While the transformation of automobiles into data-generating “smartphones on wheels” has revolutionized mobility, it has also raised critical concerns over data privacy and sovereignty. Equipped with sensors and connected technologies, smart vehicles collect vast amounts of data, including personal information, driving patterns, and biometric identifiers. While auto-exporting jurisdictions such as the United States, the European Union, and China have introduced regulatory measures to address these challenges, countries importing smart vehicles remain vulnerable due to their limited influence over the auto companies’ integrated technology and data policies.

This Article examines the regulatory and economic challenges faced by developing nations integrating foreign-designed smart vehicles, with a focus on Southeast Asia’s rapid adoption of Chinese electric vehicles. Using Thailand as a case study, it highlights the urgent need for regulatory frameworks that balance data protection with economic growth. By analyzing approaches from the three dominant auto-exporting jurisdictions, this Article explores how regional cooperation and adaptive regulatory strategies can help developing nations assert greater control over smart vehicle data governance.

I. Introduction

The transformation of automobiles from mechanical transportation to data-collecting and generating devices represents one of the most significant shifts in mobility. This evolution blurs the line between carmaker and technology firm, exemplified by what The Economist calls Tesla’s “identity crisis.”¹Schumpeter, Tesla Faces an Identity Crisis: Carmaker or Tech Firm?, The Economist (Apr. 24, 2024), https://www.economist.com/business/2024/04/24/tesla-faces-an-identity-crisis-carmaker-or-tech-firm. The classification of this identity has profound implications: it determines whether companies are valued as traditional manufacturers or as tech platforms, which in turn shapes investor expectations on growth models and profit margins. This ambiguity also forces policymakers to grapple with how to regulate firms in this evolving industry—a decision affecting everything from foreign investment and supply chain security to data governance. Highlighting this shift, Tesla’s CEO Elon Musk asserted in 2024 that modern vehicles are essentially mobile computing devices.²Andrew J. Hawkins, Elon Musk Wants to Turn Tesla’s Fleet into AWS for AI – Would It Work?, The Verge (Apr. 24, 2024), https://www.theverge.com/24139142/elon-musk-tesla-aws-distributed-compute-network-ai. Along these lines, the U.S. Commerce Secretary aptly describes these autos as smartphones on wheels,³Matthew Daly, Biden Orders US Investigation of National Security Risks Posed by Chinese-Made ‘Smart Cars’, AP. (Feb. 29, 2024). https://apnews.com/article/china-electric-vehicles-privacy-personal-data-biden-844f2406512b94212ee1a92a61e5a33a. a characterization that underscores the profound data protection implications for both the industry and its consumers.

As 97 percent of vehicles globally now feature smart screens and sophisticated sensors, they collect unprecedented amounts of personal data—from driving patterns and location histories to biometric information and connected device data.⁴Kashmir Hill, Automakers Are Sharing Consumers’ Driving Behavior with Insurance Companies, N.Y. Times (Mar. 11, 2024, updated Mar. 13, 2024), https://www.nytimes.com/2024/03/11/technology/carmakers-driver-tracking-insurance.html. A Mozilla study declared cars the “worst product category” reviewed for privacy and revealed that modern vehicles collect more personal data than many other consumer devices.⁵Jen Caltrider, Misha Rykov & Zoë MacDonald, It’s Official: Cars Are the Worst Product Category We Have Ever Reviewed for Privacy, Mozilla Found. (Sept. 6, 2023), https://foundation.mozilla.org/en/privacynotincluded/articles/its-official-cars-are-the-worst-product-category-we-have-ever-reviewed-for-privacy. With the global fleet of connected vehicles now exceeding 400 million, almost doubling the total from 2021,⁶Mathlide Carlier, Connected Cars Worldwide – Statistics & Facts, Statista (Apr. 2, 2025), https://www.statista.com/topics/1918/connected-cars/#topicOverview. the stakes are only higher.

Countries that develop and design smart vehicles often benefit from greater awareness of the data-related implications and have begun implementing measures to address these concerns. For example, the United States (U.S.) has issued investigative orders to examine these issues, and a European Union (EU) data protection authority has flagged smart vehicles in their authoritative guidelines. China has enacted stringent measures, including restrictions on foreign vehicles in sensitive governmental areas and regulations mandating data localization.⁷See Infra Part III.

In contrast, countries that are not home to smart automakers, many of which are in the Global South, face distinct challenges. These nations typically have minimal influence over the technological design and data policies attached to the vehicles, despite increasingly relying on vehicles for economic development. As smaller economies, they hold limited bargaining power in negotiations with foreign auto corporations. This dynamic is particularly visible in Southeast Asia, especially Thailand, where the rapid expansion of Chinese automotive manufacturers has significantly reshaped the market. In Thailand, sales of Chinese smart vehicles surged nearly eightfold in 2023,⁸Kenya Akama, Chinese EV Makers Bring Price War to Thailand Even as Sales Sag, Nikkei Asia (May 7, 2024), https://asia.nikkei.com/Business/Automobiles/Chinese-EV-makers-bring-price-war-to-Thailand-even-as-sales-sag. yet the data governance implications of this automotive influx remain largely unexamined. Therefore, this Article examines the critical data privacy and sovereignty challenges confronting these vehicle-importing nations. It argues that to mitigate these risks, they must develop tailored regulatory frameworks designed to govern the cross-border flow of automotive data.

This Article is organized into four parts. Part II explores the rise of smart vehicles, with a particular focus on Southeast Asia, using Thailand as a detailed case study. Part III delves into the data protection challenges posed by smart vehicles, addressing both data privacy and sovereignty concerns. It also provides an overview of regulatory measures adopted by jurisdictions involved in the design and production of these vehicles, offering potential examples for importing countries to consider. Finally, Part IV provides recommendations for reimagining data governance frameworks to better align with the needs and priorities of developing nations.

II. The Rise of Smart Cars

The global automotive industry is undergoing a profound transformation, driven by advancements in digital connectivity. Consulting firm McKinsey projects that by 2030, 95 percent of all new vehicles sold will be connected, a sharp increase from 50 percent in 2021.⁹Michele Bertoncello et al., Car Data Can Help Mobility Players Along the Entire Value Chain—But They Need to Act Now, McKinsey (Feb. 11, 2021), https://www.mckinsey.com/industries/automotive-and-assembly/our-insights/unlocking-the-full-life-cycle-value-from-connected-car-data. This shift is particularly evident in the rise of electric vehicles (EVs), which increasingly function as software-defined vehicles, cars that rely on software for core operations and enhanced functionality.¹⁰June Yoon, Connected Cars Pose Real Risks, Fin. Times (Oct. 1, 2024), https://www.ft.com/content/cee6b772-508d-438c-925a-d415e867b1f5. Connectivity and data-driven capabilities are now essential features of modern automobiles.

