From fragmentation to interoperability: How the GDPR shapes ASEAN data privacy and cross-border data flows

This paper examines how the European Union’s (EU) General Data Protection Regulation (GDPR) has shaped the trajectory of data protection and cross-border data flow regimes across the Association of Southeast Asian Nations (ASEAN). Using a comparative doctrinal method, it systematically assesses the legislative frameworks of Vietnam, Indonesia, Malaysia and Singapore against key GDPR provisions on international transfers, data subject rights and accountability. The findings indicate selective transplantation: ASEAN states internalise core GDPR principles while preserving jurisdiction-specific priorities, exemplified by Vietnam’s security-oriented stance and Malaysia’s enduring ‘data users’ model. This hybridisation generates convergence around concepts such as consent and data portability, alongside divergence in enforcement architectures and restrictions on cross-border data flows. The study contributes to broader regulatory debates by showing that ASEAN’s calibrated adaptation of the GDPR reflects a pragmatic balance between interoperability and regulatory sovereignty. It closes with a policy roadmap calling for clearer adequacy pathways, regionally harmonised transfer standards and strengthened intra-ASEAN cooperation to ease compliance burdens and enable digital trade. This article is also included in The Business & Management Collection which can be accessed at https://hstalks.com/business/.