-personal-data-and-the-law-on-data/` or the DLA Piper article `https://www.dlapiperdataprotection.com/?t=law&c=VN` or `https://en.siglaw.com.vn/cross-border-transfer-of-personal-data-under-vietnamese-law.html`. Let's try to fetch `https://fpf.org/blog/fpf-releases-updated-issue-brief-on-vietnams-law-on-protection-of-personal-data-and-the-law-on-data/` first. Let's see if we can read it.

This is extremely valuable! It highlights that: 1. Vietnam's Personal Data Protection Law (PDP Law, Law No. 91/2025/QH15) took effect on January 1, 2026. 2. An implementing decree, **Decree 356/2025/ND-CP**, was enacted on **December 31, 2025**, to implement the PDP Law. 3. Vietnam also enacted the **Law on Data** (Law No. 60/2025/QH15) which became effective in July 2025, governing digital data (both personal and non-personal). 4. The PDP Law continues to revolve around Transfer Impact Assessments (TIAs) for cross-border data transfers but provides more nuance and new exceptions, while doubling down on a state-supervised model for such transfers. Let's fetch `https://en.siglaw.com.vn/cross-border-transfer-of-personal-data-under-vietnamese-law.html` to get concrete details about the cross-border transfer rules and Decree 356/2025/ND-CP. Let's see if we can read it.

This is fantastic! We have: - Specific law title and number: **Law on Personal Data Protection No. 91/2025/QH15 (PDPL)**. - Specific implementing decree: **Decree No. 356/2025/ND-CP dated 31 December 2025** (Decree 356) which took effect on **January 1, 2026**. - Specific compliance requirement: The transferring party must prepare and submit a cross-border personal data transfer impact assessment (CTIA) dossier (specifically Article 18 of Decree 356), which includes an impact assessment report in accordance with **Form No. 09** (provided in the Appendix to Decree 356), copies of contracts/agreements, and data protection policies. - Submission deadline: The dossier must be submitted to the competent personal data protection authority (Ministry of Public Security - MPS) via the online system, in person, or by postal service **within 60 days** from the date the cross-border personal data transfer is carried out. (Though legal counsel advises completing it *before* initiating transfers). - Authority review: Competent authority will review the dossier and issue an assessment result within **15 days** from receipt of a complete and valid dossier. If incomplete or non-compliant, the authority may request supplementation within **30 days** before issuing a final decision. - Risks/suspension: If the transferred data is found to pose risks to national security or cybersecurity, the competent authority has the right to request a suspension of the data transfer. Let's do a search on Indonesia. The Siglaw article says: "In Indonesia, Law No. 27 of 2022 on Personal Data Protection regulates cross-border personal data transfers under Article 56... However, in practice, Indonesia adopts a more cautious approach through administrative control mechanisms and close supervision by state authorities, which may require enterprises to fulfill notification obligations or obtain regulatory approvals under implementing regulations." Let's see: what are the latest developments in Indonesia in 2025 and 2026? The Indonesian PDP Law (Law No. 27/2022) had a 2-year transition period ending in October 2024. In late 2024 or 2025/2026, did they issue the implementing government regulation (RPP PDP)? Did they establish the Data Protection Authority (Lembaga Penyelenggara Perlindungan Data Pribadi)? Let's search for: `Indonesia PDP Law implementing regulation 2025 2026` or `Indonesia RPP PDP 2025 2026` or `Indonesia Lembaga PDP 2026`. Let's search.

