Regulation for Cross-Border Privacy in Southeast Asia: An Institutional Perspective

Free flow of cross-border data is important for a creation of a data-driven innovation. There is a global challenge on balancing business gains from unrestricted cross-border data flows with protection of personal data. While cross-border privacy is a global subject of regulation, only few countries in Southeast Asia have implemented data privacy laws. There have been initiatives in the region to harmonize rules on cross-border data transfers such as the APEC, the RCEP, and a newly proposed ASEAN e-commerce Agreement but they have not been concrete enough to offer a harmonization. The main challenge in the region is fragmentation since countries in the region accede to different instruments that have different principles on cross-border data privacy. Each jurisdiction still employs different standards on privacy protections. The lack of harmonized practices creates hurdles for intra-regional data transfers and protection of data privacy. The paper proposes a unifying approach for the region to avoid duplication with existing mechanisms. Rather than creating a new mechanism, the new approach will need to recognize and supplement compatibility with different frameworks. The proposed ASEAN Agreement on E-Commerce, expected to be finalized by the end of 2018, should carry out this unifying function to promote interoperability. In principles, it needs to be aligned with APEC's Cross Border Privacy Rules. A regional recognition scheme should be established to verify that a given country meets a sufficient level of personal data protection. There needs to be a technical assistance to developing countries that have limited resources in enacting and implementing data protection regulation.