The lifeblood of the digital economy is data. Both personal and nonpersonal data are used for fulfilling business purposes, such as digital marketing, online purchase order fulfillment, employee management and data-driven innovations.
In fact, many digital products and services (e.g. e-commerce, payment services, online learning) have gained greater momentum during this pandemic. In the long run, Indonesia’s digital economy is expected to be a champion, as The Jakarta Post has stated that in the next five years as of 2018, or even sooner, Indonesia will become a powerhouse in the digital economy in Asia, or at least the Southeast Asia’s next digital payments battleground (the Post editorial on Nov. 29, 2018, and Kelvin Phua’s opinion in the Post on July 13, 2020).
The volume of data being transferred country by country keeps increasing. That figure is expected to be US$7.4 billion by 2021 as a result of the increased prevalence of mobile apps and cloud adoption (Techinasia, Aug. 7). Another report shows that the amount of data transfer over the internet would achieve 150,700 gigabytes (Gb) per second by 2022 (UNCTAD, Digital Economy Report 2019).
Even more, as of the pandemic hits businesses, a wake-up call to maintain business cash flows by stepping into digital transformation is inevitable, particularly for small and medium enterprises (SMEs) due to their 61 percent contribution to the national gross domestic product (Dec. 9, 2019, Cooperatives and Small and Medium Enterprises Ministry). Currently, there are approximately 65 million SMEs but only 8 percent are online.
Communications and Information Ministry has also created a program to bring 8 million SMEs online in 2020. Of course, this will exponentially increase the inflow and outflow of data transfers.
In those circumstances, it is no wonder that cross-border data flows have been gaining traction among stakeholders because data flows are a vital component of digital trade for all kind of businesses (such as online hotel reservations and e-commerce). We believe that tapping the digital economy in the region actually means facilitating cross-border data flows to meet business certainty and growth by the establishment of less restrictive requirements thereof.
From the outset, imposing requirements or restrictions in data flows should be understood to ensure that there are safeguard to accord the necessary protection for the data being transferred to effectuate a positive impact on data innovation and fostering a vibrant data ecosystem. This would mean building trust by ensuring an adequate level of protection is implemented to the transferred data amid ASEAN members states (AMS) and global stake.
As of 2019, the ASEAN Working Group on Digital Data Governance (WG-DDG) established two voluntary mechanisms offered to AMS in facilitating intra-ASEAN data flows, particularly, (1) the certification mechanism and (2) the Model Contractual Clauses (MCCs), which both are similar and has been practiced as part of the legitimate basis of data transfer mechanisms in the European Union.
The ASEAN Certification is a seal or mark accorded to an organization that has demonstrated good data protection policies and practices, including compliance with data transfer requirements (such as safeguarding subject data rights and appropriate security measures). In comparison, the MCCs are a contractualbased instrument to be included in agreements between data importers and exporters.
The MCCs spell out the responsibilities, data protection measures and other obligations for transferring and receiving data, such as how data subjects can uphold their right of erasure, access and data portability, as well as what supervisory authority to be reported when a data breach arises. SMEs can adopt the ASEAN MCCs whenever made available/endorsed by WG-DDG through its official website.
Since Indonesia is in the process of enacting its domestic legal and enforcement system of data protection (specifically data protection authority or enforcement agency), the MCCs are encouraged to be adopted as a legitimate basis for data transfer within AMS. Whenever such an enforcement agency exists, Indonesia may participate in the ASEAN Certification for data transfers.
SMEs need agile rules accommodating their growth overseas and data-driven sales. Apart from the MCCs and ASEAN certification, they can use other instruments for a data transfer basis. In a preferred order, the other instruments include the approved codes of conduct (CoC) composed by SME associations for the purpose of specifying the application of data protection rules (such as fair and transparent processing, and the exercise of rights of the data subjects), the binding corporate rules (BCR) for an intra-group data transfer agreements of an SME, and seeking guidance from relevant authorities having established free trade agreements in force (such as the Indonesia-Australia Comprehensive Economic Partnership Trade Agreement).
This article was published in The Jakarta Post with the title "Cross border data flows for SMEs within ASEAN". on Mon, September 14, 2020