Agent
I will list the current threads for this topic to understand what open questions or watches have been established in previous cycles.
Listed threads
Agent
I will search for recent regulatory updates regarding data residency and cross-border data transfers in APAC, focusing on developments in 2025 and 2026.
🔍 Search
APAC cross border data transfer regulation 2025 2026
No results.
Agent
The search returned some very interesting results, including:
1. A Malaysian guideline on cross-border data transfers: `https://www.pdp.gov.my/ppdpv1/wp-content/uploads/2025/08/GP_CBPDT_EN-1.pdf` or related developments (there is a PDF listed from pdp.gov.my: "3/2025 CROSS BORDER PERSONAL DATA TRANSFER" from August 2025 or similar). Let's search specifically for Malaysian PDPA amendments, cross-border rules, and other updates.
2. Inside Privacy roundup of cross-border data transfer developments.
3. Pertamapartners' "Cross-Border Data Transfers Asia 2026 Guide".
4. Let's run searches to see if there are any updates in Vietnam (Decree 13 or recent developments in 2025-2026), Indonesia (PDP Law implementation/regulations due in late 2024 or 2025), South Korea (PIPA updates), or Australia.
Let's do a search on Malaysia's cross-border data transfer guidelines and PDPA amendments first. Let's do a search for "Malaysia PDPA cross border data transfer 2025 2026".
🔍 Search
Malaysia PDPA cross border data transfer 2025 2026
No results.
Agent
This is a major and highly relevant development! On April 29, 2025, Malaysia's Personal Data Protection Commissioner issued the Guidelines on Cross Border Personal Data Transfer (CBPDT Guidelines), which came into effect immediately or in early 2025.
Let's fetch the article from Hogan Lovells (`https://www.hoganlovells.com/en/publications/malaysias-groundbreaking-cross-border-data-transfer-guidelines-explained`) and Mayer Brown (`https://www.mayerbrown.com/en/insights/publications/2025/07/from-legislative-reform-to-practical-guidance-key-amendments-to-malaysias-pdpa-and-the-launch-of-cross-border-transfer-guidelines`) to understand the details. Let's start with Hogan Lovells.
📥 Fetch
https://www.hoganlovells.com/en/publications/malaysias-groundbreaking-cross-border-data-transfer-guidelines-explained
Agent
This is a highly detailed, major regulatory update for Malaysia. Let's research the Mayer Brown article as well to see if there is any additional context, especially about the PDPA amendments (which are mentioned as having been passed or launched around the same time, or coming into effect in 2025/2026). Let's fetch `https://www.mayerbrown.com/en/insights/publications/2025/07/from-legislative-reform-to-practical-guidance-key-amendments-to-malaysias-pdpa-and-the-launch-of-cross-border-transfer-guidelines`.
📥 Fetch
https://www.mayerbrown.com/en/insights/publications/2025/07/from-legislative-reform-to-practical-guidance-key-amendments-to-malaysias-pdpa-and-the-launch-of-cross-border-transfer-guidelines
Agent
This is excellent. We have two solid sources detailing the major Malaysian PDPA updates that came into effect in stages from January to June 2025 (with DPO, breach notifications, and data portability starting in June 2025, and the Cross-Border Personal Data Transfer Guidelines (CBPDT Guidelines) issued on April 29, 2025). The PDPA Amendment replaces "data user" with "data controller", introduces direct obligations for data processors under Section 9, increases penalties to RM1,000,000, and revises the cross-border transfer regime (replacing the previous "whitelist" approach with a risk-based framework requiring Transfer Impact Assessments (TIAs) valid for 3 years, consent, or "reasonable precautions" like BCRs, Contractual Clauses, or certifications).
Let's now research other APAC jurisdictions to see if there are similar updates in 2025 or 2026. Let's do a search for Indonesia PDP Law implementation. The Indonesian PDP Law (Law No. 27 of 2022) had a two-year transition period ending in October 2024. Let's research what happened in late 2024, 2025, and 2026 regarding the Indonesian PDP Law, its implementing regulations, and cross-border transfer rules.
🔍 Search
Indonesia PDP Law implementation regulations cross-border data transfer 2025 2026
No results.
Agent
This is highly relevant! There are major updates in Indonesia:
1. Constitutional Court ruling on January 19, 2026, regarding the Indonesian PDP Law and cross-border personal data transfers.
