A landmark pact that stopped short of the hardest clause
On 24 October 2025, ASEAN economic ministers meeting in Kuala Lumpur declared the "substantial conclusion" of the Digital Economy Framework Agreement (DEFA), the bloc's first region-wide digital treaty. After fourteen negotiating rounds, member states had locked down 24 articles and 98 paragraphs — roughly 73% of the core text, past the 70% threshold ASEAN set for declaring substantial conclusion, according to the US-ASEAN Business Council's account of the meeting and ASEAN's own adopted statement.
What did not make the cut is telling. The provisions left open are cross-border data flows, financial services and electronic payments, personal data protection standards, and digital identity. In other words, ASEAN agreed on the easy chapters — paperless trade, e-invoicing, cybersecurity cooperation — and deferred the single clause that determines whether data can actually move across the region's borders. The bloc now targets full textual conclusion by April 2026, a special ministerial meeting on 12 March, and a formal signing at the 49th ASEAN Leaders' Summit in Manila in November 2026.
The stakes are large. The Asian Development Bank's SEADS initiative estimates DEFA could double ASEAN's digital economy to roughly $2 trillion by 2030. But that figure assumes data can flow. A treaty that ring-fences data behind ten national borders would deliver a fraction of it — and would leave foreign partners, the UK among them, negotiating market access country by country rather than region-wide.
The case for caution is genuine
It would be unfair to cast ASEAN's data hawks as protectionist by reflex. Indonesia and Vietnam — the bloc's two largest internet markets — have real reasons for caution. Data-protection regimes across the ten members are uneven: some have mature privacy laws, others are still drafting them. Governments worry about law-enforcement access, about citizens' data sitting in jurisdictions with weaker safeguards, and about a handful of foreign platforms capturing the regional data layer before local champions can scale. Vietnam's Decree 53 and Indonesia's localisation rules grew directly out of those concerns. A blanket "no localisation, ever" rule that ignored them would be both politically dead on arrival and genuinely indifferent to legitimate privacy and security interests.
The honest rebuttal is not that those concerns are fake — it is that hard localisation is the wrong instrument for them. Forced data storage raises compliance costs most heavily on the 70-million-plus MSMEs SEADS identifies as the engine of ASEAN growth, while doing little for privacy that accountability mechanisms cannot do better. Citizen data is protected by enforceable standards and redress, not by the postcode of a server. The proportionate answer is interoperability plus safeguards: binding transfer rules paired with tools like ASEAN's own Model Contractual Clauses for Cross-Border Data Flows.
The UK has already placed its bet
Here Britain is an instructive counterpoint, and the reason this is a UK story at all. The UK's accession to the Comprehensive and Progressive Agreement for Trans-Pacific Partnership (CPTPP) entered into force on 15 December 2024, making it the first European member of the bloc. CPTPP's electronic-commerce chapter does precisely what DEFA's drafters are still arguing over: it prohibits unjustified restrictions on cross-border data transfers and bans forced data localisation, subject to a carve-out for genuine, non-discriminatory public-policy objectives.
Crucially, four ASEAN members — Brunei, Malaysia, Singapore and Vietnam — are already bound by those same rules as CPTPP parties. So is the UK. The liberal "trusted flows with safeguards" model is therefore not hypothetical for Southeast Asia; nearly half the bloc already lives under it through a different treaty.
The UK has gone further bilaterally. The UK-Singapore Digital Economy Agreement, in force since 2022, commits both governments to ban unjustified data-localisation requirements and unjustified barriers to cross-border data flows, while each must maintain a data-protection framework — openness and accountability bolted together, not traded off.
Trusted flows beat walled gardens
Britain's own 2025 domestic reform reinforces the point. The Data (Use and Access) Act 2025 received Royal Assent on 19 June 2025 and sets out a clearer framework for international transfers, moving from the rigid "essentially equivalent" adequacy test toward a risk-based standard and faster "data bridges" to trusted partners. The lesson is that a jurisdiction can lower transfer friction without abandoning privacy protection — the opposite of the localisation reflex.
That is the template DEFA's holdouts should study. The choice is not between open data and protected citizens; it is between accountable cross-border flows and walled gardens that tax small firms while leaving privacy no better defended.
What to watch
For UK businesses, the next twelve months matter. If DEFA lands a CPTPP-grade data chapter, the UK's existing commitments with four ASEAN states extend naturally into a region-wide market of nearly 700 million people. If localisation wins, British and other foreign firms face a patchwork of national rules — and ASEAN forfeits much of the upside its own analysts have promised. The 12 March ministerial and the April textual deadline will signal which way the bloc is leaning. Southeast Asia does not have to choose between sovereignty and openness; the UK's recent treaty record shows the two can be engineered to coexist.