Have a personal or library account? Click to login
Global norms and regional innovation: GDPR, evolution of data protection in ASEAN and the legal trajectory of AI in Vietnam Cover

Global norms and regional innovation: GDPR, evolution of data protection in ASEAN and the legal trajectory of AI in Vietnam

TalTech Journal of European Studies
Volume 15 (2025): Issue 3 (December 2025)
By: Cong Tran Quoc Le,  Viet Dung Tran and  Dao Phuong Thuy Nguyen  
Open Access
|Dec 2025

References

  1. Alfred, D.N. (2020) Navigating the road ahead: insights into the policy rationale of the PDP (Amendment) Bill 2020. Singapore: Personal Data Protection Commission Singapore. Available at: https://www.pdpc.gov.sg/-/media/Files/PDPC/DPO-Connect/November-20/Navigating-the-Road-Ahead.html (Accessed: 20 May 2025).
    Search in Google ScholarBack to article
  2. Alibeigi, A. and Munir, A.B. (2020) ‘Malaysian Personal Data Protection Act, a mysterious application’, University of Bologna Law Review, 5(2), pp. 363–372. Available at: https://doi.org/10.6092/issn.2531-6133/12441
    Search in Google ScholarBack to article
  3. Amiludin, A., Nurhalisa, S., Prasetya Umara, U. and Hidayatullah, M. (2024) ‘Comparison of protection laws private data in Indonesia, and the Philippines’, Jurisprudence, 14(2), pp. 171–191. Available at: https://doi.org/10.23917/jurisprudence.v14i2.4266
    Search in Google ScholarBack to article
  4. APEC (2019) APEC Cross-Border Privacy Rules (CBPR) policies, rules and guidelines (revised September 2019). Available at: https://cbprs.org/wp-content/uploads/2019/11/4.-CBPR-Policies-Rules-and-Guidelines-Revised-For-Posting-3-16-updated-1709-2019.pdf (Accessed: 20 May 2025).
    Search in Google ScholarBack to article
  5. Artzt, M. and Tran, V.D. (2022) ‘Artificial intelligence and data protection: how to reconcile both areas from the European law perspective’, Vietnamese Journal of Legal Sciences (Ho Chi Minh City University of Law), 7(2), pp. 39–58. Available at: https://doi.org/10.2478/vjls-2022-0007
    Search in Google ScholarBack to article
  6. ASEAN (2016) ASEAN Telecommunications and Information Technology Ministers Meeting (TELMIN): framework on personal data protection. Available at: https://asean.org/wp-content/uploads/2012/05/10-ASEAN-Framework-on-PDP.pdf (Accessed: 20 May 2025).
    Search in Google ScholarBack to article
  7. ASEAN (2021) ASEAN digital masterplan 2025. Jakarta: ASEAN Secretariat. Available at: https://asean.org/wp-content/uploads/2021/09/ASEAN-Digital-Masterplan-EDITED.pdf (Accessed: 20 May 2025).
    Search in Google ScholarBack to article
  8. ASEAN (2023a) Framework for Negotiating ASEAN Digital Economy Framework Agreement. Available at: https://asean.org/wp-content/uploads/2023/09/Framework-for-Negotiating-DEFA_ENDORSED_23rd-AECC-for-uploading.pdf (Accessed: 20 May 2025).
    Search in Google ScholarBack to article
  9. ASEAN (2023b) Leaders’ statement on the development of the ASEAN Digital Economy Framework Agreement (DEFA). Available at: https://asean.org/wp-content/uploads/2023/09/Leaders-Statement-DIGITAL-ECONOMY-FRAMEWORK-AGREEMENT.pdf (Accessed: 20 May 2025).
    Search in Google ScholarBack to article
  10. ASEAN Briefing (2024) ‘Navigating personal data protection in Indonesia’. Available at: https://www.aseanbriefing.com/news/navigating-personal-data-protection-in-indonesia (Accessed: 20 May 2025).
    Search in Google ScholarBack to article
  11. Baker McKenzie (2024a) ‘Malaysia Personal Data Protection (Amendment) Act 2024 to come into force’, Baker McKenzie InsightPlus. Available at: https://insightplus.bakermckenzie.com/bm/data-technology/malaysia-personal-data-protection-amendment-act-2024-to-come-into-force (Accessed: 7 October 2025).
    Search in Google ScholarBack to article
  12. Baker McKenzie (2024b) ‘Thailand: new cross-border data transfer rules officially published as law’, Baker McKenzie InsightPlus. Available at: https://insightplus.bakermckenzie.com/bm/data-technology/thailand-new-cross-border-data-transfer-rules-officially-published-as-law (Accessed: 13 March 2025).
