A fire at a South Korean government data centre in September 2025 knocked 647 public services offline and permanently destroyed an estimated 850 terabytes of state records, because the data had no backup outside the building. The cause was not a cyberattack. It was a localization rule that kept everything in one place.
Across the Asia-Pacific, governments from India to Indonesia are writing similar rules in the name of digital sovereignty. The same logic that lost that data is now shaping a region trying to build a $2 trillion digital economy.
Keep the data inside the building, and you control it. That is the promise behind data localization, and it sounds like security. The South Korean fire showed what it actually buys.
When the National Information Resources Service centre burned in September 2025, hundreds of government systems went dark at once. Tax portals, postal tracking, public health records — all routed through one physical site, with no live copy held anywhere else. The rule that required the data to stay home also ensured it had nowhere else to be.
This is the contradiction now spreading across the ASEAN region and beyond. Governments equate sovereignty with geography: control means the server sits within national borders. India, Vietnam, Indonesia, and the Philippines are each writing versions of this rule. The technical reality is that physical location is one of the weakest forms of data control available — and the gap between what these laws promise and what they deliver is where the real risk sits.
The rules confuse location with control
Start with the laws themselves, because they are more specific than the rhetoric. India’s Digital Personal Data Protection Act was notified on August 11, 2023, with implementing rules and a Data Protection Board still being finalized as of June 2026. Section 16 is the lever: it lets the central government restrict personal data transfers to named countries by notification. No blanket ban — just a list that can grow.
Vietnam went further and earlier. Decree 53/2022, enforcing the 2018 Cybersecurity Law, requires foreign providers with more than 100,000 Vietnamese users to store specified data in-country and open a local office. Indonesia’s Law No. 27 of 2022 leaves cross-border rules to future regulations, which means foreign cloud providers are planning around a rulebook that does not exist yet. The full text of each measure is public, from India’s bill tracker to Vietnam’s decree.
Andrew Smallwood, senior policy analyst at the Asia Society Policy Institute, warns that these spreading rules risk undermining the region’s own ambitions for seamless digital trade and could deter foreign cloud investment. The technical case against them is sharper still. Josh Kallmer, head of global public policy at OpenAI, argues that strict localization can weaken security by blocking the use of globally distributed infrastructure — the exact redundancy that would have saved Seoul’s 850 terabytes.
Here is the implication most coverage misses. Within twelve to eighteen months, the encryption tools that make physical location irrelevant — customer-managed keys, confidential computing — will be standard in every major cloud. The laws being written now will still be measuring control by where the box sits. That mismatch is the story.
Two camps are racing to set the model
The region is splitting into two approaches, and the winner will shape where data centres and AI investment cluster for a decade. Singapore, Japan, and South Korea push trusted cross-border flows, join the Global CBPR system, and sign digital economy deals that cap localization. Indonesia, Vietnam, India, and now the Philippines experiment with stronger storage rules and discretionary transfer bans.
What gets lost between the two camps is what these rules do to the people who cannot absorb them.
Rizal Sukma, senior fellow at CSIS Indonesia, notes that Jakarta is trying to balance sovereign control with its goal of becoming a regional digital hub — and that the regulatory uncertainty still worries investors. The ASEAN Digital Economy Framework Agreement, meant to grow the regional digital economy from about $300 billion to $2 trillion by 2030, is the test. Its signing already slipped by a year, now expected around the November 2026 summit. If its text caps unjustified localization, the open camp wins the decade. If it slips again, the Seoul fire stops being a warning and becomes a template.
Beyond the headline
The bigger picture
This wave is less about privacy than about governments trying to renegotiate power inside a digital economy run by foreign cloud and platform firms. Insisting that data stay home buys leverage over supply chains, law enforcement, and domestic politics. That sovereignty play now collides head-on with ASEAN’s stated goal of a single, compatible digital market — the two cannot both win.
