The Prospects for Liberalizing Cross-Border Data Flows between China and ASEAN

Wednesday, March 15, 2023

Data sovereignty is a key issue that all countries must address when reckoning their domestic governance policies. While China and ASEAN are each other’s largest trading partner, they have not yet reached any agreement to liberalize cross-border data flows essential for digital commerce, writes Li Xirui of the S Rajaratnam School of International Studies at Nanyang Technological University in Singapore and the Intellisia Institute in Guangzhou, China. 

The Prospects for Liberalizing Cross-Border Data Flows between China and ASEAN

Credit: kb-photodesign /

In 2020, the Chinese government launched the Global Initiative on Data Security in an effort to shape global data governance. The following year, the League of Arab States (LAS) and China signed an agreement on data security cooperation. Central Asian countries concluded a similar framework deal with Beijing in 2022. Both initiatives cover the requirements for cross-border data transfers. The arrangement between China and the Central Asian nations sets out the principle that enterprises should store data in the countries where they operate.

China and the 10 members of the Association of Southeast Asian Nations (ASEAN) have reaffirmed their determination to deepen digital economy cooperation, particularly in data security and digital governance. Yet, they have not reached an accord similar to those that China has with the LAS and Central Asia, nor have they shown much interest in doing so. This is surprising given that China and ASEAN have a greater need to cooperate on international data transfers: They have been each other’s largest trading partner for several years, and cross-border data flows are essential for digital commerce.

This reluctance is likely because signing a specific agreement on international data flows between them would have little significance if they are unable to make greater commitments beyond what they have already signed up to under the Regional Comprehensive Economic Partnership (RCEP). Provisions on data in RCEP would likely represent the most that China and ASEAN member states are capable of committing to, as most of them are still in the process of developing their respective domestic data governance frameworks, predicated on the need to protect national sovereignty and security. They are simply not yet ready to make pledges on cross-border data flows.

In domestic data governance, the priority is national sovereignty and security

China has enacted a number of data protection laws since 2016, including the Cybersecurity Law (CSL), the Data Security Law (DSL), and the Personal Information Protection Law (PIPL), the three major pillars of China’s legal framework for data. When formulating its domestic data governance, China is emphasizing more and more the utmost importance of national sovereignty and security. Both the CSL and DSL, for example, specify that they are to safeguard cyberspace sovereignty and national security. Even though the PIPL focuses on personal data, all organizations and individuals are required to uphold national security while protecting the security of personal data. In 2022, China released the Measures for the Security Assessment of Data Export, underscoring its priority concern that cross-border data transfers should not endanger national sovereignty and security.

RCEP signing ceremony, November 15, 2020: The free-trade deal includes the highest standards for e-commerce and cross-border data transfers to which China has agreed (Credit: VNA)

RCEP signing ceremony, November 15, 2020: The free-trade deal includes the highest standards for e-commerce and cross-border data transfers to which China has agreed (Credit: VNA)

Many ASEAN member states are of the same mind. They have either just issued or are about to enact their first comprehensive personal data protection laws. Thailand, for instance, released its first consolidated data protection law in 2019 but has implemented it only since June 2022. Recently, Indonesia enacted its first “umbrella regulation” on personal data protection. Vietnam is expected to pass its first personal data protection law by 2024.

ASEAN states are also emphasizing data/digital sovereignty while developing their domestic data governance. In 2018, Vietnam, enacted the Cybersecurity Law, which mandates data localization and highlights that all activities in cyberspace should not cause harm to national security. In 2022, Hanoi issued a decree to implement the data localization requirements set by the legislation and further increase internet sovereignty. 

Indonesia, meanwhile, has long advocated the protection of data sovereignty. Although its first personal data protection law does not include strict data localization requirements as had been expected, the country’s concern for national sovereignty and security has not diminished as they consider allowing data to freely cross its borders. Before the law was passed, Indonesia’s communication and informatics minister publicly stated that safeguarding digital and data sovereignty is a prerequisite for better managing cross-border data flows. Jakarta, for now, is maintaining strict sector-based controls on data exchanges. 

Malaysia is on the same path. Its legal and policy frameworks on data reflect the principle of data sovereignty. Even though Malaysia has not enacted any data localization laws, it does have rules such as a strict prohibition against data export without consent and a requirement that copies of data be stored in local infrastructure before they can be transferred abroad. These increase Malaysia’s sovereignty in cyberspace by making data free flow across borders more difficult. Thailand, too, has begun to focus on the concept of cyberspace sovereignty as it shapes its digital frameworks and data governance.

