While China and India strictly execute their rules on how Big Tech companies (Google, Apple, Facebook, Amazon, and Microsoft) must store and process user data, other countries in the world are making some compromises to secure their economic welfare.
China and India, which together account for more than one-third of the world’s population, have been belligerent with regards to their approach to data regulations.
For example, in 2019, India proposed a bill, known as the Personal Data Protection Bill of 2019. The extraterritorial provision of the draft kicked up a storm. This provision required companies — that operate not just in India but even outside of its borders and collect the personal data of Indian citizens — to process it in the servers located in the country. This bill, however, didn’t become a law thanks to the delay caused by the COVID-19 pandemic.
China was more stringent. It passed a cybersecurity law in 2016, which requires organisations and network operators to be subjected to government-authorised security checks and also to store data within the country’s territory.
To comply with the law, Apple, one of the rare and prominent Western Big Tech that has been immensely successful in China, has completed the construction of a new data centre in Guiyang this June. As per a report by The New York Times, Apple will transfer all Chinese user data to this server.
In ASEAN, while Singapore promotes a digital economy that allows data-reliant industries to thrive across diverse sectors, countries such as Malaysia, Brunei, Indonesia, Vietnam, Thailand, and the Philippines all realise data localisation regulations to some extent.
Western critics are worried that this approach will give Asian governments excessive power to surveil their own citizens, apply censorship, and undermine human rights. At the same time, defenders justify these laws/proposals saying it is a confrontation against the so-called data colonialism and they are meant to safeguard national security.
The divide within the region gained some steam when Japan promoted “data free flow with trust” in 2019 at the Osaka Declaration on Digital Economy, known as the “Osaka Track”, which aims to enhance protections for intellectual property, personal information, and cybersecurity of a global digital economy.
Over 50 countries, including China, South Korea, Vietnam, Singapore, and Thailand in Asia, agreed and signed the Osaka track. But India and Indonesia refrained. These two Asian giants wanted to preserve the policy space of developing countries with regard to data governance and leverage the ongoing multilateral talks on e-commerce under the aegis of the World Trade Organization instead.
The hard bargain of governments
In response to the unfavourable coverage of the international media on the Apple case, Qinduo Xu — China Radio International’s former chief correspondent in Washington and a senior fellow of the Pangoal Institution — stated that multinational companies must comply with the laws of the land in which they are operating — whether it is China, Vietnam, India, or countries in Europe.
“Firstly, it’s about national security,” he emphasised. “Secondly, it’s also about digital sovereignty.”
Data ownership is becoming a part of the geopolitical competition that will shape the 21st century. Xu added that Apple’s relocation of data storage to China is necessary because Beijing recognises the importance of protecting its information from being stolen by other countries, particularly those that are advanced in technologies and able to hack into the country’s internet without being caught.
It is not just the Western tech giants that have come under the public eye in China. Even local tech giants such as Alibaba and Tencent were and still are subjected to strict regulations by Beijing regarding data ownership and commercialisation. The Chinese government published a Personal Information Protection Law (PIPL) draft last year and issued revised antitrust regulations in February for platform providers.
But these barriers can hinder the growth of the region in a similar manner that tariff measures affect free trade. According to a report by the US-ASEAN Business Council and Deloitte, 67 per cent of investors are uncomfortable investing in digital businesses obligated to store user data locally.
From the technology perspective, according to Khoi Viet Ngo, CTO of SenSecures Vietnam and Vietnet Distribution, that Big Tech’s digital applications are originally designed to process data centrally and take full advantage of the internet and cloud service to serve their operations on a global scale. This process requires credible, uninterrupted, and synchronous connections among qualified clusters of servers in several countries worldwide.
“Having data unconnected to other data will inadvertently create disruption and congestion,” said Ngo. “Moreover, if a disaster happens, there is no way to recover the data located in the disaster site.”
If a country declines to transfer data generated from digital services, it will risk a slowdown in technology advancement. The technical systems running inside the country would also be outdated quickly and more vulnerable.