2. AHP client update (March 11, 2026) or Rajah & Tann Asia viewpoints on "Indonesia's PDP Law Updates: DPA, U.S. Trade-Related Data Transfers, and Recent Court Rulings."
3. The Personal Data Protection Agency (Lembaga PDP) operational status by 2026.
Let's fetch `https://conflictoflaws.net/2026/cross-border-personal-data-transfers-the-remaining-issues-following-the-indonesian-constitutional-court-decision/` and `https://www.ahp.id/clientalert/AHPClientUpdate-11March2026.pdf` (or `https://www.rajahtannasia.com/viewpoints/indonesias-pdp-law-updates-dpa-u-s-trade%E2%80%91related-data-transfers-and-recent-court-rulings/` if we can fetch it, let's fetch both). Let's start with the Conflict of Laws post.
📥 Fetch
https://conflictoflaws.net/2026/cross-border-personal-data-transfers-the-remaining-issues-following-the-indonesian-constitutional-court-decision/
Agent
This is extremely valuable. The Indonesian Constitutional Court issued a final and binding decision on January 19, 2026 (Case Number 137/PUU-XXIII/2025) rejecting a petition that sought to restrict cross-border data transfers (specifically targeting transfers to the US under an upcoming US-Indonesia Reciprocal Trade Agreement Negotiation Framework) by requiring parliamentary approval. The court ruled that cross-border data transfers are administrative and technical executive measures, not international treaties requiring legislative consent. The ruling confirms that the PDP Law's tiered mechanism (adequacy -> contractual safeguards -> explicit consent) is constitutionally settled. Furthermore, it highlights that the Personal Data Protection Authority (PDPA) is still not yet established or operational but is expected to be by 2026, and that final implementing regulations are still pending.
Let's search for the actual PDF or content of the AHP client update or Rajah & Tann Asia viewpoints on "Indonesia's PDP Law Updates: DPA, U.S. Trade-Related Data Transfers, and Recent Court Rulings" to see if there's any other details. Let's do a search.
🔍 Search
"AHPClientUpdate-11March2026.pdf" OR "Indonesia's PDP Law Updates: DPA, U.S. Trade-Related Data Transfers"
1 result
Agent
Let's fetch `https://www.ahp.id/clientalert/AHPClientUpdate-11March2026.pdf`. Wait, let's see if we can read the PDF or if the tool can fetch it. If it's a PDF, `web_fetch` might convert it or fail. Let's try fetching it.
📥 Fetch
https://www.ahp.id/clientalert/AHPClientUpdate-11March2026.pdf
Agent
This is fantastic! The AHP Client Update from March 11, 2026, provides a highly detailed, extremely current (March 2026) snapshot of the Indonesian data protection landscape. Let's summarize the key items:
1. **Data Protection Authority (DPA)**: A draft Presidential Regulation on the DPA was made public in late February 2026. The DPA will be a non-ministerial government agency reporting to the President through the Ministry of Communication and Digital Affairs (MOCD), but operational control will remain independent. It will have a Head and three deputies (policy, dispute resolution, compliance/enforcement). It will incorporate the existing personal data protection unit of the MOCD to ensure immediate operational capacity.
2. **U.S.-Indonesia Reciprocal Trade Agreement**: Signed on February 19, 2026. Article 3.2 of Annex III requires Indonesia to recognize the US as a jurisdiction offering adequate data protection under Indonesian law. It is subject to ratification by the Indonesian House of Representatives (DPR) and it is still unclear how the government will reconcile this with Article 56 of the PDP Law (which requires adequacy assessments by the DPA).
3. **Litigation and Enforcement Activity**: Since the PDP Law's enactment in October 2022, there have been at least 23 criminal cases, 7 civil cases, and 6 constitutional court decisions.
   - *Criminal*: Courts have actively applied Articles 65(1) and 65(3) (unlawful collection and misuse of personal data) in district courts in 2025 (e.g., Telegram OTP monetization, dark web employee data sales).
   - *Civil*: A civil case filed in West Jakarta District Court in January 2026 by former contract employees against a data controller for conducting credit/background checks without consent or contractual basis, highlighting HR compliance risks.
   - *Constitutional Court*: Multiple challenges rejected in 2025/2026. This includes Case Number 137/PUU-XXIII/2025 (on cross-border transfers/US trade agreement, decided Jan 19, 2026) and another challenge on Article 20(2)(a) (demanding consent via certified electronic signatures, which the court rejected, leaving technical details to implementing regulations).
