Ever since the Cambridge Analytica-Facebook incident, the world has become more aware of the potential pitfalls of a highly digitalised economy. Data is the new oil of the modern-day economy and the need to safeguard this new resource has become paramount in recent times. As such, governments across regions have started re-evaluating their existing data privacy regulatory frameworks and drafting new ones to accommodate emerging trends. The governments in the Southeast Asian (SEA) region are also drafting regulations and policies that can ensure the protection and privacy of citizens’ data as platforms of internet giants like Twitter, Facebook and Google become an important part of their lives. Some countries are even looking at policies to levy a tax on digital service providers to ensure a level playing field between digital and non-digital players.

Data protection regulations in SEA

SEA countries are gradually catching up with the Western world to establish a stringent and effective regulatory and policy environment for data protection and privacy. The majority have borrowed features and directives from the European Union’s General Data Protection Regulation (GDPR) and incorporated them in their data protection regulatory framework. For instance, Malaysia is in the midst of reviewing its Personal Data Protection Act, 2010 (PDPA) in line with the GDPR. Meanwhile, the Philippines government is working towards amending its Data Privacy Act, 2012, to include rules and regulations mirroring GDPR guidelines. Singapore’s PDPA, 2012 mirrors many GDPR principles such as the requirement of customer consent for all communications regarding data collection, data processing and disclosure of data.

That said, the development of a data protection regime has not been uniform across SEA countries. Until recently, Singapore, Malaysia and the Philippines were the only countries with personal data protection laws in place. Most recently, Thailand joined the list when the country’s parliament passed the Personal Data Protection Act last year. Apart from this, Indonesia has been emphasising the need for a general data protection law and has prepared draft legislation to this end. The remaining countries in the region do not have an overarching regulatory framework for data protection. In some cases, they do have laws in specific sectors or for electronic media that regulate personal data.

Key features of data protection regulations across SEA countries

In Singapore, the PDPA, 2012 applies to all electronic and non-electronic communications that deal with data collection, processing and disclosure within the country, regardless of whether the company has an actual physical presence in the city-state or not. If a business has any of its users or customers online in Singapore, the PDPA would apply to it. In case of non-compliance, a company would be obligated to pay a penalty of up to SGD 1 million and/or face imprisonment for up to three years. Recently, in August 2019, fines totalling $117,000 were imposed on five companies for breaching data privacy laws. The biggest fine, amounting to $54,000, was imposed on Horizon Fast Ferry for failure to appoint a data protection officer, develop and implement data protection policies and practices, and put in place security arrangements for the protection of customers’ personal data.

As in Singapore, Malaysia’s PDPA applies to data that is processed within Malaysia, regardless of whether the person doing the processing is established in the country or not. As per the terms of Malaysia’s PDPA, 2013, individuals have to be notified if and when their data is being collected. Their consent is essential, and they have to be informed about the purpose for which the data is being collected. Any disclosure of personal information that is not in line with the purpose of collection is strictly prohibited. Further, businesses are mandated to keep the information secure at all times and not retain it for longer than is necessary. Individuals must be allowed access to the information collected about them. However, a loose end in Malaysia’s PDPA is that it does not mandate businesses to report incidents of data breach to authorities. This can be a cause for concern in the long term given the unprecedented rate at which cyberattacks are increasing.

Creating monetary obligation for tech giants

With the growing number of cases of data privacy breach, it seems that merely regulating the data collection practices of internet companies will not be enough. In this regard, there has been an ongoing debate around the need to tax big internet giants such as Facebook, Google and Netflix.

As part of this approach, several SEA countries have come out with regulations that lay down the monetary obligations for such digital service providers selling services to their citizens. For instance, the Philippines government has come out with the Digital Economy Taxation Bill, which seeks to better capture the value created by the digital economy and mandate tech giants like Netflix, Google, Facebook, and Lazada to pay their fair share. The bill seeks to impose a 12 per cent value added tax (VAT) on digital advertising services, subscription-based services, services rendered electronically, and transactions made on e-commerce platforms. Through this act, the government aims to generate additional revenue of around $468.39 million per year. Moreover, the bill would require suppliers of digital services, network orchestrators and e-commerce platforms to set up a representative office in the Philippines.

As per some government executives, this bill will plug loopholes and address the ambiguities in the taxation of digital services. As per government sources, Facebook and Google earned $804.79 million from advertisements that cater to and are paid for by the country’s population. However, since this earning was on the digital domain, they did not have to pay VAT or income tax. Likewise, Netflix earned $80.48 million in subscriptions from its Philippines customers, but did not have to pay VAT, whereas its on-ground competitors (local TV networks) were subjected to VAT and income tax. It is this kind of disparity and ambiguity that the bill seeks to remove. Further, the Philippines government has stated that these are not really new or additional taxes and are already being paid by other non-digital players. Thus, it is only fair that digital service providers also pay these taxes.

In June 2020, Thailand approved a draft bill requiring foreign digital service providers to pay VAT. This bill states that all non-resident companies or platforms that earn more than $57,434.59 per year by providing digital services in the country have to pay 7 per cent VAT on sales. Once this bill gets passed in Parliament, it would enable the government to earn around $95.72 million per annum through taxes on digital services.

Indonesia, too, announced plans, in May 2020, to introduce a 10 per cent VAT on digital services delivered by foreign companies. This came into effect on August 1, 2020. Under the new rules, non-resident foreign firms, which sell digital products and services in Indonesia worth at least $41,667 a year or which generate yearly traffic from at least 12,000 users, will be required to pay the 10 per cent VAT.

The way forward

There are two different schools of thought as far as regulation of large tech giants is concerned. On the one hand there are the proponents of strict regulation of digital service providers, and on the other, there are those who believe that stringent regulation of such players can potentially hamper the growth of the country’s digital economy.

Those in favour of stricter regulation and taxation for tech giants are of the view that such a practice would not only help the government safeguard the interests of its citizens, but would also enable it to tap the country’s internet economy to increase revenue. Further, they believe that this would provide a level playing field to their non-digital competitors, which have been paying certain taxes like VAT and are bound by various regulations that do not apply to digital service providers. In addition, there seems to be a general consensus globally that if a company is making money from a particular country’s citizens, then it should also pay taxes to that country’s government.

In contrast, those opposing the implementation of a stringent regulatory framework believe that this would derail the efforts of the SEA countries to build a digital economy. Likewise, taxing multinational internet giants may impact investments in the country. Further, various civil society organisations are of the view that over-regulation can potentially lead to institutionalised censorship. According to Freedom House’s 2018 Net Freedom survey, all SEA countries are either not free or partly free.

Going forward, it would be in the best interest of governments to adopt a balanced approach towards the regulation of digital service providers, which play a key role in shaping the digital economy of a country.

By Diksha Sharma