For two years, trade negotiators from Jakarta to Hanoi have been quietly drafting what could be the most consequential digital trade instrument outside the WTO: the ASEAN Digital Economy Framework Agreement (DEFA). Launched at the 2023 ASEAN Summit in Jakarta and targeted for substantive conclusion by end of 2025, DEFA is the bloc's first attempt at a binding, region-wide digital pact. For US technology firms operating across Southeast Asia's fast-growing digital economy, it is the most important treaty most American policymakers have never read.
The stakes are large and concrete. According to the Google–Temasek–Bain e-Conomy SEA report, Southeast Asia's internet economy is on track to reach roughly US$1 trillion in gross merchandise value by 2030, with some industry estimates of the broader digital economy approaching $2 trillion when business-to-business and digital financial services are included. That market is currently fragmented across ten different legal regimes — from Singapore's PDPA to Vietnam's data-localisation-heavy Decree 13/2023 and Indonesia's PDP Law. DEFA's promise is to stitch those regimes together into something coherent enough for cross-border commerce to actually function.
What DEFA Is Actually Negotiating
According to the ASEAN Secretariat and a feasibility study prepared by the Boston Consulting Group at the bloc's request, the agreement spans nine substantive pillars. Four of them matter most to US firms:
- Cross-border data flows. The negotiating text reportedly includes commitments against unjustified data localisation and in favour of interoperable transfer mechanisms — language broadly inspired by the CPTPP and the US-Japan Digital Trade Agreement, but softer in its enforcement teeth.
- Digital identity and digital payments. DEFA envisions mutual recognition of digital IDs and an extension of the existing ASEAN cross-border QR-code payments network already linking Singapore, Thailand, Malaysia, Indonesia, the Philippines and Vietnam.
- Digital trade facilitation. Paperless trade, e-invoicing, and e-signature recognition — boring on paper, transformative for SMEs that ship across the Strait of Malacca.
- Cybersecurity and online safety cooperation. A coordination framework rather than harmonised rules, which is probably the right call given the bloc's diversity.
The Cross-Border Data Question
The single most important provision in DEFA is whatever it ultimately says about data. ASEAN already has the 2021 Model Contractual Clauses for Cross Border Data Flows and the 2021 Data Management Framework, but both are voluntary. A binding DEFA commitment against forced localisation would meaningfully reduce compliance costs for cloud providers, fintechs, and SaaS firms — most of which are American.
The risk is in the carve-outs. Vietnam and Indonesia have both built domestic regimes that treat broad categories of data as sovereign assets — Vietnam's Decree 53/2022 and Decree 13/2023 require local storage for a wide range of personal data, while Indonesia's Government Regulation 71/2019 distinguishes public and private electronic system operators with different localisation triggers. If DEFA's national-security and public-policy exceptions are written loosely, those domestic regimes survive unchanged and the agreement becomes ornamental.
This is where the US should care, and care loudly. The Office of the United States Trade Representative withdrew its longstanding support for binding digital trade commitments at the WTO Joint Statement Initiative in October 2023 — a decision that has left American negotiators with diminished leverage to shape regional pacts like DEFA from the outside. ASEAN's text will, in effect, set the floor for what "good" looks like across Asia for the next decade. The Indo-Pacific Economic Framework (IPEF) trade pillar, which collapsed in late 2023, was supposed to be the US vehicle for this conversation. It is not coming back.
A Pro-Innovation Path Forward
DEFA is a chance to demonstrate that proportionate, interoperable rules beat fragmentation. A few principles should anchor the final text:
- Default to data mobility, with narrow exceptions. The CPTPP/USMCA model — free flows subject to legitimate public-policy objectives applied in a non-discriminatory, least-trade-restrictive manner — remains the right template. Loose "essential security interest" carve-outs are how good treaties get hollowed out.
- Mutual recognition over harmonisation. ASEAN's diversity is a feature. Recognising each other's adequacy decisions and certification schemes is faster than negotiating a single privacy code that no one wants.
- SME-first digital trade facilitation. Paperless trade and e-invoicing recognition is where DEFA delivers concrete value to the firms least able to lobby for it.
- A real review mechanism. Digital trade rules written in 2025 will look antique by 2030. Building in a structured five-year review keeps the agreement living rather than ornamental.
Why Washington Should Be Watching
American firms — AWS, Google Cloud, Microsoft Azure, Stripe, Meta, Visa, Mastercard — already underpin much of Southeast Asia's digital infrastructure. A DEFA that ratifies free cross-border data flows would lock in that integration. A DEFA riddled with localisation loopholes would, over time, push more of the stack onshore in each member state, raising costs for users and entrenching incumbents.
Southeast Asia is the rare region where the open-internet model can still win on its merits. ASEAN's negotiators should finish the job. And the next US administration — whichever party — should treat DEFA's implementation phase as the centerpiece of a serious digital trade policy for Asia, not an afterthought.