International Approaches and Recommendations for the ASEAN Digital Economy Framework

DINH TON Minh Duc & VU Phuong Linh

Abstract

In recent years, the Association of Southeast Asian Nations (ASEAN) has emerged as a dynamic region at the forefront of global digital transformation. However, the complexity of data regulation, coupled with the divergent national data legislation of ASEAN Member States, presents significant challenges to achieving harmonized data rules within the region. This lack of uniformity impedes the development of ASEAN’s digital economy. In response, the negotiation of the ASEAN Digital Economy Framework Agreement (DEFA) in September 2023 highlights ASEAN’s commitment to realizing its ambition of a unified and competitive digital economy. One of the key objectives of the DEFA is to facilitate cross-border data flows while ensuring data protection. This paper explores the potential for harmonizing data regulations within ASEAN by: (1) examining global data governance frameworks through case studies of the United States, China, and the European Union; (2) analyzing the current data regulatory landscape in ASEAN; and (3) assessing the potential of the DEFA. The paper concludes by offering recommendations for the development of an ASEAN data regulatory framework that aligns with regional needs and enhances ASEAN’s integration into the global digital economy.

Keywords: Data governance, Data regulation, ASEAN, DEFA, Digital economy.

Résumé 

Ces dernières années, l’Association des nations de l’Asie du Sud-Est (ASEAN) s’est imposée comme une région dynamique à l’avant-garde de la transformation numérique mondiale. Cependant, la complexité de la réglementation des données, associée aux législations nationales divergentes des États membres de l’ASEAN, pose des défis importants pour l’harmonisation des règles sur les données au sein de la région. Ce manque d’uniformité entrave le développement de l’économie numérique de l’ASEAN. En réponse à cela, la négociation de l’Accord-cadre sur l’économie numérique de l’ASEAN (DEFA) en septembre 2023 souligne l’engagement de l’ASEAN à réaliser son ambition d’une économie numérique unifiée et compétitive. L’un des objectifs clés du DEFA est de faciliter la circulation transfrontalière des données tout en garantissant leur protection. Cet article explore le potentiel d’harmonisation des réglementations sur les données au sein de l’ASEAN en : (1) examinant les cadres mondiaux de gouvernance des données à travers des études de cas des États-Unis, de la Chine et de l’Union européenne ; (2) en analysant le paysage actuel de la réglementation des données au sein de l’ASEAN ; et (3) en évaluant le potentiel du DEFA. L’article propose enfin des recommandations pour le développement d’un cadre réglementaire des données adapté aux besoins régionaux et visant à renforcer l’intégration de l’ASEAN dans l’économie numérique mondiale.

Mots-clés : gouvernance des données, régulation des données, ASEAN, DEFA, économie numérique.

   

The digital revolution has rapidly transformed the global landscape, ushering in an era where data—the by-product of individuals’ interactions with the Internet—is often referred to as the “new currency” or the “new oil”. Indeed, both modern production and consumption processes are heavily dependent on data. Individuals rely on data for daily activities that require modern technology to access the web while simultaneously generating data. Companies, in turn, collect this data for processing and analysis, driving product customization and innovation. Data, in this sense, is a non-depletable resource.^[1] The interactions between users and companies, combined with the borderless nature of the platforms facilitating these interactions, have fostered an increasingly integrated digital world. Ideally, this integration would allow data to be transferred seamlessly within a coherent framework. However, the growing divergence in domestic data regulations across nations presents significant challenges to the continued prosperity of the digital economy.

Against the backdrop of the booming global digital transformation, Southeast Asia (SEA) emerged as a dynamic, fast-paced market, with an estimated growth from approximately $300 billion to almost $1 trillion by 2030 from the World Economic Forum.^[2] Realizing the need for a unified regional development strategy moving forward, a key initiative was created—the Digital Economy Framework Agreement (DEFA)—in which one of the nine core negotiation targets is data: “Cross‑border Data Flows and Data Protection aims to facilitate cross-border data flow and establish frameworks to protect data privacy”.^[3] This is a statement of determination from ASEAN policymakers to establish a coherent, binding regional data governance framework with privacy and security playing a pivotal role while integrating such a framework in the wider context of the digital economy. This paper shall examine the potential of DEFA in achieving this aim by analyzing existing data governance models as possible examples and inspecting the past and current data governance landscape within the region before offering some recommendations for a comprehensive ASEAN data regulatory framework through DEFA.

