Review of e-commerce legislation harmonization in the Association of Southeast Asian Nations (ASEAN) [UNCTAD/DTL/STICT/2013/1]

Status of e-commerce law harmonization in ASEAN

[ Galexia Dots ]

The Review reflects the various contributions made by the ASEAN delegates participating in the process, and examines legal developments (see table 1) in the areas of e-transactions; consumer protection; data protection and privacy; cybercrime; content regulation; domain names and dispute resolution; as well as cloud computing policy.

Electronic transactions

Overall, progress towards harmonization has been the strongest in the area of electronic transactions laws, with 9 out of 10 member countries now having relevant legislation in place. Cambodia has not yet passed electronic transaction legislation, although a draft law has been developed.

Consumer protection

Progress to date on appropriate consumer protection legislation for online transactions in the region is mixed. Six out of ten countries have legislation in place. Two countries have partial laws in place (Brunei Darussalam and Indonesia). One country has draft laws (the Lao People’s Democratic Republic) and another has yet to commence work in this area (Cambodia).

Data protection and privacy

After a long period in which no ASEAN member country had privacy legislation in place, there is now a great deal of progress and activity in ASEAN. Malaysia started the ball rolling by passing privacy legislation in 2010, followed by the Philippines and Singapore in 2012. Indonesia and Viet Nam both have partial privacy legislation in place (contained in their omnibus e-commerce laws), but it does not provide the same level of detail and coverage as full privacy legislation. Thailand has been discussing the draft general data protection legislation which will provide the data protection in government and private sectors for many years. Brunei Darussalam has just begun discussing privacy legislation, and is watching developments in Malaysia, Philippines and Singapore closely. Cambodia, the Lao People’s Democratic Republic and Myanmar have not yet begun significant work in this area.


Cybercrime is one area where ASEAN has made excellent progress towards harmonization, with 8 out of 10 members already having enacted legislation. The laws are generally aligned with the international model contained in the Council of Europe Convention on Cybercrime. Cambodia and the Lao People’s Democratic Republic do not yet have any cybercrime laws, and may need to catch up quickly.

Content regulation

Content regulation is characterized by great diversity within the region. Although 7 out of 10 countries have some form of content regulation in place, the regulatory approaches and the subject matters that can be covered by the regulations vary widely. Two countries (Cambodia and the Lao People’s Democratic Republic) have not yet implemented content regulation and Thailand only has partial regulation in place.

Domain names and dispute resolution

Domain-name regulation is fairly harmonized in the region, with eight out of ten countries having similar regulations for the registration of domain names, and most countries following the international standard for resolving domain-name disputes. Some of the regulations are very recent, with Brunei Darussalam and Malaysia recently reforming their domain-name regulations. However, Thailand still relies on existing trade marks legislation to manage domain names, and the Lao People’s Democratic Republic has yet to implement domain-name regulation.

Cloud computing policy

Cloud computing is a recent development and the majority of ASEAN member States have not adopted yet specific policies for cloud services. However, there are two exceptions. Singapore has provided a range of policy, investment and tax initiatives to facilitate the adoption of cloud services in the country. Meanwhile, Indonesia has recently passed regulations that require some cloud service providers to register their business activities in Indonesia, and if they deal with public sector information they must meet additional regulatory and administrative requirements. This includes requirements to locate data centres and back-ups in Indonesia, and requirements to hire local staff. These contrasting approaches show that ASEAN faces some challenges in developing harmonized policies and regulations to enable cloud computing.