The ASEAN Data Landscape
AI companies operating across ASEAN face a fragmented regulatory landscape for cross-border data transfers. Unlike the EU, which provides a unified framework through the GDPR, ASEAN member states have adopted individual data protection laws at different stages of maturity, with varying requirements for cross-border transfers. For AI companies that train models on data collected across multiple ASEAN jurisdictions — or that deploy models serving users in multiple markets — this fragmentation creates significant compliance complexity.
The ASEAN Framework on Digital Data Governance, adopted in 2018, provides high-level principles for data protection harmonization, but it is non-binding and has not resulted in uniform national legislation. The ASEAN Data Management Framework (DMF) and Model Contractual Clauses (MCCs) for Cross Border Data Flows, published in 2021, offer more practical guidance, but adoption remains voluntary and inconsistent across member states. As of 2026, the effective legal requirements for cross-border data transfers vary substantially between Singapore, Malaysia, Thailand, Indonesia, the Philippines, and Vietnam — the six ASEAN markets where AI companies are most active.
Singapore as Data Hub
Singapore's PDPA provides a relatively permissive framework for cross-border data transfers. Under Section 26 of the PDPA, organizations may transfer personal data outside Singapore provided they take reasonable steps to ensure that the receiving organization provides a comparable standard of protection. The PDPC's Advisory Guidelines on Key Concepts in the PDPA clarify that "comparable standard" does not require identical legal protections in the receiving jurisdiction — rather, it requires contractual or other binding arrangements that provide equivalent protection to the data subjects.
In practice, Singapore-based AI companies transferring data to other ASEAN jurisdictions can rely on several mechanisms: contractual arrangements incorporating the ASEAN Model Contractual Clauses; binding corporate rules for intra-group transfers; the APEC Cross-Border Privacy Rules (CBPR) system, of which Singapore is a participating economy; or consent from the data subject (which, for AI training data, may require specific disclosure about the cross-border nature of the processing). The PDPC has also signaled its openness to certifications and codes of practice as transfer mechanisms, and we expect to see more formalized mutual recognition arrangements between ASEAN data protection authorities in 2026.
Key Jurisdictions
Malaysia's Personal Data Protection Act 2010 (PDPA Malaysia) takes a more restrictive approach to cross-border transfers. Section 129 prohibits the transfer of personal data outside Malaysia unless the destination country has been approved by the Minister. As of 2026, no such countries have been formally gazetted, which creates legal uncertainty for cross-border transfers. However, the Act provides exceptions for contractual necessity, consent, legal proceedings, and other prescribed circumstances. AI companies operating in Malaysia should structure their data flows to fall within these exceptions or obtain explicit consent for cross-border transfers.
Thailand's Personal Data Protection Act B.E. 2562 (PDPA Thailand), which became fully effective in June 2022, requires that the destination country or organization has adequate data protection standards, or that the transfer is subject to appropriate safeguards such as binding corporate rules or standard contractual clauses. The PDPA Committee has been working on subsidiary regulations for cross-border transfers, and we expect more detailed guidance in 2026. Indonesia's Personal Data Protection Law (UU PDP), enacted in October 2022, requires that data transfers to foreign jurisdictions satisfy an adequacy assessment or are covered by appropriate safeguards. Implementing regulations are still being developed, and the transitional period extends to October 2026.
Compliance Strategies
For AI companies operating across ASEAN, we recommend a layered compliance strategy. First, map your data flows comprehensively — identify every jurisdiction where personal data is collected, processed, stored, and transferred. This data flow mapping is the foundation for any compliance program and is essential for responding to regulatory inquiries or due diligence requests. Second, implement the ASEAN Model Contractual Clauses as a baseline for all intra-ASEAN data transfers. While not mandatory in every jurisdiction, the MCCs provide a recognized standard that satisfies the contractual safeguard requirements across most ASEAN data protection laws. Third, consider joining the APEC CBPR system for transfers beyond ASEAN, particularly to the US, Japan, South Korea, and other participating economies. Fourth, maintain jurisdiction-specific compliance documentation that addresses the unique requirements of each ASEAN market where you operate. A one-size-fits-all approach to cross-border data compliance will not survive regulatory scrutiny. The cost of building a robust cross-border data compliance framework is significant, but it is a fraction of the cost of a regulatory enforcement action — and it is increasingly a precondition for M&A transactions and institutional investment rounds.