Data rules in SEA - regional v national
Data privacy in SE Asia is growing in importance. The Philippines, Malaysia, and Singapore have data protection laws, as well as an established a data privacy regulation authority. Thailand has its own data protection law, while Indonesia is awaiting its Parliament’s approval, and in the meantime issuing regulations to fill the gaps in data protection and data privacy.
The ASEAN Framework on Digital Data Governance is the structure under which the 10 ASEAN member states handle cooperation on data issues. Current proposals include a data classification framework and a cross-border data flow mechanism for ASEAN. ASEAN data privacy authorities have started regular meetings.
Beyond this in the region the Asia-Pacific Economic Cooperation (APEC) is a growing force in data privacy. Asia Pac. has 45 percent of the world’s online citizens, 2 billion people and growing fast. APEC operates its Cross-Border Privacy Rules (CBPR) allows participating businesses and other organizations to develop internal rules and policies under the CBPR program. The organisation then seeks a seek a certification within the country, which enables them to demonstrate data security within ACEC CBPR countries. It’s purpose is to help organisations achieve higher levels of security. It doesn’t guarantee comply with any country’s laws but protects in the case of a breach by showing a high level of security. Singapore has now joined, the first SE Asian country to do so. Only the US, Japan and Singapore are operating the system, but other APEC countries are planning to join. For example the National Privacy Commission (NPC) recently submitted the Philippines’ letter of intent to join the CBPR System.
So in SE Asia data officers need to keep an eye on national and regional developments. A patchwork of regional overlays is likely to sit above national laws.