A. Smart Cars: Cars with Data and Connectivity

Two decades ago, most vehicles lacked built-in satellite navigation, let alone the updatable systems now standard in modern cars. The introduction of infotainment systems with integrated navigation marks a turning point, initially receiving live traffic data via radio signals and later through built-in data connections.¹¹James Morris, Connected Cares Are Just as Revolutionary as Electric Vehicles, Forbes (Mar.12, 2022), https://www.forbes.com/sites/jamesmorris/2022/03/12/connected-cars-are-just-as-revolutionary-as-electric-vehicles. Today, many vehicles integrate a growing array of sensors with external services, enabling continuous data exchange between the car and external networks.¹²Id.

Smart cars, or connected vehicles,¹³This paper uses the terms smart cars and connected vehicles interchangeably. are defined by two distinct characteristics: they are data-intensive and possess pervasive connectivity. First, these vehicles generate and process a vast amount of information. This includes external sensor data, such as images and ultrasonic readings from the car’s surroundings; internal diagnostic data, detailing everything from engine performance to tire pressure; and granular data about the driver’s behavior.¹⁴Sylvia Zhang, Who Owns the Data Generated by Your Smart Car?, 32 Harv. J.L. & Tech. 299, 303 (2018). Also, by collecting and synthesizing information on the user’s physical movements (location history), digital habits (in-app activity), and the outside world, modern data science can be used to further infer a significant amount of sensitive information about the driver.¹⁵Id. at 304

Second, connected vehicles use sensors and data recorders to link with the internet, other devices, and surrounding infrastructure, allowing them to integrate with a wide range of digital platforms and applications.¹⁶Id. at 302. Operating as Internet of Things (IoT) devices, smart vehicles are equipped with data transmission nodes that enable continuous internet connectivity.¹⁷Olivia Dworkin, Jorge Ortiz & Nicholas Xenakis, Regulatory Frameworks for Smart Mobility: Current U.S. Regulation of Connected and Automated Vehicles and the Road Ahead, 2023 J. L. & Mob. 1, 2 (2023). They facilitate communication across multiple channels, including vehicle-to-vehicle (V2V), vehicle-to-infrastructure (V2I), and the broader vehicle-to-everything (V2X) framework, encompassing networks, devices, pedestrians, grids, and cloud systems.¹⁸Id. Additionally, connected vehicles transmit data to their owners or manufacturers, providing diagnostic insights and operational status updates.¹⁹Id.

B. Market Trends in Southeast Asia

Southeast Asia is rapidly emerging as a pivotal battleground in the global EV industry supply chain. Chinese automakers have gained a significant foothold in the region, leveraging strategic advantages to outpace incumbent Japanese firms.²⁰Sayumi Take & Yuichi Shiga, Japan’s Automakers Lose Market Share in China, Thailand as EVs Spread, Nikkei Asia (Aug. 8, 2024), https://asia.nikkei.com/Business/Automobiles/Japan-s-automakers-lose-market-share-in-China-Thailand-as-EVs-spread; Daisuke Wakabayashi, River Akira Davis & Claire Fu, Japan Built Thailand’s Car Industry. Now China Is Gunning for It., N.Y. Times (July 30, 2024), https://www.nytimes.com/2024/07/30/business/japan-thailand-cars.html By 2024, Chinese manufacturers accounted for approximately 75 percent of Southeast Asia’s EV market.²¹Li Xirui, How China’s EVs are Taking Thailand by Storm, The Diplomat (Feb. 7, 2024), https://thediplomat.com/2024/02/how-chinas-evs-are-taking-thailand-by-storm. Reflecting the pressures of this shifting landscape, Japanese automakers Honda and Nissan entered merger discussions in 2024, citing “challenges from Tesla and Chinese rivals.”²²Kantaro Komiya, Honda, Nissan Aim to Merge by 2026 in Historic Pivot, Reuters (Dec. 23, 2024), https://www.reuters.com/markets/deals/honda-nissan-set-announce-launch-integration-talks-media-reports-say-2024-12-22.

The Southeast Asia region, and Thailand in particular, serves as an ideal case for examining how import-dependent developing nations navigate smart vehicle data governance challenges amid geopolitical tensions.²³Daisuke Wakabayashi & Claire Fu, Chinese E.V. Makers Rush In and Upend a Country’s Entire Auto Market, N.Y. Times (July 30, 2024), https://www.nytimes.com/2024/07/30/business/chinese-electric-vehicles-thailand.html; John Lee, Southeast Asia Can Navigate Growing Fractures in Global Automotive Sector, Fulcrum (Feb. 27, 2025), https://fulcrum.sg/southeast-asia-can-navigate-growing-fractures-in-global-automotive-sector. Thailand has become a key hub for Chinese automakers, driven by the government’s strategic push for EV adoption to maintain its status as the “Detroit of Southeast Asia.”²⁴Lionel Lim, Thailand, The ‘Detroit of Southeast Asia,’ Is at the Forefront of China’s Battle for the Global Auto Maker, Fortune (Nov. 24, 2024), https://fortune.com/asia/2024/11/24/thailand-china-electric-vehicles-asia-automakers; T.J., Detroit of the East: The South-East Asian Country Has Attracted Many Foreign Carmakers. Will They Stay?, Economist (Apr. 4, 2013), https://www.economist.com/schumpeter/2013/04/04/detroit-of-the-east. As a result, Chinese automakers have rapidly gained dominance in the Thai EV market, with their models accounting for approximately 80 percent of all EVs sold in the country by 2023.²⁵Li Fusheng, Thailand Emerging as Strategic Market for Chinese Automakers, China Daily (Sep. 23, 2024), https://www.chinadaily.com.cn/a/202409/23/WS66f0cb12a3103711928a9327.html. Thailand now dominates regional EV sales with a 78.7% market share, supported by a well-established midstream and downstream market that includes vehicle manufacturing and retail networks.²⁶Wanicha Direkudomsak, EVs in ASEAN: Thailand vs. Indonesia – Leading and Rising EV Production Hub, Krungsri Rsch. (Jul. 3, 2024), https://www.krungsri.com/en/research/research-intelligence/evs-in-asean-2024.

Beyond sales, Chinese manufacturers are expanding their production footprint in Thailand. For instance, Great Wall Motor plans to source up to 90 percent of its auto components from local suppliers, while BYD has launched operations at its Thai plant—its first factory in Southeast Asia.²⁷Id. These investments solidify Thailand’s role as a regional base for Chinese EV production, although the government’s subsidies have faced some pushback from existing auto industry stakeholders concerned about oversupply and potential price wars.²⁸Apornrath Phoonphongphiphat, Thai Subsidies for Chinese EV Makers Wreak Havoc on Auto Sector: Massive Oversupply Forces Legacy Thai Companies to Cut Production or Close Down, Nikkei Asia (July 28, 2024), https://asia.nikkei.com/business/automobiles/electric-vehicles/thai-subsidies-for-chinese-ev-makers-wreak-havoc-on-auto-sector.

