Bon Voyage, Maybe: An ASEAN Digital Vaccine Passport

In March 2021, ASEAN Economic Ministers discussed the possibility of launching a regional digital vaccine passport, reviving talk of an intra-ASEAN travel bubble. If successfully launched, the passport will help resuscitate the region’s flailing tourism industry that contributes a significant amount to the GDP of each ASEAN member state.

This border-opening idea comes with several challenges, particularly data privacy ones, that ASEAN’s institutional structures are not presently well-suited to address. Without institutional changes, this timely proposal likely will become another tombstone in the graveyard of beneficial ideas that could not survive ASEAN’s structures and principles.

The vaccine passport system is expected to store large amounts of personal data. If ASEAN is committed to successfully initiating the digital vaccine passport, it cannot ignore the longstanding absence of strong ASEAN agreements that allow for region-wide comprehensive data privacy regulation. Without this, it remains unclear if anyone can be held accountable should there be leaks of personal health data with an ASEAN digital vaccine passport. ASEAN must be transparent about the potential issues of a vaccine passport to let individuals fully understand its utility and risks before it settles on any policy. The recent uproar over data privacy concerns with Singapore’s TraceTogether app indicates that citizens are concerned about data privacy and will impose political costs if their respective governments do not take the issue seriously.

Contrast ASEAN’s absent framework with the European Union (EU). EU member states recently have agreed on a trust framework outline to ensure timely implementation of Digital Green Certificates to facilitate cross-border travel in the EU, their interoperability, and full compliance with personal data protection regulations. This framework obliges entities to determine the purposes and means of processing personal data, and to inform data owners of the access that data controllers have to their personal data. Most importantly, individuals can file lawsuits with the Court of Justice of the European Union and the General Court. 

Alternatives to an ASEAN vaccine passport have been put forward in Southeast Asia. Singapore and Malaysia have recently discussed details of a possible bilateral arrangement.

Unfortunately, under ASEAN’s present institutional arrangements, the establishment of such a framework faces severe challenges and is unlikely to be realised. Unlike the EU where the right to legislate is shared between the Union and the member states based on competencies, ASEAN’s supranational structure is solely based on the principle of member state consensus. Uncertainties like how each member state will monitor the would-be system of personal data collection and processing would likely preclude a full agreement. Addressing ASEAN’s institutional limitations before proceeding with any vaccine passport policy would be necessary to address these personal data privacy concerns. 

Alternatives to an ASEAN vaccine passport have been put forward in Southeast Asia. Singapore and Malaysia have recently discussed details of a possible bilateral arrangement. A series of such arrangements between Southeast Asian countries instead of a common regional vaccine passport might appear to sidestep ASEAN institutional barriers while reaping great regional benefits.

Yet, such an arrangement of arrangements faces different, but not less difficult, challenges. Firstly, participating Southeast Asian states would have to expend considerable effort ensuring that standards are kept constant in each new deal. Secondly, given how data protection regulations in Southeast Asia are very uneven, this arrangement might entail leaving out many regional states and likely cause regional tension. A series of bilateral agreements, if embedded within a regional framework, might well snowball into the de facto application of the controversial “ASEAN minus X” principle where only member states that are ready and welcome by the others will join the regional framework.

Through “ASEAN minus X”, it is possible to rely on members that already have detailed personal data protection legislation, such as Singapore, Malaysia, and the Philippines, to lay the foundation for an eventual ASEAN-wide agreement. However, the opposite could occur instead. Personal data protection laws are extremely thin in Cambodia, Myanmar, and Brunei, and signatory states may not wish to expend the effort to bring others aboard. This would lead to the deepening of intra-regional inequalities and strain regional unity at a crucial period of global geopolitical conflict when regional unity is sorely needed.

ASEAN institutional adjustments to create a common framework, as daunting as they presently appear, remain the best choice, as they would not only address the immediate issue of vaccine passports but other growing issues as well. ASEAN vaccine passport discussions can lead to discussions of a broader common infrastructure that governs regional data privacy. These conversations will soon become, if they are not already, necessary, given growing cybersecurity concerns and the burgeoning regional digital economy. Calls have been made for ASEAN member states to harmonise their national regulations on digital payment and fintech innovation and promote interoperability on the regional level for the regional digital economy to flourish. 

Addressing these institutional limitation questions that have been perpetually kicked down the road will allow ASEAN to tackle both contemporary and future problems, killing two birds with one stone. It remains to be seen if ASEAN will grasp this pandemic-created opportunity or let another chance go by.

2021/93