EXECUTIVE SUMMARY
- Establishing a comprehensive regulatory framework to build trust in data sharing between stakeholders and to enhance domestic data flows in ASEAN countries are urgent concerns. This is a precondition for enhancing cross-border data flows and promoting e-commerce in the region.
- An analysis of 14 regulatory elements using data from the World Bank’s Global Data Regulation Diagnostic Survey in 2021 reveals that regulatory frameworks to enable domestic data flows are unevenly developed across different enablers and ASEAN countries. These divergences may be exacerbated by different degrees of enforcement of laws and regulations.
- E-commerce and e-transactions-related laws and regulations are the only area in which all ASEAN countries are doing relatively well. Enabling reuse of public intent data is moderately developed, while enabling reuse of private intent data is the weakest area of performance in most ASEAN countries.
- Limited reuse of public and private intent data means that e-commerce firms and consumers in ASEAN have not yet reaped the full benefits of data flows. Unlocking domestic data flows requires a two-pronged approach, i.e. enabling reuse of public intent data and enabling reuse of private intent data.
- The reuse of public intent data should be enhanced by adopting regulatory frameworks of common technical standards and open licensing regime for data; allowing individuals and firms to access public sector data that have not been published on an open data platform; and establishing policies on open data and data classification.
- The reuse of private intent data should be enhanced by encouraging open data licenses among private firms, promoting data portability right for individuals, and strengthening public-private partnership to utilize the digital identification system.
* Sithanonxay Suvannaphakdy is Lead Researcher at the ASEAN Studies Centre, ISEAS – Yusof Ishak Institute, where he undertakes policy-oriented research on ASEAN’s economic integration. He is grateful to valuable comments and suggestions from Tham Siew Yean and Sharon Seah. All remaining errors are his own.
ISEAS Perspective 2022/32, 4 April 2022
* Sithanonxay Suvannaphakdy is Lead Researcher at the ASEAN Studies Centre, ISEAS – Yusof Ishak Institute, where he undertakes policy-oriented research on ASEAN’s economic integration. He is grateful to valuable comments and suggestions from Tham Siew Yean and Sharon Seah. All remaining errors are his own.
INTRODUCTION
The rapid growth of electronic commerce (e-commerce) and availability of digital platforms (e.g. social networks, e-commerce marketplaces) present an opportunity for small and medium-sized enterprises (SMEs) in ASEAN to increase their participation in domestic and international markets. E-commerce is defined as the sale or purchase of goods or services, conducted over computer networks by methods specifically designed for the purpose of receiving or placing of orders.[1] Global retail e-commerce sales have been estimated to grow by 14.3 percent, from US$4.28 trillion in 2020 to about US$4.89 trillion in 2021.[2] About 50 million SMEs use Facebook to find customers; 70 percent of their fans are domestic, and 30 percent are from outside the country.[3] Retail e-commerce sales in ASEAN are estimated to grow faster than those in the world, with a growth rate of 26.1 percent from US$59 billion in 2020 to US$74.4 billion in 2021.[4]
One key towards enabling e-commerce is the enhancement of data flows. The free flow of data reduces transaction costs, accelerates the spread of ideas, and allows users to make use of new research and technologies. This is particularly important for ASEAN, where the e-commerce chapter under the Regional Comprehensive Economic Partnership (RCEP) Agreement aims to create a conducive environment for e-commerce through protection of online consumers and online personal data as well as facilitating cross-border data flows. However, ASEAN countries tend to allow different degrees of domestic data flows, which restrict cross-border data flows in the region. Data flow restrictions can impose costs on local firms as they are not free to use the most convenient data processing provider, and may have to pay for more expensive services when transferring data.
The present study investigates the extent to which regulatory frameworks in ASEAN countries have allowed the use, reuse or sharing of domestic data by the government, e-commerce firms, and e-commerce consumers. Domestic regulatory frameworks serve as a basis to promote regional regulatory cooperation on data. The RCEP provisions on e-commerce may offer an important signal to ASEAN’s e-commerce markets on the future of cross-border data flows. Yet, until policy makers have the confidence that allowing data to leave their borders will not undermine domestic regulatory goals, there will remain a strong incentive to restrict cross-border data flows.
