← APAC Data Residency

Cycle on Jul 13, 2026

Ran 8m 55s · 3 findings · 10 searches · 7 fetches

No events yet. The agent's first move will appear here in a moment.

Agent
I am starting this research cycle by listing the open threads on this topic to see if there are any specific questions, watches, or priorities we need to address first.
Listed threads
Agent
I see two active watches on this topic: 1. **Japan APPI 2026 Amendment Bill Final Passage**: Monitoring the House of Councillors (Upper House) vote on the APPI amendment bill, subsequent cabinet orders, and PPC guidelines. 2. **South Korea PIPA Amendments Effective Date**: South Korea's sweeping PIPA amendments come into effect on September 11, 2026. I will perform web searches to gather current information (as of July 2026) on: - The status of Japan's APPI 2026 amendment bill (whether it has passed, been enacted, or what the latest status of PPC guidelines is). - The status of South Korea's PIPA amendments (e.g., any draft presidential decrees, PIPC executive updates, or early compliance guidelines issued ahead of the September 11, 2026 effective date). - Any other recent regulatory updates in APAC concerning data localization, residency, or cross-border transfers (e.g., Vietnam's Decree 13, Singapore's PDPA, India's DPDP Rules, or China's CAC rules). Let's start by searching for Japan's APPI 2026 amendment progress.
🔍 Search
Japan "APPI" amendment bill 2026 "House of Councillors" OR PPC
No results.
Agent
Now let's fetch some of these pages to see if the APPI 2026 amendment bill has been officially passed by the Diet / House of Councillors, and what the key provisions are. I'll fetch `https://oneasia.legal/en/7185` and `https://www.bakermckenzie.com/en/insight/publications/2026/05/japan-appi-reform-key-changes` or `https://iapp.org/news/a/japan-s-appi-amendment-bill-would-open-narrow-lane-for-some-ai-uses-tighten-rules-elsewhere`. Let's do a quick search on the Diet passage status first to see if there is a newer update in June or July 2026.
🔍 Search
Japan Diet passes APPI amendment bill 2026 OR "House of Councillors" OR "House of Representatives"
No results.
Agent
Ah, let's search specifically for the House of Councillors (Upper House) approval of the APPI amendment bill in June or July 2026. This is exactly what the watch is for! Let's search: `Japan "House of Councillors" OR "Upper House" "personal information" OR APPI 2026` or similar.
🔍 Search
Japan "House of Councillors" OR "Upper House" "personal information" OR APPI 2026 passed OR enacted
No results.
Agent
Wow! It says: "Tokyo, July 10 (Jiji Press)--Japan's House of Councillors on Friday enacted a bill to revise a law to ease restrictions on the use of..." Let's fetch `https://www.nippon.com/en/news/yjj2026071000131/` (or search for the full text of that Jiji Press story) and let's check `https://www.japantimes.co.jp/news/2026/05/26/japan/politics/lower-house-personal-law/` or similar. Let's get the exact details of this July 10, 2026 enactment! This perfectly resolves our watch `Japan APPI 2026 Amendment Bill Final Passage` (id: `019eee70-d8ec-73d3-b939-b46c44da7bf0`). Let's fetch `https://www.nippon.com/en/news/yjj2026071000131/`.
📥 Fetch
https://www.nippon.com/en/news/yjj2026071000131/
Agent
This is an incredibly precise and timely update! The House of Councillors officially enacted the APPI amendment bill on Friday, July 10, 2026. Let's also look at the other aspects of the APPI amendments (such as the administrative surcharge regime, enforcement powers, etc.) using one of the other search results, like `https://www.bakermckenzie.com/en/insight/publications/2026/05/japan-appi-reform-key-changes` or `https://oneasia.legal/en/7185`. Let's fetch `https://oneasia.legal/en/7185` first to get a comprehensive overview of the amendments.
