ASEAN regulatory sandbox will promote cross-border data flows

Global mobile industry group GSM Association (GSMA) has called for businesses to provide details of digital services and applications that require the transfer of personal data across two or more ASEAN countries under a new regulatory sandbox initiative.

Called the Regulatory Pilot Space (RPS), the initiative was conceived to drive the region’s digital economy by giving businesses certainty that the handling of data across borders complies with the ASEAN Framework on Personal Data Protection.

Through the RPS, businesses will get access to a safe test environment though which they can provide services without breaking data privacy rules or facing regulatory sanctions.

The GSMA said this is a necessary pre-condition for innovative projects to become a reality, ranging from using the internet of things (IoT) to track cross-border services to developing loyalty programmes and applications that take advantage of cloud and 5G services.

“This is a clear signal to the rest of the world that ASEAN is open to innovation,” said Emanuela Lecchi, head of public policy at GSMA Asia-Pacific. “By promoting cross-border data flows, the region is set to accelerate economic activity and drive the development of new technologies, platforms, services and infrastructure. This is the culmination of two years of successful collaboration at the ASEAN level, supported by the GSMA.”

Christian Wulff Søndergaard, senior vice-president and head of public and regulatory affairs at Telenor Group, said the RPS will empower businesses to experiment with innovative products and services within a managed environment.

“We believe this initiative will help to build trust with all stakeholders involved, including companies, for governments and, most importantly, for consumers,” he said.

The RPS is part of recent efforts to promote cross-border data flows across ASEAN. It was given the green light at the 19th ASEAN Telecommunications and Information Technology Ministers Meeting, held in Laotian capital Vientiane in October 2019. 

In ASEAN, the requirements around the use of personal data vary from country to country. Some jurisdictions provide a range of mechanisms to transfer personal data legally, while others do not.

Also, some countries may impose localisation or data sovereignty rules that could have unintended consequence that even non-personal, non-sensitive anonymised data could be kept in-country, stifling innovation.

The GSMA said the RPS will address these national differences by ensuring that the common set of data privacy principles that underpin the ASEAN framework on digital data governance can be applied to individual projects.

This way, the RPS also allows ASEAN member states to evaluate different ways to address security concerns without delaying the deployment of important projects, while giving businesses leeway to modify their services deemed unacceptable by a regulator before bringing them to market.

In October 2019, Singapore’s Personal Data Protection Commission issued advisory guidelines to help businesses and cloud suppliers stay on the right side of the law under the country’s data protection regime.

Among the guidelines, organisations should ensure their cloud suppliers transfer data only to locations with data protection regimes comparable to Singapore’s or have legal obligations to ensure comparable standards to protect the transferred data.