1. The Digital Economy and Data Regulation

The term “digital economy” refers to the integration of digital technologies into the economy, characterized by rapid change and expansion.^[4] This concept encompasses a variety of activities in which digital inputs play a significant role in economic output. ASEAN has also defined the digital economy in its Work Plan on the Implementation of ASEAN Agreement on Electronic Commerce (AAEC) as e-commerce and all other digitized economic activities. Although lacking a consistent definition, a digital economy fundamentally includes many components of digitalization, such as policy and regulation, e-commerce, trade facilitation, logistics optimization, digital payment platforms, digital identity management, and e-government services. Moreover, individuals play a crucial role as end-users as they must be equipped with digital skills to harness the advantages of the digital economy.^[5] Thus, it can be inferred that a digital economy has the ability to harmonize technology, policy, and human capital and emphasize the need for infrastructure, concise regulatory frameworks, and individual capabilities to drive economic growth and development.

One central aspect of digital economy integration is data regulations, which serve as a cornerstone for enabling secure cross-border interactions in an expanding digital landscape.^[6] In essence, data protection aims to balance the benefits of personal data processing for businesses and the potential risks to individuals’ privacy and security. Data protection laws typically include fundamental principles governing personal data processing, including the requirement for data processing to be lawful, accurate, secure, transparent to individuals whose data is being processed, and limited to specified purposes. Moreover, these laws emphasize giving individuals a degree of control over how their personal data is being used and establish regulatory bodies tasked with overseeing compliance, conducting investigations, and enforcing obligations when necessary.^[7]

2. International Approaches to Data Governance

2.1. The State of Global Data Governance Landscape

The desire for a coherent data governance framework or harmonizing the law is by no means recent, especially among developed nations. As early as 1980, the Organization for Economic Cooperation and Development (OECD) issued the Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, outlining basic principles in citizen’s data privacy protection such as limited data collection and protection against cyberattacks, as well as laying the foundation for uninterrupted and secure flows of data cross-border. Based on the guidelines, the OECD adopted two other texts: the Declaration on Transborder Data Flows (1985) and the Ministerial Declaration on the Protection of Privacy of Global Networks (1998). In 1990, the United Nations General Assembly adopted the Guidelines for the Regulation of Computerized Personal Data Files, calling for data to be protected from unlawful collection and threats and emphasizing the right of a person to know whether their information is being obtained or processed. All the above-mentioned texts aim to protect individual data as a fundamental right. However, those documents are merely political declarations without binding effects, providing no mechanism or precise rules to realize their ambitions.

It was only when the Council of Europe adopted the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data in 1981 (Convention 108) that a binding agreement existed. Ratified by States both within and outside the Council of Europe, Convention 108 contains high-level principles on data regulations in line with the abovementioned declarations, aiming to be a universal instrument in the field of data protection.^[8] The EU, still finding it necessary for a more detailed set of regulations, adopted the Data Protection Directive in 1995, which was replaced by the General Data Protection Regulation (GDPR) in 2016, marking the arrival of a truly regional and comprehensive regulatory framework harmonizing data regulation. The establishment of the GDPR opened up opportunities for countries and regional blocs to establish legally binding frameworks addressing data-related challenges that come with an increasingly integrated global digital economy.

2.2. Approaches to Data Regulation: Differing Interests at Odds

Given the complexity of data governance, it is essential for policymakers to consider all relevant aspects in order to gain a comprehensive understanding of the issue. In this regard, Henry Gao argued that: “Any framework for data regulation would involve three groups of players: the individual, who provides the raw data and uses the processed data; the firm, which processes the raw inputs from the consumer and typically controls such data; and the state, which monitors and regulates the data used by the first two groups”.^[9] This categorization of stakeholders offers a clear perspective on how their interests often conflict. Specifically, individuals are primarily concerned with the protection of privacy and personal security; private enterprises value the free flow and use of data; and the state focuses on ensuring societal security. Different regulatory approaches tend to prioritize one stakeholder over the others, resulting in three distinct models: (i) the EU model, which emphasizes the protection of individuals; (ii) the United States model, which prioritizes private enterprise; and (iii) the Chinese model, which focuses on the interests of the public and the state.^[10]