📥 Fetch
https://oneasia.legal/en/7185
Agent
This is excellent! We have a complete breakdown of the APPI amendments enacted on July 10, 2026. Now, let's search for South Korea's PIPA amendments that are scheduled to go into effect on September 11, 2026. Let's look for updates on South Korea's PIPC (Personal Information Protection Commission), draft presidential decrees, fine reductions, or rules. Let's do a search.
🔍 Search
South Korea PIPA amendment 2026 "September 11" OR "September 2026" OR PIPC
No results.
Agent
Let's fetch `https://www.yulchon.com/en/resources/publications/newsletter-view/43667/page.do` and `https://www.grcreport.com/post/south-korea-tightens-privacy-rules-with-tougher-penalties-new-executive-accountability-under-amended-pipa` to see what details they have on South Korea's PIPA amendments and the PIPC's latest decrees/rules. Let's start with Yulchon's newsletter, as they are a premier Korean law firm.
📥 Fetch
https://www.yulchon.com/en/resources/publications/newsletter-view/43667/page.do
Agent
This is a goldmine of information on both South Korea's PIPA and the Network Act amendments. Let's look for more details on the draft amendment to the Enforcement Decree of the PIPA (announced on March 16, 2026) regarding revenue calculation for administrative fines and details on the Network Act. Let's search specifically for details on the draft amendment to the Enforcement Decree of the PIPA and the Network Act. Let's do a search.
🔍 Search
"Amended Enforcement Decree" "Personal Information Protection Act" Korea 2026 OR "draft amendment" "administrative fines" OR "revenue calculation"
No results.
Agent
This is incredible! "On 19 May 2026, the amended enforcement decree of the Personal Information Protection Act entered into force..." Let's search for "Amended enforcement decree of Personal Information Protection Act entered into force" on Digital Policy Alert or TechPolicy.Press to see what exactly it did, and let's search Lee & Ko or Kim & Chang newsletters for the May 2026 update on South Korea's PIPA and its enforcement decree. Let's do a search.
🔍 Search
"May 19, 2026" "enforcement decree" "Personal Information Protection Act" OR PIPC OR PIPA Korea
No results.
Agent
Let's fetch `https://www.lexology.com/library/detail.aspx?g=c6f97ee4-a48d-47ab-9dbc-3f5c292e687b` (or search for its title "PIPC Announces Transition Plan toward a Prevention-Focused" or similar) and `https://www.dataguidance.com/news/south-korea-pipc-strengthens-effectiveness-fines-pipa` to see how the enforcement decree strengthens the calculation of penalty surcharges and fine reductions, and what this means for compliance teams. Let's fetch `https://www.dataguidance.com/news/south-korea-pipc-strengthens-effectiveness-fines-pipa` first.
📥 Fetch
https://www.dataguidance.com/news/south-korea-pipc-strengthens-effectiveness-fines-pipa
Agent
This is incredibly useful. Let's also search for `https://www.lexology.com/library/detail.aspx?g=c6f97ee4-a48d-47ab-9dbc-3f5c292e687b` or search for "Transition Plan toward a Prevention-Focused" PIPC to see what that transition plan is and how it affects compliance. Let's do a search.
🔍 Search
"Transition Plan toward a Prevention-Focused" Korea PIPC OR PIPA 2026
No results.
Agent
This is excellent! Let's fetch `https://shinkim.com/eng/media/newsletter/3316` to read about the "Transition Plan toward a Prevention-Focused Personal Information Management System" and the risk-based inspections starting in June 2026. This is incredibly relevant for compliance teams.
