On May 22, 2026, the state-owned Shenzhen Data Exchange signed a memorandum of understanding with Malaysian firm Zetrix AI to link China’s and Southeast Asia’s data markets. The model trades access rights, usage permissions, and processed data products — not raw datasets. A pilot phase is targeted for operation within 12 to 18 months. China classified data as a factor of production in April 2020 and has since built more than 50 domestic data exchanges.
The framework must satisfy two clashing legal regimes: China’s outbound-transfer security rules and Malaysia’s Personal Data Protection Act. Whoever sets the template will shape where the next generation of AI models gets trained.
China is not just buying Southeast Asian data. It is trying to write the rulebook for how that data moves at all.
The vehicle is a memorandum signed on May 22, 2026, between the Shenzhen Data Exchange and the Malaysian technology firm Zetrix AI. On paper, it is a commercial pilot to connect two data markets. Wong Thean Soon, Zetrix AI’s group managing director, has described the goal as something like a stock exchange, but for data — a venue where access rights and usage permissions change hands rather than the files themselves.
That framing is accurate, and incomplete. The deal exports more than a trading desk. It exports a governance model designed in Beijing, built around state-run exchanges, security assessments, and a state designation of which datasets count as sensitive. Malaysia is the test case for whether that model travels.
The question underneath the MoU is not whether data will sell. It is whose rules will decide how.
The architecture matters more than the transaction
The model does one technically specific thing: it sells access, not files. Ou, who oversees cross-border data business at the exchange, has said raw data is rarely traded. Instead it is packaged into services and products after strict compliance checks, because large language models trained in China increasingly need broader overseas data to keep improving.
That design choice carries a longer implication. In the next 12 to 18 months, if the pilot goes live, the venue that hosts these transactions also defines the standards — how rights are priced, how compliance is verified, which datasets are eligible. Set the venue, and you set the terms for everyone who lists on it.
The trust problem is already visible. Bryan Ng, founder of WITO Technology, the exchange’s first Malaysian data provider since 2024, has noted that companies initially feared their data was being sold to China outright. His answer is process: legal, technical, and compliance reviews on approved datasets, with personal information kept out.
Whether that process holds across two legal systems is the open question. Kendra Schaefer, a partner at Beijing-based advisory Trivium China, warns that China’s exchanges remain experimental and fragmented, with unclear standards on how data rights are defined and priced — and that cross-border pilots will test whether state-designed infrastructure works beyond China’s own regulatory environment.
The compliance pitch is convincing on its own terms. The harder issue sits one level up, in the law itself.
Two legal systems with no shared referee
China’s outbound data transfers run through three instruments: the Personal Information Protection Law, the Data Security Law, and the 2022 Measures for Security Assessment of Outbound Data Transfers. Together they require security reviews or standard contracts for many exports and let the Cyberspace Administration of China halt non-compliant transfers.
Malaysia works differently. Its Personal Data Protection Act 2010 restricts cross-border transfers unless the receiving country offers equivalent protection or consent applies. It does not mandate general localisation. The two regimes overlap, but they do not match — and there is no joint tribunal built for exchange-traded data products.
This resembles Europe’s regulated data spaces, which also trade access and analytics rather than raw files. The governance is the difference. Schemes like GAIA-X are industry-driven and bound by GDPR. The Shenzhen model is state-owned, aligned with the National Data Administration, and embedded in industrial policy — giving government planners direct say over what data moves where.
So the pilot’s real prize is not a Malaysian dataset. It is the rulebook. If Beijing’s design becomes the default venue for monetising Southeast Asian data, the rules of access stop being neutral plumbing and start being leverage.
Beyond the headline
The power behind it
The real leverage sits with China’s National Data Administration and Cyberspace Administration, which decide what outbound data is permissible and under what conditions. Even when deals are negotiated between private firms, the architecture of security assessments and “important data” designations is set in Beijing. That gives Chinese regulators a quiet veto over how Southeast Asia’s data feeds future AI systems.
