The ASEAN Digital Masterplan aims to triple the size of the regional digital economy by 2030. To build effective technological infrastructure against the backdrop of bipolar competition, ASEAN states must pursue a standardized data governance approach to protect citizens, information, and economic viability.

Background: Expansive Digital Economy

ASEAN states have undergone extensive digital transformation in recent years. Internet users in ASEAN increased from 360 million in 2019 to 460 million in 2022. The region outperforms global standards, reaching a smartphone penetration rate of 136%, and is marked by a young population, burgeoning middle class, and high digital literacy.

The ASEAN Digital Masterplan 2025, launched in 2021, outlines the goal of ASEAN becoming a ‘leading digital community and economic bloc’. This development was spurred by the COVID-19 pandemic, which demonstrated the importance of digital platforms in everyday lives. Similarly, ASEAN’s Digital Economy Framework Agreement (DEFA) strives to triple the region’s digital economy by 2030, growing the digital economy from US$300 billion to almost US$1 trillion. 

However, differing approaches to infrastructure building and cybersecurity governance among ASEAN members hinder a comprehensive regional strategy, creating fragmented signals for prospective businesses. ASEAN’s digital strategy, especially its data governance strategy, must encourage higher standardization among members while allowing them to freely pursue collaborations with foreign partners.

Geopolitical Competition: Competitive Advantages and Innovation Models

Hedging between the US and China has emerged as a prevalent strategy among middle powers. With technology adoption among ASEAN states, this is no different. Thailand, for instance, shares a military alliance with the US, but hosted the first test bed for Huawei’s 5G technology in 2019. Hence, in creating a data governance strategy for ASEAN, policymakers must not ignore this foreign policy approach. 

China and the US dominate in different technologies – the US leads in cloud technology, controlling 70% of the cloud market, while Chinese firms like Huawei and ZTE dominate in providing 4G and 5G networks. Both technologies are crucial for the requisite data management and connectivity in digital transformation. The varied adoption of US- and Chinese-led technologies presents differing implications for establishing a cybersecurity apparatus in the region. 

In recent years, Chinese state investment in private high-tech firms has grown significantly to reach China’s objective of increasing high-tech industrial capacity. Coupled with eased regulations and subsidies in targeted sectors, Chinese technology follows a low-cost model that is especially attractive for developing economies. However, increased state investment mirrors increased state discretion in the operations of private firms. By adopting Chinese technology, countries should acknowledge that Chinese state actors may gain access to the hosted networks and data – a choice concerning digital sovereignty that policymakers must consider.

Meanwhile, US technologies lead in industry standards. For instance, Amazon Web Services supports 143 cloud security standards, providing a one-stop shop to ensure compliance when using its services. However, when analysing state action and longer-term projections, the US may struggle to stay ahead of Chinese competition in tech. US state investment in technology is prioritised towards basic R&D (primarily in universities) over commercial and experimental R&D. This results in well-supported academic research output, but lagging application and commercialization, making US-led tech products slower to innovate. 

Signing on to technologies also yields a political cost. In recent years, the US sought to exclude Chinese technology from its allied network. In 2020, the Federal Communications Commission identified Huawei as a national security threat, citing its ties to the Chinese state and potential for espionage. Both the Trump and Biden administrations encouraged allies to procure technology from Western-aligned democratic countries, by way of the Clean Network Initiative and the US-EU Trade and Technology Council, respectively. For ASEAN states, close alignment with the US regarding technology may rope states into a US-led, anti-China camp, leading to technological adoption determined by geopolitics and not product performance.

Given ASEAN states’ strategy of hedging between American and Chinese leadership, data sovereignty emerges as a crucial task for policymakers. Implementing data sovereignty means that countries regulate the data generated within its borders. Data sovereignty may entail data localization, where locally collected data remains stored on local clouds. Data sovereignty allows states to use technology from international providers while retaining control over data management. As more transactions, social interactions, and communications move online, sovereignty over digital operations is a non-negotiable requirement for a sovereign state. 

Enacting data sovereignty legislation grants agency and security to a state, allowing states to protect their citizens’ information while balancing neutrality between US, China, and other international players.

Data Sovereignty

However, when states independently pursue data sovereignty, this presents large operating costs for transnational firms. Firms must ensure compliance across jurisdictions while maintaining product consistency and interoperability. Firms also require the capacity and resources to comply with local legislation. To illustrate, Vietnam’s Decree No. 53/2022/ND-CP on Cybersecurity Law requires firms to establish a local representative office to cooperate with authorities in case of a security breach. This presents large costs in hiring, training, and legal compliance. Not all transnational firms can shoulder such costs, deterring smaller firms in favour of larger ones, limiting business competition. 

Data sovereignty regulations also extend beyond data on individuals – personal data – and into supply chain or R&D data – non-personal data. Stringent regulations on non-personal data could challenge a firm’s ability to establish supply chains or R&D structures that span multiple jurisdictions. This runs the risk of firms outright avoiding a state with data sovereignty regulations.

ASEAN’s challenge lies in balancing the individual interests of member states with creating consistent regional legislation that creates ease for businesses. A regional data protection framework should distinguish between personal and non-personal data protection to avoid overly stringent regulations on multinational businesses. Existing international standards are also useful for developing a regional approach. For instance, legal terms on consent to data collection under Singapore’s Personal Data Protection Act were amended in 2021 to more closely match the EU’s General Data Protection Regulation, increasing navigability for international actors.

The ASEAN Framework on Personal Data Protection (2016) introduced model contractual clauses (MCCs), standardized contractual terms for cross-border transfer of personal data. However, adoption of MCCs is voluntary for states and businesses. As of January 2025, only Singapore and Thailand have officially adopted this standard. Increasing take-up rates of the MCC for member states and businesses would bolster interoperability in the region. This could be achieved by integrating MCCs into national legislation, mandating MCCs in trade agreements, or including MCCs in tendering processes.

With a more convergent data sovereignty policy, data protection among member states would be held to high standards, granting safety and assurance for cross-border digital operations. For businesses, standardized policy would signal reliability, regional coherence, and simplification of compliance costs.

Image credits: Openverse

Maggie Hung
Maggie Hung is a Toronto-based analyst from Hong Kong. A graduate of the United World College, Maggie developed a passion for addressing international issues rooted in historical precedence. While interning at the Hong Kong Competition Commission, Maggie conducted research on global antitrust regulation and emerging issues in competition law. Her experience in business regulation has grown her interest in the applications of policy in commerce.