EU data law changes offer opportunities for Asia's datacenter markets

Destinations such as Singapore, Malaysia or Hong Kong need to seize the opportunity of being deemed an acceptable data transfer partner with the European Union in order to get ahead of the competition.
Written by Kevin Kwang, Contributor

The European Union's (EU) Data Protection Regulation, which is currently being debated within the European Commission, will have far-reaching impact on datacenter destinations around the world since those which do not meet the EU's data protection laws will not be able to handle their citizens' data.

Asia's datacenter markets such as Singapore, Hong Kong or even Malaysia should thus pay attention to the impending regulatory changes and ensure their data protection regime is adequate to meet the EU's standards. This way, they can keep ahead of regional rivals and increase bilateral trade with Europe, advised SafeGov.org president Jeff Gould.

SafeGov.org is a forum for IT providers and leading industry experts dedicated to promoting trusted and responsible cloud computing offerings for the public sector.

In a recent interview with ZDNet Asia, Gould said Europe's ongoing regulatory amendments for data protection laws aim to streamline the implementation and enforcement of the rules in member EU states. One of its primary aims is to protect EU citizens' data from being exploited or compromised, which means if the data subject's details are sent overseas, that particular country must be compliant with the EU's data protection laws.

The challenge, however, is not many countries meet Europe's stringent data protection requirements, which effectively excludes them from being data transfer partners with the region, he noted.

Not many countries meet Europe's stringent data protection requirements.

In Asia-Pacific, for example, only Australia and New Zealand meet the European Commission's criteria of having the adequate level of protection "by reason of its domestic law or of the international commitments it has entered into", according to the EC's Web site.  

There are workarounds though, and these are dependent on enterprises regulating data flows from the Europe office to their offices around the world.

One such method is for companies with datacenters in different markets such as Microsoft or Amazon Web Services to enact binding corporate rules (BCRs) internally that are compliant with EU regulations. The other option would be to insert contractual clauses to compel non-European Economic Area (EEA) data processors to abide by EU data protection standards, Gould explained.

He also mentioned the EC is currently considering relaxing its adequacy assessment requirements further by not requiring the whole country to be compliant. Instead, a certain sector such as the data center industry could work with the local government and EU to meet the data protection requirements, thereby ensuring their businesses are not affected by any regulatory changes.

Singapore positioned to capitalize, India not quite

While Europe's Date Protection Regulation has yet to be firmed up, Gould urged datacenter hubs such as Singapore to look into how it could prepare itself to remain aligned with the EU's requirements.

Singapore may have introduced its Personal Data Protection Act 2012 (PDPA) in phases this January, but the SafeGov president said based on initial observations, the regulation will not be enough to comply with the EU's data protection laws.

This is because the Personal Data Protection Commission (PDPC), which came into being on January 2, 2013, to administer and enforce the PDPA, does not have "truly independent" data protection authority from the government, he pointed out.

According to the PDPC Web site, the commission's chairman and members were appointed by Singapore's Ministry of Communications and Information and all have appointments at the Infocomm Development Authority of Singapore (IDA), which is the local ICT regulatory body.

That said, Gould noted Singapore is already recognized as a reputable datacenter destination in Asia-Pacific, and he is "pretty confident" the local government will have taken note of developments in Europe and is positioning the country to take advantage of the market opportunities thrown up by the impending regulatory changes.

Already, Singapore is the EU's largest trading partner in Southeast Asia. Bilateral trade in goods and services between the EU and the Association of Southeast Asian Nations (Asean) reached well over 200 billion euros (US$262.1 billion) in 2011, of which the EU-Singapore trade comprised about a third, or 74 billion euros (US$94 billion), the EC Web site stated.

He added he is "less optimistic" over India's ability to ready its IT industry for the data protection changes. This is because he does not see as much "national unity" in addressing the shortcomings of the domestic data protection laws.

India has been pushing hard for the EU to accord it the much-coveted data-secure destination status, as it recognizes the boost it will give to the local business process outsourcing (BPO) industry. Last September, the government said it will sign off on the free trade agreement with the EU only if the latter granted it the data-secure destination status.

Editorial standards