alunablue - stock.adobe.com

ASEAN regulatory sandbox will promote cross-border data flows

The Regulatory Pilot Space will offer ASEAN businesses a safe test environment to provide digital services across the region while complying with data privacy rules

Global mobile industry group GSM Association (GSMA) has called for businesses to provide details of digital services and applications that require the transfer of personal data across two or more ASEAN countries under a new regulatory sandbox initiative.

Called the Regulatory Pilot Space (RPS), the initiative was conceived to drive the region’s digital economy by giving businesses certainty that the handling of data across borders complies with the ASEAN Framework on Personal Data Protection.

Through the RPS, businesses will get access to a safe test environment though which they can provide services without breaking data privacy rules or facing regulatory sanctions.

The GSMA said this is a necessary pre-condition for innovative projects to become a reality, ranging from using the internet of things (IoT) to track cross-border services to developing loyalty programmes and applications that take advantage of cloud and 5G services.

“This is a clear signal to the rest of the world that ASEAN is open to innovation,” said Emanuela Lecchi, head of public policy at GSMA Asia-Pacific. “By promoting cross-border data flows, the region is set to accelerate economic activity and drive the development of new technologies, platforms, services and infrastructure. This is the culmination of two years of successful collaboration at the ASEAN level, supported by the GSMA.”

Christian Wulff Søndergaard, senior vice-president and head of public and regulatory affairs at Telenor Group, said the RPS will empower businesses to experiment with innovative products and services within a managed environment.

“We believe this initiative will help to build trust with all stakeholders involved, including companies, for governments and, most importantly, for consumers,” he said.

The RPS is part of recent efforts to promote cross-border data flows across ASEAN. It was given the green light at the 19th ASEAN Telecommunications and Information Technology Ministers Meeting, held in Laotian capital Vientiane in October 2019. 

In ASEAN, the requirements around the use of personal data vary from country to country. Some jurisdictions provide a range of mechanisms to transfer personal data legally, while others do not.

Also, some countries may impose localisation or data sovereignty rules that could have unintended consequence that even non-personal, non-sensitive anonymised data could be kept in-country, stifling innovation.

Read more about data protection in APAC

  • Most businesses in ASEAN will be affected by Europe’s GDPR, but awareness of new rules remains low, even in countries with existing data protection laws.
  • A group of universities, certification bodies, law firms and data protection experts have formed an industry network to shore up the data protection capabilities in ASEAN.
  • Apart from some notable exceptions, there are fears that Australian organisations are still largely unprepared for Europe’s GDPR.
  • Companies and data management experts across APAC reveal how they are tackling data management challenges that have been compounded by growing cloud usage and compliance requirements.

The GSMA said the RPS will address these national differences by ensuring that the common set of data privacy principles that underpin the ASEAN framework on digital data governance can be applied to individual projects.

This way, the RPS also allows ASEAN member states to evaluate different ways to address security concerns without delaying the deployment of important projects, while giving businesses leeway to modify their services deemed unacceptable by a regulator before bringing them to market.

In October 2019, Singapore’s Personal Data Protection Commission issued advisory guidelines to help businesses and cloud suppliers stay on the right side of the law under the country’s data protection regime.

Among the guidelines, organisations should ensure their cloud suppliers transfer data only to locations with data protection regimes comparable to Singapore’s or have legal obligations to ensure comparable standards to protect the transferred data.

Read more on Data protection regulations and compliance