The present reality is that multinationals increasingly organise their data in regional cloud hubs rather than establishing infrastructure in every local jurisdiction where they operate. These organisations collect large volumes of personal data from customers and local employees—a trend that will only intensify as multinational investment in Southeast Asia grows. As this investment accelerates, the volume and sensitivity of collected data will increase significantly. This note discusses how evolving local rules in Southeast Asian countries are poised to impact these data management practices.

Indonesia

Data localisation - Data localisation in Indonesia is governed primarily by Government Regulation No. 71 of 2019 (GR 71) and the Personal Data Protection (PDP) Law enacted in 2022, which together set a nuanced framework for data storage and processing within the country.

Indonesia’s data localisation rules primarily mandate local storage and processing for public sector data and certain sensitive financial sector data, while private and non-financial sectors can often store data offshore under strict regulatory oversight and data protection obligations.

However, sector-specific regulations, notably in financial services, impose stricter localisation requirements for private companies (e.g., banks must localise financial data).

Data transfer out of Indonesia - Indonesia allows the transfer of personal data out of the country under several layered conditions, as set out in the Personal Data Protection Law (PDP Law, 2022). The law’s core requirement is that data transferred internationally must be given an equivalent level of protection as under Indonesian law.

Main Requirements are:

• Adequacy Principle: Data controllers can transfer data to a country that has an equal or higher standard of data protection than Indonesia. Assessing “adequacy” will eventually be handled by a dedicated Data Protection Authority (not yet operational as of September 2025).
• Appropriate Safeguards: If the destination country lacks sufficient protection, legally binding and enforceable safeguards (such as contractual clauses) are required to ensure equivalent personal data protection.
• Explicit Consent: If neither adequacy nor appropriate safeguards are available, data controllers must obtain the explicit consent of the data subject before any transfer takes place.

Administrative Procedures - Data controllers must report and coordinate cross-border data transfers with Indonesia’s Ministry of Communication and Informatics, typically notifying the ministry before and after each transfer.

Singapore

Data localisation - Singapore does not impose general data localisation obligations. The country promotes data flows as a hub economy, including through initiatives like the Association of Southeast Asian Nations (ASEAN) Digital Economy Framework and cross-border digital trade agreements (e.g., Digital Economic Agreements (DEAs) with Australia, UK, South Korea, etc.). There are only limited localisation restrictions in narrow regulated sectors (e.g., banking, insurance, healthcare), where supervisory agencies may require that some classes of data (such as financial ledgers or health records) remain accessible to regulators within Singapore.

Data transfer out of Singapore - The Personal Data Protection Act (PDPA) is the central law. Cross-border transfers are permitted if the receiving organisation is bound to provide a standard of protection comparable to the PDPA.

Key mechanisms include:

• Legally enforceable obligations: through binding corporate rules, contracts incorporating Personal Data Protection Commission (PDPC) model clauses, or adherence to the Asia-Pacific Economic Cooperation (APEC) Cross-Border Privacy Rules (CBPR).
• Consent: Explicit consent of the individual is an alternate legal basis.
• Exemption for deemed consent: Where transfer is necessary to fulfill a contract with the individual.

The Personal Data Protection Commission (PDPC) has issued detailed Advisory Guidelines on Key Concepts and cross-border compliance toolkits. Unlike Indonesia, Singapore’s framework emphasises organisational accountability rather than pre-transfer approvals.

Malaysia

Data localisation - Malaysia does not have blanket localisation requirements but enforces stricter conditions in financial services, telecommunications, and health (particularly under the supervision of Bank Negara Malaysia and sectoral regulators). For ordinary commercial entities, data may be stored offshore if transfer rules are followed.

Data transfer out of Malaysia - The Personal Data Protection (Amendment) Act 2024 began taking effect in phases starting 1 January 2025, the specific cross-border data transfer provisions (the adequacy-based model) became effective on 1 April 2025. This established an "adequacy-based" model: transfers are permitted to destinations that have laws substantially similar to the PDPA or provide an adequate level of protection equivalent to that afforded by the PDPA. This replaced the previous whitelist regime, eliminating the legal uncertainty that existed when no official whitelist was published. Transfers may also occur under exemptions, e.g.:

• Consent of the individual;
• Necessary for contract performance;
• Public interest or legal claims;
• Regulatory approvals for financial/health transfers.

The Ministry of Digital has supervisory jurisdiction, but sectoral regulators interact in practice for sensitive industries.

Thailand

Data localisation –Thailand’s Personal Data Protection Act (PDPA Thailand, effective 2022) does not mandate general localisation. However, certain government organisations and operators of critical information infrastructures (for example, telecommunications, energy, and finance) that use cloud services may be required to host their data within Thailand, as specified under subordinate legislation and official notifications issued pursuant to the Cybersecurity Act.

