“Asean businesses will do better without barriers to cross-border data flow” – An Op-Ed by Sanchita Basu Das in The Straits Times

This article was published by The Straits Times on 4 May 2018.

Dr Sanchita Basu Das is Lead Researcher (Economic Affairs) ASEAN Studies Centre with ISEAS – Yusof Ishak Institute.


Asean businesses will do better without barriers to cross-border data flow by Sanchita Basu Das For The Straits Times

Asean leaders at their recent summit pledged to build a ‘conducive environment’ for the growth of e-commerce. It is a worthy goal that will help businesses, especially small and medium-sized enterprises, reap the gains to be had from greater regional trade flows.

But much work needs to be done to put words into action if Asean is to establish trade rules for online transactions and enhance digital connectivity for the movement of goods and services across borders. Member countries would not only have to upgrade their domestic infrastructure but also settle on region-wide harmonised policies and regulations for e-payment solutions, online security and data protection.

The issue of data protection has of late come under the spotlight in the wake of the controversy involving Cambridge Analytica and Facebook. Concerns over lax privacy laws and the potential abuse of consumer data have spilled over even into discussions on Grab’s acquisition of Uber’s ride-hailing services in Southeast Asia and whether Grab has the necessary safeguards to ensure that the data it now possesses won’t be misused.

This worry over data protection has added to the difficulties of harmonising e-commerce rules across Asean because of the patchy nature of existing regulations across the grouping. While most of the older members have developed national data protection policies, others like Cambodia and Laos are yet to embrace such regulations. Some ASEAN members – such as Singapore and the Philippines – have crafted more comprehensive regulations than others. Indonesia and Vietnam have data privacy requirements only as part of electronic transactions. 

There is yet another complication. A liberalised e-commerce market in ASEAN requires the free flow of data across borders. But many ASEAN members, such as Malaysia, Vietnam, Indonesia and Brunei, have created barriers to such cross-border flows. They have propagated data localisation laws which require companies to maintain local servers and ensure that data of customers obtained from the host country is used only locally and not transferred overseas. 

The oft-repeated argument for such data localisation requirements is the protection of citizens’ privacy or national security. But one cannot overlook political motivations as well, as mandated data localisation can be a way to force companies to set up shop in the host country to help generate tax revenue; it could also create ‘behind-the-border’ barriers to safeguard the interests of local players.

The upshot of limited data movement is that the economic wellbeing of businesses and people takes a hit. The cost of operating a business, particularly for SMEs, goes up as countries insist on having local data centres. Consumers lose access to new and varied products at a lower cost. 

In 2014, the European Centre for International Political Economy estimated the costs to Indonesia and Vietnam from their data localisation regulations: a loss of 0.5% and 1.7% of their GDP and 2.3% and 3.1% of foreign investment.

Countries need to understand that privacy regulations should not be overly restrictive in nature if emerging digital economies are to take off and flourish.

And there are other ways to manage cross-border data flow. 

Examples include the European Union, which recently introduced the General Data Protection Regulation (GDPR). It is a top-down system that requires all companies dealing with data of EU citizens to be GDPR compliant.

Another model is the Cross-Border Privacy Rules instituted by the 21-member Asia Pacific Economic Cooperation forum. These depend on mutual recognition and trust. Apec expects businesses to ensure that data collected and used domestically or overseas remain protected, consistent with its privacy principles.

The Comprehensive and Progressive Agreement for Trans-Pacific Partnership (CPTPP) has also included provisions to limit data localisation and enable cross-border data flows to encourage e-commerce trade among participating members.

Mandated local data centres are not a good way forward even if, in ASEAN’s model of integration, national sovereignty resides in parallel with regional endeavours. The better way is for member countries to follow international best practices while keeping in mind local conditions in shaping national privacy laws that simultaneously allow for cross-border data flows.

Subsequently, such laws should be harmonised across the region, leading to an ASEAN-wide e-commerce regulatory framework. 

As each member country goes about formulating its specific rules and regulations, these should have as their ultimate aim to ‘promote a favourable and conducive environment’ for the growth of e-commerce in Asean, as promised by its leaders at last month’s summit, and not to create uncertainties either for firms shifting to digital platforms or for investors looking to establish tech businesses in the ASEAN region.

Indeed, if ASEAN members work together, there is much to be gained – a US$88 billion e-commerce market by 2025, according to one estimate by Google and Temasek Holdings.

The embrace of opportunities offered by new technology – rather than erecting new barriers – will help ASEAN become more resilient against potential disruptive effects.