Global norms and regional innovation: GDPR, evolution of data protection in ASEAN and the legal trajectory of AI in Vietnam

Le, Cong Tran Quoc; Tran, Viet Dung; Nguyen, Dao Phuong Thuy

doi:10.2478/bjes-2025-0039

Abstract

Personal data protection has emerged as a defining challenge of the digital age, particularly with the rise of artificial intelligence (AI) and the increasing reliance on crossborder data flows. The European Union’s General Data Protection Regulation (GDPR) has set a global benchmark in this field, with its extraterritorial scope—the so-called Brussels Effect—provoking extensive debate worldwide. In ASEAN, with its accelerating digital transformation and economic integration, data protection laws are being reshaped under both global influences and local priorities. This study aims to identify the factors that have enabled GDPR standards to influence evolving legal frameworks of ASEAN and to examine how its member states are responding to global pressures, while simultaneously addressing the distinct challenges of data governance and regional data integration. Using a doctrinal and comparative approach, the study analyzes the personal data protection frameworks of ASEAN6, with Vietnam highlighted as a distinctive case. Vietnam stands out for explicitly integrating AIrelated provisions into its Personal Data Protection Law, reflecting both the influence of the GDPR and a localized adaptation aligned with strategies for national digital transformation. By examining ASEAN’s varied legal responses and Vietnam’s unique trajectory, the findings underscore the dynamic interplay between global standards and regional innovation. The article contributes insights for policymakers, businesses and scholars navigating data governance in the digital future of Southeast Asia.