Data transfer out of Thailand – For international transfers, the PDPA applies a framework similar to the EU General Data Protection Regulation (GDPR):

• Adequacy: Transfers are allowed to jurisdictions recognised as having adequate protection. However, as of September 2025, the Personal Data Protection Committee (PDPC) has not yet published a “whitelist” of destination countries.
• Exemption to adequacy requirement:
  • Required by law.
  • With informed consent of the data subject - data subject is informed of the potential inadequate level of protection in the recipient country or organisation.
  • Necessary under certain conditions such as compliance with legal obligations or contractual necessity, life/health protection, or vital public interest.

• Appropriate Safeguards: If adequacy is not available, data controllers/processors must use appropriate safeguards ensuring the enforceability of the data subject rights. The PDPC has officially recognised the ASEAN Model Contractual Clauses and the EU GDPR Standard Contractual Clauses as valid safeguards.
  • Contractual: binding agreements or contractual clauses which have been approved and suggested by the PDPC, for example, (i) ASEAN Model Contractual Clauses for Cross Border Data Flows, or (ii) EU GDPR Standard Contractual Clause for the Transfer of Personal Data to Third Countries.
  • Certification: demonstrating compliance with recognised standards through certification mechanisms approved by the PDPC.
  • Intra-group transfers: Allowed under binding corporate rules (BCRs) approved by the PDPC.

• "No Third-Party Access" Doctrine: Storing or transferring data outside of Thailand is not considered a "data transfer" under the PDPA if the data controller retains sole and exclusive control (e.g. encryption keys), and no third party can access the data. This allows businesses to use foreign cloud infrastructure without triggering cross-border transfer obligations under the law.

Philippines

Data localisation –The Philippines generally does not impose data localisation.

Data transfer out of the Philippines –The Data Privacy Act 2012 (DPA), which is the primary data privacy legislation in the Philippines, allows data transfers internationally but a comparable level of protection through contractual or other reasonable means must be provided.

Mechanisms may include:

• Adequacy principle: Transfers to jurisdictions meeting NPC (National Privacy Commission) adequacy expectations.
• Contractual safeguards: Model clauses, instruments binding the recipient.
• Consent: If adequate safeguards are not assured.

In this regard, the NPC has issued an advisory (NPC Advisory No. 2024-01) providing guidance on the availability of various model contractual clauses for transfers of personal data across jurisdictions, including model/standard contractual clauses of the ASEAN, Council of Europe, European Commission and data privacy agencies of the United Kingdom, New Zealand and Argentina, among others.

Vietnam

Data localisation - Vietnam imposes one of the most stringent localisation regimes in ASEAN.

Under Decree 53/2022/ND-CP (implementing the Law on Cybersecurity 2018), foreign entities providing certain types of services – particularly telecommunications, data storage/sharing, domain-name provision to Vietnam users, e-commerce, online payment, social networks/social media, online games, or other online information services – are required (under specific circumstances such as committing violations and/or failing to cooperate with the competent authorities), upon written request from the Minister of Public Security (MPS), to:

• store specific user data (including personal data of users, data created by users, and data on user relationships) in Vietnam; and
• establish a local branch or representative office in Vietnam.^[1]

These obligations must be fulfilled within 12 months from the date of the MPS' decision, with data retention required for a minimum of 24 months, starting from the request's receipt.^[2]

In addition, Decree 147/2024/ND-CP (on management, provision, and use of internet services and cyber information) requires certain service providers to maintain at least one server system physically located in Vietnam to enable inspection, supervision, storage, and provision of information upon competent authorities’ request. This is a standing licensing/operating condition for:

• Operators of general information websites;^[3]
• Domestic social network service providers;^[4]
• Enterprises providing online game services;^[5] and
• Enterprises providing information services on mobile networks.^[6]

Data transfer out of Vietnam - The Vietnamese Government regulates cross-border transfers of both personal and non-personal data.

Under Decree 13/2023/ND-CP and the Law on Personal Data Protection (effective from 1 January 2026), organisations that transfer personal data across borders must:

• Prepare a Cross-Border Transfer Impact Assessment (CTIA) using the official form;
• Submit one original CTIA to competent authority within 60 days of initiating the transfer; and
• Update and amend the CTIA when its contents change.^[7]

For non-personal data, the Law on Data sets principles for cross-border transfer/processing where the data is classified as important or core data.^[8] CTIA dossiers must be prepared and submitted for both categories. However, core data may be transferred only after prior approval is granted, while important data requires dossier submission only (no prior approval required). 

Cambodia

Data localisation – Cambodia is still in the early stages of developing comprehensive data protection. As of 2025, there is no general data localisation law. However, sectoral regimes (e.g., financial services under the National Bank of Cambodia, and telecom licenses) may impose localisation obligations.

