This chapter looks at regulations affecting the cross-border flow of data which is critical for digital trade. It shows that, over the past decade, most ASEAN Member States have undertaken domestic reforms. However, while some have embraced approaches that balance openness with safeguards, others have introduced more restrictive measures, affecting their ability to harness the value of data. The chapter also shows that data localisation measures are growing in both number and restrictiveness in the region.
Digital Trade Review of the Association of Southeast Asian Nations
Abstract
Cross-border data flows are a cornerstone of digital trade, but policymakers face the dual challenge of enabling transfers while ensuring robust safeguards are in place that enable trust.
AMS’ regulatory approaches to data flows vary widely. At present, the Philippines, Singapore, Malaysia and Thailand have domestic regulation aligned with the concept of Data Free Flows with Trust (DFFT). By contrast, Brunei Darussalam, Indonesia and Viet Nam have adopted more restrictive, ad-hoc, approaches. Cambodia, Lao and Myanmar have yet to adopt regulations in this area.
Trade agreements and regional initiatives can help operationalise “trusted” data flows. At present, 12 agreements by AMS have data flow provisions, many of these are driven by Singapore. Inter-governmental arrangements including the ASEAN Model Contractual Clauses or the Global CBPR also provide instruments to enable trusted data flows.
Data localisation measures are becoming more common and more restrictive across ASEAN. AMS, particularly Indonesia and Viet Nam, could reduce unnecessary trade frictions by adopting less restrictive measures that nonetheless enable legitimate public policy objectives to be met.
Overall, the regulatory landscape that underpins data flows in ASEAN remains complex, underscoring the need for greater interoperability and coherence. Progress will require coordinated domestic reforms, clearer commitments in trade agreements and deeper international co‑operation, including under the forthcoming Digital Economy Framework Agreement (DEFA).
Cross-border data flows underpin today’s economic and social interactions. They help people connect with family and friends located in different geographical locations; they support research addressing global challenges (as was the case during the COVID-19 pandemic); they enable the co-ordination of production along global supply chains; and they allow firms, notably smaller ones, and people to access global markets. In sum, cross-border data flows have become the lifeblood of modern day social and economic activities (OECD and WTO, 2025[1]).
The growth of the digital economy and digital trade has led to an unprecedented increase in the amount of data crossing international borders. By some estimates, there are 20 times more bytes of traffic than there are stars in the expanding universe (OECD and WTO, 2025[1]). As more and more data crosses international borders, concerns across a range of policy areas have amplified, leading to a rise in measures that condition the movement of data across borders (Casalini and López González, 2019[2]; Casalini, López-González and Nemoto, 2021[3]; Ferracane, Kren and van der Marel, 2020[4]; World Bank, 2020[5]; Aaronson, 2018[6]; Jerker and Svantesson, 2011[7]).
A significant portion of the empirical literature on data flow governance focuses on domestic regulations.1 Evidence suggests that more restrictive domestic regulations can have significant negative effects on productivity and domestic data-intensive downstream industries (Ferracane, Kren and van der Marel, 2020[4]; van der Marel et al., 2016[8]).2 They may also reduce international trade across all sectors of the economy (López González, Sorescu and Kaynak, 2023[9]), especially in data-intensive services sectors (Ferracane and van der Marel, 2021[10]), and attenuate the positive trade effect of AI on the mobile apps market (Sun and Trefler, 2023[11]).
Open and balanced cross-border data flow regulations that ensure cross-border transfer with safeguards can offer important economic benefits. If all countries were to adopt such approaches, often associated with the term data free flows with trust, exports would rise by 3.6% and global GDP by 1.8%. By contrast, the absence of regulations on cross-border data flows or the use of more restrictive regimes is associated with economic losses (OECD and WTO, 2025[1]). Differences in data flow regimes between trading partners also matter: Countries sharing open cross-border data flow regimes are associated with higher digital services trade compared to country-pairs with different regimes (Ferracane and Van Der Marel, 2021[12]).
1. A notable exception is the study by Spiezia and Tscheke (2020[31]), which analyses cross-border data flow provisions in plurilateral arrangements. While the authors identify a trade effect of these provisions, they do not explicitly assess how this effect varies with the level of restrictiveness.
2. The authors clarify that this negative effect is more robust for restrictions that affect the domestic use of data than those restricting cross-border data flows.
However, the growing and pervasive use and exchange of data, including across borders, has fuelled concerns about the use and, especially the misuse, of data, including in the context of power relations among firms and between firms and consumers, and in particular with respect to privacy and personal data protection (Casalini and López González, 2019[2]). These concerns are compounded when data moves beyond the reach of domestic regulatory bodies or is subject to differing regulations depending on where it is located and the type of information that it contains.
While data and digital activity are inherently borderless, regulatory frameworks are not. Ensuring privacy and digital security, protecting and enforcing intellectual property rights, enabling economic development, and maintaining the reach and oversight of regulatory and audit bodies can all become more complex when data crosses jurisdictions (Casalini, López-González and Nemoto, 2021[3]).
Against, this backdrop, approaches to cross-border data flows vary significantly across ASEAN Member States (AMS). Some have embraced regulatory approaches that balance openness with safeguards while others have introduced more restrictive approaches, including data localisation measures. Although approaches to data regulation reflect national priorities in the context of different national circumstances, more restrictive approaches risk foregoing important positive economic and social gains associated with a more open and secured data environment (Box 3.1). This chapter provides a more detailed overview of how AMS regulate cross-border data flows.1
Issues around cross-border data flows can be approached from different perspectives – through domestic regulations, regional trade agreements (RTAs), and via plurilateral or inter-governmental arrangements (OECD, 2022[13]).