Following the World Bank (2021),[5] regulatory frameworks for data sharing are assessed against three enablers, namely electronic transactions (e-transactions), public intent data, and private intent data. Public intent data refers to data collected with the intent of serving the public good by informing the design, execution, monitoring, and evaluation of public programmes and policies. Such data include administrative, census and survey data produced by government agencies, citizen-generated data produced by individuals, and machine-generated data produced without human interactions.[6] Private intent data refers to data collected by the private sector as part of routine business processes. Such data include transaction and browsing histories, mode of payments, internet protocol (IP) addresses, and smartphone app logs. These three enablers aim to capture policies, laws, regulations, and standards that facilitate the use, reuse, and sharing of data within and between stakeholder groups through openness, interoperability, and portability.
The enablers of domestic data flows are further broken down into 14 regulatory elements. Enabling e-transactions involves four elements, namely legal basis for e-commerce or e-transactions, legal equivalence, legal recognition of electronic signatures, and digital identification (ID) system for online service access. Enabling public intent data consists of six elements, namely mandatory use of common technical standards for data, open data policies, data classification policy, mandatory use of common data classification, individuals’ right to access government data, and adoption of open licensing regime. Enabling private intent data consists of four elements, namely individuals’ right for data portability, individuals’ right to obtain machine-readable data, private sector’s ability to digitally verify ID, and mandatory licensing of essential data.
This study focuses on nine ASEAN countries, namely Cambodia, Indonesia, Laos, Malaysia, Myanmar, the Philippines, Singapore, Thailand, and Vietnam, and utilizes the World Bank’s Global Data Regulation Diagnostic Survey in 2021.[7] The survey collected information on attributes of the regulatory framework in 80 countries, which provides details on regulatory status of data-related laws and regulations in sample countries as of June 1, 2020. This study does not include Brunei because of data unavailability; that country was not included in the survey.
Findings in this study reveal that regulatory frameworks to enable data flows in ASEAN are unevenly developed across different enablers and countries. These divergences may be exacerbated by different degrees of enforcement of laws and regulations. E-commerce and e-transactions-related laws and regulations are the only area in which all ASEAN countries are doing relatively well. Enabling reuse of public intent data is moderately developed. Enabling reuse of private intent data is the weakest area of performance in ASEAN countries, except in Malaysia and the Philippines (Table 1).
ENABLING ELECTRONIC TRANSACTIONS
Data are used or transferred via electronic transactions. Laws and regulations governing e-commerce and e-transactions create trust in both public and private sectors that engage in online data transactions. Adoption of e-commerce and related legislation is widespread across ASEAN countries. Indonesia, Malaysia, Singapore and Thailand have constituted all e-commerce and related legislation. Cambodia, Laos, Myanmar, and Vietnam have not yet established government-recognized digital ID systems that enable people to remotely authenticate themselves to access online services. The Philippines have not yet established the government-recognized digital ID system and legal recognition of e-signatures (Table 2).
Establishing e-commerce laws and legal equivalence of paper-based and electronic communications
All nine ASEAN countries in this study have constituted their e-commerce laws, which is an essential condition to enable e-commerce. They have also established legal equivalence of paper-based and electronic communications (Table 2). Such legal equivalence allows the online transaction, contract, or communication to have the same legal value to physical transactions such as a signature on a paper contract or physical evidence.
Establishing legal recognition of electronic signatures
E-signatures are signatures that are expressed in an electronic form. Fully recognized and enforced e-signatures are essential to allow for remote electronic contracts and transactions as businesses engaged in e-commerce expand their network of clients and suppliers both within and across borders. Some examples of e-signatures include clicking the ‘Agree’ button of a website’s Terms and Conditions, a scanned image of a handwritten signature, a tick-box at the end of an online form, and a drawn signature using mobile device.[8] Except for the Philippines, ASEAN countries have established the legal recognition of e-signatures (Table 2).
