The European Union (“EU”) Data Act is being implemented in tranches from 12 September 2025 until 12 September 2027. It is intended to be a form of “low-intensity regulatory intervention”[2] to maximise the use of data and facilitate industry-led innovation arising out of data-sharing.[3] Hence the EU Data Act imposes obligations on, among others, manufacturers of products who collect data generated by a given product in its use, and data holders who make data available in the EU to allow free access to such data by businesses, the government, and consumers.
If a pan-Asian data act in the spirit of the EU Data Act were to be realised someday, the authors examine whether data localisation concerns will be the biggest hurdle.
A Singapore Data Act?
On a preliminary side note, Singapore has been proactive in developing data-related laws.[4] While this article deals with the context of a pan-Asian Data Act and the authors do not analyse in this article as to whether there should be a Singapore data act, the authors’ preliminary views are that such an act would make sense for two reasons.
First, a data sharing regime regulated under a data act may help to spur the monetisation of data in Singapore’s data economy. It is a truism that innovation can be a key driver in the modern Singapore’s economy.[5] A data act would facilitate the innovation process by setting clear guidelines and good practices in the use of data.
Second, a data sharing regime furthers Singapore’s intention to strengthen data regulations and integrate such practices in the economy. There are existing examples. For instance, the statutorily established Collaborative Sharing of Money Laundering/Terrorism Financing (ML/TF) Information & Cases (“COSMIC”) platform allowing financial institutions to share data on clients with one another on a voluntary basis and subject to the protections under Part 4A of the Financial Services and Markets Act 2022 (“FSMA”).[6] Notably, this will entail data transfers between financial institutions which have ties overseas, for instance, Standard Chartered Bank and the Hongkong and Shanghai Banking Corporation.
Lack of unified consensus in Asia towards data localisation
To determine whether data localisation concerns will be the biggest hurdle for a pan-Asian data act founded on an inter-State treaty, the starting point is for clarity on the objectives of such an act.
A pan-Asian data act will likely seek to emulate similar objectives under the EU Data Act:
The success behind the EU’s implementation of the EU Data Act stems from the unifying core objective of the EU project, namely a single European internal market.[9] It is this underlying perspective which has informed the EU’s recognition that restrictions on free movement of data by data localisation requirements may impede economic growth and investments from data sharing.[10]
However, unlike the EU, Asia does not have a similar body governing the development of data regulations in Asia. The lack of a unified rhetoric to guide the regional attitudes toward data regulations has led to a myriad of data-localisation regulations being developed independently in various Asian jurisdictions.
PR China’s data localisation requirements are arguably the strictest in Asia.
The data localisation rules under the Cybersecurity Law mainly require data collected and processed in PR China to be stored in PR China.[11] The data subject to these regulations include personal data and “important data”, the latter has been defined as information which poses a threat to core national interest such as PR China’s economic or societal interests, or which could affect PR China’s key fields such as artificial intelligence, deep sea or overseas interests.[12] Under this regime, critical information infrastructure operators (“CIIOs”), who operate any information infrastructure that could seriously endanger national security, national welfare, or the public interest, among others, must store such data within PR China.[13]
Transfers of personal information are subject to further restrictions under the Personal Information Protection Law (“PIPL”) which mandate the use of the Standard Contract Measures for the Export of Personal Information in cross-border arrangements involving the transfer of personal information. Such transfers are also subject to limitations. However, only non-CIIOs can transfer personal information out of PR China, restricting the number of industries which have the option of cross-border data transfers open to them.[14]
Similarly, India has certain data localisation requirements under its Digital Personal Data Protection Act (“DPDPA”) and, in relation to the financial sector, the circular on storage of payment system data issued by the Reserve Bank of India (“RBI”).[15]
In relation to particular sectors, and in consideration of likely future developments in India’s regulatory scene, there may be significant hurdles posed to a data sharing regime in Singapore to which offshore branches or affiliates of Indian entities are subject.