3.2.1. Domestic regulations addressing cross-border data flows vary greatly across AMS
In terms of domestic regulation, there are four ‘types’ of approaches to cross-border data flows.2
No cross-border data flow regulation (Category 0), usually because there is no privacy and data protection legislation at all. While this implies no restrictions on the movement of data, the absence of regulation can affect the willingness of firms in other countries to send data to these locations.
Open safeguards (Category 1). These refer to transfer mechanisms that tend to leave more discretion to the private sector as to how to safeguard transfers (often in the context of existing principles or guidance provided in domestic regulation). These include ex-post accountability principles (where sending entity is liable for how the data is treated at its destination), contracts governing the conditions for data flows or private sector-led adequacy decisions.
Pre-authorised safeguards (Category 2), includes approaches relying on pre-determined and transparent public sector approval before transfers can be made. In the context of privacy and personal data protection, these relate to determinations of adequacy or equivalence of protection by a public authority. Where an adequacy determination has not yet been made, firms can generally move data under model or approved contractual clauses or using binding corporate rules, or among other mechanisms.
Flow conditional on ad hoc authorisation (Category 3), relates to systems that only allow data to be transferred on a case-by-case basis subject to review and approval by relevant authorities. This approach relates to personal data for privacy reasons, but also to more sweeping categories of data such as “important” or “critical” data which are often not defined.
Across these different types of approaches, several exceptions are envisaged to permit the transfer of data. These include transfers in relation to “legitimate interest”, or for the “public interest”, or in relation to legal claims (among others). Data-subject “consent” is also frequently used for permitting data transfers, but its use remains the subject of debate.
Over the past decade, most AMS have undertaken reforms, introducing regulations affecting cross-border data flows, primarily in the form of data protection and privacy (Table 3.1). While these frameworks permit the transfer of personal data beyond national borders, the conditions under which such transfers are allowed vary significantly.
As of December 2025
*Not yet enacted.
The Philippines, Singapore, Malaysia, and Thailand’s domestic regulation foresees the use of open or pre-authorised safeguards when transferring data abroad. These approaches generally provide transparent criteria for transfers that balance openness with safeguards. By contrast, Brunei Darussalam, Indonesia, and Viet Nam tend to mandate prior approval from authorities on an ad-hoc or case-by-case basis (Figure 3.1). These tend to be less aligned with the principle of data free flows with trust. At the same time, Myanmar, Cambodia and Lao PDR have little regulation in this area.
Note: This figure categorises ASEAN Member States based on their domestic regulations to cross-border data flows. It presents a spectrum ranging from no regulation to strict, ad-hoc authorisation requirements. The categorisation of approaches to cross-border data flow regulation follows Casalini, López-González and Nemoto (2021[14]). *Cambodia and Lao PDR have no specific data protection law as of December 2025. In Cambodia, the Law on Electronic Commerce (2019) Article 32 “Data protection” (Kingdom of Cambodia, 2019[15]), does not explicitly cover cross-border data flows, while, in Lao PDR, the Law on Electronic Data Protection (2017) Article 17 “Sending or transferring electronic data” (Ministry of Justice of Lao PDR, 2017[16]), does not mention any safeguards in the transfer of data outside of the jurisdiction. Cambodia’s recently released draft Law on Personal Data Protection (2025) was not enacted at the time of writing.
Source: compilation based on text of legal instruments shown in Table 3.1.
Open and pre-authorised safeguards
The Philippines’ Data Privacy Act (DPA) of 2012 requires legally binding contracts when sending personal data to other countries. These contracts must ensure at least the same level of data protection as stipulated in the Philippine law (Congress of the Philippines, 2011[17]).3 Similarly, Singapore’s Personal Data Protection Act (PDPA) of 2012 (amended by the Personal Data Protection Regulations of 2021) allows international data transfers if they are covered by legally enforceable obligations – like laws, contracts, or binding corporate rules – that match Singapore’s data protection standards of its PDPA 2012 (Singapore Personal Data Protection Commission, 2021[18]).4
Malaysia has recently made significant progress in its cross-border data flow regime. Previously, the country’s 2010 Personal Data Protection Act (PDPA) offered leeway for ad-hoc decisions on international data transfers.5 However, since June 2025, Malaysia uses a more open approach that allows for private adequacy decisions for countries with a comparable level of data protection under the PDPA 2024 (Parliament of Malaysia, 2024[19]).6 The “Guidelines to the Amending Act for Cross-Border Personal Data Transfers (CBPDT)” (2025) also recommend using safeguards, such as binding corporate schemes, contractual clauses, or certification schemes to ensure that reasonable precautions are in place (Personal Data Protection Commission, 2025[20]).7 These guidelines also allow the use of contractual clauses from international models, such as the ASEAN Model Contractual Clauses for Cross Border Data Flows (see further information in Section “Inter-governmental arrangements also enable cross-border data transfers”), the EU GDPR Standard Contractual Clauses for the Transfer of Personal Data to Third Countries, or other contractual clauses determined by the government (Personal Data Protection Commission, 2025[20]).