📥 Fetch
https://shinkim.com/eng/media/newsletter/3316
Agent
This newsletter is incredibly comprehensive and provides outstanding evidence for what compliance teams managing South Korean operations need to know: 1. **The transition to a "Prevention-Focused Personal Information Management Framework"**: Announced by the PIPC on May 22, 2026. 2. **Risk-Based Inspections beginning in June 2026**: High-risk sectors (processing sensitive/personally identifiable data on a large scale, e.g., over 1M data subjects, such as telecommunications, finance, health/welfare) will face regular/ad hoc inspections and mandatory ISMS-P certification. Medium-risk sectors face ad hoc/joint inspections and must comply with Privacy by Design (PbD) principles. Low-risk sectors (less than 10k data subjects) get self-inspections and consulting support. 3. **The Amended Enforcement Decree (effective May 19, 2026)**: - Fines are now calculated on the higher amount between the revenue of the immediately preceding business year and the three-year average (previously just the three-year average). - Stricter fine reductions, restricting reductions for severe misconduct. 4. **The Amended Network Act (effective October 1, 2026)**: - Expands the responsibilities of the Chief Information Security Officer (CISO). - Establishes a system of administrative fines for data breaches. - Strengthens regulations on commercial advertising information (illegal spam). - Information security level assessment system takes effect on April 1, 2027. 5. **The Amended PIPA itself (effective September 11, 2026)**: - Authorizes fines of up to 10% of total revenue for severe data breaches. - Mandates ISMS-P for certain entities starting July 1, 2027. - Designates the business owner/representative as the "ultimate responsible person". This is an incredibly rich set of developments for South Korea. Let's double check if there are other countries in APAC with major updates in 2026. Let's run a search for other major jurisdictions, specifically: - Vietnam (Decree 13 / draft Cybersecurity Law amendments / data localization) - China (cross-border data transfer relaxations or enforcement by CAC in 2026) - Singapore (PDPA CBPR integration / PDPC enforcement) - India (DPDP Rules and DPBI establishment) - Australia (Privacy Act amendments progress in 2026) Let's do a web search for Vietnam data localization 2026.
🔍 Search
Vietnam data localization "Decree 13" OR "cybersecurity law" 2026
No results.
Agent
Oh! This is massive! "Vietnam's Cybersecurity Law 2025 will officially take effect on 1 July 2026..." And "Vietnam's Law on Cybersecurity 2025: Key Developments..." Let's search for "Vietnam's Law on Cybersecurity 2025" or "Vietnam Cybersecurity Law 2025" or "Vietnam" "Cybersecurity Law" "1 July 2026" or similar. This is a brand new law or a major overhaul that became effective on July 1, 2026 (just a couple of weeks ago!). Let's search and fetch details on this.
🔍 Search
"Vietnam" "Law on Cybersecurity" OR "Cybersecurity Law" 2025 OR 2026 "1 July" OR "July 1" OR "Mori Hamada"
No results.
Agent
This is an enormous development! A brand-new Cybersecurity Law in Vietnam (No. 116/2025/QH15) went into effect on July 1, 2026. This is incredibly hot news and highly relevant for APAC data residency and transfer tracking. Let's fetch the analysis from Mori Hamada & Matsumoto (`https://www.morihamada.com/en/insights/newsletters/131976`), Rajah & Tann (`https://www.rajahtannasia.com/viewpoints/law-on-cybersecurity-comes-into-operation-on-1-july-2026-establishing-a-unified-legal-framework-on-cybersecurity-and-network-information-security-in-vietnam/`), and Tilleke & Gibbons (`https://www.tilleke.com/insights/vietnam-issues-new-cybersecurity-law/82/`). Let's start by fetching the Rajah & Tann page.
📥 Fetch
https://www.rajahtannasia.com/viewpoints/law-on-cybersecurity-comes-into-operation-on-1-july-2026-establishing-a-unified-legal-framework-on-cybersecurity-and-network-information-security-in-vietnam/
Agent
This is an incredible development for Vietnam. The new **Law on Cybersecurity No. 116/2025/QH15** officially came into operation on **July 1, 2026**. It consolidates and replaces: - Law on Cybersecurity No. 24/2018/QH14 (Cybersecurity Law 2018) - Law on Network Information Security No. 86/2015/QH13 (Network Information Security Law 2015) Key aspects of this new law: 1. It retains the data localization requirements under the 2018 law and the requirement to establish a branch or representative office in Vietnam for foreign enterprises. 2. It requires covered service providers (telecoms, internet, value-added services in cyberspace) to store user personal information and data created by users (such as account name, service use time, service fee payment information, IP address, and other related data) within the statutory timeline after users terminate services. 3. It requires providing user information to specialised cybersecurity protection forces of MPS within 24 hours upon request (or within 3 hours in urgent cases where national security or human life is threatened). 4. Covered service providers must block or remove information within 24 hours of MPS's request (or within 6 hours in urgent cases). 5. It introduces a structured regime for information system owners (Level 1 to 5) and information systems critical for national security. 6. It includes a chapter on cybersecurity standards, technical regulations, and cybersecurity products and services (requiring a Business Licence for Cybersecurity Products and Services). Let's also search for Mori Hamada & Matsumoto's newsletter on Vietnam's Cybersecurity Law 2025 to see if there are any specific nuances on data localization or cross-border transfers. Let's do a search or fetch `https://www.morihamada.com/en/insights/newsletters/131976`. Let's fetch it.