Regarding the finance sector in particular, the RBI has clarified that payment system data (customer data,[16] payment sensitive data[17] and transaction data[18]) can only be stored in foreign jurisdictions if being used for processing a cross-border transaction.[19] Once the overseas processing is completed, such data must be deleted in the foreign location within 24 hours of the completion of the processing.[20] Further, such data can only be shared with an overseas regulator with approval from the RBI.[21]
Non-personal data[22] is also subject to certain non-enforceable guidelines imposed by the Ministry of Electronics and Information Technology under the National Data Governance Framework Policy (“NPD Framework”). This framework largely sets out broad principles without specific directions regarding actions which must be taken by parties and provides, among other things, that legislations and a regulatory body will be developed in the future to govern the transfers of non-personal data.
Data localisation regimes similar to those in PR China and India may pose a significant hurdle to cross-border data transfers. In comparison, the data localisation regimes in Japan and South Korea appear more permissive.
Japan appears open to allowing the circulation of such data to circulate into and within foreign territories. Notably, the EU-Japan High-Level Economic Dialogue in October 2023 led to the conclusion of the agreement to facilitate transfer of personal and non-personal data between the EU and Japan by, among other provisions, removing data localisation requirements and removing restrictions on such transfers, except where necessary to achieve a “legitimate public policy objective” between the EU and Japan.[23] This could send a signal to the rest of the Asian countries to pursue such agreements on a bilateral or multilateral basis and reduce the obstruction posed by data localisation regimes to the imposition of data transfer obligations.
While there are data localisation requirements, in particular guidelines published by government agencies, they are not enforceable in Japan. These guidelines generally apply to medical institutions,[24] businesses involved in the provision of or which receive medical information,[25] and third party contractors who contract with governmental bodies to develop, operate, or maintain information systems.[26] For example, the Guidelines for Governmental Bodies to Establish Standards for Countermeasures mandate that the government agencies ensure the third party contractors are contractually obliged to store personal information within Japan.[27]
South Korea has data localisation regulations under the Personal Information Protection Act (“PIPA”), and other sector specific regulations[28] limiting cross-border transactions. However, the language of the PIPA does not restrict cross-border transfers of personal information per se. Instead, it expressly provides for “international cooperation” through data sharing subject to the establishment of “relevant policy measures so that the rights of data subjects may not be infringed”.[29]
South Korea’s openness to cross-border data sharing has influenced the development of its free trade agreements with other countries. Of particular note is the free trade agreement between EU and South Korea which provides for free transfer of data from South Korean branches and affiliates of EU financial companies to EU headquarters, subject to the imposition of “adequate safeguards to the protection of privacy with regard to the transfer of personal data”.[30] A similar arrangement has been made between South Korea and the United States to reduce data localisation requirements.[31]
A Regional Data Sharing Regime within Southeast Asia to begin with?
In light of the different data localisation regulations in Asia, it may be easier to start by implementing a data sharing regime within a specific region in Asia first.
Southeast Asia may be well-placed to implement a harmonised cross-border data sharing framework within the umbrella of the Association of Southeast Asian Nations (“ASEAN”). Like the EU, ASEAN has a common goal to create a “single market and production base” which facilitates the “free flow of goods, services and investment” among other things.[32] Additionally, the ASEAN Member States endeavour to eliminate or minimise barriers to flow of information across-borders for “business purposes”.[33] There are strong existing trade ties amongst the ASEAN countries through free-trade areas established in separate agreements.[34] Even taking India and PR China’s strict stance on data localisation into consideration, both countries are closely related to ASEAN through free trade agreements.[35]
Significantly, ASEAN has recognised cross-border data flows as a strategic priority in the ASEAN Framework on Digital Data Governance endorsed in December 2018.[36] Harmonisation initiatives in relation to data sharing regulations have also been launched by ASEAN. In response to the data localisation regulations in the region relating to personal data, ASEAN has published the ASEAN Model Contractual Clauses as the first step in implementing a move toward facilitating cross-border data flows of personal data among ASEAN Member States.
