ICT Analytical Update: ASEAN Framework on Digital Data Governance Made Public, Contains Both Positive and Concerning Provisions

ICT Analytical Update| January 17, 2019
Authors: Kim Yaeger, Ella Duangkaew, Alson Soh

As of January 15, the ASEAN Framework on Digital Data Governance (“the Framework”) has been made public (the full Framework can be found here). The Framework was officially endorsed on December 6, 2018 at the ASEAN Telecommunications and Information Technology Ministers Meeting (TELMIN) in Bali, Indonesia. Developed as part of the Master Plan on ASEAN Connectivity 2025, the Framework seeks to strengthen the data ecosystem, harmonize legal and regulatory frameworks and foster data innovation in the ASEAN region.

In looking to develop forward-looking policies that facilitate the digital economy’s growth, the endorsed framework maps out the strategic priorities, principles and initiatives to provide a roadmap for ASEAN Member States in developing their policy and regulatory approaches towards data governance. This will be conceptualized according to each ASEAN Member State’s readiness, level of development and domestic legislation. They will also encourage organizations to consider and incorporate these Principles in the development of their policies and practices in the region.

The Framework has conceptualized four strategic priorities of digital data governance that will support the building of the ASEAN digital economy. It also identifies four initiatives to be used to support the strategic priorities. Through the initiatives, the Framework hopes to increase cybersecurity efforts and build capacity in data management and enforcement cooperation in the region:

Strategic Priorities                         


1. Data Life Cycle and Ecosystem à

2. Cross Border Data Flows à

3. Digitalization and Emerging Technologies à

4. Legal, Regulatory and Policy à

ASEAN Data Classification Framework

ASEAN Cross Border Data Flows Mechanism

ASEAN Digital Innovation Forum

ASEAN Data Protection and Privacy Forum

The first strategic priority on Data Life Cycle and Ecosystem aims to ensure data integrity and trustworthiness of data to facilitate business decisions, specifically by setting guidelines on data use and access control to promote accountability in data processing, and establishing measures to safeguard confidential data. These are captured in three sub-principles on data integrity and trustworthiness, data use and access control, and data security. This priority will be supported by the initiative to develop an ASEAN Data Classification Framework, which will aim to set out broad categories of data, descriptions of what each category entails, and development of security requirements for each data classification level. The framework would also endeavor to include recommended measures or protections for each category of data, including steps to allow data to be processed, shared or transferred across country borders.

The second strategic priority on Cross Border Data Flows strives to guide governments, businesses and consumers in ASEAN in managing data flows,  particularly to maximize the free flow of data within ASEAN to foster a vibrant data ecosystem. Simultaneously, the priority seeks to ensure that actions will be taken to ensure that the data transferred is accorded the necessary protection. This priority will be bolstered by an initiative to develop an ASEAN Cross Border Data Flows Mechanism, which will aim to streamline and facilitate procedures to process, share and transfer protected data across borders. As the specifics of the mechanism are developed,  the mechanism will consider the varying levels of maturity and local legislation of each ASEAN Member State.

The third strategic priority on Digitalization and Emerging Technologies aims to advocate for capacity building and equip stakeholders with the necessary resources to evolve with new trends and technologies. To support this priority, the framework calls for the development of an ASEAN Digital Innovation Forum to serve as a meaningful platform to engage businesses on capacity-building, allow stakeholders to share the latest information on technological developments, trends and regulatory issues, encourage public-private collaboration, promote innovation, and improve awareness on key issues, such as Cybersecurity in ASEAN.

The last strategic priority on Legal, Regulatory and Policy (Legislation, Regulation and Policy) seeks to develop and harmonize data protection and data management regulations. It will also encourage the development and adoption of best practices on data management in ASEAN Member States. These are captured in three sub-principles on personal data protection and privacy regulation, accountability, and development and adoption of best practices. To support this priority, the framework calls for the establishment of an annual ASEAN Data Protection and Privacy Forum, which will serve to enable policy makers to share operational knowledge and discuss issues related to data protection enforcement. The Data Protection and Privacy Forum will also serve facilitate knowledge sharing and discussion of the implementation details for the four proposed initiatives under the entire Framework.   

The Framework calls for ASEAN Member States to provide bi-annual updates on their progress in implementing the Framework at the working group level. Once the ASEAN Data Protection and Privacy Forum is set up, ASEAN Member States will be expected to utilize the platform to provide milestones on their implementation of the framework. Regarding review, while the Framework does not specify frequency of review, the Framework will be susceptible to periodic review and can be amended to accommodate new global and regional developments, should all ASEAN Member States agree to do so.

Overall, the Framework broadly supports principles and initiatives that would strengthen digital data governance in ASEAN and encourage innovation. For example, the Framework recognizes that maximizing the free flow of data fosters a vibrant data ecosystem (under the second strategic priority of Cross Border Data Flows), and encourages ASEAN Member States to minimize restrictions to foster increased data innovation and a thriving data ecosystem. However, there are some deeply concerning provisions within the Framework that could lead to the detriment of ASEAN’s digital economy growth and development.

Primarily, the establishment of a universal data classification system (the initiative to support the first priority on data lifecycle and ecosystem) is concerning, particularly as the Framework states (in support of the Framework) that “certain types of data (e.g. sensitive personal data) require higher levels of protection, such as by having stricter access controls or more stringent handling and disclosure requirements compared to data that is publicly available.” Such statements open the door for the application of data localization requirements for data deemed “sensitive” enough to require “higher levels of protection.” Data localization leads swiftly to decreased data security, investment and significant negative impacts on GDP and consumer welfare, for example, a 2014 study by the European Center for International Political Economy shows that data localization would lead to the -12.6% investment and $3.7 billion USD loss in consumer welfare in Indonesia. Should the Framework’s universal data classification system encourage such “protections,” it would certainly undermine the Framework’s goal to strengthen ASEAN’s digital economy. The contrast of having provisions that both foster and hinder the growth of the digital economy, through both flexible and restrictive data governance recommendations, reflect the diverse set of views in ASEAN regarding digital data governance, and how to regulate the digital economy in general. This in turn indicates a need for greater regional harmonization and private-public information sharing to unify ASEAN’s views singularly towards encouraging non-restrictive digital data governance policies, for the benefit of the region’s digital economy.