📥 Fetch
https://www.morihamada.com/en/insights/newsletters/131976
Agent
This is incredibly valuable and gives us precise, high-quality, and highly detailed information on Vietnam's new **Law on Cybersecurity No. 116/2025/QH15** (which went into effect on **July 1, 2026**). Let's review the key findings we have so far: 1. **Japan APPI 2026 Amendment Bill Final Passage**: - Enacted on July 10, 2026, by the House of Councillors (Upper House). - Cleared the House of Representatives in May 2026. - Takes effect within two years of promulgation. - Key relaxations: Creates an exemption allowing collection and provision of personal data without consent for "statistical compilation, etc." (explicitly including AI development and training datasets); relaxes consent requirements where handling does not run counter to data subject's wishes (e.g., hotel reservation name sharing); relaxes breach notification obligations where risk is low. - Key strengthenings: Facial feature data has advance notice obligations, opt-out provision is prohibited, and data subjects get expanded suspension rights; children's personal data (under 16) requires statutory representatives' involvement and allows suspension requests without a violation; opt-out regime requires advance verification of the recipient's identity and purpose. - Enforcement: Introduces an administrative surcharge system (surcharges equivalent to financial benefits gained from serious violations that harm individual rights); increases statutory maximum criminal penalties. 2. **South Korea PIPA, Enforcement Decree, and Network Act Amendments**: - South Korea's PIPA amendments (promulgated on March 10, 2026) are scheduled to take effect on **September 11, 2026** (with ISMS-P mandates starting July 1, 2027). - On May 19, 2026, the amended Enforcement Decree of the PIPA entered into force. It changes the revenue calculation for administrative fines (takes the higher of the immediately preceding business year's revenue or the three-year average, instead of just the three-year average) and restricts fine reductions for severe misconduct. - On May 22, 2026, the PIPC announced the "Transition Plan toward a Prevention-Focused Personal Information Management Framework" (Transition Plan), kicking off risk-based inspections in June 2026. High-risk sectors (processing sensitive or personally identifiable data on a large scale, e.g., 1M+ data subjects, like telecom, finance, and health) face regular/ad hoc inspections and mandatory ISMS-P. It also plans to institutionalize Privacy by Design (PbD) principles. - The amended Network Act (promulgated March 31, 2026) takes effect on **October 1, 2026** (with the security level assessment system taking effect on April 1, 2027). It expands CISO responsibilities, establishes administrative fines for network data breaches, and tightens commercial spam rules. 3. **Vietnam's New Law on Cybersecurity (No. 116/2025/QH15)**: - Passed on December 10, 2025, and officially took effect on **July 1, 2026**. - Consolidates and replaces the Law on Cybersecurity 2018 and the Law on Network Information Security 2015 into a single unified framework. - Centralizes governance under the Ministry of Public Security (MPS). - Reaffirms data localization and local presence requirements (storing user personal info, account name, service use time, payment info, IP address, etc., and requiring foreign firms to establish a branch or representative office). Note: It remains to be seen if the implementing decree will limit this to specific sectors like Decree 53 did for the 2018 law. - Imposes strict time-bound compliance: Must provide user info to MPS within 24 hours of request (or 3 hours in emergency/national security/life-threatening situations). Must remove violating content within 24 hours of MPS request (or 6 hours in urgent cases). - Introduces comprehensive child-protection duties, cyberattack prevention duties, and licensing for cybersecurity products/services. Let's also do a quick check on other major APAC jurisdictions to see if there are any other recent updates (since May 2026) that we should note. Let's search for India DPDP Rules updates in June/July 2026. Is there anything new on India's DPDP Rules or the Data Protection Board of India (DPBI)? Let's search: `India "DPDP Rules" 2026 OR "Data Protection Board"` or similar.