This is highly relevant! Let's examine the details: - DLA Piper's entry for Indonesia says: "The draft regulation is currently in the so-called “harmonization stage” at the Ministry of Law, which commenced in October 2025 and is ongoing..." Let's see what else they say. - Chambers and Partners 2026 Indonesia Trends says: "The Indonesian government has been working on the Draft Implementing Regulation for Law No 27 of 2022 on Personal Data Protection (“Draft GR PDP..."). Let's fetch this or search further to see if the Draft Government Regulation on PDP (RPP PDP) has been finalized or what its status is in 2026. - Lexology says: "despite the PDP Law taking full effect in October 2024, its enforcement remains limited due to the absence of the PDP Body..." - Cisometric says: "The Personal Data Protection Agency (Lembaga PDP) is still in the works and is expected to be operational by 2026 (Abhitech, 2025); No final..." Let's fetch `https://practiceguides.chambers.com/practice-guides/data-protection-privacy-2026/indonesia/trends-and-developments` to get concrete details about the status of Indonesia's PDP Law implementing regulations (Draft GR PDP) and the establishment of the PDP Body in 2026. Let's make a fetch call.

It seems that the firecrawl scrape failed again. No problem, let's look for other articles on Indonesia's Draft GR PDP or search more specifically. Let's search: `Indonesia "Draft GR PDP" 2026` or `Indonesia "implementing regulation" "PDP Law" 2026` or `Indonesia "harmonization stage" "Ministry of Law" 2025 2026`. Let's run a search.

Let's fetch `https://ssek.com/blog/data-protection-in-indonesia-a-brief-overview/` or `https://www.makarim.com/news/update-on-the-implementing-regulation-for-indonesia-s-personal-data-protection-law` to see what they say about the progress and status of the Draft GR on PDP. Let's try fetching Makarim & Taira S. Law Firm's update or SSEK Law Firm's blog. Let's try fetching `https://ssek.com/blog/data-protection-in-indonesia-a-brief-overview/` first.

This is very helpful and provides a highly practical perspective on Indonesia! Let's analyze the Indonesian situation: - The main framework is Law No. 27 of 2022 on Personal Data Protection (PDP Law). - The transition period technically expired in October 2024. However, the Draft Government Regulation on the Implementation of the PDP Law (Draft GR on PDP) is still being finalized (as of mid-to-late 2025/early 2026, it is in the "harmonization stage" at the Ministry of Law). - The Data Protection Authority (DPA) / Lembaga PDP is still not fully operational or established. - Because there is no DPA in place yet, the cross-border transfer requirements under Article 56 of the PDP Law (adequacy, binding safeguards, or consent) are "not yet fully in effect" or fully enforceable in their final form. - Instead, in practice, Electronic System Providers (ESPs) must notify the Ministry of Communication and Digital Affairs (MOCDA, formerly Kominfo) both *before* and *after* any cross-border data transfer. MOCDA provides an internal template for this notification letter. - In addition, under MOCDA Regulation No. 5 of 2020 and MOCDA Regulation No. 5 of 2025 (which is a new regulation in 2025!), ESPs in public and private sectors must register with MOCDA to get an ESP registration certificate. Let's do a search on other major APAC jurisdictions to see what else has developed in late 2025 or 2026. Let's search for: - South Korea PIPC cross-border transfer rules 2025 2026 - China CAC cross-border transfer rules 2025 2026 (such as the Greater Bay Area Standard Contractual Clauses or the relaxed CAC rules from March 2024, and any 2025/2026 updates) - Singapore PDPC cross-border transfer updates 2025 2026 - Japan APPI cross-border transfer updates 2025 2026 - India DPDP Rules 2025/2026 (the prior finding mentions: "India's Ministry of Electronics and Information Technology (MeitY) officially notified the final Digital Personal Data Protection Rules, 2025 (DPDP Rules) on November 13, 2025. This crucial..."). Let's check if there are any updates or enforcement actions in India in 2026. Let's search for "South Korea PIPC cross border transfer 2025 2026". South Korea's Personal Information Protection Commission (PIPC) passed major amendments to the PIPA in 2023, which took effect in stages, including new cross-border transfer mechanisms (such as certifications, treaties, or PIPC approval). Let's see what is happening in 2025 and 2026.

