Headlines about data breaches, anti-competitive practices and fake news have turned public goodwill toward tech companies into suspicion.
This applies particularly in Asia. From the spreading of religion-based hate messages in Sri Lanka, and the role of WhatsApp in Indian lynchings, to the murder of two women passengers in China using Didi Chuxing, the ride-hailing app, Asian lawmakers face challenges protecting consumers and holding tech companies accountable.
In the west, the authorities have started to crack down hard. France, for example, used the EU's newly-drafted General Data Privacy Rules (GDPR) in January to fine Google 50 million euros ($57 million) for not fully informing users how it collects personal information, and for failing to obtain their consent for personalized ads. Meanwhile, the U.S. Congress is drafting a data privacy law, amid widespread concern over data privacy.
The authorities in Asia are struggling to catch up, even though social media in the region often plays an even bigger role than in the west.
The states of Southeast Asia face particular challenges, as compared to the large jurisdictions of the U.S., the EU, China and even Japan, because their citizens live in a tightly-linked regional economy.
The Association of South East Asian Nations must build trust between consumers, companies and governments in a healthy digital ecosystem. Cooperation among ASEAN members is essential for the cross-border management of the digital economy, and to avoid regulatory arbitrage, in which companies seek to game regional variations in corporate law.
ASEAN needs frameworks that ensure clarity for tech companies on handling user data, and transparency for customers on how their data is being used. The two big dangers are irresponsible data collecting and sharing, and anti-competitive actions.
Consumer-facing tech companies, such as Google and Facebook, have come under fire for their seemingly indiscriminate personal data collection practices. These tech titans harvest user data by aggregating and selling it to third parties for use in targeted advertising. While some may argue that, in exchange for their data, users benefit from tech companies' services, companies end up extracting a lot more value from the relationship than their customers.
Without adequate data privacy laws, user data is vulnerable to theft and companies fail to act, as exemplified by the data breaches that have occurred in Southeast Asia. Last year, for example, a researcher found that the personal information of 46,000 mobile customers with Thai mobile operator, True Corp, was publicly available on Amazon Web Services. In response, True Corp defended its security measures, and accused the researcher of hacking its customers' data.
In a far bigger case, Malaysia in 2017 investigated an attempt by hackers to sell the personal information of 46.2 million mobile customers online. This huge data breach may have affected nearly all Malaysia's citizens.
To address the region's patchwork of data privacy laws, ASEAN must work on two levels. At the regional level, it needs a consensus on the concepts underpinning data protection, using the ASEAN Framework on Personal Data Protection and the recently endorsed Framework on Digital Data Governance as starting points.
At the national level, ASEAN states should develop comprehensive data privacy laws while consulting each other, with guidelines for companies on responsible personal data collection and on handling breaches.
ASEAN members need robust and interoperable data privacy frameworks. At present, a few states such as Brunei and Myanmar lack data privacy laws, while, at the other extreme, Indonesia and Vietnam have sweeping legislations. The gaps need closing so that all are on the same regulatory page.
Singapore, for its part, has recognized the importance of having sound laws that balance user privacy and business innovation, and its Personal Data Protection Commission (PDPC) actively reviews laws in light of new tech developments. The PDPC recently issued a Model Artificial Intelligence (AI) Governance Framework, the first effort in Asia to address the possibilities and ethics of AI applications.
Meanwhile, ASEAN regulators should also look out for anticompetitive behavior, enabled by the tech companies' data monopolies. In the U.S. and China, Big Tech has profited from big network effects, meaning that the value of their services has increased as more customers use them. Network effects help to entrench tech platforms, making it necessary for customers to use their services to shop, travel, and bank. Companies further solidify their market dominance by monetizing their services, manipulating customer behavior through data analytics, and profiting from user data.
In China, the rise of Alibaba and Tencent can be credited to the massive data sets they have accessed in their many services. As super apps, Alibaba and Tencent consolidate diverse features capturing their consumer base through market integration. Aided by aggressive tech acquisitions at home and abroad, these two giants dominate markets not only within China, but in the wider region.
In the ASEAN context, anticompetitive practices may become an issue with the rise of the super app. Emerging markets within Southeast Asia are primed for super apps, because their consumers tend to be unbanked, mobile-first internet users. Home-grown Grab and Indonesian Go-Jek, which both started as ride-hailing apps, have ambitions of becoming Southeast Asia's first super app.
While customers may find the integrated services of super apps convenient, they ultimately lose out if the company engages in anticompetitive behavior that drives prices up and blocks rival businesses. Last year, Grab was fined by the Competition and Consumer Commission of Singapore (CCCS) for acquiring Uber's Southeast Asia operations, because the competition watchdog deemed that the merger would result in higher prices for ride-hailing customers.
It is imperative to build a trustworthy digital ecosystem, while ASEAN's digital economy is still nascent. Once advanced tech such as the internet of things and fifth-generation networks are introduced in the region, exponentially larger volumes of data will be generated, and companies can profit from them even more.
As holder of ASEAN rotating chair for 2019, Thailand has prioritized Industry 4.0, cultivating digital talent, and digitizing small businesses as part of its agenda. It is well-placed to begin the conversation on data governance. ASEAN must ask big questions about tech and establish principles for creating trust among consumers, business and tech. Following the proven success of ASEAN's consensus approach, lawmakers should boost the synergies between government, businesses and consumers, without favoring any party at the expense of others.
Chen Chen Lee is Director of Policy Programs, and Erin Low is Policy Research Analyst (ASEAN) at the Singapore Institute of International Affairs.