Brunei PDPO

Personal Data Protection Order 2025

Brunei | Opt-in | National

Key Facts

Effective Date: January 8, 2025
Enacted: January 8, 2025
Enforcing Authority: Authority for the Information and Communication Technology Industry of Brunei Darussalam (AITI)
Consent Model: Opt-in
Applies To: Private sector organizations processing personal data in Brunei Darussalam

Overview

Brunei's PDPO 2025 is the country's first comprehensive data protection law for the private sector, modeled on Singapore's PDPA. It makes Brunei the last major ASEAN economy to enact such legislation. Organizations have a one-year grace period from enactment to achieve full compliance.

What This Means for Your Website

  • Consent is required for collection, use, and disclosure of personal data of Brunei visitors
  • Data Protection Impact Assessments (DPIAs) are required for processing activities
  • Reasonable security measures must be implemented
  • Cross-border transfers are restricted to jurisdictions with equivalent protection
  • Organizations have until approximately January 2026 to achieve compliance

Key Requirements

AITI enforces the PDPO with fines starting at BND 10,000 plus 3 years imprisonment. Organizations with turnover above BND 10 million face up to 10% of Brunei turnover; smaller organizations face up to BND 1 million. Advisory Guidelines will be published to support implementation.

How ConsentStack Handles This

ConsentStack applies consent-based processing for Brunei visitors, aligning with the PDPO's Singapore-inspired requirements.

Penalties

Fines from BND 10,000 and/or 3 years' imprisonment. Turnover > BND 10M: up to 10% of Brunei turnover. Turnover < BND 10M: up to BND 1M.

Revenue-based: 10% of annual revenue

Key Requirements

  • Consent required for collection, use, and disclosure of personal data
  • Data Protection Impact Assessment required
  • Reasonable security measures required
  • Cross-border transfers only to equivalent jurisdictions
  • Assess and update practices during grace period

Notable Provisions

  • Last major ASEAN economy to enact DP legislation
  • Modeled on Singapore PDPA
  • One-year grace period for compliance
  • 10% of Brunei turnover for large organizations

Other Asia Pacific Regulations

PIPL (China)
China's PIPL is one of three pillars alongside the CSL and DSL forming China's data governance framework. Non-essential cookies must be blocked until visitors actively opt in. Simply stating cookie use in a privacy policy is insufficient. Separate consent is required for sensitive data, cross-border transfers, public disclosure, and third-party provision.
Thailand PDPA (Thailand)
Thailand's PDPA is modeled on the GDPR and requires explicit consent before processing personal data through cookies. Consent must be unambiguous and via affirmative action. Enforcement intensified significantly in 2025, with THB 21.5 million in fines in August 2025 alone. Withdrawal of consent must be as easy as giving it.
South Korea PIPA (South Korea)
South Korea's PIPA was amended in February 2026 to introduce the world's highest potential penalty ceiling at 10% of total revenue for severe violations. Cookie data qualifies as personal information when combinable with other data to identify individuals. CEO accountability is now statutory — the CEO is designated as the ultimate responsible person.
APPI (Japan)
Japan's APPI governs personal information handling with specific cookie/tracking provisions added by the 2023 Telecommunications Business Act. Consent is required before providing cookies, IPs, and device IDs to parties that will link them to identified users. The PPC conducts mandatory three-year review cycles.
Singapore PDPA (Singapore)
Singapore's PDPA takes a less prescriptive approach to cookies than EU/GDPR-style laws — no specific cookie consent mandate exists. However, cookies collecting personal data are subject to the PDPA's consent, notification, and purpose limitation obligations. The 2021 amendments introduced 10% turnover penalties and deemed consent provisions.
Australian Privacy Act (Australia)
Australia's December 2024 amendments are the most significant since the Act's inception. Personal information now explicitly includes IPs, device IDs, and cookie identifiers. Pre-ticked boxes and dark patterns are restricted. A new statutory tort for serious privacy invasion creates a private right of action. Penalties can reach AUD 50 million or 30% of turnover.

Frequently Asked Questions

Is Brunei's PDPO new?

Yes. Enacted January 2025, it is Brunei's first comprehensive data protection law for the private sector, and it makes Brunei the last major ASEAN economy to enact such legislation.

What model does Brunei follow?

The PDPO is modeled on Singapore's PDPA framework, reflecting regional best practices.

What are Brunei's penalties?

Fines from BND 10,000 and/or 3 years' imprisonment. Large organizations face up to 10% of Brunei turnover.