Thailand’s Personal Data Protection Act of 2019 relies on public adequacy decisions and pre-authorised legally binding obligations.8 Thailand’s Personal Data Protection Committee (PDPC) determines whether a foreign country provides adequate personal data protection standards, issues adequacy decisions or can establish a pre-approved list of destination countries.9 In the absence of the PDPC’s adequacy decision, the subordinate regulation to the Act requires using one of several pre-authorised safeguards for sending data abroad. These include i. legally binding contractual clauses, such as the ASEAN Model Contractual Clauses for Cross-Border Data Flows, or EU GDPR clauses (Clause 10), ii. Certifications (Clause 14), or iii. binding agreements between Thai and foreign government agencies on data protection (Clause 8).
Flow conditional on ad-hoc authorisation
Brunei Darussalam has made important steps to governing international data transfers by introducing its first Personal Data Protection Order in January 2025 (Government Gazette, 2025[21]).10 Under this Order, organisations can only transfer personal data to other countries if they can ensure the same level of data protection as required in Brunei Darussalam. However, the flexibility of the government to exempt from requirements or not, offers room for ad-hoc decisions.11 This leeway creates uncertainty for businesses handling the data.
Indonesia is working towards a more open and trusted approach to international data transfers under its Personal Data Protection Law (No. 27 of 2022), which took effect in October 2024. Unlike regulation No. 20 of 2016 that requires coordination with the Minister for international data transfers,12 the new law allows for more flexibility and relies on data protection safeguards instead of formal reporting.13
However, important elements of the PDP law of 2022 still need to be put in place to ensure a clear and trusted environment for cross-border data transfers. Without these, businesses may face uncertainty when transferring data. Under existing regulation, personal data can only be sent to other countries if they provide adequate data protection. If the receiving country does not meet these data protection standards, the transfer must be protected by other safeguards, so-called “binding data protection protocols”.14 However, as of December 2025, Indonesia has not yet issued the implementing regulations detailing how these transfers should be handled. Consequently, the specific criteria for determining countries with adequate data protection levels and the requirements for binding data protection safeguards remains unclear. In addition, the independent supervisory authority meant to oversee international data transfers, as required by the law, has not yet been officially established.15
Viet Nam’s Decree on the Protection of Personal Data (13/2023) requires companies to carry out a data protection impact assessment, which must be available for inspection and assessment by the Ministry.16 The Ministry has the authority to stop the international data transfer if it violates the interests and national security of Viet Nam (or if the sender fails to comply with the requirements of the impact assessment (Article 25)).17 As a result, the existing legal basis for cross-border data transfers lack clarity on the criteria and the types of data concerned, creating uncertainty for businesses.
A new “Data Law” (No. 60/2024/QH15 of November 2024) has entered into force in July 2025. It covers international transfers of “core” and “important” data which are broadly defined (in Data Law, Decision No. 20/2025/QD-TTg). For transfers of core data, prior approval from the relevant ministry is needed after submitting an impacts assessment dossier. A new Personal Data Protection Law (No. 91/2025/QH15 of June 2025) applicable from January 2026 provides further regulatory aspects on international data transfers.18
No regulation
While Myanmar has not yet implemented any regulation for data protection in international data transfers, Cambodia and Lao PDR have partial coverage in the Law on Electronic Commerce (2019) and the Law on Electronic Data Protection (2017), respectively.19 In 2023, Cambodia proposed a Draft Law on Personal Data Protection (2025). While the draft will likely undergo further revisions, the circulated draft is understood to include a prohibition of cross-border data flows20 (and strict data localisation measures, see Chapter 3.3) (Greenleaf, 2025[22]; ESCAP-ECA-ECLAC, 2024[23]; UNESCAP, ASEAN, 2026[24]). To ensure that Cambodia can fully benefit from the economic and social advantages associated with the free flow of data, the new law would be strengthened by adopting a more open approach to cross-border data transfers supported by various safeguards such as adequacy decisions, and/or different forms of legally binding mechanisms.
3.2.2. Cross-border data flow provisions in trade agreements can facilitate data flows with trust
Cross-border data flow provisions increasingly feature in digital trade chapters of AMS’ Regional Trade Agreements (RTAs) – a trend largely driven by Singapore. By October 2024, 12 trade agreements address cross-border data flows (see Table 3.2 for an overview of ASEAN Member States’ trade agreements including digital trade provisions). Singapore is party to 8 or two-thirds of these agreements. However, only two-thirds of the 12 RTAs have a binding cross-border data flow provision (Figure 3.2).
As of October 2024
Note: The figure shows the number of Regional Trade Agreements (RTAs) that entered into force as of October 2024 by binding or non-binding data flow provision within an e-commerce chapter (TAPED variable “data_free_flow_prov_2_2_1”). The figure is based on the list of RTAs outlined in Table 3.2.
Source: calculation based on the TAPED database version of November 2024 (Burri, Vásquez Callo-Müller and Kugler, 2024[25]). All ASEAN Member States’ RTAs that include cross-border data flow provisions incorporate exceptions, in terms of sectoral coverage or in the context of pursuing legitimate public policy objectives (LPPO). For example, in terms of sectors, the ASEAN Agreement on E-commerce (2021) explicitly excludes financial services and financial service suppliers from its cross-border data flow obligations (see Article 4 (c)).
