Josh Lee, Managing Director, Asia-Pacific of the Future of Privacy Forum, joined Grab’s public policy podcast series, Grab Conversations on Air, for a mini four-part series on Data Protection. Speaking with Shivi Anand, Grab’s Regional Public Policy Manager, they discuss what Data Protection entails in the Southeast Asia region.
Transcript of podcast
Today we have with us Josh Lee – Managing Director, Asia-Pacific of the Future of Privacy Forum, a global think tank that aims to foster best practices in data protection and catalyse trust in the use of emerging technologies. Josh graduated with an LLM from Berkeley Law with a specialisation in law and technology. Prior to his studies, he served for half a decade in the Singapore Government, which included a role at the Trusted AI and Data Division in the Personal Data Protection Commission. Josh is also the first Chairperson of the Asia-Pacific Legal Innovation and Technology Association, which is a pan-regional industry platform driving legal innovation and technology initiatives. Welcome, Josh.
Hi Shivi, and hi everyone listening to this podcast. It’s a great pleasure to be here.
Thanks so much for joining us today. It’s great to have you here. Could you give us a quick background of your work in data protection and specifically in the Southeast Asia region?
Absolutely. So the Future of Privacy Forum set up its APAC office mid last year and we are just past our one year mark of operation. Our signature project so far is a series of 14 jurisdiction reports on the consent regimes in these jurisdictions and alternative legal bases for data processing. The last report was on Japan, and we’ve covered about 6 or 7 ASEAN jurisdictions as well. Building off of that, we will be releasing a report that comparatively analyses the regimes in these different jurisdictions and comes up with recommendations and policy ideas that regulators can take into consideration when looking at advancing data protection regimes. Another thing that we are doing is the APAC landscape privacy calls which we do on a monthly basis, and the idea of these calls is to get a better sense of the developments in this region, which are advancing so quickly. We cover jurisdictions such as Thailand, Vietnam, Japan, Indonesia, and we will be covering more jurisdictions both in Southeast Asia and the rest of Asia going forward. We will be doing other pieces of work as well on topics such as AI, immersive technologies, and cross-border data transfers and so on, and we look forward to partnering with all stakeholders to advance this important work in the Asia Pacific.
Thanks so much for that background, Josh. Since this is more of an introductory episode to data protection, we wanted to start right at the beginning with the basics for our listeners. So could you talk a little bit about what data protection really means?
Of course. Now, data protection is often mentioned alongside privacy, and I think as compared to privacy, which has many different definitions and perspectives from which it can be viewed, data protection is a more neutral and narrower term that can overlap with but does not necessarily mean data privacy. While the latter deals with more than just personal information but also private life, data protection is putting in place measures to protect certain rights or interests through the balance of economic and personal interests that need not be based on the notion of privacy. An additional difference is that while privacy can be seen as limiting government powers that might otherwise interfere with private life, data protection typically requires an expansion of government powers to monitor compliance of both government and third parties that collect, use or disseminate personal data.
Beyond the definition and moving to what it means, I see data protection as having two halves – (1) Control and limits over the collection, use, and dissemination of personal data covering rules pertaining to consent and purpose of the transfer of data across borders, rules pertaining to data accuracy and security, and (2) Data innovation: This is about how individuals, organisations, and jurisdictions can leverage on the trusted flow of data to increase economic value, foster greater efficiency, and improve quality of life through better goods and services. Both halves demonstrate that data protection is about the balance between organisations’ need to use data with the individual’s need to safeguard his/her personal information, and encouraging responsible data use and custodianship without stifling innovation.
What animates the link between these two sides is the notion of accountability. This is about exercising responsibility over personal data in one’s care, and being answerable to people who entrust their personal data to an organisation. This focus on accountability has seen growing recognition and adoption in Southeast Asian jurisdictions as seen in Malaysia, Philippines, and Singapore. And also, ASEAN documents as well like the ASEAN Framework for Personal Data Protection and ASEAN Digital Governance Framework. This accountability engenders trust amongst all stakeholders and results in a healthy and vibrant digital ecosystem.
