Fostering digital economy integration by having interoperable cross-border data flow mechanisms may help mitigate impact from rising geopolitical fragmentation. However, within ASEAN, the issue of lacking uniform cross-border data transfer mechanism persists. Besides the need of a transparent system that can provide certainty to businesses operating in the region, the design of cross-border data flow mechanisms in ASEAN should also be viewed in conjunction with developments in the rest of the world.

In this webinar on “Facilitating Data Flows Across ASEAN: Challenges and Policy Directions”, we discuss the role of cross-border data flows in ASEAN’s growing digital economy, outline the challenges businesses face as they navigate the region’s diverse data regulatory landscape, assess the effectiveness of regional mechanisms, and explore how trade agreements have facilitated cross-border data flows. Finally, we discuss the significance of ASEAN’s Digital Economy Framework Agreement (DEFA) that’s still under negotiation.

Key Highlights

1. Lack of interoperability and data localization are two key challenges

• There generally is a lack of interoperability between data regulations adopted by different countries in the region. Data classification and data handling requirements often differ from country to country. Firms may therefore have to sign multiple contracts to comply with different data regulations, hampering business fluidity.
• For SMEs, they may not have the resources to understand the different legal requirements across countries.
• Ex-ante impact assessment and data localization requirement of Vietnam may add uncertainty and increase operating costs for businesses. Firms are unsure if the submission of impact assessment is equivalent to de-facto approval and may choose to err on the side of caution and not export data.
• Businesses subject to data localization may have to set up data centers locally, requiring infrastructure investment and trained human capital, lifting operating costs.

2. Trade agreements offer another channel facilitating cross-border data flows

• The number of data-related provisions in trade agreements is on the rise and offers one avenue for countries to overcome disparities in national data regulations by laying a common foundation for data transfers.
• Singapore and Australia have emerged as key region-internal and region-external influencers, respectively. Singapore especially has not only signed the most data-related agreements within ASEAN but also drives the agenda and content of other bilateral and regional agreements.
• However, relevant clauses in trade agreements are often riddled with exceptions, that both exclude whole countries through giving long grace periods and make it easy for countries to find loopholes and thus waiver the need for compliance. This significantly limits their effectiveness in harmonizing data regulations within and beyond ASEAN.

3. Reducing ambiguity is critical

• Businesses adapting to the diverse regulatory environments in the region oftentimes struggle to interpret data regulations, as there often is no clear guide on how firms can successfully become compliant.  
• Engaging industry consultations in the legislative process, providing sufficient grace period and regulatory sandboxes to create a safe space to test what compliance looks like are helpful measures. 
• Formally endorsing ASEAN Model Contractual Clauses (MCCs) will elevate the status of ASEAN MCCs to the same level as EU Standard Contractual Clauses (SCCs), increasing certainty and trust in ASEAN’s business environment.

4. Nuanced approaches needed to govern emerging fields like AI

• Deceptively, it may seem that less regulation in emerging technology fields is beneficial for businesses, but this is usually not the case: No regulations may indicate that the infrastructure and capacity are not in place to build a trusted digital environment. However, too restrictive regulations, of course, also have a potential to stifle business activity and innovation.
• One approach that has emerged with regulating AI and similar emerging fields compared to more traditional data policy is the focus on output and impact instead of inputs. So rather than focusing on the type of processing, the volume of data involved, or the sensitivity of imputed data, a key question is what the potential harms and threats of the output are.
• Additionally, when regulating such emerging technologies, it is important to note that SMEs are more likely to require guidance and regulatory support: Larger companies typically have more resources in place for controls that help maintain a certain level of user trust and security, such as more human reviews of AI outcomes, while SMEs struggle with this more. 

5. What to expect and hope for from DEFA

• DEFA should be seen as laying the foundation or the groundwork for national laws that subsequently follow from the agreed principles.  
• The ideal outcome of the DEFA negotiations would be for all ASEAN member states to agree to one trusted and open framework, especially regarding cross-border data transfers. These should draw on existing mechanisms like the ASEAN Model Contractual Clauses or the APEC CBPR framework. 
• Importantly, we should not copy and paste from EU regulations – ASEAN is not looking for harmonization to the extent of a single market. Instead, the key lesson we should learn from EU policy making in the digital space is to create business certainty in all member states. 

By LIU, Jingting, SENGSTSCHMID, Ulrike

View and download the presentation materials below:

1. Traversing ASEAN’s Cross Border Data Transfer Policies: Challenges for Business
2. Enhancing Cross-Border Data Flows: Assessing Regional Mechanism and Trade Agreements

View and download the Research Paper: Facilitating Data Flows Across ASEAN: Challenges and Policy Directions