This is incredible! Let's check these results: - DLA Piper's entry for South Korea says: "Notably, on September 3, 2025, the PIPC formally recognized the EU's data protection standards as equivalent to Korea's. Consequently, personal..." - "In January 2025, the PIPC imposed one of its largest administrative sanctions to date in connection with cross-border data transfer..." Let's search for this case! - "Additionally, in August 2025, the PIPC imposed an administrative penalty of approximately KRW134.7billion and an administrative fine of KRW9..." Let's check what this massive fine was for! - "South Korea's PIPC flexes its muscles: What to know about AI model deletion, cross-border transfers and more" published June 4, 2025 by the IAPP. Let's fetch this. Let's fetch `https://iapp.org/news/a/south-korea-s-pipc-flexes-its-muscles-what-to-know-about-ai-model-deletion-cross-border-transfers-and-more`. This will be highly informative.

This is extremely rich! Let's fetch the rest of this page or search for details about the Kakao Pay / Alipay / Apple Pay case. Wait! The IAPP article is only partially fetched (it cut off after "A new playbook in three acts / Model deletion becomes real" because the page has more content, or let's search for "Kakao Pay Alipay PIPC cross-border transfer" or "South Korea PIPC Kakao Pay Alipay"). Let's search.

This is incredibly rich and detailed. Let's fetch the PIPC Press Release PDF or read other sources to get exact quotes and details. Let's look at `https://www.pipc.go.kr/eng/user/ltn/new/noticeDetail.do?bbsId=BBSMSTR_000000000001&nttId=2772` or fetch the dpo-india.com PDF if it can be searched, or we can fetch `https://mjtsai.com/blog/2026/02/02/apple-and-kakao-pay-fined-over-privacy/` or do a web search for the PIPC press release text. Let's search for: `"The PIPC Sanctions Kakao Pay and Apple for Unlawful Cross-Border"`. Let's search.

Let's search for some of the text inside the PDF by doing a web search for: `"Kakao Pay" "Alipay" "Apple" PIPC "correction order" OR "fines" 2025` to see if we can get the text of the press release. Let's do that.

We have some excellent details here. Let's look at the details of the Kakao Pay / Apple / Alipay case: - On **January 23, 2025**, the PIPC fined Kakao Pay and Apple a combined **KRW 8.37 billion** (about $5.8 million) for unauthorized overseas data transfers. - Specifically, Kakao Pay was fined **KRW 5.97 billion** and Apple was fined **KRW 2.4 billion**. - The case centered around Apple's App Store payment system, where Apple used Alipay as an intermediary to process payments and calculate "NSF (Non-Sufficient Funds)" scores. - Kakao Pay sent the personal data of approximately 40 million users (including both Apple and Android users, even those who had never registered Kakao Pay as a payment method on an Apple device) to Alipay without user notice or consent, and without establishing proper cross-border transfer mechanisms. - The PIPC found that Apple did not disclose Alipay as an overseas trustee (or subcontractor) for processing personal information. - Crucially, the PIPC issued a **correction order to Alipay** to **delete the algorithm/AI model** (specifically the "NSF scores" and the data model built on this unlawfully transferred data). This represents a major global precedent of "model deletion" or "algorithmic disgorgement" as an enforcement remedy for unlawful cross-border data transfer! Let's do a search on other major PIPC enforcement actions or updates in 2025/2026, such as: - The August 2025 fine of KRW 134.7 billion. Let's search for "South Korea PIPC fine August 2025 KRW 134.7 billion" or "South Korea PIPC KRW 134.7 billion". Let's run a search.