2.2.1. The United States Model

The US model is characterized by a market-based approach consisting of two underlying elements: free and fair competition between firms.^[11] As with traditional goods and services, the US promotes a free, undisrupted data flow that allows the market to regulate itself. Firms will have to amend their policies based on consumers’ opinions to avoid controversies and reputational damage.^[12]

Being market-based, this model views data as a fundamental component of electronic commerce. As such, data is addressed in numerous free trade agreements (FTAs) in which the United States participates, with the most recent example being the United States-Mexico-Canada Agreement (USMCA). These FTAs typically aim to prevent protectionist policies by applying principles of national treatment and most-favored-nation treatment to digital products. Additionally, they include provisions specifically designed for e-commerce, such as restrictions on the cross-border transfer of information, requirements for forced localization, and mandates for the forced transfer of source codes. At first glance, the purpose of these provisions is simply to prevent government intervention from distorting a digital market that would otherwise flourish under the free interaction of enterprise and consumer. However, simultaneously, they aim to harmonize basic rules for a digital marketplace where convoluted and incompatible national regulations pose a digital trade barrier. Recognizing the utmost importance of national security, these FTAs also incorporated cybersecurity cooperation provisions and excluded data procured, held and processed by its Members.^[13]

A market-based approach also safeguards consumers, as it recognizes the market’s and consumers’ vulnerability to big corporations’ immense influence and unfair practices. The most advanced of these safeguards is the “Principles on Access to and Use of the Internet for Electronic Commerce”, which first appeared in the US-Korea Free Trade Agreement (KORUS) and later in the USMCA. Accordingly, the consumers are entitled to (a) access and use services and digital products of their choice; (b) connect their choice of end-user devices to the Internet; and (c) access information on the network management practices of a consumer’s Internet access service supplier. These rights empower consumers with the benefit of competition among network providers, application and service providers, and content providers^[14].

2.2.2. The EU Model

The EU model separates data regulation into its framework and is much more geographically focused, with “the main purpose [being to] protect against risks posed by the country or location to which the data are to be transferred”.^[15]

Among its Member States, the GDPR set out very detailed standards on data protection along with rules and restrictions binding upon both the state and the private sector—a clear demonstration of prioritizing citizens’ interests. Under the regulation, data must be: (a) processed in a lawful, fair, and transparent manner; (b) collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes; (c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed; (d) accurate and, where necessary, kept up to date by rectify or erase all inaccurate data; (e) stored in a form that does not permit the identification of data subjects beyond the time necessary to achieve the purposes of processing; and (f) ensured appropriate security of the personal data.^[16] To this end, all data controllers are accountable for ensuring compliance with legal requirements and demonstrating that all appropriate measures have been taken.^[17]

Regarding data flow, the GDPR approach differs significantly from that of the US. Under the GDPR, authorization is required before data can be transferred to a third country, unless that country is recognized by the EU as having an adequate level of data protection. Additionally, if data is handled by firms operating outside the EU but offering services within the EU,^[18] EU rules still apply. If a company intends to transfer data to a partner in a third-party country with standards that are incompatible with the EU’s, it must establish contractual obligations with that partner to ensure data is secured and processed in accordance with EU standards.

2.2.3. The China Model

The China model is established through three key legislations: the 2017 Cybersecurity Law (CSL), the 2021 Data Security Law (DSL), and the 2021 Personal Information Protection Law (PIPL). The CSL stipulates that critical information infrastructure operators must collect and generate data in their operations domestically. The DSL shifts the scope of data localization and transfer requirements to “core” or “important” data, regardless of the controller. Finally, the most stringent of these laws, PIPL, requires that should firms process an amount of data above a threshold, all processing must be done locally. Under this regime, if data is deemed important or controlled by certain controllers, they must not be transferred outside China with few exceptions being: (a) the company has cleared a security review by China’s Cyberspace Authority; (b) the exporter and the recipient have agreed on standard contractual clauses; or (c) the Chinese subsidiary of multinational corporations has obtained a certification from the relevant authorities.^[19] Even if data outside this regime can be transferred cross-border, they must comply with the PIPL.^[20]