References

Alfred, D.N. (2020) Navigating the road ahead: insights into the policy rationale of the PDP (Amendment) Bill 2020. Singapore: Personal Data Protection Commission Singapore. Available at: https://www.pdpc.gov.sg/-/media/Files/PDPC/DPO-Connect/November-20/Navigating-the-Road-Ahead.html (Accessed: 20 May 2025).
Search in Google Scholar Back to article
Alibeigi, A. and Munir, A.B. (2020) ‘Malaysian Personal Data Protection Act, a mysterious application’, University of Bologna Law Review, 5(2), pp. 363–372. Available at: https://doi.org/10.6092/issn.2531-6133/12441
Search in Google Scholar Back to article
Amiludin, A., Nurhalisa, S., Prasetya Umara, U. and Hidayatullah, M. (2024) ‘Comparison of protection laws private data in Indonesia, and the Philippines’, Jurisprudence, 14(2), pp. 171–191. Available at: https://doi.org/10.23917/jurisprudence.v14i2.4266
Search in Google Scholar Back to article
APEC (2019) APEC Cross-Border Privacy Rules (CBPR) policies, rules and guidelines (revised September 2019). Available at: https://cbprs.org/wp-content/uploads/2019/11/4.-CBPR-Policies-Rules-and-Guidelines-Revised-For-Posting-3-16-updated-1709-2019.pdf (Accessed: 20 May 2025).
Search in Google Scholar Back to article
Artzt, M. and Tran, V.D. (2022) ‘Artificial intelligence and data protection: how to reconcile both areas from the European law perspective’, Vietnamese Journal of Legal Sciences (Ho Chi Minh City University of Law), 7(2), pp. 39–58. Available at: https://doi.org/10.2478/vjls-2022-0007
Search in Google Scholar Back to article
ASEAN (2016) ASEAN Telecommunications and Information Technology Ministers Meeting (TELMIN): framework on personal data protection. Available at: https://asean.org/wp-content/uploads/2012/05/10-ASEAN-Framework-on-PDP.pdf (Accessed: 20 May 2025).
Search in Google Scholar Back to article
ASEAN (2021) ASEAN digital masterplan 2025. Jakarta: ASEAN Secretariat. Available at: https://asean.org/wp-content/uploads/2021/09/ASEAN-Digital-Masterplan-EDITED.pdf (Accessed: 20 May 2025).
Search in Google Scholar Back to article
ASEAN (2023a) Framework for Negotiating ASEAN Digital Economy Framework Agreement. Available at: https://asean.org/wp-content/uploads/2023/09/Framework-for-Negotiating-DEFA_ENDORSED_23rd-AECC-for-uploading.pdf (Accessed: 20 May 2025).
Search in Google Scholar Back to article
ASEAN (2023b) Leaders’ statement on the development of the ASEAN Digital Economy Framework Agreement (DEFA). Available at: https://asean.org/wp-content/uploads/2023/09/Leaders-Statement-DIGITAL-ECONOMY-FRAMEWORK-AGREEMENT.pdf (Accessed: 20 May 2025).
Search in Google Scholar Back to article
ASEAN Briefing (2024) ‘Navigating personal data protection in Indonesia’. Available at: https://www.aseanbriefing.com/news/navigating-personal-data-protection-in-indonesia (Accessed: 20 May 2025).
Search in Google Scholar Back to article
Baker McKenzie (2024a) ‘Malaysia Personal Data Protection (Amendment) Act 2024 to come into force’, Baker McKenzie InsightPlus. Available at: https://insightplus.bakermckenzie.com/bm/data-technology/malaysia-personal-data-protection-amendment-act-2024-to-come-into-force (Accessed: 7 October 2025).
Search in Google Scholar Back to article
Baker McKenzie (2024b) ‘Thailand: new cross-border data transfer rules officially published as law’, Baker McKenzie InsightPlus. Available at: https://insightplus.bakermckenzie.com/bm/data-technology/thailand-new-cross-border-data-transfer-rules-officially-published-as-law (Accessed: 13 March 2025).
Search in Google Scholar Back to article
Baker McKenzie (2024c) ‘Thailand: PDPA compliance and challenges—development of the insurance industry in 2024’, Baker McKenzie InsightPlus. Available at: https://insightplus.bakermckenzie.com/bm/financial-institutions_1/thailand-pdpa-compliance-and-challenges-development-of-the-insurance-industry-in-2024 (Accessed: 13 March 2025).
Search in Google Scholar Back to article
Barocas, S. and Selbst, A.D. (2016) ‘Big data’s disparate impact’, California Law Review, 104(3), pp. 671–732. Available at: https://doi.org/10.2139/ssrn.2477899
Search in Google Scholar Back to article
Berg, C. (2018) ‘A classical liberal approach to privacy’, in The classical liberal case for privacy in a world of surveillance and technological change. Palgrave Studies in Classical Liberalism. Cham: Palgrave Macmillan, pp. 47–68. Available at: https://doi.org/10.1007/978-3-319-96583-3_3
Search in Google Scholar Back to article
Bradford, A. (2020) The Brussels Effect: how the European Union rules the world. New York: Oxford University Press. Available at: https://doi.org/10.1093/oso/9780190088583.001.0001
Search in Google Scholar Back to article
