Japan · Indonesia · South Korea · Fortune Technology
In Southeast Asia, Indonesia and Vietnam routinely propose sweeping data localization mandates
Compiled by KHAO Editorial — aggregated from 1 source.
The trickiness around how to regulate cross-border data flows was one hurdle to the signing of ASEAN’s Digital Economy Framework Agreement (DEFA), potentially the world’s first regional comprehensive digital trade pact.
Key facts
- Without accepting cross-border data flows, ASEAN’s ambition to use the DEFA to turbocharge its digital economy to $2 trillion by 2030, up from $300 billion today, will look shaky
- Last September, a fire at a South Korean data center knocked 647 government services offline
- Initiatives like the Global Cross-Border Privacy Rules (CBPR) system and the OECD’s Data Free Flows with Trust (pioneered by Japan) also demonstrate that trusted data mobility and robust privacy
- Regulators should also institute a national risk-based data classification framework, similar to the European Union’s GDPR or Singapore’s Personal Data Protection Act
Summary
Asia-Pacific governments are increasingly asserting control over data produced by their citizens, businesses, and public bodies. And, as with physical items, they think the best way to secure that data is to keep it within their jurisdiction. But that belief is based on a flawed assumption: that sovereignty is defined by where a server physically sits, rather than by who controls access to the data. South Korea’s Cloud Security Assurance Program (CSAP) requires public agencies to procure cloud services that store data locally, use domestically developed encryption algorithms, and have management and operations personnel reside in Korea. Japan maintains a complex certification process for government software that is conducted almost exclusively in Japanese, which disadvantages non-Japanese providers.