Taking Data Seriously

In some countries in the region, privacy has recently been declared a fundamental human right. Even when not defined so concretely, it is clear that individuals have certain demands and expectations over what happens to their own information.

These individual pressures have to be balanced with the needs of companies. To effectively scale, firms are increasingly interested in building infrastructure that does not always match geographic boundaries of countries. Citizen data and information of all sorts can be moved across borders and firms generally desire more movement rather than less. Businesses have strong reputational reasons for wanting to protect customer information.

Governments, of course, are deeply concerned about protecting the rights of their own citizens and the security of their countries. Officials have to balance the sometimes complementary--but sometimes competing--demands of business and consumer privacy or business and national security issues.

Toss into this volatile mix rapidly changing technology and regulatory and legal structures that move on a much slower timescales and it becomes clear why rules on managing data flows in Asia has started to fragment.

The Asian Business Law Institute (ABLI) held a workshop in Singapore yesterday as part of a larger project to begin to lay the groundwork for solutions. They brought together regulators from data privacy offices from around the region with others to help frame some of the issues.

The first task has been to examine the different data privacy and legal frameworks that currently exist across Asia. The variations are significant—from very few rules or laws at all on data or privacy to legal frameworks that are extensive with literally hundreds of specific provisions or sectoral rules monitored by multiple government agencies at different levels within a country.

Laws, administrative guidance and regulations are changing and evolving rapidly, making the data protection and privacy rules hard to follow for companies. Fines can be steep and even can be compounded for the same infraction.

The first report from ABLI is due to be released shortly and should be quite helpful for firms looking for a clear review of rules across the region. A shorter version, drafted by Graham Greenleaf for the workshop, shows some of the variations that matter to firms and is available here.

The ABLI project is now moving on to craft recommendations to untangle the increasingly complicated legal landscape for data flows.

The whole idea of data flows may sound like something that applies only to certain types of large internet firms, but increasingly laws could ensnare firms and consumers.

Even actions that do not explicitly appear to be done online could be captured through poorly structured data flow or privacy rules. As an example, new technology is allowing firms to manage their energy usage through sensors embedded in office or warehouse light fixtures. Many of these sensors are monitored “off-shore” with the data stored in data centers in multiple locations.

This data is therefore flowing across borders and being stored in a different location. It would be hard to see how, exactly, such data on whether or not lights are properly turned off at night is violating citizen rights or damaging national security. Yet such data flows could be stopped or such storage could be halted under certain legal rules in jurisdictions in the region.

Even in cases that seem to have clearer connections to consumers, not all information is identical. Singapore is currently littered with brightly colored bicycles available for rent. Customers are unlikely to be fussed about data showing specific trips taken by bicycle. But they care more about what happens to their financial data used to pay for the trip. Even here, however, they are likely to be concerned only in the event of a breach of data that causes consumers serious personal problems.

Asking firms to somehow “split” data into sensitive data and non-sensitive data or carve off financial data can be impossible. The bicycle company cannot properly operate if consumers cannot seamlessly find a nearby bike and rent it on the spot using their mobile phone to transfer their personal data and financial information to pay for the rental.

Smaller firms, especially, would be unable to manage their business operations if they had to divide up data into different bundles. Most smaller firms have no way to “atomize” data and somehow make it impersonal. In many cases, the very reason that consumers opt for smaller firms is precisely their ability to offer personalized services.

These smaller firms struggle to properly protect data themselves, but care even more deeply about data security. A data breach will destroy their reputation. Hence, smart companies will seek out the best operators, including cloud-based providers, to provide their information, security, and storage services.

Privacy people often split data issues into data controllers and data processors—who collects the data and who manipulates it after it is collected? This division may make sense for larger firms or for past practices, but is likely to make less sense going forward as data is gathered and manipulated simultaneously. Smaller firms, especially, do both.

Some officials seem to be interested in getting “consent” for the movement of data, especially across borders. While this idea seems intuitively appealing, technology may make this less and less practical over time.

Consider the bicycles. It can be argued that consumers gave “consent” the first time they signed up for the service. How are consumers to update their consent if the terms and conditions change over time? Do they need to agree each time their data flows overseas? If so, consent might need to be given with each ride. This could get so frustrating for customers that they stop renting bikes at all.

Or think again about the lighting sensors. If the sensors are changed to also track movement in the warehouse to turn off lights when no one is present, it could be argued that employees should be given the right to consent. How would such consent be collected? How often? By everyone? What about people who come into the warehouse occasionally? Just once?

If the law requires that this data be stored locally, why? What would officials do with this data if they had it? A data center contains very few jobs, so this ought not be the driving force behind data localization rules. Hence localization is supposed to be about security of information. But why is it assumed to be more secure to hold data on shore than off-shore or in the cloud? Hugging a server is not likely to automatically help drive security.

In short, there are multiple issues related to data flow. If Asia wants to remain at the forefront of digital trade, it is important that officials and regulators figure out how to create common systems and avoid further fragmentation. This requires looking not just at current challenges, but also thinking about how to foster and encourage new opportunities in the future.

***Talking Trade is written by Dr. Deborah Elms, Executive Director, Asian Trade Centre, Singapore***