Southeast Asia is on a path to becoming a $1 trillion digital economy by 2030, and data is its lifeblood. Naturally, this has led to concerns about how the vast amounts of data being collected are protected from misuse. That raises the question: what can individuals, companies, and governments do to develop a trustworthy data protection ecosystem?
To unpack these pressing questions, the Grab Public Affairs team invited regional experts from local businesses, think tanks, and regulators to our podcast, Grab Conversations on Air, to discuss the state of data protection in the region, focusing on cross-border data flows and data governance / privacy.
You can listen to the four episodes here (The Basics; Thailand’s Regulatory Perspective; Singapore’s Regulatory Perspective; Small and Medium Businesses’ Large Challenges) and find the transcripts on our blog.
For a summary of the conversations, read on.
What Data Protection and Free Data Flows Mean in Southeast Asia
Data privacy and data protection are often treated as synonymous concepts. However, as Josh Lee, MD APAC of the Future of Privacy Forum, clarifies in Episode 1, data protection needs to address the personal interests of users/consumers as well as the economic interests of companies to ensure that both privacy and innovation are protected.
Southeast Asian governments have also come to recognise the importance of balancing these two sides. Singapore, Malaysia, and the Philippines enacted comprehensive Personal Data Protection Acts (PDPA) in the early 2010s, while Thailand and Indonesia enacted theirs in 2019 and 2022, respectively. While striving to protect their citizens’ personal data, these countries left space for their digital economy to grow. The region’s digital economy is expected to grow by 20% year-on-year despite the pandemic.
Cross-border data flows have contributed in part to this growth by allowing businesses in the region to access new markets and customers, increase efficiency, and improve service delivery. They also improve the delivery of services to citizens.
“The free flow of data across borders, like blood in somebody’s system, is essential to making this digital economy and the benefits of it possible.”
Josh Lee, Managing Director Asia-Pacific of the Future of Privacy Forum
Data Protection in Singapore and Thailand
In Episodes 2 & 3, we examine how Thailand and Singapore have struck a balance between data protection and data innovation. Singapore enacted its PDPA in 2013 in an effort to safeguard the growing digital economy at the time. In parallel, Singapore positioned itself as a regional hub for data storage, analytics, and governance. According to Francis Zhang, Policy Lead at the Singapore Personal Data Protection Commission (PDPC), Singapore is keen on being a data-driven economy and supports cross-border data flows.
“Singapore PDPC focuses not just on data protection but also data innovation. We want businesses to use data, including transferred data, in a safe and legitimate way but also allow them to innovate.”
Francis Zhang, Policy Lead at Singapore PDPC
Thailand has taken a similar approach. Dr. Prapanpong Khumon, Adviser to the Secretary-General of the Thailand PDPC, highlighted that Thailand recognised the importance of being able to mobilise data across borders to foster innovation for economic growth. Data mobilisation aligns with the country’s plan to shift the economy from being labour-intensive to data-driven.
“Thailand’s economy is made up of a large proportion of small and medium enterprises. Based on research and recent findings, the economic contribution of those enterprises is expected to grow to trillions and lead to economic growth of the Thai economy if SMEs can go fully digital by being able to mobilise data across borders.”
Dr. Prapanpong Khumon, Adviser to the Secretary-General of the Thailand PDPC
Region-wide Efforts for Harmonisation of Cross-border Data Flows
With each country in Southeast Asia enacting its own data protection laws, both enforcement authorities and industry face challenges. Regulators need to address challenges posed by (1) extra-territoriality of laws, i.e., the legal ability of other governments to exercise authority beyond their national boundaries, and (2) forum shopping, i.e., organisations exploiting differences in data protection laws to select a country, territory, or jurisdiction with a weaker data protection law while still having a presence in other jurisdictions. Industry players, particularly SMEs, suffer from a lack of awareness about regulation, language barriers, unclear implementation guidance, and disparate standards and scope of laws across different countries.
Since the maturity of PDP laws varies across countries in the region, there have been concerted efforts to harmonise regulatory requirements across the region. Regional solutions include:
- ASEAN Model Contractual Clauses (MCCs) – a set of contractual terms that provide baseline requirements for businesses to transfer data among ASEAN member states.
- APEC Cross-Border Privacy Rules (CBPR) – a government-backed data privacy certification that companies can join to demonstrate compliance with internationally recognised data privacy protections.
- ASEAN Framework on PDP – consists of principles of personal data protection that member states have agreed on.
- ASEAN Data Management Framework (DMF) – provides guidance for businesses and particularly SMEs on how to put in place a data management system.
Additionally, to maintain the privacy and security of data during international transfers, organisations can use privacy-enhancing technologies (PETs). PETs safeguard personal data using technologies such as differential privacy, homomorphic encryption, federated learning, and multi-party computing, among others. Singapore launched a PET Sandbox in 2022 to help businesses experiment with PETs, match them with qualified PET solution providers, and provide regulatory support.
Practical Challenges for Businesses
Compliance with data protection laws presents different challenges to small versus large-scale businesses (see Episode 4). While large multinational companies generally have sufficient resources to implement comprehensive data protection measures and comply with PDP laws, Small and Medium Enterprises (SMEs) may find it more challenging.
Many SMEs do not have the resources or a fully developed system in place for protecting and managing personal data according to the requirements of the PDPA. Such a program would include various elements such as data governance, data protection policies, data protection training, incident management, and regular audits. To add to the complexity, companies have to comply with a plethora of sector-specific regulations in addition to omnibus regulations like PDP laws, all of which differ across countries.
“Even if you (SMEs) have a DPO designated already, in 80-90% of these places the DPO is not equipped or knowledgeable enough to understand how to synchronise the data protection requirements or regulation or policies for like three or four different countries.”
Desmond Chow, the Director of P2D Solutions Pte Ltd
Solutions to Strike a Balance between Data Protection and Innovation
Governments may find it challenging to develop and implement regulation that balances data protection with promoting innovation. In summary, here are four suggestions made by the expert speakers to help achieve this balance:
- First, regulatory requirements should be harmonised across the region and globally. This will create a level regulatory playing field, reduce compliance burdens, and ensure smooth and efficient data flows.
- Second, regulation should be pragmatic and risk-proportionate. Regulators should focus on the risks most relevant to the specific industry and not impose unnecessary burdens on companies that may stifle innovation.
- Third, regulation needs to be iterative and keep pace with evolving technologies and socio-economic environments. This can be achieved through multi-stakeholder engagement to understand ground concerns and make informed decisions.
- Fourth, two-way education efforts between industry and government are important. Regulators should take the lead in alerting and guiding companies and users about data protection laws, tools, and best practices. Companies should educate regulators about evolving technologies and consult on how to keep regulation relevant.