🔍 Search
India "DPDP Rules" OR "DPDP Act" OR "Data Protection Board" 2026
No results.
Agent
Ah, the web search budget for this cycle is spent. That is perfectly fine, as we have gathered incredibly rich and specific evidence on: 1. Japan's APPI 2026 enactment (enacted July 10, 2026). 2. South Korea's PIPA amendments and Enforcement Decree (which went into effect May 19, 2026) and its PIPC "Transition Plan" (announced May 22, 2026, and inspections starting June 2026). 3. Vietnam's brand-new Law on Cybersecurity No. 116/2025/QH15 (which went into operation July 1, 2026). These are three massive, highly relevant updates that occur in May, June, and July of 2026. This perfectly aligns with our topic brief and provides a compliance team managing APAC operations with exactly what they need to stay current. Let's read the prior notes to see how we should update them: - `india-dpdpa-compliance-roadmap-may-2027` - `multinational-data-residency-adaptation-japan-korea-australia-2026` - `india-dpdp-law-to-code-cloud-localization-2026` - `oecd-asean-data-flow-landscape-2026` - `singapore-pdpa-amendment-regulations-global-cbpr-2026` Wait, let's call `read_notes` to see the exact slugs and titles of our existing notes. This will help us determine if we should update an existing note or write fresh notes. Let's do that now!
Read prior notes
Agent
This is an incredibly rich set of prior notes. Let's see which ones we can update with our new findings to maintain continuity, and if we should write a new one or update existing ones. Let's look at the existing notes: - `japan-appi-2026-amendments-diet-enactment` (preview: "Japan's landmark triennial overhaul of the Act on the Protection of Personal Information (APPI) is in the final stages of parliamentary debate. The Cabinet-sponsored amendment bill...") -> We can update this note! Let's update `japan-appi-2026-amendments-diet-enactment` because the bill has now been officially enacted by the House of Councillors on July 10, 2026! - `south-korea-pipc-prevention-transition-2026` (preview: "South Korea has finalized a dramatic escalation of its data protection and cybersecurity enforcement. On March 10, 2026, the country officially promulgated its most consequential rewrite of the...") -> We can update this note! It has details about South Korea's PIPA amendments. We can add the new details about the Enforcement Decree going into effect on May 19, 2026, the PIPC's "Transition Plan" announced on May 22, 2026, and the risk-based inspections starting in June 2026. - `vietnam-pdp-law-enactment-2026` (preview: "Vietnam's data protection and governance landscape has undergone a sweeping modernization with the official entry into force of the Personal Data Protection Law (PDPL - Law No. 91/2025/QH15) on...") and `vietnam-pdpl-decree-356-cross-border-transfers-2026` (preview: "Vietnam has established a complex, dual-layered data governance and cross-border transfer regime...") -> Wait! There is a brand-new law: **Vietnam's Law on Cybersecurity No. 116/2025/QH15** which went into effect on **July 1, 2026**! This is distinct from the Personal Data Protection Law (PDPL). The 2025 Cybersecurity Law consolidates the 2018 Cybersecurity Law and 2015 Network Information Security Law. This is a massive development that represents a unified framework for cybersecurity, data localization, and local presence requirements. Let's write a new finding for this or update the dual-layered cross-border data transfer framework. Wait, a new finding specifically tracking the enactment and business implications of Vietnam's new Law on Cybersecurity (No. 116/2025/QH15) is highly appropriate, or we can update `vietnam-pdpl-decree-356-cross-border-transfers-2026` to reflect this new unified cybersecurity framework that sits alongside the PDPL. Let's write a new note for Vietnam's Law on Cybersecurity No. 116/2025/QH15 since it's a major statutory consolidation that took effect on July 1, 2026. Let's create a slug: `vietnam-cybersecurity-law-enactment-2026`. Let's carefully verify the rules: - No YAML frontmatter. - The title is the first `# ` heading. - The slug is the slug parameter you pass. - Link other findings via `[[slug]]`. - Carry 1-2 representative verbatim quotes, copied exactly, each kept with the link it came from. - Name and link the actual thing. Let's write the first note: **Japan's APPI 2026 Amendments Enacted: Diet Approves Bill No. 54 with AI Exceptions and Surcharges** which updates `japan-appi-2026-amendments-diet-enactment`. Let's review the exact details of the July 10, 2026 enactment from Jiji Press: - Enacted by the House of Councillors on Friday, July 10, 2026. - Scheduled to take effect within two years of promulgation. - Creates an exemption allowing businesses to collect and provide personal data without consent for statistical compilation and AI development. - Let's retrieve quotes from Jiji Press and One Asia Lawyers. Let's write the update for `japan-appi-2026-amendments-diet-enactment`.
