By Antony Cook, Associate General Counsel, Corporate External and Legal Affairs, Microsoft Asia. This article was originally posted on LinkedIn.
Moving the conversation from where data is located, to how data is protected
Borderless Digital World
In Singapore, a student logs into a US-based e-learning platform to join a physics lecture delivered by a leading academic; in Malaysia, an engineer accesses a cloud-based dashboard with real-time analytics on how his company’s manufacturing facilities across Asia are performing; and in Thailand, a doctor accesses an AI platform that processes clinical trial data from around the world to determine the best intervention for her patient.
These activities have something in common – they depend on the smooth flow of data across international borders. If economic growth in the 20th century was defined by international flows of physical goods and currency, economic growth in the 21st century will be defined by international data flows. Research by McKinsey Global Institute estimates that international data flows have, to date, contributed $2.8 trillion to global GDP. In an increasingly connected Asia, where technologies such as cloud, Internet of Things, artificial intelligence and blockchain are becoming increasingly pervasive, effective cross-border data flows are essential for innovation, trade and economic growth.
Restrictive Data Regulations & Their Impact
But despite the critical role that cross-border data flows play, data flows in some jurisdictions in Asia are being affected by regulations requiring that certain categories of data remain within the country. These data localization regulations fall into two broad categories. The first are regulations that predate digital commerce and trade – for example, some countries continue to have data localization regulations applicable to medical information that were originally designed to apply to paper records, many decades before the digital transformation of medicine that we see today. While these regulations were not developed with digital technologies in mind, they can sometimes be construed broadly enough to apply in unexpected situations – for example, if a hospital wants to move to cloud services to enhance productivity and deliver better patient outcomes. The second category of data localization regulations are more recent and typically arise out of concerns regarding cybersecurity, privacy or national security.
Whichever category the regulations fall into, the result is the same: a stifling of innovation, economic growth and international trade. Innovations powered by technologies such as cloud, Internet of Things, artificial intelligence and blockchain don’t just benefit from the movement of data across international borders, they depend on it. Many of the benefits of hyperscale cloud services depend on the vast computing power, economies of scale and enhanced security that come from internationally-distributed data centers. The network of sensors and connected devices powering the Internet of Things will, in many cases, be distributed across more than one jurisdiction. Machine learning technologies, which are advancing the field of artificial intelligence so rapidly, depend on access to large and varied datasets, as well as raw computing power, both of which may have to be sourced from another country or, indeed, more than one country. And the distributed ledger technology embodied by blockchain is, by its nature, distributed and territory-agnostic.
For citizens and companies in affected countries, the net result of data localization regulations is that the range of products, services and technology, and the sophistication of available solutions, is far more limited than is the case in other economies that facilitate, rather than restrict, the smooth flow of data. In particular, companies in affected countries are forced to adopt a technology strategy based on compliance with arbitrary location requirements (and all of the associated costs they bring), instead of factors such as innovation, quality, cost and economies of scale, putting them at a competitive disadvantage versus competitors in other jurisdictions. For the more than 80% of technology-driven startups with plans to scale internationally, progress can be slowed by restrictions on outbound data flows and challenges in accessing international technology solutions. Localization regimes also make the country a less attractive destination for foreign investment and local setup, as companies are reluctant to subject themselves and their investments to onerous and costly localization requirements. This in turn impedes a country’s ability to innovate, to grow, and to benefit fully from the growth of the digital economy.
Driving Trust in Technology
Given the clear benefits of cross-border data flows, and the negative impacts associated with restrictions on those data flows, why then do we continue to see data localization regulations in certain jurisdictions? In most cases, data localization regulations arise from well-intentioned efforts to enhance privacy and security. Unfortunately, data localization does not guarantee, or even enhance, the privacy or security of our data, nor does it increase trust in the digital economy. In some respects, it may even be counterproductive to these objectives. For example, as data localization regulations limit the choice available to companies in affected jurisdictions, those companies may not have access to technology solutions that are truly “state of the art” from a global security perspective, which may make them a relatively easy target for malicious actors. And with the increasing sophistication of cyber-attacks, any policies that increase data centralization only serve to multiply the damage caused by successful attacks.
Whilst mandating local storage does little to enhance protection, frameworks to enhance privacy and security that apply regardless of data location have proven to be far more effective. It is therefore critical that we ensure trust in cross-border data flows by making sure that the privacy and security of data are protected to the required standards no matter where the data is located. But what are the frameworks available to us to achieve this?
International Standards & Frameworks
The good news is that a range of national and international frameworks have proven to enhance privacy and security whilst simultaneously facilitating the smooth transfer of data. One example is Singapore’s Personal Data Protection Act, which permits transfers of personal data outside of Singapore if the recipient is bound by legally enforceable obligations to provide a standard of protection comparable to that in Singapore. The legally enforceable obligations can include obligations imposed under law, contract (for example, data processing agreements), binding corporate rules or another legally binding instrument. This flexible, outcomes-focused approach has been central in securing Singapore’s position as a hub for technology, data processing and innovation in the Asia region, as part of its “Smart Nation” vision. There are several other examples, from the European Union (where the General Data Protection Regulation takes a similar, albeit much more prescriptive, approach to transfers of personal data) to the Philippines, which permits international transfers as long as contractual or other appropriate means are used to ensure that personal data is protected when transferred overseas.
Of course, solving international challenges cannot be achieved through national efforts alone. At an international level, several efforts are underway to strengthen international cooperation on data transfers through bilateral and multilateral agreements and cross-jurisdictional engagement. These efforts are helping to enhance consistency across borders and better facilitate secure data flows, which will in turn drive international trade and commerce. For example, the Comprehensive and Progressive Agreement for Trans-Pacific Partnership requires participating countries not to impose localization requirements on computing facilities or to require businesses to build local data storage centers. This sits within a broader framework which seeks to protect privacy and strengthen international relations. Several other initiatives are well-progressed, including at an APEC and ASEAN level, to ensure that appropriate international measures are in place to govern the smooth transfer of data. Meanwhile, international security standards and certifications, such as those developed by the International Organization for Standardization and the International Electrotechnical Commission (ISO/IEC), are playing an important role in ensuring consistency and alignment of security and privacy measures across territories.
Technology Leadership & Accountability
At Microsoft, we recognize that technology companies also have an important role to play. We must be transparent as to data location, privacy and security. We must disclose where data is located and the measures we have in place to ensure that it is kept private and secure. We must demonstrate compliance on an ongoing basis by having our services assessed by independent third parties against international security standards and certifications. And we must stand behind our commitments contractually. It is for this reason that all of our cloud services are built on four key pillars – namely security, privacy, transparency and compliance. In short, we must play our part in helping to ensure that our customers’ data is protected to the required standards, no matter where it is located.
We also recognize that striking the right balance is not easy. But if we are to succeed, and by doing so build the next phase of the digital revolution in Asia, we must now change the conversation – from where data is located to how data is protected and secured. Only then can we successfully build national and international frameworks that facilitate the smooth flow of data across borders whilst protecting privacy, security and trust.