In terms of LPPOs, RCEP provides broad exception, allowing parties to adopt measures to protect “essential security interests”, which “shall not be disputed by other Parties” (Article 12.15 3(a) and 3(b)). Moreover, the existing exceptions are self-judging with language such as “that it considers necessary”. This contrasts with the approach in CPTPP which is more general. Both CPTPP (2018) and DEPA (2024) include exceptions related to instances which would “constitute a means of arbitrary or unjustifiable discrimination” and “impose restrictions on transfers of information greater than are required to achieve the objective” (CPTPP Article 14.11 3(a) and 3(b), and DEPA Article 4.3 3(a) and 3(b)).21
The EU‑Singapore Digital Trade Agreement (EUSDTA), although falling outside the sample period of analysis, deserves particular attention. Beyond reflecting a high degree of ambition, the language also provides a potential new path bridging contrasting approaches to cross-border data flows, including between the EU and CPTPP countries. In particular, EUSDTA recognises differences in approaches to privacy protection and invites signatories to explore ways of increasing convergence between regimes to facilitate cross-border data flows. It also provides a list of what might be considered legitimate public policy objectives.
Three-quarters (9 out of 12) of AMS’ trade agreements with data flow provisions have dispute settlement mechanisms that apply to e-commerce provisions including cross-border data flow rules. Although a minority, 3 out of 12 RTAs, explicitly exclude the dispute settlement mechanism for the e-commerce chapter. This is the case in RCEP, stating that “No Party shall have recourse to dispute settlement under Chapter 19 (Dispute Settlement) for any matter arising under this Chapter”.22 In the case of CPTPP exceptions for Malaysia and Viet Nam were given for a period of two years after the date of entry into force.
Entered into force as of October 2024
Note: *The EU-SGP DTA is not counted in the graphs because it was signed in 2025, which falls outside the sample period. ASEAN-Australia-New Zealand Free Trade Agreement (AANZFTA-Second Protocol) entered into force in 2025. It is not counted in the graphs of this section as it falls outside the sample period.
Source: compilation based on the TAPED database version of November 2024 (Burri, Vásquez Callo-Müller and Kugler, 2024[25]).
3.2.3. Inter-governmental arrangements also enable cross-border data transfers
ASEAN Member States participate, to varying degrees, in both non-binding and binding inter-governmental arrangements concerning cross-border data transfers.23 For example, all AMS are party to the ASEAN Framework on Personal Data Protection (ASEAN PDP Framework) established in 2016. It outlines non-binding principles of personal data protection across the region.24
In 2021, ASEAN Digital Senior Officials endorsed the ASEAN Model Contractual Clauses (MCCs) for data transfers.25 These are contractual terms and conditions that organisations can voluntarily include in their binding legal agreements to help ensure that the cross-border transfers of personal data are compliant with AMS’ legal and regulatory requirements, as well as with the principles set forth in the ASEAN PDP Framework.26 Malaysia referred to the ASEAN MCCs as an adequate safeguard for cross-border data flows in the guidelines to its Personal Data Protection Act (PDPA) of 2024 (see Section “Domestic regulations addressing cross-border data flows ”).
In addition, the Philippines and Singapore also participate in the APEC Cross-border Privacy Rules (CBPR) and APEC Privacy Recognition for Processors (PRP) – data protection principles and privacy practices, which were adopted in 2011, and have since evolved into Global CBPR and Global PRP. The global frameworks were officially launched in June 2025 and align around several privacy laws worldwide. Building on the foundations of the APEC CBPR and APEC PRP, they establish binding and legally enforceable international data protection and privacy practices once an organisation is certified. These certification schemes allow companies to demonstrate that they are compliant with data protection and privacy practices. (IAPP, 2024[26]).
ASEAN Member States are also increasingly introducing data localisation measures,27 and these tend to fall mostly under the most restrictive category, requiring both local data storage and prohibiting cross-border data transfers (see Box 3.2 for OECD’s classification of data localisation measures).28 The number of such measures has increased substantially – rising from just two in 2012 to 12 in 2023 (Figure 3.3).29 Among these, 10 reflect the strictest form. Two additional measures currently in draft form would also fall into this category: the Philippines’ Draft Executive Order on Policy Guidelines on Data Localisation of data stored in the Cloud (2023)30 and Thailand’s National Cyber Security (NCSC) Committee’s Standards for the Maintenance of Cybersecurity in Cloud Computing Systems (2023).31
Note: In this graph, data localisation measures are counted based on the number of legal instruments that are either in place or in draft form. As of April 2025, ASEAN Member States have a total of 14 legal instruments with explicit data localisation requirements, including two instruments still in draft form. Categorisation of data localisation measures are outlined in Box 3.2 based on Del Giovane, Ferencz and López-González (2023[27]) and López González, Casalini and Porras (2022[28]). Notations are as follows Cat. 1=Local storage requirement without flow restriction, Cat. 3=Local storage and processing requirement with flow prohibition (or ad-hoc exceptions).
Source: based on Del Giovane, Ferencz and López-González (2023[27]).
Data localisation measures can be classified into three main categories according to their general level of restrictiveness (Figure 3.4) (see Del Giovane, Ferencz and López-González (2023[29]) for more information).
Category 1 refers to measures that require data to be stored locally but do not prohibit its storage or processing abroad.
Category 2 includes measures that mandate both local data storage and processing, while still allowing for international data transfers and access under clearly defined conditions – such as those related to the type or integrity of the data.
Category 3 encompasses measures that require data to be stored and processed locally and either prohibit its transfer abroad or allow for such transfers only based on ad-hoc authorisation.
A separate “Category 0” does not impose local storage requirements (and is therefore not a data localisation measure), instead, it sets conditions on access or protection/security. This might be a less trade restrictive way of ensuring that legitimate public policy objectives can be met.
Source: Del Giovane, Ferencz and López-González (2023[29]).
