Data-driven tech companies from Google and Facebook to Alibaba are finally coming under regulatory scrutiny for their shortcomings, especially over data privacy. New laws, led by the EU's General Data Protection Regulations (GDPR), are putting constraints on global groups that had grown used to setting their own rules.
But correcting the problems of today's digital economy will depend less on government regulators than on the harnessing of market forces. Already, market-inspired data privacy and cybersecurity services are becoming hot commercial commodities, not least in Asia.
This has given rise to a new "RegTech" sector -- where companies and governments use AI to manage regulatory processes -- which could create opportunities for a wide range of businesses, large and small.
While all nations around the world face data protection challenges, they are particularly acute in Southeast Asia because the region of 600 million people combines high growth in the digital economy with a fragmented regulatory landscape, spread across a dozen different countries. Moreover, Southeast Asia lacks the legal and technical infrastructure of developed states, such as the U.S. and EU members, or the single central authority of governments in countries such as India and China. And, as of now, there are no local tech groups big enough to challenge the global leaders.
So, governments and companies must find innovative ways to handle data protection challenges, including adopting AI-driven risk management processes.
Southeast Asia is leapfrogging ahead with mobile-first technologies that are rapidly expanding e-commerce, social commerce and the sharing economy. This is producing exponential growth in data as well as an explosion of fintech startups.
Take the example of Indonesia, Southeast Asia's largest digital market. The Australia-Indonesia Partnership for Economic Governance (AIPEG), reports that investment in Indonesian startups in 2016 reached $1.4 billion and then jumped to $3 Billion in the first eight months of 2017. So far, so good.
But this money has come largely from a few big overseas investors, with China's tech giants Alibaba and Tencent Holdings and American behemoth Alphabet (Google's parent company) investing billions in Go-Jek, the ride-hailing app and Tokopedia, the e-commerce platform. Japan's SoftBank Internet and Media Inc. (SIMI) has also invested in Tokopedia, while Expedia of the U.S. has poured funding into Traveloka, Indonesia's unicorn travel platform.
That a handful of global tech giants can exert so much influence in one country underscores the importance of effective data protection.
The big question facing Southeast Asia is : can governments, businesses and NGOs work together to create a regulatory environment that protects data but also creates an open and level playing field? There are plenty of cautionary tales from which to learn.
At one extreme is the open system of surveillance capitalism that has prevailed until recently, where data merchants such as Facebook harvest the information of billions of people -- mostly out of sight from regulators. The other extreme: a Big Brother regime, such as in China, that uses increasingly intrusive practices to enforce digital autocracy. Both scenarios must be avoided.
Absent the development of a unified viable regulatory framework, companies will be forced to further localize and nationalize their operations, effectively cutting themselves off from global data value chains.
Meanwhile, the data protection landscape across Southeast Asia is fragmented.
Singapore's Personal Data Protection Act (PDPA), for example, imposes penalties of up to a million Singapore dollars and prison time for violations of an individual's privacy. The PDPA applies to all electronic and non-electronic communications regarding data collection, processing or disclosure and requires companies to obtain customers' consent. Companies must also inform customers regarding the personal data they possess.
Malaysia has a similar PDPA, while Indonesia has drafted data privacy standards that are a virtual cut and paste of the European GDPR. Vietnam, Thailand and the Philippines are in the process of either implementing or drafting variations of PDPAs.
To the north, ASEAN's, largest trading partner, China, recently passed its Cyber Security Law, which, among other things, requires foreign companies to store local customer data on servers located in China- which grants Beijing backdoor access to that data. To date, Malaysia, Indonesia, Vietnam and Brunei all have their own versions of data localization laws in place, with others are looking at new regulations.
With all this complexity, the only answer for tech companies, especially smaller, local, businesses, is technology.
I recently attended the 2018 Fintech Expo in Singapore -- now the largest of its kind -- and noted the impact that data protection laws are having on the banking sector. Most companies in attendance (especially startups) were promoting tools and services relating to data privacy and security.
Oracle, the American multinational that makes Cloud and platform technology, has teamed up with Citigroup, the U.S. bank, to provide an "Open Banking" environment for digital customers. The platform uses AI to connect customer-specific data to other Cloud-based service providers, from financial planners and insurers, to tax advisers and trading exchanges.
The architecture behind all of this must integrate large ecosystems of middleware providers, which make data privacy and security in an Open Banking environment extremely challenging -- especially for smaller companies.
But technology is solving this problem. I spoke with middleware provider Eightwire, based in New Zealand, which addresses exactly these issues as it builds bespoke data exchange platforms, designed with encryption and AI functions that protect personal data.
Another startup, Credolab, based in Singapore, has developed a mobile phone App that hoovers up all the data on a device, including a user's texting, browsing, email strings and entertainment choices and produces a bank-grade credit rating that can be used by lenders, insurers and governments.
This kind of mobile tech is a boost for Southeast Asia's emerging markets, where most people remain unbanked.
These are but a few examples among many. Meanwhile, at a regional level the recent signing of an e-commerce agreement by the Association of Southeast Asian Nations offers hope of regulatory integration, even if this is a only a symbolic first step.
Regulators must hold data capitalism accountable. Governments, businesses and other stakeholders must continue to work together to achieve a regulatory landscape that is fair and open, and gives smaller local companies a chance to compete with global giants.
Alex Capri is a senior fellow in the Business School at the National University of Singapore.