Galexia

  Research

Article - A new regional approach to privacy in ASEAN (October 2008)


[ Galexia Dots ]

Related Galexia services and solutions

Cite as

The ASEAN commitment to privacy regulation

There is considerable activity in the Asia-Pacific region regarding privacy regulation. Most countries in the Asia-Pacific belong to at least one of the three key regional organisations - APEC, ASEAN and the Pacific Islands Forum. Individual countries are unlikely to develop privacy regulation without consideration of global and regional standards. Smaller countries in particular are careful to align their domestic regulations with regional and international developments.

Many jurisdictions are participating in the development of the APEC Privacy Framework[2] and related APEC Privacy Pathfinder Projects. However, APEC is not the only relevant regional organisation. The Association of South East Asian Nations (ASEAN) has also recognised the importance of harmonised data protection legal infrastructure. The ten Member Countries of ASEAN have a combined population of 575 million and a combined GDP of $US 1.8 trillion, making it one of the largest and most integrated regional organisations outside Europe. Although ASEAN has a lower profile than APEC, it does have a history of the successful harmonisation of laws - something that is absent in APEC.

The Association of South East Asian Nations (ASEAN) has recognised that the absence of harmonised data protection legal infrastructure has the potential to become a barrier to cross-border trade and investment. Significant business opportunities in business process outsourcing may gravitate to jurisdictions with privacy protection that meet these requirements.

ASEAN has committed to the establishment of an integrated ASEAN Economic Community (AEC) by 2015. A significant target within this commitment is the development of a harmonised legal infrastructure for E-Commerce, as set out in the Roadmap for Integration of e-ASEAN Sector.[3]

The Strategic Schedule for ASEAN Economic Community contains the following specific target:

Adopt the best practices / guidelines on other cyber law issues (i.e. data protection, consumer protection, Intellectual Property, ISP liability, etc.) to support regional e-commerce activities (2010-2013).[4]

To date, no ASEAN Member Country has enacted comprehensive privacy legislation. As shown in the following table, three countries have draft legislation and two countries have minor privacy clauses in their e-commerce legislation.

Country

Privacy Legislation

Status

APEC

ASEAN

Brunei

-

None

 [Check Mark]

 [Check Mark]

Cambodia

-

None


 [Check Mark]

Indonesia

Law on Information and Electronic Transactions

Single clause in e-commerce law

 [Check Mark]

 [Check Mark]

Laos

-

None


 [Check Mark]

Malaysia

Personal Data Protection Bill

Draft legislation

 [Check Mark]

 [Check Mark]

Myanmar

-

None


 [Check Mark]

Philippines

Data Protection Bill

Draft legislation

 [Check Mark]

 [Check Mark]

Singapore

-

None

 [Check Mark]

 [Check Mark]

Thailand

Privacy Bill

Draft legislation

 [Check Mark]

 [Check Mark]

Vietnam

Law on E-Transactions

Single clause in e-commerce law

 [Check Mark]

 [Check Mark]

 

The plan to develop harmonised data protection laws by 2015 (almost from a standing start) may sound ambitious to outsiders, but ASEAN has a successful track record in implementing harmonised legal infrastructure in this field. For example, the ASEAN Australia Development Cooperation Program (AADCP) - Electronic Commerce project[5] helped ASEAN to implement harmonised e-commerce laws in eight Member Countries and draft laws in the remaining two Member Countries in just five years.[6]

ASEAN national laws

Brunei

Brunei is one of the smallest countries in the region. It has no current legislation on privacy. Brunei is a Member of APEC. Brunei is also an ASEAN Member Country and shares a commitment to harmonised data protection laws in ASEAN by 2015.

Cambodia

Cambodia has no current legislation on privacy. Cambodia is not a member of APEC. Cambodia is an ASEAN Member Country and shares a commitment to harmonised data protection laws in ASEAN by 2015.

Indonesia

Indonesia is a member of APEC, but is not an active participant in the APEC Privacy Pathfinder Projects. Indonesia is also a member of ASEAN and has committed to the development of harmonised data protection legislation by 2015.

There is currently no comprehensive privacy legislation in Indonesia, although their umbrella e-commerce law does contain a privacy commitment. The Law on Information and Electronic Transactions[7] is an ambitious piece of umbrella legislation covering e-government, electronic contracting, privacy, cybercrime, digital copyright and other cyberlaw issues in a single omnibus Law. The legislation contains a single, brief provision on privacy:

Article 26
(1) The utilization of any information by means of electronic media relating to data about private right of anyone shall be carried out with the approval of the person concerned unless otherwise stipulated by the statutory regulation.
(2) Any person whose rights are violated in the manner detailed in paragraph (1) is entitled to compensation for any loss as explained within this legislation.