Thailand’s situation is particularly illustrative because it lacks a “national champion” automotive brand, unlike Vietnam’s VinFast—which has successfully entered global markets including the United States,²⁹Angel Hsu, Finding the Sweet Spot Amidst Major Power Rivalry: The Case of Vinfast, Fulcrum (Nov. 15, 2024), https://fulcrum.sg/finding-the-sweet-spot-amidst-major-power-rivalry-the-case-of-vinfast. as supported by Vietnam’s national champion strategy³⁰Nguyen Khac Giang, Grooming New Champions: To Lam Prepares for Private Sector-Led Growth in Vietnam, Fulcrum (Aug. 19, 2025), https://fulcrum.sg/grooming-new-champions-to-lam-prepares-for-private-sector-led-growth-in-vietnam.—or Malaysia’s Proton which has recently launches its first EV car.³¹Malaysia’s Proton Launches Its First Electric Vehicle, Reuters (Dec. 16, 2024), https://www.reuters.com/business/autos-transportation/malaysias-proton-launches-its-first-electric-vehicle-2024-12-16; Pritish Bhattacharya & Francis E. Hutchinson, Shifting to a Higher Gear: The Saga of Malaysia’s National Carmaker Proton, Trends in Southeast Asia No. 9/2024 (ISEAS–Yusof Ishak Inst. 2024). Thailand has a history of supporting the expansion of foreign automotive manufacturing. In the 1980s, Thailand attracted substantial investment from Japanese automakers like Toyota and Nissan following the Plaza Accord, which compelled Japan to relocate manufacturing abroad.³²See Wanna Yongpisanphob, Industry Outlook 2023–2025: Automobile Industry, Krungsri Rsch. (May 25, 2023), https://www.krungsri.com/en/research/industry/industry-outlook/hi-tech-industries/automobiles/io/io-automobile-2023-2025. Thailand’s rise as an automotive manufacturing plant was driven by a combination of export-friendly policies, competitive labor costs, and a favorable geographic location that made it more attractive than its regional peers.³³ Richard F. Doner, Gregory W. Noble & John Ravenhill, The Political Economy of Automotive Industrialization in East Asia 93 (2021); Tai Wan-Ping, The Political Economy of the Automobile Industry in ASEAN: A Cross-Country Comparison, 4 J. ASEAN Stud. 34, 49-50 (2016). However, despite this long-standing manufacturing legacy, critical technological know-how—and, consequently, any associated influence over data and technology policymaking—has remained with the foreign corporations. This is best exemplified by Thailand’s lack of a domestic auto brand, indicating that decades of production have not translated into national ownership.

III. Data Governance Implications Posed by Smart Cars

Smart cars—vehicles equipped with internet connectivity—collect and generate an unprecedented volume of data through integrated features such as in-car applications, remote functionalities, GPS navigation, and Wi-Fi hotspots.³⁴See Sara H. Jodka, Dashboard Confessions: Unveiling the Privacy Issues in Connected Cars, Reuters (Apr. 25, 2024), https://www.reuters.com/legal/legalindustry/dashboard-confessions-unveiling-privacy-issues-connected-cars-2024-04-25. These capabilities allow for seamless user experiences but also result in the accumulation of extensive and sensitive datasets.

This vast collection of data raises significant concerns related to data governance. From a data privacy perspective, issues arise when the information pertains to identifiable or identified individuals, implicating personal privacy rights. Beyond privacy, the broader issue of data sovereignty becomes critical when data—whether personal or non-personal—collected within a jurisdiction ultimately falls outside the control of its governing authorities.

A. Data Privacy

Data privacy concerns have become an inevitable consequence of modern vehicles equipped with systems that collect vast amounts of personal information.³⁵Caltrider, Rykov & MacDonald, supra note 5 (among 25 brands studied, all of them collected too much personal information than necessary). This extensive data collection poses significant privacy risks, particularly when drivers remain unaware of what information is being collected, how it is used, and to whom it is disclosed. The lack of transparency and corresponding absence of individual control (e.g., informed decision-making through the opt-in or opt-out options) exacerbate these risks. Individual control over personal information is central to the principles of autonomy and self-determination, and informational privacy emphasizes this control by framing privacy as the right to determine how one’s personal information is used and shared.³⁶ Helena U. Vrabec, Data Subject Rights Under the GDPR 48-50 (2021). Control over personal data has long been regarded as a cornerstone of privacy,³⁷Charles Fried, Privacy, 77 Yale L.J. 475, 482 (1968) (“[Privacy] is the control we have over information about ourselves.”); Carissa Véliz, Privacy is Power: Why and How You Should Take Back Control of Your Data 48 (2020) (“[P]rivacy matters because the lack of it gives others power over you.”). forming the foundation of privacy regulations in jurisdictions such as the U.S., EU, and many other legal systems worldwide.³⁸Daniel J. Solove & Woodrow Hartzog, Kafka in the Age of AI and the Futility of Privacy as Control, 104 B.U. L. Rev. 1021, 1025 (2024).

The principle of control is fundamentally undermined by the quiet yet extensive collection of personal data by smart cars, which ranges from precise location tracking and driving patterns to biometric information and data linked from other connected devices.³⁹Clara Mustata, Connected Cars: The Legislative Environment, Potential Reform and Privacy Issues, IAPP (Jun., 2024), https://iapp.org/resources/article/connected-cars-canada; Megan McCollum, Infographic Explores Driver Data Collection and Use in Connected Cars, Future Priv. F. (Sept. 16, 2024), https://fpf.org/blog/infographic-explores-driver-data-collection-and-use-in-connected-cars. Notably, the connected car platform High Mobility identifies 57 categories of data collected by smart vehicles, including sensitive health information such as driver fatigue and heart rate.⁴⁰Data Items: Explore the Variety of Car Data Items Available, High-Mobility https://www.high-mobility.com/car-data (last visited Feb. 5, 2025). Research conducted by Mozilla Foundation further highlights the breadth of this data collection, revealing that car manufacturers may access intimate details, including racial and genetic information, and even data related to sexual activity.⁴¹Jen Caltriderm, Misha Rykov & Zoë MacDonald, What Data Does My Car Collect About Me and Where Does It Go, Mozilla Found. (Sep. 6, 2023), https://foundation.mozilla.org/en/privacynotincluded/articles/what-data-does-my-car-collect-about-me-and-where-does-it-go.

