Grab Conversations on Air: Data Protection in Southeast Asia

Grab Conversations: Data Protection in Southeast Asia Key Takeaways

Southeast Asia is on its path to becoming a $1 trillion digital economy by 2030 and data is its lifeblood. Naturally, this has led to concerns about how the vast amounts of  data being collected are protected from misuse. That begs the questions – what can individuals, companies, and governments do to develop a trustworthy data protection ecosystem? 

To unpack these pressing questions, the Grab Public Affairs team invited regional experts from local businesses, think tanks, and regulators to our podcast, Grab Conversations on Air, to discuss the state of data protection in the region, focusing on cross-border data flows and data governance / privacy.

You can listen to the four episodes here – The Basics; Thailand’s Regulatory Perspective; Singapore’s Regulatory Perspective; Small and Medium Businesses’ Large Challenges and find the transcripts on our blog.

For a summary of the conversations, read on.

What Data Protection and Free Data Flows Mean in Southeast Asia

 

Data privacy and data protection are often referred to as synonymous concepts. However as Josh Lee, MD APAC of the Future of Privacy Forum clarifies in Episode 1, data protection needs to address the personal interests of users/consumers as well as the economic interests of companies to ensure that both privacy and innovation are protected.

Southeast Asian governments have also come to recognise the importance of balancing these two sides. SingaporeMalaysia, and the Philippines enacted comprehensive Personal Data Protection Acts (PDPA) in the early 2010s, while Thailand and Indonesia enacted theirs in 2019 and 2022, respectively. While striving to protect their citizens’ personal data, these countries left space for their digital economy to grow. The region’s digital economy is expected to grow by 20% year-on-year despite the pandemic. 

Cross-border data flows partially have contributed to this growth by allowing businesses in the region to access new markets and customers, increasing efficiency, and improving service delivery. They also improve delivery of services to citizens. 

“The free flow of data across borders, like blood in somebody’s system, is essential to making this digital economy and the benefits of it possible.”

Josh Lee, Managing Director Asia-Pacific of the Future of Privacy Forum

Data Protection in Singapore and Thailand

 

In Episodes 2 & 3, we study Thailand and Singapore’s approaches to examine how they’ve struck a balance between data protection and data innovation. Singapore enacted its PDPA in 2013 in an effort to safeguard the growing digital economy at the time. In parallel, Singapore positioned itself as a regional hub for data storage, analytics, and governance. According to Francis Zhang, Policy Lead at Singapore Personal Data Protection Commission (PDPC), Singapore is keen on being a data-driven economy and supports cross-border data flows. 

“Singapore PDPC focuses not just on data protection but also data innovation. We want businesses to use data, including transferred data, in a safe and legitimate way but also allow them to innovate.”

Francis Zhang, Policy Lead at Singapore PDPC

Thailand has taken a similar approach. Dr. Prapanpong Khumon, Adviser to the Secretary-General of the Thailand PDPC, highlighted that Thailand recognised the importance of being able to mobilise data across borders to foster innovation for economic growth. Data mobilisation aligns with the country’s plan to shift the economy from being labour-intensive to data-driven. 

“Thailand’s economy is made up of a large proportion of small and medium enterprises. Based on research and recent findings, the economic contribution of those enterprises is expected to grow to trillions and lead to economic growth of the Thai economy if SMEs can go fully digital by being able to mobilise data across borders.“

Dr. Prapanpong Khumon, Adviser to the Secretary-General of the Thailand PDPC 

Region-wide Efforts for Harmonisation of Cross-border Data Flows

 

With each country in Southeast Asia enacting their own data protection laws, both – enforcement authorities and industry – face challenges. Regulators need to address challenges posed by (1) extra-territoriality of laws, i.e., the legal ability of other governments to exercise authority beyond their national boundaries, and (2) by forum shopping, i.e., organisations exploiting differences in data protection laws to select a country or territory or jurisdiction with a weaker data protection law while still having a presence in other jurisdictions. Industry players, particularly SMEs, suffer from lack of awareness about regulation, language barriers, unclear implementation guidance, and disparate standards and scope of laws across different countries. 