Understanding that these regulations might be confounding, the government of China released a series of documents to guide relevant stakeholders through the matrix of legal and administrative processes, including the Measures for Data Export Security Assessment, Guidelines for Data Export Security Assessment and Declaration, Cybersecurity Standards Practical Guide—Security Certification Specifications for Cross Border Processing of Personal Information V2.0 and Standard Contract Provisions on the Export of Personal Information.^[21]

The legal requirements and standards, coupled with administrative “hoops” that firms must jump through in this framework, demonstrate that to China, data governance is neither a matter of human rights nor economy but national security, and the government made full use of its extensive authority to realize its goals. President Xi himself affirmed this when addressing the Internet and information security as “a matter of national security and social stability”,^[22] proclaiming that “there is no national security without cybersecurity”.^[23]

3. Data Regulatory Landscape in ASEAN

3.1. ASEAN’s Previous Data Regulation Efforts

For its part, ASEAN has made numerous attempts to achieve its own cross-border data rule, with the first initiative to strengthen the region’s data ecosystem being the ASEAN Framework on Personal Data Protection in 2016. At the time, international data flows greatly emerged, boosting global GDP by 10.1 percent and accounting for US$2.8 trillion in 2014.^[24] This framework establishes principles and rules for data privacy at regional and national levels by aligning legal frameworks in ASEAN Member States and promoting data-driven innovation. Afterward, the ASEAN Framework on Digital Data Governance was introduced in 2018, offering general guiding principles for data governance. Since then, various regional efforts have been initiated to promote digital economy integration, all of which include provisions on data protection, namely the AAEC, Work Plan on the Implementation of the AAEC, AEC Blueprint 2025, ASEAN Comprehensive Recovery Framework, ASEAN Digital Masterplan 2025, ASEAN Digital Integration Framework Action Plan 2019-2025, and the Master Plan on ASEAN Connectivity 2025.

However, aside from the AAEC, none of the aforementioned initiatives impose legally binding national or international obligations. Instead, they represent a commitment by ASEAN Member States without any enforcement mechanisms or consequences for non-compliance.

3.2. Issues in Implementation: The ‘ASEAN Way’ and Divergence of Domestic Legislations

The “ASEAN Way” is a foreign relations mechanism that prioritizes consensus and consultation, aligning with the principle of non-interference in international law. However, this approach sometimes faces challenges in practice since Member States do not always fully comply with ASEAN’s decisions^[25]. Past conflicts among ASEAN Member States have raised questions on this particular mechanism and highlighted the need to balance cooperation and non-interference^[26].

Despite a shared understanding of the importance of regulation, achieving consensus on the frameworks has proven difficult. In response to the growing flow of data in the region, ASEAN Member States have independently adopted privacy legislation and data protection laws. Some countries, such as Indonesia^[27] and Vietnam^[28], have focused on data localization, requiring the storage of locally generated data within their borders. In contrast, countries like Malaysia^[29], Indonesia^[30], the Philippines^[31], Thailand^[32], and Singapore^[33] have enacted comprehensive data protection and privacy laws. Vietnam is set to join this group with its updated Law on Protection of Consumers’ Rights, which includes new obligations for safeguarding consumer information, set to take effect in July 2024^[34]. However, the varying legal frameworks and compliance requirements across these jurisdictions create complexities for businesses, potentially leading to greater regional unpredictability.

3.4. Disparities in Data Regulations within FTAs of ASEAN Member States

Another indication of the varying data governance preferences within ASEAN is the disparity in harmonizing cross-border data regulations between ASEAN Member States and their external trading partners. The adoption of data rules within free trade agreements (FTAs) aimed at aligning cross-border data regulations among signatories varies significantly across ASEAN Member States. While some countries are actively advancing digital economy agreements and enhancing existing FTAs with comprehensive data rules, others are lagging behind in this area.

Singapore stands out within ASEAN as a party to numerous FTAs that include data-related provisions. It is also a significant influencer in global data governance, with its agreements featuring many innovative data management and protection provisions.^[35] Outside of Singapore, however, commitments to data rules by other ASEAN Member States are generally limited, with data-related provisions often absent or weakly regulated in their FTAs. Vietnam is the second most committed ASEAN Member State regarding data regulation in its FTAs, ensuring that the maintenance of data protection measures and provisions related to data protection are in accordance with its domestic law. Indonesia, Malaysia, the Philippines, Thailand, and Cambodia have also incorporated similar provisions in their FTAs.^[36]

The significant variance in FTAs among ASEAN Member States has hindered the region’s path in meeting data governance norms and further exacerbated the gap between ASEAN and the global digital economy. Furthermore, the divergent data legislations across ASEAN Member States have threatened ASEAN’s objective of creating an integrated and competitive digital economy within its borders and increasing the region’s susceptibility to international fragmentation pressures.

