With digitisation accelerated by the COVID-19 pandemic, data collection is now a default part of our daily lives and the regulation of data use has become central to the right to privacy. In the past decade, personal data protection (PDP) has emerged as a new and urgent field of legislation across the world. In the Asia-Pacific, countries like Japan, Malaysia, South Korea and the Philippines were the first to frame PDP legislation, followed by China and Thailand. The past two years have witnessed rapid developments with Vietnam, Indonesia, India, Pakistan, Sri Lanka and Bangladesh drafting comprehensive PDP frameworks for the very first time. Whether these legislative developments are actually serving their citizens’ right to privacy and democratic values, however, remains an open question.
Responding to the new PDP acts in Bangladesh and Nepal, Sara Pacia, senior communications manager at EngageMedia, an APC member in Indonesia, warns of “a trend of using digital tools and laws to infringe on human rights.” Supported by the findings in EngageMedia’s recent report on digital rights in six South and Southeast Asian countries, she argues that countries “continue to pit the prioritisation of national security against upholding civil liberties.”
This emerging trend was also the focus of a vibrant discussion at a recent APrIGF session called “To protect or harm?: What the tensions between privacy and civic freedoms in personal data protection laws mean for civil society”, where examples from across the Asia-Pacific region pointed to strategic and selective use of PDP laws to curb public access to information and enable mass surveillance and misuse of personal data by authoritarian governments and corporate entities alike.
Media, dissent and accountability
Press freedom, freedom of expression and the public's right to information (RTI) are interlinked mechanisms for the functioning of democracy. They are crucial for transparency in governance, prevention of corruption and the creation of democratic space for dissent and active public participation. Experiences in the Asia-Pacific show that PDP laws are but the latest weapon in the arsenal of authoritarian governments to attack these fundamental rights.
The most blatant misuse of PDP law can be seen in countries where it is used to clamp down on independent media and press freedom. In the Philippines, on 2 August 2023, radio reporter Jose Rizal Pajares was detained by Iriga city police who claimed that the act of scanning police blotters for news stories was a violation of the Data Privacy Act, 2012. Pajares was released days later on a 10,000-peso bail. In Bangladesh, the Digital Security Act is used to curtail dissent on social media in particular, with over 800 people arrested in just two years, including doctors, students, journalists and others. This is also happening in Sri Lanka, where the International Covenant on Civil and Political Rights (ICCPR) Act and the Computer Crimes Act have enabled arbitrary citizen arrests, including that of YouTuber Sepal Amarasinghe this year and the five-month detention of Ramzy Razeek in 2020.
Less apparent but no less damaging is the use of PDP law to override the right to information. Maristela Miranda, senior associate at LIGHTS Institute in the Philippines, spoke at APrIGF of the long-drawn battle for public access to former president Rodrigo Duterte’s SALN (statement of assets, liabilities and net worth) and the manner in which data privacy laws are being used to enable corruption in the Philippines.
Similarly, the new Digital Personal Data Protection (DPDP) Act, 2023 in India amends the existing RTI law to enable retention of “personal information” by the government, including data related to assets and services. According to Jenny Sulfath, manager at APC member Digital Empowerment Foundation, “The RTI Act gives people immense power to inspect public data. The National Rural Employment Guarantee Act (NREGA) website, for example, shows the number of days people are employed by the scheme, and the names of people who received benefits through schemes like PM Awaz Yojna are publicly displayed. This is an accountability mechanism won through civil society movements to check corruption and nepotism.” The use of vague language in the PDP law now allows for a convenient lack of clarity on what will take place when it is in conflict with the RTI Act.
Inconsistent implementation helps tyranny
PDP laws often come down heavily on civil society organisations (CSOs), but they are rarely used to regulate government activity itself. As noted at APrIGF by Maristela as well as Ferdhi Fachrudin Putra of Combine Resource Institution (CRI) in Indonesia, the categorisation of CSOs as data fiduciaries – entities that process volumes of public data – is being strategically used in the Philippines and Indonesia to raise the financial and bureaucratic burden on non-profits that work in public interest. Disproportionately high penalties for non-compliance, lack of sufficient legal training, mandates for massive documentation and the appointment of a data protection officer are becoming increasingly common aspects of PDP legislation.
Sulfath adds that India, with a data privacy law passed just last month, is not far behind. “Organisations like ours process beneficiary data since we deliver several entitlement services. Sometimes we also do surveys to understand the success or failure of the implementation of a government program, which involves even interviewing people, for whom the collected data may be unfavourable. This data is collected in the public interest for more public accountability. Whether the rules that apply to big techs also apply to us is unclear.”
