MoFo PE Briefing Room
Southeast Asia is developing its own rich ecosystem of ecommerce marketplaces, fintech service providers, ride-sharing companies and gig-economy platforms similar to, but distinct from, the global platforms that dominate North America and Europe.
The collection, collation and processing of personal data is fundamental to the operation and success of these businesses. In addition to their immediate use in individual transactions, customer datasets can provide keen market insights to help a business develop new products, identify third party synergies and focus marketing efforts. Indeed, while technological innovation remains important, for many companies in this sector, customer databases are the most valuable asset on the balance sheet and the size, quality, currency and transferability of data assets are increasingly the focus of interest (and careful diligence) by PE investors and potential acquirers when assessing value and growth potential.
However, amassing and deploying large databases of personal data can be a double-edged sword. The collection, processing, retention, protection and sharing of personal data are regulated in many Southeast Asian jurisdictions, under regimes that are inconsistent, often idiosyncratic and, in many cases, rapidly evolving. This can give rise to serious potential pitfalls for companies and investors who do not proactively consider and manage compliance-related risks.
The increase in the perceived value of personal data has been matched by an intensified effort to regulate data collection and processing in Southeast Asian jurisdictions. In the last seven years, Singapore, Malaysia, Thailand, and the Philippines have all introduced new data privacy regimes or updated existing regulations. Indonesia is expected to enact a new data protection law this year and India has taken steps toward imposing a national statutory data protection law in the near future.
The net effect is a patchwork of different data regulatory regimes across Southeast Asia. Some countries have enacted broadly-drafted laws with much of the important detail left to interpretation by the regulator under policies that can be difficult for businesses to determine. Other jurisdictions (such as Singapore) have implemented very detailed rules, which, while admirably thorough, require businesses to be aware of and comply with rather idiosyncratic local processes. Moreover, the substantive prescriptions and restrictions imposed on data users vary widely from jurisdiction to jurisdiction, particularly in important areas such as:
This is compounded by the extra-territorial reach of the EU’s General Data Protection Regulation (“GDPR”), which can apply to Southeast Asian companies that interact with customers in Europe.
This absence of harmonization can be a challenge for businesses operating across multiple jurisdictions in the region. In the interests of efficiency and consistency, many companies try to identify the operating jurisdiction with the strictest regulations and apply that “high water mark” across all of their local operations. Similarly, some PE investors will use GDPR compliance as the benchmark in their diligence exercises. However, for data-driven businesses, the sheer diversity of data protection regimes in the region makes this a poor substitute for working with specialist counsel to properly understand the requirements and restrictions applicable in each key jurisdiction in which the business operates.
A specialist review can identify material issues with the current or proposed operations of a target business that arise from local requirements that may differ in substance or process from the chosen “high water mark”. Examples include a need to obtain express consents from customers in order to transfer databases in a restructuring, or a need to adapt the business’s back-office arrangements to address the sector-specific data localization requirements that are starting to emerge in countries such as Indonesia, Malaysia and India.
The infrastructure and manpower costs of achieving regulatory compliance when operating a platform across multiple jurisdictions can be substantial. Given the relatively light policing and minor penalties imposed by many Southeast Asian jurisdictions, some early-stage, data-driven platforms have taken the view that it is cheaper to ask for forgiveness than to foot the costs of compliance. However, this is a false economy. It merely stores up the problem for the future, where the costs and difficulty of rectification are likely to outstrip the growth of the business. A database of millions of customers may be effectively worth nothing if its contents have not been acquired lawfully or if the business has not obtained the consents necessary to use or transfer that data in accordance with its business plans. Moreover, a platform’s hard-earned goodwill and reputation might easily be destroyed by a single data breach (see below).
Given the rapidly evolving nature of data privacy regimes in the region, operations that were compliant when the business launched may no longer be so. PE investors should assess whether the business is reliant on a stale understanding of data privacy rules or has continued to evolve its compliance and risk management arrangements to address developments in the regulatory regimes in which it operates as well as changes to its business operations.
Data breaches are becoming a fact of life for many companies. In addition to the operational fallout arising from any data breach, many jurisdictions are now imposing mandatory breach-reporting obligations. A data-driven business with operations in more than one jurisdiction may find itself required to report a breach to multiple regulators. The lack of harmonization between Southeast Asian jurisdictions on key matters such as materiality thresholds, processes and report forms can make it difficult for an unprepared business to ensure compliance, particularly in the light of the very short prescribed statutory notification deadlines.
Many jurisdictions in the region regulate transfers of personal data between affiliated entities in exactly the same manner as arm’s length transfers. This may result in a need to obtain express consents from, or give notices to, customers in order to transfer databases in a restructuring. Response rates from consumers to requests for consents are often very low, and this may have a material adverse impact on the size (and hence value) of the database in the hands of the transferee. An initial review of any restructuring proposals may catch such issues early and afford the parties time to consider alternative, more benign, structures.