This is a goldmine of concrete information. Let's write two distinct findings:
1. One on Malaysia's groundbreaking new Cross-Border Personal Data Transfer Guidelines (issued April 29, 2025) and the phased implementation of the PDPA Amendment Act 2024 (January to June 2025).
2. One on Indonesia's 2026 updates: the draft Presidential Regulation establishing the independent DPA, the new US-Indonesia Reciprocal Trade Agreement (Feb 2026) committing to US adequacy, and the recent judicial developments (including the Jan 19, 2026 Constitutional Court ruling and district court cases).
Let's do a search to see if there are any other recent (2025/2026) updates across other APAC jurisdictions, such as:
- Vietnam (Decree 13 / Draft Law on Personal Data Protection)
- Thailand (PDPA enforcement, cross-border transfer rules under Section 28/29)
- South Korea (PIPA updates, cross-border transfer requirements)
- China (CAC cross-border transfer rules, standard contract filings in 2025/2026)
- Australia (Privacy Act reforms)
Let's search for "Vietnam Personal Data Protection Law draft 2025 2026".
🔍 Search
Vietnam Personal Data Protection Law draft 2025 2026
No results.
Agent
Wow, this is an incredible, highly significant update! Vietnam officially enacted Law No. 91/2025/QH15 on Personal Data Protection (PDPL) on June 26, 2025, which entered into effect on January 1, 2026.
Let's fetch the Baker McKenzie PDF or Tilleke & Gibbons article to understand the details, specifically focusing on cross-border data transfers and how it interacts with Decree 13 (which previously regulated cross-border transfers).
Let's fetch `https://www.tilleke.com/insights/new-decree-provides-guidance-for-vietnams-personal-data-protection-law/`. Wait, let's also fetch the Baker McKenzie insight if possible, or another article like `https://vietnam-business-law.info/blog/2025/10/1/key-highlights-on-the-vietnam-new-personal-data-protection-law-pdpl-2025`. Let's fetch the Tilleke & Gibbons first.
📥 Fetch
https://www.tilleke.com/insights/new-decree-provides-guidance-for-vietnams-personal-data-protection-law/
Agent
This is outstanding! Vietnam's Personal Data Protection Law (PDPL) was enacted in June 2025 and entered into force on January 1, 2026. Simultaneously, Decree No. 356/2025/ND-CP was promulgated on December 31, 2025, detailing the implementation of the PDPL and replacing the previous Decree No. 13/2023/ND-CP.
Let's see what else we can find on the cross-border data transfer rules under the new PDPL and Decree 356. Let's do a search for "Vietnam PDPL cross border data transfer Decree 356/2025/ND-CP".
🔍 Search
Vietnam PDPL cross border data transfer Decree 356/2025/ND-CP
No results.
Agent
This is highly detailed. Let's fetch the Mori Hamada & Matsumoto newsletter `https://www.morihamada.com/en/insights/newsletters/131901` and/or Vietnam Briefing `https://www.vietnam-briefing.com/news/vietnam-personal-data-protection-regulation-decree-356.html/` to get the exact details on cross-border data transfer rules under Decree 356. Let's fetch Mori Hamada first.
📥 Fetch
https://www.morihamada.com/en/insights/newsletters/131901
Agent
This is incredibly clear and directly relevant. Let's look at the cross-border transfer details:
1. Under the new Personal Data Protection Law (PDPL, Law No. 91/2025/QH15, enacted June 26, 2025) and Decree No. 356/2025/ND-CP (effective January 1, 2026), the cross-border data transfer framework has been updated and formalized.
2. It replaces the previous Decree 13/2023/ND-CP.
3. For cross-border data transfers, organizations must prepare and submit a Cross-border Data Transfer Impact Assessment (CDTIA).
4. However, Decree 356 introduces expanded CDTIA **exemptions**, including:
   - Cross-border HR management (this is huge for multinational companies!).
   - Transfers necessary for signing contracts or conducting procedures relating to cross-border transport, logistics, payments, travel, visas, or scholarships.
   - Journalism, publicly disclosed data, and emergencies.
5. For those required to file, the CDTIA templates have been overhauled, requiring highly detailed technical descriptions (data flows, system architecture, security measures, risk assessment, and overseas recipient safeguards).
