On September 3, the Association of Southeast Asian Nations (ASEAN) officially launched negotiations on the ASEAN Digital Economy Framework Agreement (DEFA). DEFA aims to provide “a coherent, harmonized, collaborative, and rules-based approach” to establish a “competitive and inclusive regional digital economy.” A high-quality DEFA is expected to double the value of the ASEAN digital economy, from $1 trillion to $2 trillion, by 2030.
DEFA builds on the ASEAN Digital Integration Framework, among other ASEAN policy milestones, which recognizes digital integration as a “critical enabler” for ASEAN to compete more effectively in the global economy. A core aspect of DEFA, and ASEAN’s long-term commitment to digital integration, is the facilitation of seamless and secure data flows across ASEAN member states.
A push for harmonization of data regulatory frameworks could not be more timely amidst the headwinds in global data governance, where distinctive models of data regulation are emerging. The potential bifurcation of the data governance regime, where ASEAN member states are made to choose among divergent – even competing – models of data regulation, does not bode well for ASEAN’s end goal of fostering an ASEAN Economic Community.
ASEAN has an urgent task at hand to overcome the disparate data regulatory frameworks across its member states. Fostering a coherent data regulatory environment in the region is imperative to avoid being vulnerable to potential fragmentary pressures in global data governance.
Uneven Data Regulatory Frameworks Within ASEAN
Despite ASEAN’s prioritization of digital integration in its policy milestones, progress on data regulation among ASEAN member states remains limited and slow.
Dedicated frameworks and plans on data governance by ASEAN remain at the level of broad principles and guidelines. The ASEAN Framework on Personal Data Protection adopted in 2016 established a set of principles to guide the development of personal data protection measures at the national and regional level. The ASEAN Framework on Digital Data Governance that followed in 2018 is non-binding and sets out only broad guiding principles for data governance.
Not only do data regulatory frameworks across ASEAN member states reveal different preferences for data governance, but the extent of harmonization of cross-border data regulation with other trading partners also varies greatly.
Some countries have developed comprehensive legislation on restrictions of data flows and others have focused on data protection and data privacy laws. Indonesia and Vietnam have implemented data localization laws which mandate the storage of data generated locally within their territories. In terms of data protection and data privacy laws, only Indonesia, Malaysia, Philippines, Singapore, and Thailand have enacted comprehensive legislation. Vietnam’s revised Law on Protection of Consumers’ Rights, which includes new obligations for the protection of consumers’ information, comes into effect in 2024.
The adoption of data rules in free trade agreements (FTAs), which serve to harmonize cross-border data regulations between signatories, are likewise highly uneven across ASEAN member states. Some are moving quickly to ink digital economy agreements and upgrade existing FTAs to include data rules, while others have made only limited progress.
Compared to the rest of ASEAN, Singapore is signatory to an outsized number of FTAs that include data-related provisions or introduce novel ones. Based on the number of novel provisions introduced in Singapore’s agreements, it stands out as one of the rule-makers in global data governance.
Commitments to data rules by other ASEAN member states are otherwise limited, with data-related provisions largely absent in their FTAs. Where present, data rules are weakly legalized or emphasize exceptions. Behind Singapore, Vietnam has the most commitments on data regulation in its FTAs. This includes broad clauses on the maintenance of data protection measures or legally binding provisions that ensure data protection according to domestic law. Provisions that permit the transfer of data related to financial services, computer services, and telecommunications are also encoded in Vietnamese agreements.
Indonesia, Malaysia, Philippines, Thailand, and Cambodia also include similar provisions in their FTAs.
However, some of the most stringent and prevalent provisions across ASEAN member states’ FTAs pertain to exceptions. These exceptions retain a signatory’s right to implement restrictions to protect personal data notwithstanding obligations to ensure the free flow of data. Provided these measures do not constitute a means of discrimination among signatories, the grounds for these exceptions include but are not limited to national security.
With participation in FTAs across regional states already varying significantly, uneven progress in meeting the norms of data governance further widens the gap in the levels of integration of ASEAN member states with the global economy.
Divergent data regulatory frameworks across Southeast Asia jeopardize ASEAN’s goal to foster an integrated and competitive regional digital economy. It also increases the vulnerability of the region to potential fragmentary pressures in global data governance.
The Specter of Fragmentation
The different data regulatory models of China, the European Union (EU), and the United States have the potential to translate into distinct regimes in global data governance. As data rules proliferate in FTAs, the systematic convergence of countries toward preferred models could lead to the emergence of distinct regimes at the international level.
Already, the FTAs signed by China, EU, and the U.S. respectively are characterized by different priorities. China’s FTAs prioritize legally binding provisions on the protection of personal data and information in accordance with both domestic law and international standards. Similar provisions in the EU’s and the United States’ FTAs are weakly binding.
Instead, EU and U.S. FTAs contain more provisions on the free transfer or movement of data. These provisions predominantly extend commitments in the financial services, telecommunications, or audiovisual chapters to related data or information. Where included in the digital trade chapters, these provisions are explicit guarantees that disallow restrictions on cross-border data flows.
A Window of Opportunity for ASEAN
With the DEFA negotiations set to conclude by 2025, the next two years are a window of opportunity for ASEAN to realize its ambitions for digital integration and write its own rules for data governance.
For DEFA to be a “game-changer” for the bloc, ASEAN’s roadmap for digital integration needs to accelerate the harmonizing of data regulatory frameworks within the region. Developing comprehensive domestic legislations on data issues is a first step to establish clear benchmarks and norms. This in turn will smooth compatibility of data regulatory frameworks across jurisdictions.
As the world’s first region-wide digital economy agreement, DEFA has the potential to set an example for regulatory harmonization, especially among economies at very different stages of digital integration. To the extent that the design of FTAs often relies on the replication of existing templates, by ascribing the rules for the region, DEFA is a platform for ASEAN to shift from being a rule-taker to a rule-maker in global trade governance.