The fragmentation of the cross-border data transfer regime between the ASEAN member states is widely regarded as a significant challenge to developing the digital economy in Southeast Asia. Governments have made efforts to support businesses by facilitating data transfers across borders, such as the ASEAN Model Contractual Clauses (MCCs) and various regional trade agreements, but more needs to be done.

The varying levels of development and different priorities of personal data protection regulations across ASEAN countries pose challenges for businesses. Recent years have seen notable developments in Southeast Asia’s data protection landscape, with new laws enacted in Vietnam and Indonesia. However, Brunei, Cambodia, Laos, and Myanmar remain without a legal framework governing data, contributing to business uncertainty. Additionally, the content of existing regulations in the region varies significantly due to diverse national interests. For instance, the Philippines adopts a business-friendly approach with minimal cross-border data transfer restrictions, while Vietnam prioritises national security and mandates data localisation.

Even among countries with comparable cross-border data transfer requirements, like binding contracts, there are variations in specific provisions, posing compliance difficulties. Companies operating across diverse markets must engage in and uphold multiple contracts. This demands extensive legal expertise and disrupts operational agility. Consequently, businesses face hurdles navigating the increasingly intricate and diverse regulatory landscape on personal data, stunting the digital economy’s growth potential in the region.

To tackle these challenges, countries are implementing regional initiatives to ease international data transfers for companies. However, existing efforts like MCCs, the APEC Cross-Border Privacy Rules (CBPR), and trade agreements fall short of harmonising national regulations, which impedes the development of a business-friendly regional data landscape. The ASEAN MCCs have limitations because countries need to adjust the rules based on their domestic contexts. This again increases the legal burden as multiple modifications must be added for different transfers. Also, not all countries have fully endorsed the MCCs – with only Singapore, the Philippines, and Thailand explicitly mentioning them in legal sources – making it uncertain for companies to use them for data transfers across ASEAN.

Even if companies use these mechanisms correctly, they still face problems transferring data smoothly because of interoperability issues between different definitions and requirements based on domestic regulations. For example, different countries have different rules about why data can be collected and how sensitive data should be handled. Therefore, firms must change how they handle data depending on the country where it was collected. For instance, Vietnam’s new data protection rules demand that businesses report data transfers, assess impacts, and potential data localisation to the Ministry of Public Security, complicating operations in ASEAN. Jeth Lee from Microsoft ASEAN comments, “Many companies may hold off on overseas data transfers until they have Ministry of Public Security approval.” Restricted data processing abroad could hinder Vietnamese access to services needing overseas servers or staff unless specific conditions are met.

Singapore is a major player within ASEAN and on the international stage in using trade agreements to promote free data flows. Additionally, multilateral trade agreements that ASEAN countries are party to increasingly contain provisions promoting the free cross-border flow of data, including the Comprehensive and Progressive Agreement for Trans-Pacific Partnership (CPTPP) and the Regional Comprehensive Economic Partnership (RCEP). However, trade agreements cannot be seen as immediate remedies due to numerous exceptions included in relevant clauses.

Based on the above assessment, the authors suggest that ASEAN governments should prioritise clarity and awareness of compliance with personal data regulation in the short term. Specifically, formalising rules and guidelines, providing SME-specific support through awareness-raising and training workshops, and enhancing government-industry collaboration are essential steps. This can help mitigate negative impacts on business activities most effectively in the short term. In the long term, the goal should be coherent cross-border data transfer mechanisms across the region, and possibly on a larger scale. This can be facilitated by interim solutions such as harmonising existing national regulations and signing bilateral agreements.

By XU, Ni Scarlet

Researchers: LIU, Jingting, SENGSTSCHMID, Ulrike and GE, Yixuan