Event Report from DigitalxADB: Driving Digital Development across Asia and the Pacific

On October 27, the Future of Privacy Forum (FPF)’s Asia-Pacific office and the Asian Development Bank (ADB) co-hosted an online event titled, “Trade Offs or Synergies? Data Privacy and Protection as an Engine of Data Driven Innovation” in the context of DigitalxADB. This edition was the third in ADB’s series of annual knowledge-sharing events for representatives of ADB’s 68 member countries and external partners to learn about and take part in efforts to further integrate “digital” into ADB.

1. Background

By way of a background, ADB was conceived in the early 1960s as a financial institution that would be Asian in character and foster economic growth and cooperation in one of the poorest regions in the world. Despite the region’s many successes, it remains home to a large share of the world’s poor: 263 million living on less than US$1.90 a day and 1.1 billion on less than US$3.20 a day. ADB assists its members, and partners, by providing loans, technical assistance, grants, and equity investments to promote social and economic development. ADB maximizes the development impact of its assistance by facilitating policy dialogues, providing advisory services, and mobilizing financial resources through co-financing operations that tap official, commercial, and export credit sources.

For FPF, the co-organization of this digital policy dialogue with an international organization as important in the region as the ADB was an opportunity to manifest its intention to be useful to the data protection and privacy community in Asia through a large variety of means. FPF Asia-Pacific sees its role as a platform for cooperation that is both expert and neutral capable of supporting all kinds of actions that can contribute to the development of best practices in data protection and privacy, to help bridge the gaps between law and practice, and advance thought leadership and support coherent policy development in this area. Such cooperation must involve a wide variety of stakeholders, whether from the public or private sectors, national or regional, where appropriate in partnership with international organizations.

2. Key takeaways

This event consisted of two panel discussions.

The first, titled “Industry Expectations and Cooperation with Privacy Regulators in Asia,” was moderated by Yoonee Jeong (Senior Digital Specialist, ADB) and attended by panelists Marcus Bartley-Johns (Asia Regional Director, Government Affairs and Public Policy, Microsoft), Yen Vu (Principal and Country Manager, Rouse Vietnam), and Royce Wee (Director, Head of Global Public Policy, Alibaba Group).

The second, titled “To Be or to Become a Privacy Regulator in Asia in the 2020s: What Challenges, What Role for International Cooperation?” was moderated by Dr. Clarisse Girot (Director for Asia Pacific, FPF) and attended by panelists Michael McEvoy (Information and Privacy Commissioner, British Columbia, Canada, and Chair, Asia Pacific Privacy Authorities Forum – APPA), Zee Kin Yeong (Assistant Chief Executive, Infocomm Media Development Agency—IMDA, and Deputy Commissioner, Personal Data Protection Commission – PDPC, Singapore), and Prof Thitirat Thipsamritkul (Faculty of Law, Thammasat University, and Vice President of the Digital Council of Thailand).

This post summarizes the discussions in these two stellar panels and highlights key takeaways:

• There is growing momentum for data protection and privacy in Asia. In 2020/21 alone,Singapore, Japan, South Korea, New Zealand, China and Thailand have upgraded or passed their data protection laws, while Brunei, India, Indonesia, Vietnam, and Sri Lanka among others move closer to adopting data protection frameworks of their own. Panellists Yen Vu and Thitirat Thipsamritkul shared first-hand experiences with development of data protection legislation in Vietnam and Thailand, respectively, while Zee Kin Yeong and Michael McEvoy shared their national and international experience as seasoned regulators in Singapore and British Columbia, Canada.
• A key consideration for data protection law in Asia is finding the right balance between convergence with global standards and adaptation to local conditions. As more data protection laws in Asia tend to be developed with reference to frameworks and policies from outside Asia, policymakers in Asia must find a way to integrate data protection and privacy principles with Asia’s unique histories, cultures, and values to ensure that data protection laws win support from both businesses and citizens.
• Data protection and privacy laws are most effective when made and implemented in partnership with businesses, industry associations, and civil society, as well as data protection regulators. Regulators and organisations can each learn important lessons from one another and, together with other key stakeholders, collaborate on tackling shared challenges and taking advantage of shared opportunities in the digital economy.
• It is fundamental to support the development of the community of data protection regulators in Asia, whether through actions to support the development of national regulators, or regional cooperation networks such as they are developing, in this region as elsewhere. Based on experience, the top priority of regulators must be placed on education of businesses, government, and citizens, and equipping them with the right knowledge, tools and capabilities to ensure the effectiveness of the data protection law.
• Trust, transparency, and accountability are key for businesses operating in Asia. Panellist Marcus Bartley-Johns related how Microsoft has come to recognize that Asian consumers, especially young people, are privacy-conscious and eager to understand how companies use their data. Similarly, panellist Royce Wee explained how trust is a key ingredient for a secure, inclusive, and sustainable digital economy, and increasing trust and transparency can create a win-win situation for consumers and businesses alike. In this regard, data protection laws play an important role to foster that trust.