Vehicle data collection extends far beyond operational needs, with much of this information often being utilized for unrelated purposes and disclosed to third parties, frequently without the knowledge or awareness of drivers.⁴²Jon Keegan & Alfred Ng, Who Is Collecting Data from Your Car?, The Markup (Jul. 27, 2022), https://themarkup.org/the-breakdown/2022/07/27/who-is-collecting-data-from-your-car. For instance, car companies can infer “driver scores” based on behaviors such as hard braking, acceleration, and phone usage. These scores are then sold to data brokers, who, in turn, provide this information to auto insurers.⁴³Kashmir Hill, Your Driving, Tracked, N.Y. Times (Jun. 10, 2024), https://www.nytimes.com/2024/06/09/briefing/driving-apps-insurance-tracking.html. Insurers may incorporate these scores into personalized coverage decisions, which, for some individuals, results in unexpectedly higher auto insurance rates.⁴⁴Kashmir Hill, Automakers Are Sharing Consumers’ Driving Behavior with Insurance Companies, N.Y. Times (Mar. 13, 2024), https://www.nytimes.com/2024/03/11/technology/carmakers-driver-tracking-insurance.html.

B. Data Sovereignty

The proliferation of smart vehicles has transformed the once relatively straightforward realm of automotive regulation—focused on issues like road safety—into a far more complex matter of data sovereignty. Data sovereignty refers to a state’s authority over data generated within its jurisdiction, often exercised through data protection laws, competition regulations, and national security measures.⁴⁵Anupam Chander & Haochen Sun, Introduction: Sovereignty 2.0, in Data Sovereignty: From the Digital Silk Road to the Return of the State 7 (eds. Anupam Chander & Haochen Sun, 2023). These powers enable states to safeguard their populations, foster digital economies, and, in certain instances, exert control over their citizens.⁴⁶Id.

A state’s data sovereignty includes the ability to compel and control the means of compliance with its domestic laws.⁴⁷Andrew Keane Woods, Litigating Data Sovereignty, 128 Yale L.J. 328, 364 (2018). Digitally, states can assert significant control largely because they govern the physical infrastructure of networks within their borders,⁴⁸Id. at 360-61. as the physical location of servers and the storage of data will likely determine which jurisdiction’s laws apply,⁴⁹Paul Rosenzweig, The International Governance Framework for Cybersecurity, 37
Can.-U.S. L.J. 405, 422 (2012). granting states substantial leverage over data governance within their territories. For this reason, the concept for data localization emerges. Data localization is justified on grounds of national security, law enforcement access, and individual privacy protection. Retaining data within national borders mitigates cyber espionage risks, ensures jurisdictional control for law enforcement access, and prevents the circumvention of domestic data protection laws by restricting transfers to less-protective jurisdictions.⁵⁰Benjamin Wong, Data Localization and ASEAN Economic Community, 10 Asian J. Int’l L. 158, 162 (2020).

The issue of data sovereignty has gained urgency as foreign-manufactured smart vehicles, now functioning as mobile data-collecting devices, operate across other jurisdictions. This concern is amplified when considering data ownership; if ownership is defined by the practical ability to control data, then auto manufacturers become the de facto owners.⁵¹Sylvia Zhang, supra note 14, at 305, 315. They can maintain near-total control over vehicle data, facing few restrictions on how they use it or to whom they sell it.⁵²Id.

For many nations, particularly in the Global South, however, smart vehicles on their roads rarely originate as domestic products. The data policies governing these vehicles are thus likely drafted overseas, and while they may be influenced by local regulations through domestic compliance enforcement, these policies are not typically shaped by the importing countries from the outset.

Concerns about data sovereignty in a broader context have even been raised even by developed economies, like the EU. The European Parliament, particularly in the context of online platforms, has argued that the dominance of foreign internet platforms within the EU represents a significant erosion of European sovereignty, depriving Member States of control in areas such as copyright, data protection, taxation, and transportation.⁵³Tambiama Madiega, Digital Sovereignty for Europe 4 (EPRS Ideas Paper 651.992, 2020), https://www.europarl.europa.eu/RegData/etudes/BRIE/2020/651992/EPRS_BRI(2020)651992_EN.pdf. In response, Professors Anupam Chander and Haochen Sun have countered that these concerns regarding platform dominance are “misplaced.”⁵⁴Chander & Sun, supra note 45, at 26. They argue, “It is like arguing that because people drive Toyota cars on U.S. roads, we no longer control our streets. As long as the cars are regulated by local law, the fact that they might be built abroad should not undermine sovereignty.”⁵⁵Id.

However, with the increasing implementation of active measures in dominant digital jurisdictions such as the U.S., EU, and China, it is evident that the dynamics surrounding smart vehicles have shifted, particularly as cars have evolved into data-intensive machines. The following section will examine the administrative and legislative measures related to smart vehicles that have been introduced in these jurisdictions.

C. Survey of Measures in Auto-Exporting Jurisdictions

Major automotive regions have implemented measures to protect their strategic interests in the global competition over smart vehicles. In this study, the jurisdictions examined—the U.S., the EU, and China—are also referred to as the “Digital Empires” by Professor Anu Bradford for their extraterritorial influence in digital regulation.⁵⁶ Anu Bradford, Digital Empires: The Global Battle to Regulate Technology 6 (2023) (“Today, there are three dominant digital powers—the U.S., China, and the EU—who can metaphorically be thought of as “digital empires.”).

Before diving into their regulatory resources around data privacy and sovereignty, larger trade and economic measures issued by these jurisdictions provide some useful background. Notably, government subsidies followed by the mass production of Chinese EVs has sparked and intensified price wars and aggressive export strategies raising global overcapacity concerns.⁵⁷Daisuke Wakabayashi, China’s Problem With Competition: There’s Too Much of It, N.Y. Times (July 22, 2025), https://www.nytimes.com/2025/07/22/business/china-involution-competition-deflation.html. The EU has responded with targeted anti-subsidy tariffs on Chinese EVs, despite strong opposition from Germany and its automotive industry. ⁵⁸Andreas Rinke, Exclusive: Germany to Vote Against EU Tariffs on Chinese Electric Vehicles, Reuters (Oct. 4, 2024), https://www.reuters.com/business/autos-transportation/germany-vote-against-eu-tariffs-chinese-electric-vehicles-sources-say-2024-10-03; Volkswagen Calls on Germany to Vote Against EU Tariffs on Chinese Cars, Reuters (Oct. 2, 2024), https://www.reuters.com/business/autos-transportation/volkswagen-calls-germany-vote-against-eu-tariffs-chinese-cars-2024-10-02. The U.S. has implemented even more aggressive measures. The Biden administration has sharply increased tariffs on Chinese EVs while also initiating an investigation into “connected-vehicles” that treats data-rich automobiles as critical infrastructure, potentially barring China-linked digital components.⁵⁹Felicia Schwartz, US Proposes Banning Chinese Software and Components in Vehicles, Fin. Times (Sept. 24, 2024), https://www.ft.com/content/a04ec57d-38ba-4e1f-8e28-d4c76081900b. Furthermore, new rules for U.S. EV purchase subsidies, which restrict eligibility for vehicles with Chinese battery components, may incentivize Chinese manufacturers to seek new export opportunities abroad.⁶⁰Clarence Leong, Trump’s Megabill Gives Chinese EV Makers a Leg Up, Says Head of Auto Group, Wall St. J. (July 8, 2025), https://www.wsj.com/business/autos/trumps-megabill-gives-chinese-ev-makers-a-leg-up-says-head-of-auto-group-8d12948d. The trade measures from tariffs, subsidies, and market access restrictions reflect the larger context of the weaponization of economic interdependency.⁶¹Henry Farrell & Abraham Newman, The Weaponized World Economy: Surviving the New Age of Economic Coercion, Foreign Affs. (Aug. 19, 2025), https://www.foreignaffairs.com/united-states/weaponized-world-economy-farrell-newman.

