Data Sovereignty in APAC: Navigating the "Splinternet"
For the last decade, the internet was effectively "borderless." A startup in Saigon could host its database in AWS us-east-1, serve customers in Jakarta, and analyze the data in Singapore.
Those days are over. Architecture is now driven by Geography.
We have entered the era of Data Nationalism.
Between 2021 and 2023, we faced a "Compliance Gridlock." China’s strict PIPL assessments and Vietnam’s Decree 13 effectively froze cross-border data transfers for multinationals. The risk was so high that companies simply stopped moving data.
- China (2021-2023): When PIPL launched (Nov 2021), the only legal way to export data for many companies was a "State Security Assessment." The queue was massive, the approval rate was near zero, and companies effectively froze cross-border data projects out of fear.
- Vietnam (2022-2023): Decree 53 (Oct 2022) and Decree 13 (April 2023) created a similar paralysis. MNCs halted data movements because the "Impact Assessment" forms were confusing and the Ministry of Public Security hadn't clarified the approval process.
Today, the 2025 landscape is more nuanced. Governments have realized that total isolation kills business, so they are moving to a model of "Controlled Permeability."
- China: PIPL (Eased Rules via March 2024 regulations).
- Vietnam: The new Law on Personal Data Protection (PDPL) (Passed June 2025).
- Indonesia: PDP (Personal Data Protection Law).
If you treat Asia as a single region (e.g., "Just put it all in Singapore"), you are architecting for non-compliance. Here is how to design for the Splinternet without destroying your customer experience.
1. Vietnam: The New "GDPR of the East" (2025 Law)
For years, we operated under Decree 13, which was a government order, not a full law.
That changed in June 2025 with the passing of the Law on Protection of Personal Data (PDPL), effective Jan 1, 2026.
The Shift:
- Revenue-Based Fines: The new law introduces fines of up to 5% of global revenue for serious cross-border violations. This moves non-compliance from a "cost of doing business" to an "existential threat."
- Legitimate Interest: Unlike Decree 13 (which required consent for everything), the new PDPL introduces "Legitimate Interest" as a basis for processing, aligning closer to GDPR.
The Architectural Requirement:
You must implement a local "Mirror" or "Residency Pod."
While the law allows data transfer, it maintains the strict requirement that you must be able to provide the data to the Ministry of Public Security (MPS) rapidly upon request.
- Strategy: Store the primary copy in Vietnam (VNPT/Viettel/AWS Hanoi Local Zone) or ensure a real-time hot-sync to a local instance to satisfy the "availability" mandate.
2. China: From "Fortress" to "Green Channel"
The narrative that "Data can never leave China" is outdated.
In March 2024, the CAC (Cyberspace Administration of China) introduced significant exemptions to fix the user experience for cross-border travel and commerce.
The "Green Channel" Exemptions:
You no longer need a rigorous State Security Assessment for:
- Contract Performance: Booking a flight, shipping a package, or processing a payment for a Chinese user traveling abroad.
- HR Management: Transferring employee data to a global HQ.
- Small Volume: Transferring non-sensitive data of fewer than 100,000 people/year.
The Architectural Impact:
You don't need a "Shared Nothing" architecture anymore for standard apps. You need a "Tagged Data" Architecture.
- Tagging: You must tag data as "Common" vs. "Sensitive."
- Routing: "Common" data (Booking confirmation) routes globally to give the user a fast experience. "Sensitive" data (Biometrics, Location history) stays in the Alibaba Cloud/Tencent Cloud instance.
3. The Solution: The "Federated PII" Pattern
How do you obey 10 different laws without building 10 different apps?
You decouple PII (Personally Identifiable Information) from Metadata.
The Old Way (Centralized):
- All data (Name, ID, Transaction Logs) → AWS Singapore.
The New Way (Federated):
- Local PII Stores: You deploy lightweight "Data Residency Pods" in restricted countries (e.g., a local SQL instance in Hanoi, a local instance in Jakarta). These store only the PII (Name, Phone, ID) to satisfy local storage laws.
- Global Metadata Lake: You store the transaction logs, analytics, and non-sensitive data in your central region (Singapore/Tokyo).
- Tokenization: In the Global Lake, the user is identified only by a UUID (e.g., user_123).
- The Bridge: When the app needs to show the user's name, it queries the Local Pod. When it needs to show their order history, it queries the Global Lake.
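The "Tagged Data" routing from section 2 and the Federated PII split from section 3 are the same mechanism seen from two angles, so here is one added example (not code from the original post) that does both: it tags each field as Common, PII or Sensitive, writes PII and Sensitive fields only to a country-local residency pod, stores tokenized Common metadata in the global lake, and implements the bridge lookup. Field names, pod regions and the sample record are constructed assumptions; the dicts stand in for real databases.

```python
"""Federated PII with Common/Sensitive tagging. Added example, not code from
the original post; field names, pod regions and sample data are constructed."""
import uuid

# Constructed field classification; a real one comes from your data inventory.
PII_FIELDS = {"name", "phone", "national_id"}           # stays in the local pod
SENSITIVE_FIELDS = {"biometrics", "location_history"}   # stays in the local pod
# Any other field is "Common" and may be routed to the global metadata lake.
# Constructed residency map: country -> local pod (dicts stand in for databases).
POD_REGION = {"VN": "hanoi-pod", "CN": "cn-pod", "ID": "jakarta-pod"}
local_pods = {region: {} for region in POD_REGION.values()}
global_lake = {}  # token -> Common fields only

def classify(field):
    if field in SENSITIVE_FIELDS:
        return "sensitive"
    if field in PII_FIELDS:
        return "pii"
    return "common"

def ingest(country, record):
    """Split one user record; return the opaque token used in the global lake."""
    if country not in POD_REGION:
        # Fail closed: with no residency pod we refuse rather than store PII globally.
        raise ValueError(f"no residency pod configured for {country}")
    token = str(uuid.uuid4())
    local, common = {}, {"residency": country}  # the bridge needs the pod location
    for field, value in record.items():
        (common if classify(field) == "common" else local)[field] = value
    local_pods[POD_REGION[country]][token] = local
    global_lake[token] = common
    return token

def lake_has_pii():
    """Guardrail check: the global lake must never hold PII or Sensitive fields."""
    return any(classify(f) != "common" for row in global_lake.values() for f in row)

def show_profile(token):
    """The bridge: name from the local pod, order history from the global lake."""
    common = global_lake[token]
    pod_row = local_pods[POD_REGION[common["residency"]]][token]
    return {"name": pod_row["name"], "orders": common.get("orders", [])}

def demo():  # constructed Vietnamese user record run through the split
    return ingest("VN", {"name": "Nguyen Van A", "phone": "+84-900-000-000",
                         "national_id": "012345678901", "orders": ["ord-1", "ord-2"],
                         "location_history": ["10.76,106.70"]})
```

`lake_has_pii()` is the check worth wiring into CI or a nightly job: if it ever returns True, a new field was added without a tag and the global lake is now out of scope for the local law.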

4. The Cost of Compliance vs. The Cost of Architecture
This fragmentation introduces Infrastructure Overhead.
Instead of one big RDS instance, you are managing five smaller ones. Your DevOps complexity increases.
The Executive Pitch:
- Option A (Ignore it): We save $5,000/month on servers. Risk: We face fines of 5% of global revenue (Vietnam PDPL) or get blocked by the Great Firewall (China).
- Option B (Federate): We spend $5,000/month extra on complexity. Benefit: We are future-proof and can offer Chinese/Vietnamese users a seamless experience without breaking the law.
Data Sovereignty is no longer a legal checklist. It is a Non-Functional Requirement (NFR) just like Latency or Uptime.
Summary
The days of "Move Fast and Break Things" are over for Data. Now it is "Move Fast and Tag Things Correctly."
- Vietnam: Prepare for the 2025 PDPL. The 5% revenue fine makes local compliance non-negotiable.
- China: Leverage the "Green Channel." You can export data for business necessity (payments/travel), so optimize your UX accordingly.
- Architecture: Stop building one big database. Start building a Federated PII network.