The privacy measures afforded by Article 26 of the Law on Information and Electronic Transactions are a small step on the road to a more secure e-commerce environment.

Laos

Laos is a small developing country and remains on the UN list of least developed countries. Laos has no current legislation on privacy. Laos is not a member of APEC. Laos is an ASEAN Member Country and shares a commitment to harmonised data protection laws in ASEAN by 2015.

Malaysia

Malaysia’s Personal Data Protection Bill is now in the final stages of drafting.[8] The Bill is expected to be subject to a further round of stakeholder consultation in late 2008.[9] The Bill provides ambitious, comprehensive privacy protection:

The personal data protection law is envisaged to be a world class leading edge cyberlaw that provides for higher level of personal data protection... and to promote Malaysia as a preferred trading partner that provides international standards of personal data protection.[10]

There are also proposals in Malaysia to establish both a Privacy Commissioner and a Personal Data Protection Tribunal (to hear appeals from decisions of the Commissioner). Malaysia has looked at all options, including the EU and APEC approaches in drafting their legislation.[11]

Malaysia is an ASEAN Member Country and shares a commitment to harmonised data protection laws in ASEAN by 2015.

Myanmar

Myanmar is a relatively isolated country with a large population. It has surprisingly advanced laws in many areas of e-commerce but there is no current legislation on privacy. Myanmar is not a member of APEC. Myanmar is an ASEAN Member Country and shares a commitment to harmonised data protection laws in ASEAN by 2015.

Philippines

The Philippines is in the process of developing comprehensive privacy legislation. Several Bills are currently before their Parliament and these are expected to be combined into a final draft Bill in the near future. The legislation aims to:

Establish fair practices in the collection, recording, organization, storage, updating or modification, retrieval, consultation, use, consolidation, dissemination by any means, merging, linking, blocking, erasure or destruction of personal data of natural persons and to penalise the unauthorised processing and disclosure thereof.[12]

The Philippines is a member of APEC and has been attending some APEC Privacy Framework meetings. The Philippines is an ASEAN Member Country and shares a commitment to harmonised data protection laws in ASEAN by 2015.

Singapore

Singapore is yet to enact data protection legislation, although a voluntary, industry-based self regulatory model code exists. The Model Data Protection Code[13] was developed by the InfoComm Development Authority. The Model Code is designed to be adopted by businesses in their own data protection policies.

In the absence of specific legislation, the Model Data Protection Code for the Private Sector represents best privacy practice in Singapore.

It is important to note that the Model Code was always intended to be an interim measure on a longer path towards comprehensive legislation:

As an interim measure, voluntary data protection guidelines for the private sector (such as the Model Code) should be given official recognition and adherence invited on a voluntary basis. The exercise will have an educative and harmonising function and should facilitate the introduction of legislation, should Parliament decide in the future to legislate.[14]

In 2006-2007 privacy legislation was the subject of an inter-agency committee study.[15] In 2008, there have been discussions of a new commitment to privacy legislation in Singapore - based on a sectoral approach similar to that used in Japan.

Singapore is a member of APEC. Singapore is hosting the meetings of the Data Privacy Sub Group in 2009. Singapore is an ASEAN Member Country and shares a commitment to harmonised data protection laws in ASEAN by 2015.

Thailand

Thailand has a draft Privacy Act that strives to protect an individual’s personal information while balancing this with the development of information technology and the promotion of Thailand’s ICT policy. The draft data protection law is based on eight principles: consent, notice, purpose specification, use limitation, accuracy, access, security and enforcement.[16]

Businesses have been encouraging Thailand to develop privacy legislation in order to ‘seize BPO opportunities’.[17] Thailand is in the final stages of consultation on its draft privacy legislation, under the direction of the Council of State. The general approach taken in the draft legislation is closely aligned with the EU Directive.[18]

Thailand is an APEC member. Thailand is also an ASEAN Member Country and shares a commitment to harmonised data protection laws in ASEAN by 2015.

Vietnam

Vietnam does not have comprehensive privacy legislation, but it does have a short privacy section in their e-commerce legislation that could serve as a foundation for more detailed legislation in the future. Article 46 of the Law on E-Transactions covers information confidentiality in e-transactions:

1. Agencies, organizations and individuals shall have the right to select security measures in accordance with the provisions of the law when conducting e-transactions.
2. Agencies, organizations and individuals must not use, provide or disclose information on private and personal affairs or information of other agencies, organizations and/or individuals which is accessible by them or under their control in e-transactions without the latter's consents, unless otherwise provided for by law.

