Skip to main content
NOPE
In Effect Regulation Data Protection Context Relevance

Brunei PDPO

Personal Data Protection Order 2025

Brunei's personal data protection order requiring DPIA and imposing penalties up to 10% Brunei turnover or $1M.

Jurisdiction

Brunei

BN

Enacted

Dec 1, 2025

Effective

Jan 1, 2026

Enforcement

Brunei Personal Data Protection Authority

Who Must Comply

This law applies to:

  • Data controllers and processors in Brunei
  • Entities processing data of Brunei residents

Capability triggers:

dataProcessing (required)
Required Increases applicability

Who bears obligations:

Data ControllerData Processor

Safety Provisions

  • Data Protection Impact Assessment required
  • Consent requirements for data processing
  • Breach notification to authority
  • Cross-border transfer restrictions
  • Security safeguards

Compliance Timeline

Jan 1, 2026

All provisions take effect

Enforcement

Enforced by

Brunei Personal Data Protection Authority

Penalties

BND 1M or 10% revenue (whichever higher)

Max fine: $1,000,000
Revenue %: 10%

Up to 10% of Brunei turnover or BND 1 million, whichever is higher

Quick Facts

Binding
Yes
Mental Health Focus
Yes
Child Safety Focus
No
Algorithmic Scope
No

Why It Matters

Brunei's significant penalties (10% turnover or $1M) create high-stakes compliance environment for AI chatbot platforms serving Brunei users.

Recent Developments

Enacted December 2025, effective January 2026

Cite This

APA

Brunei. (2025). Personal Data Protection Order 2025. Retrieved from https://nope.net/regs/bn-pdpo-2025

BibTeX

@misc{bn_pdpo_2025,
  title = {Personal Data Protection Order 2025},
  author = {Brunei},
  year = {2025},
  url = {https://nope.net/regs/bn-pdpo-2025}
}

Related Regulations

In Effect IN Data Protection

India DPDP Act

STRICTEST children's provisions in APAC. Children = under 18; verifiable parental consent MANDATORY; PROHIBITION on tracking, behavioral monitoring, targeted advertising to children.

In Effect ID Data Protection

Indonesia PP 17/2025

Indonesia's comprehensive child online protection regulation establishing age-appropriate design requirements for electronic systems accessible to children. Most granular age classification globally (5 groups). Requires risk assessments, privacy-by-default, parental consent, DPIAs, and prohibits data profiling of children. First of its kind in Asia and Global South.

In Effect ID Data Protection

Indonesia UU PDP

Indonesia's comprehensive data protection law. Health and children's data = "specific personal data" with enhanced protections. Criminal penalties up to 6 years imprisonment.

In Effect NP AI Safety

Nepal AI Policy

Nepal national AI policy establishing governance framework and development priorities. Creates AI Governance Council (chaired by Minister for Communications and IT), AI Regulation Council, National AI Centre, and AI Regulatory Authority. Six pillars including ethics, human resource development, and sectoral application.

In Effect PK AI Safety

Pakistan AI Policy

Pakistan's national AI roadmap establishing six strategic pillars: AI Innovation Ecosystem, Awareness and Readiness, Research and Development, Infrastructure, Governance, and International Cooperation. Creates National AI Fund (NAIF), Centres of Excellence in 7 cities, and targets training 200,000 individuals annually.

In Effect MM Online Safety

Myanmar Cybersecurity Law

Myanmar's cybersecurity law requiring platforms with 100,000+ users to register and imposing data retention requirements. Enacted post-2021 coup with uncertain enforcement.

Back to all regulations Check if this applies to you