Is data localisation globally impossible? - China Working Group



Kate Chan
Ankura, Hong Kong SAR
kate.chan@ankura.com

Fred Chan
Ankura, Hong Kong SAR
fred.chan@ankura.com

Noriswadi Ismail
Ankura, London
noriswadi.ismail@ankura.com
 

Introduction: localisation goes global

It may sound like a paradox, but data localisation is becoming an increasingly global challenge as national regulators recognise the need for certain types of data to be stored locally and seek better control of cross-border data transfer.

This creates a major challenge for global companies who operate across several countries, and sell products and services which typically rely heavily on data. How best can they comply with a variety of different and complex national regulations, while efficiently managing their global operations, taking full advantage of emerging, data-driven technologies?

Before answering this question, however, let’s look in more detail at data localisation regulation in three key countries: China, India and Indonesia.

China: growing within limits

China’s Cybersecurity Law (CSL) became the region’s first national-level rules to address cybersecurity and data privacy protection. It requires organisations to store data within China, restricts its transfer outside the region and allows Chinese authorities to conduct spot-checks on a company’s network operations. While the law has provided greater clarity, some uncertainty remains on how it will be enforced and what steps are required to achieve compliance. What is clear, however, is that many institutions that transmit data to overseas headquarters will need to restructure their mechanisms when operating in China. It also highlights that data localisation is often just as concerned with the transfer of data out of a country as with how it must be handled within it. Clearly, as China is a huge growth market, multinationals are motivated to address compliance issues quickly and effectively.

India: picking up speed

India’s Data Protection Bill has already received plenty of attention, so the point to note here is its apparent acceleration, with the bill now set to be tabled in the current parliamentary session. This development is being closely followed by US tech companies concerned that new localisation requirements could create obstacles within a regulatory framework that is otherwise broadly aligned with the European Union’s General Data Protection Regulation (GDPR). The bill’s introduction should, however, provide greater certainty over areas relating to the protection of personal data and the growth of the digital economy.

Salman Warris, partner and head of the Telecommunications, Media and Technology (TMT) & Intellectual Property (IP) Practice at leading Indian law firm TechLegis, provides a legal perspective on the situation:

‘With the Personal Data Protection Bill having already been tabled before the parliament during the ongoing winter session, it is expected that India would have a law sometime in the coming year [2020]. While the original draft document extensively borrowed from the GDPR, it went a step beyond, obligating companies to ensure data localisation, and this was further complicated by the Reserve Bank of India Directive to the same effect with regard to Fintech companies. Of late the government has indicated the possibility of another data legislation dealing with “community data” comprising non-personal data that, if anonymised, could be commercialised.’

Indonesia: staying ahead of technology

As the largest IT spender in Southeast Asia and home to the world’s fourth-largest mobile market, it should come as no surprise that Indonesia is accelerating changes to its data privacy regulation. What was initially intended as an amendment to existing regulation has rapidly evolved into something bigger, with the October 2019 Implementation of Electronic Systems and Transactions regulation revoking and replacing previous government rules on the subject.

Professor Abu Bakar Munir, data protection law expert and visiting professor at the Faculty of Law, Atmajaya University, Jakarta, notes that both the digital economy and international trade require data to flow and that therefore:

‘A data localisation requirement can be regarded as a non-tariff barrier to trade in the digital economy. As argued by the Organisation for Economic Co-operation and Development (OECD), restrictive data localisation requirements affect firms’ ability to adopt the most efficient technologies, influence investment and employment decisions, increase the cost of innovation and lead to missed business opportunities. Indonesia’s relaxation of the data localisation rules is intended to attract foreign investment. The inclusion of the right to be forgotten is significant. It will be interesting to see how the industry will react and how the new regulation will interact with the forthcoming law on personal data protection.’

Taking action: rules of engagement

Without going into detail on each piece of data localisation-related regulation, it is easy to see that a global company operating across borders has a wider problem: how does it organise itself to meet multiple technical, legal and commercial challenges?

Successfully dealing with the challenge means going beyond a case-by-case approach and instead diving deeper: reviewing business and operating models to see how they can be customised to be more appropriate for jurisdictions with localisation requirements. The good news here is that most global organisations have the capability, capacity and resources to achieve this. For those with more modest budgets, strong controls and good risk management will go a long way.

Going local: the service provider route

Broadly speaking, data localisation rules mean that in order to transfer personal data across borders companies must seek authorisation from the relevant regulatory or government department. For many global companies this is an added and relatively unfamiliar complexity as, within the GDPR, there is normally no requirement to seek such permissions subject to complying with relevant data transfer mechanisms.

If we then place this requirement in the context of technology such as cloud infrastructure, it’s clearly challenging for a global organisation to keep on seeking approval every time it transfers data from, for example, China to the United States, from India to the EU, or from Indonesia to the rest of the world.

To simplify this complexity, global organisations are using locally-based service providers with the necessary infrastructure and technical safety measures to satisfy the data localisation requirements. While there are clear benefits to having these local service providers manage all data localisation compliance activities on the ground, it is important, just as in any outsourcing, for the global organisation to monitor risk levels.

In fact, risk is a key factor in many aspects of data localisation. Setting up a detailed risk assessment for each jurisdiction is crucial to ensure that the risk you are carrying there stays within your organisation’s risk appetite.

From establishment to expansion - data risks remain key

It is vital to build data security risk assessment and risk management into each stage of the commercial journey, as highlighted below.

When global private equity firms or corporates invest in China, India, and Indonesia they will seek first to gauge fully how compliance issues will affect them. That means more than merely understanding the regulation and how it is likely to be enforced. It also extends to the third parties and vendors, especially with local entities managing data-related risks on their behalf. Due diligence is crucial when choosing a service provider, whether in China, India or Indonesia. There is a risk that some providers may see this process as a box-ticking exercise. It is far better to make it more of a stress test by socialising data and running through different scenarios.

So, after having gone through the due diligence exercise with your chosen service provider, addressed compliance and received advice from lawyers within the jurisdiction, the next step is to operationalise. As in many areas of business life, some issues may only become apparent when plans move from the drawing board to the marketplace. The key here is to be aware that, until now, the advice you have received will have been from a legal perspective and your preparation may have focused on technical challenges. In this next stage you need the flexibility to adapt to real-time challenges, but with the discipline of a strong control environment to keep you safely on track.

Now, having followed the right advice and taken advantage of the huge opportunities within China, India and Indonesia, our notional company wants to expand further into the region. That expansion raises a new question because it may mean transferring data to countries without an established data protection framework. Given the complexities already described, trading with a country that has no data protection framework may seem a positive, but in fact, it can create unknown and unquantifiable risks. That is why we are seeing some large global organisations actually imposing their own organisation-wide data protection framework to manage risk. This trend towards companies taking a global approach to data privacy is covered in more detail within our previous article entitled ‘GDPR: building a global data privacy framework’.

Another data-related challenge during the business life cycle comes with involvement in mergers and acquisitions. There are many scenarios here but the general point is that, depending on where the acquiring or acquired company operates and is headquartered, serious risks can emerge around data localisation. It is therefore very important to have the global privacy officer, chief information officer, chief risk officer or chief data officer, preferably on both sides of the deal, involved in due diligence from an early stage.

The converse case is where our notional company is not doing well and therefore restructures in order to consolidate the business. This results in some local operations being closed and requires data to be transferred out of China, India or Indonesia to the entity’s headquarters or other offices. Obviously, risks will vary according to where the organisation is globally based, but nevertheless it is very important to reassess the risks before and after any such divestment.

Progress without precedent: how best practice can put you on the front foot

As highlighted earlier, data privacy regulation in general, and data localisation rules in particular, are relatively new and still evolving. This means that in some cases we are still awaiting technical guidance from regulators and that companies and their legal advisers have little in the way of precedent to guide them when it comes to enforcement.

Given these circumstances, the best way forward is to take a risk-based approach, with a holistic team that continually reviews the data transfer mechanisms and connects this to the needs of the wider business.

Data will fall into two categories. The first relates to corporate operations such as marketing data, HR data and finance data. Best practice here is to anonymise local data and then transfer it using highly secure and efficient methods, for example, by way of end-to-end encryption. The second relates to business-to-consumer (B2C) activity, which typically involves personal customer data. A best practice here is to undergo a highly structured, GDPR-like data inventory programme. This is in line with article 30 of the GDPR, which requires that ‘each controller and, where applicable, the controller’s representative, shall maintain a record of processing activities under its responsibility.’

Although it remains unclear whether China, Indonesia and India will apply article 30, it may still be worth implementing, because having a strong data inventory can drive improvement within compliance and data transfer programmes.
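As an added illustration (not from the article or its authors), the following Python sketch treats an article 30-style data inventory as a list of processing records and flags cross-border transfers out of China, India or Indonesia that do not follow the two practices described above: anonymised, encrypted transfer for operational data, and regulator authorisation for personal customer data. The jurisdiction set, record fields and sample records are constructed assumptions for the example, not an encoding of any actual law.

```python
from dataclasses import dataclass

# Constructed assumption: countries whose localisation rules, as the article
# describes them, require authorisation before personal data is transferred out.
LOCALISATION_JURISDICTIONS = {"CN", "IN", "ID"}

@dataclass
class ProcessingRecord:
    """One article 30-style record of a processing activity (constructed schema)."""
    name: str
    category: str             # "operational" (HR, finance, marketing) or "b2c"
    source_country: str       # ISO 3166 code where the data is collected
    destination_country: str  # where it is sent or accessed from
    anonymised: bool = False
    e2e_encrypted: bool = False
    transfer_authorised: bool = False  # regulator approval on file

def assess(record):
    """Return findings for one record; an empty list means no localisation concern."""
    findings = []
    if (record.source_country not in LOCALISATION_JURISDICTIONS
            or record.source_country == record.destination_country):
        return findings  # purely local, or not a localisation jurisdiction
    if record.category == "operational":
        # Corporate data: anonymise locally, then move it over an encrypted channel.
        if not record.anonymised:
            findings.append("anonymise before transfer")
        if not record.e2e_encrypted:
            findings.append("use end-to-end encryption for the transfer")
    elif record.category == "b2c":
        # Personal customer data: authorisation is needed before it crosses the border.
        if not record.transfer_authorised:
            findings.append(f"obtain transfer authorisation from the {record.source_country} regulator")
    else:
        findings.append(f"unclassified data category: {record.category}")
    return findings

def review_inventory(records):
    """Map record names to their findings, keeping only records that need action."""
    return {r.name: f for r in records if (f := assess(r))}

def sample_inventory():
    """Constructed sample records covering each outcome."""
    return [
        ProcessingRecord("cn-hr-export", "operational", "CN", "US", anonymised=True),
        ProcessingRecord("in-customer-sync", "b2c", "IN", "IE"),
        ProcessingRecord("id-local-orders", "b2c", "ID", "ID"),
        ProcessingRecord("de-finance", "operational", "DE", "US"),
    ]
```

Calling `review_inventory(sample_inventory())` reports only the two records that leave a localisation jurisdiction without the expected safeguards; the purely local Indonesian record and the German record produce no findings.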

Talking of common standards, there is growing interest in ISO 27701 certification, which provides an increasingly recognised and respected external validation for both privacy and cybersecurity control frameworks. This is a topic we expect to cover in greater detail in the future.

Looking forward: act local and think global

The willingness of companies to set universally high standards proactively, rather than focus purely on local compliance needs, is clearly a positive. The challenge will be to keep their eye on the wider benefits and opportunities this brings, particularly around winning customer trust, while also paying close attention to the detail in terms of country-specific data localisation.

The challenge for regulators goes beyond clarifying technical guidance relating to new data localisation requirements. It extends to engaging with other regulators, both across regions and globally, to simplify and standardise requirements. This can help regulators to improve protection of their own national interests and further smooth the path to international investment and growth, an approach that could see localisation and globalisation go hand in hand.