Chik, W.B. (2013) ‘The Singapore Personal Data Protection Act and an assessment of future trends in data privacy reform’, Computer Law & Security Review, 29(5), pp. 554–575. Available at: https://doi.org/10.1016/j.clsr.2013.07.010
Search in Google Scholar Back to article
Ching, M.R.D., Fabito, B. and Celis, N.J. (2018) ‘Data Privacy Act of 2012: a case study approach to Philippine government agencies’ compliance’, Advanced Science Letters, 24(10), pp. 7042–7046. Available at: https://doi.org/10.1166/asl.2018.12404
Search in Google Scholar Back to article
Dat, H.L.N.T. and An, C.T.T. (2024) ‘The regulation of data transmission in the digital era: from the European Union’s perspective and implications for Vietnam’, Vietnamese Journal of Legal Sciences, 11(2), pp. 1–13. Available at: https://doi.org/10.2478/vjls-2024-0007
Search in Google Scholar Back to article
Data Privacy Act (Philippines) (2012) Republic Act No. 10173, Republic of the Philippines Congress of the Philippines, 15 August.
Search in Google Scholar Back to article
‘Data Protection Commissioner v. Facebook Ireland Limited and Maximillian Schrems’ (2020) (Schrems II), Case C-311/18, ECLI:EU:C:2020:559, 16 July.
Search in Google Scholar Back to article
‘Decree No. 13/2023/ND-CP of the Government on personal data protection (Vietnam)’ (2023) Government Socialist Republic of Vietnam, 17 April.
Search in Google Scholar Back to article
Desiderio, L. (2021) ‘NPC pushes amendments to Data Privacy Act’, The Philippine Star, 27 June. Available at: https://www.philstar.com/business/2021/06/27/2108309/npc-pushes-amendments-data-privacy-act (Accessed: 7 October 2025).
Search in Google Scholar Back to article
Digital Policy Alert (2024) ‘DPA Digital Digest: Philippines’. Available at: https://digitalpolicyalert.org/digest/dpa-digital-digest-philippines (Accessed: 7 October 2025).
Search in Google Scholar Back to article
Draft Law on Cybersecurity (Vietnam) (2025) Available at: https://duthaoonline.quochoi.vn/dt/luat-an-ninh-mang/250714085609949149 (Accessed: 27 May 2025).
Search in Google Scholar Back to article
EDPB (2018a) Guidelines 2/2018 on derogations of Article 49 under Regulation 2016/679, European Data Protection Board. Brussels: EDPB.
Search in Google Scholar Back to article
EDPB (2018b) Guidelines 3/2018 on the territorial scope of the GDPR (Article 3)— version adopted after public consultation, European Data Protection Board. Brussels: EDPB.
Search in Google Scholar Back to article
EDPB (2020) Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data, European Data Protection Board. Brussels: EDPB.
Search in Google Scholar Back to article
EDPB (2023) Guidelines 07/2022 on certification as a tool for transfers, European Data Protection Board. Brussels: EDPB. Available at: https://www.edpb.europa.eu/system/files/2023-02/edpb_guidelines_07-2022_on_certification_as_a_tool_for_transfers_v2_en_0.pdf (Accessed: 10 January 2025).
Search in Google Scholar Back to article
European Commission (2021) ‘Adequacy decisions’. Available at: https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions (Accessed: 7 October 2025).
Search in Google Scholar Back to article
European Commission, Directorate-General for Trade (2024) ‘EU trade relations with Thailand’. Available at: https://policy.trade.ec.europa.eu/eu-trade-relationships-country-and-region/countries-and-regions/thailand_en (Accessed: 6 October 2025).
Search in Google Scholar Back to article
Eurostat (no date) ‘Population and population change statistics’. Available at: https://ec.europa.eu/eurostat/statistics-explained/index.php?title=Population_and_population_change_statistics (Accessed: 10 January 2025).
Search in Google Scholar Back to article
Framework Agreement on Comprehensive Partnership and Cooperation between the European Union and its Member States, of the One Part, and the Socialist Republic of Vietnam, of the Other Part (2016) Official Journal L 329/8, 3 December.
Search in Google Scholar Back to article
‘Google LLC v. Commission nationale de l’informatique et des libertés (CNIL)’ (2019) Case C-507/17, ECLI:EU:C:2019:772, 24 September.
Search in Google Scholar Back to article
‘Google Spain SL and Google Inc. v. Agencia Española de Protección de Datos (AEPD) and Mario Costeja González’ (2014) Case C-131/12, ECLI:EU:C:2014:317, 13 May.
Search in Google Scholar Back to article
Government of Vietnam (2024) ‘Proposal for the development of the Law on Personal Data Protection’. Available at: https://chinhphu.vn/du-thao-vbqppl/ho-so-denghi-xay-dung-luat-bao-ve-du-lieu-ca-nhan-6312 (Accessed: 7 October 2025).
Search in Google Scholar Back to article
‘Government Regulation No. 71 of 2019 on the organization of electronic systems and transactions (Indonesia)’ (2019) State Gazette of the Republic of Indonesia, No. 185, 10 October.