What challenges to address, and what roles for ADB and FPF?

Thomas F. Abell (Advisor, SDCC and Chief of Digital Technology for Development, ADB) gave the introductory speech to the event and shared his insights into how the COVID-19 pandemic had accelerated the digital economy in Asia Pacific as the region increasingly relies on “digital.” 2020 was a record year in terms of member governments’ demand for ADB’s digital development programmes – roughly 20% of ADB’s projects in 2020 involved a significant digital component. Going forward, ABD is looking to increase support for its member governments in this area, from working on digital programs and security, to seeking thought leaders to drive digital development initiatives, to launching a new program in data analytics early next year.

Dr. Clarisse Girot (Director for Asia Pacific, FPF) explained how global activities have taken on an increasingly important dimension in FPF’s work, with the development of regional offices in Europe, Israel, and most recently, Asia with the recent launch of FPF’s Asia Pacific Office in Singapore. In Asia Pacific, an essential mode of action will be to forge partnerships, run joint events, and bring together businesses, citizens, and international organisations to support governments and regulators in their efforts to adopt laws and policies that address growing privacy expectations, raise the level of data protection, and ultimately, support economic growth and digitalisation in the region, especially in the wake of COVID-19.

From this point of view, the ambitions of FPF and ADB on these issues are completely complementary. This event is an opportunity to explore with the panelists what could be their priority actions in this area, if necessary joint actions.

Dr. Girot further highlighted the tension between Asia’s status as not only the most populous but also most economically dynamic region in the world and the fact that data protection laws, for historical more than for political reasons, tend to be developed with reference to instruments, frameworks, and policies that have been designed and developed elsewhere – the EU’s General Data Protection Regulation (GDPR) being a case in point. Dr. Girot stressed the need to ensure that national frameworks are compatible with global standards that are necessary in a world where data flows are ubiquitous and underlie the digital economy.

But more prosaically, there is also a need to address challenges that have blocked adoption of data protection and privacy laws in some jurisdictions where they have been announced as “imminent” for several years. Passing a data protection law is not easy, even less today than in the past. A major challenge in Asia is how to articulate data protection laws with the “geopolitically loaded” concept of “data sovereignty” – a  concept which has taken root specifically in China and India and looks to spread elsewhere. Another blocking factor is the legitimate concern that data protection and privacy laws would impose administrative constraints and compliance costs for local businesses, thereby restricting innovation and blocking trade. As well, baseline data protection laws intersect with sectoral laws, so that a lot of finetuning is required. Defining the material scope of the law is not easy. Such fear also extends to the decision whether to institute a data protection and privacy regulator and provide it with powers and control over governments, among others.

To address these challenges, regional and international cooperation, and cooperation between the public and private sectors, academia and civil society, is essential. Events like DigitalxADB are thus an opportunity to demonstrate the wealth of resources that international cooperation brings. They also help to identify the multiple ways in which both public and private actors, including FPF and ADB, can contribute by providing support for governments and regulators in Asia to tackle these challenges—be it financial, material, or “intellectual”.

The two panel discussions were set up to approach these subjects from two complementary angles.