4. The Potential of DEFA to Form ASEAN Data Governance Rules

The negotiation process for DEFA—the world’s first region-wide digital economy agreement—was officially launched at the 23rd AEC Council meeting one month after the endorsement of the Study on the ASEAN DEFA by the ASEAN Economic Ministers on August 19, 2023.^[37] Successful implementation of the Agreement is anticipated to unlock US$2 trillion by 2030 within the region’s digital economy landscape. Within the negotiation framework, DEFA seeks to address nine focal points: Digital trade, Cross-border E-commerce, Payments and E-Invoicing, Digital ID and Authentication, Cross-border Data Flows and Data Protections, Online Safety and Cybersecurity, Cooperation on Emerging Topics, Talent Mobility and Cooperation, and Competition Policy. DEFA represents a renewed determination to achieve a framework to safeguard data privacy while achieving a seamless cross-border flow.^[38] Upon the negotiation’s conclusion in 2025, it will be a milestone for ASEAN to set its own rules for data governance. Said rules are crucial to ensure a safe and resilient digital economy in the region, especially in the context of increasing global integration. Furthermore, it poses significant implications for ASEAN’s position in the global digital economy by bringing various opportunities to elevate ASEAN’s attractiveness in the market.

Regionally, an immediate outcome would be smoother cross-border transactions and trade activities among its Member States. By reducing administrative processes, businesses can navigate transactions much more efficiently. Furthermore, simplifying administrative procedures would not only benefit multinational corporations but also encourage domestic entrepreneurship and small to medium enterprises—usually more hesitant and susceptible to risks—to participate in the digital economy. With reduced barriers created by a secured data regulatory framework, businesses are better equipped to compete, innovate, and enhance efficiency.

On an international scale, a harmonious ASEAN data regulatory framework means creating a transparent and cohesive environment that will attract foreign direct investments into the region. Harmonizing regulations and standards within ASEAN will build a certain and reliable atmosphere for foreign investors. This, in turn, diminishes uncertainties from the adaptation to varying legal frameworks, thereby fostering greater confidence to invest in the region’s digital economy. DEFA will also have significant implications for other regional blocs worldwide, being an instrument created by a bloc primarily composed of developing nations. A framework built upon the diverse landscapes and priorities of its Member States could serve as a model for developing nations navigating through similar challenges. This could substantially contribute to global data governance standards in a global digital economy where data transcends borders rapidly.

5. Recommendations for Establishing an ASEAN Data Governance Rule Through DEFA

As previously analyzed, ASEAN’s digital governance landscape presents a dichotomy for its Member States, as they strive to balance various factors such as economic prosperity versus regulatory control, and non-interference versus regional cooperation. When examining the data regulatory models of China, the US, and the EU, it is essential to take into account ASEAN’s regional characteristics and its capacity to determine the most suitable approach.

China’s model, which emphasizes government oversight and data localization policies, has proven effective within its own borders. However, this approach cannot be directly applied to ASEAN’s increasingly integrated, cooperative, and dynamic market. Additionally, China’s unique position in the global market, bolstered by its domestic digital service providers and strong economic capacity, enables it to enforce such control. In contrast, ASEAN faces significant challenges in adopting a similar model. The region’s lack of advanced technological infrastructure and financial resources presents substantial obstacles to establishing a data regulatory framework akin to China’s. Therefore, ASEAN must adopt a model that aligns with its own economic realities and regional integration goals, rather than attempting to replicate models that work for other global players.