That was really comprehensive and clear as well, thanks. You mentioned accountability and related to this, we are seeing data protection regulations coming up rapidly across the entire Southeast Asia region. So Singapore, Malaysia, Philippines, and Thailand already have data protection laws, while Vietnam and Indonesia are in the midst of finalising comprehensive data protection bills. But do you think there is awareness among the general population about what these laws mean for their personal data? And do you think they should care to invest the time and energy required to understand them?
The general sentiment amongst the public in Southeast Asia in particular, in the jurisdictions that you mentioned that have an omnibus data protection regime, is that they are aware of the notion of data protection but do not necessarily appreciate what it entails or what it seeks to achieve. People, or the general public, are more concerned about ensuring compliance and avoiding penalties than necessarily always advancing the spirit of data protection. Anecdotally, we have heard stories of jurisdictions focusing and allocating a large amount of time and resources towards generating awareness about data protection and privacy, and in jurisdictions where there is no omnibus data protection regulation, it is likely that the understanding of data protection remains largely in the province of lawyers, policymakers, and those involved in the digital sector of the economy.
Yet, this is not to say that there has been no progress. During the COVID-19 pandemic, we saw concerns raised by the public over the use of personal data, sensitive personal data, for contact tracing efforts. This awareness has likely arisen from the efforts of both government and regulators, as well as continuing media and social media coverage about data breaches, data security and data protection and privacy. I think this reflects the picture that data protection remains a still maturing field in Southeast Asia, given that the region only began earnestly embarking on this journey about 10 years ago. There is still a ways to go before the level of maturity on data protection reaches the same level as elsewhere in the world such as the US or EU.
On the question as to whether people should care, I think people should increasingly care about data protection because as I mentioned earlier, it is not just about protecting one’s birth data but also in this part of the world where economic value and economic growth is so important, it is increasingly important to see data protection as another pillar of ensuring that there is good economic growth in this region, and how we can tap on the intrinsic value of data that is stored within many organisations and by people, and how to build on that, and how to leverage on that to deliver innovative services and goods.
Got it. Yeah, completely agree. Data protection and privacy are all becoming important topics for the end user and the general public to understand. So my next question is as an end user of a number of online and digital services, could you break down to me what aspects of personal data protection I should specifically be aware of and how data protection regulation affects me? And maybe we can start by having you explain to us how the free flow of data across borders translates to an end-user’s experience as well.
It is often said that the free flow of data across borders allows businesses to better serve customers, improves efficiency, and drives the creation of innovative tools and models. But under the hood, what does it really mean? As an example, when you think of a small firm, you may think of it working from an office but beyond the brick and mortar facade you see, there are more functions within the digital ecosystem that help provide services. This ecosystem includes the company, customers, banks, warehouses, suppliers, and more. It could also include intermediary platform companies, ad tech companies, call centres, delivery companies and so on. It could also go through regulators to ensure integrity of the service. If the data servers are located overseas, then it might make more economic sense to house the data there. So, in order for the good you have ordered to reach you, the data you enter, which includes your address, how much you want to order, your financial information, etc. may well need to travel outside the country, sometimes multiple times. And all this happens in a split second through high bandwidth fibre networks and undersea cables so we don’t often know that it’s there. But it happens every day, every second. So imagine, if for some physical business or regulatory reason that the cross-border transfer of data could not go through; it would invariably affect some part of your transaction – perhaps the payment doesn’t go through or the company can’t check if the warehouse has enough stock to deliver to you or the delivery man may not receive the order to get the delivery to your house.
Beyond physical delivery of goods, companies also use the data to innovate on their services. They may analyse for example, which country is ordering more of a good and prepare enough stock for customers, or train recommendation engines to recommend other goods to you. This is just a snapshot of the modern digital economy. The free flow of data across borders, like blood in somebody’s system, is essential to making this digital economy and the benefits of it possible.
I just wanted to highlight that at the Future of Privacy Forum, one of the things that we do constantly is to put up infographics that map out technology and the underlying regulations in an easily viewable and understandable way, and these are available on our website. And I encourage our listeners today to have a look at them.
