The Rise of Southeast Asia as a Digital Powerhouse: AI, Data Infrastructure, and Evolving Legal Landscapes

Written by: Livia Leta Dharmawan and Valerie Elaine Tamzil

Southeast Asia has rapidly transformed into a global hotspot for digital investments, data center expansion, and artificial intelligence (AI) infrastructure development, driven by a digital economy projected to reach &800 billion by 2030. Fueled by rising internet penetration and millions of new digital consumers annually, this growth has spurred skyrocketing demand for data infrastructure. Companies are racing to build facilities to manage the deluge of data generated by this digital boom. However, this rapid expansion also raises critical legal questions, from data protection and cybersecurity to cross-border data governance, prompting governments to modernize regulations that balance innovation with security. Balancing innovation with strong legal safeguards is essential for ensuring technological progress benefits society, particularly in Southeast Asia. Singapore's Personal Data Protection Act (PDPA) of 2012 exemplifies this by governing the collection, use, and disclosure of personal data. It emphasizes user consent, transparency, and accountability through Data Protection officers and policies. The PDPA not only protects consumer rights but also fosters a stable environment that drives digital investments and innovation, significantly boosting the region’s data center and AI sectors.

Conversely, Indonesia is undergoing legal transformation with the adoption of Law No. 27 of 2022, which seeks to modernize its digital and data policies amid rapid technological change. Similar to Singapore's PDPA, it aims to protect personal information and ensure data security. However, uncertainties in Indonesia's evolving legal system may concern investors. This underscores the need for clear regulations to attract digital investments and promote growth while balancing innovation and robust safeguards.

Both Singapore and Indonesia draw inspiration from international standards in shaping their domestic laws. Singapore’s PDPA closely aligns with the European Union’s General Data Protection Regulation (EU’s GDPR), facilitating smoother cross-border data transfers and assuring international investors of high standards. However, businesses face challenges such as compliance costs and navigating different regulatory frameworks. To address these, companies should conduct data audits, appoint Data Protection Officers, implement security measures, and develop clear privacy policies. Singapore’s regulatory stability is further supported by Bilateral Investment Treaties (BIT) and International Investment Agreements (IIA), ensuring fair investor treatment and effective dispute resolution.

Meanwhile, Indonesia’s Law No. 27 of 2022 gradually integrates GDPR but faces challenges in achieving full alignment due to its regulatory system. While frameworks under the United Nations Trade and Development (UNCTAD) aim to protect foreign investments, ongoing legal adjustments create unpredictability compared to Singapore’s settled practices. These contrasts underscore the region’s nuanced journey, where mature and emerging legal systems alike strive to support a booming digital economy while addressing the complexities of data governance, AI ethics, and global interoperability.

The role of GDPR as a set of global standards for data protection influences ASEAN countries to develop their own data privacy laws, which affect foreign direct investment (FDI) in the sector. BIT and IIA protect investors from regulatory changes and ensure compliance with international standards. BIT ensures fair treatment and protection against expropriation while providing dispute resolution through Investor-State Dispute Settlement (ISDS). Meanwhile, IIA includes broader trade agreements with digital trade provisions that facilitate cross-border investments. Indonesia's engagement in BIT or P4M (Perjanjian Promosi dan Perlindungan Penanaman Modal) aligns with UNCTAD’s investor protection framework and includes ISDS provisions.

Furthermore, digital investment views cross-border data flows as a critical aspect. Due to the ASEAN member states implementing varying degrees of data protection laws. The ASEAN Model Contractual Clauses (MCC) provide a standardized framework for data transfers, enabling businesses to operate across multiple jurisdictions with legal certainty. Countries such as the Philippines, Malaysia, and Singapore have adopted stringent data protection frameworks aligned with the GDPR, which influence investment decisions in the region. In contrast, Indonesia’s PDP Law or UU PDP seeks to balance investor interests with national data sovereignty concerns. Indonesia’s approach to cross-border data flows involves strict compliance requirements, as outlined in its PDP Law.

In terms of cybersecurity, they have regulations that play a crucial role in securing the digital investment environment. ASEAN member states adhere to global standards like ISO/IEC 27701:2019 for Privacy Information Management Systems (PIMS), creating a legal framework for valid certification schemes regarding data transfers. These standards enable seamless data flow across multiple countries. Nonetheless, the UNDP (United Nations Development Programme) highlights the necessity of regional cooperation to mitigate cyber threats, particularly in the finance and e-commerce sectors.

Southeast Asia is being positioned as a major hub for digital investments, with its digital economy expected to surpass $1 trillion by 2030. Indonesia’s sovereign wealth fund and Singapore’s Granite Asia plan to invest up to $1.2 billion in the tech sector, while Apple is set to invest nearly $10 million in Indonesia to enhance local production after a sales ban on its latest iPhone model. However, challenges persist, including inadequate infrastructure, low road density, limited cross-border data flow, and issues with digital literacy and access to quality datasets. Legal complexities and regulatory inconsistencies underscore the need for a unified digital investment framework.

Indonesia's digital transformation strategy aims to position the country as a regional leader by leveraging advancements in AI and fintech. Key focuses include infrastructure development, such as investments in broadband, cloud computing, and data centers, to improve connectivity. For foreign investment, establishing a PT PMA (Penanaman Modal Asing) allows foreign investors to operate, but the process is complex and includes bureaucratic delays, ownership restrictions, high taxes, and labor laws. Navigating legal and governance challenges like corruption can be difficult, making thorough planning and local partnerships essential for successful investments.

The legal frameworks governing digital investments in Southeast Asia have undergone significant evolution, increasingly aligning with global standards such as the GDPR. Investor protections, including BITs IIAs, play a crucial role in ensuring fair treatment in cross-border investments. Looking ahead, ASEAN's digital economy holds immense potential, provided it continues to enhance legal frameworks and develops the necessary infrastructure to support this growth.