Ah! The web search budget is exhausted. No problem! We have gathered a massive amount of very high-quality, concrete, current evidence from our successful search queries. Let's list the key areas we have uncovered and confirm we have enough details to write highly authoritative, evidence-backed findings: 1. **Malaysia's Sweeping PDPA Reforms and the New Cross-Border Transfer Guidelines (April 2025 - June 2025):** - The Personal Data Protection (Amendment) Act 2024 was implemented in stages from January to June 2025. - It replaces "data user" with "data controller," introduces direct liability for data processors (Security Principle), increases maximum fines to RM 1,000,000, mandates Data Protection Officers (DPOs), establishes mandatory data breach notification (within 3 days or "as soon as practicable" and without delay to individuals if significant harm), and introduces data portability. - Crucially, it removes the old "White List" approach and replaces it with a risk-based cross-border transfer regime under Section 129. - The Personal Data Protection Commissioner of Malaysia released the **Guidelines on Cross Border Personal Data Transfer (CBPDT Guidelines)** on **April 29, 2025**. - Under the guidelines, transfers are allowed based on: 1. *Similar Law or Adequate Protection:* Requires a Transfer Impact Assessment (TIA), valid for up to 3 years. 2. *Consent:* Explicit written/recorded consent. 3. *Contractual Necessity or Vital Interests.* 4. *Legal Purposes.* 5. *Reasonable Precautions and Due Diligence:* Evidenced by Binding Corporate Rules (BCRs), Contractual Clauses (e.g., ASEAN Model Clauses or GDPR SCCs), or Certifications (APEC CBPR, Europrivacy). 2. **Vietnam's Landmark Personal Data Protection Law (PDPL) and Implementing Decree 356 (Effective January 1, 2026):** - Vietnam's Personal Data Protection Law (Law No. 91/2025/QH15 - PDPL) was passed on June 26, 2025, and took effect on **January 1, 2026**. - It was accompanied by **Decree No. 356/2025/ND-CP (Decree 356)**, enacted on **December 31, 2025**, providing detailed implementation measures. - Vietnam also enacted the **Law on Data (Law No. 60/2025/QH15)**, which took effect in **July 2025**, regulating digital data (personal and non-personal) and creating a state-supervised model. - For cross-border data transfers, the transferring party must prepare and submit a **Cross-Border Transfer Impact Assessment (CTIA) dossier** under Article 18 of Decree 356. - The dossier must include: - An impact assessment report following **Form No. 09** (Appendix to Decree 356). - Copies of contracts/agreements on cross-border transfer establishing responsibilities. - Internal data protection policies and procedures. - The dossier must be submitted to the competent authority (Ministry of Public Security - MPS) **within 60 days** from the date the initial transfer is carried out (though counsel advises doing it before). - The authority reviews the dossier within **15 days** of receiving a complete/valid dossier. - Competent authorities can suspend transfers if they find risks to national security or cybersecurity. 3. **South Korea's PIPC Muscular Enforcement and Algorithmic Disgorgement (January 2025):** - On **January 23, 2025**, the Personal Information Protection Commission (PIPC) issued a landmark decision, fining Kakao Pay and Apple a combined **KRW 8.37 billion** (about $5.8 million) for unauthorized overseas data transfers. Kakao Pay was fined KRW 5.97 billion and Apple was fined KRW 2.44 billion. - Kakao Pay had sent personal data of approximately 40 million users to Alipay (including non-Apple users) without user consent or establishing proper transfer mechanisms, to calculate "NSF (Non-Sufficient Funds)" scores for Apple's App Store payment system. Apple failed to disclose Alipay as an overseas trustee/subcontractor. - Crucially, the PIPC issued a **correction order to Alipay** to **delete the algorithm/AI model** (the "NSF scores" and the data model built on this unlawfully transferred data). This represents a major global precedent of "model deletion" or "algorithmic disgorgement" for cross-border data transfer violations. - In addition, on **September 3, 2025**, the PIPC formally recognized the EU's data protection standards as equivalent to South Korea's, facilitating mutual recognition and smoother cross-border data flows. 4. **Indonesia's PDP Law Implementation and Transitional Realities (2025 - 2026):** - Indonesia's Personal Data Protection Law (Law No. 27/2022 - PDP Law) transitioned to full effect in October 2024. - However, the Draft Government Regulation on the Implementation of the PDP Law (Draft GR on PDP / RPP PDP) is still in the "harmonization stage" at the Ministry of Law (as of late 2025/early 2026). - The formal Data Protection Authority (DPA / Lembaga PDP) is still in the works and not yet fully operational. - Because the DPA is not yet established, the formal cross-border transfer requirements under Article 56 (adequacy, binding safeguards, consent) are not yet fully operational in their final form. - In practice, Electronic System Providers (ESPs) must notify the Ministry of Communication and Digital Affairs (MOCDA, formerly Kominfo) both *before* and *after* any cross-border data transfer, using MOCDA's internal template. - ESPs are also subject to registration requirements under MOCDA Regulation No. 5 of 2020 and the new **MOCDA Regulation No. 5 of 2025** to obtain an ESP registration certificate. Let's double-check the existing findings to see which ones we should update or refine: - "OECD Digital Trade Review Maps ASEAN Cross-Border Data Flow Regulation (May 2026) (slug: oecd-asean-data-flow-landscape-2026)" - "Australia Privacy Act Reform: Tranche 2 AML/CTF Rollout, Children's Privacy Code, and Broader Statutory Reforms (slug: australia-privacy-reform-data-residency-2026)" - "ASEAN DEFA: Indonesia Urges Completion in 2026, Negotiations at ~20 Rounds (slug: asean-defa-2026-completion-negotiations)" - "India DPDP Act: Final Rules Notified and 18-Month Phased Compliance Roadmap (slug: india-dpdp-law-to-code-cloud-localization-2026)" - "Vietnam Enacts Landmark Personal Data Protection Law (PDPL): Revenue-Based Fines and Stricter Cross-Border Transfer Cont… (slug: vietnam-pdp-law-enactment-2026)" We should update the Vietnam finding to reflect the latest details of the PDPL taking effect on **January 1, 2026**, the enactment of **Decree No. 356/2025/ND-CP** on **December 31, 2025**, and the specific **Form No. 09 / CTIA dossier** requirements and submission deadlines. We will reuse the slug `vietnam-pdp-law-enactment-2026`. We should write new findings for: 1. **Malaysia's New Cross-Border Guidelines & PDPA Amendments (April - June 2025):** Slug: `malaysia-pdpa-amendments-cross-border-guidelines-2025`. 2. **South Korea's PIPC Kakao Pay/Alipay Enforcement & Algorithmic Disgorgement (January 2025):** Slug: `south-korea-pipc-kakao-pay-alipay-enforcement-2025`. 3. **Indonesia's PDP Law Implementing Regulations & Notification Realities (2025-2026):** Slug: `indonesia-pdp-law-compliance-transitional-realities-2026`. Let's write these findings carefully, following all guidelines. Each finding must have a clear title as the first heading, use the correct slug, cite the exact source(s) with links, and contain 1-2 representative verbatim quotes. Let's prepare the bodies for the notes. ### Finding 1: Malaysia's PDPA Amendments and Cross-Border Personal Data Transfer Guidelines We will write a finding for Malaysia. Slug: `malaysia-pdpa-amendments-cross-border-guidelines-2025` Let's draft the body: - Title: Malaysia Implements Major PDPA Overhaul and Launches Risk-Based Cross-Border Transfer Guidelines - Quotes: "Malaysia’s data protection landscape has recently undergone a profound transformation, with the phased implementation of the Personal Data Protection (Amendment) Act 2024 (“ PDPA Amendment”) and the official launch of the Guidelines for Cross Border Personal Data Transfer (“ CBPDT Guidelines”)." "The Amendment removes the previous “whitelist” approach to cross-border transfers (requiring recommendation by the Commissioner and approval by the Minister), replacing it with a risk-based framework that allows transfers to jurisdictions with substantially similar laws or adequate protection, or under specified exceptions." - Source: - [From Legislative Reform to Practical Guidance: Key Amendments to Malaysia’s PDPA and the Launch of Cross-Border Transfer Guidelines](https://www.mayerbrown.com/en/insights/publications/2025/07/from-legislative-reform-to-practical-guidance-key-amendments-to-malaysias-pdpa-and-the-launch-of-cross-border-transfer-guidelines) — Mayer Brown insights on Malaysia's PDPA amendments and CBPDT Guidelines. Let's call `write_note` for Malaysia.

