Recent moves to increase regulatory oversight of online publishing in Indonesia and Thailand underscore a rising trend in Southeast Asia -- using legislation typically meant to enforce data privacy or cybersecurity to serve domestic political aims.
It is worrisome that Southeast Asian governments feel increasingly comfortable hiding their efforts to exert state control over information behind cybersecurity mandates. These moves will be ineffective in raising internet security capabilities and will dampen internet investment in the region, one of the world's most significant markets for digital business.
These trends are unfortunate, but far from new. Freedom House rates the internet market of every member of the Association of Southeast Asian Nations as either "not free" or "partly free," with the sole exception of the Philippines.
Indonesia recently amended its Electronic Information and Transactions Law to allow for a "right to be forgotten," allowing citizens to petition for the removal of online material they consider defamatory or simply wish to keep private. The Thai government, which has steadily restricted online speech since the 2014 military coup, amended the decade-old Computer Crime Act on Dec. 16 to grant the state access to personal internet usage data without a warrant and expand the definition of what is considered counter to national security.
Certainly ASEAN is far from the only region where cybersecurity legislation masks nationalistic or political agendas. But as opposed to concerns in the U.S., where cybersecurity worries are directed at external actors, the actions of Indonesia and Thailand are aimed at combating internal threats.
Singapore and Malaysia have also been bulking up policy frameworks and security infrastructure to deal with cyberattacks, but in both instances this appears to have been driven by their respective efforts to attract global digital business.
Indonesia's "right to be forgotten" edict echoes similar legislation introduced in Europe. Driven in large part by the European Union's hostility toward global internet companies and the control they hold over personal data, these laws have proven nearly impossible to enforce. While complying with EU demands, Google recently warned that such rules can encourage less democratic jurisdictions to bend the internet to the will of the state.
VALID CONCERNS This seems a plausible threat in Indonesia. While the country enjoys one of the highest levels of press freedom in Asia, digital freedom advocates worry that the influence of politically powerful individuals and institutions could exploit the new rules to rewrite history and obscure the activities of the corrupt. These are valid concerns, given the struggle to get more information released about authoritarian-era atrocities and current corruption.
Right to be forgotten legislation will do little to foster digital economy development, if this was even a motivating factor. More likely, Indonesia's digital law revision is of a piece with its push to maintain domestic control over internet businesses, similar to its earlier efforts to bring so-called over-the-top internet media services to heel by requiring in-country business registration and a physical presence. It also pairs well with the government's tendency to see technology adoption as containing threats to social harmony; a recent flurry of "fake news" reports, many anti-China in sentiment, have spurred Indonesian President Joko Widodo to commission a state-level investigation to combat the phenomenon.
Indonesia's moves on the right to be forgotten seem to overlook that what the country's growing internet commerce business ecosystem needs is just the opposite: It needs to be remembered by global businesses and investors. The authorities in Jakarta seem to have realized that they have, in some sense, gone too far. In early December, the Ministry of Communication and Information Technology backpedaled slightly on the new rules, stating that the media will be exempt from right to be forgotten petitions.
Indonesia has rightly looked at its large, youthful and steadily growing domestic consumer market as it has any other natural resource: a national asset to be protected from global exploitation. But nationalistic cyber-legislation does not do this but rather distracts woefully underresourced policymakers from making progress on substantive cybersecurity issues. More fundamentally, restrictive internet markets can scare off digital businesses, which would rather set up shop in countries which combine robust cybersecurity infrastructure with friction-free access to information.
Ross O'Brien is a technology analyst and managing director of the Hong Kong office of Intercedent, an investment and business advisory group.