Since the maturity of PDP laws varies across countries in the region, there have been concerted efforts to harmonise regulatory requirements across the region. Regional solutions include:

  • ASEAN Model Contractual Clauses (MCCs) – a set of contractual terms that provide baseline requirements for businesses to transfer data among ASEAN member states.  
  • APEC Cross-Border Privacy Rules (CBPR) – a government-backed data privacy certification that companies can join to demonstrate compliance with internationally recognised data privacy protections. 
  • ASEAN Framework on PDP – consists of principles of personal data protection that member states have agreed on. 
  • ASEAN Data Management Framework (DMF) – provides guidance for businesses and particularly SMEs on how to put in place a data management system. 

Additionally, to maintain the privacy and security of data during international transfers, organisations can also use Privacy enhancing technologies (PETs). PETs safeguard personal data using technologies such as differential privacy, homomorphic encryption, federated learning, and multi-party computing, among others.  Singapore launched a PET Sandbox in 2022 to help businesses experiment with PETs, match them with qualified PET solution providers, and provide regulatory support.

Practical Challenges for Businesses

 

Compliance with data protection laws presents different challenges to small versus large-scale businesses (see Episode 4). While large multinational companies generally have sufficient resources to implement comprehensive data protection measures and comply with PDP laws, Small and Medium Enterprises (SMEs) may find it more challenging. 

Many SMEs do not have the resources, or a fully developed system in place for protecting and managing personal data according to the requirements of the PDPA. Such a program would include various elements such as data governance, data protection policies, data protection training, incident management, and regular audits. To add to the complexity, companies have to comply with the plethora of sector-specific regulations in addition to omnibus regulations like PDP laws, all of which differ across countries.

“Even if you (SMEs) have a DPO designated already, in 80-90% of these places the DPO is not equipped or knowledgeable enough to understand how to synchronise the data protection requirements or regulation or policies for like three or four different countries.”

Desmond Chow, the Director of P2D Solutions Pte Ltd

Solutions to Strike a Balance between Data Protection and Innovation

 

Governments may find developing and implementing regulation that balances data protection with promoting innovation challenging.  In summary, here are four suggestions made by the expert speakers to help achieve this balance:

  • First, regulatory requirements should be harmonised across the region and globally. This will create a level regulatory playing field, reduce compliance burdens, and ensure smooth and efficient data flows. 
  • Second, regulation should be pragmatic and risk-proportionate. Regulators should focus on the risks most relevant to the specific industry and not impose unnecessary burdens on companies that may stifle innovation. 
  • Third, regulation needs to be iterative and keep pace with evolving technologies and socio-economic environments. This can be achieved through multi-stakeholder engagement to understand ground concerns and make informed decisions. 
  • Fourth, two-way education efforts between industry and government are important. Regulators should take the lead in alerting and guiding companies and users about data protection laws, tools, and best practices. Companies should educate regulators about evolving technologies and consult on how to keep regulation relevant.

Related Articles

Grab Conversations: Data Protection in SEA Ep 3 (SG perspective)

Francis Zhang, who leads the Policy team at the Personal Data Protection Commission (PDPC) of Singapore, joined Grab’s public policy podcast series, Grab [..]

Read More >

Grab Conversations: Data Protection in SEA Episode 4 (SME perspectives)

Desmond Chow, Director with P2D Solutions Pte Ltd. P2D is a specialist in Personal Data Protection compliance, and a Data Protection Consultancy and Advisory Se [..]

Read More >

Grab Conversations: Data Protection in SEA Ep 2 (Thai perspective)

Dr. Khumon, Vice Dean at the School of Law, University of the Thai Chamber of Commerce, Thailand, and Advisor to the Secretary-General of the Personal Data Prot [..]

Read More >

Komsan Chiyadis

GrabFood delivery-partner, Thailand

Komsan Chiyadis

GrabFood delivery-partner, Thailand

COVID-19 has dealt an unprecedented blow to the tourism industry, affecting the livelihoods of millions of workers. One of them was Komsan, an assistant chef in a luxury hotel based in the Srinakarin area.

As the number of tourists at the hotel plunged, he decided to sign up as a GrabFood delivery-partner to earn an alternative income. Soon after, the hotel ceased operations.

Komsan has viewed this change through an optimistic lens, calling it the perfect opportunity for him to embark on a fresh journey after his previous job. Aside from GrabFood deliveries, he now also picks up GrabExpress jobs. It can get tiring, having to shuttle between different locations, but Komsan finds it exciting. And mostly, he’s glad to get his income back on track.