Panel 1: “Industry Expectations and Cooperation with Data Protection and Privacy Regulators in Asia”

This first panel moderated by Yoonee Jeong was comprised of industry representatives from different backgrounds, who share the same difficulties in complying with fluctuating and variable data protection rules in the region. During the conversation, each panelist was asked how they envision that ADB or FPF could usefully contribute to addressing these challenges.

Below is a synthesis of the main comments made by each panelist in the course of the conversation.

Marcus Bartley-Johns (Asia Regional Director, Government Affairs and Public Policy, Microsoft) opened his comments by lauding the efforts by ADB and FPF for coming together to convene this dialogue, and underlining the great value which lies in the combination of ADB’s unique convening power and ability to work with countries across the region on these issues, and FPF’ capacity to share expertise globally on what’s happening in privacy regulation and a lot of deep connections with the privacy community across Asia. He went on to share two key insights from Microsoft’s view of data protection and privacy issues around the Asia Pacific region.

The first is that privacy is essential for both organisations and individuals across Asia, and therefore, effective privacy regulation is central to growth of the digital economy across Asia. In this respect, Microsoft and research firm IDC conducted a survey of the perceptions and expectations of trust in digital services of more than 6000 consumers in this region in 2019. 53% of those consumers reported feeling that their personal privacy had been compromised or that their trust had been breached when using digital services. A higher share of respondents who reported negative experiences were young people. This challenges the oft-held assumption that because young people – especially in Asia – are high consumers of digital services, they do not care about privacy. A further example is that of the 19 million unique visitors to Microsoft’s privacy dashboard in 2020, Australia, China, Japan, Korea, and India were all in the top 20 countries of visitors who came to view, export, or delete their data.

The second is that opportunities for collaboration on data protection and privacy abound. Organisations like FPF and ADB (among other stakeholders) can play a key role in developing privacy regulation through providing resources and technical assistance to countries that are thinking about privacy regulation and consultation to countries that are drafting new privacy regulations or amending their existing regulations. In particular, regulation needs to be technology-neutral as there is a temptation among regulators in Asia to look for an easy technical fix – such as contractual terms – to demonstrate privacy protection.

There are also opportunities for regional cooperation to counter the trend of countries working in “silos,” leading to a fragmented regulatory framework that will not support trade and investment and will increase costs for local companies – especially Small and Medium Enterprises (SMEs), which unlike large multinational companies (MNCs) cannot invest significant funds and employ hundreds of full-time engineers to transform their data management. In this regard, Singapore has been instrumental in driving greater regulatory coherence in ASEAN. More work on interoperability is needed to ensure that compliance will be as straightforward as possible for SMEs while still keeping a high bar for privacy protection cross the region’s regulatory landscape.

Yen Vu (Principal and Country Manager, Rouse Vietnam) shared the experiences of Vietnam as the country developed its first personal data protection decree, which she hopes will be passed and take effect by the end of this year.

Despite facing technological, economic, and societal challenges, Southeast Asia has an opportunity to become a digital economy hub for Asia. For example, even as large parts of Vietnam were under strict lockdown due to COVID-19, its Internet-based economy still reported growth in transportation, food, e-commerce, and fintech. The challenges come from an ever-shifting regulatory environment in both Vietnam and the region, as well as the need for training and awareness-building for both the public and private sectors.

In 2020, Vietnam became one of the first countries internationally to announce a programme for national digital transformation. Data protection will be key to this digital transformation programme, which aims to develop digital government, economy, and society and to equip Vietnamese digital businesses with global capacity in key areas – including healthcare, education, finance, banking, agriculture, transportation, energy, natural resources, the environment, and industrial protection – over the next decade.

However, the situation on the ground is one of regulatory fragmentation as Vietnam still lacks an omnibus law on data privacy. This has caused confusion and poses challenges for business across all sectors, which must often seek guidance from the government on how to comply with requirements under security laws, such as data localization. There are opportunities for international organisations like FPF and ADB to support Vietnam, especially through capacity-building activities for both the public and private sectors.