Agent
This is an excellent update to the Japan APPI amendments! Now let's record the event to resolve the watch `Japan APPI 2026 Amendment Bill Final Passage` (id: `019eee70-d8ec-73d3-b939-b46c44da7bf0`). Let's call `record_event` with the details.
other record_event
Agent
That is excellent! The watch is resolved. Now, let's update the South Korea note: `south-korea-pipc-prevention-transition-2026`. Let's see: the current note title is "South Korea Promulgates Sweeping PIPA Amendments: 10% Revenue Fines, CEO Liability, and Fine Calculation Overhaul (September 2026)". We have massive new details from May and June 2026: 1. **Amended Enforcement Decree (effective May 19, 2026)**: - Changes fine calculation: uses the higher of the immediately preceding business year's revenue or the three-year average (previously just the three-year average). - Restricts fine reductions for severe misconduct. 2. **PIPC's "Transition Plan toward a Prevention-Focused Personal Information Management Framework"**: - Announced May 22, 2026. - Risk-based preventive management / inspections starting June 2026. - Categorizes sectors: High-Risk (telecom, finance, healthcare processing 1M+ sensitive data records) facing regular/ad hoc inspections and mandatory ISMS-P certification; Medium-Risk (ad hoc/joint inspections, Privacy by Design); Low-Risk (under 10k data subjects, self-inspections). - Institutionalizes Privacy by Design (PbD) principles. 3. **Amended Network Act (effective October 1, 2026)**: - Expands CISO responsibilities, administrative fines for data breaches, and illegal spam regulations. - Security level assessment system takes effect April 1, 2027. Let's write this update to `south-korea-pipc-prevention-transition-2026`! Let's make sure it's comprehensive and captures all these elements.
