Galexia

Review of e-commerce legislation harmonization in the Association of Southeast Asian Nations (ASEAN) [UNCTAD/DTL/STICT/2013/1]



UNCTAD Review of e-commerce legislation harmonization in the Association of Southeast Asian Nations (ASEAN) [UNCTAD/DTL/STICT/2013/1]

UNITED NATIONS PUBLICATION
UNCTAD/DTL/STICT/2013/1
© Copyright United Nations, 2013

NOTE

Within the UNCTAD Division on Technology and Logistics, the ICT Analysis Section carries out policy-oriented analytical work on the development implications of information and communication technologies (ICTs). It is responsible for the preparation of the Information Economy Report as well as thematic studies on ICT for Development. The ICT Analysis Section promotes international dialogue on issues related to ICTs for development, and contributes to building developing countries’ capacities to measure the information economy and to design and implement relevant policies and legal frameworks.

The following symbols have been used in the tables:

  • Two dots (..) indicate that data are not available or are not separately reported. Rows in tables have been omitted in those cases where no data are available for any of the elements in the row;
  • A dash (–) indicates that the item is equal to zero or its value is negligible;
  • A blank in a table indicates that the item is not applicable, unless otherwise indicated;
  • A slash (/) between dates representing years, for example, 1994/95, indicates a financial year;
  • Use of an en dash (–) between dates representing years, for example, 1994–1995, signifies the full period involved, including the beginning and end years;
  • Reference to “dollars” ($) means United States dollars, unless otherwise indicated;
  • Annual rates of growth or change, unless otherwise stated, refer to annual compound rates;
  • Details and percentages in tables do not necessarily add up to the totals because of rounding.

The material contained in this study may be freely quoted with appropriate acknowledgement.

UNITED NATIONS PUBLICATION

UNCTAD/DTL/STICT/2013/1

© Copyright United Nations, 2013

All rights reserved.

PREFACE

Leveraging information and communication technologies (ICTs) is recognized as a key priority for the Association of Southeast Asian Nations (ASEAN) regional integration, as reflected in the ICT Masterplan 2015. In this context, an area of high relevance is to ensure that governments, businesses and consumers are able to harness the opportunities for electronic commerce. Seizing its potential requires not only access to affordable ICT infrastructure and services but also the development of trust among users – such as governments, businesses and consumers.

The enactment and enforcement of relevant legislation in a way that promotes regional integration are critical steps in this context. The ASEAN has been pioneering among developing countries the harmonization of such legislation. However, while the legislative process takes time, the ICT landscape continues to evolve at a high pace. This makes it important to continuously take stock of progress made and to identify possible needs for further work and revision.

This Review is a joint initiative by the ASEAN secretariat (ASEC) and UNCTAD. It provides an up-to-date assessment of the current state of e-commerce legislation, maps prevailing gaps, identifies emerging challenges and makes specific recommendations towards furthering harmonization in different areas.

The Review is the result of constructive collaboration between the ASEC and the UNCTAD secretariat as well as active participation by all ASEAN member States. In preparation of the Review, two online surveys were conducted on legal frameworks for e-commerce targeting ASEAN member States’ Government representatives and e-commerce businesses, respectively. Two regional workshops were also organized back-to-back with ASEAN Telecommunications and IT Senior Officials Meetings (TELSOM), to which the outcomes of the workshops were presented.

The recommendations made in the Review are intended to serve as a basis for ASEAN to consider the next steps in its efforts to creating a harmonized legal framework for e-commerce in the region.

I would like to express my sincere appreciation to everyone who has contributed in the process. It is my hope that the analysis and recommendations will be a significant value in the next two years as the establishment of the ASEAN Economic Community approaches. Let me assure you of UNCTAD’s commitment to continue to support the ASEAN and its member countries in this process.

Supachai Panitchpakdi
UNCTAD Secretary-General

ACKNOWLEDGEMENTS

This Review was prepared by the UNCTAD secretariat in close cooperation with the ASEAN secretariat.

The UNCTAD team comprised Torbjörn Fredriksson, Cécile Barayre and Marie Sicat, as well as two international consultants Chris Connolly and Ian Walden. Statistical support was provided by Smita Lakhe and Agnès Collardeau-Angleys. Overall direction was provided by Anne Miroux, Director of the Division on Technology and Logistics.

From the ASEAN secretariat, strategy policy direction was given by Tran Dong Phuong, Budi Yuwono and Sukma Wardhana in the Infrastructure Division.

Contributions by the representatives of ASEAN member States are greatly appreciated. They were actively involved at various stages of the production of the Review. Several private sector representatives also responded to the survey carried out in preparation of this Review.

Valuable comments and inputs were contributed by Luca Castellani (UNCITRAL).

The cover was prepared by Sophie Combette. Desktop publishing and graphics were performed by Nathalie Loriot of UNOG Printing Section.

The Review has not been formally edited. Financial support from the Government of Finland is gratefully acknowledged.

ABBREVIATIONS

  • AEC – ASEAN Economic Community
  • APEC – Asia Pacific Economic Community
  • ASEAN – Association of Southeast Asian Nations
  • ASEC – ASEAN secretariat
  • Convention on Cybercrime – The Council of Europe Convention on Cybercrime
  • ICPEN – International Consumer Protection and Enforcement Network E-commerce – Electronic commerce
  • European Union Data Protection Directive – Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data
  • INTERPOL – International Criminal Police Organization
  • ITU – International Telecommunication Union
  • M-commerce – Mobile commerce
  • OECD – Organization for Economic Cooperation and Development
  • OECD Privacy Guidelines – OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data
  • PKI – public key infrastructure
  • UDRP – Uniform Domain-name Dispute Resolution Policy
  • UNCITRAL – United Nations Commission on International Trade Law
  • UNESCAP – United Nations Economic and Social Commission for Asia and the Pacific
  • United Nations Convention on Electronic Contracts – United Nations Convention on the Use of Electronic Communications in International Contracts
  • UNCTAD – United Nations Conference on Trade and Development
  • USAID – United States Agency for International Development
  • WIPO – World Intellectual Property Organization
  • WTO – World Trade Organization

EXECUTIVE SUMMARY

Towards e-commerce legal harmonization in ASEAN

The Association of Southeast Asian Nations (ASEAN) was the first developing region to prepare a harmonized e-commerce legal framework consistent across jurisdictions, providing guidelines to develop common objectives and principles for electronic (e-commerce) legal infrastructure.

The process of harmonization started more than 10 years ago in support of ASEAN regional economic integration objectives through various initiatives aiming at promoting economic growth, with information and communication technologies (ICT) as a key enabler for the ASEAN’s social and economic integration: the e-ASEAN initiative (1999), the e-ASEAN Framework (2000), the ASEAN Economic Community (AEC) Blueprint (2007). The latest initiative is the ASEAN ICT Masterplan 2015[1] adopted in 2011 by the tenth ASEAN Telecommunications and IT Ministers (TELMIN). It focuses on six strategic thrusts: economic transformation, people empowerment and engagement, innovation, infrastructure development, human capital development, and bridging the digital divide. In support of some of the planned initiatives, the Masterplan envisages the establishment of harmonized e-commerce laws in each member country to create a conducive ICT environment for businesses and to build trust in particular by promoting secure transactions within the ASEAN, developing a common framework for information security, and promoting cybersecurity.

The ASEAN has received support from the international community, including from UNCTAD, in order to meet the objectives set in those plans. With regard to e-commerce harmonization, a joint AusAID/ ASEAN study was commissioned in 2004, resulting in a multi-year (2004-2009) project assisting ASEAN to meet targets set in the Roadmap for Integration of the e-Commerce Sector as part of the e-ASEAN Framework Agreement. The e-commerce legislation harmonization focused on electronic transactions laws, and less on other cyberlaws. The results of the project were positive, with four new electronic transaction laws being implemented during the project timeframe, resulting in 8 out of 10 ASEAN members having e-commerce laws in place by the end of the project in

2009. However, two countries (Cambodia and the Lao People’s Democratic Republic) had, at that time, not passed electronic transaction legislation projects.

From 2003 to 2009, UNCTAD has also supported this process by providing assistance to the Governments of Cambodia and the Lao People’s Democratic Republic. A series of capacity-building and awareness raising workshops were organized for policy and law makers. Two draft e-commerce laws were prepared in coordination with the national working group on e-commerce in both countries. In addition, UNCTAD featured the pioneering role of the ASEAN in this area in its flagship report The Information Economy Report 2007–2008.[2]

Since 2009, no significant regional work has been undertaken on e-commerce law harmonization in the ASEAN. However, various committees and working groups have continued to monitor developments in this field, and individual member countries have made significant progress on updating their laws.

The enacting of laws is only one part of the development of effective legal infrastructure. Even with a law in place, member countries face challenges in implementing, enforcing and promoting the requirements of those laws. The harmonization of laws in the region also depends on countries adopting similar approaches based on international best practice – which has not always been the case as shown in this Review.

The harmonization of e-commerce laws can facilitate development and further regional integration in the ASEAN region in establishing an enabling legal environment which will support e-commerce development as well as other key areas such as:

  • Trade facilitation;
  • Tourism;
  • IT-enabled services/outsourcing;
  • E-government initiatives;
  • Cloud computing;
  • Mobile commerce;
  • Social networking

With regard to e-commerce specifically, the ASEAN Working Group on E-commerce and ICT Trade Facilitation commissioned a study in 2008, entitled ASEAN e-Commerce Database[3], to gather comprehensive information on the state of e-commerce activities within the region. The study acknowledged that there is an untapped potential for e-commerce and identified significant barriers to its take-up. In particular it mentioned the lack of consumer trust, the inability to judge the quality of the product during online shopping, payment fraud, privacy, identity theft, and access to complaints systems. In its conclusions, the study stated that a key challenge for many ASEAN countries is to increase Internet penetration to levels that will make e-commerce a viable venue for business. It also recommended the creation of a trustworthy environment for e-commerce, including the establishment of a harmonized framework for cross-border complaints and dispute resolution to discourage fraud, encourage better customer service and improve online sales.

In 2012, UNCTAD proposed to the ASEAN secretariat (ASEC) to carry out jointly a Review of e-commerce legislation harmonization. The purpose was to support the regional integration process, in particular in the realization of the objectives set by the ASEAN ICT Masterplan 2015 referring to the importance of regional harmonization of ICT-related legislation.

The ASEAN–UNCTAD Review builds on earlier achievements in the region. It takes stock of progress in the adoption and implementation of e-commerce laws in member countries and identifies remaining challenges. It also highlights new legal and regulatory issues arising from evolving technologies and applications, such as e-payment systems, cloud computing and mobile commerce.

The study was prepared with the support of the ASEC and the ASEAN Telecommunications and IT Senior Officials (TELSOM) Working Group. To prepare the study, two regional workshops on Cyberlaw Harmonization were organized (the Philippines, 10–11 November 2012; Viet Nam, 6 May 2013). The workshops discussed advances and remaining challenges in adopting and enforcing e-commerce legislation. They also offered an opportunity for ASEAN delegates to discuss legal and regulatory issues around cloud computing and m-commerce. The discussions and the outcome of the first workshop were reported to the twelfth ASEAN Telecommunications Senior Officials Meeting (TELSOM) in the Philippines in 2012 and the Review was presented at the TELSOM–ATRC Leaders’ Retreat (Viet Nam, 11–12 April 2013).

In addition, two online surveys on legal frameworks for e-commerce targeting ASEAN member State government representatives and e-commerce businesses were conducted in preparation of the Review. The results of the surveys were discussed at the first workshop (see annex 2). A thorough desk review of laws and developments was also undertaken to complement the survey results.

Status of e-commerce law harmonization in ASEAN

The Review reflects the various contributions made by the ASEAN delegates participating in the process, and examines legal developments (see table 1) in the areas of e-transactions; consumer protection; data protection and privacy; cybercrime; content regulation; domain names and dispute resolution; as well as cloud computing policy.

Electronic transactions

Overall, progress towards harmonization has been the strongest in the area of electronic transactions laws, with 9 out of 10 member countries now having relevant legislation in place. Cambodia has not yet passed electronic transaction legislation, although a draft law has been developed.

Consumer protection

Progress to date on appropriate consumer protection legislation for online transactions in the region is mixed. Six out of ten countries have legislation in place. Two countries have partial laws in place (Brunei Darussalam and Indonesia). One country has draft laws (the Lao People’s Democratic Republic) and another has yet to commence work in this area (Cambodia).

Data protection and privacy

After a long period in which no ASEAN member country had privacy legislation in place, there is now a great deal of progress and activity in ASEAN. Malaysia started the ball rolling by passing privacy legislation in 2010, followed by the Philippines and Singapore in 2012. Indonesia and Viet Nam both have partial privacy legislation in place (contained in their omnibus e-commerce laws), but it does not provide the same level of detail and coverage as full privacy legislation. Thailand has been discussing the draft general data protection legislation which will provide the data protection in government and private sectors for many years. Brunei Darussalam has just begun discussing privacy legislation, and is watching developments in Malaysia, Philippines and Singapore closely. Cambodia, the Lao People’s Democratic Republic and Myanmar have not yet begun significant work in this area.

Cybercrime

Cybercrime is one area where ASEAN has made excellent progress towards harmonization, with 8 out of 10 members already having enacted legislation. The laws are generally aligned with the international model contained in the Council of Europe Convention on Cybercrime. Cambodia and the Lao People’s Democratic Republic do not yet have any cybercrime laws, and may need to catch up quickly.

Content regulation

Content regulation is characterized by great diversity within the region. Although 7 out of 10 countries have some form of content regulation in place, the regulatory approaches and the subject matters that can be covered by the regulations vary widely. Two countries (Cambodia and the Lao People’s Democratic Republic) have not yet implemented content regulation and Thailand only has partial regulation in place.

Domain names and dispute resolution

Domain-name regulation is fairly harmonized in the region, with eight out of ten countries having similar regulations for the registration of domain names, and most countries following the international standard for resolving domain-name disputes. Some of the regulations are very recent, with Brunei Darussalam and Malaysia recently reforming their domain-name regulations. However, Thailand still relies on existing trade marks legislation to manage domain names, and the Lao People’s Democratic Republic has yet to implement domain-name regulation.

Cloud computing policy

Cloud computing is a recent development and the majority of ASEAN member States have not adopted yet specific policies for cloud services. However, there are two exceptions. Singapore has provided a range of policy, investment and tax initiatives to facilitate the adoption of cloud services in the country. Meanwhile, Indonesia has recently passed regulations that require some cloud service providers to register their business activities in Indonesia, and if they deal with public sector information they must meet additional regulatory and administrative requirements. This includes requirements to locate data centres and back-ups in Indonesia, and requirements to hire local staff. These contrasting approaches show that ASEAN faces some challenges in developing harmonized policies and regulations to enable cloud computing.

Recommendations

Recognizing the benefits of harmonizing e-commerce legal frameworks in ASEAN countries to promote economic growth and competitiveness, thus contributing to the development of a prosperous and highly competitive AEC, the Review proposes a set of concrete recommendations which could contribute to achieving those goals. These recommendations are put forward to ASEAN and could serve as a basis for future discussion to identify priority actions at the national and regional levels. Supporting assistance from international organizations can be requested depending on the priorities thus defined.