This leaves ASEAN with two alternatives: the EU model, which prioritizes personal privacy and the facilitation of privacy safeguards for cross-border data transfers, or the US model, with a more laissez-faire approach, highlighting market dynamics and implementing less regulatory intervention. In this comparison, it is natural to conclude that the EU way, i.e., the GDPR, is the answer. After all, it is the only existing complete transnational framework designed explicitly around data regulation in combination with the prospect of harmonizing the regional legal landscape, which is similar to ASEAN’s goal. However, as analyzed, this model is built with a hyper-focus on privacy protection. In other words, the principles, rules, and obligations of the GDPR are set out to serve primarily as a safeguard of data privacy and security, with other factors such as market interests and state interests pushed into the background. Given the diverse views on human rights, different interests, economic development gaps, and technological capability of ASEAN Member States, such a singular approach to data regulation might not be practical or a viable option for the organization. Applying the US approach is also problematic as, while it is crucial to prioritize economic growth, a rigid focus on economic interest could hinder protecting individual privacy rights. This, combined with the “ASEAN Way” of decision-making and the different technological and economic development levels between Member States, may not allow ASEAN Member States to reach common ground to build a common data regulatory framework.

Therefore, amidst the emergence of global data governance models, ASEAN must strive to create its own data governance rule. To establish such a rule, the following recommendations are to be considered:

First, above all priorities, the central focus for establishing an ASEAN data governance regime for now should be harmonizing data regulatory frameworks across its Member States, which can be built upon existing domestic laws on privacy protection, data localization, and cybersecurity. DEFA will allow ASEAN to transition from a passive position in global trade regulations to an active participant by promoting economic integration of the entire bloc, including nations less developed in data governance, such as Laos, Cambodia, and Myanmar. This further emphasizes the need for a cohesive data governance rule for ASEAN, given the diversity of ASEAN Member States’ digital landscapes and regulatory approaches.

Second, to-be-created rules and standards for data must be concise and clear. It is important to note that while data regulation is an important agenda, it is not a new one; thus, consideration of preexisting data-related clauses in previous ASEAN initiatives on the digital economy is also essential as they provide valuable findings and references for the creation of DEFA, as well as to avoid duplication of regulations.

Third, ASEAN can utilize its existing digital economy partnerships to enhance the objective of the DEFA. For example, the Regional Comprehensive Economic Partnership (RCEP) may offer a platform for ASEAN to expand its provisions in the DEFA further and address additional data‑related issues beyond those already covered by the RCEP.^[39] In this regard, ASEAN can learn from Singapore’s experience as a frontrunner in data governance in the region through its various digital economy agreements, including with the United Kingdom (UKSDEA), Australia (SADEA), New Zealand and Chile (DEPA), and Korea (KSDPA), to draw out best data regulatory practices to be included in the DEFA.

Fourth, regulatory bodies dedicated to managing data regulation could be established, given the rapid growth of the digital economy within the region and the increasing reliance on cross-border data flows. These regulatory bodies would be tasked with formulating and implementing policies that promote transparency, security, and compliance with data protection laws across ASEAN Member States. Additionally, such regulatory bodies would play an important role in addressing emerging challenges and technological advancements, ensuring that ASEAN remains at the forefront of data governance in the digital age.

Conclusion

This paper has sought to conceptualize how the ASEAN Digital Economy Framework Agreement (DEFA) could harmonize ASEAN data rules and facilitate regional digital economy integration, while also considering its broader implications for global data governance. The paper first examined current global data governance approaches, identifying three primary regulatory models: the US, the EU, and China, each representing the priorities of key stakeholders in the data sphere: private enterprises, individuals, and the state, respectively.

ASEAN has also expressed its ambition to develop its own data regulatory framework, resulting in various initiatives and blueprints. However, the ASEAN Economic Community (AEC) Agreement, which includes only general provisions, is the sole binding data-related instrument within ASEAN. With each Member State adopting different data regulations in their national laws and FTAs, coupled with disparities in economic and technological capabilities, achieving consensus on a unified agreement has proven challenging.

Upon closer examination, this paper concludes that directly applying any of the current models would not be feasible, given ASEAN’s unique context. An ASEAN-specific approach is required—one that strikes a balance between the existing models and the national interests of its Member States. This approach should focus on harmonizing domestic laws, creating clear and concise new regulations based on existing ASEAN initiatives, learning from data-related provisions in ASEAN Member States’ FTAs, and establishing a regulatory body to oversee the enforcement of the ASEAN data regulatory framework.

