In the attempts to keep the COVID-19 pandemic under control, Southeast Asia governments introduced contact-tracing applications to help manage people’s movement and decrease the risk of infection. Their enforcement however was met with criticism and concerns over state surveillance and infringement on the right to privacy.
Understandably, this fear was attributed to the poor human rights record of countries in the region when protection of individual rights is concerned. Online internet users worried that the contact tracing apps would add on tools governments use to keep tap on social critics and human rights defenders.
In some instances, the usage of collected data went beyond the originally stated purposes. Singapore is a case in point on this issue. The government walked back on their own promise that it would only use the data for public health emergencies. In 2021, it was revealed that the government has shared the data to police forces and allowed them to use it for criminal investigations on serious offences.
In the Philippines, “StaySafePh” was classified as a surveillance unit, rather than just a contact-tracing application. This implies that government agencies that are tasked with surveillance could get hold of the data, essentially leaving open the possibility of police and armed forces utilising the data.
Meanwhile, the inadequacy of existing legal framework to safeguard the right to privacy, when combined with governments’ lack of clarity when questioned on data management, did not alleviate the situation.
In Malaysia, “MySejahtera” is owned by a private entity which is reportedly involved in high-level corruption through which it was hired by the government to develop the application. There has also been conflicting information from the government as to who owns and has access to the data that the application collects.
In Thailand, the personal data of allegedly 55 million Thai citizens was traded and sold in a black market for call centre scammers. It was later confirmed that the data was leaked from the government vaccination application ‘Morprom’.
These incidents call into question the security of data storage and government measures to protect the data. Indonesia’s data protection laws and reporting mechanisms are under-equipped. No specific entity is assigned to oversee data security. Exemptions from liability were made for public authorities who assess or use the collected data for public safety and national security. These were the case for Malaysia and Thailand. In Singapore, there is no law that specifies the time limit in which data can be stored.
This lack of a strong privacy framework has afforded governments to ignore measures necessary to keep data secured. Moreover, it can also set governments at ease to misuse the data, knowing that legal consequences would be limited.
While we are moving on to the post-pandemic world, and contact-tracing applications are now a thing of the past, one should not assume the concerns over the right to privacy have become obsolete, as it remains unclear what kind of data governments have at their disposal.