Southeast Asian Economic Bloc issues Guides on Data Anonymisation, Data Transfers, and Generative AI
The rapid advancement of technology has necessitated robust frameworks and guidelines to ensure responsible anonymisation, secure personal data transfers, and ethical AI governance. The Association of Southeast Asian Nations (“ASEAN”) economic bloc, whose members include Singapore, Indonesia, Malaysia, Vietnam, Thailand, Philippines, Brunei, Cambodia, Laos and Myanmar, has recently issued three Guides, namely (1) the Joint Guide to ASEAN and Ibero-American Data Protection Network Model Contractual Clauses; (2) the Expanded ASEAN Guide on AI Governance and Ethics – Generative AI; and (3) the ASEAN Guide on Data Anonymisation. The Guides provide comprehensive insights and recommendations aimed at fostering a secure, ethical, and collaborative digital environment across ASEAN member states. From a practical perspective, the Guides provide a framework and alignment of the laws that are in place or may be enacted in ASEAN member countries.
Joint Guide to ASEAN and Ibero-American Data Protection Network Model Contractual Clauses
The Joint Guide to ASEAN and Ibero-American Data Protection Network (“RIPD”) Model Contractual Clauses offers a comprehensive framework for the transfer of personal data between ASEAN countries, and Ibero-American countries that are members of the RIPD. RIPD members include Mexico, Andorra, Spain, Argentina, Chile, Colombia, Costa Rica, Panama, Ecuador, Peru, Brazil, Uruguay, and Portugal.
The Guide complements the ASEAN and RIPD model contractual clauses (“MCCs”) by allowing data exporters and importers in these regions to harmonize the ASEAN and RIPD MCCs. MCCs are model standard contractual clauses that allow data exporters and importers to comply with the applicable data transfer limitations in the data protection laws of the respective regions.
Data exporters and importers in the ASEAN and RIPD regions can refer to this Guide to better evaluate how to modify and integrate the ASEAN and RIPD MCCs to help ensure compliance with applicable data protection laws.
The Guide is divided into three parts: (1) general considerations, which include what parties must consider when entering into the ASEAN and RIPD MCCs and how such MCCs should be interpreted; (2) obligations for controller-to-controller transfers; and (3) obligations for controller-to-processor transfers.
The second and third parts of the Guide cover key concepts such as data protection safeguards, data subject rights, compliance, dispute resolution, and termination. By comparing the MCCs, the Guide aims to ensure a high level of protection for personal data during international transfers, fostering trust and collaboration between ASEAN and Ibero-American countries under the RIPD.
Expanded ASEAN Guide on AI Governance and Ethics – Generative AI
The Expanded ASEAN Guide on AI Governance and Ethics – Generative AI focuses on the governance and ethical considerations of generative AI (“Gen AI”) within ASEAN. This Guide should be read with the ASEAN Guide on AI Governance and Ethics (2024), which serves as a practical guide on AI technologies in general.
The Guide identifies six key risks associated with Gen AI and provides some policy recommendations to address such risks and promote the responsible adoption of Gen AI:
- Mistakes and anthropomorphism – AI may “hallucinate”, generating output based on perceived but incorrect patterns because it lacks the ability to discern the truth.
- Factually inaccurate responses – AI may generate erroneous responses due to, among other things, incorrect and/or insufficient inputs or prompts provided.
- Deepfakes, impersonation, fraudulent and malicious activities – AI can be used to generate realistic content for nefarious purposes such as to scam individuals.
- Infringement of intellectual property rights – works or material protected by intellectual property rights may be illegally or improperly used to train AI systems.
- Privacy and confidentiality – AI may be mistakenly trained using or provided with confidential data, or used to reconstruct sensitive information.
- Propagation of embedded biases – AI systems may exhibit biases from their training data, which may lead to biased outputs.
The Guide emphasises the importance of accountability, trust, security and the safe and ethical development and use of AI to address the risks above. It also highlights the need for regional coordination and alignment with global best practices. By offering detailed policy recommendations and use cases, the Guide aims to support ASEAN member states in harnessing the benefits of Gen AI while mitigating its risks, ultimately fostering a trusted and ethical AI ecosystem in the region.
ASEAN Guide on Data Anonymisation
The ASEAN Guide on Data Anonymisation serves as a technical and application-oriented resource regarding data anonymisation concepts and techniques aimed at policymakers, regulators, and industry organisations within ASEAN member states.
The Guide outlines the anonymisation process, key concepts, and terminology, providing a foundational understanding of how personal data should be converted into non-identifiable data.
The Guide emphasises that while data anonymisation may not be a specific legal requirement under many data protection laws in the ASEAN region, it is an important means for the protection of personal data, facilitating compliance with applicable laws, and enabling safer data sharing and collaboration.
The Guide details a five-step anonymisation process:
- First, review the data to determine what can be anonymised and whether it is suitable for anonymisation.
- Second, de-identify the data by removing all direct identifiers (unique data attributes that can lead to an individual’s identification, such as a full name or national identification number).
- Third, apply anonymisation techniques to indirect identifiers (non-unique data attributes that may lead to an individual’s identification when combined with other data, such as date of birth or age).
- Fourth, evaluate risks through a risk assessment by considering various factors and the possibility of attacks on the anonymised data.
- Fifth, manage residual risks by implementing appropriate contractual, administrative and/or technical controls.
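Steps two to five of the process above can be sketched in code. The following is an added illustration, not taken from the Guide: the sample records, the field names (including the hypothetical postcode field), the use of k-anonymity as the risk measure, and record suppression as the technical control are all assumptions made for the example.

```python
from collections import Counter

# Constructed sample records; field names and values are illustrative only.
RECORDS = [
    {"full_name": "Person A", "national_id": "ID-0001", "date_of_birth": "1984-03-12", "postcode": "560123", "diagnosis": "asthma"},
    {"full_name": "Person B", "national_id": "ID-0002", "date_of_birth": "1987-11-02", "postcode": "560456", "diagnosis": "diabetes"},
    {"full_name": "Person C", "national_id": "ID-0003", "date_of_birth": "1991-06-30", "postcode": "730001", "diagnosis": "asthma"},
    {"full_name": "Person D", "national_id": "ID-0004", "date_of_birth": "1995-01-15", "postcode": "730222", "diagnosis": "migraine"},
    {"full_name": "Person E", "national_id": "ID-0005", "date_of_birth": "1962-09-09", "postcode": "120987", "diagnosis": "gout"},
]
DIRECT_IDENTIFIERS = ("full_name", "national_id")
QUASI_IDENTIFIERS = ("birth_decade", "postcode_area")  # indirect identifiers after step 3

def deidentify(record):
    """Step 2: remove direct identifiers outright."""
    return {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}

def generalise(record):
    """Step 3: coarsen indirect identifiers (date of birth to decade, postcode to area)."""
    out = dict(record)
    year = int(out.pop("date_of_birth")[:4])
    out["birth_decade"] = f"{year // 10 * 10}s"
    out["postcode_area"] = out.pop("postcode")[:2] + "****"
    return out

def class_sizes(rows):
    """Count how many records share each combination of indirect identifiers."""
    return Counter(tuple(r[q] for q in QUASI_IDENTIFIERS) for r in rows)

def k_anonymity(rows):
    """Step 4: smallest group size; k == 1 means at least one record is unique."""
    sizes = class_sizes(rows)
    return min(sizes.values()) if sizes else 0

def suppress_small_classes(rows, k_min):
    """Step 5 (one technical control): withhold records in groups smaller than k_min."""
    sizes = class_sizes(rows)
    return [r for r in rows if sizes[tuple(r[q] for q in QUASI_IDENTIFIERS)] >= k_min]

def anonymise(records, k_min=2):
    rows = [generalise(deidentify(r)) for r in records]
    released = suppress_small_classes(rows, k_min)
    return {"k_before": k_anonymity(rows), "k_after": k_anonymity(released), "released": released}

if __name__ == "__main__":
    result = anonymise(RECORDS)
    print(result["k_before"], result["k_after"], len(result["released"]))
```

Generalisation alone leaves one record unique on its indirect identifiers in this sample, which is why the risk evaluation is run before release and the residual-risk control afterwards.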
The Guide highlights the importance of documentation and assessments throughout the anonymisation process. By providing a structured approach to data anonymisation, the Guide aims to build trust in data protection practices, promote data sharing, and enhance privacy safeguards across the ASEAN region.
Conclusion
The three guides provide frameworks for addressing the challenges and opportunities associated with data protection and use of AI technology in the ASEAN region. Such guides will be particularly helpful for stakeholders seeking a centralised or unified approach to ASEAN operations, and in the case of the Joint Guide to ASEAN and RIPD MCCs, for a unified approach when dealing with the transfer of personal data in the ASEAN and RIPD regions. By promoting best practices, standardising approaches and offering detailed policy recommendations, the guides aim to foster a secure, ethical, and collaborative digital landscape. As technology continues to evolve, these guidelines will play a crucial role in ensuring that ASEAN member states can navigate the complexities of data protection and AI governance effectively.
The information provided above does not, and is not intended to, constitute legal advice pertaining to the guides; information, content, and materials stipulated above are based on our reading of the amendments and are for general informational purposes only.