Thanks, Josh. I’ll definitely check them out later. To switch gears and talk a little bit about the regulatory aspects of data protection, what are some of the challenges faced by regulators as well as digital platform companies or tech companies in implementing global data protection regulations like the GDPR and personal data protection regulations elsewhere? And how do we avoid concerns around over-regulation and balancing them against digital innovation and efficiency like you mentioned right at the beginning?
These are tough questions, and let me try to take them in turn. Data protection authorities worldwide are increasingly encountering difficulties in enforcing national data protection or privacy laws. This is due to the changing nature of cross-border data flows as a result of the globalised nature of the economy, big data, IoT, cloud technologies, social media, and forum shopping. And when I say forum shopping, I don’t mean going to a forum to shop. It means organisations exploiting differences in data protection laws to select a country or territory or jurisdiction with a weaker data protection law while still having a presence in other jurisdictions. Data protection authorities (DPAs), therefore, increasingly find that they are unable to pursue complaints or conduct investigations relating to the activities of organisations outside their borders. And there is a gap between the applicable data protection laws and the ability of these DPAs to enforce those laws.
Some of the common issues really include:
- Limits on notification and sharing of information – Without legislative frameworks providing for the sharing of information, there is uncertainty about the legality of enforcement agencies carrying out certain types of information or evidence gathering pertaining to investigations.
- Extraterritoriality and effective sanctions – Although many governments may hope to ensure that overseas data activities comply with their own domestic data protection laws, there is little or no chance of the law being enforced even if a DPA asserts that the data activities abroad should be conducted under its own law because such an imposition is presumably in breach of international law unless the state concerned gives consent. Therefore, any organisation located overseas without a local presence can technically ignore a regulator’s request for information if the data breach occurs entirely in the overseas jurisdiction even though the affected persons were in this jurisdiction.
Companies face many issues too:
- Language barriers are commonplace, especially in countries where English is not the first language.
- Guidance from regulators on compliance may not be forthcoming or shared too late in the day causing a rush at the eleventh hour.
- Problems in understanding the scope of data protection regulations. In Southeast Asia for example, while data protection laws may share broad similarities in conceptual logic, specific rules in laws may be underpinned by different logic or where there are differences in regulatory structures that affect the compliance process. One way to get around these is through cross-border platforms and mechanisms and these can be crucial for effective cross-border transfers. So there are some tools available to regulators when it comes to cross-border data enforcement, notably the APEC CBPR or Cross-Border Privacy Rules, and the Global Privacy Enforcement Network or GPEN. Yet these are all non-binding platforms and may have different members and operating procedures thus limiting interoperability and reciprocity because it is just a messy network of different players, different rules, and different processes.
The next question that you asked is also a very good one. It’s the question of how to avoid over-regulation and stifling innovation. Although each regulator will have their own regulatory imperative and objectives, I think in broad, regulators should consider the following approaches when regulating data protection and for that matter, any sort of emerging technology out there.
- The first is that regulations should ideally be pragmatic, proportionate and risk-based. That means taking a hard look at what are some of the concerns and risks that arise from the use of data or from the use of data-driven technologies, and seeing whether there is a need to actually regulate those areas, and where there is a need, to assess how probable the risks and harms are, and putting in place measures that are proportionate to the level of risk.
- Regulators should also ensure timely and regular multi-stakeholder engagement to understand ground concerns and views, avoiding the situation where regulation that comes out is viewed by the industry as not sufficiently well-informed.
- Regulators need to really understand the tech they are trying to regulate for the regulations to make sense. Regulators should ask themselves if there are sufficient capabilities to understand data protection obligations and ensure compliance from organisations and the broader public. Additionally, regulations should ideally be tech agnostic and future-proof against tech advancements.
Thanks, Josh. Yeah, It sounds like a very complex ecosystem, and there are a lot of different interests that need to be balanced in the mix. One thing that you mentioned really struck a chord with me, and that was that regulation should take into account market conditions. To extrapolate that a little bit, should regulation also take into account social and cultural preferences as well as context in the region? I ask this because regulators in Southeast Asia, as well as in other parts of the world, have been known to adopt clauses and principles from the GDPR in local data protection regulations. Do you think that the development of laws has been sufficiently adapted to a local cultural context?
