The Metaverse and the Importance of Personal Data Protection in Southeast Asia

Like many countries across the globe, Southeast Asian countries have been embracing the idea of creating alternate realities in the ‘metaverse’. The concept, envisaged as a seamless network of artificial virtual worlds, had been the stuff of science-fiction but has been gaining mainstream popularity since Mark Zuckerberg announced in October 2021 his decision to rebrand Facebook to Meta and bring the concept to reality. 

Seeing the vast commercial potential, property players in Singapore and Thailand have recently adopted metaverse virtual reality technology to improve the user experience in buying or selling virtual assets. 

Governments have also been welcoming the concept. The metaverse is set to contribute a vital role in the Thailand 4.0 programme, which seeks to bring about a digital and tech-driven value-based economy. 

Meanwhile, in Indonesia, the metaverse is being massively developed through a strategic partnership with WIR Group for Jakarta’s Smart City and a virtual-based consultative platform (Kovi Otda) for the regional economy. The Indonesian government also plans to unveil Indonesia’s metaverse ecosystem at the upcoming G20 Summit in November.

Given that 70 per cent of the population residing in ASEAN member states now have internet access, embracing this digital-led innovation makes sense. 

In the future, metaverse technology may invigorate people-centric governance through a technology-mediated relationship between the government and its citizens in the metaverse. For example, public services can be made more accessible and convenient through the metaverse. As for the business sector, the metaverse holds enormous opportunities and potential to enrich the consumer experience and introduce virtual products and services.

According to the latest report by Estonia’s National Cyber Security Index (NCSI), ASEAN member states scored an average score of 44.02 out of 100 in the overall index rating. In particular, the index found a glaring gap in the indicator of ‘protection of personal data,’ where five out of ten countries still had low ratings …

Earlier this year, a survey by a consumer profiling platform, Milieu, reflected Southeast Asia’s excitement about embracing the metaverse. The survey polled 6,000 respondents from six ASEAN member states, namely Malaysia, the Philippines, Thailand, Indonesia, Singapore, and Vietnam, and showed that most respondents (72 per cent) welcomed using the metaverse in their daily interactions. 

However, the survey also revealed that most respondents (60 per cent) were concerned about data security and privacy when using the metaverse. Malaysia ranked at the top (70 per cent), followed by Singapore and Indonesia (63 per cent respectively), the Philippines (60 per cent), Thailand (55 per cent), and Vietnam (47 per cent). 

This survey result is not surprising since data privacy has become a long-standing concern regarding Southeast Asia’s cyberspace. 

According to the latest report by Estonia’s National Cyber Security Index (NCSI), ASEAN member states scored an average score of 44.02 out of 100 in the overall index rating. In particular, the index found a glaring gap in the indicator of ‘protection of personal data,’ where five out of ten countries still had low ratings, indicating an uneven development of personal data protection legislation and regulatory authority among the ten ASEAN member states. These countries include Indonesia (scoring 25 on the index), while Vietnam, Laos, Cambodia, and Myanmar all scored zero on the index. 

Though Malaysia had the highest overall index rating among Southeast Asian countries (scoring 79.22 out of 100 overall and a perfect 100 out of 100 on the indicator of ‘protection of personal data’), cybercrimes still threaten Malaysian citizens’ data. The most striking case was the alleged data trade of the details of four million Malaysians from myIDENTITY in 2021. Singapore, which ranked second to Malaysia (scoring 71.43 on the overall index and 100 on the indicator of ‘protection of personal data’), is also threatened by data leaks, including a data trade of the details of 400,000 Singaporean Fullerton Health customers in 2021. 

The situation is more alarming in Indonesia, the country with the highest rank for internet penetration (91 per cent) in Southeast Asia. Its overall index score was 38.96 and 25 for the indicator for protection of personal data. Citizens’ data owned by the government agencies at the national to local level remains prone to leaks, even commercialised publicly. One of the most severe data breach incidents in 2021 includes the data leaked from the Social Insurance Administration Organisation (BPJS) database consisting of the personal data of 279 Indonesians which was allegedly sold online. At the same time, two cases at the local level were highlighted by SAFENet, such as the leaking of the personal data of 815 teachers in Tangerang District and that of more than 1,000 athletes on the Riau Provincial Youth and Sports Office. 

It should be noted that without the presence of personal data protection laws, there would be no explicit guidelines for law enforcement agencies to prosecute the illegal use of citizens’ data. 

Although the ASEAN member states already adopted the ASEAN Framework on Personal Data Protection in 2016, most ASEAN member states remain less committed to implementing the guidelines. Only a few have implemented data privacy laws, including the Philippines, Malaysia, Singapore, and Thailand, while Indonesia is still grappling with enacting the draft Bill on the Protection of Private Personal Data, and Vietnam still has no comprehensive data privacy regulation. 

As the metaverse is likely to continue to take shape in Southeast Asia’s public and business sectors, implementing the ASEAN Digital Masterplan 2025 would be a pathway to devise more harmonised principle-based data protection and privacy regulations and frameworks. But the implementation also requires tangible actions and solemn commitments to fulfil the Masterplan’s “Desired Outcome 3” (DO3) on delivering trusted digital services and preventing consumer harm.

Amidst all the enthusiasm for the metaverse in the region, authorities and other stakeholders should urgently prioritise cyber resiliency and the protection of citizens’ data as prerequisites before jumping on the bandwagon of any digital-led innovation. 

2022/184