Enhanced data laws in Southeast Asia – opportunities and challenges for data centre operators

Drawn by the rapid pace of digitisation and the surge in demand for cloud-based services in APAC, multinationals are expanding their cloud infrastructure footprint into this region. The Southeast Asia region is proactively seeking to ramp up its data centre industry through foreign investment and is expected to be the fastest growing region for co-location data centres over the next five years. Data centres are therefore becoming a focal point of opportunity for both government and commercial stakeholders.

However, not all developments are advantageous for data centre operators. The global trend towards robust data protection regulations is also taking hold in Southeast Asia, with several markets, particularly Vietnam and Thailand, implementing more stringent security measures for cybersecurity and data protection.

For those data centre operators trying to identify opportunities with an awareness of the key challenges, we highlight three critical regulatory updates for the Southeast Asia region.

01| Vietnam removes foreign investment restrictions on data centres

Vietnam is taking bold steps forward with its new Law on Telecommunications, effective from 1 July 2024. Notably, this legislation removes foreign ownership constraints for data and cloud providers, a significant shift from the previous cap of 49% on foreign investments in various Vietnamese sectors.

This legislative shift addresses long-standing tensions between Vietnam’s local investment restrictions and its obligations under the international trade agreements. The move also addresses international players’ concerns about the ability of domestic data centres to meet the surge in demand and maintain international security standards.

The relaxation of foreign ownership restrictions has been well received by international players in cloud computing and data storage, and some multinational corporations (MNCs) have expressed intentions to invest in domestic data centres in Vietnam.

02| Tightening of Vietnam’s data regime

Before celebrating the recent easing of foreign ownership rules, data centre operators should be aware of another impending legislative change in Vietnam - one which may not be as favourable to international operators. Although the final text is pending release, the publicly available draft of Vietnam's new Data Law suggests it will increase compliance complexity for data centre operators.

• Concerns over enhanced government access: The Data Law, championed by the Ministry of Public Security, has raised concerns by appearing to facilitate greater governmental access to information. Specifically, it grants government entities the power to request data from entities and individuals in “special cases”, such as public emergencies or when data is crucial for fulfilling specific public tasks but not otherwise available. While it also sets responsibilities for government agencies when handling this data, including only using the data for the stated purpose, implementing necessary technical and organisational measures, and destroying it when no longer needed, these obligations are too vague and may not provide sufficient comfort for overseas organisations. 
   
• Increased enforcement risks caused by lack of clarity: Mirroring regulatory dynamics in China, the draft law mandates prior approval for cross-border transfers of “core data” and “important data”, two concepts formulated as having high relevance to Vietnam’s national security yet vaguely defined. Because of that, companies may be required to seek regulatory approval in a broad scope of scenarios that are difficult to foresee. This emphasis on security over operability could lead to heightened uncertainty due to the threat of investigations and enforcement risk, which may ultimately deter foreign investment.

3| Thailand’s data localisation rules

Thailand’s National Cybersecurity Agency (NCSA) released an official notification on cybersecurity standards for cloud systems in mid-September 2024. The notification requires that primary data centres for “high impact data”— although vaguely defined — be situated in Thailand, and backup data centres in Thailand, Southeast Asia, or Hong Kong. 

These localisation requirements may be set both to protect data security and incentivise foreign investment and growth within the region.

With these rules expected to come into effect in September 2026, operators have a window to strategise and optimise their investments of data centres in the region in line with the new compliance requirements. 

Looking ahead

In a global landscape where authorities are continuously balancing data security with economic growth, it is crucial for data centre operators to be aware of practical impacts that these regulations might have on their operations. Businesses operating and using digital infrastructure must regularly reassess their strategies in the region to mitigate compliance risks.

We are currently working with several multinational corporations to analyse these developments. For further guidance or questions, please feel free to reach out. 

Subscribe to Tech Insights to stay informed re future developments.