Review of e-commerce legislation harmonization in the Association of Southeast Asian Nations (ASEAN) [UNCTAD/DTL/STICT/2013/1]
Issues examined in the Review
- Electronic transactions
- Consumer protection
- Data protection and privacy
- Content regulation
- Domain names and dispute resolution
- Cloud computing policy
- Other issues
As a result of the surveys and the workshop, a number of issues emerged as being of particular importance for the harmonization of e-commerce laws in ASEAN. Member-country representatives generally agreed on the priority legal areas and technology drivers in the region as detailed in the following paragraphs.
Electronic transactions laws facilitate e-commerce by providing legal certainty for the recognition of electronic communications, electronic records and electronic signatures. Many jurisdictions divide the laws into separate instruments – for example a broad e-commerce law may be accompanied by specific regulations on electronic signatures.
Electronic transactions laws are often influenced by international agreements such as the UNCITRAL Model Law on Electronic Commerce (1996) which has been followed by around 50 jurisdictions, the UNCITRAL Model Law on Electronic Signatures (2001), which has been followed by around 20 jurisdictions and the United Nations Convention on the Use of Electronic Communications in International Contracts (2005) (which has been signed by 18 States).
ASEAN has already made good progress towards harmonization of basic electronic transactions laws, based on international reference frameworks.
In ASEAN, all member countries already use either one or both of the model laws as a basis for local laws (either implemented or draft). However, there are some variations, sometimes significant, in the text of each law as well as in their interpretation by the courts.
For example, UNCITRAL maintains a database of legal decisions, including those relevant to electronic commerce laws – the Case Law on UNCITRAL Texts (CLOUT).2 This database reveals that there have been a number of relevant decisions in the Philippines and Singapore. However, the Philippines case is a good example of a country making a small divergence from the international model laws.
The more recent Convention on the Use of Electronic Communications in International Contracts (2005) entered into force on 1 March 2013, and it may present an even better opportunity for harmonization in the region. There are 18 signatories to date and more States are planning to become a party. One of the stated goals of the Convention is to reinforce legal uniformity – this is the most relevant goal for ASEAN. In fact, by adopting the Convention, States ensure uniformity for a set of core legal provisions enabling cross-border electronic commerce. To date, Singapore has ratified the Convention, the Philippines has signed it, and several other ASEAN member countries have expressed an interest in adopting it in the near future.
Consumer protection involves government regulation of transactions between consumers and businesses. It protects the interests of consumers by imposing minimum obligations on businesses and providing
redress in situations where consumers suffer harm. Consumer law covers a range of topics, including product liability, unfair business practices, fraud and misrepresentation.
Consumer protection was highlighted in the surveys and in the Cebu workshop as a key priority. While some member countries have a specific consumer protection law for online commerce, others do not. In the latter case, there is potential for consumer protection issues to be covered through laws in areas such as unfair contract terms and competition laws. Two ASEAN members, Viet Nam and the Philippines, are also members of the International Consumer Protection and Enforcement Network.3
In this Review, both types of consumer protection laws are covered briefly in each country chapter. At this stage there is no general guidance for online consumer protection in ASEAN, although there is an active Consumer Protection Committee that looks at these issues.
Data protection and privacy
Privacy may be defined as the claim of individuals to determine when, how and to what extent information about them is communicated to others. It relates to the right of individuals to control what happens with their personal information. Privacy laws are also known as, or supplemented by, data protection laws.
The issue is particularly challenging in ASEAN. Concerns are arising about what commercial companies do with consumers’ personal data. Information ownership, information rights control and security are at the heart of these concerns. Many countries have established constitutional rights to privacy and this is often embedded in various sectoral laws, but comprehensive privacy legislation in the region is rare. A difficult balance has to be made between data sharing and data privacy. There is also a need for guidance on baseline issues with regard to identification.
Box 3. MCC Industrial Sales Corp. v. Ssangyong Corporation
The case is MCC Industrial Sales Corp. v. Ssangyong Corporation , Philippines Supreme Court, Special Third Division, 17 October 2007. The Court found that the Philippines electronic commerce legislation did not include coverage of fax messages because the legislation had used the words “electronic data message” rather than the term “data message” that is used in the UNCITRAL Model Law on Electronic Commerce. The Philippines law had also removed any reference to example technologies, such as “electronic data interchange, telegram, telex or telecopy” that are included in the Model Law. The Supreme Court therefore presumed that these changes were a deliberate attempt to restrict the electronic commerce legislation to purely electronic messages such as e-mail. Whether this is the case or not remains unclear, as many governments have chosen to remove technology-specific words from their legislation, but the slight divergence in language had a significant impact in the case. It is a good example of the need for harmonization based on international best-practice models.
Source: UNCTAD, UNCITRAL.
In some ASEAN countries which see IT-enabled services as a promising growth sector, such as call centres in the Philippines, data protection laws are also necessary to comply with foreign requirements relating to work involving data processing.
Questions also arise related to whether a special law is needed on cloud computing under data privacy and data protection. ASEAN member countries are also seeking clear guidelines on the most appropriate locations for the data and the pros and cons of regulation versus non-regulation.
In this Review, privacy and data protection laws are covered briefly in each country chapter. There is currently no general guidance on privacy laws in ASEAN.
Finding an international reference framework for privacy and data protection is somewhat more complex than for e-transactions or cybercrime. Three key frameworks are the OECD Privacy Guidelines,4 the European Union Data Protection Directive5 and the APEC Privacy Framework.6 All three have had an influence in the region, although to date only three ASEAN member countries have passed comprehensive privacy laws (two countries have partial privacy laws and two more countries have draft privacy laws).
