Influencers in APAC MTDC markets: Regulations
August 23 2019
by Dan Thompson, Stefanie Williams, Emily Wentworth
When we consider datacenter markets at the country level, there are two current trends that stand to affect those markets more immediately than anything else: the growth of the public cloud and government regulations, specifically, data sovereignty laws. Part of a three-part spotlight series covering various influencers – cloud service providers and regulations – in APAC MTDC markets, this report looks at the regulations driving or inhibiting adoption of datacenter and other services in Singapore, China, Japan, Australia and Indonesia.
The 451 Take
While the effectiveness of regulations, including data sovereignty laws, at actually protecting each country's citizens is debatable, and the practice itself erodes the overall openness of the internet, what is evident is that these laws can spur growth in otherwise floundering or nonexistent datacenter markets (Indonesian providers, for example, commented that without the country's laws, the datacenter industry wouldn't be growing at all). In Europe, these efforts are somewhat coordinated through the EU; in APAC, by contrast, the laws vary widely from country to country. Given the ever-changing nature of technology (and governments' general lack of understanding of it), these laws tend either to paint with a very broad brush in an attempt to remain flexible to that change, or to be highly restrictive out of fear and general protectionism.
Singapore takes a rather open-handed, and thus fairly distinctive, approach to data protection and localization, one that fits the country's status as a 'hub city' for data and communications. In 2012, the country passed the Personal Data Protection Act (PDPA), later supplemented by the Personal Data Protection Regulations (PDPR). Together, these define personal data as data that can, either by itself or when combined with other data a company may have, be used to identify a person. Under these rules – unless the data is anonymized – companies cannot collect or disclose personal data without the person's consent, and personal data may not be transferred outside the country unless the recipient provides a comparable standard of protection or the transferring company has the consent of the individual.
Beyond data localization, all financial institutions must comply with the Technology Risk Management Guidelines issued by the Monetary Authority of Singapore (MAS), a set of mandates created in response to banks and financial institutions having become more reliant on technology. Among these guidelines is the Threat and Vulnerability Risk Assessment (TVRA), which applies to datacenters. Today, the TVRA is effectively mandatory for any provider that wants to be relevant in the market: banks are the only companies formally required to meet it, but many other industries have adopted its criteria voluntarily, and customers from almost any vertical now ask a provider for the report.
Furthermore, in June 2015, the Association of Banks in Singapore released a set of guidelines on control objectives and procedures for outsourced service providers that includes an Outsourced Service Provider's Audit Report (OSPAR) template. Like the TVRA, the OSPAR template seeks to standardize audits for banks looking to leverage outsourcing. And just like the TVRA, OSPAR formally applies only to banks, yet other industries in Singapore are asking for the audit as a matter of self-regulation.
One of the leading voices behind the general data sovereignty push across the entire APAC region, China implemented its own localization statute in 2017 as part of a broader piece of legislation, referred to simply as the Cybersecurity Law. Building on earlier documents relating to VPNs and other cross-border data transfers, the localization provision applies to all network operators and businesses in 'critical sectors' that manage email or other data networks.
Energy, water management, transportation, financial services, public services and, crucially, telecommunications and IT services have all been specifically mentioned as falling into this vaguely defined category. The Cybersecurity Law does not apply to Hong Kong. Data localization enforcement in China falls to the Ministry of Industry and Information Technology (MIIT), which regularly issues updates on security standards for the IT services industry, conducts audits of organizations' network operations, and punishes organizations found to be out of compliance with fines and license suspensions.
Amid protestations over censorship and protectionism, firms were given 18 months from the middle of 2017 to update their respective IT infrastructures. Despite warnings that investment would turn to other parts of the world, most companies have found the payoff of access to the Chinese market too great to walk away from, and have acted accordingly. Many believe that business considerations around latency, performance (the Great Firewall slows almost all internet connections into and out of the country) and cost had already led many large enterprises to deploy within China's borders. But the Cybersecurity Law has undoubtedly had a net positive impact on international demand for datacenter services in the country, especially in primary markets.
Separate from data localization, MIIT's strict IT services licensing regime further complicates the Chinese colocation industry for foreign businesses, on both the service provider and end-user sides. Beijing has always regulated China's telecommunications industry by issuing permits to approved providers, and most enterprise IT services have been covered under a particular Value Added Telecom Services (VATS) license for about a decade.
Since 2015, MIIT has clarified that licenses are required to deliver any kind of connectivity-oriented service, including interconnection, VPNs, cloud and managed services, and others. To make matters even more challenging for foreign colocation players, at least 50% Chinese ownership is required to obtain a license. Datacenter operators that want to serve local customers or bring their own clients to China must either form joint ventures with domestic organizations or hand all network-touching services over to homegrown companies (most often one of the carriers). Again, Hong Kong does not fall under the same regulation, and Hong Kong-based organizations can apply for permits on their own. Other global players have instead opted for minority stakes in Chinese providers, along with strategic customer-sharing agreements, as CyrusOne has done with GDS.