Introducing digital identification system
The digital ID system provides reliable authentication and enables delivery of a range of services via web or mobile applications that require proof of identity. It collects and validates attributes to establish a person’s identity, which can be used by identity-holders to prove their identity, for example to employers, financial institutions or government agencies.
Four of nine ASEAN countries included in the survey have established government-recognized digital ID systems that enable people to remotely authenticate themselves to access online services. They are Indonesia, Malaysia, Singapore, and Thailand. The remaining five countries, namely Cambodia, Laos, Myanmar, the Philippines, and Vietnam, do not have such systems (Table 2).
In e-commerce, the use of digital ID reduces time and costs for business transactions by securing digital payments and streamlining processes of registration, authentication, corporate registrations, permits, and authorizations. An empirical study by McKinsey Global Institute[9] reveals that countries implementing full digital ID coverage, namely Brazil, China, Ethiopia, India, Nigeria, the United Kingdom and the United States, could create economic value equivalent to 3 to 6 percent of GDP by 2030. ASEAN countries should also gain from the digital ID system if they fully implement and interoperate it across private and public service providers both within and across countries.
ENABLING REUSE OF PUBLIC INTENT DATA
Regulations enabling access and reuse of public intent data are unevenly developed across ASEAN countries. Indonesia and Thailand have established all necessary regulations to enhance access and reuse of public intent data, while Cambodia and Laos have not yet established any of them. The Philippines needs to constitute the mandatory use of common technical standards for exchanging data across governments’ entities. Malaysia needs to introduce regulatory frameworks on the mandatory use of common data classification and individuals’ right to access government data. Singapore needs to establish regulatory frameworks on data classification, mandatory use of common technical standards, and individuals’ right to access government data. Vietnam needs to constitute regulatory frameworks on open data, mandatory use of common technical standards, and open licensing regime for data (Table 3).
Establishing open data policies
A country’s public sector data being prepared for publication can be classified on a spectrum from closed to open. The degree of data openness depends on four factors, namely accessibility, machine readability, cost and rights for reuse and redistribution.[10] According to Open Knowledge Foundation,[11] a piece of data is open if anyone is free to use, reuse, or redistribute it – subject only, at most, to the requirement to attribute and share-alike. Using this definition, five out of nine ASEAN countries have established an open data act or open data policy applicable across the entire public sector. They are Indonesia, Malaysia, the Philippines, Singapore, and Thailand. The remaining four countries, namely Cambodia, Laos, Myanmar, and Vietnam, have not yet done so (Table 3).
Establishing open data policies serve as a stepping stone to enable value creation for boosting economic growth. Such value benefits governments, firms and consumers in three channels, including decision making, new products and services, and transparency. Open data enables decision makers to use a fact base for making more informed and objective choices using information that is often available in real time. It also enables firms to better understand potential markets and to design new data-driven products. Moreover, it enables citizens to monitor government activities such as tracking public expenditures and impacts. An empirical study by McKinsey Global Institute[12] reveals that the combination of three value channels of open data – decision making, new products and services, and transparency – can generate more than US$3 trillion annually for the global economy.
Ensuring unified data classification standards
Data classification policies typically require the classification of data based on their sensitivity such as classified, confidential, or business use only. In ASEAN, six out of nine countries have established policies or directives on government data classification. These include Indonesia, Malaysia, Myanmar, the Philippines, Thailand, and Vietnam. The practical effect of data classification policies in some countries such as Malaysia tends to be limited because it is not mandatory to use the common data classification categories across all government database applications or document management systems. The remaining three countries, namely Cambodia, Laos and Singapore, have not yet established data classification policies (Table 3).
Allowing access to information
Access to information (ATI) legislation enables individuals or firms to access public sector data that have not been published on an open data platform. The degree of the ATI legislation for enabling public data access depends on the scope of the exemption categories for disclosure. Greater scope of the exemption categories reduces the degree of public data access.