Data transfer out of Cambodia –Cambodia has no omnibus personal data protection law yet in force (a draft Personal Data Protection Law is under discussion). Current practice relies heavily on contractual arrangements, regulator-specific rules, and international agreements.

• Transfers can usually occur with data subject consent or under contractual guarantees.
• Expected future law will likely follow an adequacy, safeguard and consent model similar to other ASEAN neighbors.

Executive Summary: Data Localisation & Cross-Border Transfers in Southeast Asia

References:

Indonesia

- Government of Indonesia. (2019). Government Regulation No. 71 of 2019 on Electronic Systems and Transactions (GR 71/2019). Retrieved from (https://peraturan.go.id)

- Government of Indonesia. (2022). Law No. 27 of 2022 on Personal Data Protection. Retrieved from (https://peraturan.go.id)

- Ministry of Communication and Informatics (Kominfo). Personal Data Protection Guidance. (https://kominfo.go.id)

Singapore

 - Parliament of Singapore. (2012). Personal Data Protection Act (as amended 2021). Retrieved from (https://sso.agc.gov.sg)

 - PDPC. (2021). Advisory Guidelines on Key Concepts in the PDPA. (https://www.pdpc.gov.sg)

 Malaysia

 - Parliament of Malaysia. (2010). Personal Data Protection Act 2010 (Act 709). Retrieved from (https://www.agc.gov.my)

 - JPDP (Malaysia). Guidelines & Standards. Retrieved from (https://www.pdp.gov.my)

Thailand

- Royal Thai Government. (2019). Personal Data Protection Act B.E. 2562 (2019). Retrieved from (http://ratchakitcha.soc.go.th) 

- Personal Data Protection Committee (PDPC Thailand). (2022). Implementation Guidelines. (https://pdpc.or.th) 

Philippines

- Republic Act No. 10173. (2012). Data Privacy Act of 2012. Retrieved from (https://www.officialgazette.gov.ph)

- NPC. (2016). Implementing Rules and Regulations. (https://privacy.gov.ph)

Vietnam:

- Government of Vietnam. (2018). Law on Cybersecurity. Available at (https://vanban.chinhphu.vn/?pageid=27160&docid=206114)

- Government of Vietnam. (2024). Law on Data. Available at (https://chinhphu.vn/?pageid=27160&docid=212488&classid=1&typegroupid=3)

- Government of Vietnam. (2025). Law on Personal Data Protection. Available at (https://chinhphu.vn/?pageid=27160&docid=214590&classid=1&typegroupid=3)

- Government of Vietnam. (2022). Decree 53/2022/ND-CP – Implementation of Law on Cybersecurity. Available at (https://vanban.chinhphu.vn/?pageid=27160&docid=206381)

- Government of Vietnam. (2023). Decree 13/2023/ND-CP on Personal Data Protection. Available at (https://vanban.chinhphu.vn/?pageid=27160&docid=207759)

- Government of Vietnam. (2024). Decree 147/2024/ND-CP on the management, provision and use of internet services and information in cyberspace. Available at (https://vanban.chinhphu.vn/?pageid=27160&docid=211654)

- Government of Vietnam. (2025). Decree 165/2025/ND-CP – Implementation of Law on Data. Available at (https://chinhphu.vn/?pageid=27160&docid=214331&classid=1&typegroupid=4)

Cambodia:

- MPTC. (2025). Draft Law on Personal Data Protection. Retrieved from (https://opendevelopmentcambodia.net)

- National Bank of Cambodia. (2019). Technology Risk Management Guidelines. Retrieved from (https://www.nbc.gov.kh/NBC-Risk-Management-Guidelines)

^[1] Art. 26 of Decree 53/2022/ND-CP

^[2] Arts. 26.6(c) and 27 of Decree 53/2022/ND-CP

^[3] Art. 34.2 of Decree 147/2024/ND-CP

^[4] Art. 35.10 of Decree 147/2024/ND-CP

^[5] Art. 54.1 of Decree 147/2024//ND-CP

^[6] Art. 74.2 of Decree 147/2024/ND-CP

^[7] Art. 25 of Decree 13/2023/ND-CP; Art. 20 and 22 of the Law on Personal Data Protection

^[8] Art. 23.2 of the Law on Data; Art. 12.5 of Decree 165/2025/ND-CP

Authors:

Indonesia, Malaysia, Singapore – Kin Wah Chow, Evi Triana, Daniel Markho Santoso

Thailand - Kaew (Peeraya) Thammasujarit, Terapat Laopatarakasem

Vietnam – Khanh Nguyen, Ly Nguyen, Nguyet Nguyen

Philippines - Edmund J. Baranda

Cambodia - Monyrak Phang

Related articles:

Understanding the ASEAN Manufacturing Landscape

Anticipating Trade Mark Issues in Southeast Asia

TAGS

• China Plus One
• Data
• data localisation
• South East Asia
• data transfer