Now I will write a finding for South Korea's PIPC enforcement action and the landmark "model deletion" (algorithmic disgorgement) remedy. Slug: `south-korea-pipc-kakao-pay-alipay-enforcement-2025` Let's draft the body: - Title: South Korea PIPC Pioneer "Model Deletion" Remedy in Landmark Kakao Pay/Alipay Cross-Border Enforcement Action - Quotes: "The 2021 Scatter Lab case confirmed the Personal Information Protection Act's reach into AI training data, but the January 2025 Kakao Pay decision brought teeth. After finding the wallet provider sent 40 million users' data to Alipay, which in turn built "NSF scores" for Apple Pay without notice or consent, the PIPC not only levied KRW8.3 billion in fines — it ordered Alipay to erase the algorithm itself." "Apple faced a 2.4 billion won penalty for disclosure failures. But it's the order to Alipay that breaks new ground — the company must destroy the algorithm/AI model." - Sources: - [South Korea's PIPC flexes its muscles: What to know about AI model deletion, cross-border transfers and more](https://iapp.org/news/a/south-korea-s-pipc-flexes-its-muscles-what-to-know-about-ai-model-deletion-cross-border-transfers-and-more) — IAPP article on South Korea's PIPC Kakao Pay decision and algorithmic erasure. - [Personal Information Protection Commission fined Kakao Pay, Apple, and Alipay for unauthorised overseas data transfers](https://digitalpolicyalert.org/event/26224-personal-information-protection-commission-fined-kakao-pay-apple-and-alipay-for-unauthorised-overseas-data-transfers) — Digital Policy Alert on the combined KRW 8.37 billion administrative fine. Let's call `write_note` for South Korea.