Alongside this trade and industry-centered narrative, a parallel focus on privacy and security has also emerged. Each of these jurisdictions has introduced measures—from orders and regulations to public awareness campaigns—to govern the collection, use, and cross-border transfer of data generated by smart vehicles.

1. United States

The U.S., despite lacking comprehensive federal privacy legislation, has made notable strides in regulating smart car data.⁶²Olivia Dworkin, Jorge Ortiz & Nicholas Xenakis, Regulatory Frameworks for Smart Mobility: Current U.S. Regulation of Connected and Automated Vehicles and The Road Ahead, 2023 J. L. & Mob. 1, 2 (2023). Domestically, the Federal Trade Commission (FTC) has been actively investigating data practices within the U.S. auto industry since March 2024.⁶³David Balto, FTC Is Right to Crack Down on Auto Industry’s Data Collection, Bloomberg L. (May 31, 2024), https://news.bloomberglaw.com/us-law-week/ftc-is-right-to-crack-down-on-auto-industrys-data-collection. In a recent investigation concluded in January 2025, the FTC determined that General Motors had collected and sold data from millions of vehicles—sometimes as frequently as every three seconds—without adequately notifying consumers or obtaining their affirmative consent.⁶⁴Kashmir Hill, General Motors Is Banned from Selling Driving Behavior Data for 5 Years, N.Y. Times (Jan. 16, 2025), https://www.nytimes.com/2025/01/16/technology/general-motors-driving-data-settlement.html. The investigation resulted in a settlement prohibiting the company from disclosing geolocation and driver behavior data to consumer reporting agencies for a period of five years.⁶⁵Federal Trade Commission, FTC Takes Action Against General Motors for Sharing Drivers’ Precise Location and Driving Behavior Data Without Consent, FTC (Jan. 16, 2025), https://www.ftc.gov/news-events/news/press-releases/2025/01/ftc-takes-action-against-general-motors-sharing-drivers-precise-location-driving-behavior-data.

Beyond the domestic auto industry, the Department of Commerce, under Executive Orders first issued in 2019 and expanded in 2024,⁶⁶The investigation follows Executive Order (EO) 13873 (2019), “Securing the Information and Communications Technology and Services Supply Chain,” which has since been expanded by EO 14117 (2024), “Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern.” See U.S. Dep’t of Com., Citing National Security Concerns, Biden-Harris Administration Announces New Measures to Protect Americans’ Data from Countries of Concern (Feb. 29, 2024), https://www.commerce.gov/news/press-releases/2024/02/citing-national-security-concerns-biden-harris-administration-announces; Tech Policy Press, Preventing Access to Americans’ Bulk Sensitive Personal Data, https://www.techpolicy.press/tracker/preventing-access-to-americans-bulk-sensitive-personal-data (last visited Feb. 5, 2025). has initiated investigations into vehicle data control issues, including potential restrictions on connected vehicle imports, particularly those utilizing Chinese or Russian technology. Historically, the U.S. has benefited from a de facto digital sovereignty, as the geography of the Internet has largely been centered within its jurisdiction. The domestic storage of American data has traditionally allowed for judicial oversight, and even when such data is stored abroad, Congress has amended laws to grant prosecutorial authority over such overseas data.⁶⁷Chander & Sun, supra note 45, at 17-18.

2. European Union

As early as 2010, the French government raised concerns about the erosion of sovereignty in the face of foreign technology firms, particularly in the realm of cloud computing. The observation was made that North American companies was dominating the market, highlighting its critical importance to the sovereignty of European nations.⁶⁸Id. at 13. In the regulatory context, the European Union has expressed its commitment to digital sovereignty most fully through its comprehensive data protection law.⁶⁹Id. The General Data Protection Regulation (GDPR), enforced in 2018, exemplifies this commitment, not only protecting personal privacy but also reinforces data sovereignty by imposing strict restrictions on cross-border data transfers.⁷⁰Under the GDPR, transfers of personal data to third countries or international organizations are subject to strict conditions to ensure that the level of data protection guaranteed under the regulation is not compromised. See Regulation (EU) 2016/679 of the European Parliament and of the Council (General Data Protection Regulation), 2016 O.J. (L119) recital 101. Notably, distinct from the other two jurisdictions in this analysis, the EU’s framework for cross-border data transfers establishes an adequacy test. This test aims to serve as a “model,” incentivizing other jurisdictions to align with EU standards to facilitate smoother data flows. To date, only a limited number of countries have received an adequacy decision from the European Commission.⁷¹European Commission, Adequacy decisions, https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en (last visited Sept. 1, 2025).

Moreover, the EU has fostered an ecosystem that amplifies the voice of civil society in shaping its digital framework. In the context of smart cars data more specifically, since 2016, initiatives like the “My Car My Data” campaign⁷²My Car My Data, https://mycarmydata.eu (last visited Feb. 5, 2025). have raised awareness about privacy concerns associated with connected vehicles. These efforts have influenced the European Data Protection Board to issue authoritative guidelines on connected vehicle data collection and disclosure.⁷³See European Data Prot. Bd., Guidelines 01/2020 on Processing Personal Data in the Context of Connected Vehicles and Mobility Related Applications at 5 (Mar. 9, 2021), https://www.edpb.europa.eu/system/files/2021-03/edpb_guidelines_202001_connected_vehicles_v2.0_adopted_en.pdf. Furthermore, the EU’s 2023 Data Act proposal⁷⁴See generally Tambiama Madiega, The Data Act, (EU Legislation in Progress PE 733.681, 2023) https://www.europarl.europa.eu/RegData/etudes/BRIE/2022/733681/EPRS_BRI(2022)733681_EN.pdf. builds upon this foundation by establishing clear rules for data sharing in connected products and services while maintaining strong personal data protections.⁷⁵Matthew Beedham, The EU is Regulating Data Shared Between Connected Cars, and Why That’s a Good Thing, TOMTOM (Mar. 17, 2022), https://www.tomtom.com/newsroom/explainers-and-insights/the-eu-is-regulating-data-shared-between-connected-cars. This comprehensive approach demonstrates how robust data protection legislation can evolve to address emerging technological challenges.

