Indonesia, meanwhile, has long advocated the protection of data sovereignty. Although its first personal data protection law does not include strict data localization requirements as had been expected, the country’s concern for national sovereignty and security has not diminished as they consider allowing data to freely cross its borders. Before the law was passed, Indonesia’s communication and informatics minister publicly stated that safeguarding digital and data sovereignty is a prerequisite for better managing cross-border data flows. Jakarta, for now, is maintaining strict sector-based controls on data exchanges.
Malaysia is on the same path. Its legal and policy frameworks on data reflect the principle of data sovereignty. Even though Malaysia has not enacted any data localization laws, it does have rules such as a strict prohibition against data export without consent and a requirement that copies of data be stored in local infrastructure before they can be transferred abroad. These increase Malaysia’s sovereignty in cyberspace by making data free flow across borders more difficult. Thailand, too, has begun to focus on the concept of cyberspace sovereignty as it shapes its digital frameworks and data governance.
RCEP and cross-border data transfers
China and all ASEAN member states signed the RCEP deal in November 2020. The free-trade agreement (FTA) entered into force in China, Australia, Japan, New Zealand and six of the Southeast Asian economies (Brunei, Cambodia, Laos, Singapore, Thailand and Vietnam) on January 1, 2022. It came into effect in South Korea a month later and in Malaysia a month after that. It came into effect for Indonesia on January 2, 2023. In the Philippines, the senate passed the pact on February 21, opening the way for the country to join on April 22. While Myanmar is reported to have ratified the accord in August 2021, questions about the status of the government in Naypyidaw have impeded ASEAN acceptance of the country’s accession.
In the section on electronic commerce (chapter 12), the RCEP treaty acknowledges that individual member states may require certain levels of data localization to ensure national security and achieve public-policy objectives. It makes clear, however, that no member state shall require data localization as a prerequisite for conducting business in its territory. RCEP, nevertheless, does not prohibit member states from imposing restrictions on international data flows. Rather, it stipulates that any regulatory requirements that restrict cross-border data transfers based on essential security interests shall not be disputed.
RCEP is the FTA with the highest standards for e-commerce and cross-border data transfers to which China has agreed to date. In signing on, China is arguably showing its principal commitment to international data mobility while retaining its own restrictive data governance system when necessary. China has applied to join the Comprehensive and Progressive Agreement for Trans-Pacific Partnership (CPTPP) and the Digital Economy Partnership Agreement (DEPA), both of which require a stronger commitment to liberalize cross-border data flows. The question is, in pursuit of these memberships, to what extent would China be willing to relax its data localization requirements and be more open on data rules. Since Singapore, the most developed digital economy among ASEAN, is already a member of both the CPTPP and DEPA, and Brunei, Vietnam and Malaysia are also part of the CPTPP, Beijing may not be in such a rush to discuss data cooperation with all ASEAN member states as a group.
In the meantime, ASEAN member states, many of which are still in the process of developing their domestic governing structures, are attempting to harmonize data policies among themselves. The approval by ASEAN countries in 2021 of the ASEAN Data Management Framework (DMF) and the ASEAN Model Contractual Clauses (MCCs) for Cross-Border Data Flows marks a significant achievement in the region’s digitalization process. These two initiatives, however, are non-binding and voluntary. In other words, member states and businesses operating in these countries have a great deal of autonomy in implementation, complying with the DMF and the MCCs as they see fit based on their own development stages. Clearly, ASEAN will take some time yet to agree on a common legal framework for regulating international data flows.