“Even if there are no data regulations, companies have always considered placing the data of its users domestically,” said Ngo.
Placing servers outside a country’s borders will increase the amount of data transferred internationally. Every six months, the amount of bandwidth required for digital applications would rise by several tens of percentage, which would eventually result in higher costs for users.
In Vietnam, there are about 27 data centres in 2020 but all of them were set up and run by domestic enterprises such as Viettel, VNPT, and FPT. Ngo said that the country is not a big market with enough qualified human resources to operate data centres at higher tiers. If the regulation is too strict, Big Tech could consider leaving the country because there are no alternatives for storage. Even local companies had to invite Facebook and Google to set up servers at their data centres at a meagre price, VTC News reported in 2017.
“Most data centers in Vietnam are still not able to reach the high level of security and technology capability,” Ngo said. “If the law requires it but there is no safe place for them to store data, why would they do it?”
Countries including India, Vietnam, and Indonesia eventually narrowed down their data storage provisions. However, it is to be noted that these countries do not compromise on their strategic autonomy. They still secure the power to step in whenever a foreign internet service provider violates the law of the land or when it stops providing access to data upon request, to preserve sovereign interest.
It is people who are compromising
“It is important to know the frame of reference you are based on to judge a country’s personal data protection policy,” Ngo added. “Even in terms of human rights, each country has a different definition.”
Governments in China, India, the EU, Japan, and the US have different viewpoints when it comes to data governance, and they are even clashing with each other when delivering them to citizens.
In China, Xu says, people have accepted that as long as they are online or sharing data with Apple, Google, Alibaba, Tencent, or even other state-owned corporations, the data is beyond their control.
“There’s news about the change of hand of the data storage or new apps or the deletion of certain apps [on iCloud], but they failed to become headlines stories,” Qinduo stated. “Do people care that these data might be in the hands of the government? No.”
A survey by Harvard Gazette, which saw the participation of 32,000 people from 2003 to 2016, found that people’s satisfaction with the government in China is much higher than in the US. In 2016, 95.5 per cent of respondents said they were “relatively satisfied” or “very satisfied” with Beijing.
Meanwhile, trust in technology companies suffered a plunge across 28 countries, according to the Edelman Trust Barometer 2020 report. A lot of evidence suggests that Big Tech companies are illegally taking advantage of user data. Instagram harvested biometric data of 100 million accounts. Facebook improperly exposed 87 million users to Cambridge Analytica. Alphabet, Google’s parent company, faced a US$5-billion lawsuit over non-transparent data collection through Google Analytics, Google Ads, and other apps.
Ngo commented that even before moving to the cloud, users’ awareness about data protection in physical environments such as an internal network or personal computer is already a matter of concern. Phishing, misdelivery, misconfiguration, sharing access, downloading malware, clicking unknown links are the most worrisome causes of data breaches, according to Verizon’s 2020 Data Breach Investigations Report.
Research by CybSafe in 2019 suggested that 90 per cent of cyber breaches recorded by the UK Information Commissioner’s Office (ICO) were stemmed from human errors that enabled attackers to access encrypted channels and sensitive information. Similar results were found by Kaspersky Lab’s interviews in 2018 with more than 7,000 people across 24 countries.
Training in digital skills, broadly defined by UNESCO as those needed to “use digital devices, communication applications, and networks to access and manage information,” becomes more relevant than ever in developing countries, where the common understanding of digital information is mostly ignored.
Ngo said that when protecting cybersecurity, professionals will leverage three Ps — product, policy, and people. Product refers to technology solutions while Policy focuses on the processes and rules within an organisation and a country. People are those creating, owning, and transferring information.
“Most companies still rely on the first “P” when it comes to data protection, meaning buying products or using third-party services,” Ngo said. “But the most important factor is the people and it is essential to reduce these cyber-risks by taking action in changing staff cyber-awareness and behaviours.”
Image Credit: 123rf.com
The post Big Tech vs data protection laws in Asia: Who is compromising? appeared first on e27.