Five things to watch in data governance in the Asia-Pacific in 2025

2025 will be a year of rapid changes, to which many will have to adjust. Technologically, we can expect the capabilities and applications of artificial intelligence (AI) systems, including generative AI, to continue to rapidly expand into commerce and society.

We will also see heightened tensions over technology transfers, industrial policy, and export controls from the United States in the realm of advanced technologies such as semiconductor manufacturing and access to cloud-enabled advanced computing capabilities from sanctioned markets.

Companies and organizations, including governments, increasingly will seek the best, most secure, and most cost-effective software-enabled solutions from wherever they are developed or deployed. The need for access to leading foreign-provided services, seamless cross-border data exchange, and the global nature of cloud computing will remain in tension with the protectionist predilections of many countries.

Considering these factors and more, based on my experience engaging with policy makers throughout the Asia-Pacific on data policy for the last 10 years, these are five important regional developments to watch for in digital policy in 2025.

1. Digital trade

We can expect continued robust efforts by Australia, Japan, and Singapore in promoting ambitious digital trade disciplines in the Asia-Pacific region. These countries’ consistent efforts stand in contrast to the start-and-stop approach from the United States. The United States pulled out of the Trans-Pacific Partnership in 2017 and then initiated the Indo-Pacific Economic Framework for Prosperity discussions in 2022, before effectively walking away from any meaningful trade discussions in 2023.

The main questions for 2025 are:

• Will efforts to conclude an ASEAN DEFA result in an ambitious and commercially meaningful arrangement among ASEAN member states, or will efforts to quickly conclude the agreement result in lower-standard outcomes or wide-open exceptions to commitments?
• Will the United States play a constructive role in digital trade discussions in the region, or will it remain on the sidelines of the emerging regional economic architecture?

2. Regional backsliding on digital trade

Another important area to watch is whether, instead of building on previous generations of digital trade agreements, such as the commitments in the e-commerce and other chapters of the Comprehensive and Progressive Trans-Pacific Partnership (CPTPP), the region will backslide.

Two illustrative symptoms of backsliding in the APAC region would be:

• The conclusion of a low-ambition ASEAN DEFA that uses the exceptions and limitations provisions from the Regional Comprehensive Economic Partnership (RCEP) or sidesteps commercially meaningful commitments on data transfers, data localization, source code disclosure requirements, the imposition of customs duties on electronic transmissions, and other crucial disciplines instead of building on the CPTPP and Singapore-led digital economy agreements.
• The accession to the CPTPP and DEPA of countries with domestic policies known to run counter to the letter and spirit of these two agreements.

Both scenarios will significantly hinder efforts to knit together a regional consensus on digital trade and best practices for domestic policy.

3. The proliferation of AI-related policies

Countries throughout the Asia-Pacific have been concerned about AI-related policies for over half a decade, with efforts in Australia, India, Japan, Korea, Singapore, and many others to promote ethical AI, transparency, fairness, and explainability — meaning the ability of an AI model to produce output that humans can understand — while reducing the risks associated with bias in the recommendations of predictive algorithms. With the November 2022 launch of ChatGPT and the explosion of attention on large language models and generative AI, the pressure on policy makers to identify and address the perceived risks of AI is greater than ever. Most policy makers throughout the Asia-Pacific are keenly aware of the transformational potential of AI on economic development and productivity and appear to be highly reluctant to introduce legally binding rules limiting AI without thoroughly considering the costs and benefits of such rules.

Many countries, with Singapore as a prime example, have focused on providing detailed guidance to companies, especially small companies and start-ups, and citizens, without imposing legally binding obligations.

Two, in the absence of cross-cutting legal frameworks that provide comprehensive and centralized approaches to AI regulation, we are likely to see a proliferation of sector-based rules. Without a general "whole of government" approach and proper coordination, this could lead to a patchwork of rules and requirements within each country, compounding the challenges companies face with the lack of regulatory interoperability at the international level. Examples may include rules on AI and privacy, AI and consumer protection, AI and competition, and AI and intellectual property.