Now I will write the finding for Indonesia. Slug: `indonesia-pdp-law-compliance-transitional-realities-2026` Let's draft the body: - Title: Indonesia's PDP Law Compliance Realities: Delayed Implementing Regulations and Interim Transfer Procedures - Quotes: "The above requirements are not yet fully in effect, mainly because there is no Data Protection Authority ( DPA ) in place. For now, in cases of cross-border data transfers involving electronic systems, ESPs must notify the MOCDA both before and after the transfer. The MOCDA has provided an internal template for the notification letter to help guide the process." "Following the enactment of the PDP Law, the Indonesian Government, through the Ministry of Communication and Digital Affairs (formerly the Ministry of Communication and Information) ( MOCDA ) and the National Cyber and Crypto Agency ( Badan Siber dan Sandi Negara or BSSN ), is drafting several new regulations addressing data protection, privacy, and the broader cybersecurity landscape." - Sources: - [Data Protection in Indonesia: A Brief Overview - SSEK Law Firm](https://ssek.com/blog/data-protection-in-indonesia-a-brief-overview/) — Detailed brief on the current state of Indonesia's PDP Law, implementing regulations (Draft GR on PDP), and the interim cross-border transfer notification process. - [Data protection laws in Indonesia - DLA Piper](https://www.dlapiperdataprotection.com/?t=law&c=ID) — Notes that the Draft Government Regulation on the Implementation of the PDP Law is in the "harmonization stage" at the Ministry of Law. Let's call `write_note` for Indonesia.