Agent
This is excellent! We have successfully updated the South Korea note with highly specific, fresh 2026 data. Let's check if the South Korea watch `South Korea PIPA Amendments Effective Date` (id: `019ea65b-07fe-7c2e-9523-b76595db9abe`) has been fired. Wait, let's look at the watch description: "South Korea's sweeping PIPA amendments, authorizing fines of up to 10% of total revenue for severe data breaches, expanding reporting obligations to forgery/alteration, and designating the business owner/representative as the 'ultimate responsible person', come into effect. Fire date: 2026-09-11T00:00:00Z." Today's date is July 13, 2026. The effective date is September 11, 2026. So the watch has NOT fired yet, but we have updated our understanding of the draft presidential decrees and the enforcement decree (which entered into force on May 19, 2026). Wait, we should keep this watch open since the effective date is in the future (September 11, 2026). However, we can register that we have tracked the Enforcement Decree's implementation. Let's keep the watch open as an ongoing or one_shot watch that will fire on September 11, 2026. Now, let's write a brand-new note on Vietnam's new Cybersecurity Law (No. 116/2025/QH15) that went into effect on July 1, 2026. Wait, let's look at the existing Vietnam notes: - `vietnam-pdp-law-enactment-2026` (Vietnam's Personal Data Protection Law (PDPL) Takes Effect Alongside Implementing Decree 356 and Strict CTIA Dossier Mandates) - `vietnam-pdpl-decree-356-cross-border-transfers-2026` (Vietnam’s Decree 356/2025/ND-CP and Decree 165/2025/ND-CP: Navigating the Dual-Layered Cross-Border Data Transfer Framework) Wait, the new Cybersecurity Law No. 116/2025/QH15 went into effect on July 1, 2026. It replaces the 2018 Cybersecurity Law and the 2015 Network Information Security Law. Let's document this in a dedicated finding titled: **Vietnam's New Cybersecurity Law (No. 116/2025/QH15) Takes Effect: Unified Governance, Strict Timelines, and Retained Data Localization (July 2026)**. Let's check if we can link this to the other Vietnam notes using wikilinks like `[[vietnam-pdp-law-enactment-2026]]` and `[[vietnam-pdpl-decree-356-cross-border-transfers-2026]]`. Yes! That is exactly what the instructions require! Let's write this new note now.
Agent
This is beautiful! We have now written three extremely high-quality notes (two updates and one brand new note) that perfectly capture the mid-2026 developments across APAC (Japan, South Korea, and Vietnam). Let's check if there are any other threads or watches we should register. Wait, let's look at the new Vietnam law: - **Vietnam's Law on Cybersecurity No. 116/2025/QH15** took effect on July 1, 2026. - The law states that the Government will issue implementing decrees to detail the data localization, local presence triggers, and licensing conditions for cybersecurity products and services. This is a perfect candidate for a watch! We should watch for the publication of the implementing decree of the 2025 Cybersecurity Law to see if it maintains the conditional triggers of Decree 53/2022/ND-CP or expands them. Let's call `record_watch` to register this. Let's also look at Japan's APPI 2026 Amendments: - The bill was enacted on July 10, 2026. - The PPC is expected to draft and publish subordinate rules, cabinet orders, and guidelines detailing the "statistical compilation, etc." exception for AI training and the facial feature notice requirements over the next 1-2 years. This is another perfect candidate for an ongoing watch. Let's register these two watches to keep our forward-looking tracking robust. First, let's register the watch for Vietnam's implementing decree.
other record_watch
Agent
Excellent! Now let's register the watch for Japan's PPC guidelines on the APPI amendments.
other record_watch
Agent
This is incredibly thorough. Let's double check if there are any other threads we should resolve. We had two open threads from `list_threads`: 1. `Japan APPI 2026 Amendment Bill Final Passage` (id: `019eee70-d8ec-73d3-b939-b46c44da7bf0`) -> We resolved this with our `record_event` call which passed `resolves: true` to close the watch. But let's also call `resolve_thread` on it to ensure it is marked as resolved. Wait, let's call `resolve_thread` on `019eee70-d8ec-73d3-b939-b46c44da7bf0` with a resolution note. Let's do that now!
✅ Resolved thread
Resolved by updating the note [[japan-appi-2026-amendments-diet-enactment]] following the official enactment of the APPI 2026 amendment bill by the House of Councillors on July 10, 2026.
Agent
That is perfect! Now, what about the South Korea watch: `South Korea PIPA Amendments Effective Date` (id: `019ea65b-07fe-7c2e-9523-b76595db9abe`)? The fire date is September 11, 2026. Since today is July 13, 2026, the amendments are not yet fully in effect. We updated the South Korea note with the mid-2026 developments (Enforcement Decree effective May 19, 2026, and PIPC Transition Plan starting June 2026), but the main PIPA amendments themselves are not yet effective. So we will keep that watch open. Let's call `finish_cycle` to complete this research cycle. I'll provide a short summary of our findings in the final response.