    Search in Google ScholarBack to article
  13. Baker McKenzie (2024c) ‘Thailand: PDPA compliance and challenges—development of the insurance industry in 2024’, Baker McKenzie InsightPlus. Available at: https://insightplus.bakermckenzie.com/bm/financial-institutions_1/thailand-pdpa-compliance-and-challenges-development-of-the-insurance-industry-in-2024 (Accessed: 13 March 2025).
    Search in Google ScholarBack to article
  14. Barocas, S. and Selbst, A.D. (2016) ‘Big data’s disparate impact’, California Law Review, 104(3), pp. 671–732. Available at: https://doi.org/10.2139/ssrn.2477899
    Search in Google ScholarBack to article
  15. Berg, C. (2018) ‘A classical liberal approach to privacy’, in The classical liberal case for privacy in a world of surveillance and technological change. Palgrave Studies in Classical Liberalism. Cham: Palgrave Macmillan, pp. 47–68. Available at: https://doi.org/10.1007/978-3-319-96583-3_3
    Search in Google ScholarBack to article
  16. Bradford, A. (2020) The Brussels Effect: how the European Union rules the world. New York: Oxford University Press. Available at: https://doi.org/10.1093/oso/9780190088583.001.0001
    Search in Google ScholarBack to article
  17. Chik, W.B. (2013) ‘The Singapore Personal Data Protection Act and an assessment of future trends in data privacy reform’, Computer Law & Security Review, 29(5), pp. 554–575. Available at: https://doi.org/10.1016/j.clsr.2013.07.010
    Search in Google ScholarBack to article
  18. Ching, M.R.D., Fabito, B. and Celis, N.J. (2018) ‘Data Privacy Act of 2012: a case study approach to Philippine government agencies’ compliance’, Advanced Science Letters, 24(10), pp. 7042–7046. Available at: https://doi.org/10.1166/asl.2018.12404
    Search in Google ScholarBack to article
  19. Dat, H.L.N.T. and An, C.T.T. (2024) ‘The regulation of data transmission in the digital era: from the European Union’s perspective and implications for Vietnam’, Vietnamese Journal of Legal Sciences, 11(2), pp. 1–13. Available at: https://doi.org/10.2478/vjls-2024-0007
    Search in Google ScholarBack to article
  20. Data Privacy Act (Philippines) (2012) Republic Act No. 10173, Republic of the Philippines Congress of the Philippines, 15 August.
    Search in Google ScholarBack to article
  21. ‘Data Protection Commissioner v. Facebook Ireland Limited and Maximillian Schrems’ (2020) (Schrems II), Case C-311/18, ECLI:EU:C:2020:559, 16 July.
    Search in Google ScholarBack to article
  22. ‘Decree No. 13/2023/ND-CP of the Government on personal data protection (Vietnam)’ (2023) Government Socialist Republic of Vietnam, 17 April.
    Search in Google ScholarBack to article
  23. Desiderio, L. (2021) ‘NPC pushes amendments to Data Privacy Act’, The Philippine Star, 27 June. Available at: https://www.philstar.com/business/2021/06/27/2108309/npc-pushes-amendments-data-privacy-act (Accessed: 7 October 2025).
    Search in Google ScholarBack to article
  24. Digital Policy Alert (2024) ‘DPA Digital Digest: Philippines’. Available at: https://digitalpolicyalert.org/digest/dpa-digital-digest-philippines (Accessed: 7 October 2025).
    Search in Google ScholarBack to article
  25. Draft Law on Cybersecurity (Vietnam) (2025) Available at: https://duthaoonline.quochoi.vn/dt/luat-an-ninh-mang/250714085609949149 (Accessed: 27 May 2025).
    Search in Google ScholarBack to article
  26. EDPB (2018a) Guidelines 2/2018 on derogations of Article 49 under Regulation 2016/679, European Data Protection Board. Brussels: EDPB.
    Search in Google ScholarBack to article
  27. EDPB (2018b) Guidelines 3/2018 on the territorial scope of the GDPR (Article 3)— version adopted after public consultation, European Data Protection Board. Brussels: EDPB.
    Search in Google ScholarBack to article
  28. EDPB (2020) Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data, European Data Protection Board. Brussels: EDPB.
    Search in Google ScholarBack to article
  29. EDPB (2023) Guidelines 07/2022 on certification as a tool for transfers, European Data Protection Board. Brussels: EDPB. Available at: https://www.edpb.europa.eu/system/files/2023-02/edpb_guidelines_07-2022_on_certification_as_a_tool_for_transfers_v2_en_0.pdf (Accessed: 10 January 2025).