The response gap
The tools to move data safely — strong encryption, customer-managed keys, shared certification — are advancing faster than the laws meant to govern them. The missed opportunity is real: regulators could anchor sovereignty in those tools and let data flow securely. Instead, many still equate control with geography, pushing firms to spend on redundant servers rather than genuine resilience.
What isn’t being said
Officials frame localization as costless insurance against foreign surveillance. It is not costless, and they rarely say who pays. The bill lands on small firms and start-ups that cannot run multiple data stacks, and on citizens whose services go dark when one central facility fails. The distributional cost is the part the speeches leave out.
Your compliance map needs redrawing before the rules land
With India’s transfer notifications and the ASEAN framework both expected in the second half of 2026, firms operating in the region face decisions now, not after the rules issue.
- Western businesses expanding into Asia-Pacific
Review India’s Digital Personal Data Protection Act and its forthcoming rules through PRS Legislative Research at prsindia.org to map whether Indian user or employee data in your systems could be caught by future country restrictions. Begin planning alternative hosting or encryption before any Section 16 notification is issued.
- Cloud and SaaS buyers serving multiple Asian markets
Use the Global CBPR Forum’s site at cbprforum.org to identify which of your markets participate in the system. Then press your vendors on available CBPR-aligned certifications, which reduce friction for cross-border transfers and let you show regulators a trusted-flow record rather than building duplicate infrastructure.
- Start-ups and SMEs operating across the region
You are the group least able to run parallel data stacks per country. Prioritise customer-managed encryption keys and a regional cloud architecture you can reconfigure fast. Document your data flows by jurisdiction now, so a sudden rule change in Hanoi or Jakarta is a configuration task, not a crisis.
FAQ
How does India’s Section 16 actually restrict cross-border transfers?
Under Section 16 of India’s DPDPA, organizations may transfer personal data outside India except to territories the central government notifies as restricted. Compliance means tracking those notifications, updating data-processing agreements, and possibly segmenting infrastructure so Indian data avoids restricted destinations. Multinationals must also map which vendors sub-process Indian data to ensure information is not routed through restricted locations once rules take effect.
What exactly does Vietnam’s Decree 53 require foreign firms to store locally?
Decree 53/2022 requires certain foreign providers with large Vietnamese user bases to store users’ personal data, usage logs, and relationship data on servers in Vietnam and set up a local branch or office. Western firms meeting the thresholds should prepare for database duplication, local incident-response capability, and possible inspection requests from the Ministry of Public Security, while ensuring global systems can segregate Vietnam-origin data when required.
Is Indonesia’s data law settled enough to plan around?
Not yet. Indonesia’s Law No. 27/2022 sets broad principles and anticipates government regulations on cross-border transfers, but the detailed rules are still being drafted. Western businesses should not assume past flexibility will continue. Monitor for implementing regulations, review data inventories for Indonesian data, and build flexibility into contracts and cloud architecture so hosting locations and transfer mechanisms can shift quickly if stricter rules emerge.
Explainer
- ASEAN Digital Economy Framework Agreement
- A regional treaty under negotiation among the ten ASEAN member states to build a single set of digital trade rules. Launched for talks in September 2023, it aims to grow the bloc’s digital economy from roughly $300 billion to $2 trillion by 2030. Its draft includes binding limits on unjustified data localization, which is why its repeatedly delayed signing now functions as a referendum on the whole region’s data direction.
- Global CBPR system
- A certification-based mechanism that lets companies move personal data across borders by proving they meet a shared privacy standard. It transitioned into a Global CBPR Forum in 2022 and counts Japan, Singapore, South Korea, and the Philippines among its participants. It offers an alternative to strict localization: trust is established through audited compliance rather than the physical location of a server.
- Digital Personal Data Protection Act
- India’s first comprehensive data protection law, notified on August 11, 2023. It governs how personal data is processed and grants individuals rights over their information, enforced by a Data Protection Board still being stood up in 2026. Its Section 16 power to restrict transfers to specified countries makes it a potential localization tool that operates through a growing list rather than an outright ban.
RELATED STORIES