6. A major change is the shift to a **substantive review mechanism**: the Ministry of Public Security (MPS) has a 15-day timeline to assess dossiers on a pass/fail basis, with a 30-day remediation period if the dossier is deemed incomplete or non-compliant. Under the old Decree 13, it was a purely filing-based regime.
7. Also, small enterprises and startups have a 5-year grace period for DPIA filing and appointing a DPO (unless they process sensitive data, process data of 100,000+ subjects, or provide data processing services).
This is a fantastic update that directly answers how multinational compliance teams are affected (e.g. HR transfer exemption is a massive relief, but the shift from simple filing to substantive MPS pass/fail review for other transfers is a tightening).
Let's look at another APAC country: Singapore or South Korea.
Wait, let's look at the relevant prior findings. One of them is:
`singapore-pdpa-amendment-regulations-global-cbpr-2026` (Singapore Formally Integrates Global CBPR and GPRP Systems into PDPA Cross-Border Transfer Rules (March 2026)).
Let's see if we can find any more details on this or if we should check China.
What about China? Let's search for "China CAC cross-border data transfer 2025 2026".
Wait, in March 2024, the CAC released new provisions on promoting and regulating cross-border data flows (which eased some requirements). Let's see if there are any updates in late 2025 or 2026. Let's do a search.
🔍 Search
China CAC cross-border data transfer regulation 2025 2026
No results.
Agent
This is also a major area of active development in late 2025 and 2026!
Let's look at the insights from:
1. Arnold & Porter: "China Issues Further Clarifications on Cross-Border Data Transfer Rules" (November 2025), which discusses the CAC's October 2025 FAQ.
2. King & Wood Mallesons: "China's Cross-Border Data Regime: Key Points on Personal Information Export Certification" (October 2025 / January 2026).
3. Hunton Andrews Kurth: "China CAC Issues Guidance on CBDT Security Management" (January 30, 2026).
4. China Briefing: "China's Cross-Border Data Transfer: Key Insights from Official Q&A (III)" (October 2025).
Let's fetch `https://www.arnoldporter.com/en/perspectives/advisories/2025/11/china-issues-clarifications-cross-border-data-transfer-rules` first. This will give us excellent primary source details.
📥 Fetch
https://www.arnoldporter.com/en/perspectives/advisories/2025/11/china-issues-clarifications-cross-border-data-transfer-rules
Agent
This is incredibly detailed and highly relevant to multinational compliance teams.
Let's look at the key details from the Arnold & Porter advisory:
1. **CAC's October 31, 2025 FAQ**: Follows previous guidelines, clarifying the "Provisions on Promoting and Regulating Cross-Border Data Flows" (effective March 22, 2024).
2. **Narrow Construction of Exemptions**:
   - **Contract Performance**: Illustrative examples are not exhaustive, but must meet two criteria: (1) contract performance to which the individual is a party, and (2) necessary to transfer the personal information abroad.
   - **HR Management**: Narrowly construed. It must be necessary for HR management, limited to personal info directly relevant to HR, and minimized in impact. Companies should NOT transfer higher-risk data like ID number, passport info, or bank accounts without checking if they meet these three criteria. Note that basic obligations like separate consent and PIA (Personal Information Impact Assessment) still apply.
3. **Important Data Security Assessments**:
   - If a company is notified that it holds "Important Data" (as defined by relevant industry authorities) or a public announcement is made, the company **must apply for a Security Assessment within 2 months**, and **transfers must stop** until the assessment is complete. There is no grace period.
4. **Overseas Access vs. Local Access**:
   - The Guidelines for Data Export Security Assessment (Version 3), effective June 27, 2025, state that overseas personnel accessing data stored in mainland China is a cross-border transfer. However, the FAQ clarifies that if overseas personnel travel to mainland China and access data locally, it is NOT a cross-border transfer.
5. **SCC Filing for Continuous Transfers / Re-filing**:
   - Continuous transfers to the same recipient within the thresholds can be filed once based on a reasonable annual estimate, without repeated filings. However, if cumulative volumes exceed thresholds (e.g. 1 million individuals' personal info or 10,000 individuals' sensitive personal info since January 1 of that year), they must apply for a Security Assessment.