In ASEAN, four out of nine countries have established ATI legislation that grants individuals the right to access government records or data. These include Indonesia, the Philippines, Thailand, and Vietnam. However, these countries have placed significant exceptions on an individual’s rights to access public information under such legislation. These exceptions include sensitive information on national security, defence, or foreign policy grounds; trade secrets or other commercial interests; personal data; law enforcement; and privileged information. The remaining five countries, namely Cambodia, Laos, Malaysia, Myanmar, and Singapore, have not yet established ATI legislation to allow public data access (Table 3).
Adopting an open licensing regime for data
An open license for data grants rights to anyone and is subject to certain minimal conditions like attribution of the data’s owner. If data is not licensed legally, it cannot be used by anyone else. In ASEAN, five out of nine countries have adopted some forms of open licensing regime for public intent data. They are Indonesia, Malaysia, the Philippines, Singapore, and Thailand (Table 3).
The Government of Singapore, for example, launched the one-stop portal called ‘data.gov.sg’ in 2011 to communicate government data and analysis through visualizations and articles, and to facilitate analysis and research. Such a portal contains publicly-available datasets from 70 public agencies and more than 100 apps created by the use of government’s open data.[13] By accepting the license, users can use, access, download, copy, distribute, transmit, modify and adapt the datasets, or any derived analyses or applications.
Adopting a legal framework of common technical standards for data
According to the Federal Enterprise Data Resources of the United States,[14] a technical standard for data refers to a specification that describes the way in which data should be stored or exchanged for the consistent collection and interoperability of that data across different systems, sources and users. The legal framework of common technical standards for data aims to ensure that all government entities connect to and use the government’s interoperability platform as a vehicle for exchanging data.
In ASEAN, three out of nine countries have adopted a full range of common technical standards, such as the principles of FAIR (findable, accessible, interoperable, and reusable), that enable the interoperability of systems, registries, and databases. These include Indonesia, Malaysia, and Thailand (Table 3). Malaysia and Thailand have established standards for open application programming interfaces (APIs) for government to government (G2G), government to business (G2B), and government to consumer (G2C) services; standardized communications protocols for accessing metadata; and developed semantic catalogues for data and metadata. Indonesia has standardized communications protocols for accessing metadata; and developed semantic catalogues for data and metadata.
ENABLING REUSE OF PRIVATE INTENT DATA
Regulations enabling access and reuse of private intent data are lagging those for public intent data across ASEAN countries. Four out of nine ASEAN countries have not yet established any necessary regulations to enable access and reuse of private intent data. These include Cambodia, Laos, Myanmar, and Thailand. Malaysia has not yet established a regulatory framework to allow individuals to access data portability, while the Philippines needs to constitute a regulatory framework on mandatory licensing of essential data. Indonesia, Singapore and Vietnam need to establish regulatory frameworks on mandatory licensing of essential data, individuals’ right for data portability, and individuals’ right to obtain portable data in a machine-readable format (Table 4).
Mandatory licensing of essential data
Open data licenses allow users to freely share, modify, and use a database without regard to copyright or other intellectual property rights (IPR) or limitations around data ownership. Open licenses of non-personal data could be done voluntarily by IPR holders, or implemented on a compulsory basis by regulators to avoid market distortions. In ASEAN, only Malaysia (e.g. standard-setting organizations) has mandated IPR holders to provide voluntary licensing access to critical data or applications based on FRAND (fair, reasonable, and non-discriminatory) terms. Other ASEAN countries have not yet done so (Table 4).
Promoting open data licenses based on FRAND terms can be a useful mechanism in enhancing technological innovation such as development of e-commerce platforms or websites in ASEAN. IPR holders do not necessarily share their data or applications for free, but they should offer them on reasonable and non-discriminatory terms. This means that they can control access to licensed products and receive returns on their investments. This should reduce costs of access to licensed products of dominant platforms incurred by micro, small, and medium-sized enterprises (MSMEs), and hence promote more inclusive growth of e-commerce in the region.