ASEAN countries generally do not have data localisation laws, or only have data localisation laws with respect to personal information. For instance, Thailand, akin to Singapore, does not have data localisation laws but has a personal data protection regime restricting outward transfers of personal data such as by requiring an appropriate level of protection being implemented by parties involved in the transfer.[37] Similarly, the Philippines does not have a data localisation regime but has personal data protection regulations in place.[38] Further, as the data localisation requirements largely relate to personal data, a possible way to circumvent any conflicts with data localisation rules would be to draft the data act to encompass only non-personal data.
That said, such a regional data sharing regime within Southeast Asia is not without any hurdles.
First, the ASEAN goal to reduce barriers to cross-border data flows is qualified by the need to comply with “[the Member State’s] respective laws and regulations”.[39] Despite the ASEAN goal of facilitating information flows, data localisation laws have notably not been declared as barriers to trade. This is unlike the position in the EU, which has developed a Digital Trade Title which it recommends in every Free Trade Agreement with third countries, that prohibits data localisation requirements between the contracting countries.[40]
Second, the guidelines produced by ASEAN are applicable to Member States and businesses on a purely voluntary basis.[41] Therefore, the present efforts to facilitate the eradication of barriers to cross-border data transfers may not produce significant results.
More Inter-State Treaties?
Concurrently, governments in Asia arguably have a strategic economic interest to enter into bilateral or multilateral treaties which relax the data localisation requirements to allow for data to be stored and transferred between businesses and to the government, where necessary. Any nuances specific to a country’s concerns may be covered in bespoke agreements on a country-by-country basis.
The inclusion of such clauses in free trade agreements would present a more nuanced approach to circumvent data localisation restrictions and facilitate discussions to accommodate the consideration of each involved country specifically. This is important in Asia’s context in particular, due to the lack of harmonisation and the diversity of cultures and governance in the region.
As an example, Singapore entered into a multilateral treaty facilitating cross-border data transfers with the EU through the EU-Singapore Digital Partnership and the Digital Trade Principles agreed upon at the start of 2023. Discussions to further these arrangements began on 20 July 2023 in relation to a Digital Trade Agreement which aims to eradicate barriers to data transfers between the signatories.[42]
The authors expect that in countries such as Japan and South Korea, a similar willingness to allow cross-border data transfers bode well for a data sharing regime to be fruitfully negotiated with other governments. This would promote innovation from cross-border data sharing between businesses primarily resident in those jurisdictions.
Conclusion
There will be broad lessons for everyone to learn from the EU’s regulation of data sharing under the EU Data Act. These lessons will help to inform Asian governments in deciding how to resolve any apparent conflict between data localisation concerns and an interest to promote innovation through data sharing. Greater inter-State cooperation – and not a closed door approach – will likely be the key to achieving prosperity and growth for all.
[1] The opinions expressed in this article are the personal opinions of the authors. They do not purport to reflect the opinions of the authors’ employers or organisations.
[2] Para 3.4.1.3 of the Study to support an Impact Assessment on enhancing the use of data in Europe (“Impact Assessment Study”).
[3] Page 1 of the Inception Impact Assessment (Ref. Ares(2021)3527151).
[4] On 1 Mar 2024, the Personal Data Protection Commission released the Advisory Guidelines on Use of Personal Data in AI Recommendation and Decision Systems clarifying the use of personal data in the use and development of artificial intelligence, hot on the heels of the finalisation of the text of the EU Data Act. See the full text here: https://www.pdpc.gov.sg/-/media/files/pdpc/pdf-files/advisory-guidelines/advisory-guidelines-on-the-use-of-personal-data-in-ai-recommendation-and-decision-systems.pdf.
[5] Speech by then Prime Minister Lee Hsien Loong at the debate on the motion of thanks to the President on 19 April 2023: https://www.forwardsingapore.gov.sg/news/transcript-of-speech-by-pm-lee-hsien-loong-at-the-debate-on-the-motion-of-thanks-to-the-president.
[6] See the new Section 28(N) of the FSMA under the Financial Services and Markets (Amendment) Act 2023. See also the new section 28E(1) of the FSMA, which generally requires, among other things, that the provider of information knows or has reason to believe that the person whose data is being transferred is a client of the requesting financial institution.
