Digital Sovereignty in ASEAN

By Mackenzie Gunther

With large tech companies owning significant amounts of data, geopolitical tensions, the risk of critical data leaks, and the rising importance of self-reliance in the eyes of world leaders, the question of who controls data is becoming a high priority.

The global context over the past decade has set the scene for the emergence of a concept known as digital sovereignty. The International Data Corporation (IDC) defines government digital sovereignty as:   

“the capacity for digital self-determination by a nation across six attributes of a digital sovereign solution, data, technical, operational, assurance, supply chain, and geopolitical aspects.”

Digital sovereignty is a state’s ability to control its “digital destiny” – in other words, a government’s ability to control the data, including data flows and data ownership, within the country’s borders. The concept of digital sovereignty includes where data is stored as well as how and who can access it. Establishing digital sovereignty at a national level would allow governments the ability to manage how data is stored, used, and accessed within national borders, ensuring that data management follows local regulatory requirements.  

Due to the growing concern for digital self-reliance, governments are transitioning to sovereign cloud policies to regain data control. Sovereign clouds enable governments to take advantage of cloud computing while simultaneously aligning data storage, use, and management with local data laws. A sovereign cloud policy would require all data to reside on sovereign soil while prohibiting foreign access to data and cross-border data transfers. The policy shift:   

  1. Ensures that citizens’ data remains in the country and is managed under domestic regulatory standards;
  2. Safeguards cloud services and critical infrastructure from foreign interference; 
  3. Reduces reliance on foreign technological capabilities.  

Adopting a sovereign cloud can thus strengthen national security while decreasing dependence on other – potentially hostile – states.

Digital Sovereignty in ASEAN States 

Although China often makes headlines for its stringent data protection laws, digital sovereignty extends further across the region and has been on the political agenda in many Southeast Asian states. Out of the ten members of the Association of Southeast Asian Nations (ASEAN), many have either passed or discussed policies that aim to increase digital sovereignty, often citing national security as a top priority.

For example, in 2019, the Indonesian government passed a regulation called the Implementation of Electronic Systems and Transactions, also known as Law No. 71 of 2019. Key provisions of the law include data localization requirements, electronic systems governance requirements, and monitoring permissions for the Minister of Communication and Informatics. In a 2022 speech, Indonesia’s Minister for Communication and Informatics emphasized that digital sovereignty is a key step in strengthening the country’s independence. In 2022, Vietnam passed Decree No. 53/2022/ND-CP. To the detriment of many foreign firms, the law requires international companies to store data locally while also establishing a branch or representative office in the country.

These are unlikely to be the only laws of this nature passed in the region. The increasing frequency of cybersecurity combined with the tense geopolitical backdrop – enveloped with uncertainty and instability – are causing Southeast Asian governments to adopt policies that reflect a rapid transition to digital sovereignty.  

Impact on ASEAN Geopolitics, Trade, and Industry   

As more governments shift toward a digital sovereignty stance, there will be a further fragmentation of regional data regulations. The divergent policies across countries will add barriers to negotiating multilateral agreements, such as trade agreements. It will also decrease the likelihood of all 10 ASEAN countries agreeing on regional frameworks and guidelines that establish norms around digital issues, such as the ethical use of AI. With ongoing negotiations for a Digital Economy Framework Agreement (DEFA), prioritizing digital sovereignty may work directly against the framework’s outlined goals. For instance, DEFA aims to promote digital trade, cross-border e-commerce, and interoperability across ASEAN states. If national governments are turning inwards when considering digital policies, DEFA may not live up to its potential. 

 Moreover, a fragmented regional approach to digital governance would not only affect ASEAN countries’ ability to cooperate within the bloc, but also complicate strengthening relations with other blocs such as the European Union. A splintered ASEAN digital policy landscape would force member-states to take a bilateral approach when looking outside of the region for international partnerships, rather than a unified, multilateral approach.  

 From a private sector perspective, the rise of digital sovereignty will impact many firms that operate transnationally across the region. Over the past few decades, technological advancements have allowed organizations to transition to shared services models – centralized administrative systems that support the company’s global operations. This has increased both time and cost efficiencies. Policies passed to increase digital sovereignty will reverse this trend, forcing companies to adopt localized data management systems that comply with local laws. 

 Companies now face the question of how they can adjust their internal systems to comply with local requirements, while also maintaining a degree of centralization across the company to ensure consistency and ease of delivering services. The rise of digital sovereignty will cause companies to incur increased costs as they ensure compliance in all the jurisdictions they operate in.  

 Additionally, as digital regulation becomes more localized, it will increase the barriers to entry for firms into some markets, making companies question whether it is worth operating in certain markets at all. This would result in a loss for both the company and the economy of the state passing the regulations.  

Conclusion  

Digital sovereignty and the desire to be self-reliant are increasing around the region. Governments have already begun passing more stringent laws on how data is stored and managed within their country’s borders.  

This trend will complicate DEFA negotiations and decrease the likelihood of successful multilateral agreements in the future. As countries become more insular, multinational companies will also have to adjust their internal data management systems to ensure compliance in different regulatory environments.  

Looking at the current geopolitical context, it is unlikely that there is going to be a reversal of the digital sovereignty trend in the coming years. To better mitigate the risk of non-compliance and minimize the negative consequences of these laws, organizations need to ensure they understand the regulatory environment of different jurisdictions and how they can adjust their data management systems to comply with local requirements, and be flexible in adapting a global company policy to local contexts.
