With the publication of the ASEAN Digital Masterplan 2025 (ADM 2025), member states of the Association of Southeast Asian Nations (ASEAN) have endeavored to promote the digitalization of the region. In this digital transformation process, data is essential because every interaction in the digital world produces and relies on data.
Realizing the significance of data, Southeast Asian countries have intensified their efforts to develop their own data governance strategies. For instance, Thailand, Singapore, and Indonesia have enacted comprehensive data protection legislation. Vietnam is also aiming to unveil its full data privacy law by 2024.
However, even though digitalization is powered by data flows, several ASEAN member states have increasingly restricted cross-border data flows and even enacted data localization requirements. For example, Vietnam mandates that foreign tech and telecom companies store user data domestically. In addition to mandating that all public sector data be stored in Indonesia, Indonesia also requires data localization in certain sectors, such as the financial sector. Although Thailand and the Philippines have not explicitly addressed data localization, a broader interpretation of their data privacy laws may allow for data localization to be covered. Cambodia is also reportedly about to issue data localization requirements soon.
This article notes that the spread of data localization norms among Southeast Asian countries is mainly driven by their common concerns over national security and digital sovereignty. Restrictions on cross-border data flows may not necessarily impede the digitalization process; rather, they could be a double-edged sword for the region.
Although the data protection efforts of many Southeast Asian countries resemble the European Union’s General Data Protection Regulation (GDPR), their reasons for imposing restrictions on international data transfers differ from those of the EU. The EU treats data privacy as an essential part of human rights and restricts cross-border data transfers on this basis. Unlike the EU, Southeast Asian countries view data through the lens of statehood rather than the perspective of individual rights. They argue that the right to control and maintain the data generated in their countries and owned by their citizens is crucial to national security and state sovereignty.
For instance, Johnny G. Plate, Indonesia’s minister for communication and information technology has stated unequivocally that control over data is a question of national sovereignty. During the celebration of Indonesia’s Independence Day, he also argued that maintaining digital and data sovereignty and preventing the creation of a digital colony were fundamental to bolstering and maintaining Indonesia’s independence. Similarly, Mohammad Mentek of Malaysia’s Ministry of Communications and Multimedia has also indicated that preserving data sovereignty is a major goal for his country to develop the existing legal and policy frameworks on data. When structuring its data governance, Vietnam has also placed national sovereignty protection at the forefront of its priorities. To enhance its internet sovereignty, Vietnam has enacted laws to ensure that the Vietnamese people’s data remains within and under its control.
Southeast Asia has become one of the regions with the most rapid expansion of data centers. As of this month, there are a total of 195 data centers in Southeast Asia. Recent market research by Arizton shows that the region’s data center market was worth $8.71 billion in 2021 and is projected to reach $12.34 billion by 2027. Moreover, Southeast Asia will soon surpass North America as the largest region for co-location data centers worldwide.
This rapid expansion is in part attributable to restrictions on the free flow of data across national borders. For example, the introduction of the data localization law has been a major driving factor for the rapid development of the Vietnamese data center market. Similarly, the increase in demand for local data centers in Indonesia is also a result of the government’s data localization requirements.
Importantly, the proliferation of data centers in Southeast Asia will accelerate the region’s digitalization process. As essential components of the IT infrastructure, data centers play a key role in digital transformation. These facilities constitute the physical backbone of digital life. With the increasing support of data centers, people living in Southeast Asia will likely enjoy faster and more reliable internet connections, technology innovation will be further encouraged, and businesses in the region will find it easier to interconnect, migrate to the cloud, and digitalize their processes and services.
Although restricting cross-border data flows drives the growth of data centers, which may promote digitalization, these data localization norms and requirements may in other ways impede the region’s ability to realize its digitalization objective. Cross-border data flows are the lifeblood of a digital economy. In particular, because any rules and regulations limiting cross-border data flows are considered key barriers to digital trade, they could also impede ASEAN’s transition to a digital economy. Furthermore, rules limiting international data flows also prevent ASEAN from developing into a digital society. The Internet of Things (IoT) is regarded as the foundation of a digital society as it enables the digitalization of almost every aspect of daily life, from education and entertainment to healthcare and transport. Since rules restricting international data flows undermine the deployment of IoT, they may also inevitably slow Southeast Asia’s digital transformation.
ASEAN has committed to establishing a digital economy and society throughout the region by 2025. Although Southeast Asian countries have increased their efforts to regulate data, which is viewed as the new oil in today’s world, many of them prefer to restrict the free flow of data across their national borders. In addition, since the limitations on international data transfers are the result of concerns over national security and state sovereignty, it is more difficult for Southeast Asian countries to compromise and relax the rules. Even though the rules are currently a double-edged sword for the region’s digitalization, they will inevitably present more challenges than opportunities in the future.