Commission an updated roadmap

The commissioning of a new guidance document/ plan for ASEAN member States, similar to the one prepared for the joint AusAID/ASEAN study commissioned in 2004,[4] should be considered. An up to date ASEAN roadmap or guidance document could help member countries in the development of their domestic e-commerce laws. Components could include guidance on legislation and policy in relevant areas. To reflect international best practice, it is important that the guidance document takes into account work of other international organizations and frameworks, such as APEC and the European Union, on addressing cross-border privacy issues.

The roadmap should help member countries self assess their progress in establishing harmonized e-commerce laws, and the ASEAN secretariat to monitor progress over time towards harmonization and to share the results at regular ASEAN meetings, such as TELSOM or dedicated working group meetings.

Strengthen information sharing within ASEAN

There are opportunities for improving information sharing and exchanges of best practices between member countries. Within ASEAN, countries are at different stages of e-commerce law development. In order to accelerate progress for the region as a whole, countries at a more advanced level could actively share their experiences with other member countries. Particular attention could be given to e-government applications, e-payments and cloud applications. Making resources available for regular regional workshops related to e-commerce and law reform would be required.

The organization of regular regional workshops is an important priority for member State representatives. This could include the development of a schedule of workshops over the 2013–2015 period, where such workshops would be held back-to-back with meetings of TELSOM and/or relevant regional meetings.

Build capacity in key areas

All ASEAN countries have reported in the surveys conducted for this Review a need for strengthening the capacities in certain legal areas. In line with the ASEAN ICT Masterplan 2015, attention should be given not only to building the capacity of policy and law makers but also to creating public awareness of e-commerce legislation among users (citizens, banks, other sectors, etc.). This is important especially from the perspective of addressing cybersecurity concerns and building trust. Calls for more capacity-building were made by all 10 countries as a way to speed up development or implementation of e-commerce laws.

It may be useful to identify opportunities for bilateral assistance, using the gaps outlined in this Review. For example, where a small number of countries have still not implemented a particular law (e.g., cybercrime legislation or consumer protection legislation), they would benefit from bilateral assistance from countries that have experience in these laws. Relevant gaps can be seen in table 2 in the section on the current status of e-commerce law harmonization in ASEAN below.

In addition, ASEAN countries have expressed a need for regional capacity-building in areas such as the enforcement of laws, and the treatment of cross border issues. Once the exact nature of the capacity-building needs has been identified, resources would need to be allocated for the organization of appropriate regional training courses or workshops.

Member countries can also request the assistance of international organizations (UNCTAD, UNCITRAL, UNESCAP, Interpol, ITU, OECD, etc.). UNCTAD, through its E-commerce and Law Reform Programme, could extend its assistance to ASEAN countries by building the capacity of policy and lawmakers, including parliamentarians. UNCTAD offers the leading capacity-building programme within the United Nations system in support of the preparation of legal frameworks for e-commerce, covering virtually all legal issues covered in this Review. UNCITRAL also provides resources and assistance, and has extensive experience in helping countries align their laws and practices with international standards.

Further strengthen cross-border harmonization in three key areas

Further work is recommended on harmonization in cross-border jurisdiction issues, reducing conflicts and improving cooperation among ASEAN regulators and public law enforcement agencies. Harmonization of cross-jurisdiction transactions would facilitate smoother cross-border enforcement in a number of areas.

(a) Cybercrime
One key area is the investigation and enforcement of cybercrime across borders. Regional cooperation between cybercrime law enforcement agencies, including the establishment of a common training and resource centre and 24/7 national contact points, should be a priority for ASEAN.
(b) Consumer protection
The harmonization of cross-border consumer complaints could also enable e-commerce to prosper. This would require an agreement between consumer protection regulators in each country, complemented by appropriate investigation and referral tools. Becoming participants in the International Consumer Protection and Enforcement Network could be a first step in improving regional cooperation. To date, only the Philippines and Viet Nam are members.
Consumers could be provided with relevant links through an ASEAN-wide consumer protection portal, and complaints could be analysed to enable the issuance of public warnings and take steps to reduce the harmful impact of scams and similar conduct, as well as identify regional issues and trends, which can then feedback into responsive legal and regulatory measures.
(c) Recognition of electronic signatures
The legal recognition of electronic signatures at a national level does not address the needs of electronic commerce without the capability to grant recognition and validity to electronic signatures originating from other jurisdictions. While the widespread adoption of electronic signature and related trust services has been limited to date, demand for such technologies and service is likely to grow. As such, another area which could benefit from cross-border harmonization is the mutual recognition of electronic signature transactions. ASEAN has already undertaken some preliminary work on this issue, including a pilot scheme between Thailand and Singapore in 2007.
This task will require a stock-taking exercise of the use of electronic signatures in each country, to identify opportunities for the current use of signatures across borders. This work could be aligned with the provisions of the United Nations Convention on the Use of Electronic Communications in International
Contracts, particularly article 9(3), to ensure regional and international harmonization. In practice, several ASEAN member States already recognize electronic signatures across borders.
Countries may also wish to consider the development of an ASEAN mutual recognition agreement, which would detail minimum acceptable standards for electronic certification and related trust services.

Establish a regional online dispute-resolution facility

Consideration could be given to the establishment of a regional online dispute-resolution scheme for handling domain-name disputes. There are already several schemes in operation, at national and regional levels, and these could be studied to gain insights into possible approaches to establishing a scheme in ASEAN.

In time, this scheme could broaden its coverage to include other types of online disputes, particularly consumer related, building confidence in online transactions, and relieving pressure on the existing court system.

Monitor harmonization of e-commerce laws in ASEAN member countries

Formal, regular reporting against the 2015 target would help to bring up-to-date information to the attention of all stakeholders, and could help to motivate member countries to meet the targets.

The ASEAN secretariat can play a key role in this context. It should ensure necessary coordination intended to harmonize regional and national legal frameworks in order to create an enabling environment for the successful implementation of e-commerce in the 10 countries. A web page dedicated to the harmonization of e-commerce laws showcasing the progress of each country would be valuable.

Focal points in each country will gather the relevant data for information sharing. The information contained in this Review, including relevant legislation, drafts and conventions in English can be the starting point of such a repository of resources. This platform will serve to inform stakeholders about the process and monitor the advances of e-commerce laws in ASEAN. It would help define recommendations for the ASEAN member States to foster the enforcement of domestic e-commerce laws harmonized across the region and, ultimately, to facilitate more cross-border trade.

Embark on a new multi-year project with UNCTAD to contribute to the ASEAN ICT Masterplan 2015

Over the years, ASEAN member States have demonstrated their commitment to creating an enabling legal environment for e-commerce. They have made great advances with regard to the adoption of harmonized e-commerce laws. Various development partners have contributed to this process by providing substantive and/or financial support to some member States in the preparation of e-commerce laws, including awareness-raising actions. At the ASEAN level, internal mechanisms in the form of working groups (such as the Working Group on E-commerce) have been monitoring the progress made. Since 2009, however, such monitoring processes have been lacking. Recognizing the work already done so far, UNCTAD, which has been involved for many years in this work in the region, proposes that the ASEAN revive the process.

This Review could be seen as a first concrete deliverable in this context. It takes stock of advances made by all ASEAN member States, identifies main challenges to harmonization, and from there, highlights priority areas where ASEAN countries may wish to focus attention in the coming years to achieve the goals and priorities set at the regional level (including the ICT Masterplan 2015 and future plans), and at the domestic level.

In order to move forward and achieve greater regional harmonization and integration in this area, ASEAN could benefit from designing and implementing a detailed project on the further harmonization of e-commerce laws. The project could help to tie together different activities, proposals and recommendations within ASEAN in one coordinated package. This could help member States to identify and reduce remaining gaps and overlaps, make the best use of available resources and engage relevant partners and stakeholders.

The project could support efforts by the ASEAN member States to implement key recommendations made in the Review and to overcome key challenges they have identified in terms of skills and training and awareness raising (see annex 2), benefiting from UNCTAD’s support. UNCTAD is engaged in similar regional harmonization work in Latin America, Central America and the East African Community, and is well connected with relevant players in the area of e-commerce law harmonization.

A multi-year project would benefit from a combination of regional and national activities. UNCTAD would serve as a resource to the overall efforts by the ASEAN to promote further e-commerce law harmonization. To this end, UNCTAD would build on its strong partnerships with international organizations, United Nations entities and governmental agencies that complement UNCTAD’s own expertise and activities and that are specialized in specific law areas (e.g., data protection, computer crime, cybersecurity, privacy, intellectual property, etc.). Close cooperation and coordination would help to avoid duplication of work in the interest of securing the most effective support to ASEAN. An indicative list of relevant partners is given below. Their involvement would depend on the priorities agreed upon by the ASEAN member States:

  • Asia–Pacific Economic Cooperation (APEC)
  • European Commission
  • International Telecommunication Union (ITU)
  • International Criminal Police Organization (INTERPOL)
  • Organization for Economic Cooperation and Development (OECD)
  • United Nations Commission on International Trade Law (UNCITRAL)
  • United Nations Economic and Social Commission for Asia and the Pacific (UNESCAP)
  • United States Agency for International Development (USAID)
  • World Bank
  • World Intellectual Property Organization (WIPO) • World Trade Organization (WTO)

In addition, the project would benefit from UNCTAD’s international network of experts, who may, for example, be drawn upon in the context of drafting of e-commerce laws reflecting international best practice. If desired, partner organizations would be invited to be associated with this process when relevant to their field of competence. For instance, UNCTAD and UNCITRAL have a long history of collaboration: UNCTAD uses the UNCITRAL e-commerce texts when preparing e-commerce legislation and UNCITRAL relies on UNCTAD’s technical cooperation programmes in countries and its leading capacity-building programme within the United Nations system in support of the preparation of legal frameworks for e-commerce.

The project could include a regional component with focused activities around information sharing.

This may involve, as per the recommendations, the following activities:

  • Support to a process of regular monitoring of progress in the area of e-commerce law harmonization. This could include the establishment of a dedicated website and a tool for the sharing of knowledge and documentation. It may also support the organization of regular meetings of a working group dedicated to the subject matter.
  • Facilitation of sharing of best practices within the ASEAN.
  • Workshops on specific e-commerce law areas for which advancing harmonization remains a priority (e.g., privacy and cybercrime).
  • Thematic workshops aimed at discussing emerging issues identified by member States (such as e-government, e-payments, cloud computing, etc.). The workshops would call upon sharing best practices in the region as well as globally.
  • One-week training programmes tailored for policy and lawmakers (or study tours) on legal topics of relevance for ASEAN countries at the Geneva based international organizations. UNCTAD’s partner organizations would be invited as well as international experts to discuss e-commerce law harmonization issues. Such occasions would allow ASEAN member States to be exposed to the experience of other regions (such as the European Union, the United States and other OECD countries). The national component of the project could be tailored to the needs of each of the ASEAN member States requesting assistance. Countries would define their priorities through national consultations, based on which UNCTAD would help in the preparation of a targeted action plan in the countries concerned.

UNCTAD has used a number of proven strategies in similar efforts in other developing regions to build capacity to support e-commerce law harmonization:

  • Advisory services for the preparation of national e-commerce laws: such services would be provided based on ASEAN countries’ needs for assistance. They would be delivered through advisory missions and continuous collaboration with the beneficiary country and the ASEAN secretariat. Depending on the needs, country missions could include awareness-raising seminars about the nature and issues related to ICT and e-commerce in ASEAN countries, and assistance to the national working groups in the preparation of cyberlaws.
  • On-site regional and national training courses or briefings: UNCTAD has developed eight training modules on the legal aspects of e-commerce.[5] Training activities would be based on UNCTAD training course and material already developed and up to date, including delivery through UNCTAD’s distance learning platform[6]. Policy and lawmakers (including parliamentarians) as well as the judiciary are potential target audiences of the capacity-building efforts of UNCTAD.
  • Documenting and disseminating proven best practices, including through encouraging intra and interregional support and lessons sharing amongst networks of partners.

If ASEAN decides to invest in a joint ASEAN/UNCTAD proposal, UNCTAD would prepare a more detailed multi-year project to be implemented with relevant partners for a set period (e.g., 2014–2016), with possible extension. The project proposal would include a budget estimation for regional activities. Individual countries could be consulted to tailor proposals under the umbrella of the project or alternatively could individually request UNCTAD’s assistance for separate projects.

INTRODUCTION

Background to the ASEAN e-commerce law harmonization process

ASEAN was created in 1967 to promote regional cooperation among its member countries with the objective (a) to accelerate economic growth, social progress and cultural development and (b) to promote regional peace and stability in the region. It currently has 10 member countries: Brunei Darussalam, Cambodia, Indonesia, the Lao People’s Democratic Republic, Malaysia, Myanmar, Philippines, Singapore, Thailand and Viet Nam.

Recognizing the potential of ICTs, ASEAN member countries endorsed the e-ASEAN initiative in 1999 as a result of the ASEAN Vision 2020 defined two years earlier. The Vision aimed, with regard to economic development, to create a stable, prosperous and highly competitive ASEAN economic region in which there is a free flow of goods, services, investment and a freer flow of capital, equitable economic development and reduced poverty and socioeconomic disparities in year 2020. The purpose of the e-ASEAN initiative was to complement national ICT strategies and to promote economic growth and competitiveness for a better integration of ASEAN countries in the global information economy. The e-ASEAN initiative defined an action plan focusing on physical, legal, logistical, social and economic infrastructure to embrace the development and use of ICT.

In 2000, ASEAN member countries entered into e-ASEAN Framework Agreement to facilitate the establishment of the ASEAN Information Infrastructure and promote the growth of e-commerce in the region. The framework comprised five main elements: information infrastructure, e-society, e-government, common market place for ASEAN ICT goods and services, and the creation of an e-commerce friendly environment.

The e-ASEAN Framework Agreement was to be implemented by a series of measures set out in the Roadmap for Integration of e-ASEAN Sector (the e-ASEAN Roadmap).[7] The two key targets in the Roadmap were:

  • Measure 78: Enact domestic legislation to provide legal recognition of electronic transactions (i.e., cyberlaws) based on common reference frameworks.
  • Measure 79: Facilitate cross-border electronic transactions and the use of digital signatures.

Hence, the process of e-commerce legislation harmonization started more than 10 years ago. ASEAN has been pioneering in the developing world the preparation and implementation of a harmonized e-commerce legal framework consistent across jurisdictions, providing guidelines to develop common objectives and principles for e-commerce legal infrastructure.

In 2007, the AEC Blueprint laid the foundation for realizing the goal of ASEAN as an integrated economic region by 2015. The AEC comprises four pillars: a single market and production base, a highly competitive economic region, a region of equitable economic development, and a region that is fully integrated with the global economy.

Adopted in 2011, the ASEAN ICT Masterplan 2015 provides clear action plans for the region to position its future economic growth, with ICT as a key enabler for the social and economic integration by 2015. It focuses on six strategic thrusts: economic transformation, people empowerment and engagement, innovation, infrastructure development, human capital development and bridging the digital divide. In support of some of the planned initiatives, the Masterplan envisages the establishment of harmonized e-commerce laws in each member country to create a conducive ICT environment for businesses and to build trust in particular by promoting secure transactions within ASEAN, developing a common framework for information security and promoting cybersecurity.