Royce Wee (Director, Head of Global Public Policy, Alibaba Group) highlighted that now is a very interesting time to be in Asia because more and more Asian countries are coming up with data protection laws. Thailand recently joined Singapore, the Philippines, and Malaysia as jurisdictions which already have data protection laws in place, and Brunei, Indonesia, Vietnam, and India move closer to adopting new data protection laws. China is also a major mover in this space, having passed a trio of data-related laws in a short time – the Cybersecurity Law, Data Security Law, and most recently, the Personal Information Protection Law (PIPL) which came into effect at the start of November 2021.

These data protection laws are not homogeneous but rather, reflect each country’s philosophies, outlooks, and values as well as its unique needs and circumstances. Data protection is not a solely European construct, and each country has to strike a balance between individual rights and control on the one hand and reasonable/legitimate business needs on the other hand.

This can create significant challenges for MNCs like Alibaba Group, whose compliance policies must be localized to meet each jurisdiction’s standards and requirements. In this respect, MNCs typically adopt a “high watermark” say set by the EU GDPR as a starting point and then make adjustments based on specificities in local data protection laws.

However, this is only a narrow view of data protection. Trust remains an overarching objective for these laws and is a key ingredient for a secure, inclusive, and sustainable digital economy. For organisations, trust helps to build long-term relationships with customers in which customers will be more willing to provide more and better-quality data, and organisations will be better placed to provide high-quality services and value-for-money products to meet their customers’ needs.

For regulators, trust in the digital economy allows for greater economic development and dynamism and can help to bridge the digital divide, opening the digital economy to greater participation from all segments of society while also creating better jobs with higher incomes by matching skills and demand and enabling better policy implementation.

The road to trust is one of constant, iterative improvement because – due to fast-paced changes in technology, business models, consumer expectations, and even societal values – the journey never really has an end in sight.

Regulators play an important role in pushing businesses to do more and to do better in a spirit of partnership and goodwill, rather than adversity. At the same time, businesses play an important role in uplifting data protection standards across the board. While MNCs have an important signalling effect, the real power to “move the needle” for data protection standards and processes comes from SMEs as they represent the vast majority of businesses in Asia. Regulators can do a lot to bring SMEs on board by issuing guidelines, providing clarity on their regulatory intent, and supplying tools and technological solutions. For example, in Singapore, the Infocomm Media Development Authority (IMDA) come up with “tech packs” containing solutions that SMEs can easily adopt and adapt to meet their business needs while ensuring at least a minimum baseline data.

Cooperative partnership between regulators and businesses is a prerequisite to develop the right culture of data accountability for organizations. Regulators should explain their regulatory objectives, concerns, and priorities but also understand the constraints and limitations in businesses’ daily operations. Similarly, businesses should understand these regulatory objectives, concerns, and priorities, but also provide feedback as part of the consultation process before new laws are passed, to ensure that the laws are practical and effective and that businesses can comply with them. For example, if left to their own devices, some regulators in Asia have a strong tendency to include data localisation into their laws. However, as the digital economy is essentially borderless, this can harm cross-border data flows necessary for e-commerce and the adoption of cloud solutions.

International organisations like FPF and ADB can, through their thought leadership and convening power, play an important role by contributing to the law-making process, especially through innovative projects such as sandboxing schemes, exploring different models for data processing, innovation, and even valuation, promoting harmonisation of baseline global principles and standards for data protection, to work with/across regulators and businesses to create mechanisms to allow/facilitate greater trusted and secure border data flows, and promoting discussion and agreement on an ethical framework for data processing that includes emerging technologies such as artificial intelligence, machine learning, and the Internet of Things.

By sharing resources and expertise, regulators and businesses can build trust and solve common problems and achieve common objectives – from improving the transparency of data processing, to putting in place adequate security standards and agreeing on common criteria/list of reasonable and legitimate uses of personal data, to reskilling and upskilling workers for new jobs in the digital economy.

Panel 2: “To Be or to Become a Privacy Regulator in Asia in the 2020s: What Challenges, What Role for International Cooperation?”

This second panel moderated by Dr. Clarisse Girot was comprised of two data protection regulators (Yeong Zee Kin and Michael McEvoy) and of an expert involved in the lawmaking process in Thailand (Prof Thitirat Thipsamritkul). Below is a synthesis of the main comments made by each panellist in the course of the conversation.