   - Re-filing is required for "substantial" changes. Engagement in new transfers requires filing an updated version of the entire package (no simplified process currently).
   - Onward transfers by the overseas recipient must be explicitly disclosed in Appendix I of the SCC filing.
6. **PIP Certification**:
   - The CAC released the *Measures on Certification for Cross-Border Transfer of Personal Information* on October 14, 2025 (effective January 1, 2026).
   - National standard GB/T 46068-2025 (*Data Security Technology — Security Certification Requirements for Cross-Border Processing Activity of Personal Information*) was issued.
   - The CAC will publish a list of approved professional Certification Institutions, making PIP Certification a more practical pathway for intra-group transfers.
Let's do a quick search on South Korea's PIPA cross-border data transfer rules or Australia's reforms in 2025/2026. Let's search for "South Korea PIPA cross border data transfer 2025 2026".
🔍 Search
South Korea PIPA cross border data transfer 2025 2026
No results.
Agent
This is another major and critical development!
1. South Korea's PIPA was amended on March 10, 2026, with most provisions set to take effect on September 11, 2026.
2. The National Assembly passed amendments (on February 12, 2026, promulgated on March 10, 2026) authorizing fines of up to 10% of total revenue or similar? Let's check this. The Hunton Andrews Kurth title says: "South Korea Amends Privacy Law to Authorize Fines of Up to 10%...". Let's verify the percentage and details.
3. Also, there are updates on data portability rights (effective March 13, 2025) and foreign businesses operating in Korea appointing a domestic representative.
4. Let's fetch the Hunton Andrews Kurth post: `https://www.hunton.com/privacy-and-cybersecurity-law-blog/south-korea-amends-privacy-law-to-authorize-fines-of-up-to-10-of-total-revenue` or look up the LinkedIn digest. Let's search for "South Korea PIPA amendments 2026 cross border transfer". Let's fetch the Hunton article first.
📥 Fetch
https://www.hunton.com/privacy-and-cybersecurity-law-blog/south-korea-amends-privacy-law-to-authorize-fines-of-up-to-10-of-total-revenue
Agent
This is very helpful. South Korea's PIPA amendments passed on February 12, 2026, and were promulgated on March 10, 2026. The key update is that the Personal Information Protection Commission (PIPC) may seek administrative fines of up to 10% of a company's total revenue in certain high-severity data breach cases (e.g., intentional/gross negligence repeated within 3 years, affecting 10 million+ individuals, or failing to comply with a PIPC corrective order). It also expands reporting obligations and designates the business owner or representative as the "ultimate responsible person" for data protection. It takes effect six months after enactment (September 11, 2026).
Let's see if there are any other specific updates on South Korea's cross-border transfers. The previous PIPA amendment in 2023 introduced a broader set of transfer mechanisms (like contract, certification, adequacy, in addition to consent), and gave the PIPC power to order suspension of transfers. Let's do a search to see if there are other specific updates on South Korea's cross-border transfers in 2025/2026. Let's search for "South Korea PIPC cross border data transfer 2025 2026".
🔍 Search
South Korea PIPC cross border data transfer 2025 2026
No results.
Agent
I will list the current notes for this topic to see if any of our findings refine the existing prior findings.
Read prior notes
Agent
This list of notes is extremely comprehensive and already covers many of the exact things I found, showing how past cycles have structured them.
Let's see:
1. `vietnam-pdp-law-enactment-2026` is "Vietnam's Personal Data Protection Law (PDPL) Takes Effect Alongside Implementing Decree 356 and Strict CTIA Dossier Mandates".
2. `vietnam-pdpl-decree-356-cross-border-transfers-2026` is "Vietnam’s Decree 356/2025/ND-CP and Decree 165/2025/ND-CP: Navigating the Dual-Layered Cross-Border Data Transfer Framework".
3. `south-korea-pipc-prevention-transition-2026` is "South Korea Promulgates Sweeping PIPA Amendments: 10% Revenue Fines, CEO Liability, and Privacy Investment Incentives (September 2026)".
4. `singapore-pdpa-amendment-regulations-global-cbpr-2026` is "Singapore Formally Integrates Global CBPR and GPRP Systems into PDPA Cross-Border Transfer Rules (March 2026)".
5. `malaysia-pdpa-amendments-cross-border-guidelines-2025` is "Malaysia Implements Major PDPA Overhaul and Launches Risk-Based Cross-Border Transfer Guidelines".