In addition, the Law on Information technology stipulate that more detailed regulations regarding information protection in the environment such as regulations on collection, process, use, storage and provision of personal information, may be developed in the future (Articles 21 and 22).[19]

Vietnam is also considering the development of a trust-mark scheme, and has made specific references to the APEC Privacy framework in relation to their trust-mark proposal.[20] Vietnam is an ASEAN Member Country and shares a commitment to harmonised data protection laws in ASEAN by 2015.



[ Galexia Dots ]


[1] Chris Connolly is a Director of Galexia, an independent consultancy specialising in privacy and electronic commerce. <http://www.galexia.com.au>.

[2] APEC Secretariat, APEC Privacy Framework, 2005, <http://www.apec.org/content/apec/publications/free_downloads/2005.html>.

[3] Roadmap for Integration of e-ASEAN Sector, appendix to the ASEAN Framework Agreement for the Integration of Priority Sectors, November 2004, <http://www.aseansec.org/16689.htm>.

[4] ASEAN Secretariat, Strategic Schedule for ASEAN Economic Community, 2007, <http://www.aseansec.org/21161.pdf>.

[5] Galexia, Harmonisation of E-Commerce Legal Infrastructure in ASEAN, April 2008, <http://www.galexia.com/public/research/articles/research_articles-art53.html>.

[6] Connolly C, Harmonizing Cyber Legislation At The Regional Level: The Case Of ASEAN, in United Nations Conference on Trade and Development, Information Economy Report 2007-2008, February 2008, <http://www.unctad.org/Templates/WebFlyer.asp?intItemID=4462&amp%3Blang=1>.

[7] Galexia, Indonesian Parliament passes e-commerce law, March 2008, <http://www.galexia.com/public/about/news/about_news-id127.html>.

[8] The Star, Act to keep personal data private, 6 November 2007, <http://thestar.com.my/news/story.asp?file=/2007/11/6/parliament/19387238>.

[9] The New Straits Times, After 10 years in limbo, your privacy remains at stake, 13 January 2008, <http://www.nst.com.my/Current_News/NST/Sunday/National/2131002/Article/index_html>.

[10] Minister of Energy, Communications & Multimedia (Malaysia), Presentation of Personal Data Protection Bill to Participants of the Asian Personal Data Privacy Forum (Hong Kong), 27 March 2001, <www.pcpd.org.hk/misc/malaysia/Malaysia.ppt>.

[11] Bernama, Ministry Finalising Draft of Personal Data Protection Bill, 5 November 2007, <http://www.ktak.gov.my/template03.asp?tt=news&newsID=375>.

[12] Stakeholders are currently consulting on the version of the Bill located at: <http://www.senate.gov.ph/lisdata/54754855!.pdf>.

[13] TrustSG, Model Data Protection Code, 2003, <http://www.trustsg.com.sg/downloads/Data_Protection_Code_v1.3.pdf>.

[14]The National Internet Advisory Committee Legal Subcommittee, Report On A Model Data Protection Code For the Private Sector, 2002, <http://unpan1.un.org/intradoc/groups/public/documents/APCITY/UNPAN012665.pdf>.

[15] Wong M, Committee reviewing data protection regime in Singapore, Channel NewsAsia, 16 February 2006, <http://www.infowar-monitor.net/modules.php?op=modload&name=News&file=article&sid=1319&mode=thread&order=0&thold=0>.

[16] Privacy International, Privacy and Human Rights 2006 - Kingdom of Thailand, 18 December 2007, <http://www.privacyinternational.org/article.shtml?cmd[347]=x-347-559484>.

[17] Bangkok Post, We need data privacy act to attract BPO, 7 February 2007, <http://www.bangkokpost.net/20th_database/07Feb2007_data52.php>.

[18] Raksirivorakul W, Introducing Thailand’s Data Protection Law, Mayer Brown, 26 June 2008, <http://www.mayerbrown.com/>.

[19] Hoang Minh D, Data Privacy and Data Protection in E-Commerce In Vietnam, Technical Assistance Seminar - APEC Privacy Framework (Lima, Peru), 18 February 2008, <http://aimp.apec.org/Documents/2008/ECSG/SEM1/08_ecsg_sem1_013.pdf>.

[20] Vietnam Business Finance, Data privacy poses obstacle to e-commerce development, 30 March 2008, <http://www.vnbusinessnews.com/2008/03/data-privacy-poses-obstacle-to-e.html>.