Professor Thitirat Thipsamritkul (Faculty of Law, Thammasat University, Vice President of the Digital Council of Thailand) shared her experience with the development of a draft personal data protection law in Thailand, which was ultimately passed in 2019.

Historically, data protection and privacy had been seen as a side issue which was not as essential to Thailand’s digital economy as, for example, cybercrime, cybersecurity, and intellectual property law. Little by little, privacy law became more central to the discussion with the emergence of the EU GDPR and efforts by the public sector, academia, and civil society to bring privacy into legislative discussions around the digital economy. By 2019, with the passage of the Cybersecurity Law, the zeitgeist was that if Thailand needed a cybersecurity law, then it also needed a data protection law.

The legislative process for the resultant Personal Data Protection Act (PDPA) was unique in that it involved extensive collaboration between the public and private sectors, academia, and civil society. In particular, academia was instrumental in shaping the PDPA as it had already created “shadow regulation” in the form of the Thailand Data Protection Guidelines (TDPG) to help Thai companies to comply with the EU GDPR and do business with Europe. The Guidelines were widely used by Thai businesses and drew not only on international standards but also input from local businesses and organisations on the practicality of data protection measures. Even after the PDPA was passed, the Guidelines remained influential for businesses designing their compliance schemes.

Thai society is now ready to comply with the PDPA but has been occupied with the response to COVID-19 for the last year. Due to resistance to the PDPA from certain sectors of the economy, the Thai government postponed the PDPA’s entry into effect twice. There is generally a fear that the PDPA gives too wide a discretion to regulators and the courts and that the courts’ interpretation would be uncertain as the PDPA introduces an entirely new framework into Thai law, also because due to stringent provisions on criminal liability for breach of the Act.

The postponements have sparked a debate in Thailand as to whether privacy laws should be strengthened or whether the compliance burden should be reduced as a result of the pandemic. However, at the same time, many businesses, including those in the financial and health insurance sectors, have been declaring new privacy protective measures and policies even before the PDPA takes effect.

On a broader note, many of the data practices in Asia differ significantly from those in Europe or America – for example, Asia has a lot of online shopping livestreams, which are much less common in Europe and Asia. This means that each region must adopt different methods for implementing data protection and privacy principles, even if these core principles remain the same around the world. However, a shared problem for regulators around the world is capacity-building – this is where international cooperation can be most effective.

Zee Kin Yeong (Deputy Commissioner, PDPC, Singapore) started with a word of encouragement for Thailand and explained that even Singapore’s journey to enacting data protection legislation started with a voluntary, industry-created model code, which was introduced in 2001-2002 – a decade before Singapore enacted its own PDPA in 2012. This was a necessary and helpful step to full legislation as local online businesses voluntarily adopted the code and began to prepare for full data protection legislation.

Yeong Zee Kin had three areas of advice for governments and policymakers who are data protection and privacy:

• the necessity for convergence with global norms when designing laws;
• equipping businesses and companies with practical tools to implement the principles within their organisations; and
• valuing partnerships with the data protection community and data protection officers, who can act as champions to help to build the data protection ecosystem.

On convergence with global norms, he stressed that nowadays, data “can’t be kept in a bottle” as it flows everywhere – both within and between economies around the globe – especially as companies operate in multiple jurisdictions. Therefore, it is essential to design laws to adhere to accepted global principles to the greatest extent possible because such familiarity is important from the perspectives of both compliance and the expectation of consumers and data subjects. An example of such a global principle is the admonition against localisation of computing facilities. Other relevant global principles can be found in the OECD Privacy Guidelines, the APEC Privacy Principles, and for Southeast Asia, the ASEAN Principles for Data Protection, as well as free-trade agreements like the CPTPP and RCEP.

