How ASEAN Can Effectively Address the Data Privacy Conundrum

Without a doubt, ASEAN is one of the fastest technology adopting regions on the planet! The region's internet use base has grown from 260 million people in 2015 to 350 million people in 2018 and is forecasted to reach 480 million people by 2020.

This rapid growth coupled with headline-grabbing data breaches, fake news scandals, and the political mainstreaming of social media have resulted in a flurry of regulatory activity among ASEAN rule makers. Many, if not all, ASEAN member states have or are in the process of developing privacy and cyber security laws. Singapore's 2018 ASEAN Chairmanship resulted in the adoption of the ASEAN Framework on Personal Data Protection and the ASEAN Framework on Digital Data Governance, a starting point for ASEAN's version of internet governance and especially for privacy regulation.

Yet as governments begin the admirable task of developing such privacy regulations, caution must be taken to adhere to some common principles and avoid conflating privacy and security. Privacy refers to rights of personal information while security refers to the protection of personal information.

Keeping these things in mind, ASEAN has several potential models as reference. These include the Organization for Economic Cooperation and Development (OECD) Privacy Framework, the European Union's General Data Protection Regime (GDPR) and the Asia-Pacific Economic Cooperation (APEC) Cross-Border Privacy Rules (CBPR). The GDPR and CBPR both align with the OECD Framework, however the CBPR, crafted by APEC, has seven ASEAN member states as members, and may be more compatible with the "ASEAN Way."

I hear about the GDPR from our member companies as they figure out how to adapt to its requirements since coming into effect in May 2018. Fulfilling the GDPR's complex and extensive reporting requirements may be possible for multinational corporations (MNCs) with large compliance offices, but for countries with 97-98 percent micro, small and medium sized enterprises (MSMEs), cost of compliance and adaptation can be disproportionate and prohibitive. Some MSMEs may not even realize they are violating a European designed requirement.

While comprehensive, the GDPR model takes a "top-down" approach - the European Union sets regulations for national data protection authorities under it. This may be challenging to replicate in ASEAN, which emphasizes sovereignty and consensus and has consistently shied away from a European-style integration model. The GDPR's imposed costs for both compliance and doing business may hinder the ability of entrepreneurs and MSMEs to grow, innovate and scale regionally and result in innovation arbitrage by larger businesses.

The CBPR, in contrast, through a "bottom-up" approach, sets out fundamental principles from which to base national standards. Whereas commitments are legally enforceable once a member economy or company is included in the system, participation is voluntary. The CBPR sets up a network of reciprocal, mutually agreed privacy regulations which preserve individual nations' privacy regulations. To this end, the CBPR regime may be more compatible in ASEAN as these standards are separate from, and do not supersede, domestic legal requirements.

The CBPR's self-regulation model and bottom-line principles would allow ASEAN economies a reference point from which to develop national privacy regulations and ensure personal data protections while avoiding overly prescriptive guidelines.

Recognition of the CBPR as a valid data privacy compliance mechanism in the recent United States-Mexico-Canada Agreement (USMCA) reinforces the framework's viability as an interoperable, data transfer standard.

In addition, the multi-stakeholder nature of the CBPR would be appropriate for ASEAN given the varying levels of privacy regulation development in Member States. A multi-stakeholder process can provide a platform for potentially harmonizing regulatory practices through an exchange of expertise and best-practices.

ASEAN governments have an opportunity to strike a balance in developing privacy rules and regulations in their ecosystems which enable both private sector led innovation and growth and alongside inclusive digital developmental efforts to reduce digital divides.

This approach has been a hallmark of how the members of the US-ASEAN Business Council have sought to partner with and engage ASEAN stakeholders.

Next week, the Council will host our first 2019 Digital Policy Consultative Forum in Manila, Philippines alongside the first 2019 ASEAN Telecommunications and Information Technology Senior Officials Meeting (TELSOM)-ASEAN Telecommunication Regulators' Council (ATRC) Leaders' Retreat to engage senior officials in a dialogue on enabling environment for increased investment and growth of the data ecosystem in ASEAN.

Privacy is expected to be one component of the discussion, but the emphasis will be on addressing broader ecosystem challenges and developing mutually beneficial solutions with a spectrum of stakeholders at the table.

If regulations are done right, ASEAN can unlock astronomical growth - a projected US$1 trillion add to ASEAN GDP - from the digital economy. Materializing this potential will rest upon how regulators mold the regional ecosystem, and ASEAN's ability to continue positioning itself as a hub for innovation and investment while having practicable regulatory frameworks for personal data protection in place.

Ambassador Michael Michalak is Senior Vice President & Regional Managing Director at the US-ASEAN Business Council.