3. China

China has established a state-centric digital policy framework that underscores how digital governance is rooted in state sovereignty.⁷⁶ Bradford, supra note 56, at 69-70. The modern concept of data or digital sovereignty,⁷⁷The terms data sovereignty and digital sovereignty may be overlapped, having different meanings in certain contexts and could be synonymous in the others. See e.g., Chander & Sun, supra note 45, at 7 (“In framing this book, we have chosen to use both “data sovereignty” and “digital sovereignty,” recognizing that the term is sometimes used distinctly with “data sovereignty” and sometimes interchangeably.”). may in fact have its roots in China’s 2010 white paper, which declared, “Within Chinese territory, the Internet is under the jurisdiction of Chinese sovereignty. The Internet sovereignty of China should be respected and protected.”⁷⁸Anqi Wang, Cyber Sovereignty at Its Boldest: A Chinese Perspective, 16 Ohio St. Tech. L.J. 395, 397 (2020) Six years later, The Chinese President emphasized the urgency of addressing technological dependence, stating that “[the internet’s] core technology being controlled by others is our greatest hidden danger.”⁷⁹Id. at 405.

In line with this philosophy and to further reinforce its “Great Firewall,” a mechanism designed to control access to the internet within Chinese borders, China enacted the 2017 Cybersecurity Law, requiring corporations operating within China to domestically store data collected abroad⁸⁰Jack Wagner, China’s Cybersecurity Law: What You Need to Know, The Diplomat (Jun. 1, 2017), https://thediplomat.com/2017/06/chinas-cybersecurity-law-what-you-need-to-know. and mandates that critical infrastructure operators conduct security assessments before transferring data overseas.⁸¹Wang, supra note 78, at 456-57. This framework was further strengthened by the Protection of Personal Information Law (PPIL), which imposes stringent restrictions on the export of personal data, underscoring China’s commitment to maintaining control over data flows.⁸²Graham Greenleaf, Personal Data Localization and Sovereignty along Asia’s New Silk Roads, in Data Sovereignty: From the Digital Silk Road to the Return of the State 300-01 (Anupam Chander & Haochen Sun eds., 2023). Greenleaf observes that PPIL articles 38-43 employ all forms of data localization, including: data storage mandates requiring certain personal data to remain in the PRC; cross-border transfer restrictions necessitating Cyberspace Administration of China (CAC)’s security assessment unless exempted (creating a de facto export ban); and alternative transfer mechanisms, permitting transfers only if they pass a CAC assessment, receive authorized certification, or comply with standard contractual clauses.

With regard to smart car data regulation, China has taken a cautious approach to allowing foreign vehicles to operate freely within its borders. For example, restrictions were imposed on Tesla, banning its vehicles from critical government functions⁸³Keith Zhai & Yuko Kubota, China to Restrict Tesla Use by Military and State Employees, Wall St. J. (Mar. 19, 2021), https://www.wsj.com/articles/china-to-restrict-tesla-usage-by-military-and-state-personnel-11616155643. and certain governmental areas.⁸⁴Elena Luchian, Tesla Cars Are Banned in Certain Areas in China Amid Security Concerns, Autoevolution (Jan. 26, 2024), https://www.autoevolution.com/news/tesla-cars-are-banned-in-certain-areas-in-china-amid-security-concerns-228221.html. Only recently did a provincial government approve Tesla for inclusion on its purchase list,⁸⁵Laura He, Tesla Is Now an Official Chinese Government Car, CNN (Jul. 5, 2024), https://www.cnn.com/2024/07/05/business/tesla-enters-chinese-government-purchase-list-for-first-time-intl-hnk/index.html. and this was contingent upon negotiations and the approval of Tesla’s data security measures,⁸⁶Raffaele Huang, Musk Wins China’s Backing for Tesla’s Driver-Assistance Service, Wall St. J. (Apr. 29, 2024), https://www.wsj.com/tech/tesla-wins-chinas-backing-for-driver-assistance-service-20816802. including a requirement for domestic data storage within China.⁸⁷Michelle Toh, Tesla Sets Up Data Center in China Amid Spying Concerns, CNN (May 26, 2021), https://www.cnn.com/2021/05/26/business/tesla-china-data-center-intl-hnk/index.html. Ultimately, the Chinese government permits only domestically manufactured Tesla vehicles to operate within the country,⁸⁸Mark Kane, Half of All Tesla EVs Are Made in China, Inside EVs (Apr. 10, 2024), https://insideevs.com/news/715427/tesla-ev-production-shanghai-vs-global. reinforcing its commitment to strict data governance and subsequent national security.

To debrief, the U.S. utilizes a bifurcated, enforcement-led strategy, relying on agencies like the FTC to police the industry. Externally, the U.S. addresses the issue through a national security lens, with the DOC investigating potential restrictions on connected vehicle imports from geopolitical rivals. The EU has focused on a more comprehensive rights-based model centered on its GDPR. The GDPR functions as a tool of both privacy protection and data sovereignty, leveraging a strict adequacy test that effectively exports its high standards to other jurisdictions seeking seamless data transfers. This regulatory environment is also benefitted by robust civil society engagement, with campaigns that influence guidelines and new legislation. Finally, China’s approach is explicitly state-centric, prioritizing national security and an uncompromising vision of digital sovereignty first articulated more than a decade ago. This doctrine is enforced through a powerful legal framework mandating that data collected in China be stored domestically, leveraging its regulatory power to ensure state control over data flows and mitigate perceived technological dependencies.

IV. Data Governance Considerations for Southeast Asia

As Southeast Asia embraces smart vehicles, data governance challenges—particularly in privacy and sovereignty—become increasingly urgent. This section examines the risks posed by foreign-designed vehicles, using Thailand’s rapid adoption of Chinese EVs, along with Chinese digital infrastructure as case studies. While these vehicles drive economic growth, their data policies remain externally shaped, raising concerns over security and regulatory gaps. The discussion then explores strategies to balance data protection with economic benefits, drawing lessons from the U.S., EU, and China on investigative action, regulatory oversight, and selective data localization, before arguing that ASEAN-wide cooperation could enhance regional bargaining power, ensuring smart vehicle adoption aligns with both national and regional digital governance priorities.

A. Acknowledge the Potential Data Governance Harms

For countries without domestic champions in smart vehicle design, the data governance concerns, encompassing both data privacy and data sovereignty, raised by major auto-exporting jurisdictions such as the U.S., the EU, and China warrant serious examination. These issues should not be dismissed as mere geopolitics and trade rhetoric but rather recognized as grounded concerns that merit further investigation.