In support of the objectives set by ASEAN, three international initiatives should be mentioned. The first is a joint AusAID/ASEAN study commissioned in 2004, resulting in a multi-year (2004–2009) project assisting ASEAN to meet targets set in the Roadmap for Integration of the e-ASEAN Sector. The e-commerce legislation harmonization focused on electronic transaction laws, and only limited work on other cyberlaws. The results of the project were positive, with four new electronic transaction laws being implemented during the project timeframe, resulting in 8 out of 10 countries having e-commerce legislation by the end of the project in 2009. However, two countries (Cambodia and the Lao People’s Democratic Republic) had still not passed electronic transaction legislation at the end of the project.

As well as identifying key international best-practice frameworks, the AusAID/ASEAN project provided some additional guidance and recommendations to member countries. This included the following recommendations:

  • ASEAN member countries should keep exemptions and exceptions in their laws to a minimum;
  • Laws (including draft laws where possible) should be made available online and in English (the formal recognized language of ASEAN).[8]

The second is an UNCTAD project through which assistance was provided to Cambodia and the Lao People’s Democratic Republic since 2003 and 2006, respectively (see box 1). UNCTAD helped build capacity of policy and law makers, draft the e-commerce legislation and raise awareness among stakeholders. In addition, UNCTAD featured the pioneering role of ASEAN in this area as other developing regions and countries were developing their own e-commerce legal frameworks in its flagship report The Information Economy Report 2007–2008.[9]

The third initiative is the current ASEAN–UNCTAD Review of e-commerce legislation harmonization in ASEAN, which builds on earlier achievements in the Association. This Review takes stock of progress in the adoption and implementation of e-commerce laws in ASEAN and identifies remaining challenges to overcome in the implementation and enforcement of e-commerce laws. It also highlights new legal and regulatory issues arising from evolving technologies and applications, such as cloud computing and mobile commerce. Based on this analysis, it also proposes a set of recommendations for consideration by ASEAN member countries to further e-commerce harmonization.

Since 2009, no significant regional work has been undertaken on e-commerce law harmonization. However, various ASEAN committees and working groups have continued to monitor developments in this field, and individual member countries have made significant progress on updating their laws.

Box 1. UNCTAD’s support on e-commerce legislation harmonization in Cambodia and the Lao People’s Democratic Republic (2003–2009)

In line with the framework of the ASEAN e-Commerce Project, UNCTAD has been assisting Cambodia and the Lao People’s Democratic Republic to build capacity and prepare their e-commerce laws. UNCTAD has been associated to this process notably through the creation of working groups and the provision of advisory services to these two countries. As a result, draft legislation on e-commerce in compliance with the region was prepared and training as well as national roundtables/sensitization workshops organized for the public and private sectors in both Cambodia and the Lao People’s Democratic Republic.

UNCTAD has organized a series of awareness-raising workshops in the Lao People’s Democratic Republic and Cambodia, in cooperation with the Science Technology and Environment Agency of the Lao People’s Democratic Republic and the Cambodian Ministry of Commerce, in an effort to help the countries move forward in passing a law on electronic commerce to meet the recommendations of the e-ASEAN initiative. The objective was to create higher awareness and better understanding of the legal implications of e-commerce among policy makers and the business community. UNCTAD’s project has played a pioneering role in raising awareness of the legal dimension of e-commerce and its regulatory implications for the conduct of e-businesses, and of ICT at large.

As a result, two draft e-commerce laws were prepared in consultations with relevant stakeholders from the Governments and the private sector.

UNCTAD’s E-commerce and Law Reform Programme assists member States preparing legal and regulatory frame-works to facilitate e-commerce/m-commerce and e-government. It has become the leading capacity-building programme within the United Nations system in support of the preparation and implementation of legal frameworks governing the use of ICTs in developing countries. Training workshops and briefing sessions for policy and law makers as well as parliamentarians are organized to facilitate this process.

Source: UNCTAD.

Why is cyberlaw reform important for the region?

ASEAN has around 9 per cent of the world’s population (about 600 million), with countries at various levels of economic development. The disparities in ICT uptake remain substantial, with great varying levels of Internet use and low levels of fixed broadband deployment (table 1 and charts 1 and 2). Mobile penetration is very high, except in Myanmar, and offers considerable potential for m-commerce as well as mobile financial services (e.g., m-payment, m-banking) already well used in some countries, such as Indonesia, the Philippines and Singapore.

According to a regional study commissioned in 2008 by the ASEAN Working Group on E-commerce and ICT Trade Facilitation on e-commerce activity, released in November 2010,[1]0 the region is a formidable economic force because of its size, and the potential for greater e-commerce and m-commerce use is enormous. The most visited websites in ASEAN are mainly United States-based – very few local sites appear in the top 10 most visited sites in each country in ASEAN. Moreover, the study notes significant barriers to the take-up of e-commerce: lack of consumer trust, the inability to judge the quality of the product during online shopping, payment fraud, privacy, identity theft, and limited access to cross-border complaints systems.

The harmonization of e-commerce laws can facilitate development in ASEAN in several key areas.

Trade facilitation

Harmonization of laws and associated requirements for information and documentation can play an important role in facilitating trade through mechanisms such as the ASEAN Single Window system, which enables the submission of transit-related regulatory requirements at a single entry point.

Outsourcing

Outsourcing remains a key growth industry in ASEAN. Opportunities for outsourcing can be facilitated by the development of appropriate privacy laws (so that data containing personal information can be received from countries with strong privacy regulatory requirements) and by the development of best practice cybercrime legislation, to build confidence among potential clients.

E-government initiatives

The area of electronic government is considered to be critical in ASEAN and was a priority of the e-ASEAN Framework Agreement.

Box 2. Chapter 9 of the e-ASEAN Framework Agreement

Member States shall utilize the ICT to improve the provision and delivery of services by the government.

Member States shall take steps to provide a wide range of government services and transactions on-line by usage of ICT applications to facilitate linkages between public and private sector and to promote transparency.

Member States shall work towards enhancing inter-governmental cooperation by: (a) Promoting the use of electronic means in their procurement of goods and services; and (b) Facilitating freer flow of goods, information and people within ASEAN.

Source: e-ASEAN Framework Agreement, http://www.asean.org/asean/asean-summit/item/e-asean-framework-agreement.

Administrative policies and attitudes can sometimes act as an obstacle to the adoption of new technologies. However, well-designed e-government policies can facilitate the take-up of new technologies, through the impact of procurement practices on market developments.

E-payment

The role of electronic payments systems in facilitating electronic and mobile commerce is critical, and this is an area that was identified in the Cebu workshop and in the surveys as requiring further guidance. Although the majority of financial services regulation is managed at the national level, harmonization of regulations is important to facilitate cross-border transactions.

Cloud computing

The growth of cloud computing illustrates how technological developments can present legal and regulatory challenges not contemplated a few years ago, such as the possible mass relocation of user data to server farms located in foreign jurisdictions and the ability to reduce dependency on the deployment of end-user software applications.

Social networking

Internet penetration in ASEAN has partly been driven by the growth in popularity of social networking services.

These interactive services represent a step-up from basic email and website use, and have opened the door to a range of e-commerce opportunities. However, laws have not always kept up with social networking business models, and amended legislation in areas like privacy and cybercrime are now required.

The current status of e-commerce law harmonization in ASEAN

Table 2 summarizes the current status of e-commerce law in each country in key areas and shows progress in terms of legal harmonization within ASEAN.[1]1 Overall, harmonization has advanced the most in the area of electronic transactions laws, with nine out of ten member countries now having electronic transactions legislation in place, and in the area of domain-names legislation with all the countries having some form of legislation.

Progress in other areas has been slower, although the majority of member countries have some form of cybercrime legislation in place, and three countries have recently enacted privacy legislation.

Tables 2 and 3 show that the region has made progress towards the enactment of legislation in all of the key areas identified in this Review. Progress in the enactment of privacy laws remains the weakest area, and this may have the potential to hinder e-commerce and cloud computing if it is not adequately addressed. Developments in all other areas are encouraging.


Source: ASEAN e-Commerce Project, ASEAN secretariat and Galexia, August 2007.

However, simply enacting laws is only one part of the development of effective legal infrastructure in the region. Even with a law in place, member countries may face challenges in implementing, enforcing and promoting the requirements of those laws. Also, the harmonization of laws in the region depends on countries adopting similar approaches based on international best practice.

The country chapters contained in this Review provide a more detailed picture of some of the challenges faced in implementing harmonized laws in ASEAN.

THE CURRENT PROJECT

Objectives of the Review

The current ASEAN/UNCTAD Review builds on the earlier achievements in ASEAN, and includes the following activities:

(a)  Taking stock of progress in the adoption and implementation of e-commerce laws in the 10 ASEAN countries;
(b)  Identifying remaining challenges to overcome in the implementation and enforcement of e-commerce laws;
(c)  Highlighting new legal and regulatory issues arising from evolving technologies and applications, such as cloud computing and mobile commerce;
(d)  Proposing recommendations for ASEAN to further harmonize e-commerce legislation.

The project has conducted two online surveys (one of ASEAN member country government representatives and one of ASEAN e-commerce businesses). A thorough desk review of laws and developments has also been undertaken to complement the survey results. An ASEAN/UNCTAD workshop on the Review of E-commerce Laws Harmonization in ASEAN was organized in Cebu, the Philippines from 10 to 11 November 2012. All 10 ASEAN member countries attended the workshop and shared information about developments in their countries. It was also attended by representatives from ASEC and UNCITRAL.

In October 2012 UNCTAD conducted two online surveys aimed at government officials and at the privacy sector, respectively. The government survey asked each country for a progress update on the drafting, implementation and enforcement of laws in six key areas. The survey also asked for information on challenges that each country faced in drafting, implementing and enforcing their laws (see annex 2). The private sector survey asked enterprises to list priority areas for law reform, and asked for information on key barriers to e-commerce in the region.

The surveys provided some valuable insights. The Government survey confirmed that there was a high level of law reform activity in ASEAN, with many countries drafting new laws or reviewing existing laws. The key drivers for updating laws included a desire to align with international developments, the need to facilitate electronic government activities and to keep up with new technology developments, especially electronic payments systems and cloud computing. Many countries in the survey reported that they faced challenges in enacting laws, due to a lack of skills and training for policy makers and legislators, combined with challenges in enforcing laws, such as funding constraints.

The survey of a small number of businesses in the region uncovered concerns about the potential for e-commerce laws to be too intrusive or burdensome for business. Respondents to the business survey expressed a strong interest in law reform, especially in the areas of e-payments and online taxation.

Issues examined in the Review

As a result of the surveys and the workshop, a number of issues emerged as being of particular importance for the harmonization of e-commerce laws in ASEAN. Member-country representatives generally agreed on the priority legal areas and technology drivers in the region as detailed in the following paragraphs.

Electronic transactions

Electronic transactions laws facilitate e-commerce by providing legal certainty for the recognition of electronic communications, electronic records and electronic signatures. Many jurisdictions divide the laws into separate instruments – for example a broad e-commerce law may be accompanied by specific regulations on electronic signatures.

Electronic transactions laws are often influenced by international agreements such as the UNCITRAL Model Law on Electronic Commerce (1996) which has been followed by around 50 jurisdictions, the UNCITRAL Model Law on Electronic Signatures (2001), which has been followed by around 20 jurisdictions and the United Nations Convention on the Use of Electronic Communications in International Contracts (2005) (which has been signed by 18 States).

ASEAN has already made good progress towards harmonization of basic electronic transactions laws, based on international reference frameworks.

In ASEAN, all member countries already use either one or both of the model laws as a basis for local laws (either implemented or draft). However, there are some variations, sometimes significant, in the text of each law as well as in their interpretation by the courts.

For example, UNCITRAL maintains a database of legal decisions, including those relevant to electronic commerce laws – the Case Law on UNCITRAL Texts (CLOUT).[1]2 This database reveals that there have been a number of relevant decisions in the Philippines and Singapore. However, the Philippines case is a good example of a country making a small divergence from the international model laws.

The more recent Convention on the Use of Electronic Communications in International Contracts (2005) entered into force on 1 March 2013, and it may present an even better opportunity for harmonization in the region. There are 18 signatories to date and more States are planning to become a party. One of the stated goals of the Convention is to reinforce legal uniformity – this is the most relevant goal for ASEAN. In fact, by adopting the Convention, States ensure uniformity for a set of core legal provisions enabling cross-border electronic commerce. To date, Singapore has ratified the Convention, the Philippines has signed it, and several other ASEAN member countries have expressed an interest in adopting it in the near future.

Consumer protection

Consumer protection involves government regulation of transactions between consumers and businesses. It protects the interests of consumers by imposing minimum obligations on businesses and providing

redress in situations where consumers suffer harm. Consumer law covers a range of topics, including product liability, unfair business practices, fraud and misrepresentation.

Consumer protection was highlighted in the surveys and in the Cebu workshop as a key priority. While some member countries have a specific consumer protection law for online commerce, others do not. In the latter case, there is potential for consumer protection issues to be covered through laws in areas such as unfair contract terms and competition laws. Two ASEAN members, Viet Nam and the Philippines, are also members of the International Consumer Protection and Enforcement Network.[1]3

In this Review, both types of consumer protection laws are covered briefly in each country chapter. At this stage there is no general guidance for online consumer protection in ASEAN, although there is an active Consumer Protection Committee that looks at these issues.

Data protection and privacy

Privacy may be defined as the claim of individuals to determine when, how and to what extent information about them is communicated to others. It relates to the right of individuals to control what happens with their personal information. Privacy laws are also known as, or supplemented by, data protection laws.

The issue is particularly challenging in ASEAN. Concerns are arising about what commercial companies do with consumers’ personal data. Information ownership, information rights control and security are at the heart of these concerns. Many countries have established constitutional rights to privacy and this is often embedded in various sectoral laws, but comprehensive privacy legislation in the region is rare. A difficult balance has to be made between data sharing and data privacy. There is also a need for guidance on baseline issues with regard to identification.

Box 3. MCC Industrial Sales Corp. v. Ssangyong Corporation

The case is MCC Industrial Sales Corp. v. Ssangyong Corporation , Philippines Supreme Court, Special Third Division, 17 October 2007. The Court found that the Philippines electronic commerce legislation did not include coverage of fax messages because the legislation had used the words “electronic data message” rather than the term “data message” that is used in the UNCITRAL Model Law on Electronic Commerce. The Philippines law had also removed any reference to example technologies, such as “electronic data interchange, telegram, telex or telecopy” that are included in the Model Law. The Supreme Court therefore presumed that these changes were a deliberate attempt to restrict the electronic commerce legislation to purely electronic messages such as e-mail. Whether this is the case or not remains unclear, as many governments have chosen to remove technology-specific words from their legislation, but the slight divergence in language had a significant impact in the case. It is a good example of the need for harmonization based on international best-practice models.

Source: UNCTAD, UNCITRAL.

In some ASEAN countries which see IT-enabled services as a promising growth sector, such as call centres in the Philippines, data protection laws are also necessary to comply with foreign requirements relating to work involving data processing.

Questions also arise related to whether a special law is needed on cloud computing under data privacy and data protection. ASEAN member countries are also seeking clear guidelines on the most appropriate locations for the data and the pros and cons of regulation versus non-regulation.

In this Review, privacy and data protection laws are covered briefly in each country chapter. There is currently no general guidance on privacy laws in ASEAN.

Finding an international reference framework for privacy and data protection is somewhat more complex than for e-transactions or cybercrime. Three key frameworks are the OECD Privacy Guidelines,[1]4 the European Union Data Protection Directive[1]5 and the APEC Privacy Framework.[1]6 All three have had an influence in the region, although to date only three ASEAN member countries have passed comprehensive privacy laws (two countries have partial privacy laws and two more countries have draft privacy laws).