At the time of writing, the DEFA negotiation process was still in its early stages, with few official documents available. As such, the data rules within DEFA remain largely speculative. However, if successfully implemented, DEFA could stimulate a thriving regional digital economy, attract foreign investments, and provide an alternative model for other emerging digital economies. As the negotiation progresses and more information becomes available, further analysis of the proposals in the travaux préparatoires will be necessary to assess the potential impact of DEFA on both the regional and global digital economy.

Bibliography

International Agreements

ASEAN Agreement on Electronic Commerce, 22 January 2019 (entered into force 2 December 2021).

Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, 28 January 1981, ETS 108 (entered into force 1st October 1985).

Free Trade Agreement Between the United States of America and the Republic of Korea, 30 June 2007 (entered into force 15 March 2012).

United-States-Mexico-Canada Agreement, 30 November 2018 (entered into force 1st July 2020).

International Documents

ASEAN, ASEAN Community Vision 2025 (2015), online: <asean.org/>.

ASEAN, ASEAN Comprehensive Recovery Framework (2020), online: <asean.org/>.

ASEAN, ASEAN Digital Integration Framework Action Plan 2019-2025 (2019), online: <asean.org/>.

ASEAN, ASEAN Digital Masterplan 2025 (2021), online: <asean.org/>.

ASEAN, ASEAN Economic Community Blueprint 2025 (2015), online: <asean.org/>.

ASEAN, ASEAN Framework on Digital Data Governance (2018), online: <asean.org/>.

ASEAN, ASEAN Framework on Personal Data Protection (2016), online: <asean.org/>.

ASEAN, Declaration of ASEAN Concord II (Bali Concord II) (2003), online: <asean.org/>.

ASEAN Economic Ministers, Bandar Seri Begawan Roadmap: An ASEAN Digital Transformation Agenda to Accelerate ASEAN’s Economic Recovery and Digital Economy Integration (2021), online: <asean.org/>.

ASEAN, Framework for Negotiating ASEAN Digital Economy Framework Agreement (2023), online <asean.org/>.

ASEAN, Master Plan on ASEAN Connectivity 2025 (2017), online: <asean.org/>.

ASEAN, Study on the ASEAN Digital Economy Framework Agreement (2023), online <asean.org/>.

ASEAN, Work Plan on the Implementation of ASEAN Agreement on Electronic Commerce (2021) 2, online: <asean.org/>.

EU, Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, [1995] OJ, L 281/31.

EU, Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), [2016] OJ, L 119/1.

Guidelines for the Regulation of Computerized Personnel Data Files, UNGAOR, GA RES/45/95, 45th sess, suppl. no 49, UN Doc A/45/49 (1991) 178.

OECD, Declaration on Transborder Data Flows (1985) OECD/LEGAL/0216, online: <legalinstruments.oecd.org/>.

OECD, Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (1980), online: <oecd-ilibrary.org/>.

OECD, Ministerial Declaration on the Protection of Privacy on Global Networks (1998), OECD/LEGAL/0301, online: <legalinstruments.oecd.org/>.

National Legislation

Kingdom of Thailand, Personal Data Protection Act, National Assembly, (2019), entered into force 1st June 2022.

Malaysia, Personal Data Protection Act, Parliament, (2010), entered into force 15 November 2013.

Republic of Indonesia, Government Regulation No. 71 on Electronic Systems and Transactions, Government of Indonesia, (2019), entered into force 10 October 2019.

Republic of Indonesia, Law No. 27 on Personal Data Protection, Parliament, (2022), entered into force 17 October 2022.

Republic of Singapore, Personal Data Protection Act, Parliament, (2020), entered into force 1st February 2021.

Republic of the Philippines, Republic Act 10173, Congress, (2012), entered into force 8 September 2012.

Socialist Republic of Vietnam, Decree No. 13/2023/ND-CP on the Protection of Personal Data. National Assembly, (2023), entered into force 1st July 2023.

Socialist Republic of Vietnam, Law on Cyber Information Security, National Assembly, (2015), entered into force 1st July 2016.

People’s Republic of China, Cybersecurity Law of the People’s Republic of China, National People’s Congress, (2016), entered into force 1st June 2017.

People’s Republic of China, Data Security Law of the People’s Republic of China, National People’s Congress, (2020), entered into force 1st September 2021.

People’s Republic of China, Personal Information Protection Law of the People’s Republic of China, National People’s Congress, (2020), entered into force 1st November 2021.