Seven of the ten ASEAN Member States have at least one explicit data localisation measure in place (Figure 3.5). Singapore has implemented one measure, which falls under the least restrictive category. By contrast, Indonesia has introduced five measures that align with the strictest form of data localisation. Similar approaches are also reflected in the draft regulations in Thailand and the Philippines.
Note: In this graph, data localisation measures are counted based on the number of legal instruments that are either in place or in draft form. As of April 2025, ASEAN Member States have a total of 14 legal instruments with explicit data localisation requirements, including those still in draft. Categorisation of data localisation measures are as follows: 1= Local storage requirement without flow restriction, 3=Local storage and processing requirement with flow prohibition (or ad-hoc exceptions).
Source: based on Del Giovane, Ferencz and López-González (2023[27]).
While less stringent data localisation measures in ASEAN are generally cross-cutting, applying broadly across multiple sectors, the most restrictive forms tend to be sector-specific, most notably applying to the public sector and cloud computing activities (Figure 3.6). These stricter measures also tend to target certain types of data, such as financial, personal, or cloud computing data (Figure 3.7).
Although data localisation measures aim to address a range of government objectives, there are potentially less trade distorting ways of attaining these. AMS should seek to reduce the use of the most restrictive forms of data localisation with a view to reducing their negative impact on consumer choice and prices as well as digital security and resilience (see Del Giovane, Ferencz and López-González (2023[27])).
Note: In this graph, data localisation measures are calculated based on the number of sectors affected by existing or draft legal instruments in each ASEAN Member State. As of April 2025, ASEAN Member States use or drafted a total of 14 legal instruments containing explicit data localisation requirements, each affecting one or more sectors.
Source: based on Del Giovane, Ferencz and López-González (2023[27]).
Note: In this graph, data localisation measures are calculated based on the number of different types of data affected by existing or draft legal instruments in each ASEAN Member State. As of April 2025, ASEAN Member States use or drafted a total of 14 legal instruments (including two of them in draft form) containing explicit data localisation requirements, each applying to one or more types of data.
Source: based on Del Giovane, Ferencz and López-González (2023[27]).
The regulatory landscape for cross-border data flows in ASEAN has been in flux during the last decade. Seven out of ten AMS have put in place personal data protection regulations by taking different approaches. At the same time, the remaining three AMS are yet to put in force regulation in this area.
This regulatory fragmentation calls for greater efforts to build bridges to ensure coherence and interoperability between approaches, both with respect to other AMS but also globally. ASEAN countries have understood this and have started to build tools to enable data free flows with trust. This includes discussions in trade agreements that incorporate data flow provisions as well as greater engagement in inter-governmental initiatives including the ASEAN Model Contractual Clauses and the APEC Global CBPR.
It will be important for AMS to continue aligning approaches to ensure open and safeguarded transfers. In this context, the Digital Economy Framework Agreement (DEFA) discussions open opportunities to enable greater data use and re-use within ASEAN. In parallel, ASEAN countries should continue incorporating binding data flow provisions, combined with privacy provisions, in future trade agreements. AMS should also try to reduce their reliance on data localisation measures, which can have unintended consequences, including greater security risks, higher costs for consumers and fewer services offered at higher prices.
These reforms will be important not just in the context of enhancing digital trade, but also of better participating in and benefitting from the AI revolution, requiring more seamless and safeguarded data flows (see Chapter 5).
References
[6] Aaronson, S. (2018), Data Is Different: Why the World Needs a New Approach to Governing Cross-border Data Flows.
[25] Burri, M., M. Vásquez Callo-Müller and K. Kugler (2024), “TAPED: Trade Agreement Provisions on Electronic Commerce and Data (November 2024)”, https://doi.org/10.1093/jiel/jgz044.
[2] Casalini, F. and J. López González (2019), “Trade and Cross-Border Data Flows”, OECD Trade Policy Papers, No. 220, OECD Publishing, Paris, https://doi.org/10.1787/b2023a47-en.
[14] Casalini, F., J. López-González and T. Nemoto (2021), MAPPING COMMONALITIES IN REGULATORY APPROACHES TO CROSS-BORDER DATA TRANSFERS.
[3] Casalini, F., J. López-González and T. Nemoto (2021), MAPPING COMMONALITIES IN REGULATORY APPROACHES TO CROSS-BORDER DATA TRANSFERS.
[17] Congress of the Philippines (2011), AN ACT PROTECTING INDIVIDUAL PERSONAL INFORMATION IN INFORMATION AND COMMUNICATIONS SYSTEMS IN THE GOVERNMENT AND THE PRIVATE SECTOR, CREATING FOR THIS PURPOSE A NATIONAL PRIVACY COMMISSION, AND FOR OTHER PURPOSES, https://privacy.gov.ph/data-privacy-act/ (accessed on 5 June 2025).
[27] Del Giovane, C., J. Ferencz and J. López-González (2023), The Nature, Evolution and Potential Implications of Data Localisation Measures.
[29] Del Giovane, C., J. Ferencz and J. López-González (2023), The Nature, Evolution and Potential Implications of Data Localisation Measures.
[23] ESCAP-ECA-ECLAC (2024), Cambodia Economy Profile, https://dtri.uneca.org/v1/uploads/country-profile/khm-country-profile-en.pdf (accessed on 8 July 2025).
[4] Ferracane, M., J. Kren and E. van der Marel (2020), “Do data policy restrictions impact the productivity performance of firms and industries?”, Review of International Economics, Vol. 28/3, pp. 676-722, https://doi.org/10.1111/roie.12467.
