Is ASEAN’S Trend of Data Localization the Best Answer to Data Protection Requirements?

Data localization strategies should be undertaken on a risk dependent approach to safeguard the region’s economic interests.

As concerns around data privacy increase, countries in Southeast Asia and beyond are increasingly turning to data localisation as a measure to protect personal data. This policy could create opportunities for more local data infrastructure but also halt digital trade for the region. In Today’s rapidly progressing world, data has been and is essential to every interface especially in the ASEAN region which is going through a steadfast digital transformation. In lieu of the significance of data, Southeast Asian countries have magnified their endeavours in developing their own data governance strategies. For instance, Thailand, Singapore, and Indonesia have enacted comprehensive data protection legislation.


On October 1st of this year, Vietnam passed legislation that requires international firms with services in Vietnam to store users’ data within Vietnamese territory and set up local offices. Indonesia mandates that all public sector data be stored in the country and also requires data localization in certain sectors, such as the financial sector. Although Thailand and the Philippines have not explicitly addressed data localization, a broader interpretation of their data privacy laws may allow for data localization to be covered. All these laws are a part of a larger trend in Southeast Asia and the world at large. These laws usually contain the requirement to store and process data locally, keeping a copy of the data in local servers and limits on the amount of data transferred across borders. the spread of data localization norms among Southeast Asian countries is mainly driven by their common concerns over national security and digital sovereignty.

These laws often tend to ignore the costs of data localization. At the outset, data localisation leads to additional costs on companies, who incur on spending additional resources on setting up server rooms, data centres, and local offices. If the cost is too high, companies may choose to withdraw or suspend operations. Data localisation can also restrain free trade and affect the regional economic development of ASEAN. Lastly, data localisation may slow down the performance and efficiency of current technologies like cloud computing and artificial intelligence. Cloud computing works most efficiently when data is able to flow across borders, and artificial intelligence works best when it has a diverse range of data sources to draw upon. One could argue that these policies have led to the rapid proliferation of data centres across the region which in turn will accelerate the region’s digitalization process. With the increasing support of data centers, people living in Southeast Asia will likely enjoy faster and more reliable internet connections, technology innovation will be further encouraged, and businesses in the region will find it easier to interconnect, migrate to the cloud, and digitalize their processes and services. But these also restrict cross border flows of data which tends to be the blood of digital economies. It also impedes the deployment of Internet of Things and thus slows the digitization of different aspects of a consumer’s life and will cause the region to lag behind in the race for digitization.

While countries are right to worry about the data of their citizens, many of them still prefer the free flow of digital trade between economies. Perhaps the answer lies in using data localization as a tool used through a risk based lens, where each country sets its own risk level and decides how it would like to balance security and economic considerations. A risk-based approach first requires countries to have strong data classification models, which can help identify which data is more sensitive than others. Security best practices, such as the principle of least privileged access and zero trust systems, which requires portals to continuously verify one’s identity through methods such as multi-factor authentication, can also help secure data. Countries will constantly have to refine their data security laws to ensure the right balance between privacy and not affecting economic or digital growth.

ASEAN has committed to establishing a digital economy and society throughout the region by 2025. If the region’s countries align on data protection standards, this would help encourage further economic integration and reduce barriers for the provision of services, much like the EU has done. The quicker ASEAN countries refine their data protection laws, the lesser challenges they will face in the future and make the most of any opportunities arising from digitization.

About the Author

Kavita Panda
Chief Operating Officer | Profile

Kavita Panda is our Chief Operating Officer and Country Manager for India. Kavita was Executive Director of The Walt Disney Company India, wherein, she spent a decade and half in various business roles across Content Syndication, Licensing and Merchandising, Solution Sales and Advertising Sales.