Chapters

de Terwangne, Cécile, “Privacy and data protection in Europe: Council of Europe’s Convention 108+ and the European Union’s GDPR”  in Gloria González, Rosamunde Van Brakel & Paul De Hert, eds, Research Handbook on Privacy and Data Protection Law (Cheltenham: Edward Elgar Publishing, 2022).

Gao, Henry S., “Data regulation in trade agreements: different models and options ahead” in Smeetz, Maarten, eds, Adapting to the Digital Trade Era: Challenges and Opportunities (Geneva: World Trade Organization, 2021).

Articles

Burri, Mira, “The Governance of Data and Data Flows in Trade Agreements: The Pitfalls of Legal Adaptation” (2017) 51:1 UC David L Rev 65.

Katsumata, Hiro, “Reconstruction of Diplomatic Norms in Southeast Asia: The Case for Strict Adherence to the ‘ASEAN Way” (2003) 25:1 Contemporary Southeast Asia: A Journal of International & Strategic Affairs 104.

François LeSieur, “Regulating cross-border data flows and privacy in the networked digital environment and global knowledge economy” (2012) 2:2 International Data Privacy L 93.

Nesadurai, Helen E. S., “ASEAN and regional governance after the Cold War: from regional order to regional community?” (2009) 22:1 The Pacific Review 92.

Encyclopedia Entries

Bukht, Rumana & Richard Heeks, “Defining, Conceptualising and Measuring the Digital Economy” (2017) Centre for Development Informatics, Working Paper No 68.

James Manyika et al, “Digital Globalization: The New Era of Global Flows” (2016) McKinsey Global Institute, Report.

Sefrina, Mima, “Understanding the ASEAN Digital Economy Framework Agreement: A Means to Support ASEAN Integration” (2023) Economic Research Institute for ASEAN and East Asia, Working Paper No 1.

Surtiwa, Salsabila Siliwangi & Christian Jeremia Gultom, “ASEAN for Data Protection: Remarks On 2016 ASEAN Framework on Personal Data Protection and The Impact Towards Regional Peer to Peer Lending” (2019) 558 Advances in Social Science, Education and Humanities Research 720.

Svantesson, Dan J. B., “A Legal Method for Solving Issues of Internet Regulation; Applied to the Regulation of Cross-Border Privacy Issues” (2010) European University Institute Law, Working Paper No 18.

Xie, Taojun et al, “Navigating Cross-Border Data Transfer Policies: The Case of China” (2023) Asia Competitiveness Institute Research, Working Paper No 1.

Online Sources

“Explanatory notes for the ‘decision of the Central Committee of the Communist Party of China on some major issues concerning comprehensively deepening the reform” (2014) China Daily, online: <subsites.chinadaily.com.cn/>.

“Frontier Technology Quarterly: Data Economy: Radical transformation or dystopia?” (2019) United Nations, online: <un.org/>.

Alsabah, Nabil, “China’s Quest for Cybersecurity Causes Headache for Foreign Companies” (2017) The Diplomat, online: <https://thediplomat.com/>.

“Digital Economy Framework Agreement (DEFA): ASEAN to leap forward its digital economy and unlock US$2 Tn by 2030” (2023), ASEAN, online: <asean.org/>.

Tran, Manh Hung et al, “Vietnam: New Law on Protection of Consumers’ Rights, new obligations for digital services providers” (2023) Baker & McKenzie, online: <insightplus.bakermckenzie.com/>.

Broom, Douglas, “Young people in ASEAN are embracing digitalization” (2024) World Economic Forum, online: <weforum.org/>.

Lee, Jesslene, “ASEAN Window of Opportunity for Shaping Global Data Governance” (2023) The Diplomat, online: <thediplomat.com/>.

Lee, Jesslene, “Asean’s window of opportunity to write its own data rules” (2023) The Business Times, online: <businesstimes.com.sg/>.

Medina, Ayman Falak, “An Overview of Singapore’s Free Trade Agreements” (2023) ASEAN Briefing, online: <aseanbriefing.com/>.

Gillani, Seharish, Dermish Ahmed & Jeremiah Grossman, “The role of data protection in the digital economy” (2021) Unlocking Public and Private Finance for the Poor, Working Paper, online: <policyaccelerator.uncdf.org/>.

---