Thailand exemplifies this dilemma. The rapid influx of affordable and technologically advanced Chinese smart vehicles has been widely celebrated. There is a strong political consensus across both government and opposition parties⁸⁹Li Xirui, How China’s EVs Are Taking Thailand by Storm, The Diplomat (Feb. 7, 2024), https://thediplomat.com/2024/02/how-chinas-evs-are-taking-thailand-by-storm. on the role of EVs in achieving sustainable development goals.⁹⁰Fusheng, supra note 25. However, this enthusiasm should not preclude scrutiny. The recent backlash against aggressive discounting strategies employed by BYD dealers illustrates the complexities of this market shift. In early 2024, the Thai Consumer Protection Board received approximately 70 complaints from consumers who felt disadvantaged by sudden price reductions following their purchases, prompting an official investigation.⁹¹Panarat Thepgumpanat & Chayut Setboonsarng, BYD’s Steep EV Discounting in Thailand Sparks Backlash, PM Seeks Assurances, Reuters (Jul. 5, 2024), https://www.reuters.com/business/autos-transportation/byds-steep-ev-discounting-thailand-sparks-backlash-pm-seeks-assurances-2024-07-05.

Beyond market dynamics, concerns over data governance deserve greater attention. As also previously discussed,⁹²See infra Part III B. China enforces strict data localization requirements, requiring that data collected overseas by Chinese corporations be stored within its jurisdiction and made available to government authorities upon request. In response to concerns that American data collected from Chinese products may be stored in China,⁹³See Peter E. Harell, Managing the Risks of China’s Access to U.S. Data and Control of Software and Connected Technology 4-7 (2025), https://carnegie-production-assets.s3.amazonaws.com/static/files/Harrell_US-China%20Data%20Regulation.pdf. for instance, the U.S. has implemented measures aiming at addressing both data privacy and sovereignty risks.

Thailand’s increased reliance on Chinese digital infrastructure suggests a broader pattern of limited regulatory scrutiny in this domain. The Thai government has welcomed Chinese investment in cloud infrastructure, with the Ministry of Digital Economy and Society—home to Thailand’s Personal Data Protection Committee itself—openly supporting Chinese tech giant Huawei’s involvement in the country’s cloud ecosystem.⁹⁴Huawei, Huawei Cloud Vows to Empower Thailand a Regional Cloud Hub as MDES Elaborates on “Cloud-First” Strategy for the First Time, Huawei Cloud (Aug. 15, 2024), https://www.huaweicloud.com/intl/en-us/news/20240815174757013.html. Whereas the U.S. continues its campaign against the company for its alleged role in facilitating Chinese surveillance activities overseas,⁹⁵Justin Sherman, The U.S. is Continuing Its Campaign Against Huawei, Lawfare
(Jul. 20, 2021), https://www.lawfaremedia.org/article/us-continuing-its-campaign-against-huawei. most of the leading enterprises, government ministries, and financial institutions in Thailand today rely on Huawei’s services.⁹⁶Huawei, supra note 94. While Thailand’s Personal Data Protection Act (PDPA) was modeled after the EU GDPR⁹⁷Graham Greenleaf & Arthit Suriyawongkul, Thailand—Asia’s Strong New Data Protection Law, 160 Priv. L. Bus. Int’l L. Rep. 1, 3 (2019). and therefore includes similar strict provisions on cross-border data transfers,⁹⁸Wong, supra note 50, at 168 (observing that section 27 of Thailand’s PDPA restricts data transfers to countries with lower data protection standards, subject to exceptions such as data subject consent. The data protection regulator may also designate certain countries as providing adequate protection, exempting them from this restriction). there has been no scrutiny against the large-scale data storage in China, particularly in light of the Chinese cyber laws requiring localization of data collected overseas.

B. Balancing Data Governance and Economic Benefits

As developing countries integrate smart vehicle technology into their economies, they must navigate complex intersections of data protection, digital sovereignty, and economic development. Countries like Thailand, which lack home-grown smart vehicles but serve as a major automotive plant, face unique challenges in balancing economic benefits, regulatory capacity, and negotiating power with multinational corporations. While foreign direct investment (FDI) in the EV sector can be crucial for economic growth, it also raises significant concerns regarding data governance. A well-calibrated regulatory approach must account for both the opportunities and risks associated with increased vehicle connectivity.

A critical step is strengthening data protection governance to ensure a non-discriminatory approach to vehicle data collection. While concerns over Chinese smart vehicles dominate global discourse, a broader, brand-neutral approach is necessary—one that acknowledges that all modern connected cars collect and transmit data. U.S.-style investigative mechanisms could be instrumental in assessing both the economic benefits and potential threats posed by EV adoption. Thorough studies, conducted independently or in collaboration with civil society organizations as demonstrated in the EU, would provide a fact-based foundation for regulatory interventions.

Building on the EU data protection authority’s work, Thailand’s data protection authority may also take a more proactive role in enforcing the existing data protection law and issuing sector-specific guidelines on smart vehicles data collection. While the Thai PDPA mirrors the EU’s GDPR, enforcement efforts remain underdeveloped due to both manpower and budget constraints.⁹⁹Gunn Jiravuttipong & Khemmaphat Trasadikoon, Examining the Benefits and Challenges of Thailand’s Latest Data Protection Law, Tech for Good Inst., https://techforgoodinstitute.org/blog/expert-opinion/examining-the-benefits-and-challenges-of-thailands-latest-data-protection-law (last visited Feb. 5, 2025). For this reason, smart vehicle data governance should not be left to reactive enforcement alone; instead, multi-stakeholders including privacy non-governmental organizations, independent think tanks, and investigative news outlets need to get involved more actively in raising awareness of emerging technologies, enriching a healthier data protection ecosystem.¹⁰⁰Filippo Lancieri, Narrowing Data Protection’s Enforcement Gap, 74 Me. L. Rev. 15, 19 (2022).