Cybercrime

Cybercrime refers to criminal activities committed by means of computers and the Internet, such as hacking and the distribution of viruses. Cybercrime laws represent an upgrade from basic criminal law and even basic computer crime laws, as they are designed to address criminal behaviour and security issues in online commerce.

As cybercrime covers a wide scope of activities, the focus of this Review is on commercial aspects of cybercrime rather than on terrorism and other focuses of criminal activity. Each country chapter includes a brief discussion of local cybercrime laws.

The key international reference framework for cybercrime is the Council of Europe Convention on Cybercrime. This is open to ratification by non-European states, and to date the United States, Japan and Australia have all ratified the Convention.

No ASEAN member country has yet joined it but the majority of national laws include the same basic offence provisions as those that appear in the Convention.

The Commonwealth has also developed a Model Law on Computer and Computer Related Crime.[1]7 This provides a template for countries wishing to adopt best practice in their cybercrime laws, and also incorporates the key elements of the Council of Europe’s Convention on Cybercrime. This has some influence as three ASEAN member countries are also members of the Commonwealth (Brunei Darussalam, Malaysia and Singapore).

Content regulation

Online content regulation refers to any type of regulation by governments or regulatory authorities directed at controlling access to information over the Internet based on its subject matter; and/or controlling, or attempting to control, access to Internet sites based on subject matter. Many jurisdictions manage Internet content through a mixture of legislation and other regulatory tools (such as codes of conduct or licensing requirements for ISPs).

Online content regulation has not always been considered a priority in ASEAN, and member countries have been left to make their own decisions about the appropriate regulation of online content. However, businesses operating in the region have expressed some concerns about having to operate within multiple content regulatory frameworks, some of which they view as burdensome, such as requirements to redesign complex networks to implement filtering systems to control user access to illegal content, from child sexual abuse images to copyright infringing material. This Review includes a brief summary of local content regulation in each country.

Domain names and dispute resolution

A domain name is the unique name (corresponding to an IP address) that identifies and locates an Internet address (such as a website). Domain-name regulation refers to standards and requirements for the obtaining of Internet names and addresses. This usually involves the establishment of an online dispute resolution service for managing domain-name disputes, or an agreement with an international dispute-resolution service.

Domain-name regulation has become more settled at the international level, with most countries adopting standard domain-name registration policies complemented by a requirement for disputes to be resolved using the Uniform Domain-Name Dispute-Resolution Policy (UDRP).[1]8 In ASEAN, most member countries have adopted this approach, and the relevant laws and regulations are discussed in each country chapter. Two countries are still working to develop appropriate domain-name regulation.

Cloud computing policy

Cloud computing is the provision of a mix of software enabled services and resources that can be delivered to users over the Internet. Services are in principle available worldwide and on demand, backed up by shared resources including networks, servers, storage and applications. Some Government and industry bodies have begun to develop frameworks, standards and regulations to facilitate the development of cloud computing, while providing protection in key areas such as security, privacy and intellectual property protection.

While there is a broad range of laws and regulations that are relevant to cloud services, but there is no specific stand-alone section on cloud computing in the country chapters. Where countries have initiatives that are designed to have a specific impact on cloud services (e.g., Indonesia and Singapore), these are noted.

Several ASEAN member countries are keen to embrace the opportunities provided by cloud computing, and are developing their laws, regulations and policies in a way which will facilitate cloud services. However, some countries also see cloud services as a potential threat to security and to the sovereign control of vital information. Cloud services can be seen as a threat to local businesses as the majority of current cloud service providers are multinational companies based typically outside ASEAN.

Cloud computing is still a relatively new phenomenon and there is not yet a consensus in ASEAN on how to address these issues. However, it will be important for jurisdictions to find a balance between protecting the interests of users and harnessing the potential for cloud computing through appropriate policy settings.

ASEAN member countries have expressed strong interest in developing a better understanding of the pros and cons of cloud computing, and how to apply and regulate it within e-government and the public sector. Issues of data protection, privacy and security are closely interlinked with the implementation of cloud-based solutions.

Member countries are asking whether there is a need for special laws or regulations on cloud services. The technology could be handled either by establishing cloud-computing-specific laws or by integrating cloud-based services into existing laws.

Other issues

Several other issues were identified during the project that could be the subject of future work in ASEAN. These include:

  • E-payment regulation: Effective e-payment is crucial to promoting e-commerce in the ASEAN region. Some country representatives have expressed security concerns with regard to e-payment. Public key infrastructure (PKI) has reportedly not delivered the promised ultimate solution to resolve security and identification issues. To date, there is no general guidance on e-payment issues in ASEAN. E-payment regulations have not been the subject of detailed study in this current Review – this may become a future work item for the ASEAN/UNCTAD project, especially in relation to cross-border issues.
  • E-government: While there is a strong trend among ASEAN countries to improve e-government services, their implementation poses many questions and challenges. ASEAN governments face challenges such as how to implement e-government initiatives with limited resources, finances and capabilities. Member countries expressed a need for guidance on such issues including for trusted online identification services. In this Review, e-government is covered briefly in each country report under the general heading of electronic transactions laws, and it is noted where particular countries have specific laws on e-government (i.e., Indonesia and Malaysia).

TOWARDS E-COMMERCE LEGAL HARMONIZATION IN ASEAN

Identification of key challenges

Several key challenges to e-commerce legal harmonization were identified in the project surveys (see annex 2), in ASEAN member country presentations at the workshop in Cebu, in group discussions at the workshop, and in the detailed research and analysis undertaken for the country chapters. The main challenges to harmonization are discussed below.

Differences in legal approach

There are significant differences in the overall legal approach that has been taken in each country. For example, omnibus laws have been developed in Indonesia, the Lao People’s Democratic Republic and Viet Nam versus specific laws in the other jurisdictions. This can make it difficult to identify and compare legal requirements in the 10 jurisdictions for businesses who wish to operate in the region. It is generally important for all laws to be transparent to the community who will need to abide by them.

Omnibus laws sometimes suffer from a lack of focus and of specific regulatory agencies. At the same time, it is understandable that some jurisdictions which face difficulties in developing and passing legislation have chosen to start the process with this approach. Hopefully, these laws will be strengthened by additional specific regulations over time.

While there is variation in the legal system in the region, to date these do not appear to have had a negative impact on the harmonization of laws in this field. ASEAN member countries that have common law systems benefit from being able to consider precedents from other common law jurisdictions when interpreting legislation. Over time this has clear potential benefits for harmonization.

Absence of independent, well-resourced regulators

In practice, many legal issues require the attention of a specific, focused regulator – and this is missing in some jurisdictions. A regulator with adequate funding and secondary rule-making powers is especially important in the new technology field, characterized by rapid changes. A well-resourced, flexible regulator can usually address emerging issues through developing guidelines or using test cases – and this process is much faster than waiting for parliament to update legislation.

Lack of skills and training

Some member countries face a lack of skills and training, especially in drafting, interpreting and enforcing laws. As noted above, there have been several capacity-building projects in the region, resulting in the training of parliamentarians, the judiciary and policy makers. However, staff turnover and promotion rates are often considerable, raising the need for additional training.

Slow legislative process

Member countries reported frustration at the slow pace of the legislative process (including significant backlogs) in some jurisdictions. Cambodia and the Lao People’s Democratic Republic have faced this issue for many years, although the recent passage of the e-commerce law in the Lao People’s Democratic Republic is a positive development.

Low levels of awareness in government

Several member country representatives at the Cebu workshop reported a continued low level of awareness of e-commerce and cyberlaw issues in government.

Resource constraints

Member country representatives at the Cebu workshop reported that resource constraints and gaps in funding have caused some concerns in ASEAN. For example, there was a significant gap in funding between the end of the AusAID funded project in 2009 and the current study.

Lack of continuity

Member country representatives at the Cebu workshop also reported a lack of continuity in personnel with knowledge of the ASEAN harmonization project/ objectives and personnel with relevant technical knowledge about cyberlaws. This may have been exacerbated by the lengthy gaps between regional workshops on e-commerce law harmonization.

Rapid emergence of new issues

The rapid emergence of new issues (such as offshore outsourcing, e-payment, social networks and cloud computing) has required several countries to amend and redraft legislation, for instance pertaining to privacy and data protection.

Recommendations

Recognizing the benefits of harmonizing e-commerce legal frameworks in ASEAN countries to promote economic growth and competitiveness, thus contributing to the development of a prosperous and highly competitive AEC, the Review proposes a set of concrete recommendations which could contribute to achieving those goals. These recommendations are put forward to ASEAN and could serve as a basis for future discussion to identify priority actions at the national and regional levels. Supporting assistance from international organizations can be requested depending on the priorities thus defined.

Commission an updated roadmap

The commissioning of a new guidance document/ plan for ASEAN member States, similar to the one prepared for the joint AusAID/ASEAN study commissioned in 2004,[1]9 should be considered. An up-to-date ASEAN roadmap or guidance document could help member countries in the development of their domestic e-commerce laws. Components could include guidance on legislation and policy in relevant areas. The guidance document should reflect work of other international organizations and frameworks, such as APEC and the European Union, for example, on addressing cross-border privacy issues.

The roadmap should help member countries self-assess their progress in establishing harmonized e-commerce laws, and the ASEC to monitor progress over time towards harmonization and to share the results at regular ASEAN meetings, such as TELSOM or dedicated Working Group meetings.

Strengthen information sharing within ASEAN

There are opportunities for improving information sharing and exchanges of best practices between member countries. Within ASEAN, countries are at different stages of e-commerce law development. In order to accelerate progress for the region as a whole, countries at a more advanced level should actively share their experiences with other member countries. Particular attention should be given to e-government applications, e-payments and cloud applications. Making resources available for regular regional workshops related to e-commerce and law reform would be required.

The organization of regular regional workshops was regarded as a priority for member country representatives. This could include the development of a schedule of workshops over the 2013–2015 period, where the workshops are attached to existing meetings (such as TELSOM and working-group meetings). The advantage of this approach is that member countries would be able to allocate appropriate staff to attend the entire series of meetings, building continuity over the three years.

Build capacity in key areas

All ASEAN countries have reported in the surveys conducted for this Review a need for strengthening the capacities in certain legal areas. In line with the ASEAN ICT Masterplan 2015, attention should be given not only to building the capacity of policy and law makers but also to creating public awareness of e-commerce legislation among users (citizens, banks, other sectors, etc.). This is important especially from the perspective of addressing cybersecurity concerns and building trust. Calls for more capacity-building were made by all 10 countries as a way to speed up development or implementation of e-commerce laws.

It may be useful to identify opportunities for bilateral assistance, using the gaps outlined in this Review. For example, where a small number of countries have still not implemented a particular law (e.g., cybercrime legislation or consumer protection legislation), they would benefit from bilateral assistance from countries that have experience in these laws. Relevant gaps can be seen in table 2 in the section on the current status of e-commerce law harmonization in ASEAN.

In addition, ASEAN countries have expressed a need for regional capacity-building in areas such as the enforcement of laws and the treatment of cross border issues. Once the exact nature of the capacity-building needs has been identified, resources would need to be allocated for the organization of appropriate regional training courses or workshops.

Member countries can also request the assistance of international organizations (UNCTAD, UNCITRAL, UNESCAP, Interpol, ITU, OECD, etc.). UNCTAD, through its E-commerce and Law Reform Programme, could extend its assistance to ASEAN countries by building capacity of policy and law makers, including parliamentarians. UNCTAD offers the leading capacity-building programme within the United Nations system in support of the preparation of legal frameworks for e-commerce, covering virtually all legal issues covered in this Review. UNCITRAL also provides resources and assistance, and has extensive experience in helping countries align their laws and practices with international standards.

Take steps to further cross-border harmonization in three key areas

Further work is recommended on harmonization in cross-border jurisdiction issues, reducing conflicts and improving cooperation among ASEAN regulators and public law enforcement agencies. Harmonization of cross-jurisdiction transactions would facilitate smoother cross-border enforcement in a number of areas.

(a) Cybercrime
One key area is the investigation and enforcement of cybercrime across borders. Regional cooperation between cybercrime law enforcement agencies, including the establishment of a common training and resource centre and 24/7 national contact points, should be a priority for ASEAN.
(b) Consumer protection
The harmonization of cross-border consumer complaints could also enable e-commerce to prosper. This would require an agreement between consumer protection regulators in each country, complemented by appropriate investigation and referral tools. Becoming participants in the International Consumer Protection and Enforcement Network could be a first step in improving regional cooperation. To date, only the Philippines and Viet Nam are members.
Consumers could be provided with relevant links through an ASEAN-wide consumer protection portal, and complaints could be analysed to enable the issuance of public warnings; take steps to reduce the harmful impact of scams and similar conduct; as well as identify regional issues and trends, which can then feedback into responsive legal and regulatory measures.
(c) Recognition of electronic signatures
The legal recognition of electronic signatures at a national level does not address the needs of electronic commerce without the capability to grant recognition and validity to electronic signatures originating from other jurisdictions. Table 4 shows the variations in the types of electronic signatures recognized by the law in ASEAN.
While the widespread adoption of electronic signature and related trust services has been limited to date, demand for such technologies and service is likely to grow. As such, another area which could benefit from cross-border harmonization is the mutual recognition of electronic signature transactions. ASEAN has already undertaken some preliminary work on this issue, including a pilot scheme between Thailand and Singapore in 2007.
This task will require a stock-taking exercise of the use of electronic signatures in each country, to identify opportunities for the current use of signatures across borders. This could be followed by the development of an ASEAN mutual recognition agreement, which would detail minimum acceptable standards for electronic signatures and related trust services.

Establish a regional online dispute resolution facility

Consideration should be given to the establishment of a regional online dispute resolution scheme for handling domain-name disputes. There are already several schemes in operation, at a national and regional level, and these could be studied to gain insights into possible approaches to establishing a scheme in ASEAN.

In time, this scheme could broaden its coverage to include other types of online disputes, particularly consumer related, building confidence in online transactions, and relieving pressure on the existing court system.

Monitor harmonization of e-commerce laws in ASEAN member countries

Formal, regular reporting against the 2015 target would help to bring up-to-date information to the attention of all stakeholders, and could help to motivate member countries to meet the targets.

The role of the ASEC in this regard will be instrumental. It should ensure necessary coordination intended to harmonize regional and national legal frameworks in order to create an enabling environment for the successful implementation of e-commerce in the 10 countries. It is proposed that the ASEC develops a web page dedicated to the harmonization of e-commerce laws showcasing the progress of each country.

Focal points in each country will gather the data and send it to the ASEC to facilitate information sharing. The information contained in this Review, including relevant legislation, drafts and conventions in English, can be the starting point of such a repository of resources. This platform will serve to inform stakeholders about the process and monitor the advances of e-commerce laws in ASEAN. By so doing, the ASEC would help define recommendations for the ASEAN member countries to foster the enforcement of domestic e-commerce laws harmonized across the region and, ultimately, to facilitate more cross-border trade.

