During the grilling of Facebook co-founder and CEO Mark Zuckerberg by a joint congressional committee in the United States this month, one line of questioning stood out. Republican Senator Lindsey Graham asked the 33-year-old billionaire whether the social media giant he created had an actual competitor.

Zuckerberg – who was in the hot seat regarding revelations that the British political consultancy firm Cambridge Analytica had misused the data of up to 87 million Facebook users – responded by naming tech companies with services that overlap Facebook’s such as Google, Apple, Amazon, Microsoft and Twitter. A truly viable rival – Instagram – was bought by Facebook in 2012 for US$1 billion.

“You don’t think you have a monopoly?” Graham asked. “Ah, it certainly doesn’t feel like that to me” Zuckerberg said, followed by laughter.

The senator then asked whether Facebook should be allowed to continue to self-regulate, and whether Zuckerberg would help lawmakers come up with the necessary regulations for Facebook and its ilk.

“Well senator, my position is not that there should be no regulation … I think the real question as the internet becomes more important in people’s lives, is what is the right regulation, not whether there should be regulation,” Zuckerberg said.

Cambridge Analytica in Asia: modern-day colonialism, or empathy in the digital age?

“But you as a company welcome regulation?” Graham asked again.

“I think if it’s the right regulation, then yes,” Zuckerberg said.

The back-and-forth between Graham and Zuckerberg highlights the challenge faced by regulators around the world in finding the best approach to supervise technology companies such as Facebook, Twitter, and Google, one that still allows innovation as well as data and consumer protections.

Facebook’s mishandling of data shows that even highly regulated nations can’t escape catastrophic data breaches during national elections.

How about the developing world?

Indonesia, Facebook’s third-largest market after India and the US, does not even have rules for companies such as Facebook. It has been struggling to frame a ministerial decree for internet-based service providers since President Joko Widodo’s administration marked it as a priority at the start of his presidency four years ago. This lack of oversight came under public scrutiny this month after it was revealed the personal data of one million Indonesians had been misused by Cambridge Analytica, making Indonesia the third most affected country after the US and the Philippines. Last week, the country’s communications and information technology ministry sent its third letter to Facebook demanding detailed answers and documents on how data was misused by third-party firms, and how the company planned to prevent such breaches in the future. The company has at least 115 million monthly active users in Indonesia, its fourth-largest user base after India, the US and Brazil.

Malaysia’s Najib denies using Cambridge Analytica, accuses Mahathir’s son

The ministry isn’t the only one angered by Facebook’s lack of explanation. In a public hearing between Facebook and the Indonesian parliament, legislators were left with more questions than answers. They asked the company to launch an audit to further investigate the breach. A similar request was filed by the Philippines and Australia.

“[This situation] is a result of a violation of trust and our failure to protect user data, and we are sorry that this happened,” Ruben Hattari, head of public policy at Facebook Indonesia, said during the hearing.

The breach, along with the proliferation of fake news on Facebook, has given grounds for the ministry to revive the possibility of shutting down Facebook.

The social media platform may need to take this threat seriously if it wants to sustain its digital advertising domination in Southeast Asia’s biggest economy – it has previously closed access to Tumblr, Reddit and the video-streaming service Vimeo due to a perceived failure to censor content.

Don’t turn Big Data into a fetish – it missed Trump, Brexit, Duterte

Indonesian regulators say they will issue the latest draft of a ministerial decree on internet companies in May. In the last three years, it has experimented with a number of drafts that include much-criticised potential solutions – having internet companies establish domestic presence and data centres, using a single national payment gateway and applying self-filtering that conforms with the country’s censorship standards. All of these are needed to provide data protection and a level playing field between local and international players, the ministry argues.

Critics, however, say the proposed rules could inhibit innovation and foreign investment at a time when neighbouring countries are vying to host global tech companies. They say Indonesia applies a one-size-fits-all approach for all internet-based companies, from ride-hailing firms such as Grab and Go-Jek to e-commerce companies to content-streaming providers and social media platforms.

“In the latest draft, the definition of [electronic system providers] is still too broad, it even includes search engines and the Internet of Things [IoT] … if passed we could be the first country that regulates IoT,” said Yose Rizal Damuri, head of economics at the Centre for Strategic International Studies (CSIS). “We need regulation that specifically categorises [digital platforms] according to [their services], so further consultation and study is needed.”

Under a more recent draft decree, the ministry seems to give ground on the issue of setting up physical data centres locally, but would still compel companies to register with relevant regulators and keep important user data inside Indonesia.

“If a company does business in Indonesia, they need to register with us … If they can’t set up a permanent establishment, due to a small user base in Indonesia, their business partners in Indonesia can register with us instead. This is important for taxation purposes,” said Semuel Abrijani Pangerapan, director general of information application at the communications ministry, during a recent panel discussion held by CSIS in Jakarta.

China’s credit ratings plan: from social media to medium of social control

Despite the relaxations, social media companies would still be required to filter “illegal” content such as hate speech, pornography, extremist ideology and so-called fake news, which analysts predict could grow rapidly in the next few months due to the country’s local and presidential elections.

“Our digital illiteracy rate is worrying,” Pangerapan said. “[The] number of internet users more than doubled in the past year, but it’s not paralleled with increased digital literacy. That’s why a lot of people are deceived by fake news and hoaxes.”

Pangerapan said the ministry still needed input from all stakeholders before launching the long-awaited decree. Facebook, for one, is happy to help.

“[Facebook] used to choose to self-regulate, but now we feel the need to adjust [our operations] in each of the countries where we operate … we would be happy if our feedback is well-received,” Hattari of Facebook said during the CSIS panel.

“At the end of the day we support a regulation that offers a win-win solution for the people, government and the companies.”