On China’s data localization framework, other nations could also consider it as a model, particularly for national security purposes. While complete data localization may not be practical for every developing country,¹⁰¹Wong, supra note 50, at 159 (“[A] key concern is that data localization serves as an inhibitor of trade in services and, more generally, as an obstacle to economic integration.”). Similarly, Chander and Sun argue that in the digital sphere, sovereignty is often asserted against corporations rather than governments. As digital sovereignty evolves, states must regulate not only domestic citizens but also foreign entities, particularly global firms providing cross-border services. To remain effective in an era of internet globalization, legal frameworks must extend to foreign entities. Chander & Sun, supra note 45, at 7. targeted restrictions—such as limiting data access in sensitive geographic areas or for specific government personnel—could serve as an effective safeguard. This approach allows governments to balance maintaining an open market with ensuring that sensitive data categories, such as geolocation, images of military installations, and biometric identifiers, remain under national jurisdiction. A Comparison between Thailand’s PDPA with China’s PIPL illustrates the point. The justifications for allowing cross-border data transfers under the PDPA are relatively flexible, permitting transfers based on consent or contractual necessity—grounds not recognized under Chinese law.¹⁰² Dominic Paulger, Navigating Cross-Border Data Transfers in the Asia-Pacific Region (APAC): Analyzing Legal Developments from 2021 to 2023 6-9 (2023), https://fpf.org/wp-content/uploads/2023/09/FPF-Issue-Brief-APAC-CBDTs.pdf. Critically, these legal bases can be illusory in practice, as data subjects rarely provide truly informed consent,¹⁰³Daniel J. Solove, Murky Consent: An Approach to the Fictions of Consent in Privacy Law, 104 B.U. L. Rev. 593, 620-21 (2024). and service providers can arbitrarily necessitate data sharing in the name of providing services.¹⁰⁴Meta, for instance, relied on contractual necessity as a legal basis for personalized ads until it faced enforcement action from the Irish Data Protection Commission. Mark MacCarthy, The European Data Protection Board (EDPB) Goes After Tech’s Personalized Ad Business Model, Brookings (Feb. 1, 2023), https://www.brookings.edu/articles/the-european-data-protection-board-goes-after-techs-personalized-ad-business-model.

Furthermore, China’s PIPL is even more stringent when a cross-border transfer involves “important data” (defined as data that may endanger national security or public interest) or pertains to critical information infrastructure operators, such as those in the transportation sector. In these circumstances, any data transfer out of China must undergo a mandatory security assessment that details the recipient, the legality of the transfer, and the safeguards and risks involved.¹⁰⁵ Paulger, supra note 102, at 14. Therefore, the transfer of smart vehicle data out of China is highly likely to be subject to these stringent requirements, providing a clear regulatory model that Southeast Asian countries could adapt for their own national security needs.

Finally, Southeast Asian countries may leverage the Association of Southeast Asian Nations (ASEAN) as a platform to develop a coordinated approach to data localization policy.¹⁰⁶ASEAN consists of ten Southeast Asian Member States: Brunei, Cambodia, Indonesia, Laos, Malaysia, Myanmar, Philippines, Singapore, Thailand, and Vietnam. ASEAN, Member States, https://asean.org/member-states (last visited Feb. 5, 2025). Through ASEAN, member states can establish regional standards that balance the need for data sovereignty with broader economic integration, ensuring that data localization requirements reflect both regional priorities and legitimate concerns about cross-border data flows.¹⁰⁷Wong, supra note 50, at 178 (noting key differences between ASEAN and the EU, including ASEAN’s smaller economic size, which necessitates participation in the global supply chain. Consequently, the EU’s data localization approach may have limited applicability in the ASEAN context.). In recent years, ASEAN has increasingly focused on data governance and cross-border data flows, leading to the emergence of important instruments. The adoption of the 2016 ASEAN Framework on Personal Data Protection established guiding principles for member states, while the 2018 ASEAN Framework on Digital Data Governance set forth principles to facilitate cross-border data flows, aiming to maximize the free flow of data within ASEAN while ensuring adequate protection.¹⁰⁸Id. at 176. In 2021, the member states adopted the ASEAN Model Contractual Clauses (MCCs), a voluntary mechanism that businesses can incorporate into binding contracts to govern the transfer of personal data across borders within the region.¹⁰⁹ Paulger, supra note 102, at 20.

It is important to note that the MCCs are not a mandatory legal instrument but a recommended guide that businesses are encouraged to follow.¹¹⁰Id. at 3. Beyond simply facilitating the implementation of the MCCs, another area for improvement is the development of a more defined regional standard for data localization. Such a mandate—for example, requiring a local copy of certain data to be maintained—would establish a baseline for data sovereignty. As of 2020, this aspect remained largely unstandardized across the region, with only Indonesia and Vietnam having domestic laws containing such a requirement.¹¹¹Wong, supra note 50, at 169. As smart vehicles from third-party countries become more prevalent in ASEAN, member states could leverage the legal mechanisms examined here to develop a unified data governance policy. A coordinated approach would enhance the region’s collective leverage in negotiations, strengthen regulatory standards, and align smart vehicle adoption with broader digital governance objectives, thereby reducing the need for fragmented national policies.

V. Conclusion

The rise of smart vehicles represents not only a technological shift but also a fundamental challenge to data governance. As connected and data-driven automobiles become prevalent, countries without domestic automakers face a difficult balancing act—embracing economic opportunities while safeguarding data privacy and sovereignty. The world’s leading automotive and regulatory powers, the U.S., the EU, and China, have each leveraged their regulatory influence and economic weight to shape data governance frameworks. However, smaller economies, particularly in Southeast Asia, lack the same negotiation power, leaving them more vulnerable to externally imposed data policies attached to foreign smart vehicles. For instance, a major economic power like China has negotiated with leading automakers such as Tesla,¹¹²See, e.g., Raffaele Huang, Musk Wins China’s Backing for Tesla’s Driver-Assistance Service, Wall St. J. (Apr. 29, 2024), https://www.wsj.com/tech/tesla-wins-chinas-backing-for-driver-assistance-service-20816802. resulting in Tesla recently becoming the only foreign recipient of China’s “Auto Privacy Protection” mark¹¹³Heidi Tai, Tesla Becomes the Only Foreign Automaker to Receive China’s Auto Privacy Protection Mark, DigiTimes Asia (Nov. 12, 2024), https://www.digitimes.com/news/a20241112PD200/tesla-china-automobile-fsd-2024.html.—a privilege that smaller economies cannot easily secure.

Thus, rather than relying on bilateral negotiations with automakers, Southeast Asian countries must explore alternative strategies to strengthen their regulatory position. A regional approach through ASEAN could provide greater collective leverage, allowing member states to set common data governance standards and negotiate with foreign manufacturers as a unified economic bloc. Additionally, adopting a hybrid regulatory model—drawing from the U.S.’s investigative oversight, the EU’s enforcement-driven data protection framework, and China’s selective localization policies—could help balance economic benefits with national security and data sovereignty concerns. As smart vehicles continue to reshape global mobility, Southeast Asia should move beyond passive adoption and actively shape data governance frameworks that serve both economic and regulatory interests.

Attamongkol Tantratian is a Lecturer in Law, at the Faculty of Social Sciences and Humanities, Mahidol University. We would like to thank Uduak Ekott and Che Zhe for their invaluable contributions to the early stages of this project, which resulted in the publication of Uduak Ekott, Zhe Che & Attamongkol Tantratian, Connected Vehicles and Data Privacy & Sovereignty in the Global South, Tech Pol. Press (Oct. 23, 2024), https://www.techpolicy.press/connected-vehicles-and-data-privacy-sovereignty-in-the-global-south.

Gunn Jiravuttipong is a J.S.D. Candidate at the University of California, Berkeley School of Law.