6. `malaysia-pdpa-cross-border-transfer-guidelines-2025` is "Malaysia Launches Cross-Border Personal Data Transfer Guidelines, Shifting Adequacy Burden to Data Controllers".
7. `indonesia-pdp-law-dpa-us-trade-agreement-2026` is "Indonesia: Draft DPA Regulation, Constitutional Court Rulings, and US Trade Agreement Reshape PDP Law Landscape".
8. `indonesia-pdp-law-constitutional-court-decision-2026` is "Indonesia PDP Law: Constitutional Court Affirms Executive Authority Over Cross-Border Transfers and Adequacy (January 2026)".
9. `china-pipl-cross-border-transfer-pathways-2026` is "China PIPL Five Years On: Cross-Border Transfer Pathways Mature, Certification Closes the Gap (2026)".
Wait, are there any other notes?
The note `china-pipl-cross-border-transfer-pathways-2026` covers China PIPL.
Let's see if we should refine any of these notes based on the new and more precise evidence we've found in this cycle.
Specifically:
- For China, we found the October 31, 2025 FAQ which clarifies the narrow construction of exemptions (especially HR management and contract performance), the 2-month deadline for Important Data security assessments, the distinction between overseas access and local access, and the PIP Certification national standard (GB/T 46068-2025). This is super precise and directly refines `china-pipl-cross-border-transfer-pathways-2026`. Let's read `china-pipl-cross-border-transfer-pathways-2026` first to see if it already contains this or if we should update it.
Let's search for the content of `china-pipl-cross-border-transfer-pathways-2026` or fetch it if we can find its exact slug. Actually, let's fetch it via a web search or check if there is a tool to read the note. Wait, the `read_notes` tool returns the list of notes with slugs and previews. Is there a tool to read the full body of a note? No, there is no `read_note` tool in the declarations. The declarations are:
- `list_threads`
- `read_notes`
- `record_event`
- `record_thread`
- `record_watch`
- `resolve_thread`
- `write_note`
- `finish_cycle`
- `web_fetch`
- `web_search`
Ah! There is no tool to read the full body of a note, but we can write/update a note by reusing its slug.
Wait, let's look at what we've discovered:
1. **Malaysia**: The CBPDT Guidelines came into effect on April 29, 2025. This is covered in `malaysia-pdpa-cross-border-transfer-guidelines-2025` and `malaysia-pdpa-amendments-cross-border-guidelines-2025`.
2. **Indonesia**: The Draft DPA Regulation was made public in late February 2026. The US-Indonesia Trade Agreement was signed on February 19, 2026. The Constitutional Court Case 137/PUU-XXIII/2025 was decided on January 19, 2026. This is covered in `indonesia-pdp-law-dpa-us-trade-agreement-2026` and `indonesia-pdp-law-constitutional-court-decision-2026`.
3. **Vietnam**: PDPL was passed in June 2025 and effective Jan 1, 2026. Decree 356 was promulgated Dec 31, 2025, and effective Jan 1, 2026. This is covered in `vietnam-pdp-law-enactment-2026` and `vietnam-pdpl-decree-356-cross-border-transfers-2026`.
4. **South Korea**: PIPA was amended in Feb/March 2026, effective Sept 11, 2026 (10% revenue fines, CEO liability, chief privacy officer reporting). This is covered in `south-korea-pipc-prevention-transition-2026`.
5. **China**: The CAC released an FAQ on October 31, 2025, which clarifies the narrow construction of exemptions, Important Data security assessment deadlines, overseas vs. local access, SCC continuous filings, and PIP Certification under GB/T 46068-2025. This is covered in `china-pipl-cross-border-transfer-pathways-2026` but let's see if we can provide a detailed update to `china-pipl-cross-border-transfer-pathways-2026` or if we should write a new note specifically for the October 2025 FAQ and PIP Certification regulations. The prompt says: "One finding = ONE thing that's happening (a single story, article, paper, launch, or debate). NEVER write a note that summarizes the cycle... If the finding refines one of the prior findings auto-injected above, reuse that slug to update; otherwise pick a fresh slug."
Let's update `china-pipl-cross-border-transfer-pathways-2026` with the highly detailed, precise findings from the October 31, 2025 FAQ and the PIP Certification measures of October 14, 2025. This directly refines how the cross-border pathways have matured.