RCEP and cross-border data transfers

China and all ASEAN member states signed the RCEP deal in November 2020. The free-trade agreement (FTA) entered into force in China, Australia, Japan, New Zealand and six of the Southeast Asian economies (Brunei, Cambodia, Laos, Singapore, Thailand and Vietnam) on January 1, 2022. It came into effect in South Korea a month later and in Malaysia a month after that. It came into effect for Indonesia on January 2, 2023. In the Philippines, the senate passed the pact on February 21, opening the way for the country to join on April 22. While Myanmar is reported to have ratified the accord in August 2021, questions about the status of the government in Naypyidaw have impeded ASEAN acceptance of the country’s accession.

In the section on electronic commerce (chapter 12), the RCEP treaty acknowledges that individual member states may require certain levels of data localization to ensure national security and achieve public-policy objectives. It makes clear, however, that no member state shall require data localization as a prerequisite for conducting business in its territory. RCEP, nevertheless, does not prohibit member states from imposing restrictions on international data flows. Rather, it stipulates that any regulatory requirements that restrict cross-border data transfers based on essential security interests shall not be disputed.

RCEP is the FTA with the highest standards for e-commerce and cross-border data transfers to which China has agreed to date. In signing on, China is arguably showing its principal commitment to international data mobility while retaining its own restrictive data governance system when necessary. China has applied to join the Comprehensive and Progressive Agreement for Trans-Pacific Partnership (CPTPP) and the Digital Economy Partnership Agreement (DEPA), both of which require a stronger commitment to liberalize cross-border data flows. The question is, in pursuit of these memberships, to what extent would China be willing to relax its data localization requirements and be more open on data rules. Since Singapore, the most developed digital economy among ASEAN, is already a member of both the CPTPP and DEPA, and Brunei, Vietnam and Malaysia are also part of the CPTPP, Beijing may not be in such a rush to discuss data cooperation with all ASEAN member states as a group.

In the meantime, ASEAN member states, many of which are still in the process of developing their domestic governing structures, are attempting to harmonize data policies among themselves. The approval by ASEAN countries in 2021 of the ASEAN Data Management Framework (DMF) and the ASEAN Model Contractual Clauses (MCCs) for Cross-Border Data Flows marks a significant achievement in the region’s digitalization process. These two initiatives, however, are non-binding and voluntary. In other words, member states and businesses operating in these countries have a great deal of autonomy in implementation, complying with the DMF and the MCCs as they see fit based on their own development stages. Clearly, ASEAN will take some time yet to agree on a common legal framework for regulating international data flows.

ASEAN-China summit in Phnom Penh, Cambodia, November 2022: Both sides agreed to launch negotiations to upgrade their free-trade area (Credit: Foreign Ministry of the People’s Republic of China)

ASEAN-China summit in Phnom Penh, Cambodia, November 2022: Both sides agreed to launch negotiations to upgrade their free-trade area (Credit: Foreign Ministry of the People’s Republic of China)

As agreed in the deal, Cambodia, Laos, Myanmar and Vietnam are allowed to impose data localization requirements on businesses for a certain period of time following RCEP’s entry into force. This temporary exemption indicates that these countries are not yet prepared to comply with the RCEP’s articles. Given that RCEP is legally binding, the articles on e-commerce represent the highest standard of commitment that all ASEAN members could make regarding cross-border data flows. This suggests that, for now, ASEAN as a group is not likely to be prepared to discuss further cooperation with China on cross-border data transfers.

Is the upgrading of the ASEAN-China Free Trade Area an opportunity?

At the 25th ASEAN-China Summit in November 2022, the Southeast Asian nations and China announced the launch of negotiations to upgrade the ASEAN-China Free Trade Area (ACFTA). Digital economy will be one of the key topics covered by the talks. As Cambodian Prime Minister Hun Sen, the 2022 ASEAN chair, stated, RCEP is the “core framework” for the establishment of the upcoming upgraded ACFTA. This should mean that the revised FTA will include some articles on e-commerce based on the parameters set by the RCEP. But given that both sides are still in the process of developing their own data regulatory systems and that they each face different challenges in coping with the existing digital governance architecture due to their emphasis on national sovereignty and security, it is unlikely that in an ACFTA 3.0 the two parties will take any major step to make bolder commitments on e-commerce and to liberalize further cross-border data transfers than what they have already pledged in the RCEP.

Opinions expressed in articles published by AsiaGlobal Online reflect only those of the authors and do not necessarily represent the views of AsiaGlobal Online or the Asia Global Institute


Li Xirui

Li Xirui

S Rajaratnam School of International Studies (RSIS), Nanyang Technological University (NTU), and Intellisia Institute

Li Xirui is pursuing doctoral studies at the S Rajaratnam School of International Studies (RSIS) of Nanyang Technological University (NTU) in Singapore. She is also a non-resident research fellow at the Intellisia Institute in Guangzhou, China.

Recent Articles
Recent Articles