[7] Para 3.2.1 of the Impact Assessment Study.
[8] Ibid.
[9] Article 3(3) of the Treaty on European Union.
[10] Page 3 of the Communication from the Commission to the European Parliament, the Council, the European economic and social committee and the committee of the regions, “Building a European Data Economy”.
[11] Article 2 of the CSL.
[12] Paragraph 9 of the draft Guidelines for Data Cross-Border Transfer Security Assessment.
[13] Article 37 of the CSL.
[14] Article 4 of the Standard Contract Method for the Export of Personal Information.
[15] Circular DPSS.CO.OD.No 2785/06.08.005/2017-18 on “Storage of Payment System Data” dated April 06, 2018 (“Circular on Storage of Payment System Data”).
[16] This includes the customer’s name, contact details and personal identification details.
[17] This includes customer and beneficiary account details.
[18] This includes transaction references, and details of the transaction such as origination, timestamps and the amount.
[19] Paragraph 5 of the FAQ to the Circular on Storage of Payment System Data published by the RBI dated June 26, 2019.
[20] Ibid.
[21] Paragraph 6, ibid.
[22] Paragraph 4.1 of the Report by the Committee of Experts on Non-Personal Data Governance Framework dated 16 December 2020 defines “non-personal data” as data which does not relate, and any never related to, an identified or identifiable natural person.
[23] Articles 2 and 3 of the Protocol Amending the Economic Partnership Agreement between the EU and Japan.
[24] Guidelines on the Safety Management of Medical Information Systems (only available in Japanese).
[25] Guidelines for Safety Management of Medical Information by Providers of Information Systems and Services Handling Medical Information; Guidelines on the Safety Management of Medical Information Systems (only available in Japanese); Guidelines for Safety Management of Medical Information by Providers of Information Systems and Services handling Medical Information (only available in Japanese).
[26] Guidelines for Governmental Bodies to Establish Standards for Countermeasures.
[27] Para 4.2.2 of the Guidelines for Governmental Bodies to Establish Standards for Countermeasures.
[28] For instance, the Credit Information Act, in relation to data relevant for the processing of personal credit information, and the Framework act on Consumers which requires businesses to ensure consumer’s data is not stolen or lost.
[29] Ibid.
[30] Article 7.43 of the EU-Korea Free Trade Agreement.
[31] Article 15.8 of the U.S.-Korea Free Trade Agreement
[32] Article 1(5) of the Charter of the Association of Southeast Asian Nations.
[33] Article 7(4) of the ASEAN Agreement on Electronic Commerce (“ASEAN E-commerce Agreement”).
[34] For instance, the ASEAN-China Free Trade Agreements, the ASEAN-JAPAN Free Trade Area and the ASEAN -Republic of Korea Free Trade Area.
[35] Each of the listed countries are engaged in Free Trade Agreements with ASEAN. See the list here: https://asean.org/free-trade-agreements-with-dialogue-partners/.
[36] Page 6 of the ASEAN Data Management Framework.
[37] Section 28 of the Personal Data Protection Act B.E. 2562 (2019) (“Thailand Data Protection Act”).
[38] Republic Act 10173 Data Privacy Act of 2012.
[39] Article 7(4)(a) of the ASEAN E-commerce Agreement.
[40] https://trade.ec.europa.eu/access-to-markets/en/content/digital-trade-eu-trade-agreements-0.
[41] Page 8 of the ASEAN Data Management Framework.
[42] https://www.straitstimes.com/business/eu-and-singapore-open-negotiations-on-digital-trade-agreement.
Hui Ming Chua, Benson Lim & Brendan Wang, A Pan-Asian Data Act: Will Data Localisation Concerns Be The Biggest Hurdle? (Oct. 1, 2025), https://digital.law.nycu.edu.tw/blog-post/paxbeb/.
No. 1001, Daxue Rd., East Dist., Hsinchu City 300093, Taiwan