ABSTRACT The European Union’s General Data Protection Regulation (GDPR) of 2016 is widely recognised as the benchmark global standard for data-privacy law. In recent years, countries across Southeast Asia have enacted or updated data-privacy laws with provisions that align with the GDPR. This paper explores the balance of internal and external forces driving these regulatory changes. It argues that a nuanced understanding of diffusion in the policymaking process allows us to see beyond the ‘Brussels Effect’ and how the increasing digitalistion of Southeast Asian societies has created increasing local demand for regulatory change. While an analytical focus on scripting in the drafting of GDPR-like laws focuses attention on the extraterritorial reach of the EU’s regulatory power, an analytical focus on problematisation points to different pathways of domestic learning regarding data privacy, especially in response to rising data-security threats.