    Search in Google ScholarBack to article
  30. European Commission (2021) ‘Adequacy decisions’. Available at: https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions (Accessed: 7 October 2025).
    Search in Google ScholarBack to article
  31. European Commission, Directorate-General for Trade (2024) ‘EU trade relations with Thailand’. Available at: https://policy.trade.ec.europa.eu/eu-trade-relationships-country-and-region/countries-and-regions/thailand_en (Accessed: 6 October 2025).
    Search in Google ScholarBack to article
  32. Eurostat (no date) ‘Population and population change statistics’. Available at: https://ec.europa.eu/eurostat/statistics-explained/index.php?title=Population_and_population_change_statistics (Accessed: 10 January 2025).
    Search in Google ScholarBack to article
  33. Framework Agreement on Comprehensive Partnership and Cooperation between the European Union and its Member States, of the One Part, and the Socialist Republic of Vietnam, of the Other Part (2016) Official Journal L 329/8, 3 December.
    Search in Google ScholarBack to article
  34. ‘Google LLC v. Commission nationale de l’informatique et des libertés (CNIL)’ (2019) Case C-507/17, ECLI:EU:C:2019:772, 24 September.
    Search in Google ScholarBack to article
  35. ‘Google Spain SL and Google Inc. v. Agencia Española de Protección de Datos (AEPD) and Mario Costeja González’ (2014) Case C-131/12, ECLI:EU:C:2014:317, 13 May.
    Search in Google ScholarBack to article
  36. Government of Vietnam (2024) ‘Proposal for the development of the Law on Personal Data Protection’. Available at: https://chinhphu.vn/du-thao-vbqppl/ho-so-denghi-xay-dung-luat-bao-ve-du-lieu-ca-nhan-6312 (Accessed: 7 October 2025).
    Search in Google ScholarBack to article
  37. ‘Government Regulation No. 71 of 2019 on the organization of electronic systems and transactions (Indonesia)’ (2019) State Gazette of the Republic of Indonesia, No. 185, 10 October.
    Search in Google ScholarBack to article
  38. Habibulloh, M. (2025) ‘Digital governance and the right to privacy: a comparative analysis of AI regulation in Southeast Asia and the European Union’, Journal of Law, Policy and Global Development, 1(1), pp. 19–35. Available at: https://doi.org/10.71305/jlpgd.v1i1.333
    Search in Google ScholarBack to article
  39. Infocomm Media Development Authority and Personal Data Protection Commission Singapore (2022) Model AI governance framework. 2nd edn. Available at: https://www.pdpc.gov.sg/help-and-resources/2020/01/model-ai-governance-framework (Accessed: 7 October 2025).
    Search in Google ScholarBack to article
  40. Islam, M.T. and Karim, M.E. (2020) ‘Extraterritorial application of the EU General Data Protection Regulation: an international law perspective’, IIUM Law Journal, 28(2), pp. 531–565. Available at: https://doi.org/10.31436/iiumlj.v28i2.495
    Search in Google ScholarBack to article
  41. Kamara, I. and De Hert, P. (2018) ‘Understanding the balancing act behind the legitimate interest of the controller ground: a pragmatic approach’, Brussels Privacy Hub Working Paper, 4(12). Available at: https://doi.org/10.2139/ssrn.3228369
    Search in Google ScholarBack to article
  42. Kesa, A. and Kerikmäe, T. (2020) ‘Artificial intelligence and the GDPR: inevitable nemeses?’, TalTech Journal of European Studies, 10(3), pp. 68–90. Available at: https://doi.org/10.1515/bjes-2020-0022
    Search in Google ScholarBack to article
  43. Kohl, U. (2022) ‘The long-arm of the GDPR and its inherent weakness – the EDPB’s Guidelines 05/2021 on the interplay of Article 3 and Chapter v. of the GDPR’. Available at: https://doi.org/10.2139/ssrn.4027796
    Search in Google ScholarBack to article
  44. Law No. 27 of 2022 on Personal Data Protection (Indonesia) (2022) Supplement to the State Gazette of the Republic of Indonesia, No. 6820.
    Search in Google ScholarBack to article
  45. Law No. 96/2025/QH15 on Digital Technology Industry (Vietnam) (2025) National Assembly, 26 June.
    Search in Google ScholarBack to article
  46. LawAsia (2025) ‘Thailand: data privacy laws’. Available at: https://law.asia/thailand-data-privacy-laws/ (Accessed: 6 October 2025).