Embark on a new multi-year project with UNCTAD to contribute to the ASEAN ICT Masterplan 2015

Over the years, ASEAN member States have demonstrated their commitment to creating an enabling legal environment for e-commerce. They have made great advances with regard to the adoption of harmonized e-commerce laws. Various development partners have contributed to this process by providing substantive and/or financial support to some member States in the preparation of e-commerce laws, including awareness-raising actions. At the ASEAN level, internal mechanisms in the form of working groups (such as the Working Group on E-commerce) have been monitoring the progress made. Since 2009, however, such monitoring processes have been lacking. Recognizing the work already done so far, UNCTAD, which has been involved for many years in this work in the region, proposes that ASEAN revive the process.

This Review could be seen as a first concrete deliverable in this context. It takes stock of advances made by all ASEAN member States, identifies main challenges to harmonization, and from there, highlights priority areas where ASEAN countries may wish to focus attention in the coming years to achieve the goals and priorities set at the regional level (including the ICT Masterplan 2015 and future plans), and at the domestic level.

In order to move forward and achieve greater regional harmonization and integration in this area, ASEAN could benefit from designing and implementing a detailed project on the further harmonization of e-commerce laws. The project could help to tie together different activities, proposals and recommendations within ASEAN, in one coordinated package. This could help member States to identify and reduce remaining gaps and overlaps, make the best use of available resources and engage relevant partners and stakeholders.

The project could support efforts by the ASEAN member States to implement key recommendations made in the Review and to overcome key challenges they have identified in terms of skills and training and awareness raising (see annex 2), benefiting from UNCTAD’s support. UNCTAD is engaged in similar regional harmonization work in Latin America, Central America and the East African Community, and is well connected with relevant players in the area of e-commerce law harmonization.

A multi-year project would benefit from a combination of regional and national activities. UNCTAD would serve as a resource to the overall efforts by ASEAN to promote further e-commerce law harmonization. To this end, UNCTAD would build on its strong partnerships with international organizations, United Nations entities and governmental agencies that complement UNCTAD’s own expertise and activities and that are specialized in specific law areas (e.g., data protection, computer crime, cybersecurity, privacy, intellectual property, etc.). Close cooperation and coordination would help to avoid duplication of work in the interest of securing the most effective support to ASEAN. An indicative list of relevant partners is given below. Their involvement would depend on the priorities agreed upon by the ASEAN member States:

  • Asia–Pacific Economic Cooperation (APEC)
  • European Commission
  • International Telecommunication Union (ITU)
  • International Criminal Police Organization (INTERPOL)
  • Organization for Economic Cooperation and Development (OECD)
  • United Nations Commission on International Trade Law (UNCITRAL)
  • United Nations Economic and Social Commission for Asia and the Pacific (UNESCAP)
  • United States Agency for International Development (USAID)
  • World Bank
  • World Intellectual Property Organization (WIPO)
  • World Trade Organization (WTO)

In addition, the project would benefit from UNCTAD’s international network of experts, who may, for example, be drawn upon in the context of drafting of e-commerce laws reflecting international best practice. If desired, partner organizations would be invited to be associated with this process when relevant to their field of competence. For instance, UNCTAD and UNCITRAL have a long history of collaboration: UNCTAD uses the UNCITRAL e-commerce texts when preparing e-commerce legislation and UNCITRAL relies on UNCTAD’s technical cooperation programmes in countries and its leading capacity-building programme within the United Nations system in support of the preparation of legal frameworks for e-commerce. The project could include a regional component with focused activities around information sharing. This may involve, as per the recommendations, the following activities:

  • Support to a process of regular monitoring of progress in the area of e-commerce law harmonization. This could include the establishment of a dedicated website and a tool for the sharing of knowledge and documentation. It may also support the organization of regular meetings of a working group dedicated to the subject matter.
  • Facilitation of sharing of best practices within ASEAN.
  • Workshops on specific e-commerce law areas for which advancing harmonization remains a priority (e.g., privacy and cybercrime).
  • Thematic workshops aimed at discussing emerging issues identified by member States (such as e-government, e-payments, cloud computing, etc.). The workshops would call upon sharing best practices in the region as well as globally.
  • One-week training programmes tailored for policy and law makers (or study tours) on legal topics of relevance for ASEAN countries at the Geneva-based international organizations. UNCTAD’s partner organizations would be invited as well as international experts to discuss e-commerce law harmonization issues. Such occasions would allow ASEAN member States to be exposed to the experience of other regions (such as the European Union, United States and other OECD countries).

The national component of the project could be tailored to the needs of each of the ASEAN member States requesting assistance. Countries would define their priorities through national consultations, based on which UNCTAD would help in the preparation of a targeted action plan in the countries concerned.

UNCTAD has used a number of proven strategies in similar efforts in other developing regions to build capacity to support e-commerce law harmonization:

  • Advisory services for the preparation of national e-commerce laws. Such services would be provided based on ASEAN countries’ needs for assistance. They would be delivered through advisory missions and continuous collaboration with the beneficiary country and the ASEAN secretariat. Depending on the needs, country missions could include awareness-raising seminars about the nature and issues related to ICT and e-commerce in ASEAN countries, and assistance to the national working groups in the preparation of cyberlaws.
  • On-site regional and national training courses or briefings. UNCTAD has developed eight training modules on the legal aspects of e-commerce.[2]0 Training activities would be based on UNCTAD training course and material already developed and up to date, including delivery through UNCTAD’s distance learning platform.[2]1 Policy and lawmakers (including parliamentarians) as well as the judiciary are potential target audiences of the capacity-building efforts of UNCTAD.
  • Documenting and disseminating proven best practices, including through encouraging intra and interregional support and lessons sharing amongst networks of partners.

If ASEAN decides to invest in a jointASEAN/UNCTAD proposal, UNCTAD would prepare a more detailed multi-year project to be implemented with relevant partners for a set period (e.g., 2014–2016), with possible extension. The project proposal would include a budget estimation for regional activities. Individual countries could be consulted to tailor proposals under the umbrella of the project or alternatively could individually request UNCTAD’s assistance for separate projects.

REPORT ON THE LEGAL FRAMEWORKS OF ASEAN COUNTRIES

BRUNEI DARUSSALAM

In Brief

Summary

Brunei Darussalam has the Electronic Transactions Act 2004 (revised in 2008) and the Computer Misuse Act (revised in 2007). The government is currently developing draft data protection legislation, with a focus on the protection of personal information collected in commercial transactions.

Although Brunei Darussalam has high levels of Internet use, the full potential of e-commerce has not yet been realized. The country is pursuing a number of key e-government applications and is also taking a strong interest in cloud computing.

Electronic transactions law

Brunei Darussalam’s Electronic Transactions Act 2004 (revised and updated in 2008) is intended to facilitate e-commerce by eliminating barriers resulting from the legal uncertainties over writing and signature requirements as well as promoting public confidence in the integrity and reliability of electronic records and e-commerce generally. The Act embodies the main principles of the UNCITRAL Model Law on Electronic Commerce (1996) such as functional equivalence.[2]2

The Act is intended to act as comprehensive electronic transaction legislation, regulating:

  • Electronic contracts;
  • Liability of network service providers;
  • Retention of records by electronic means;
  • Electronic signatures;
  • Duties of certification authorities and subscribers;
  • Government use of electronic records.

Brunei Darussalam is currently considering further revisions to the law, as they are looking to make the legislation more technology neutral, especially in relation to authentication. They are considering removing all references to PKI in the legislation, although in practice this has not been a significant barrier to e-commerce as one of the main technology specific clauses in the Act is not in force. During the ASEAN/UNCTAD workshop in 2012 (Cebu), Brunei Darussalam reported that challenges are faced in developing a strong e-commerce business sector in Brunei Darussalam. In particular, there is a need to improve coordination across multiple ministries and agencies – as many sectors and areas of responsibility are impacted by e-commerce. Currently efforts are being made to identify business and government champions to provide leadership and guidance relating to e-commerce.

At this stage there is no overall strategic blueprint for updating laws, providing training, or undertaking public awareness initiatives, although these are all recognized as important steps in Brunei Darussalam. To date efforts have been made on a case by case basis and this may not always be as effective.

Brunei Darussalam is also interested in updating laws in several complementary areas, such as electronic court evidence, and the regulation of electronic payments. Courts have experienced difficulties in dealing with computer records as evidence because these are perceived as vulnerable to deliberate alteration. An example of the challenge faced in this area is where current legislation requires proof that the computer producing the evidence to be relied upon is functioning properly at the time the record is created before such evidence is admissible – this test can be very difficult to apply in practice.

Consumer protection

Brunei Darussalam recently introduced the Consumer Protection (Fair Trading) Order 2011 (CPFTO) which came into force on 1 January 2012. Claims made by consumers under the CPFTO may be dealt with by the Small Claims Tribunal which was also set up to accommodate speedy resolution of claims up to the value of B$10,000. Other than the CPFTO, product warranties as well as limitations on manufacturer’s liability are contained in the Sale of Goods Act 1999 and the Unfair Contract Terms Act 1999. The protections offered in these Acts can be applied generally to electronic transactions in the same way they apply to paper-based transactions.

Privacy and data protection

Brunei Darussalam has taken a very strong interest in the development of privacy legislation. A National Data Protection Policy has been drafted and is currently being reviewed by relevant stakeholders and this may in turn form the basis for the drafting of legislation.

The concept of privacy is challenging in Brunei Darussalam. There is no omnibus legislation providing protection for privacy. Such legislation is found in industry specific laws such as the Banking Act and the Tabung Amanah Pekerja Act. The introduction of data protection on the premise of privacy protection therefore has its challenges. However, the Government has been studying models in Malaysia and Singapore, and will be monitoring carefully the implementation of similar laws in those jurisdictions.

Online content regulation

Online content regulation in Brunei Darussalam is provided by a combination of a class licence scheme for relevant providers and the Internet Code of Practice. The model for online content regulation is based on the Singapore regime.

The Code of Practice came into effect in 2005 and requires all Internet Service Providers (ISPs) and Internet Content Providers (ICPs) licensed under the Broadcasting (Class Licence) Notification 2001 to use their best efforts to ensure that nothing is made available on the Internet which is against the public interest or national harmony or which offends good taste or decency. Internet Access Service Providers (IASPs) and ICPs are automatically licensed under the Notification.

Matters prohibited under the Code to be published on the Internet include:

If an ISP or ICP is informed by the Broadcasting Authority that material is contrary to the Code of Practice or against the public interest, public order or national harmony, they are required to remove or prohibit the broadcast of such material. There are also a number of general laws which limit the presentation of online material. These include the Censorship of Films and Public Entertainments Act 1963, the Undesirable Publications Act 1982, the Penal Code 1952 and the Sedition Act 1983. Brunei Darussalam has one of the broadest content-regulation schemes in the region, covering a wider

range of prohibited material than other jurisdictions. However, in practice the regulation has been implemented in a light touch manner.

Cybercrime and cybersecurity

Brunei Darussalam’s Computer Misuse Order 2000 (revised and updated in 2007) is closely modelled on the 1993 Singapore Act of the same name. The provisions in the Brunei Act centre on prosecuting those who access or modify information in a computer without authorization. The computer offences contained in the Act are:

  • Unauthorized access to computer material (section 3);
  • Access with intent to commit or facilitate the commission of an offence (section 4);
  • Unauthorized modification of computer material (section 5);
  • Unauthorized use or interception of a computer service (section 6);
  • Unauthorized obstruction of use of a computer (section 7);
  • Unauthorized disclosure of an access code or password (section 8);
  • Abetting or attempting to commit any of the above offences (section 10).

Penalties under the Order can include prison sentences and heavy fines. Other legislation of general application, for example the Penal Code, can also be applied to digital crime. Brunei Darussalam’s legislation is broadly consistent with the Council of Europe Convention on Cybercrime, although the country has not signed the Convention itself. A Council of Europe analysis of Brunei Darussalam’s laws noted that it does not address the issues of misuse of devices to commit offences (article 6(1)(i) of the Convention). However, it does include provisions on misuse of passwords (article 6(1) (ii) of the Convention).[2]3

Online dispute resolution and domain-name regulation

Regulation of domain names in Brunei Darussalam is managed through a provision in the Authority for Info-Communications Technology Brunei Darussalam Order 2001 which provides that the Authority for Info-Communications Technology Industry of Brunei Darussalam (AITI) has the power to authorize or regulate the registration, administration and management of domain names in the country.

In September 2012 the AITI released a public consultation paper on a proposed Domain Name Management Framework of .bn domains.[2]4 Consultations were still ongoing at the time of preparing this Review.

The consultation paper proposes that Brunei Darussalam will adopt a dispute-resolution policy named Brunei Darussalam Domain-name Dispute-resolution Policy (BDRP) that is modelled after the Uniform Domain-name Dispute-resolution Policy (UDRP) developed by the World Intellectual Property Organization (WIPO).

CAMBODIA

In Brief

Summary

E-commerce law initiatives in Cambodia have been encouraged by WTO membership (2004), the eASEAN initiative, an increase in international trade, and rising Internet penetration. An Inter-ministerial Working Group on E-commerce has been established and draft e-commerce legislation has been slowly moving through the various processes that will lead to its enactment. The draft law contains provisions for e-government and e-payment. It is based on the UNCITRAL Model Law on E-commerce, but also includes some broader issues such as cybercrime, consumer protection in online transactions and content regulation. No significant work has been undertaken at this stage on data protection.

Cambodia has a high level of mobile phone penetration but relatively low degrees of Internet and fixed broadband access represent a bottleneck for greater uptake of e-commerce.

Electronic transactions law

Draft e-commerce legislation is being developed by the Ministry of Commerce. This draft law takes account of Cambodia’s requirements as a member of both the WTO and ASEAN.

The development of the law is guided by the Inter-ministerial Working Group on E-commerce, consisting of the Ministry of Commerce, the Ministry of Justice, the Ministry of Posts and Telecommunications, and other key parties. The Ministry of Commerce acts as secretariat.

Cambodia is still engaged in some of the preliminary activities in the development of e-commerce law, such as awareness raising amongst key stakeholders and the study of international legal models.

The first phase of development of the draft legislation was supported by UNCTAD. This included brainstorming with stakeholders, the circulation of questionnaires on specific issues, and the development of an early draft of the legislation based largely on the UNCITRAL Model Law on Electronic Commerce.

The second phase of the development of the laws has been supported by the World Bank. A plan of action has been submitted to the Cambodia Trade Development Support Programme (TDSP).[2]5 At the time of writing Cambodia was in the process of recruiting consultants to assist with implementation of this phase of work. A broader project proposal relating to capacity-building is also being developed.

The current draft legislation being considered in phase two is broader than the original phase one model. It is a comprehensive, omnibus-style law, with 10 parts and 62 articles, covering a wide range of cyberlaw issues. These include:

  • Part 1: General provisions;
  • Part 2: Validity of electronic communications;
  • Part 3: Communication process;
  • Part 4: Security service providers;
  • Part 5: Intermediaries and electronic commerce service providers;
  • Part 6: Consumer protection;
  • Part 7: Government acts and transactions;
  • Part 8: Offences against confidentiality, integrity and availability;
  • Part 9: Evidence;
  • Part 10: Electronic funds transfer.

Cambodia is also preparing for a phase three – it is looking for resources and support to prepare for the implementation of e-commerce law, including training for business and government stakeholders and the commissioning of studies on enforcement issues.

Finally, Cambodia changed its regulatory structure in 2012, and has established an independent Telecom Regulator of Cambodia. This regulator is expected to play a key role once Cambodia’s e-commerce laws are in place.

Consumer protection

There is no general consumer protection law in Cambodia that applies to e-commerce. However, the proposed omnibus e-commerce law will include a section on online consumer protection.

