New laws, led by the European Union’s (EU) General Data Protection Regulations (GDPR), are putting constraints on global groups that had grown used to setting their own rules. Consequently, data-driven tech companies from Google and Facebook to Alibaba and Amazon are finally coming under regulatory scrutiny for their shortcomings, especially over data privacy.
But correcting the problems of today’s digital economy will depend less on government regulators than on the harnessing of market forces. Already, market-inspired data privacy and cybersecurity services are becoming hot commercial commodities, not least in Asia.
This has given rise to a new “RegTech” sector—where companies and governments use artificial intelligence (AI) to manage regulatory processes—which could create opportunities for a wide range of businesses, large and small.
While all nations around the world face data-protection challenges, they are particularly acute in Southeast Asia because the region of 600 million people combines high growth in the digital economy with a fragmented regulatory landscape, spread across a dozen different countries. Moreover, Southeast Asia lacks the legal and technical infrastructure of developed states, such as the US and EU members, or the single central authority of governments in countries, such as the Philippines, India and China. And, as of now, there are no local tech groups big enough to challenge the global leaders.
So, governments and companies must find innovative ways to handle data-protection challenges, including adopting AI-driven risk-management processes, without killing the data markets. Remember, data is wealth!
Southeast Asia is leapfrogging ahead with mobile-first technologies that are rapidly expanding e-commerce, social commerce and the sharing economy. This is producing exponential growth in data, as well as an explosion of fintech start-ups.
The big question facing Southeast Asia is: Can governments, businesses and nongovernment organizations (NGO) work together to create a regulatory environment that protects data but also creates an open and level playing field? In my view, the Philippine Competition Commission (PCC) and the National Privacy Commission (NPC) need to work together closely to achieve that.
There are plenty of cautionary tales from which to learn.
At one extreme is the open system of surveillance capitalism that has prevailed until recently, where data merchants such as Facebook harvest the information of billions of people—mostly out of sight from regulators. The other extreme: a Big Brother regime, such as in China, that uses increasingly intrusive practices to enforce digital autocracy. Both scenarios must be avoided.
Absent the development of a unified viable regulatory framework, companies will be forced to further localize and nationalize their operations, effectively cutting themselves off from global data value chains.
Meanwhile, the data-protection landscape across Southeast Asia is fragmented.
Singapore’s Personal Data Protection Act (PDPA), for example, imposes penalties of up to a million Singapore dollars and prison time for violations of an individual’s privacy. The PDPA applies to all electronic and nonelectronic communications regarding data collection, processing or disclosure and requires companies to obtain customers’ consent. Companies must also inform customers regarding the personal data they possess.
Malaysia has a similar PDPAs, while Indonesia has drafted data privacy standards that are a virtual cut and paste of the European GDPR. Vietnam, Thailand and the Philippines are in the process of either implementing or drafting variations of PDPAs.
To the north, Aseans, largest trading partner, China, recently passed its Cyber Security Law, which, among other things, requires foreign companies to store local customer data on servers located in China—which grants Beijing backdoor access to that data. To date, Malaysia, Indonesia, Vietnam and Brunei Darussalam all have their own versions of data localization laws in place, with others looking at new regulations.
With all this complexity, the only answer for tech companies, especially smaller, local businesses, is technology.
At the 2018 Fintech Expo in Singapore —now the largest of its kind—the impact that data-protection laws are having on the banking sector became obvious. Most companies in attendance (especially start-ups) were promoting tools and services relating to data privacy and security.
Meanwhile, at a regional level, the recent signing of an e-commerce agreement by the Asean offers hope of regulatory integration, even if this is only a symbolic first step.
With Southeast Asia becoming a testing ground for high-tech solutions to privacy challenges, regulators must hold data capitalism accountable. Governments, businesses and other stakeholders must continue to work together to achieve a regulatory landscape that is fair and open, and gives smaller local companies a chance to compete with global giants.
As said above, in the Philippines, a close cooperation between the PCC and the NPC, including the private sector, is desirable to protect the Philippines’s potential in Big Data.
Feedback is more than welcome; contact me at Schumacher@eitsc.com.