    Search in Google ScholarBack to article
  47. Le, T.Q.C. (2021) ‘Quy định về tự do dữ liệu trong hiệp định thương mại tự do thế hệ mới - tác động đối với pháp luật Việt Nam’ (Regulations on freedom of data in new generation free trade agreements—impact on Vietnamese law), Vietnamese Journal of Legal Sciences, 146(07), pp. 95–106.
    Search in Google ScholarBack to article
  48. Lee, A. (2021) ‘Personal data, global effects: China’s draft privacy law in the international context’, Stanford University DigiChina Project. Available at: https://digichina.stanford.edu/work/personal-data-global-effects-chinas-draft-privacy-law-in-the-international-context/ (Accessed: 7 October 2025).
    Search in Google ScholarBack to article
  49. McKean, R., Magee, J. and de Souze, R. (2025) ‘DLA Piper GDPR fines and data breach survey: January 2025’, DLA Piper. Available at: https://www.dlapiper.com/en-us/insights/publications/2025/01/dla-piper-gdpr-fines-and-data-breach-survey-january-2025 (Accessed: 10 January 2025).
    Search in Google ScholarBack to article
  50. Ministry of Public Security (Vietnam) (2024) ‘Submission No. 246/TTr-BCA-A05 to the Government on the dossier proposing the development of the Personal Data Protection Law’, 17 June. Available at: https://congan.tayninh.gov.vn/vi/chi-tiet-tin-tuc?Id=225214 (Accessed: 24 April 2025).
    Search in Google ScholarBack to article
  51. Norton Rose Fulbright (no date) ‘Overview of Thailand Personal Data Protection Act B.E. 2562 (2019)’. Available at: https://www.nortonrosefulbright.com/en/knowledge/publications/e29d223d/overview-of-thailand-personal-data-protection-act-be2562-2019 (Accessed: 6 October 2025).
    Search in Google ScholarBack to article
  52. OECD (2013) Recommendation of the Council concerning Guidelines Governing the Protection of Privacy and Transborder Flows of Personal Data. Available at: https://legalinstruments.oecd.org/en/instruments/OECD-LEGAL-0188 (Accessed: 24 April 2025).
    Search in Google ScholarBack to article
  53. OECD (2019) Recommendation of the Council on artificial intelligence. OECD Legal Instruments, OECD/LEGAL/0449. Paris: OECD Publishing.
    Search in Google ScholarBack to article
  54. PDPC Malaysia (2022) Personal data protection guidelines on cross-border transfer of personal data (CBPDT), Personal Data Protection Commission Malaysia. Available at: https://www.pdp.gov.my/ppdpv1/en/akta/personal-data-protection-guidelines-on-cross-border-transfer-of-personal-data-cbpdt/ (Accessed: 7 October 2025).
    Search in Google ScholarBack to article
  55. PDPC Singapore (2020) Model AI governance framework, Personal Data Protection Commission Singapore. Available at: https://www.pdpc.gov.sg/help-and-resources/2020/01/model-ai-governance-framework (Accessed: 7 October 2025).
    Search in Google ScholarBack to article
  56. PDPC Singapore (2021) ‘APEC Cross-Border Privacy Rules (CBPR) and Privacy Recognition for Processors (PRP) systems’, Personal Data Protection Commission Singapore. Available at: https://www.pdpc.gov.sg/help-and-resources/2021/10/apec-cross-border-privacy-rules-and-privacy-recognition-for-processors-systems (Accessed: 15 March 2025).
    Search in Google ScholarBack to article
  57. Personal Data Protection Act (Thailand) (2019) B.E. 2562, Government Gazette, No. 136, chapter 69 Gor, 27 May.
    Search in Google ScholarBack to article
  58. Pitogo, V. (2019) ‘National government agency’s compliance on Data Privacy Act of 2012: a case study, Philippines’, Journal of Physics: Conference Series, 1201(1), article 012021. Available at: https://doi.org/10.1088/1742-6596/1201/1/012021
    Search in Google ScholarBack to article
  59. Pramesti, I. and Afriansyah, A. (2020) ‘Extraterritoriality of data protection: GDPR and its possible enforcement in Indonesia’, in Advances in Economics, Business and Management Research: Proceedings of the 3rd International Conference on Law and Governance (ICLAVE 2019). Paris: Atlantis Press, pp. 83–94. Available at: https://doi.org/10.2991/aebmr.k.200321.012
    Search in Google ScholarBack to article
  60. ‘Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)’ (2016) Official Journal L 119/1, 27.4.2016.