Privacy and data protection

There is no general privacy law in Cambodia. However, the proposed omnibus e-commerce law will include a section on confidentiality that might provide some limited online privacy protection.

Online content regulation

Article 12 of Cambodia’s press law forbids the publication of “any information which may affect national security and political stability”. While not directly targeted at the online environment the article does place a limitation on material that can be published online.

Cybercrime and cybersecurity

The draft omnibus e-commerce law includes sections on offences against the confidentiality, integrity and availability of information systems and computer data which captures the usual offenses such as unlawful interference and interception, as well as new offenses such as stalking, malware and invasion of privacy. The take-down procedures are also articulated in the law and it is intended to be supplemented by regulations for enforcement.

Online dispute resolution and domain-name regulation

Regulations have been issued on the use of the .kh country-level domain. The Regulations on Registration of Domain Names for Internet under the Top Level “kh” 1999 set out the rules and naming structure for any first or second-level domain under the .kh domain, and also contain the rules and regulations that apply in the case of conflict, revocation and transfer of a .kh domain name. The regulations are administered by the Ministry of Posts and Telecommunications.

INDONESIA

In Brief

Summary

In Indonesia, the legal infrastructure for e-commerce is built around the Electronic Information and Transactions Act 2008, an omnibus law which includes e-commerce, cybercrime, domain names and other issues. This act was complemented in 2012 by more detailed regulations concerning electronic system and transaction operation.[2]6

Indonesia is going through a process of significant legal and regulatory reform in the sector, as they implement plans to converge laws, licensing and regulation across areas that were previously separately regulated (i.e., telecommunications, broadcasting and the Internet).

Indonesia has a high rate of mobile phone penetration and has started to take advantage of mobile commerce, particularly in the banking sector. The country’s low level of fixed broadband connectivity represents a challenge to e-commerce and overall Internet use in the population is still relatively low compared with some of the other ASEAN member countries.

Electronic transactions law

The Law on Information and Electronic Transactions 2008 is an omnibus Act that includes general e-commerce provisions, along with more specific provisions on privacy, cybercrime and content issues.

Article 11 of the Law on Information and Electronic Transactions 2008 provides legal recognition for electronic signatures that meet certain requirements. Recent regulations (Regulation Number 82 of 2012 Concerning Electronic System and Transaction Operation) have established a more detailed regulatory system relating to digital signatures, including the licensing of signature providers.

The new Regulation also introduces some unique and onerous security and registration requirements for electronic service providers (which include cloud providers). For example article 17(2) requires operators to place their data centres in Indonesia. Other provisions require firms to hire local Indonesian staff when dealing with sensitive public-sector data.

There are very few details available about the new audit requirements contained in the Indonesian Regulation, but article 18 appears to require providers to supply regular audit records on “all provision of electronic systems activities” to a government agency. The law is very new and has not yet been tested in practice.

Overall, Regulation Number 82 of 2012 Concerning Electronic System and Transaction Operation appears to introduce onerous requirements that are likely to act as barriers to many cloud service providers. For example, providers will have to register with a Government agency and comply with requirements to establish data centres in Indonesia. There is also a requirement to provide source code (or to place source code in escrow) for certain types of applications in Indonesia. The full impact of these new policies is difficult to assess at this early stage.

Consumer protection

Indonesia’s Law on Consumers’ Protection 1999 is not expressly designed to regulate electronic commerce transactions; however, the official Elucidation on Law on Consumers’ Protection contemplates the relevance of the Act to electronic and cross-border transactions. Where the provisions of the Law permit, the consumer protections offered within the Act can be applied to electronic transactions.

Some protection may be offered to consumers engaging in an electronic transaction under the Law on Electronic Information and Transactions. Several sections provide that consumers have the right to obtain accurate and complete information with respect to contract requirements and manufacturer and product details for goods that are offered electronically.

Privacy and data protection

The Law on Information and Electronic Transactions 2008 contains a very brief section on privacy (article 26). However, it is expected that this section will be complemented or even replaced by more detailed privacy legislation in the future. Indonesia is yet to establish a data protection regulator. While the legislation is silent on the establishment of a regulator, this may be covered in future regulations.

The Indonesian approach is not based on any international model, although the future regulations are likely to be influenced by the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data and perhaps the APEC Privacy Framework. (Indonesia is an active member of the APEC Data Privacy Subgroup).

Regulation Number 82 of 2012 Concerning Electronic System and Transaction Operation provides more detailed privacy requirements, including:

“Electronic Systems Providers must ensure the protection of any personal data that they process. Such protection broadly includes obtaining necessary consent and ensuring that personal data are only used in accordance with the purpose communicated to data subjects.”

The new Regulation also includes a requirement that providers must notify data subjects in writing in the event that there is any unauthorized disclosure or processing of personal data. “Personal data” is not limited to information which by itself enables the identification of individuals and is broadly defined under the Regulation as any information of individuals that is kept, stored and protected as confidential information.

Online content regulation

Articles 27 and 28 of the Law on Information and Electronic Transactions 2008 prohibit the publication and distribution of certain categories of material, including “immoral” material and material that promotes gambling. However, the detailed regulations necessary to implement these censorship requirements have not yet been developed. In practice, no comprehensive filtering currently occurs.

The Pornography Law No. 44/2008 (Undang-undang No. 44/2008 ttg Pornografi) is also relevant for some content providers, and there have been recent attempts to impose restrictions on online content using this legislation.[2]7

Cybercrime and cybersecurity

The Law on Information and Electronic Transactions 2008 contains a number of key cybercrime provisions (articles 29–37). Those provisions are almost an exact mirror of the key provisions in the Convention on Cybercrime. However, the law only provides limited details relating to enforcement and international cooperation.

Online dispute resolution and domain-name regulation

The Law on Electronic Information and Transactions contains some restrictions on the acquisition of a domain name. It recognizes that domain names are to be registered on a first come first served basis. The Law does not allow a domain name to be registered in bad faith, in a manner that trespasses on competition law or in a manner that infringes the rights of others in the name.

Regulation Number 82 of 2012 Concerning Electronic System and Transaction Operation now includes more detailed rules for domain-name registration and domain-name disputes.

Indonesia has not yet developed any law or regulation on online dispute resolution.

THE LAO PEOPLE’S DEMOCRATIC REPUBLIC

In Brief

Summary

The Government of the Lao People’s Democratic Republic has developed an E-Policy and an E-Government Roadmap and is keen to encourage both e-commerce and e-government applications. Meanwhile, significant work remains in the Lao People’s Democratic Republic in order to develop an appropriate legal infrastructure, although the recent passage of the Law on Electronic Transactions in 2012 is encouraging. There are also proposals to develop consumer protection and data protection laws.

While mobile penetration has risen significantly to reach 87 subscriptions per 100 inhabitants in 2011, low levels of Internet, especially at broadband speed, remains a significant barrier to e-commerce developments in the Lao People’s Democratic Republic.

Electronic transactions law

The Lao People’s Democratic Republic received assistance from UNESCAP, UNCTAD and USAID to develop its e-commerce legislation. The law was passed by the National Assembly in December 2012.

The legislation is generally consistent with international models including the UNCITRAL Model Law on Electronic Commerce (1996). It contains provisions that create greater legal certainty when contracting electronically, including provision on functional equivalence and on the formation of electronic contracts.

The new law comprises 9 parts and 55 articles. A full English language translation is not yet available, but the basic content includes:

  • Part 1: Objectives and definitions;
  • Part 2: Electronic documents and contracts;
  • Part 3: Electronic licences;
  • Part 4: Electronic transactions within government;
  • Part 5: Mediation;
  • Part 6: Offences and prohibited acts;
  • Part 7: Dispute resolution;
  • Part 8: Management and inspection;
  • Part 9: Sanctions.

This new development is designed to help the Lao People’s Democratic Republic capture the benefits of e-commerce and e-government. It should also assist the Lao People’s Democratic Republic with the proposed membership of the WTO and integration into the AEC.

Consumer protection

There is no general consumer protection law in the Lao People’s Democratic Republic. However, the new Law on Electronic Transactions may contain some limited online consumer protection requirements.

Privacy and data protection

There is no relevant privacy law in the Lao People’s Democratic Republic.

Online content regulation

The Lao Government controls all domestic Internet servers and retains the ability to block access to Internet sites deemed pornographic or critical of government institutions and policies. The Lao National Internet Committee under the Prime Minister’s Office administers this system, based on a series of regulations.

The primary regulation is the Ministry of Information and Culture, Special Provisions (416/IC) for Control of the Content and the Information and Data Obtained via the Internet System. This states that permissible content of material on the Internet is “beneficial to society...with no impact upon political issues, is not in conflict with the laws and regulations of the Lao People’s Democratic Republic and is not contrary to the fine Lao national culture, customs and traditions”. The regulations include procedures for requesting approval for the content of information and data available on the Internet and for punishment of violations. However, in practice the Government does not appear to block local or foreign sites, and registration of content is not required.

The new Law on Electronic Transactions may also include some provisions relating to online content.

Cybercrime and cybersecurity

The new Law on Electronic Transactions may include some provisions relating to cybercrime.

Online dispute resolution and domain-name regulation

The Telecommunication Law 02/NA of 2001 provides some basic rules for registration and ownership of domain names in the Lao People’s Democratic Republic.

The new Law on Electronic Transactions may include some further provisions on dispute resolution.

MALAYSIA

In Brief

Summary

Malaysia boasts a comprehensive suite of e-commerce laws in place, based on a combination of the Electronic Commerce Act 2006 and the Electronic Government Activities Act 2007. With the introduction of the Personal Data Protection Act in 2010, Malaysia also became the first ASEAN member country to pass privacy legislation. The Government considers that some provisions of its e-commerce legislation may need to be updated in view of technological change and the emergence of social networking and mobile applications.

Malaysia has a very high number of mobile subscriptions per 100 inhabitants (127 in 2011), and is also equipped with a moderate level of fixed broadband connectivity. Overall Internet use in Malaysia stood at 61 per cent of the population in 2011, one of the highest rates in the region.

Electronic transactions law

The Electronic Commerce Act 2006 is the key source of electronic commerce regulation for the private sector. It is complemented by the Electronic Government Activities Act 2007, which applies similar rules to the public sector. The Electronic Commerce Act 2006 closely mirrors the United Nations Electronic Communications Convention.

Malaysia also has specific legislation for digital signatures – the Digital Signature Act 1997. The legal framework of the Act was strengthened to encourage future use, by way of the Digital Signature (Amendment) Act 2001. In addition, the Electronic Commerce Act 2006 contains broad (technology-neutral) provisions on electronic signatures.

Consumer protection

Malaysia’s general consumer legislation, the Consumer Protection Act 1999 protects consumers against a range of unfair practices and enforces minimum product standards. Recent years have seen amendments made to the Act – in 2007 to widen its scope to cover electronic commerce transactions and in 2010 to introduce, among others, a new provision on general safety requirement for services and the protection to consumers from unfair terms in a standard form contract.

Malaysia has also introduced Consumer Protection (Electronic Trade Transactions) Regulations 2012, to be enforced in 2013. These Regulations impose certain obligations on online traders and online marketplace operators, with the objective to increase the consumers’ confidence to shop and trade online, which will further spur the growth of e-commerce in the country.

There are also some limited consumer provisions incorporated into part 8 of the Communications and Multimedia Act 1998. Part 8 deals with the relationship between consumers and licensees under the Act, and applies regardless of whether the transaction is electronic or not. Subsection 188(1) provides that all licensed service providers must deal reasonably with consumers and adequately address consumer complaints. Part 8 also contains provisions on the handling of consumer complaints.

A voluntary consumer protection code has also been created in accordance with the provisions of the Act. It deals with the provision of information to consumers, the handling of personal information and complaints handling.

Privacy and data protection

The Personal Data Protection Act 2010 covers the private sector only – government agencies are exempt. The Personal Data Protection Act 2010 closely mirrors the principles in the European Union directive, with some variations that appear to adopt parts of the APEC Privacy Framework. However, the Act does not contain any European Union style registration requirements.

A new government department has been established to facilitate the implementation of Malaysia’s Personal Data Protection Act – the Personal Data Protection Department.

The Act came into full force on 1 January 2013.

Online content regulation

The Communications and Multimedia Act 1998 established the Malaysian Communications and Multimedia Commission (MCMC),[2]8 which is empowered to regulate the information technology and communications industries. The Act empowers the Commission with broad authority to regulate online speech, providing that “no content applications service provider, or other person using a content applications service, shall provide content which is indecent, obscene, false, menacing, or offensive in character with intent to annoy, abuse, threaten or harass any person”. Publishers of media content in violation of this provision may face criminal penalties.

The Act also enabled the establishment of the Communications and Multimedia Content Forum of Malaysia[2]9, which formulates and implements the Content Code – voluntary guidelines for content providers concerning the handling of content deemed offensive or indecent.

In practice, the Malaysian Government has pledged not to censor the Internet. There is no evidence of technological Internet filtering in Malaysia. However, state controls on traditional media spill over to the Internet at times, leading to self-censorship and occasional investigation of bloggers and online commentators.

Cybercrime and cybersecurity

The Computer Crimes Act 1997 prohibits 4 categories of activities related to unauthorized entry into computer systems, which are:

  • Section 3: acts committed with intent to secure unauthorized access to programs or data stored in any computer;
  • Section 4: acts committed with intent to secure unauthorized access to programs or data stored in any computer in order to commit an offence involving fraud or dishonesty;
  • Section 5: acts committed with the knowledge that the act will cause unauthorized modification of the contents of any computer;
  • Section 6: wrongful communication of any password, code or means of access to a computer to any person who is not authorized to receive the same.

These provisions are more aligned with computer crimes, rather than cybercrimes. However, provisions contained in e-commerce laws and copyright laws (updated and amended in 2012) complement Malaysia’s cybercrime legislation and make it more compatible with international standards.

Online dispute resolution and domain-name regulation

Three sections have been incorporated into Malaysia’s Communication and Multimedia Act to deal with the regulation of domain names.

Section 179 of the Act specifies that the MCMC is responsible for the planning, control and administration of electronic addresses (i.e., domain names). Section 180 gives the MCMC the power to develop a numbering and electronic addressing plan, which among other things sets out the rules for assigning and transferring electronic addresses.

The functions contained in sections 179–181 appear to be delegated to MYNIC, the registrar of Malaysia’s country code top-level domain (ccTLD). In addition to acting as registrar, MYNIC is the registry and administrator of the .my domain.

During the workshop in Cebu, delegates mentioned that the government faces some challenges with the coordination of law and policy in this field, as they have four different agencies with a role in the promotion of e-commerce.

MYANMAR

In Brief

Summary

Myanmar has several key e-commerce laws in place, including the Computer Science Development Law (1996) and the Electronic Transaction Law (2004). A Communications Law has also been drafted. The country has indicated strong interest in e-government initiatives and is encouraging electronic payments for several government services, such as those related to imports and exports.

The very low level of access to virtually all kinds of ICT infrastructure represents a huge barrier to the development of e-commerce in Myanmar.

Electronic transactions law

The Electronic Transactions Law of Myanmar 2004 adopts a media-neutral approach in regulating electronic contracts. In addition to creating electronic legal equivalents for the concepts of records, signatures and communications, the Law creates some cyber-offences and sets up a number of regulatory bodies including the Central Body of Electronic Transactions entrusted with implementing the legislation and the Electronic Transactions Control Board to look after the day-to-day regulation of electronic signatures.