[12] Ferracane, M. and E. Van Der Marel (2021), Regulating Personal Data Data Models and Digital Services Trade Background Paper, http://www.worldbank.org/prwp.
[10] Ferracane, M. and E. van der Marel (2021), “Do data policy restrictions inhibit trade in services?”, Review of World Economics, Vol. 157/4, pp. 727-776, https://doi.org/10.1007/s10290-021-00417-2.
[21] Government Gazette (2025), Personal Data Protection Order of Brunei Darussalam, https://www.agc.gov.bn/AGC%20Images/LAWS/Gazette_PDF/2025/EN/S%201_2025%20[E].pdf (accessed on 8 July 2025).
[22] Greenleaf, G. (2025), “Cambodia’s draft data privacy law: Too much is left to delegated prakas”, 193 Privacy Laws & Business International Report, https://papers.ssrn.com/sol3/papers.cfm?abstract_id=5206970 (accessed on 8 July 2025).
[26] IAPP (2024), Unlocking global data privacy interoperability with CBPRs, https://iapp.org/news/a/unlocking-global-data-privacy-interoperability-with-cbprs.
[7] Jerker, D. and B. Svantesson (2011), The regulation of cross-border data flows, http://www.svantesson.org..
[15] Kingdom of Cambodia (2019), LAW ON ELECTRONIC COMMERCE, https://commerce-cambodia.com/wp-content/uploads/2021/06/eCommerceLawEN.pdf (accessed on 7 July 2025).
[28] López González, J., F. Casalini and J. Porras (2022), A PRELIMINARY MAPPING OF DATA LOCALISATION MEASURES.
[9] López González, J., S. Sorescu and P. Kaynak (2023), “Of bytes and trade: Quantifying the impact of digitalisation on trade” 2022.
[30] Malaysian Personal Data Protection Commission (2010), Malaysia Personal Data Protection Act (Act 709), https://www.pdp.gov.my/ppdpv1/akta/akta-pdp-2010/ (accessed on 6 June 2025).
[16] Ministry of Justice of Lao PDR (2017), Lao PDR Presidential Decree_Law on Electronic Data Protection_2017_en.
[13] OECD (2022), “Fostering cross-border data flows with trust”, OECD Digital Economy Papers, No. 343, OECD Publishing, Paris,, https://doi.org/10.1787/139b32ad-en.
[1] OECD and WTO (2025), Economic Implications of Data Regulation: Balancing Openness and Trust, OECD Publishing, Paris, https://doi.org/10.1787/aa285504-en.
[19] Parliament of Malaysia (2024), AMENDMENT 2024 PERSONAL DATA PROTECTION ACT Act A1727, https://www.pdp.gov.my/ppdpv1/akta/akta-pdppindaan-2024/ (accessed on 6 June 2025).
[20] Personal Data Protection Commission (2025), Guidelines to the Amending Act for Cross-Border Personal Data Transfers (CBPDT), https://www.pdp.gov.my/ppdpv1/en/buku-garis-panduan-pemindahan-data-peribadi-rentas-sempadan-cbpdt-2/ (accessed on 6 June 2025).
[18] Singapore Personal Data Protection Commission (2021), Personal Data Protection Act 2012 (ACT 26 OF 2012) / Personal Data Protection Regulations 2021, https://sso.agc.gov.sg/SL/PDPA2012-S63-2021?DocDate=20210930&WholeDoc=1#P13- (accessed on 5 June 2025).
[31] Spiezia, V. and J. Tscheke (2020), “International agreements on cross-border data flows and international trade: A statistical analysis”, OECD Science, Technology and Industry Working Papers, No. 2020/09, OECD Publishing, Paris, https://doi.org/10.1787/b9be6cbf-en.
[11] Sun, R. and D. Trefler (2023), THE IMPACT OF AI AND CROSS-BORDER DATA REGULATION ON INTERNATIONAL TRADE IN DIGITAL SERVICES: A LARGE LANGUAGE MODEL, http://www.nber.org/papers/w31925.
[24] UNESCAP, ASEAN (2026), Digital Trade Regulatory Review for ASEAN, Bangkok: ESCAP., https://hdl.handle.net/20.500.12870/8392.
[8] van der Marel, E. et al. (2016), “A methodology to estimate the costs of data regulations”, International Economics, Vol. 146, pp. 12-39, https://doi.org/10.1016/j.inteco.2015.11.001.
[5] World Bank (2020), World Development Report 2020: Trading for Development in the Age of Global Value Chains, Washington, DC: World Bank, https://doi.org/10.1596/978-1-4648-1457-0.
← 1. This chapter draws on the framework developed by Casalini, López-González and Nemoto (2021[3]) on cross-border data flows, and on the research of Del Giovane, Ferencz and López-González (2023[29]) on data localisation measures.
← 2. These are not mutually exclusive: different approaches can apply to different types of data even within the same jurisdiction. For example, health data might be subject to more stringent approaches than data related to product maintenance.
← 3. See Data Privacy Act of 2012 in Chapter VI, SEC. 21. (a), stating that “[t]he personal information controller is accountable for complying with the requirements of this Act and shall use contractual or other reasonable means to provide a comparable level of protection while the information is being processed by a third party.”