Cybercrime refers to criminal activities committed by means of computers and the Internet, such as hacking and the distribution of viruses. Cybercrime laws represent an upgrade from basic criminal law and even basic computer crime laws, as they are designed to address criminal behaviour and security issues in online commerce.
As cybercrime covers a wide scope of activities, the focus of this Review is on commercial aspects of cybercrime rather than on terrorism and other focuses of criminal activity. Each country chapter includes a brief discussion of local cybercrime laws.
The key international reference framework for cybercrime is the Council of Europe Convention on Cybercrime. This is open to ratification by non-European states, and to date the United States, Japan and Australia have all ratified the Convention.
No ASEAN member country has yet joined it but the majority of national laws include the same basic offence provisions as those that appear in the Convention.
The Commonwealth has also developed a Model Law on Computer and Computer Related Crime.7 This provides a template for countries wishing to adopt best practice in their cybercrime laws, and also incorporates the key elements of the Council of Europe’s Convention on Cybercrime. This has some influence as three ASEAN member countries are also members of the Commonwealth (Brunei Darussalam, Malaysia and Singapore).
Online content regulation refers to any type of regulation by governments or regulatory authorities directed at controlling access to information over the Internet based on its subject matter; and/or controlling, or attempting to control, access to Internet sites based on subject matter. Many jurisdictions manage Internet content through a mixture of legislation and other regulatory tools (such as codes of conduct or licensing requirements for ISPs).
Online content regulation has not always been considered a priority in ASEAN, and member countries have been left to make their own decisions about the appropriate regulation of online content. However, businesses operating in the region have expressed some concerns about having to operate within multiple content regulatory frameworks, some of which they view as burdensome, such as requirements to redesign complex networks to implement filtering systems to control user access to illegal content, from child sexual abuse images to copyright infringing material. This Review includes a brief summary of local content regulation in each country.
Domain names and dispute resolution
A domain name is the unique name (corresponding to an IP address) that identifies and locates an Internet address (such as a website). Domain-name regulation refers to standards and requirements for the obtaining of Internet names and addresses. This usually involves the establishment of an online dispute resolution service for managing domain-name disputes, or an agreement with an international dispute-resolution service.
Domain-name regulation has become more settled at the international level, with most countries adopting standard domain-name registration policies complemented by a requirement for disputes to be resolved using the Uniform Domain-Name Dispute-Resolution Policy (UDRP).8 In ASEAN, most member countries have adopted this approach, and the relevant laws and regulations are discussed in each country chapter. Two countries are still working to develop appropriate domain-name regulation.
Cloud computing policy
Cloud computing is the provision of a mix of software enabled services and resources that can be delivered to users over the Internet. Services are in principle available worldwide and on demand, backed up by shared resources including networks, servers, storage and applications. Some Government and industry bodies have begun to develop frameworks, standards and regulations to facilitate the development of cloud computing, while providing protection in key areas such as security, privacy and intellectual property protection.
While there is a broad range of laws and regulations that are relevant to cloud services, but there is no specific stand-alone section on cloud computing in the country chapters. Where countries have initiatives that are designed to have a specific impact on cloud services (e.g., Indonesia and Singapore), these are noted.
Several ASEAN member countries are keen to embrace the opportunities provided by cloud computing, and are developing their laws, regulations and policies in a way which will facilitate cloud services. However, some countries also see cloud services as a potential threat to security and to the sovereign control of vital information. Cloud services can be seen as a threat to local businesses as the majority of current cloud service providers are multinational companies based typically outside ASEAN.
Cloud computing is still a relatively new phenomenon and there is not yet a consensus in ASEAN on how to address these issues. However, it will be important for jurisdictions to find a balance between protecting the interests of users and harnessing the potential for cloud computing through appropriate policy settings.
ASEAN member countries have expressed strong interest in developing a better understanding of the pros and cons of cloud computing, and how to apply and regulate it within e-government and the public sector. Issues of data protection, privacy and security are closely interlinked with the implementation of cloud-based solutions.
Member countries are asking whether there is a need for special laws or regulations on cloud services. The technology could be handled either by establishing cloud-computing-specific laws or by integrating cloud-based services into existing laws.
Several other issues were identified during the project that could be the subject of future work in ASEAN. These include:
- E-payment regulation: Effective e-payment is crucial to promoting e-commerce in the ASEAN region. Some country representatives have expressed security concerns with regard to e-payment. Public key infrastructure (PKI) has reportedly not delivered the promised ultimate solution to resolve security and identification issues. To date, there is no general guidance on e-payment issues in ASEAN. E-payment regulations have not been the subject of detailed study in this current Review – this may become a future work item for the ASEAN/UNCTAD project, especially in relation to cross-border issues.
- E-government: While there is a strong trend among ASEAN countries to improve e-government services, their implementation poses many questions and challenges. ASEAN governments face challenges such as how to implement e-government initiatives with limited resources, finances and capabilities. Member countries expressed a need for guidance on such issues including for trusted online identification services. In this Review, e-government is covered briefly in each country report under the general heading of electronic transactions laws, and it is noted where particular countries have specific laws on e-government (i.e., Indonesia and Malaysia).
 OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (1980), http://www.oecd.org/internet/interneteconomy/oecdguidelinesontheprotectionofprivacyandtransborderflowsofpersonaldata.htm.
 Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (1995), http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:31995L0046:en:NOT
 APEC Privacy Framework (2005): http://www.apec.org/Groups/Committee-on-Trade-and-Investment/~/media/Files/Groups/ECSG/05_ecsg_privacyframewk.ashx.
 Commonwealth secretariat, Model Law on Computer and Computer Related Crime (2002), http://www.thecommonwealth.org/shared_asp_files/uploadedfiles/%7BDA109CD2-5204-4FAB-AA77-86970A639B05%7D_Computer%20Crime.pdf.