Search in Google Scholar Back to article
Habibulloh, M. (2025) ‘Digital governance and the right to privacy: a comparative analysis of AI regulation in Southeast Asia and the European Union’, Journal of Law, Policy and Global Development, 1(1), pp. 19–35. Available at: https://doi.org/10.71305/jlpgd.v1i1.333
Search in Google Scholar Back to article
Infocomm Media Development Authority and Personal Data Protection Commission Singapore (2022) Model AI governance framework. 2nd edn. Available at: https://www.pdpc.gov.sg/help-and-resources/2020/01/model-ai-governance-framework (Accessed: 7 October 2025).
Search in Google Scholar Back to article
Islam, M.T. and Karim, M.E. (2020) ‘Extraterritorial application of the EU General Data Protection Regulation: an international law perspective’, IIUM Law Journal, 28(2), pp. 531–565. Available at: https://doi.org/10.31436/iiumlj.v28i2.495
Search in Google Scholar Back to article
Kamara, I. and De Hert, P. (2018) ‘Understanding the balancing act behind the legitimate interest of the controller ground: a pragmatic approach’, Brussels Privacy Hub Working Paper, 4(12). Available at: https://doi.org/10.2139/ssrn.3228369
Search in Google Scholar Back to article
Kesa, A. and Kerikmäe, T. (2020) ‘Artificial intelligence and the GDPR: inevitable nemeses?’, TalTech Journal of European Studies, 10(3), pp. 68–90. Available at: https://doi.org/10.1515/bjes-2020-0022
Search in Google Scholar Back to article
Kohl, U. (2022) ‘The long-arm of the GDPR and its inherent weakness – the EDPB’s Guidelines 05/2021 on the interplay of Article 3 and Chapter v. of the GDPR’. Available at: https://doi.org/10.2139/ssrn.4027796
Search in Google Scholar Back to article
Law No. 27 of 2022 on Personal Data Protection (Indonesia) (2022) Supplement to the State Gazette of the Republic of Indonesia, No. 6820.
Search in Google Scholar Back to article
Law No. 96/2025/QH15 on Digital Technology Industry (Vietnam) (2025) National Assembly, 26 June.
Search in Google Scholar Back to article
LawAsia (2025) ‘Thailand: data privacy laws’. Available at: https://law.asia/thailand-data-privacy-laws/ (Accessed: 6 October 2025).
Search in Google Scholar Back to article
Le, T.Q.C. (2021) ‘Quy định về tự do dữ liệu trong hiệp định thương mại tự do thế hệ mới - tác động đối với pháp luật Việt Nam’ (Regulations on freedom of data in new generation free trade agreements—impact on Vietnamese law), Vietnamese Journal of Legal Sciences, 146(07), pp. 95–106.
Search in Google Scholar Back to article
Lee, A. (2021) ‘Personal data, global effects: China’s draft privacy law in the international context’, Stanford University DigiChina Project. Available at: https://digichina.stanford.edu/work/personal-data-global-effects-chinas-draft-privacy-law-in-the-international-context/ (Accessed: 7 October 2025).
Search in Google Scholar Back to article
McKean, R., Magee, J. and de Souze, R. (2025) ‘DLA Piper GDPR fines and data breach survey: January 2025’, DLA Piper. Available at: https://www.dlapiper.com/en-us/insights/publications/2025/01/dla-piper-gdpr-fines-and-data-breach-survey-january-2025 (Accessed: 10 January 2025).
Search in Google Scholar Back to article
Ministry of Public Security (Vietnam) (2024) ‘Submission No. 246/TTr-BCA-A05 to the Government on the dossier proposing the development of the Personal Data Protection Law’, 17 June. Available at: https://congan.tayninh.gov.vn/vi/chi-tiet-tin-tuc?Id=225214 (Accessed: 24 April 2025).
Search in Google Scholar Back to article
Norton Rose Fulbright (no date) ‘Overview of Thailand Personal Data Protection Act B.E. 2562 (2019)’. Available at: https://www.nortonrosefulbright.com/en/knowledge/publications/e29d223d/overview-of-thailand-personal-data-protection-act-be2562-2019 (Accessed: 6 October 2025).
Search in Google Scholar Back to article
OECD (2013) Recommendation of the Council concerning Guidelines Governing the Protection of Privacy and Transborder Flows of Personal Data. Available at: https://legalinstruments.oecd.org/en/instruments/OECD-LEGAL-0188 (Accessed: 24 April 2025).
Search in Google Scholar Back to article
OECD (2019) Recommendation of the Council on artificial intelligence. OECD Legal Instruments, OECD/LEGAL/0449. Paris: OECD Publishing.
Search in Google Scholar Back to article
PDPC Malaysia (2022) Personal data protection guidelines on cross-border transfer of personal data (CBPDT), Personal Data Protection Commission Malaysia. Available at: https://www.pdp.gov.my/ppdpv1/en/akta/personal-data-protection-guidelines-on-cross-border-transfer-of-personal-data-cbpdt/ (Accessed: 7 October 2025).
Search in Google Scholar Back to article