At the same time, it is also necessary to adapt laws to local conditions – society, culture, and history. The recent amendments to Singapore’s PDPA, which were passed a year ago, illustrate the importance of convergence as well as adaptation to local conditions. In the amendments, Singapore adopted the concept of “legitimate interests” because it had become common in multiple data protection regimes worldwide. However, Singapore also recognized that its local businesses wanted clarity and found a concept as broad and generous as legitimate interests difficult to work with. In implementing the concept, Singapore therefore took a slightly different approach to other regimes and listed out specific examples of legitimate interests in the Schedule to the PDPA. Singapore also took the unique step of creating a “business improvement exception” based on suggestions by local companies but still required express consent, rather than legitimate interests or business improvement, for direct marketing based on feedback from local consumers.

Between convergence with global norms and adaptation to local conditions, we will probably see more regional groupings in data protection laws as factors like geographical proximity heavily influence culture and history, which in turn influence expectations of and approaches to data protection. We should encourage these regional groupings and cooperation – if regulators and policymakers can come together and find a common level, then we might end up with three or four regional groupings, which could then start building bridges between regions to encourage global consistency and convergence.

On equipping businesses with practical tools, Yeon Zee Kin recommended that regulators place themselves in the shoes of local business owners and managers who would need to implement principles in legislation. Regulators can use the kinds of common business objectives that companies care about, such as inventory management, analysis of sales performance, and management of customer and HR records, as an entry point for discussing how data can be used to achieve those objectives while also embedding good data protection principles into the process. It is also important to recognize that businesses often need external help. To that end, Singapore’s PDPC curated a brief list of core data protection practices and provided a list of outsourced data-protection-as a-service providers who could help business owners and managers with compliance.

Michael McEvoy (Information and Privacy Commissioner, British Columbia, and Chair, APPA Forum) agreed that there are many examples in which jurisdictions go through a transition period from having voluntary standards, guidelines, and principles to having full data protection legislation but added that in some cases, legislation may be a result of pressure from civil society, a shift to a more reformist government, or even simply a fluke of circumstances. However, even where the legislation seems to come to fruition suddenly, it is usually the product of many years of work and efforts to educate legislators.

Voluntary industry efforts in British Columbia – such as data breach notification although there is not yet a legal obligation making notification mandatory in the province– can be the start of good practice as they create a culture and environment of compliance. In experience, businesses generally want to “do the right thing” but  they might not be able to figure out how to do it. As well, it is also certain that there is a fear. Misplaced fear on the part of businesses about regulator enforcement powers and in general that regulators may not understand the nature of innovative businesses may delay the adoption of a complete regulatory framework in some jurisdictions. Enforcement is certainly important. But the solution to address such concerns is first and foremost for regulators to go out and educate businesses and in some cases, governments, on what the “right thing” is and provide guidance, education, and assistance.

As personal data follows the flow of trade, more and more countries are waking up to the need for effective, sustainable, and trustworthy regulation for an increasingly digital world. This idea underpins the work of the Asia Pacific Privacy Authorities (APPA) Forum over the past 30 years to nurture and promote data protection in the Asia Pacific region. While initially there was not a lot of interest in APPA’s work, there definitely is now: British Columbia, which is home to APPA’s Secretariat and does approximately $14 billion worth of export trade with Pacific Rim countries, has come to recognize the importance of data protection to digital trade, and its legislature now supports APPA financially.

APPA’s 19 members – all data protection regulators in Asia Pacific – assist one another and share information and techniques to enhance their regulatory expertise. APPA has also extended a hand to other jurisdictions outside this region, such as recently in the Cayman Islands. Countries that are now considering implementing new data protection laws, where none previously existed, are fortunate in that these countries can learn from the experiences of jurisdictions that have gone through this process, adapting what is useful and avoiding the regulatory missteps that unfortunately happen from time to time. No two countries’ data protection laws will ever be identical because country is informed by its own history and culture. However, countries across the globe share a commitment to have at least some commonality, especially in allowing data to flow more freely and securely. In this respect, the GDPR and the concept of adequacy have been very helpful in the search for common ground and convergence on principles for protecting citizens’ data while encouraging trade, innovation, and flow of data.

The session thus ended on a very encouraging note.

To conclude, ADB and FPF thanked the speakers and announced that they would consider joint actions to support positive data protection developments in the region, in the spirit of cooperation which animated the whole of this session.

This blog was written with the support of the Global Privacy team of the Future of Privacy Forum.