Data protection in ASEAN

The development of data protection regulations in ASEAN (Association of South East Asian Nations) so far has been patchy. ASEAN has committed to harmonize legal infrastructure for e-commerce in the Roadmap for Integration of e-ASEAN Sector. One of the targets in the Strategic Schedule for the ASEAN Economic Community (AEC) is to adopt best practices/guidelines on various cyber law issues including data protection.

Singapore, Malaysia and the Philippines are the only countries with dedicated data protection laws.

Indonesia, Myanmar and Vietnam are countries with data privacy requirements only as part of their respective electronic transaction laws.  It is important to understand certain compliance requirements of the IT laws in these countries particularly where the laws contain state inspection, registration and validations for IT systems that host personal data.  In the case of Indonesia, regulatory developments are changing as the government rows out regulations pursuant to the 2008 Electronic Transaction and Information law.  Thus far, the Indonesia government enacted two regulations on registration requirements for electronic systems operators.  Vietnam's cyber security information law came into effect on 1 July 2016.  The law contains annual inspections of information systems by the state.  The implementation of this requires further regulations. 

One concern is that inspection or registration compliance requirements may be perceived as veiled attempts by the State to pry into stored personal data using the very law that is meant to secure personal data; another concern is the possible effect of clamping down on internet freedom which would stifle development of start-ups. 

Indonesia and Thailand have circulated draft data protection laws.  It is important to watch this space as the bill goes through the legislative process.  One area of confusion is how one reconciles the data protection law (when enacted) with the data protection provisions in the pre-existing IT laws, in the case of Indonesia.  In the case of Thailand, the bill is not likely to be passed into law in the foreseeable future nor is the government infrastructure ready to implement the law yet, even if passed.

Cambodia still has not announced plans to enact data protection regulations. 

It is important for businesses getting ASEAN region internet traffic to monitor regulatory development in this sector.