The bigger picture
This pilot reflects a shift from treating data as a by-product of digital services to treating it as an infrastructure layer — standardised, priced, and routed like energy or bandwidth. As countries build sovereign AI stacks, cross-border deals become less about market access and more about whose technical standards underwrite the next decade of machine-learning supply chains.
What isn’t being said
Official narratives stress privacy safeguards and economic opportunity. They say little about how AI capability gaps compound once one side aggregates regional data at scale. If Chinese platforms become the default venue for selling Southeast Asian data, local firms may gain short-term revenue while ceding long-term control over model performance, infrastructure location, and future rule-setting.
What to do before the pilot goes live
With a 12-to-18-month pilot window flagged and two legal regimes still unaligned, companies touching China or Malaysian data face decisions now, not later.
- Compliance and legal teams at Western firms in ASEAN
Map your cross-border data flows against China’s outbound security-assessment rules and Malaysia’s PDPA, using the primary texts at cac.gov.cn and pdp.gov.my. Confirm your contracts, consents, and localisation practices align before engaging any exchange. Negotiate governing law and audit rights up front — there is no dedicated cross-border redress mechanism between the two states.
- AI developers sourcing regional training data
If your models rely on ASEAN or Chinese data, track the ASEAN Digital Economy Framework Agreement via asean.org and Malaysia’s Digital Economy Blueprint via mdec.my. Adjust your data-sourcing, model-training locations, and vendor choices ahead of any new regional rules on trusted flows or localisation.
- Corporate strategy and policy leads
Treat the first live data-product listing as your signal. If it appears within the pilot window, regulators on both sides are comfortable with commercial transactions. If it stalls, expect extended sandboxing with test datasets or a quiet narrowing to low-risk data — and plan your APAC data strategy for either outcome.
FAQ
Does Malaysian or Chinese data have to be stored locally to use these exchanges?
China’s laws push localisation for “important” and large-scale personal data, often requiring storage on Chinese servers and export only after a CAC security assessment. Malaysia’s PDPA does not mandate general localisation but restricts transfers to jurisdictions with equivalent protection or under approved exemptions. Firms will need clear data-mapping to separate datasets that must stay local from those that can move.
What compliance steps must foreign businesses take to participate?
For China-linked exchanges, firms typically appoint a data-protection officer, run personal-information impact assessments, adopt China-standard export contracts, and prepare for inspections by the CAC or local regulators. In Malaysia, registration with the Personal Data Protection Commissioner and compliance with notice, consent, retention, and security obligations are key. Many firms use local counsel and third-party auditors to operationalise these requirements.
How would disputes over data misuse or pricing be resolved?
Current China–Malaysia instruments create no bespoke tribunal for data-exchange disputes. Conflicts over misuse, pricing, or intellectual property will likely fall to contract clauses specifying arbitration forums such as the Singapore International Arbitration Centre or the China International Economic and Trade Arbitration Commission. Parties should negotiate governing law, jurisdiction, audit rights, and breach remedies before listing, given the absence of a dedicated redress mechanism.
Explainer
- Shenzhen Data Exchange
- A state-owned data trading platform under the Shenzhen municipal government that acts as a middleman for buying and selling data access rights. It is one of more than 50 such exchanges built across China since 2020 and works with partners in eight countries and regions, including cross-border data guidelines with Singapore. Its Malaysian deal is its first attempt to export the exchange model into a market with a fully separate legal system.
- Personal Information Protection Law
- China’s comprehensive privacy law, in force since 2021, governing how personal data is collected, processed, and exported. It works alongside the Data Security Law and the 2022 outbound-transfer measures to require security reviews for many data exports. For cross-border exchanges, it means Malaysian personal data routed through Chinese platforms must clear China’s own export rules in addition to Malaysia’s.
- National Data Administration
- A Chinese government body created in 2023 to unlock data value and build an integrated national data market. Its deputy director-general, Gao Hong, has said the agency’s 2026 priority is constructing a unified national data market and producing more high-quality datasets for AI. Its alignment with state-owned exchanges gives Beijing direct policy influence over what data moves abroad and on what terms.
RELATED STORIES
