Data sovereignty is a key issue that all countries must address when reckoning their domestic governance policies. While China and ASEAN are each other’s largest trading partner, they have not yet reached any agreement to liberalize cross-border data flows essential for digital commerce, writes Li Xirui of the S Rajaratnam School of International Studies at Nanyang Technological University in Singapore and the Intellisia Institute in Guangzhou, China.
Credit: kb-photodesign / Shutterstock.com
In 2020, the Chinese government launched the Global Initiative on Data Security in an effort to shape global data governance. The following year, the League of Arab States (LAS) and China signed an agreement on data security cooperation. Central Asian countries concluded a similar framework deal with Beijing in 2022. Both initiatives cover the requirements for cross-border data transfers. The arrangement between China and the Central Asian nations sets out the principle that enterprises should store data in the countries where they operate.
China and the 10 members of the Association of Southeast Asian Nations (ASEAN) have reaffirmed their determination to deepen digital economy cooperation, particularly in data security and digital governance. Yet, they have not reached an accord similar to those that China has with the LAS and Central Asia, nor have they shown much interest in doing so. This is surprising given that China and ASEAN have a greater need to cooperate on international data transfers: They have been each other’s largest trading partner for several years, and cross-border data flows are essential for digital commerce.
This reluctance is likely because signing a specific agreement on international data flows between them would have little significance if they are unable to make greater commitments beyond what they have already signed up to under the Regional Comprehensive Economic Partnership (RCEP). Provisions on data in RCEP would likely represent the most that China and ASEAN member states are capable of committing to, as most of them are still in the process of developing their respective domestic data governance frameworks, predicated on the need to protect national sovereignty and security. They are simply not yet ready to make pledges on cross-border data flows.
China has enacted a number of data protection laws since 2016, including the Cybersecurity Law (CSL), the Data Security Law (DSL), and the Personal Information Protection Law (PIPL), the three major pillars of China’s legal framework for data. When formulating its domestic data governance, China is emphasizing more and more the utmost importance of national sovereignty and security. Both the CSL and DSL, for example, specify that they are to safeguard cyberspace sovereignty and national security. Even though the PIPL focuses on personal data, all organizations and individuals are required to uphold national security while protecting the security of personal data. In 2022, China released the Measures for the Security Assessment of Data Export, underscoring its priority concern that cross-border data transfers should not endanger national sovereignty and security.
Indonesia, meanwhile, has long advocated the protection of data sovereignty. Although its first personal data protection law does not include strict data localization requirements as had been expected, the country’s concern for national sovereignty and security has not diminished as they consider allowing data to freely cross its borders. Before the law was passed, Indonesia’s communication and informatics minister publicly stated that safeguarding digital and data sovereignty is a prerequisite for better managing cross-border data flows. Jakarta, for now, is maintaining strict sector-based controls on data exchanges.
Malaysia is on the same path. Its legal and policy frameworks on data reflect the principle of data sovereignty. Even though Malaysia has not enacted any data localization laws, it does have rules such as a strict prohibition against data export without consent and a requirement that copies of data be stored in local infrastructure before they can be transferred abroad. These increase Malaysia’s sovereignty in cyberspace by making data free flow across borders more difficult. Thailand, too, has begun to focus on the concept of cyberspace sovereignty as it shapes its digital frameworks and data governance.
China and all ASEAN member states signed the RCEP deal in November 2020. The free-trade agreement (FTA) entered into force in China, Australia, Japan, New Zealand and six of the Southeast Asian economies (Brunei, Cambodia, Laos, Singapore, Thailand and Vietnam) on January 1, 2022. It came into effect in South Korea a month later and in Malaysia a month after that. It came into effect for Indonesia on January 2, 2023. In the Philippines, the senate passed the pact on February 21, opening the way for the country to join on April 22. While Myanmar is reported to have ratified the accord in August 2021, questions about the status of the government in Naypyidaw have impeded ASEAN acceptance of the country’s accession.
In the section on electronic commerce (chapter 12), the RCEP treaty acknowledges that individual member states may require certain levels of data localization to ensure national security and achieve public-policy objectives. It makes clear, however, that no member state shall require data localization as a prerequisite for conducting business in its territory. RCEP, nevertheless, does not prohibit member states from imposing restrictions on international data flows. Rather, it stipulates that any regulatory requirements that restrict cross-border data transfers based on essential security interests shall not be disputed.
RCEP is the FTA with the highest standards for e-commerce and cross-border data transfers to which China has agreed to date. In signing on, China is arguably showing its principal commitment to international data mobility while retaining its own restrictive data governance system when necessary. China has applied to join the Comprehensive and Progressive Agreement for Trans-Pacific Partnership (CPTPP) and the Digital Economy Partnership Agreement (DEPA), both of which require a stronger commitment to liberalize cross-border data flows. The question is, in pursuit of these memberships, to what extent would China be willing to relax its data localization requirements and be more open on data rules. Since Singapore, the most developed digital economy among ASEAN, is already a member of both the CPTPP and DEPA, and Brunei, Vietnam and Malaysia are also part of the CPTPP, Beijing may not be in such a rush to discuss data cooperation with all ASEAN member states as a group.
In the meantime, ASEAN member states, many of which are still in the process of developing their domestic governing structures, are attempting to harmonize data policies among themselves. The approval by ASEAN countries in 2021 of the ASEAN Data Management Framework (DMF) and the ASEAN Model Contractual Clauses (MCCs) for Cross-Border Data Flows marks a significant achievement in the region’s digitalization process. These two initiatives, however, are non-binding and voluntary. In other words, member states and businesses operating in these countries have a great deal of autonomy in implementation, complying with the DMF and the MCCs as they see fit based on their own development stages. Clearly, ASEAN will take some time yet to agree on a common legal framework for regulating international data flows.
At the 25th ASEAN-China Summit in November 2022, the Southeast Asian nations and China announced the launch of negotiations to upgrade the ASEAN-China Free Trade Area (ACFTA). Digital economy will be one of the key topics covered by the talks. As Cambodian Prime Minister Hun Sen, the 2022 ASEAN chair, stated, RCEP is the “core framework” for the establishment of the upcoming upgraded ACFTA. This should mean that the revised FTA will include some articles on e-commerce based on the parameters set by the RCEP. But given that both sides are still in the process of developing their own data regulatory systems and that they each face different challenges in coping with the existing digital governance architecture due to their emphasis on national sovereignty and security, it is unlikely that in an ACFTA 3.0 the two parties will take any major step to make bolder commitments on e-commerce and to liberalize further cross-border data transfers than what they have already pledged in the RCEP.
Further reading:
Li Xirui
S Rajaratnam School of International Studies (RSIS), Nanyang Technological University (NTU), and Intellisia Institute
Check out here for more research and analysis from Asian perspectives.