U.S.–ASEAN bilateral Agreements on Reciprocal Tariffs (ART) commitments reveal that cross-border data flows are far more complex than many assume. These agreements vary significantly across countries, and domestic laws remain decisive.

• Cambodia & Thailand: Commit to free transfer of data across trusted borders—unconditional and trade-first.
• Malaysia: Ensures cross-border transfers with appropriate safeguards, aligned with its PDPA—balancing trade facilitation with compliance.
• Viet Nam: Removes licensing requirements for outbound transfers, easing administrative hurdles without explicit safeguards or adequacy references.
• Indonesia (draft clause): Proposes recognising the U.S. as providing adequate data protection, potentially conflicting with PDPL Article 56, which assigns adequacy assessments to data controllers, not the government.

These differences illustrate a spectrum of approaches across ASEAN—from liberalisation-first to safeguard-driven or adequacy-linked mechanisms. While trade facilitation is the shared goal, domestic data-protection laws remain the ultimate authority, creating practical and legal complexities for businesses operating across multiple jurisdictions.

Understanding these evolving commitments is not just a regulatory concern—it is strategically critical. Companies that proactively navigate these differences can reduce compliance risks, optimise cross-border operations, and seize opportunities in ASEAN’s growing digital economy. Conversely, overlooking these nuances could result in unintended legal and operational consequences.

Author
Prof. Abu Bakar Munir
Co-Founder Asosiasi Profesional Privasi Data Indonesia (APPDI)