We can also expect sector regulators, such as bodies regulating financial, healthcare, or educational organizations, to issue more rules for the use of AI in their respective domains. As is frequently the case, the technology providers of AI solutions are often not the regulated entities, and without adequate and broad consultations, such rules may not be well aligned with national priorities or well informed by technology providers themselves.

4. Enhanced concerns around cyber resilience

2025 will see an exacerbation of cyber incidents and attacks. Between the increased nature and severity of criminal cyber-attacks and the increased risks in the near or medium term of state-backed cyber-attacks in the context of espionage or sabotage, governments are rightly concerned about developing and implementing policies that could "harden" their infrastructure against such attacks.

Specific areas of concern include:

• Unnecessary fragmentation internationally and within markets in cybersecurity controls required to demonstrate minimum cybersecurity capabilities;
• Reluctance to recognize international certifications for existing internationally recognized cybersecurity standards and controls;
• Varying and uncoordinated auditing requirements; and
• Lack of consistency in cybersecurity incident notification and reporting requirements.

As many cloud computing and software-enabled service providers offer services across sectors in many countries, intra- and international policy fragmentation drastically increases costs with no concomitant increase in cybersecurity. Worse, in the case of unwieldy and unaligned incident notification requirements, such fragmentation imposes burdens on providers exactly when they are trying to respond to and mitigate incidents. This may compromise the effectiveness of their responses, thus harming cybersecurity capabilities, resilience, mitigation, and response.

2025 will require enhanced vigilance by cloud computing and software-enabled service providers to actively identify and engage in policymaking, especially in the areas of critical infrastructure protection and public sector procurement. Because many IT service providers are not the regulated entities, as with the example regarding AI above, they often receive requests to comply with government-imposed requirements by their critical infrastructure customers that were designed without the affected industry’s input.

5. How the United States engages in the region

The first Trump administration also revived and elevated the Quadrilateral Security Dialogue, a diplomatic partnership between Australia, India, Japan, and the United States. The Quad has a focus on security matters, including cybersecurity, and is another avenue for the United States to exert technology policy leadership in the region.

One important question is whether discussions would focus on formalizing trade, technology, or cybersecurity agreements among "like-minded" markets (e.g., Australia, New Zealand, Japan, Singapore, the United States, and possibly Taiwan). Or would the Trump administration seek to include a much broader range of markets in the region, including countries that might be skeptical or resistant to binding commitments on digital trade and cybersecurity, including India, Indonesia, and Vietnam?

And even if the new administration does pursue robust negotiations with regional partners over digital trade, will trading partners in the region trust and invest in such efforts given the false starts and reversals of US policy in the past?

Conclusion

2025 will be an important year for data policy in the Asia-Pacific region and the globe. The pace of activity, the impact of uncertain events, and the risk of policy fragmentation both within countries and between markets will make effective industry engagement critical. We need to recognize that many of the policy drivers (concerns about consumer safety and the societal or economic impact of technology, the impact of AI on jobs, creativity, and education, among others, and the rapidly increasing threat of disruptive cyber events) are legitimate, even if they lead to or justify problematic policies.

If industry is to effectively resist rising trends toward "techno-nationalism", "digital sovereignty", and other protectionist tendencies, we will have to recognize the legitimate concerns of policy makers and come up with meaningful solutions.

Absent effective engagement in this regard we may see more intra- and international policy fragmentation in data policy. This will lead to unnecessary costs and delays in the critically important objective of digital transformation. Ultimately, this will come at the expense of services, security, and economic growth for consumers, businesses, nations, and regional stability.

© The Hinrich Foundation. See our website Terms and conditions for our copyright and reprint policy. All statements of fact and the views, conclusions and recommendations expressed in this publication are the sole responsibility of the author(s).