    Search in Google ScholarBack to article
  61. ‘Regulation (EU) 2024/1689 of the European Parliament and of the Council of 13 June 2024 laying down harmonised rules on artificial intelligence (Artificial Intelligence Act) (2024) Official Journal L 2024/1689, 13.6.2024.
    Search in Google ScholarBack to article
  62. Rustad, M.L. and Koenig, T.H. (2019) ‘Towards a global data privacy standard’, Florida Law Review, 71(2), pp. 365–453. Available at: https://scholarship.law.ufl.edu/flr/vol71/iss2/3 (Accessed: 15 March 2025).
    Search in Google ScholarBack to article
  63. Shivhare, S. (2025) ‘Malaysia charts its digital course: a guide to the new frameworks for data protection and AI ethics’, Future of Privacy Forum, 6 July. Available at: https://fpf.org/blog/malaysia-charts-its-digital-course-a-guide-to-the-new-frameworks-for-data-protection-and-ai-ethics/ (Accessed: 7 October 2025).
    Search in Google ScholarBack to article
  64. Sudirman, L., Disemadi, H. and Aninda, A. (2023) ‘Comparative analysis of personal data protection laws in Indonesia and Thailand: a legal framework perspective’, JED (Jurnal Etika Demokrasi), 8(4), pp. 497–510. Available at: https://doi.org/10.26618/jed.v8i4.12875
    Search in Google ScholarBack to article
  65. Tan, O.S.L., Vergara, R.G. and Khan, S. (2021) ‘Digital tracing and Malaysia’s Personal Data Protection Act 2010 amid the COVID-19 pandemic’, Asian Journal of Law and Policy, 1(1), pp. 47–62. Available at: https://doi.org/10.33093/ajlp.2021.3
    Search in Google ScholarBack to article
  66. Tran, N.D. (2011) Quyền con người, quyền công dân trong Nhà nước pháp quyền xã hội chủ nghĩa Việt Nam (Human rights, citizens’ rights in the socialist rule of law state of Vietnam). Hanoi: National Political Publishing House.
    Search in Google ScholarBack to article
  67. Tran, V.D. (2024) ‘Bàn về phát triển quy phạm đạo đức trong tiến trình xây dựng pháp luật về trí tuệ nhân tạo’ (On the development of ethical norms in the process of building artificial intelligence legislation), Vietnam Journal of Legal Sciences, 9(181). Available at: https://doi.org/10.70236/tckhplvn.115
    Search in Google ScholarBack to article
  68. Tran, V.D. and Le, C.T.Q. (2022) ‘Developing a regulatory framework for autonomous vehicles: a proximal analysis of European approach and its application to ASEAN countries’, TalTech Journal of European Studies, 12(2), pp. 165–188. Available at: https://doi.org/10.2478/bjes-2022-0016
    Search in Google ScholarBack to article
  69. Watson, A. (1993) Legal transplants: an approach to comparative law. 2nd edn. Athens, GA: University of Georgia Press.
    Search in Google ScholarBack to article
  70. Wong, B. (2019) ‘Data localization and ASEAN Economic Community’, Asian Journal of International Law, 10(1), pp. 158–180. Available at: https://doi.org/10.1017/S2044251319000250
    Search in Google ScholarBack to article
  71. Yeung, K. and Bygrave, L.A. (2022) ‘Demystifying the modernized European data protection regime: cross-disciplinary insights from legal and regulatory governance scholarship’, Regulation & Governance, 16(1), pp. 137–155. Available at: https://doi.org/10.1111/rego.12401
    Search in Google ScholarBack to article
DOI: https://doi.org/10.2478/bjes-2025-0039 | Journal eISSN: 2674-4619 | Journal ISSN: 2674-4600
Journal RSS Feed
Language: English
Page range: 250 - 290
Published on: Dec 12, 2025
Published by: Tallinn University of Technology
In partnership with: Paradigm Publishing Services
Publication frequency: 2 issues per year
Keywords:
AI,
ASEAN,
GDPR,
personal data protection,
Vietnam
Related subjects:
Computer sciences,
Computer sciences, other,
Business and economics,
Political economics,
Political economics, other,
Law,
Law, other,
Social sciences,
Social sciences, other

© 2025 Cong Tran Quoc Le, Viet Dung Tran, Dao Phuong Thuy Nguyen, published by Tallinn University of Technology
This work is licensed under the Creative Commons Attribution-NonCommercial-NoDerivatives 3.0 License.

Previous articleVolume 15 (2025): Issue 3 (December 2025)Next article