Promoting data portability right for individuals
According to the Information Commissioner’s Office of the United Kingdom,[15] the right to data portability allows individuals to obtain and reuse their personal data provided to data controllers (e.g. e-commerce stores) for their own purposes across different services. This facilitates the movement or transfer of personal data from one e-commerce store to another in a safe and secure way. In ASEAN, only the Philippines has allowed individuals to request the transfer of their personal data from one data controller to another service or product provider. The remaining ASEAN countries have not yet done so (Table 4).
Accessing a machine-readable format of data portability
Transferring personal or nonpersonal data from one e-commerce firm to another requires the use of a standard machine-readable format. In ASEAN, only Malaysia and the Philippines have granted the right of individuals to access their data processed by data controllers in a machine-readable format. The remaining seven ASEAN countries have not yet done so (Table 4). The lack of standard data format restricts the potential benefits of data portability right for individuals as data provided in one e-commerce firm may not be compatible with those of other firms.
Strengthening public-private partnership to utilize the digital ID system
Digital ID systems play an important role in promoting e-commerce development. Firms — including banking and financial services, mobile operators and e-commerce platforms — must verify and authenticate the identities of their users at various points in the customer lifecycle. The key data source to validate customer identity is typically a government-provided or recognized credential, such as national ID or passport. Lack of authoritative proof of identity reduces customer pools and increases administrative overhead and risks of fraud for e-commerce firms.
In ASEAN, only four out of nine countries have allowed private sector service providers to digitally verify or authenticate the identity of a person against data stored in the ID system. These include Indonesia, Malaysia, Singapore, and Vietnam. The remaining five countries have not yet done so (Table 4).
CONCLUSION AND POLICY IMPLICATIONS
The findings in this study confirm that establishing a comprehensive regulatory framework to increase trust on data sharing between stakeholders is an urgent priority to enhance domestic data flows in ASEAN countries. This is a precondition to enhance cross-border data flows and to promote e-commerce in the region. Regulatory frameworks to enable data flows are unevenly developed across different enablers and countries. These divergences may be exacerbated by different degrees of enforcement of laws and regulations. E-commerce and e-transactions-related laws and regulations are the only area in which all ASEAN countries are doing relatively well. Enabling reuse of public intent data is moderately developed, while enabling reuse of private intent data is the weakest area of performance in most ASEAN countries.
At the domestic level, limited reuse of public and private intent data means that e-commerce firms and consumers in ASEAN countries have not yet reaped full benefits of data flows. Unlocking potential benefits of data flows requires a two-pronged approach, including enabling reuse of public intent data on the one hand and enabling reuse of private intent data on the other. Reuse of public intent data should be enhanced by adopting a legal framework of common technical standards and an open licensing regime for data; allowing individuals or firms access to public sector data that have not been published on an open data platform; and establishing open data policies as well as policies or directives on government data classification. Reuse of private intent data should be improved by encouraging open data licenses between private firms, promoting data portability right for individuals, and strengthening public-private partnership to utilize the digital ID system.
At the regional level, there are a number of multilateral arrangements to facilitate cross-border data flows. These include the RCEP provisions on e-commerce and the ASEAN e-Commerce Agreement. The effectiveness of these arrangements depends on the extent to which regulatory frameworks on data sharing are coherent across countries. Regulatory divergence reduces cross-border data flows, while regulatory convergence increases them. Since ASEAN countries are in the early stage of developing their regulatory frameworks for sharing public and private intent data, policymakers and regulators should embed international best practices into their domestic rule-making procedures and prevent regulations creating unnecessary barriers to cross-border data flows in the future. Meanwhile, ASEAN countries should explore the possibility to establish mutual recognition arrangements and/or harmonize their data-related regulations both within and outside the region. Greater coherent data-related policies should boost e-commerce in regional and international markets.