Let's carefully construct the updated note for `china-pipl-cross-border-transfer-pathways-2026`. Let's write down the details:
- **Exemptions Narrowly Construed**:
  - The CAC's October 31, 2025 FAQ clarifies that the contract-performance exemption is illustrative but must meet two strict criteria: (1) contract performance to which the individual is a party, and (2) necessary to transfer the personal information abroad.
  - The HR management exemption is also strictly limited: (1) must be necessary for HR management, (2) limited to personal info directly relevant to HR, and (3) minimized in impact. Transferring higher-risk data like ID numbers, passport info, or bank accounts must be checked against these three criteria, and basic obligations (individual notification, separate consent, and PIA) still apply.
- **Important Data Security Assessments**:
  - If a company is notified that it holds "Important Data" or a public announcement is made, it must apply for a Security Assessment within 2 months, and transfers must stop until the assessment is complete (no grace period).
- **Overseas vs. Local Access**:
  - The June 27, 2025 Guidelines for Data Export Security Assessment (Version 3) establish that remote access from overseas to data in mainland China is a cross-border transfer. However, the FAQ clarifies that if overseas personnel travel to mainland China and access data locally without exporting it, it is NOT considered a cross-border transfer.
- **SCC Filing for Continuous Transfers**:
  - Continuous transfers within the thresholds can be filed once based on a reasonable annual estimate, without repeated filings. If cumulative volumes exceed thresholds (e.g. 1 million individuals' personal info or 10,000 individuals' sensitive info since January 1 of that year), they must apply for a Security Assessment. Engagements in new transfers require filing an updated version of the entire package (no simplified process). Onward transfers must be explicitly disclosed in Appendix I of the SCC filing.
- **PIP Certification**:
  - The CAC released the *Measures on Certification for Cross-Border Transfer of Personal Information* on October 14, 2025 (effective January 1, 2026).
  - National standard GB/T 46068-2025 (*Data Security Technology — Security Certification Requirements for Cross-Border Processing Activity of Personal Information*) was issued.
  - The CAC will publish a list of approved professional Certification Institutions, making PIP Certification a more practical pathway for intra-group transfers.
Let's check if there are other threads or watches we should register. There are no current threads. Let's register a watch for any upcoming developments or enforcement actions we've identified.
Wait, let's see if there are any other notes we should update.
Is there anything else on South Korea? South Korea's PIPA amendments take effect on September 11, 2026. This is a great candidate for a dated catalyst watch!
Let's see: South Korea's PIPA amendments (10% total revenue fines, CEO liability, expand reporting to forgery/alteration) take effect on September 11, 2026. We can register a watch for this.
What about Indonesia's DPA establishment? The draft Presidential Regulation was made public in late February 2026, and the DPA is "expected to be operational by 2026". We can register a watch for the official establishment/operationalization of the Indonesian DPA.
What about the ratification of the US-Indonesia Trade Agreement? The trade agreement was reached on February 19, 2026, and is subject to ratification by the House of Representatives. We can register a watch for this.
Let's write the note updating `china-pipl-cross-border-transfer-pathways-2026`. Let's prepare the markdown body for `china-pipl-cross-border-transfer-pathways-2026`. No YAML frontmatter. The title is the first `# ` heading. We must include citable sources, representative verbatim quotes, and interpretations. Let's write the note.
📝 Wrote finding
China PIPL Five Years On: Cross-Border Transfer Pathways Mature, Certification Closes the Gap (2026)
china-pipl-cross-border-transfer-pathways-2026
Agent
Now, let's register the forward-looking watches we've identified.
1. South Korea's PIPA amendments (including 10% total revenue fines and CEO liability) taking effect on September 11, 2026. This is a `dated_catalyst` and is `one_shot`.
2. Indonesia's Personal Data Protection Authority (DPA) becoming fully operational. The draft regulation was public in late February 2026, and the agency is expected to be operational by late 2026. This is a `live_process` and is `one_shot`.
3. Ratification of the US-Indonesia Reciprocal Trade Agreement (signed Feb 19, 2026) by the Indonesian House of Representatives (DPR) and how the DPA operationalizes the US adequacy commitment. This is a `live_process` and is `one_shot`.
Let's register these watches. Let's make sure we call `record_watch` for each. Let's start with South Korea's PIPA amendments.
other record_watch