OECD Digital Trade Review Maps ASEAN Cross-Border Data Flow Regulation (May 2026)

The OECD published its Digital Trade Review of ASEAN on May 19, 2026, providing the most comprehensive regulatory map to date of how the 10 ASEAN Member States (AMS) regulate cross-border data flows. For compliance teams managing APAC operations, this is an essential reference document.

The Four-Tier Landscape

The OECD categorizes AMS into four regulatory approaches:

Open / Pre-Authorised Safeguards (Category 1–2)

• Singapore: PDPA (2012, amended 2021) allows transfers under legally enforceable obligations matching Singapore's standards. Also party to 8 trade agreements with data flow provisions and a signatory to the EU-Singapore Digital Trade Agreement (signed 2025).
• Malaysia: Transitioned from ad-hoc to open approach. The amended PDPA (Act A1727, 2024) effective June 2025 allows private adequacy decisions. The 2025 CBPDT Guidelines explicitly permit use of ASEAN Model Contractual Clauses, EU GDPR Standard Contractual Clauses, and binding corporate schemes.
• Philippines: Data Privacy Act (2012) requires legally binding contracts ensuring comparable protection.
• Thailand: PDPA (2019) relies on public adequacy decisions by the PDPC plus pre-authorized safeguards (ASEAN MCCs, EU SCCs, certifications, or binding government agreements).

Ad-Hoc Authorization (Category 3)

• Indonesia: PDP Law No. 27/2022 (effective October 2024) replaced the restrictive Regulation 20/2016 with a more flexible framework (adequacy → binding safeguards → consent). However, implementing regulations are still not issued as of December 2025, and the independent supervisory authority has not been established. Five data localization measures remain in force — the most restrictive in ASEAN.
• Vietnam: Decree 13/2023 requires a data protection impact assessment filed with the Ministry of Public Security, which can stop transfers. A new Data Law (No. 60/2024/QH15) effective July 2025 covers "core" and "important" data with prior approval requirements. A new Personal Data Protection Law (No. 91/2025/QH15) effective January 2026 adds further transfer regulation.
• Brunei Darussalam: First-ever Personal Data Protection Order (January 2025). Allows transfers only with comparable protection, but government exemption power creates ad-hoc flexibility.

No or Limited Regulation

• Cambodia: Draft Law on Personal Data Protection (2025) — circulated draft reportedly includes strict data localization and cross-border transfer prohibition. Not yet enacted.
• Lao PDR: Electronic Data Protection Law (2017) with no explicit cross-border transfer safeguards.
• Myanmar: No data protection regulation for international transfers.

Data Localization — Growing and Hardening

Data localization measures in ASEAN increased from 2 in 2012 to 12 in 2023, with 10 falling into the most restrictive category (local storage + processing + flow prohibition). Indonesia leads with 5 strict measures; Vietnam follows with multiple measures across sectors. Financial, personal, and cloud computing data are the most targeted types. Two draft measures are pending: Philippines' Draft Executive Order on Data Localisation of Cloud Data (2023) and Thailand's NCSC Standards for Cloud Computing Cybersecurity (2023).

Key Regional Instruments

• ASEAN Model Contractual Clauses (MCCs): Endorsed 2021. Malaysia has explicitly adopted them. A joint EU-ASEAN guide to MCCs and EU SCCs has been published.
• Global CBPR / Global PRP: Launched June 2025, building on APEC CBPR. Philippines and Singapore are participants. These are now binding, legally enforceable certification schemes.
• ASEAN Digital Economy Framework Agreement (DEFA): Targeted for completion in 2026 — could become the world's first regional digital economy pact harmonizing data flows.

Trade Agreements with Data Flow Provisions

As of October 2024, 12 AMS trade agreements include cross-border data flow provisions, with Singapore party to 8. Notable: RCEP (2022) excludes dispute settlement for e-commerce and has broad self-judging security exceptions. CPTPP includes more balanced LPPO exceptions. The EU-Singapore DTA (signed 2025) represents a potential bridge between EU and CPTPP approaches.

What Compliance Teams Need to Track

• Vietnam's new Personal Data Protection Law (effective January 2026) is the most immediate new compliance obligation — companies should assess whether any data they handle is reclassified as "core" or "important."
• Indonesia's implementing regulations remain the key watchpoint — once issued, they will determine the practical compliance burden.
• Cambodia's draft law could introduce the strictest data localization regime in the region if enacted as drafted.
• ASEAN DEFA completion in 2026 could reshape the regional compliance architecture.