Asia-Pacific governments are increasingly asserting control over data produced by their citizens, businesses, and public bodies. Geopolitical uncertainty, the rise of AI, and worries over foreign tech dependence have convinced many regulators that data is a core national asset.
And, as with physical items, they think the best way to secure that data is to keep it within their jurisdiction.
But that belief is based on a flawed assumption: that sovereignty is defined by where a server physically sits, rather than by who controls access to the data.
Regulators exercise digital sovereignty in many different ways.
South Korea’s Cloud Security Assurance Program (CSAP) requires public agencies to procure cloud services that store data locally, use domestically developed encryption algorithms, and have management and operations personnel reside in Korea.
Japan maintains a complex certification process for government software that is conducted almost exclusively in Japanese, which disadvantages non-Japanese providers.
India’s Digital Personal Data Protection Act, enacted in 2023, permits the government to impose restrictions on cross-border data transfers to specific countries if the authorities provide appropriate notification.
In Southeast Asia, Indonesia and Vietnam routinely propose sweeping data localization mandates. Even the Philippines, long considered by businesses and academics one of the region’s champions of free data flows, last year proposed legislation requiring public agencies (including universities) to keep nearly all data on domestic servers.
The trickiness around how to regulate cross-border data flows was one hurdle to the signing of ASEAN’s Digital Economy Framework Agreement (DEFA), potentially the world’s first regional comprehensive digital trade pact. The DEFA will be signed at the next ASEAN Leaders’ Summit in November, a year later than planned.
Secure cross-border data flows are a key ingredient for a successful DEFA. A watered-down compromise, such as one where member countries can delay joining onto such a pillar until they feel they are ready, would only perpetuate today’s fragmented regulatory landscape, meaning continued frictions in cross-border payment and commerce, and leave the DEFA only partially effective.
Without accepting cross-border data flows, ASEAN’s ambition to use the DEFA to turbocharge its digital economy to $2 trillion by 2030, up from $300 billion today, will look shaky.
When protection becomes vulnerability
Data localization is often motivated by security fears, but the practice carries its own security risks.
Last September, a fire at a South Korean data center knocked 647 government services offline. An estimated 850 terabytes of government data may have been permanently lost because there was no external backup. The very policy meant to protect the data instead created a single point of failure. If the affected systems had been designed with resilience principles in mind, like geographic redundancy and continuous backups, then the loss of data could have been mitigated.
Limiting cross-border data flows can also deny people access to innovative products and services because regulatory barriers make them economically unfeasible to offer. A local company, especially a fast-growing one keen to access international markets, may want to leverage cutting-edge AI services from a foreign provider—but may be blocked from doing so if that provider isn’t running its workloads through a local data center.
Localization can also be anticompetitive. Unlike large hyperscalers, smaller software-as-a-service companies rarely build their own data centers, and are thus the ones that disproportionately bear the compliance costs. It’s not just local, or even regional startups: Zoom fits in this category.
Asia-Pacific is also one of the most diverse regions when it comes to culture and languages—and many governments want to protect that diversity by supporting AI models in their own local languages. Yet mandating local data storage will prevent the world’s best large language models from using domestic content to improve their accuracy in low-resource languages.
Redefining digital sovereignty
True sovereignty isn’t about isolation. Instead, it’s about ensuring that the customer—and perhaps even government agencies themselves—is empowered. That approach is more sophisticated approach than a blanket localization requirement.
First, trust needs to come through technical guarantees rather than geographic restrictions. Modern end-to-end encryption ensures that no third party can access the keys needed for real-time data streams in transit. Additionally, customer-managed keys ensure that only the data owner can access data whereever it’s stored, making the physical location of servers largely irrelevant. Security architecture is more important than server geography.
Global standards can allow regulators to quickly assess a company’s privacy and security processes, even if the servers are located somewhere else.
Third, nations should adopt a strategy of relying on multiple cloud providers. This prevents dependence on any single ecosystem, and ensures competition.
Regulators should also institute a national risk-based data classification framework, similar to the European Union’s GDPR or Singapore’s Personal Data Protection Act. These laws give objective criteria to divide data into distinct tiers, between truly sensitive data that needs special handling, and other data that can be transferred across borders with adequate protections.
Nations should rightly maintain sovereign control over genuinely sensitive data, like military communications and medical records. But much of the data collected by public agencies—things like employment or housing statistics, or business registrations—don’t meet this threshold.
A path forward
A few trade agreements can serve as models for a more balanced approach to data sovereignty. The Australia-Singapore and EU-Singapore digital economy agreements restrict unjustified data localization requirements, while maintaining protections to address legitimate security concerns.
Initiatives like the Global Cross-Border Privacy Rules (CBPR) system and the OECD’s Data Free Flows with Trust (pioneered by Japan) also demonstrate that trusted data mobility and robust privacy protections aren’t mutually exclusive.
As ASEAN negotiators work to finalize the DEFA, and Asia-Pacific governments strive to leverage technological innovations and AI to drive economic growth, they face a choice: Embrace digital sovereignty through isolation, or achieve it through strategic design and technical controls.
The former offers the illusion of control while creating new vulnerabilities. The latter provides genuine security and selective control where necessary, while preserving access to global innovation and accelerating the path to national prosperity.
The opinions expressed in Fortune.com commentary pieces are solely the views of their authors and do not necessarily reflect the opinions and beliefs of Fortune.
