Forbes magazine recently declared data privacy as the most important issue of the decade. Since the introduction of the European Union’s General Data Protection Regulations (GDPR) in 2018, Facebook’s implication in the Cambridge Analytica scandal, coupled with increased data security breaches year-on-year, it’s no surprise that data privacy and security is at the forefront of the minds of businesses, governments, and individuals.
A global perspective on data regulations
Data regulation is complex. Unlike countries, the internet is or at least has the potential to be, borderless. This borderless state, however, has multiple players with different agendas and interests. Increasingly cities, states, countries and international organisations, such as ASEAN or the EU, are introducing or updating their data regulation legislation.
Businesses tend to favour a more open approach to user data, hoping to use it to develop their service or monetise by selling it on. However, all organisations, be they a local business, a multinational, or a country, must be in line with the legislature of their governing body. For example, the EU’s GDPR applies to any enterprise handling the data of an EU citizen, resident or company, and consequently operates beyond the boundaries of the EU. Businesses should have their own data security measures in place to prevent hacking, and increasingly they are developing data privacy policies to explain their data usage.
And then there is the individual who ultimately wants to feel in charge of their data, adequately protected by data privacy laws, and not at risk from data security breaches.
What does data regulation look like in Southeast Asia?
Currently, Japan is the only Asian country to have a data privacy policy equivalent to the EU’s standards. However, in Southeast Asia, it is hard to measure data regulations by the same standards as Europe as businesses tend to be structured differently. GDPR mainly applies to large multinationals, whereas in Southeast Asia, micro, small and medium-sized enterprises (MSMEs) make up 97-98% of businesses. Unfortunately, MSMEs, especially tech startups, are particularly vulnerable to cyber-attacks. Companies must put cyber-security measures in place, and improved national data security policies could also help.
The current system dominating the region is the Asia-Pacific Economic Cooperation’s (APEC) Cross-Border Privacy Rules (CBPR), last updated in 2015. Individual countries are increasingly strengthening their privacy and data protection policies, with Singapore and Malaysia having the most robust policies. Thailand finally passed a policy last year, but similar to Vietnam, from a global perspective, it is considered moderate. Other countries in the region have either limited to nonexistent data protection policies.
Current data regulation trends
In the decade ahead, expect increased regulations, more transparency and some unexpected innovations in regards to data privacy and security.
Increased privacy and security training in companies is considered essential, but not only can we expect further education of employees, but public transparency over how data is used is vital. Government regulation must align with this, continuing to shift the balance from company-controlled to user-controlled data, similar to GDPR and California’s new legislation. This also supports further transparency, as you can request your data from companies, and take greater control over it.
Data sovereignty is a term to keep an eye on as countries attempt to wrest their data back from businesses. It is the buzzword of France and Germany’s Gaia-X cloud initiative and loosely aligns with China and Russia’s policies of keeping citizen data within country borders. Expect to see a conflict between nations and businesses, as these endeavours could potentially stymie global business innovation and the sharing of security intelligence, as recently demonstrated by the US threats towards Britain for using Huawei for 5g development.
Third-parties are arguably the Achilles heel for data security breaches, making third-party risk management another priority. Even if a company has robust security measures in place, their affiliates may not. Hackers often choose to target this point of weakness, so organisations are under increasing pressure to evaluate whom they work with and ensure they also have robust data regulation policies.
There are some exciting potentials on the forecast too, but it is too early to say if they will become realities. The latest vision of Jaron Lanier, the computer scientist and philosopher who always seems to be one step ahead when it comes to digital innovation, is Data Dignity. Not only would we control our data, but we could profit from it, as we decide its usage with a financial kickback.
There is also speculation about data utilities, a means of streamlining how individuals manage their data across multiple marketplaces, which is potentially financially beneficial to the user too. Data utilities, if run by firms, could help with privacy and security by only sharing aggregate data gathered from its users. The Sovrin Foundation is worth watching as they continue developing their ‘self-sovereign identity’, akin to a digital ID card.
*****
There is a lot at stake in the next decade regarding data regulation and security. Southeast Asian tech companies must keep up to speed, but it will be interesting to see how individuals, corporations and nations navigate this evolving data landscape.