← 4. See Personal Data Protection Regulations of 2021 in Part 3 “Requirements for transfer” “10. – (1). […] take appropriate steps to ascertain whether, and to ensure that, the recipient of the personal data is bound by legally enforceable obligations (in accordance with regulation 11) to provide to the transferred personal data a standard of protection that is at least comparable to the protection under the Act.
← 5. Before April 2025, Malaysia’s PDPA of 2010 permitted transfers only to jurisdictions deemed adequate by the Minister (Malaysian Personal Data Protection Commission, 2010[30]). The law lacked an official whitelist of approved countries and clear criteria for determining adequacy. Although a public adequacy mechanism was announced in 2017 through the Public Consultation Paper No. 1/2017 (Transfer of Personal Data to Places Outside Malaysia) – requiring the Minister to publish a Gazette notification listing countries with comparable data protection – there was no indication, at the time of writing, that such a whitelist was ever issued. As a result, no countries were officially approved adequate for data transfers under this provision.
← 6. See Personal Data Protection Act (amendment) 2024 (Act A1727) “Section 129 (2) A data controller may transfer any personal data of a data subject to any place outside Malaysia if; (a) in that place there is in force any law which is partly similar in scope to this Act.”.
← 7. See Personal Data Protection Guidelines: Cross Border Personal Data Transfer (CBPDT) (2025) from 12. to 12.1.3, which reads “12. Requirement to take all reasonable precautions and exercise all due diligence for cross border transfers of personal data.” (Personal Data Protection Commission, 2025[20]).
← 8. Data transfer within the same group of companies / affiliated businesses may be exempt from the above requirement if binding corporate rules are approved by the PDP Committee.
← 9. See Clause 28 of the Personal Data Protection Act (2019) and the subordinate regulation to Thailand’s PDPA (2019) (Notification-of-the-Personal-Data-Protection-Committee-Section-28.pdf). Clauses 5 and 6 prescribe the criteria to designate countries or international organisations having adequate level of protection and the power of the PDPC to adjudicate (ibid.).
← 10. Brunei’s Data Protection Policy of 2014 applies to public agencies only.
← 11. The PDPO (2025) states under “Transfer of personal data outside Brunei Darussalam”: 24. (1) No organisation shall transfer any personal data to a country outside Brunei Darussalam except in accordance with the prescribed requirements to ensure that organisations provide a standard of protection to personal data so transferred that is comparable to the protection under this Order. (2) The Authority may, on the application of any organisation, by notice in writing exempt the organisation from any prescribed requirement pursuant to subsection (1) in respect of any transfer of personal data by that organisation. (3) An exemption under subsection (2) - (a) may be granted subject to such conditions as the Authority may specify in writing; and (b) need not be published in the Gazette and may be revoked at any time by the Authority. (4) The Authority may at any time add to, vary or revoke any condition imposed under this section.” (Government Gazette, 2025[21]).
← 12. The wording used in Article 22(2), which clarifies the meaning of “coordination”, suggests a notification-based requirement rather than an authorisation of the transfer by the Minister, see Article 22(2): i. Reporting in advance: the entity must report its plan to transfer personal data across borders. The report must include, at a minimum, the destination country, the name of the receiving entity, the date of transfer, and the purpose/reason for transfer; ii. Seeking advocacy (optional and only applies if needed): It implies that the Ministry can provide guidance, and entity can request guidance from the Ministry. It does not imply that approval is required; iii. Post-transfer reporting: The entity must submit a report detailing the execution of the data transfer after it occurs.
← 13. The requirement to coordinate with the Ministry of Communication for every cross-border personal data transfer, as stipulated in Regulation 20/2016, is no longer the prevailing framework following the entry into force of Law No. 27 of 2022 (PDP Law), see Article 75 of the PDP Law which states: “At the time this Law comes into force, all provisions of laws and regulations governing Personal Data Protection shall remain in effect insofar as they do not conflict with the provisions of this Law.” This means Regulation 20/2016 still technically applies, but only to the extent that it does not conflict with Law No. 27/2022. Since the PDP Law Article 56 introduces a new framework for cross-border data transfers (based on adequacy, binding safeguards, or consent), the previous “coordination with the Ministry” requirement is most likely overridden. Therefore, although Regulation 20/2016 has not been formally repealed, its provisions related to cross-border data transfers are effectively no longer applicable following the enactment of the PDP Law.
← 14. The PDP Law (No. 27 of 2022) states under “Transfer of Personal Data outside the Jurisdiction of the Republic of Indonesia” in Article 56: (1) A Personal Data Controller may transfer Personal Data to a Personal Data Controller or a Personal Data Processor outside the jurisdiction of the Republic of Indonesia under this Law. (2) In transferring Personal Data under section (1), a Personal Data Controller must ensure that the country of domicile of the Personal Data Controller and/or the Personal Data Processor who receives transferred Personal Data has a Personal Data Protection level equal to or higher than the one regulated by this Law. (3) If the provision of section (2) is not met, the Personal Data Controller must ensure that adequate and binding Personal Data Protection protocols apply. (4) If the provisions of section (2) and section (3) are not met, the Personal Data Controller must obtain approval from the Personal Data Subject. (5) Ancillary provisions for transfer of Personal Data shall be stipulated by Regulation of the Government.”
← 15. The articles 58‑60 of Law No. 27 of 2022 mandate the establishment of an independent supervisory authority reporting directly to the president. However, as of May 2025, this authority has not been established and it is understood that the Ministry of Communication and Informatics (KOMINFO) stepped in as a transitional authority (see the verbal statements by the Director General of Public Information and Communication of KOMINFO at https://en.antaranews.com/news/300042/alleged-voter-data-leak-reminder-for-pdp-laws-derivative-rules).