A key limitation in the present study is that it focuses only on the regulatory frameworks of data enablers to promote trust on data sharing between stakeholders. There are other factors that affect trust on data sharing such as regulatory frameworks of data safeguards. Data safeguards promote trust in the data governance and data management ecosystem by avoiding and limiting harm arising from the misuse of data or breaches affecting their security and integrity. Building safeguards for trusted data use in ASEAN will be a subject for future research.
ENDNOTES
[1] OECD, Glossary of Statistical Terms: https://bit.ly/3qZZRQF. Accessed February 25, 2022.
[2] eMarketer, Global E-commerce Update 2021: https://www.emarketer.com/content/global-ecommerce-update-2021. Accessed February 25, 2022.
[3] McKinsey Global Institute. 2016. Digital Globalization: The New Era of Global Flows. McKinsey & Company.
[4] eMarketer: https://www.emarketer.com/content/southeast-asia-ecommerce-forecast-2022. Accessed March 3, 2022.
[5] World Development Report. 2021. World Development Report 2021: Data for Better Lives. Washington, DC: World Bank.
[6] World Bank, Data as a Force for Public Good: https://wdr2021.worldbank.org/stories/data-as-a-force-for-public-good. Accessed March 6, 2022.
[7] World Bank, Global Data Regulation Diagnostic Survey Dataset 2021: https://microdata.worldbank.org/index.php/catalog/3866. Accessed February 20, 2022.
[8] Sleek: https://sleek.com/sg/resources/electronic-signatures-are-legal-in-singapore. Accessed February 20, 2022.
[9] McKinsey Global Institute. 2019. Digital Identification: A Key to Inclusive Growth. https://www.mckinsey.com/~/media/mckinsey/business%20functions/mckinsey%20digital/our%20insights/digital%20identification%20a%20key%20to%20inclusive%20growth/mgi-digital-identification-executive-summary.pdf
[10] Chui, M., Farrell, D., Jackson, K. 2014. How Government Can Promote Open Data. McKinsey Global Institute. https://www.mckinsey.com/~/media/mckinsey/industries/public%20and%20social%20sector/our%20insights/how%20government%20can%20promote%20open%20data/how_govt_can_promote_open_data_and_help_unleash_over_$3_trillion_in_economic_value.pdf
[11] Open Knowledge Foundation, Open Data Handbook: http://opendatahandbook.org/guide/en/what-is-open-data. Accessed February 20, 2022.
[12] Chui, M., Farrell, D., Jackson, K. 2014. How Government Can Promote Open Data. McKinsey Global Institute. https://www.mckinsey.com/~/media/mckinsey/industries/public%20and%20social%20sector/our%20insights/how%20government%20can%20promote%20open%20data/how_govt_can_promote_open_data_and_help_unleash_over_$3_trillion_in_economic_value.pdf
[13] Government of Singapore: https://data.gov.sg/about. Accessed February 20, 2022.
[14] Federal Enterprise Data Resources of the United States: https://resources.data.gov/standards/concepts/. Accessed on February 23, 2022.
[15] Information Commissioner’s Office of the United Kingdom, Right to Data Portability: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-data-portability. Accessed on February 23, 2022.
| ISEAS Perspective is published electronically by: ISEAS – Yusof Ishak Institute 30 Heng Mui Keng Terrace Singapore 119614 Main Tel: (65) 6778 0955 Main Fax: (65) 6778 1735 Get Involved with ISEAS. Please click here: /support/get-involved-with-iseas/ | ISEAS – Yusof Ishak Institute accepts no responsibility for facts presented and views expressed. Responsibility rests exclusively with the individual author or authors. No part of this publication may be reproduced in any form without permission. © Copyright is held by the author or authors of each article. | Editorial Chairman: Choi Shing Kwok Editorial Advisor: Tan Chin Tiong Editorial Committee: Terence Chong, Cassey Lee, Norshahril Saat, and Hoang Thi Ha. Managing Editor: Ooi Kee Beng Editors: William Choong, Lee Poh Onn, Lee Sue-Ann, and Ng Kah Meng Comments are welcome and may be sent to the author(s). |