While no particular technology is given a higher status, PKI is enabled by the provisions on certification authorities and licensing.

Consumer protection

There is no general consumer protection law in Myanmar at this stage. However, in November 2012 the Ministry of Commerce reported that it was developing a draft Consumer Protection Bill which it hoped to publish for public comment in 2013.

Privacy and data protection

There is no privacy law in Myanmar at this time.

Online content regulation

There are a number of provisions under Myanmar law that have the effect of restricting access to the Internet and limiting the publication of information online.

  • Section 28 of the Computer Science Development Law prohibits an individual from setting up access to a computer network without the approval of the Ministry of Communications, Posts and Telegraphs.
  • Section 26 of the Computer Science Development Law limits access to computers by only allowing access to a computer if the prior sanction of the Ministry is obtained. Computers used as an aid for teaching or business are exempted from this section.
  • Subsection 34(d) of the Electronic Transactions Law also makes it an offence to create, modify or distribute information by electronic technology that is detrimental to the interest or lowers the dignity of a person or organization.

Cybercrime and cybersecurity

Chapter XII of the Electronic Transactions Law of Myanmar 2004 contains a number of offences that can be committed using technology used to complete electronic transactions. These include:

  • Hacking or the dishonest modification or destruction of electronic records (section 34(a));
  • Intercepting a communication or giving access to a communication without the permission of the originator (section 34(b));
  • Communicating with another person using the electronic signature of that person without their consent (section 34(c));
  • Creating or modifying information or distributing this information such that it causes detriment to the interest or lowers the dignity of an organization or person (section 34(d)).

The Computer Science Development Law 1996 also creates a number of cyberoffences. The Law was created with the intention of increasing and promoting the take-up of technology in Myanmar. Offences under the Law are contained in chapter X and include:

  • Importing or possessing a computer without the approval of the Myanmar Computer Science Development Council, subject to some conditions (section 31);
  • Setting up a network or access to a network without the approval of the Ministry of Communications, Posts and Telegraphs (section 32);
  • Obtaining or sending information that undermines state security, the prevalence of law and order and community peace and tranquillity, national unity, state economy or national culture (section 34).

Online dispute resolution and domain-name regulation

There is no specific domain-name regulation in Myanmar. This may be addressed in the new Communications Law that is currently being drafted.

THE PHILIPPINES

In Brief

Summary

The Philippines was an early adopter of e-commerce legislation, having passed the Electronic Commerce Act in 2000. The law has been complemented by administrative orders in areas such as electronic evidence, e-consumer protection, digital signatures, e-banking and e-payment in government. In 2012, the Philippines passed the Data Privacy Act and the Cybercrime Prevention Act, of which the latter is currently the subject of a constitutional challenge to the Supreme Court.

E-commerce and mobile commerce has a significant potential in the Philippines with its high level of mobile penetration, rapid uptake of mobile banking services and strong encouragement of business process outsourcing as a growth sector. However, the country’s low level of fixed broadband connectivity remains a bottleneck for more widespread uptake of e-commerce.

Electronic transactions law

The Electronic Commerce Act 2000 is based on the UNCITRAL Model Law on Electronic Commerce (1996). It provides that no electronic document or message shall be denied legal effect because it is in electronic form and it does not discriminate between different types of technology. The Act extends to electronic data messages and documents created for both commercial and non-commercial purposes.

The Implementing Rules and Regulations of the Electronic Commerce Act 2000 provide extra clarification and further information on a number of key aspects of the Act.

The Act also sets out legal rules for the admissibility of electronic documents or messages into evidence, the onus of proof of providing an electronic document has not been tampered with, and other procedural matters relating to using electronic data as evidence.

The Supreme Court of the Philippines promulgated the Rules of Electronic Evidence in 2001, paving the way for the speedy trial of the violators of this Act.

The Philippines has signed, but not yet ratified, the United Nations Convention on the Use of Electronic Communications in International Contracts (2005).

Consumer protection

The Philippines does not have dedicated consumer protection legislation for e-commerce. However a section in the Electronic Commerce Act 2000 provides some recognition of the need for consumer protection in the electronic environment.

Section 33(c) of the Act notes that violations of the Consumer Act 1991 and other “relevant or pertinent laws” committed using electronic data messages or electronic documents are to be penalized according to the same penalties available under those laws. The Consumer Act is the Philippines’s main consumer law focusing on protection against deceptive, unfair and unconscionable sales practices as well as ensuring consumers have adequate access to redress.

Technically, the provision does not add tailored or further consumer protections for e-commerce, but reaffirms the applicability of consumer legislation to electronic transactions, which has already been facilitated by the functional equivalence provisions in the Act.

In 2008, the Government issued Joint Department Administrative Order 01 which prescribes the “Rules and regulations for consumer protection in a transaction covered by the Consumer Act of the Philippines (R.A. 7394) through electronic means under the E-Commerce Act (R.A. 8792)”. The regulations aim at protecting consumers doing online transactions, specifically on the purchase of products and services. It covers both local and foreign-based retailers and sellers engaged in e-commerce.

Privacy and data protection

The Philippines has a comprehensive privacy law in place – the Data Privacy Act (2012). This is one of the most modern privacy laws in the region, incorporating a mix of guidance from the European Union, APEC and OECD. One interesting feature of the law is the large number of criminal offences that it creates – most privacy legislation is based on administrative or civil infringements and mediation/conciliation rather than criminal offences.

Online content regulation

Some basic provisions regulating online content are included in the cyber-crime legislation. These include provisions restricting access to materials promoting prostitution and child pornography with the aid of a computer or computer networks.

However, at the time of preparing this Review, this legislation has not yet entered in force.

Cybercrime and cybersecurity

Comprehensive and detailed provisions are contained in the Republic Act No. 10175, the Cybercrime Prevention Act 2012. This Act is the subject of a constitutional challenge to the Supreme Court, so it was at the time of drafting this Review not yet in force.

Cybercrime is also partly dealt with in a provision of the Electronic Commerce Act, stating that hacking, cracking, or unauthorized access using a computer in order to corrupt, alter, steal or destroy electronic data are all offences.

Online dispute resolution and domain-name regulation

A circular issued by the Philippine Intellectual Property Office (IPO) provides that domain names are registrable with the IPO in the same manner that service marks can be registered. The standard used to register domain names is the same standard used to determine the registrability of marks under section 123 of the Intellectual Property Code. This includes that the domain name cannot resemble another registered domain name in a manner that is confusing or likely to deceive, and the domain name cannot be identical or confusingly similar to a well-known (internationally or locally) domain name.

DotPH is the official domain registry of the Philippines ccTLD. A number of conditions contained in DotPH’s policies and standard form agreements are imposed by DotPH on those wishing to use a .ph domain. An institutionalized system for alternative dispute resolution has been created in the Philippines by the Alternative Dispute Resolution Act 2004. The Act also creates an Office of Alternative Dispute Resolution whose objective is to promote and expand the use of this method of settling disputes among the public and private sectors.

SINGAPORE

In Brief

Summary

Singapore has been very active in updating its laws and regulations to meet international best practice standards in relation to e-commerce. The Electronic Transactions Act and the Electronic Transactions Regulations were updated in 2010 in order to align them with the 2005 United Nations Convention on the Use of Electronic Communications in International Contracts. Singapore was the first ASEAN member country to ratify that Convention (which came into force only in March 2013). Singapore also passed the Personal Data Protection Act in 2012, and has begun work on policies and strategies to facilitate the growth of cloud computing.

ICT uptake in Singapore has been accompanied by the development of a highly competitive ICT sector, and significant use of e-commerce and m-commerce. The country enjoys the highest levels of Internet, mobile phone and fixed broadband use in the region.

Electronic transactions law

The Electronic Transactions Act 2010 replaces the previous Electronic Transactions Act 1998. It provides for the recognition of electronic signatures and digital signatures in Singapore. Section 8 provides that where a rule of law requires a signature, an electronic signature satisfies that rule of law, subject to some simple requirements.

The Electronic Transactions Act 2010 closely matches the provisions of the United Nations Convention on the Use of Electronic Communications in International Contracts – a Convention that Singapore has both signed and ratified.

Consumer protection

Singapore does not have consumer protection laws specifically for e-commerce. However, a number of general consumer laws are in place. These apply generally to all transactions including electronic transactions, but do not address specifically consumer protection issues raised by the online environment. These consumer laws include the Consumer Protection (Fair Trading) Act 2003.

Privacy and data protection

Singapore passed the Personal Data Protection Act in 2012. This is comprehensive privacy legislation, modelled on the OECD Privacy Guidelines. The privacy law appears broadly compatible with the European Union Data Protection Directive. Singapore is also a member of APEC and the new law has been influenced by the APEC Privacy Framework.

The new law includes the establishment of a Data Protection Commission, which will be an independent authority, with oversight provided by a new appeals tribunal.

Online content regulation

Singapore has a three-pronged approach to content regulation:

(a) Government regulation through a class licensing scheme;
(b) Industry self-regulation;
(c) A public education programme.

Singapore’s Media Development Authority (MDA)[3]0 maintains license and registration requirements that subject Internet content and service providers to penalties for non-compliance with restrictions on prohibited material. The MDA is charged with ensuring that “nothing is included in the content of any media service which is against public interest or order, or national harmony, or which offends good taste or decency”. The core of this framework is a class licence scheme stipulated under the Broadcasting Act and by industry policies and regulations issued by the MDA.

Under the class license scheme, all ISPs and those ICPs determined to be political parties or persons “engaged in the propagation, promotion or discussion of political or religious issues relating to Singapore” must register with the MDA. As licensees, ISPs and ICPs are also bound by the MDA’s Internet Code of Practice. The Code defines “prohibited material” broadly, specifying only a few standards for sexual, violent, and intolerant content. Where filtering is not mandated at the ISP level, the Code requires that ICPs deny access to material if so directed by the MDA. Licensees that fail to comply with the Code may face sanctions, including fines or licence suspensions or terminations

Cybercrime and cybersecurity

The Computer Misuse Act 1993 includes provisions to protect computers, computer programmes and data stored in computers from unauthorized access, modification, interception and interference. The Act intentionally defines “computer” very widely and is not technology-specific. It applies to any person, irrespective of his physical location, who does any act that relates to any computer, programme or data located within Singapore at the material time.

The Act specifies a number of offences that can be committed using a computer. These are:

  • Unauthorized access to computer material (section 3);
  • Accessing a computer with the intent of committing or facilitating the commission of an offence (section 4);
  • Unauthorized modification of the content of data within a computer (section 5);
  • Unauthorized use or interception of a computer function or process (section 6);
  • Unauthorized obstruction of the lawful use of a computer (section 7);
  • Unauthorized disclosure of a computer access code or password (section 8);
  • Abetting or attempts to commit any of the above offences (section 10).

The offences contained in the Computer Misuse Act are compatible with the Convention on Cybercrime.

Singapore plans to amend the Act to cover a wider range of cybercrime and cybersecurity issues, including attacks on national infrastructure and cyberbullying. The first of these amendments was introduced to the Singapore Parliament in November 2012.

Other legislation of general application, for example the penal code, can also be applied to digital crime.

Online dispute resolution and domain-name regulation

The .sg domain space is administered by the Singapore Network Information Centre, which imposes conditions on the granting to an individual, business or organization use of a .sg domain name. These conditions are contained in the standard form contracts the Centre uses to register domain names and the registration polices the Centre implements.

THAILAND

In Brief

Summary

The Electronic Transactions Act 2001, one of the core cyberlaws, has been complemented by numerous Subordinated Laws (Royal Decrees) and other Government notifications, including a regulation for e-payment service providers, security policy and practice guidelines for the government sector, and data protection policy and practice guidelines for the government sector. Thailand is interested in joining the United Nations Convention on the Use of Electronic Communications in International Contracts and in 2008 Thailand revised and updated the Electronic Transactions Act.

In 2007 Thailand enacted the Computer Crime Act. Thailand has still to advance on draft data protection legislation and there are some challenges in relation to skills and funding for law enforcement agencies and the courts in relation to the implementation of e-commerce laws.

E-commerce in Thailand is promising with an overall Internet use of 24 per cent in 2011. Online payment methods are being developed to support the development of e-commerce. Thailand also enjoys a high level of mobile penetration.

Electronic transactions law

The Electronic Transactions Act 2001 sets out the legal framework for the validity of electronic signatures and electronic transactions. The Act addresses such issues as legal formalities and evidentiary status. The Electronic Transactions Act, which entered into force in April 2002, governs both civil and commercial transactions made electronically, with exceptions only as may be prescribed by Royal Decree pursuant to the Act. It does not override laws and regulations intended for consumer protection.

The Act includes a mix of provisions from several international models, but the key sections follow the UNCITRAL Model Law on Electronic Commerce (the electronic signatures sections cover the Model Law on Electronic Signatures). A draft bill with amendments aimed at aligning the law with the United Nations Convention on the Use of Electronic Communications in International Contracts, to which Thailand is considering becoming a party.

Consumer protection

The Consumer Protection Act 1979 and other legislations such as the Unfair Contract Terms Act 1997, the Direct Sales and Direct Marketing Act 2002, the Civil and Commercial Code and the Panel Code may afford consumers engaging in e-commerce some protections and avenues of redress. While the provisions in these laws are not tailored to the unique circumstances encountered in the electronic environment, they may nevertheless apply to afford consumers some protection online.

Privacy and data protection

Draft legislation (the Personal Data Protection Bill), has been under development for many years. Once this Personal Data Protection Bill passes, it will be the comprehensive data protection legislation in Thailand and apply to government and private sectors. Although Thailand does not currently have comprehensive data protection or privacy laws, the principles of privacy and data protection are fundamental to several specific data protection legislation providing personal information protection and prohibiting unauthorized disclosure in certain circumstances as follows:

  • The Constitution of Thailand 2007 provides the basic protection of a person’s family rights, dignity, reputation and the right of privacy (section 35 of the Constitution). Some breaches could also be subject to restrictions on disclosure of pictures or statements which violate or affect a person’s privacy, reputation or dignity (section 34 of the Constitution).
  • The Official Information Act 1997 protects personal information of Thai people and foreigners resident in Thailand which are maintained by the state agencies.
  • The Penal Code provides the restrictions on disclosure of secret information in certain relationships (sections 323 and 324 of the Penal Code).
  • Furthermore there are other specific regulations to protect personal information under the Credit Information Business Act 2002, the National Health Act 2007, the Statistics Act 2007 and the Broadcasting and Television Business Operations Act 2008. The sale or disclosure of personal information without the consent of the relevant person could be subject to the privacy related provisions of section 37 of the Constitution and section 74 of the Telecommunications Business Act.
  • Data protection policy and practice guideline for state agencies[3]1 modelled on the OECD Privacy Guidelines is also available to provide the preliminary guideline for state agencies to use in setting the policy and practice in personal information protection in electronic transactions.

Online content regulation

Thailand carefully considers measures to control content on the Internet which may affect the national security ground. The Ministry of Information and Communication Technology provides software for preventing inappropriate contents which is publicly available to the users.

