Industry Insights with Rubaiyyaat Aakbar

Geo Focus: Asia , Geo-Specific , Standards, Regulations & Compliance

Event Horizon: What's Driving Data Localization Laws in Asia

Competing Data Sovereignty Rules Complicate Cross-Border Data Transfers
Event Horizon: What's Driving Data Localization Laws in Asia
Cisco unified computing servers in a data center in Phatthalung, Thailand (Image: Shutterstock)

Southeast Asia is emerging as a major hub for data center growth, witnessing one of the fastest expansions globally. The region is home to around 200 data centers, which were valued at $8.71 billion in 2021, and the market is expected to touch $17.73 billion by 2029, according to recent market research conducted by Arizton. Even with such enormous growth potential, the varying levels of development and different priorities of personal data protection regulations across ASEAN countries pose challenges for businesses.

See Also: How to Unlock the Power of Zero Trust Network Access Through a Life Cycle Approach

While many Southeast Asian countries' data protection frameworks resemble the European Union's General Data Protection Regulation, their motivations for restricting international data transfers differ significantly. Unlike the EU, which emphasizes individual rights, Southeast Asian nations view data primarily through the lens of state sovereignty.

These countries argue that controlling and safeguarding data generated within their borders - and owned by their citizens - is essential to national security and the protection of state sovereignty. The regulatory landscape varies widely across the region, reflecting differing national priorities. For example, the Philippines takes a business-friendly stance with minimal restrictions on cross-border data transfers, whereas Vietnam emphasizes national security, enforcing strict data localization requirements. This regulatory diversity complicates efforts to harmonize the region's digital policies.

What Is Data Localization?

Data localization refers to laws or regulations that require businesses to store and process digital data within a country's borders. This often involves restricting the transfer of data to other nations, aiming to enforce local privacy laws that protect personal or sensitive information. It also gives governments easier access to data for regulatory and legal purposes. Data localization laws can be indirectly established through regulations on cross-border data transfers typically allowed under specific conditions that can effectively require data to be stored and processed locally.

As data privacy concerns grow in Southeast Asia and globally, many countries are turning to data localization to protect personal information. But experts advise that these measures should be implemented with a risk-based approach, ensuring that data protection efforts are balanced with the potential impacts on innovation and the economy.

How It All Started

The goal of the ASEAN Digital Masterplan 2025 is to encourage the region's digitalization. Countries in Southeast Asia are working harder to create their data governance plans. Singapore, Malaysia and Hong Kong have embraced fairly common approaches to data protection laws, focusing on safeguarding personal information and ensuring business compliance.

Although these laws don't require data to be stored locally, they regulate the transfer of personal data across borders through consent, security measures and other conditions. Companies must ensure that the receiving country or organization provides sufficient protection or adopts additional safeguards when necessary. In some instances, approval from the Data Privacy Commission is needed before data can be transferred internationally.

Indonesia is among the few Southeast Asian nations that enforce data localization laws, requiring certain data to be processed and stored within its borders. Under Government Regulation No. 71 of 2019 on Electronic Systems and Transactions, or GR 71, electronic system operators are divided into two categories: public and private. Public ESOs, such as government bodies and their designated entities, must process and store data within Indonesia. Private ESOs, including businesses, have the flexibility to store data abroad. Certain industries, such as financial services, may face sector-specific rules mandating that personal data be processed and stored only within Indonesia.

Vietnam has established data localization regulations under its Cybersecurity Law - No. 24/2018/QH14, which took effect on June 12, 2018, and was subsequently clarified by Decree No. 53/2022/ND-CP. This law mandates that user data - including account information and relationship data - be stored in Vietnam for a minimum of 24 months. International companies are required to meet these data storage obligations and establish local offices within 12 months of a request from the Ministry of Public Security. In response, U.S. business groups representing technology giants such as Amazon, Google and Meta expressed concerns in a letter to Prime Minister Pham Minh Chinh, warning that this law could hinder investments and complicate the assessment of operational costs for businesses in Vietnam, as reported by Bloomberg.

A 'Growing Gap' in Localization Requirements

Statista predicted that the global cloud computing industry will develop at a pace of 18.49% from 2024 to 2029, reaching a value of $1,806 billion. To meet their demands, it predicted, businesses will use a range of cloud services, including infrastructure as a service -IaaS - on the public cloud. Although cloud computing makes it possible for businesses to handle and store data anywhere in the globe, the ease with which data can go across national boundaries has drawn the attention of numerous governments.

Countries are enacting data localization regulations that dictate where data can be processed and stored. Organizations operating within a specific territory or collecting and using the information of their residents must adhere to these laws. But achieving compliance can be particularly complex, especially when leveraging public cloud services. Two primary challenges emerge for organizations attempting to meet local regulations while using public cloud offerings, particularly those from hyperscale providers.

Data localization requirements are scattered across both sector-specific and general legislation, and the justifications for these policies shape the extent and scope of data affected by each mandate. Countries such as China, Indonesia, Thailand and Vietnam impose some of the most stringent restrictions. Gehan Gunasekara, an associate professor at the University of Auckland Business School, has pointed out a "growing gap" in localization requirements among different jurisdictions. This disparity raises concerns that nations adopting data sovereignty measures could disrupt the global economy across various sectors.

Business Consequences

In the realm of international IT-enabled services exports, countries such as Bangladesh, Indonesia, Pakistan and Vietnam are gaining prominence. According to Oxford's Online Labor Index, Bangladesh boasts the second-largest proportion of gig workers globally, at 15%, trailing only India. Within Asia, it is followed by Pakistan, the Philippines, Vietnam and Indonesia. Despite the considerable variations in storage and data transfer regulations across these nations, global corporations are facing escalating compliance costs due to the diverse transfer requirements necessary to align with the legal frameworks in each jurisdiction. Research from the Information Technology and Innovation Foundation indicates that restricting data flows has a statistically significant impact on a nation's economy, notably reducing overall trade and increasing import costs for downstream companies that increasingly rely on data.

Data localization affects the entire economy. ITIF's model shows that trade volumes decrease in line with imports. Since they are used as inputs in domestic production, higher import costs also reduce exports. ITIF has found that a one-unit increase in an industry's data restrictiveness is associated with a 0.5% decrease in the following year's trade - including a 0.6% decrease in imports and a 0.9% increase in import prices.

Smart Data Governance

It can be difficult to create a smart data governance structure that adequately addresses valid public policy issues, especially for Asian emerging country policymakers. But given how important data and digital technology are to advancing economic development, these authorities must strike the correct balance. Instead of giving in to the erroneous belief that local data ownership is appropriate, they ought to focus on putting in place smart data governance policies that encourage digital growth and embrace international norms for protecting public data.

Smart data governance involves modernizing laws to address legitimate concerns while ensuring an open, targeted and balanced approach that preserves the significant societal and economic advantages of data and digital technologies. If policymakers cling to costly and misguided data localization policies, they risk allowing countries with more effective digital strategies to gain a competitive edge. Consequently, smartly governed businesses and economies in these regions may thrive, while those adhering to restrictive policies could struggle and fall farther behind.



About the Author

Rubaiyyaat Aakbar

Rubaiyyaat Aakbar

Head of Cybersecurity, Insuretech startup

Aakbar has been the head of cybersecurity for an emerging insuretech startup in Singapore since 2019. He has almost two decades of experience, listed twice in the ASEAN Top CSO30 and holds globally recognized GRC certifications. Aakbar often speaks at regional conferences, and his insights on contemporary cybersecurity trends and threats appear in tech magazines.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing careersinfosecurity.asia, you agree to our use of cookies.