Asia, Cross Border Data Flows: It’s Complicated…

by Nathan Boeger on January 18, 2019

January 18, 2019

Author : Nathan Boeger

Cloud Security, Data Protection, privacy

This post on cross-border data privacy in APAC originally appeared on the TECHNOLOGY HEAD FIRST blog

Have you ever met a new friend and asked a simple question like “What’s your favorite food?” only to be met with a deadpan face and the answer “It’s complicated”. I always think to myself, no its not. It’s food, you put it in your mouth, it tastes good, yum! What’s so hard about that? I know there are thousands upon thousands of regional and cultural cuisines not to mention dietary preferences. Still, it’s just food right? How hard can it be.

Sponsorships Available

Security, much like with food preferences, may seem simple. You have something you want to keep secret so you encrypt it, job done! Unfortunately, it’s not that simple. Just like with food, regional areas and countries have their own unique differences. More importantly, they are starting to assert their own rules and regulations and these could even have global implications.

One example of this is privacy around Cross Border Data Flows. Countries are starting to adopt rules around what data can and can not exist outside their borders. Also, how this data is gathered, how its used and transmitted. This is important for any company doing business in the region. Especially if you are using cloud services. With these providers, you may not have the ability to control where this data lives. Assuming you even know what the rules are. Here is just a sample of a few rules in the region.

In 2017 China enacted their new Cybersecurity Law. This law has a very broad definition of what they consider to be a “network operator”. Arguably, the definition they created includes any business with more than one computer. To be compliant, it requires network operators to fully cooperate with the Chinese crime or security investigators and allow full access to all data. More importantly, Article 37 requires network operators to store all data generated in mainland China to stay on servers inside China. This law also requires all data gathered on Chinese citizens to also remain inside China. Finally, this data may not be transmitted abroad without gathering the appropriate permission. Needless to say, this could be complicated when business with offices in China needs to do BI on data gathered inside China.

India has had several updates to their original Information Technology Act of 2000. The initial rules mainly applied to security practices and regulation of sensitive personal data. This included financial, medical, and sexual orientation. However, India has had made several updates. The rules introduced in 2012, required all Indian government data to be stored in India. In 2014 these updated required all backups of financial data to be stored in India. Finally, in 2015 the rules introduced required all application servers of Indian customers to be located in India. Here again, one needs to be careful on how they make use of data gathered inside India.

In 2012 Singapore enacted the Personal Data Protection Act (PDPA). This covered mainly the collection and disclosure of personal data. It’s intent was to address how personal data was gathered and how consumers could maintain trust with companies managing that data. Section 26 outlines how companies must ensure that data transferred outside of Singapore must still comply with the various protections in the PDPA. This includes data transferred to a third party. The recipient will be held accountable and must provide protection that is “comparable” to that under the PDPA.

This is actually refreshingly clear. All one needs to do is understand the PDPA, follow it as a guideline, and you will be complaint on data gathered in Singapore. However, on July 16, 2017 Singapore joined up with the APEC to participate in their Cross Border Privacy Rules (CBPR). This also includes countries like Mexico, USA, Canada, Japan and Korea. Details of how this will impact the current regulations is still unclear. It is a good sign, maybe something akin to an “international standard” will emerge. Time will tell.

As everyone knows, Asia is a diverse and complex region. ASEAN alone has 10 state members and depending on how you define the region, 40-60% of the world’s population lives in Asia. With such large populations and complex geopolitics comes complex regulations. I have not even mentioned the impact of regulations coming from outside Asia – like the EU. I suspect things going forward will only get more complicated and business will need to rely on specialists and tools that help them adapt and navigate this ever changing landscape. Perhaps this is a great opportunity for companies who focus on delivering these tools and enabling multinational companies to comply without having to spend lots of resources training and going it alone. Perhaps it is like good food. It’s always best shared with good company.