Thanks for that question, Shivi. I think it is hard to answer whether something is efficient here in Southeast Asia because the data protection landscape continues to evolve rapidly in this region. What I can say is that the GDPR has had a notable impact on regulatory thinking in SEA. When the GDPR came into force in May 2018, it brought with it higher standards, stricter laws and tougher sanctions, with extraterritorial application and transparency, not just in the EU but also to organisations worldwide that process or hold the data of EU residents. As ASEAN trades heavily with Europe, it therefore became important for businesses to comply with the GDPR and this in turn influenced many ASEAN countries to review their own data protection law and to develop regulatory frameworks to protect their citizens while enabling local businesses to operate globally through some level of alignment with global regulatory approaches. Let me give some examples. Thailand’s PDPA draws various concepts from the GDPR including alternative legal bases for collecting personal data without the data subject’s consent. However, compliance with the GDPR is not the same as complying with the Thai PDPA. Malaysia’s PDPA, which came into force in 2013 is currently being reviewed to streamline it with international development including key takeaways from the GDPR. Third, Singapore’s PDPA was also amended in 2020 to introduce new concepts like data portability and the legitimate interest exception which are similar to rights under the GDPR.
There is also the question of what it means to be adapted to a Southeast Asian context. And here I think we must take a step back because Southeast Asia is an incredibly diverse region with different cultures, legal systems, economies, and legislative priorities. In other words, even as data protection as a field matures in the region, there is much learning to be done both without and within. Certain initiatives like the ASEAN Framework on Data Protection, the ASEAN Digital Data Governance Framework, and Model Contractual Clauses all point to a growing awareness of the importance of harmonisation and interoperability. There remains a long way to go to give colour at a regulatory level to these principles.
Got it. To round off this conversation, you’ve already touched on some of these frameworks and benchmarks in your previous responses, but could you talk a little bit about the different data protection frameworks and benchmarks which are used at both a regional level in Southeast Asia, as well as a global level to harmonise data protection across these different countries?
Sure, I think my assessment of this first and foremost is that it’s still described as a work in progress, even though important steps have been taken so far. Let me say at the start that from FPF’s conversations with our stakeholders, our sense is that regulators understand the importance of having open data flows and that they are important to a thriving digital economy, but yet there is also a recognition of (1) the need for data to be transferred across borders in a trustworthy and accountable manner, and (2) that there are legitimate regulatory and policy objectives amongst the different Southeast Asian economies that may require some restrictions on cross-border data flows.
While convergence may be difficult given different regulatory priorities, what we can work towards is greater interoperability. Now to that end, contracts, binding corporate rules, and certification would allow for such interoperability of regimes.
- Contract – While consent is adequate for residual circumstances, it is not ideal for systematic or recurrent transfers especially when it is common for businesses to change service providers periodically. Contractual clauses are widely used by businesses around the world, and they allow a business to impose data protection requirements on the receiving party. A widely known example is the EU Standard Contractual Clauses, first promulgated in 2001, and updated recently. And in ASEAN, we have the MCCs which are more flexible templates recognised by all ten ASEAN member states and ready for use since January 2021.
- Certification – In the longer term, the use of certification as a mechanism holds good promise going forward. It’s a tried and tested system for cross-border transfers and I’m referring to the APEC CBPR and PRP which are comprehensive certification mechanisms for cross-border data transfers. They have the advantage of allowing for intra and inter-company transfers between certified companies and participating APEC member countries. There are currently a few participating economies in Southeast Asia including Singapore and the Philippines. The total population of these participating countries is over 600 million with a combined value of over USD 3 trillion. There is also a new initiative called the Global CBPR that could become a global certification mechanism with a single approval process.
These are some frameworks in place for the development and cross-implementation and interoperability of regional data protection laws. And the jury remains out to see whether or not these mechanisms in their current form will be sufficient or whether more work needs to be done to build them up and grow alongside the growing number of regulations in Southeast Asia.
Thanks, Josh. That was really, really interesting. I think we’re out of time, so I will round this up. I learned a lot about the essentials, and a lot more than just the essentials, of data protection. So thanks so much for bringing your expertise on this topic and taking the time to chat with us.
Not at all. Thank you so much for having me.