Japan's Act on the Protection of Personal Information (APPI), one of the oldest data protection laws in Asia, dates back to 2003. It is designed to protect the rights and interests of individuals, and defines how personal information must be handled by businesses. For the purposes of APPI, 'personal information' is any information that could be used to identify a specific individual, such as name, birth date, etc. APPI also designates 'special care-required personal information' (essentially sensitive personal information), which covers data such as race, creed, social status, medical history and criminal record, and requires the individual's consent to use or distribute it.
Furthermore, APPI provides that personal data cannot be transferred to foreign countries unless a) the individual has consented beforehand, b) the receiving country has laws equivalent to Japan's, or c) the company has taken adequate precautionary steps to protect the personal data to Japanese standards (the latter two are admittedly not well defined). In January 2019, alongside the EU-Japan Economic Partnership Agreement that sets out the trade relationship between the two, the EU and Japan adopted reciprocal adequacy decisions, each recognizing the other's data protection regime. To date, the countries of the EU are the only ones on Japan's equivalency list.
For datacenter and cloud providers, special care must first and foremost be given to the handling of personal information or sensitive personal information in employee contracts and in contracts with individuals for service. These contracts must also be stored inside Japan, or have prior approval to be stored elsewhere, which may require extra consideration and process for businesses not based in Japan. Finally, Japanese law does not contain the concept of a 'data processor' as the EU's General Data Protection Regulation (GDPR) does, so datacenter and cloud providers do not appear to bear any responsibility for the data of a customer's customer (think of a business associate under HIPAA in the US). However, as part of the mutual adequacy process, Japan's Personal Information Protection Commission issued a set of Supplementary Rules governing how personal data received from the EU must be handled once it is in Japan.
Finally, the Financial Information System Center (FISC) provides guidance and research on securing information and related systems. The organization maintains the Security Guidelines on Computer Systems for Banking and Related Financial Institutions, which contain provisions pertaining to datacenter, cloud and managed service providers. Much like Singapore's Threat and Vulnerability Risk Assessment (TVRA), FISC compliance is essentially a must-have for providers looking to serve the financial verticals in Japan. The good news is that many of the FISC requirements are already met through the ISO and SOC certifications that are common among datacenter providers.
While the Australian government has always taken an interest in protecting the personal data of its citizens, a government-led cloud-first policy is driving an accelerated effort to introduce more stringent legislation to better protect the interests of its citizens and enterprises, as well as to lay the foundation for the government's newest datacenter selection process. Federal privacy law rests primarily on the Australian Privacy Principles (APPs), but numerous additional laws apply specifically to network operators, software firms and even equipment vendors, alongside laws put in place by individual state governments.
The eighth principle (APP 8) governs cross-border disclosure of personal information, essentially requiring an organization that discloses personal information to an overseas recipient to take reasonable steps to ensure the recipient does not breach the APPs in relation to that information. If the recipient does violate the APPs, the disclosing organization is held accountable. The difficulty of vetting potential vendors often leads organizations to select in-country providers for both datacenter and cloud services in order to comply more easily with the law.
The Australian federal government has also launched a digital transformation program that includes a cloud-first model for data storage going forward. The program's certification framework is designed to address and mitigate data sovereignty risks within hosting supply chains, especially those that arise when a facility changes ownership. Any datacenter on the government's panel will undergo a certification process based on the degree of sovereignty assurance it can provide. Datacenter providers in Australia believe that the APPs and their associated regulations, together with the federal government's digital transformation strategy, will in fact support demand for datacenter and cloud services within Australia from both Australian entities and foreign entities with an Australian presence, driving ongoing datacenter development across the country, and in Sydney in particular.
To implement certain aspects of Law No. 11 of 2008 (Indonesia's Electronic Information and Transactions law), the president issued Government Regulation No. 82 of 2012 (GR82). GR82 sets out specific requirements for companies providing any sort of digital public service. Article 17 of GR82 states that anyone providing a public service via electronic means must have a continuity/DR plan and must use a datacenter inside Indonesian territory (for both production and DR). It then grants further control over datacenter placement to the Minister of Communication and Informatics (also translated as Minister of Information and Communication – MoIC or MoCI).
Although neither Law 11 nor GR82 defines specifically what a public service is, one possible interpretation is that a public service is any product or service designed to be used by someone else (i.e., web applications, mobile apps, public cloud infrastructure, IaaS, etc.). In short, under that reading, a business that serves an Indonesian customer base through any digital means, or that houses Indonesian data, must do so from a datacenter inside Indonesia.
Since GR82 came into effect, the MoIC has publicly spoken about relaxing various aspects of it, which, combined with a lack of any real enforcement in most verticals, has given businesses an excuse to take a 'wait and see' posture. That, together with the debate over what actually constitutes a public service, means movement toward colocation by local enterprises has been slow at best.
That said, there has been some movement due to the new regulations, and subsequent regulations for the banking industry such as OJK 38/2016, SE OJK 10/2016 and OJK 75/2016 (among others) suggest that the banking and insurance industries will be a growing customer base for colocation providers in the near future. Finally, the MoIC is rumored to be drafting an amendment to GR82 that could resolve many of the gray areas in the regulation, but what that amendment will contain is unclear.