← 16. See Decree 13/2023 in Article 24 “Assessment of impact of personal data processing”: 1. A Vietnamese citizen’s personal data shall be transferred abroad in case where the Sender makes a dossier on assessment of impact of outbound transfer of personal data and carries out the procedures specified in Clauses 3, 4 and 5 of this Article. The senders include the Personal Data Controller, the Personal Data Controller-cum-Processor, the Personal Data Processor and the Third Party. 3. A dossier on assessment of impact of outbound transfer of personal data shall be always available to serve inspection and assessment by the Ministry of Public Security. 4. The Sender shall notify the Ministry of Public Security of information about the data transfer and contact details of the organisation or individual in charge of such transfer in writing after the personal data is successfully transferred.”
← 17. See Viet Nam’s Decree 13/2023 in 8. “The Ministry of Public Security shall decide to request the Sender to stop transferring personal data abroad in the following cases: a) It is detected that the transferred personal data is used for activities that violate the interests and national security of the Socialist Republic of Vietnam. b) The Sender does not comply with regulations in Clause 5 and Clause 6 of this Article; c) A Vietnamese citizen's personal data is leaked or lost.”
← 18. The entry into force of the regulation falls outside of the review period. The content of the regulation is therefore not discussed in the text.
← 19. Cambodia’s Law on Electronic Commerce (2019) does not explicitly cover cross-border data flows, but under Chapter 6 “Consumer protection” in Article 32 “Data protection” states that the data holder must ensure that the personal data is protected by security safeguards (Kingdom of Cambodia, 2019[15]). Lao PDR’s Law on Electronic Data Protection (2017), in Article 17 “Sending or transferring electronic data” stipulates certain requirements for the transfer but no direct rules on what is considered as adequate data protection in the transfer (Ministry of Justice of Lao PDR, 2017[16]).
← 20. Cambodia’s draft Law on Personal Data Protection (LPDP) was released in July 2025. It specifies that data shall not be transferred abroad unless one of three conditions is fulfilled: (1) A permission for transfer from the relevant ministry; (2) an adequacy assessment by the data controllers; and/or (3) a range of exceptions, including consent, public interest and related. Data controllers still need to provide evidence in the case to using the 2nd or 3rd mechanism. While this moves Cambodia closer to existing personal data protection regulation, there remains a degree of ambiguity regarding the legal basis for transfers, including with little guidance related to how adequacy is to be assessed.
← 21. See Casalini, López-González and Nemoto (2021[14]) for a discussion of different LPPOs in data flow provisions in trade agreements.
← 22. Reference is made to the e-commerce chapter.
← 23. Plurilateral arrangements are international frameworks that aim to align different privacy principles around core values of data privacy protection. They vary in terms of enforceability. Some rely on non-binding clauses, which aim to encourage the adoption of data privacy principles. Others adopt binding clauses, which include stronger enforcement mechanisms.
← 24. See https://asean.org/wp-content/uploads/2012/05/10-ASEAN-Framework-on-PDP.pdf, accessed on 29 July 2025.
← 25. Please note that ASEAN Secretariat joined with the European Commission published a guide to ASEAN MCCs and EU Standard CCs, accessible at The-Joint-Guide-to-ASEAN-Model-Contractual-Clauses-and-EU-Standard-Contractual-Clauses.pdf.
← 26. See 3-ASEAN-Model-Contractual-Clauses-for-Cross-Border-Data-Flows_Final.pdf, accessed on 29 July 2025. ASEAN Model Contractual Clauses for Cross Border Data Flows were set out as strategic priorities as part of the ASEAN Cross-Border Data Flow Mechanism in the ASEAN Framework on Digital Data Governance of 2018, see 6B-ASEAN-Framework-on-Digital-Data-Governance_Endorsedv1.pdf (accessed on 29 July 2025).
← 27. Although there is no single, and widely accepted, definition of data localisation there is broad agreement that its consequence is more local storage or processing that would have otherwise been the case. One tractable definition involves identifying explicit requirements for data to be stored and/or processed within the domestic territory. According to López González, Casalini and Porras (2022[28]), the number of data localisation measures and their restrictiveness has been growing globally.
← 28. This work considers solely explicit requirements to store data locally rather than implicit cases like a complete prohibition on cross-border data transfers, which corresponds to a de factor requirement for local storage and processing.
← 29. Table 3.A.1 provides an overview of data localisation measures analysed in this section.
← 30. Philippines’ Draft Executive Order specifies in “Section 4. Data Residency” that “Only Non-Sensitive Government Data may be stored in off-shore infrastructure, and in “Section 5. Security Operations Centers” that “All security operations centers providing cybersecurity services to NGAs, GOCCs, GFIs, SUCs, LGUs, and government instrumentalities should be deployed in infrastructure located within the Philippines.”, see https://digitalpolicyalert.org/event/14959-introduced-draft-data-residency-executive-order-in-the-philippines, accessed on 25 July 2025.
← 31. Thailand’s NCSC Standards specify in “2.5.1 Data Center Location (Data Localisation)” that “A PRIMARY data centre must be located in Thailand” and that “A BACK-UP data centre must be located either: in Thailand; or in a Southeast Asian country geographically closest to the primary users (e.g. Singapore or the Hong Kong SAR)”, see https://ratchakitcha.soc.go.th/documents/43184.pdf, accessed on 25 July 2025.