Now I will update the Vietnam finding (`vietnam-pdp-law-enactment-2026`). Let's see what the previous finding was about: "Vietnam Enacts Landmark Personal Data Protection Law (PDPL): Revenue-Based Fines and Stricter Cross-Border Transfer Cont… (slug: vietnam-pdp-law-enactment-2026, score 0.53): On June 26, 2025, Vietnam officially enacted Law No. 91/2025/QH15 on Personal Data Protection (PDPL), which entered into force on January 1, 2026. This landmark legislation elevates Vietnam's…" Let's refine it with the new details we have gathered: - Title: Vietnam's Personal Data Protection Law (PDPL) Takes Effect Alongside Implementing Decree 356 and Strict CTIA Dossier Mandates - Key details to add: - The PDPL (Law No. 91/2025/QH15) took effect on **January 1, 2026**. - On **December 31, 2025**, Vietnam enacted **Decree No. 356/2025/ND-CP (Decree 356)**, which details the implementation measures of the PDPL. - Vietnam also enacted the **Law on Data (Law No. 60/2025/QH15)**, which took effect in **July 2025**, establishing a state-supervised data governance framework for both personal and non-personal digital data. - Under Article 18 of Decree 356, any cross-border transfer of personal data requires the transferring party to prepare and submit a **Cross-Border Transfer Impact Assessment (CTIA) dossier**. - The CTIA dossier must include: - An impact assessment report following **Form No. 09** (Appendix to Decree 356). - Copies of transfer contracts/agreements defining roles and responsibilities. - Internal data protection policies and procedures. - The dossier must be submitted to the competent personal data protection authority (Ministry of Public Security - MPS) via online, in person, or postal channels **within 60 days** of carrying out the first transfer (though counsel recommends completing it beforehand). - The authority reviews the dossier within **15 days** of receiving a complete/valid dossier, and can request updates/supplementation within **30 days**. - National Security & Cybersecurity: The competent authority has the power to suspend data transfers if they pose a risk to national security or cybersecurity. Let's write this updated note.

This is remarkable! We have written three highly substantive, evidence-backed findings and updated an existing one with precise regulatory details for 2025/2026. Let's review what we've accomplished in this cycle: 1. Updated `vietnam-pdp-law-enactment-2026` with details of Vietnam's PDPL taking effect on January 1, 2026, implementing Decree 356/2025/ND-CP, and the 60-day CTIA dossier (Form No. 09) submission requirements. 2. Created `malaysia-pdpa-amendments-cross-border-guidelines-2025` covering Malaysia's PDPA Amendment Act 2024 and the new Cross Border Personal Data Transfer Guidelines issued on April 29, 2025. 3. Created `south-korea-pipc-kakao-pay-alipay-enforcement-2025` covering South Korea's landmark PIPC Kakao Pay/Alipay enforcement action (January 2025) which established the "model deletion" (algorithmic disgorgement) remedy, as well as South Korea's mutual recognition of EU standards in September 2025. 4. Created `indonesia-pdp-law-compliance-transitional-realities-2026` covering Indonesia's delayed Draft GR on PDP (currently in harmonization as of early 2026), the absence of a fully operational DPA, and the interim pre- and post-transfer notification procedures to MOCDA. Let's check if there are any open threads or if we need to record a new thread. We should record a thread for tracking the finalization of Indonesia's Draft GR on PDP and the operational establishment of its DPA (Lembaga PDP), as this will trigger the full enforcement of Indonesia's formal cross-border transfer requirements (adequacy, binding safeguards, and consent) under Article 56 of the PDP Law. Let's call `record_thread` to establish this open question for future cycles.

Ah! The thread kind "research" is invalid. Let's see what kinds are valid or try a different kind, such as "research_question" or "follow_up". Let's check what kinds of threads are supported. Usually, the kinds are "tracking", "question", or similar. Let's try "question". Let's search or use a simple kind like "question" or "tracking". Let's call with kind "question".

Excellent! The thread was successfully recorded with ID `019e5e2c-a586-7de0-be3c-c157550e063b` and kind "question". Let's double-check if we need to resolve any threads. Since `list_threads` returned an empty list of open threads at the start of our cycle, there are no existing threads to resolve. Let's call `finish_cycle` to complete this research cycle. This is the only way to complete a cycle. We will pass no parameters since we have written findings.

Completed a comprehensive research cycle on APAC cross-border data transfers and residency requirements, updating 1 existing finding for Vietnam and creating 3 new findings for Malaysia, South Korea, and Indonesia, with 1 open tracking thread recorded for Indonesia. Notes and threads are fully updated and listed below.