Cybercrime and cybersecurity

In 2007, the Act on Commission of an Offence relating to Computer 2007, commonly known as the Computer Crime Act, came into force in Thailand. It contains provisions for offences committed against computer system and computer data and provisions regarding the use of computer to commit computer crimes. The key provisions follow the text of the Budapest Convention on Cybercrime. In addition to the Computer Crime Act, other legal measures under the Electronic Transactions Act are also issued to increase public awareness of information security as follows:

(a)  The Notification of Electronic Transactions Commission on Policy and Practice in the Information Security of a State agency 2010;[3]2
(b)  The Notification of Electronic Transactions Commission on Category of Electronic Transactions and Rules on Assessment on the Scale of Impact of Electronic Transactions Pursuant to Security Techniques 2013;[3]3
(c)  The Notification of Electronic Transactions Commission on Information Security Standards in accordance with Security Techniques 2013.[3]4

Online dispute resolution and domain-name regulation

In order to regulate domain names, Thailand relies on the Trademark Act 1991, which is the legislation providing the protection to all trademarks and service marks registered in Thailand.

VIET NAM

In Brief

Summary

Viet Nam cyberlaws include the Law on E-transactions 2005 and the Law on Information Technology 2006, supplemented by several laws and decrees on the regulation of digital signatures. The Law on Protection of Consumers’ Rights was enacted in 2010 and provides basic protection to consumers engaging in electronic transactions.

The country also has a Decree on Management, Supply and Use of Internet Services and Information on Internet 2008, which contains some limited cybercrime provisions. Now Viet Nam is drafting the Law on Information Security which intends to be enacted in 2014.

Viet Nam faces a number of challenges in implementing laws, including a lack of skills and training for law enforcement agencies, and difficulties dealing with cross-border issues.

The ICT infrastructure in Viet Nam has improved considerably, and there is today a relatively high level of Internet use as well as mobile penetration. Nevertheless, there is still significant potential for greater use of e-commerce in the country.

Electronic transactions law

The Law on E-transactions 2005 includes broad provisions on e-commerce and e-signatures. It is based on the UNCITRAL Model Law on Electronic Commerce (1996).

The Law on E-transactions contains functional equivalence provisions including for electronic signatures and electronic communications. It also contains provisions creating legal rules which govern the circumstances surrounding when an electronic contract is formed, such as time and place of dispatch and receipt of an electronic message.

On 15 February 2007, the Government issued Decree No. 26 providing detailed Regulations on the implementation of the Law on E-transactions on digital signature and digital signature certification services – applicable to agencies and organizations providing such services as well as agencies, organizations and individuals seeking to use digital signature and digital signature certification services in electronic transactions. In addition, this Decree enacts most of the substantive provisions of the United Nations Convention on the Use of Electronic Communications in International Contracts, to which, however, Viet Nam has not yet become a party.

Consumer protection

The Law on Protection of Consumers’ Rights was enacted in 2010 and provides basic protection to consumers engaging in electronic transactions. It requires suppliers to provide certain information about the transaction to the consumer and establishes a right to have complaints resolved by arbitration.

Privacy and data protection

The Law on Protection of Consumers’ Rights 2010 includes some limited data protection requirements for organizations collecting information from consumers online.

Online content regulation

Viet Nam currently regulates access to both Internet infrastructure and content.

Internet users in Viet Nam are required to connect to the Internet via a licensed ISP. Paragraph 3.2(c), section II of circular 04 on Internet prohibits any access to foreign ISPs by direct dialling of international telephone numbers.

Internet users are not permitted to use Internet application services to the extent that the use of those services is prohibited or is not expressly permitted by law pursuant to paragraph 3.2(e), section II of circular 04 on Internet.

Article 47 of the Law on E-transactions also contains a requirement for ISPs to cooperate with authorities in relation to online content regulation.

Cybercrime and cybersecurity

In 2001, the Management and Use of Internet Services Decree was issued which created a number of cyberoffences. Offences under the Decree include:

  • Use of software tools, passwords, encryption codes or personal information to access Internet services illegally;
  • Stealing a password, access code or private information of an organization and publishing it;
  • Using the Internet with the intention to harass, threaten or defame another person;
  • Creating and disseminating computer viruses on the Internet.

Cybercrime laws in Viet Nam only cover a limited range of activities, and are not as extensive as the offences contained in the Convention on Cybercrime.

Online dispute resolution and domain-name regulation

While there are no laws regulating the use of domain names, the Viet Nam Internet Network Information Centre is the administrator for domain names in the

country. It was established under an administrative decision of the Secretary General of the General Department of Posts and Telecommunications. The Centre is responsible for managing, allocating and supervising the use of Viet Nam’s domain names. Another administrative order, Decision No 92/2003/ QD by the Ministry of Posts and Telematics also sets out some principles governing the issuing of domain names.

ANNEX 1. Compendium of e-commerce laws in ASEAN member States (as of March 2013)

Brunei Darussalam

Cambodia

Indonesia

The Lao People’s Democratic Republic

  • Electronic Transactions Law 2012.
  • Ministry of Information and Culture, Special Provisions (416/IC) for Control of the Content and the Information and Data Obtained via the Internet System.
  • Telecommunication Law 2001
    http://www.wipo.int/wipolex/en/text.jsp?file_id=180335.

Malaysia

Myanmar

The Philippines

Singapore

Thailand

Viet Nam

ANNEX 2. Challenges to the enactment and enforcement of e-commerce laws within ASEAN based on the responses from the questionnaire

ANNEX 3. List of ASEAN delegates who contributed to the Review

Brunei Darussalam

  • Mr. Camran Nadeem Riaz Legal Officer
    E-government National Centre Prime Minister’s Office
  • Mr. Ahmad Jefri Abd. Rahman
    Senior Counsel Attorney General’s Chambers

Cambodia

  • Mr. Sar Ratana
    Director of International Cooperation Department Ministry of Posts and Telecommunications of Cambodia
  • Mr. Troeung Douma
    Deputy Director of Telecom Policy and Regulation Department
    Ministry of Posts and Telecommunications of Cambodia
  • H.E. Mr. Sorasak Pan
    Secretary of State of Ministry of Commerce
    Chairman of the E-commerce Drafting Law Working Group
    Ministry of Commerce
  • Mr. Om Dararith
    Director, Legal Affairs Department Ministry of Commerce
  • Mr. Yim Chamnab Pheakdey
    Secretary of the E-commerce Drafting Law Working Group
    Department of Legal Affairs,
    Ministry of Commerce

Indonesia

  • Mrs. Ary Fitria Nandini
    Legal and Cooperation Analyst
    Directorate General of ICT Applications, Ministry of Communication and Information Technology
  • Ms. Nanci Laura Sitinjak
    Legal Analyst Information Technology Directorate General of ICT Applications, Ministry of Communication and Information Technology

The Lao People’s Democratic Republic

  • Mr. Somchith Anouvong
    Director of Legal Division
    Ministry of Posts and Telecommunications
  • Mr. Souliya Sengdalavong
    Director of Promotion and Development Division
    Ministry of Science and Technology

Malaysia

  • Mr. Mohamad Farid Mohd Aris
    Principal Assistant Director of E-logistics Unit
    Ministry of International Trade and Industry
  • Mr. William Lee
    International Affairs
    Malaysian Communications and Multimedia Commission

Myanmar

  • Ms. Aye Aye Soe
    Deputy General Manager (Finance)
    Myanma Posts and Telecommunications
  • Ms. Ni Ni Han
    Assistant Director
    Posts and Telecommunications Department

Philippines

  • Undersecretary Louis Napoleon C. Casambre
    Executive Director, Information and Communications Technology Office
    Department of Science and Technology
    and ASEAN TELSOM Leader
  • Ms. Maria Lourdes Yaptinchay
    Director, Office of Policy Research E-commerce Office
    Department of Trade and Industry
  • Mr. Philip Varilla
    Director III, Officer-in-Charge
    Policy, Planning and Research Support Service Information and Communications Technology Office
  • Mr. Dustin Andaya
    President
    Superius Corporation

Singapore

  • Mr. Mike Ong
    Manager (International)
    Infocomm Development Authority of Singapore

Thailand

  • Mr. Jakkrapong Chavong
    Director of Supervision Group, Office of the Electronic Transaction Commission
    Ministry of Information and Communication Technology
  • Ms. Orachat Leingpeboon
    Director Policy and Promotion
    Office Electronic Transactions Development Agency
  • Ms. Usanisa Khun-Ekanan
    Legal Compliance Manage
    Electronic Transactions Development Agency

Viet Nam

  • Mr. Phuc Nguyen Thanh
    Director General
    Authority of Information Technology Application,
    Ministry of Information and Communications of Viet Nam
  • Mr. Tuyen Nguyen Thanh
    Deputy Director General
    Department of Information Technology Ministry of Information and Communications of Viet Nam

ASEAN secretariat

  • Mr. Sukma Wardhana
    TO Information Communication Technology
    ASEAN Secretariat
  • Mr. Budi Yuwono
    Senior Officer,
    ICT Sector, Infrastructure Division ASEAN Secretariat

ANNEX 4. List of selected UNCTAD publications in the area of ICT and legal issues

  • UNCTAD (2012). Harmonizing Cyberlaws and Regulations: The experience of the East Africa Community. UNCTAD/UNCTAD/DTL/STICT/2012/4
  • UNCTAD (2012). Mobile Money for Business Development in the East African Community: A Comparative Study of Existing Platforms and Regulations. UNCTAD/UNCTAD/DTL/STICT/2012/2
  • UNCTAD (2009). Study on prospects for harmonizing cyberlegislation in Latin America. UNCTAD/DTL/ STICT/2009/1 (available in Spanish)
  • UNCTAD (2009). Study on prospects for harmonizing cyberlegislation in Central America and the Caribbean. UNCTAD/DTL/STICT/2009/3 (available in Spanish)
  • UNCTAD. Information Economy Report 2007–2008: Harmonizing cyber legislation at the regional level: the case of the ASEAN
  • UNCTAD. Information Economy Report 2006: Laws and contracts in an e-commerce environment
  • UNCTAD. Information Economy Report 2005: Addressing the Phenomenon of Cybercrime
  • UNCTAD. Electronic Commerce and Development Report 2004: Protecting Privacy Rights in an Online World
  • UNCTAD. Electronic Commerce and Development Report 2003: Domain Name System and Issues for Developing Countries
  • UNCTAD. Electronic Commerce and Development Report 2002: Online Dispute Resolution
  • UNCTAD. Electronic Commerce and Development Report 2001: Overview of Selected Legal and Regulatory Developments in E-commerce

Printed at United Nations, Geneva – GE.13-51102 – August 2013 – 1,134 – UNCTAD/DTL/STICT/2013/1

UNCTAD


[1] ASEAN ICT Masterplan, 2015, http://www.asean.org/resources/publications/asean-publications/item/asean-ict-masterplan-2015.

[2] http://unctad.org/en/Docs/sdteecb20071_en.pdf.

[3] ASEAN e-Commerce Database, 2009 : http://www.asean.org/resources/item/asean-e-commerce-database-project-2.

[4] ASEAN Internal Document: AADCP E-Commerce Project – Harmonization of E-Commerce Legal Infrastructure in ASEAN, Implementation Progress Checklist (2007).

[5] A Khmer version of the training course was developed in 2006.

[6] UNCTAD’s TrainForTrade platform: http://learn.unctad.org/.

[7] ASEAN secretariat, Roadmap for Integration of e-ASEAN Sector, 29 November 2004, http://www.aseansec.org/16689.htm.

[8] ASEAN Internal Document: AADCP E-Commerce Project – Harmonization of E-Commerce Legal Infrastructure in ASEAN, Implementation Progress Checklist (2007).

[9] http://unctad.org/en/Docs/sdteecb20071_en.pdf.

[10] ASEAN e-Commerce Database, 2009, http://www.asean.org/resources/item/asean-e-commerce-database-project-2.

[11] A compendium of e-commerce laws in ASEAN member States is presented in annex 1.

[12] http://www.uncitral.org/uncitral/en/case_law.html.

[13] International Consumer Protection and Enforcement Network (ICPEN), https://icpen.org/.

[14] OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (1980), http://www.oecd.org/internet/interneteconomy/oecdguidelinesontheprotectionofprivacyandtransborderflowsofpersonaldata.htm.

[15] Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (1995), http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:31995L0046:en:NOT

[16] APEC Privacy Framework (2005): http://www.apec.org/Groups/Committee-on-Trade-and-Investment/~/media/Files/Groups/ECSG/05_ecsg_privacyframewk.ashx.

[17] Commonwealth secretariat, Model Law on Computer and Computer Related Crime (2002), http://www.thecommonwealth.org/shared_asp_files/uploadedfiles/%7BDA109CD2-5204-4FAB-AA77-86970A639B05%7D_Computer%20Crime.pdf.

[18] Uniform Domain-Name Dispute-Resolution Policy (UDRP), http://www.icann.org/en/help/dndr/udrp.

[19] ASEAN Internal Document: AADCP E-Commerce Project – Harmonization of E-Commerce Legal Infrastructure in ASEAN, Implementation Progress Checklist (2007).

[20] A Khmer version of the training course was developed in 2006.

[21] UNCTAD’s TrainForTrade platform: http://learn.unctad.org/. [2-9]

[22] The Act is also partly based on the Singapore Electronic Transactions Act, although it does not include provisions that are equivalent to the recent amendments to the Singapore legislation.

[23] Council of Europe, Cybercrime legislation – Brunei country profile, 2008, http://www.coe.int/t/dghl/cooperation/economiccrime/cybercrime/documents/countryprofiles/cyber_cp_Brunei_%202008_November.pdf.

[24] AITI, Domain-name Management Framework – Consultation, 2012, http://www.aiti.gov.bn/form/public_consoltation/1_PublicConsultDoc_20120827-FINAL-%20SGNIC%20final.pdf.

[25] World Bank, Trade Development Support Programme, http://www.worldbank.org/projects/P109648/cambodia-trade-development-support-program-retf093573?lang=en.

[26] Regulation Number 82 of 2012 Concerning Electronic System and Transaction Operation, http://rulebook-jica.ekon.go.id/english/4902_PP_82_2012_e.html.

[27] http://www.itu.int/ITU-D/asp/CMS/Events/2012/socialmedia/S6.3_Indonesia.pdf.

[28] Malaysian Communications and Multimedia Commission, www.skmm.gov.my

[29] Communications and Multimedia Content Forum of Malaysia, http://cmcf.net/.

[30] Singapore Media Development Authority, http://www.mda.gov.sg.

[31] The Notification of the Electronic Transactions Commission on Policy and Practice Statement on Personal Data Protection of a State Agency 2010 (B.E. 2553) is issued under the Royal Decree Prescribing Rules and Procedures of Electronic Transactions in the Public Sectors 2006 (B.E. 2549).

[32] The Notification of Electronic Transactions Commission on Policy and Practice in the Information Security of a State Agency 2010 (B.E. 2553) is issued under the Royal Decree Prescribing Rules and Procedures of Electronic Transactions in the Public Sectors 2006 (B.E. 2549).

[33] The Notification of Electronic Transactions Commission on Category of Electronic Transactions and Rules on Assessment on the Scale of Impact of Electronic Transactions Pursuant to Security Techniques 2013 (B.E. 2555) is issued under the Royal Decree regarding Security Techniques in Performing Electronic Transactions 2010 (B.E. 2553).

[34] The Notification of Electronic Transactions Commission on Information Security Standards in accordance with Security Techniques 2013 (B.E. 2555) is issued under the Royal Decree regarding Security Techniques in Performing Electronic Transactions 2010 (B.E. 2553).