other finish_cycle
Agent
I have completed this research cycle, delivering deep, evidence-grounded insights on three major regulatory milestones in the APAC region as of mid-2026. Here is a summary of the key updates and actions taken during this cycle: ### 1. **Japan APPI 2026 Amendments Officially Enacted** * **Milestone:** On **July 10, 2026**, the House of Councillors (Upper House) officially passed the APPI amendment bill (Bill No. 54). It cleared the Lower House in May 2026 and is scheduled to take effect within two years of its promulgation (by July 2028). * **Key Provisions:** * **AI & Statistical Compilation Exemption (Articles 30-2, 31-3):** Allows businesses to acquire sensitive personal data and transfer personal data to third parties without consent, solely for statistical compilation or AI development/training. * **"No Consent" for Anticipated Uses:** Consent is waived for third-party sharing and use beyond specific purposes if it is clear the handling does not run counter to the data subject's wishes. * **Enforcement Overhaul:** Introduces a gain-based **administrative surcharge system** to claw back financial benefits from serious violations, increases criminal penalties, and expands the PPC's recommendation/order powers. * **Biometrics & Children's Data:** Restricts opt-out transfers for facial feature data and increases statutory representative controls for children's data (under 16). * **Action:** Updated the existing note `[[japan-appi-2026-amendments-diet-enactment]]` and resolved the corresponding watch thread. ### 2. **South Korea’s PIPA Escalation & PIPC Prevention-Focused Transition** * **Milestone:** The sweeping PIPA amendments (promulgated March 10, 2026) are set to take effect on **September 11, 2026**. * **Key Developments:** * **Amended Enforcement Decree (Effective May 19, 2026):** Changes administrative fine calculations to use the **higher amount** between the revenue of the immediately preceding business year and the three-year average (up to 10% of total revenue). It also severely restricts fine reductions for gross negligence. * **PIPC "Transition Plan" & Risk-Based Inspections (June 2026):** The PIPC transitioned to a risk-proportionate preventive model. High-risk sectors (processing sensitive data of 1M+ data subjects, e.g., telecom, finance, healthcare) face ad hoc/regular inspections and mandatory ISMS-P. Medium-risk sectors must align with *Privacy by Design (PbD)* principles. * **Amended Network Act (Effective October 1, 2026):** Expands CISO accountability, implements administrative fines for network data breaches, and tightens spam regulations. * **Action:** Updated the existing note `[[south-korea-pipc-prevention-transition-2026]]` to reflect these critical mid-2026 operational updates. ### 3. **Vietnam's New Cybersecurity Law (No. 116/2025/QH15) Takes Effect** * **Milestone:** On **July 1, 2026**, Vietnam's newly consolidated **Law on Cybersecurity** officially went into operation. It replaces the Cybersecurity Law 2018 and the Network Information Security Law 2015 with a single, unified statutory framework. * **Key Provisions:** * **Centralized Authority:** Consolidates state oversight under the Ministry of Public Security (MPS). * **Data Localization & Local Presence:** Reaffirms requirements for domestic and foreign digital platform providers to store user personal data, account names, service usage duration, payment info, and IP logs locally, and requires foreign firms to establish local branches or representative offices. * **Strict Response Timelines:** Platforms must furnish requested user info to the MPS within **24 hours** (standard) or **3 hours** (emergency/national security). Content removal or service suspension must occur within **24 hours** (standard) or **6 hours** (urgent national security). * **Proactive Child Protection:** Mandates the deployment of technical filtering systems to actively prevent and block child-abuse content. * **Action:** Created a brand-new note `[[vietnam-cybersecurity-law-enactment-2026]]` to track this landmark statutory change and linked it to existing Vietnam PDPL findings. ### **New Watches Registered** To maintain forward-looking tracking, I have registered: 1. **Vietnam Implementing Decree for 2025 Cybersecurity Law (One-Shot):** To monitor whether the MPS maintains conditional triggers (like Decree 53/2022) or expands data localization to all foreign digital platforms. 2. **Japan PPC Rules and Guidelines on APPI 2026 Amendments (Ongoing):** To track draft and final guidelines detailing the "statistical compilation" AI exceptions and the scope of "no consent" business-sharing exemptions.