In fact, rather than protect the interests of public-spirited CSOs, India’s DPDP Act provides convenient loopholes for the private sector, including exemption of start-up data fiduciaries from select provisions. Exemptions are also provided for companies that process data of loan defaulters. As digitisation researcher Srinivas Kodali wrote recently, “This will lead to the creation of loan defaulter databases that will be used for the further economic exclusion of marginalised people in India.”
PDP laws are often inconsistently implemented specifically to provide immunity for government and corporate activity. Jam Jacob at the Foundation for Media Alternatives, an APC member in the Philippines, says, “This was evident when law enforcement authorities engaged in illegal profiling activities against lawyers, teachers, government employees and other individuals they had branded as supportive of terrorist groups. The most that the DP authority did was to remind law enforcement about the need to comply with the law. It did not carry out any investigation, let alone hold parties administratively accountable!”
In this maiden issue, privacy and data protection issues surfaced or highlighted by the ongoing COVID-19 pandemic take center stage.
Read more and download the copy here: https://t.co/p1jtzJpgYY#PushPrivacyForward #DataRightsAreHumanRights— FMA (@FMA_PH) July 19, 2021
In Indonesia, the PeduliLindungi app was used during the COVID pandemic to link public facilities and services with one’s vaccination status, seriously limiting access for immunocompromised individuals. In Bangladesh as well, the pandemic exacerbated unchecked mass surveillance by the government. Mandatory registration on the Movement Pass app from April to July 2021 led to widespread collection of personal data as well as disproportionate detentions, punishments and fines on uninformed citizens, including those without access to smartphones and internet services. Provisions in the country’s upcoming DP Act 2023 that provide immunity for law enforcement and national security agencies further enable such misuse. In the aftermath of the February 2021 coup, Myanmar experienced similar misuse, while the unchecked sharing of personal data over Telegram enabled fatal doxing campaigns against citizens and businesses with an anti-military stance.
Data collection needs to come under much heavier public scrutiny, especially in countries where policy consultations rarely include the public and fail to provide effective recourse for affected communities. Lack of sufficient anti-surveillance legislation in such cases leaves the personal data of millions of citizens vulnerable to third-party misuse, as witnessed in Indonesia where 35 cases of data leak occurred in the first six months of 2023 alone. “Only those with adequate resources are able to assert their rights,” says Jacob, “and others are left with no other recourse but to rely on their own abilities or simply choose to be resigned to their fate.”
Cross-border transfers and data localisation
Data localisation and cross-border data flows are also significant issues swept up by PDP laws in the region. When the European Union formulated the General Data Protection Regulation (GDPR) in 2016, it introduced “data protection by design and by default” whereby systems were intended to keep data private unless authorised otherwise by users or overruled by public interest. Pressure from Big Tech and global North nations has led to several countries amending this aspect of PDP law. Both US and UK envoys in Bangladesh, for instance, announced that the provisions for strict data localisation in the upcoming DP Act could force foreign companies to leave the market, affecting the business of over 2,000 start-ups. It was similar opposition to India’s DP Bill in 2022 that led to withdrawal of the draft and replacement of provisions in the Act, switching the default to allow for cross-border data transfer unless specified otherwise.
On the flip side, there is also a danger that insistence on strict data localisation might be motivated by the authoritarian interests of ruling government regimes. In Pakistan, the draft Personal Data Protection Bill (PDPB), 2023, raises concerns that provisions mandating local data storage might enable government censoring of dissent on social media platforms and access to user data for the creation of psychological voter profiles. As seen with the 2016 presidential campaigns in the US and Hungarian political party Fidesz’s data-driven campaigning during the 2022 elections, this can have serious consequences for electoral democracy.
In a 2022 study of PDP laws in India and South Korea, Evan Feigenbaum and Michael Nelson note that it is “difficult to distinguish between measures designed for protection and those designed for control”. They argue that attempts by countries in the Asia-Pacific to counter Western domination of the market further complicate the matter, as “reverse discrimination” to boost domestic companies might be an additional motivation of governments.
At the APrIGF session, Deborah Christine, project manager at Tifa Foundation, referred to PDP laws in the Asia-Pacific as a “Brussels effect” of the GDPR. Considered a global standard, the GDPR is itself an example of how PDP laws can be severely misused to curb civic freedoms. In Hungary, a manufacturing giant won cases against both Forbes and Magyar Narancs, an independent weekly, thereby setting a dangerous precedent of limiting press freedoms in the name of privacy. In Greece, the PDP law was used in 2017 against journalist Stavroula Poulimeni for reporting on environmental damage caused by a gold mining company, while in Romania, the first GDPR case was filed against journalists for media reports on a corruption scandal.
Regional experiences in the Asia-Pacific must therefore be placed in a larger context. Concerns emerging from these countries raise troubling questions about the overarching global framework on personal data protection and the interests it ultimately serves.
Image: Surveillance by Aaron Guy Leroux via Flickr (CC BY-NC-ND 2.0)