PDPC Singapore (2020) Model AI governance framework, Personal Data Protection Commission Singapore. Available at: https://www.pdpc.gov.sg/help-and-resources/2020/01/model-ai-governance-framework (Accessed: 7 October 2025).
Search in Google Scholar Back to article
PDPC Singapore (2021) ‘APEC Cross-Border Privacy Rules (CBPR) and Privacy Recognition for Processors (PRP) systems’, Personal Data Protection Commission Singapore. Available at: https://www.pdpc.gov.sg/help-and-resources/2021/10/apec-cross-border-privacy-rules-and-privacy-recognition-for-processors-systems (Accessed: 15 March 2025).
Search in Google Scholar Back to article
Personal Data Protection Act (Thailand) (2019) B.E. 2562, Government Gazette, No. 136, chapter 69 Gor, 27 May.
Search in Google Scholar Back to article
Pitogo, V. (2019) ‘National government agency’s compliance on Data Privacy Act of 2012: a case study, Philippines’, Journal of Physics: Conference Series, 1201(1), article 012021. Available at: https://doi.org/10.1088/1742-6596/1201/1/012021
Search in Google Scholar Back to article
Pramesti, I. and Afriansyah, A. (2020) ‘Extraterritoriality of data protection: GDPR and its possible enforcement in Indonesia’, in Advances in Economics, Business and Management Research: Proceedings of the 3rd International Conference on Law and Governance (ICLAVE 2019). Paris: Atlantis Press, pp. 83–94. Available at: https://doi.org/10.2991/aebmr.k.200321.012
Search in Google Scholar Back to article
‘Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)’ (2016) Official Journal L 119/1, 27.4.2016.
Search in Google Scholar Back to article
‘Regulation (EU) 2024/1689 of the European Parliament and of the Council of 13 June 2024 laying down harmonised rules on artificial intelligence (Artificial Intelligence Act) (2024) Official Journal L 2024/1689, 13.6.2024.
Search in Google Scholar Back to article
Rustad, M.L. and Koenig, T.H. (2019) ‘Towards a global data privacy standard’, Florida Law Review, 71(2), pp. 365–453. Available at: https://scholarship.law.ufl.edu/flr/vol71/iss2/3 (Accessed: 15 March 2025).
Search in Google Scholar Back to article
Shivhare, S. (2025) ‘Malaysia charts its digital course: a guide to the new frameworks for data protection and AI ethics’, Future of Privacy Forum, 6 July. Available at: https://fpf.org/blog/malaysia-charts-its-digital-course-a-guide-to-the-new-frameworks-for-data-protection-and-ai-ethics/ (Accessed: 7 October 2025).
Search in Google Scholar Back to article
Sudirman, L., Disemadi, H. and Aninda, A. (2023) ‘Comparative analysis of personal data protection laws in Indonesia and Thailand: a legal framework perspective’, JED (Jurnal Etika Demokrasi), 8(4), pp. 497–510. Available at: https://doi.org/10.26618/jed.v8i4.12875
Search in Google Scholar Back to article
Tan, O.S.L., Vergara, R.G. and Khan, S. (2021) ‘Digital tracing and Malaysia’s Personal Data Protection Act 2010 amid the COVID-19 pandemic’, Asian Journal of Law and Policy, 1(1), pp. 47–62. Available at: https://doi.org/10.33093/ajlp.2021.3
Search in Google Scholar Back to article
Tran, N.D. (2011) Quyền con người, quyền công dân trong Nhà nước pháp quyền xã hội chủ nghĩa Việt Nam (Human rights, citizens’ rights in the socialist rule of law state of Vietnam). Hanoi: National Political Publishing House.
Search in Google Scholar Back to article
Tran, V.D. (2024) ‘Bàn về phát triển quy phạm đạo đức trong tiến trình xây dựng pháp luật về trí tuệ nhân tạo’ (On the development of ethical norms in the process of building artificial intelligence legislation), Vietnam Journal of Legal Sciences, 9(181). Available at: https://doi.org/10.70236/tckhplvn.115
Search in Google Scholar Back to article
Tran, V.D. and Le, C.T.Q. (2022) ‘Developing a regulatory framework for autonomous vehicles: a proximal analysis of European approach and its application to ASEAN countries’, TalTech Journal of European Studies, 12(2), pp. 165–188. Available at: https://doi.org/10.2478/bjes-2022-0016
Search in Google Scholar Back to article
Watson, A. (1993) Legal transplants: an approach to comparative law. 2nd edn. Athens, GA: University of Georgia Press.
Search in Google Scholar Back to article
Wong, B. (2019) ‘Data localization and ASEAN Economic Community’, Asian Journal of International Law, 10(1), pp. 158–180. Available at: https://doi.org/10.1017/S2044251319000250
Search in Google Scholar Back to article
Yeung, K. and Bygrave, L.A. (2022) ‘Demystifying the modernized European data protection regime: cross-disciplinary insights from legal and regulatory governance scholarship’, Regulation & Governance, 16(1), pp. 137–155. Available at: https://doi.org/10.1111/rego.12401
Search in Google Scholar Back to article

Global norms and regional innovation: GDPR, evolution of data protection in ASEAN and the legal trajectory of AI in Vietnam

Abstract

Paradigm

My account