Region needs to harmonise data laws

In the 21st century, the ability of data created on computers to move freely across geographical borders - which do not exist on the Internet - has presented governments with new regulatory challenges.

This is most apparent with the advent of cloud computing, where data stored or processed by a service provider can be located outside the country where the data was created.

Like electricity, businesses utilising cloud computing save a lot of money by paying for only the amount of computing that they need at any particular time. Cloud computing enables small businesses to have the same computing capabilities as large businesses without investing in information technology (IT) infrastructure.

However, to get the full advantage of cloud computing, systems need to scale and move data from one location to another, often from one country to another, safely, securely and within the law.

New data laws in Singapore show that the Government understands it is crucial to ensure data flows in and out of Singapore as smoothly as the ships that pass through its harbours.

But the region is far from being in step. When a business in Indonesia wants to use a cloud service provided by a company in Singapore, the Indonesian business may run into regulations that prohibit sending data outside the country.

In 2012, the Philippines enacted a data privacy law that applies to extraterritorial data storage if data is about a Philippine resident, but not to residents of foreign jurisdictions.

In contrast, India's 2011 Privacy Rules were revised only a year later to exempt "data outsourcing." The idea was to enable cross-border data flows critical to India's IT industry.

Such differences in approach create challenges for those who want to move data between the two countries.

In an attempt to prevent such walls being erected, the Asia- Pacific Economic Cooperation (Apec) forum has established a voluntary Privacy Framework and Cross Border Privacy Rules to guide governments drafting privacy laws.

In March, in a step towards greater harmonisation, Apec and the European Union's (EU) privacy working group (Article 29 Working Group) and the 21 Apec member economies published a document that maps differences between EU and Apec privacy rules to help businesses enable cross-border data flows.

ASEAN was among the first to adopt a strategy of cross-border legal harmonisation for e-commerce in its ICT Masterplan 2015. Harmonised data laws, similar to customs laws across the region, will be critical to achieving the economic development promised by the formation of the ASEAN Economic Community by next year.

Some countries in Asia are harmonising their laws. Last November, Singapore's Infocomm Development Authority introduced the Multi-Tier Cloud Security Standards. This sets acceptable security standards for the use of cloud computing by a wide range of industries, the first of its kind by a national government.

In 2012, the Government also adopted the country's first overarching privacy law. Following global norms, it allows personal data to be transferred to countries that have comparable data protection laws. These updates are seen to be crucial for the continued economic success of Singapore, and indeed the entire region.

A recently released Asia Cloud Computing Association report found a widening divide in the ease of moving data across borders among 14 countries in the Asia-Pacific region.

The gulf is between leading markets such as Australia, Japan, New Zealand and Singapore on the one hand, and emerging markets such as China, Indonesia, Malaysia and Vietnam on the other. The leading markets were shown to have clear data protection laws that corresponded to global best practices.

Other countries, however, restrict cross-border data flow or impose regulations inconsistent with regional and international standards.

Thailand, Vietnam and others have no formal data protection laws upon which service providers or foreign regulators can rely. Some have laws that are unclear about data transfers to other jurisdictions.

And many countries, even among the leaders, have law enforcement access laws that are not transparent.

The failure to understand the importance of harmonising data laws will risk deepening this divide as emerging economies fall further behind. The laws of leading countries could serve as the model for a harmonised regional framework and an opportunity to be recognised as a secure digital marketplace globally.

Digital policy coordination and harmonisation is a lot to ask of a region, which is why those that lead - countries such as Singapore - need to support those that follow.

This can be done by promoting data security and safety through ASEAN, and setting up a "Best in Class" gold standard to manage information and data flows in the Asia-Pacific region.

This article was published on May 12 in The Straits Times.

Get a copy of The Straits Times or go to straitstimes.com for more stories.