'Inconsistent' watchdogs throw cloud biz barons into a tizzy

Inexperienced officials wreck everything, says expert


A lack of consistency over the way Asian regulators approach data privacy issues has led to a slow take-up of cloud services by businesses in the region, an expert has said.

Hong Kong-based outsourcing contracts expert Peter Bullock of Pinsent Masons, the law firm behind Out-Law.com, said that cloud providers are not offering business customers services that account for the fragmented regulatory approach to cross-border transfers of personal data.

Bullock said EU firms benefit from "a level of consistency" on how data privacy issues are dealt with by regulators in the trading bloc. "This is not the case across Asia Pacific," he said.

He added that companies selling cloud services in Asia have admitted that it has been difficult to demonstrate that the use of cloud in outsourcing arrangements leads to "demonstrable cost savings".

At a recent roundtable event hosted by Pinsent Masons, business executives said that because Asian firms are used to sweating their assets there is often less scope for cost savings to be made by switching to cloud solutions.

Bullock said that another underlying concern of Asian businesses in using cloud services is the "fragmentary nature" of the regulatory regime in operation across the region on the issue of cross-border personal data transfers.

"Most of the data protecting nations of Asia, do not have a good track record in regulating data flows across their borders," Bullock said. "Hong Kong, for instance, enacted a law requiring adequate provision for the protection of personal data leaving its shores in 1996, but to this day the provision has still not been brought into force."

Other jurisdictions, including Indonesia and Thailand, each with vast populations and burgeoning telecommunications and social media networks, currently have no data protection law whatsoever, he said.

"It is therefore left to businesses to regulate this themselves in their own best interests and with one eye on the relevant regulators, who may be in the EU or US," he added.

Current EU data protection laws prevent companies sending personal data outside of the European Economic Area (EEA) except where adequate protections have been put in place or in circumstances where the destination country has been pre-approved as having adequate data protection.

Only a handful of countries, including Argentina, Canada and Switzerland, have qualified as having adequate protection. The EEA includes all 27 EU member states, Iceland, Norway and Liechtenstein.

There are a number of legal mechanisms that firms within the EU can put in place to meet the adequacy standards, such as agreeing "binding corporate rules" (BCRs) with regulators to govern the international transfer for personal data, or by using model clauses within outsourcing contracts to compel non-EEA data processors to abide by EU data protection standards.

Bullock said that BCRs have "yet to catch on in the Asia-Pacific region". He said that although the issue of BCRs is approached very differently by businesses in the EU, those firms benefit from "a level of consistency" on how data privacy issues are dealt with by regulators in the trading bloc. "This is not the case across Asia Pacific," he said.

"Each jurisdiction has its own laws, often produced in response to local sensitivities – culture, political, or sometimes simply down to market behaviours and who has got caught doing what, and when," Bullock said. "This does not make it easy to plan a region-wide approach to data privacy compliance."

"Also, the regulators are much less experienced than their EU counterparts and whilst this makes some of them less interventionist, it also means that they are often less predictable than their western equivalents.

"This all goes to uncertainty of the risk profile for data protection in individual jurisdictions. Cloud providers do not seem to be sensitive to these difficulties and shortcomings," he added.

Copyright © 2013, Out-Law.com

Out-Law.com is part of international law firm Pinsent Masons.

Broader topics


Other stories you might like

  • Never fear, the White House is here to tackle web trolls
    'No one should have to endure abuse just because they are attempting to participate in society'

    A US task force aims to prevent online harassment and abuse, with a specific focus on protecting women, girls and LGBTQI+ individuals.

    In the next 180 days, the White House Task Force to Address Online Harassment and Abuse will, among other things, draft a blueprint on a "whole-of-government approach" to stopping "technology-facilitated, gender-based violence." 

    A year after submitting the blueprint, the group will provide additional recommendations that federal and state agencies, service providers, technology companies, schools and other organisations should take to prevent online harassment, which VP Kamala Harris noted often spills over into physical violence, including self-harm and suicide for victims of cyberstalking as well mass shootings.

    Continue reading
  • Google has more reasons why it doesn't like antitrust law that affects Google
    It'll ruin Gmail, claims web ads giant

    Google has a fresh list of reasons why it opposes tech antitrust legislation making its way through Congress but, like others who've expressed discontent, the ad giant's complaints leave out mention of portions of the proposed law that address said gripes.

    The law bill in question is S.2992, the Senate version of the American Innovation and Choice Online Act (AICOA), which is closer than ever to getting votes in the House and Senate, which could see it advanced to President Biden's desk.

    AICOA prohibits tech companies above a certain size from favoring their own products and services over their competitors. It applies to businesses considered "critical trading partners," meaning the company controls access to a platform through which business users reach their customers. Google, Apple, Amazon, and Meta in one way or another seemingly fall under the scope of this US legislation. 

    Continue reading
  • Another VPN quits India, as government proposes social media censorship powers
    New Delhi now fighting criticism of eroding free speech and privacy with two proposed regulations

    India's tech-related policies continue to create controversy, with fresh objections raised to a pair of proposed regulation packages.

    One of those regulations is the infosec reporting and logging requirements introduced by India's Computer Emergency Response Team (CERT-In) in late April. That package requires VPN, cloud, and numerous other IT services providers to collect customers' personal information and log their activity, then surrender that info to Indian authorities on demand. One VPN provider, ExpressVPN, last week quit India on grounds that its local servers are designed not to record any logs so compliance would be impossible. ExpressVPN will soon route customers' traffic outside India.

    On Tuesday, another VPN – Surfshark – announced it would do likewise.

    Continue reading
  • Giant outsourcer keeps work from home, loses tax breaks. Government says 'good riddance'
    Philippines says subsidies inflate profits, not local economy

    The government of the Philippines has welcomed the decision by giant business process outsourcer Concentrix Corporation to forgo tax incentives and instead allow its staff to continue working from home for the foreseeable future. The nation feels that subsidising outsourcers' bottom lines does nothing to boost the local economy.

    The Philippines imposed lengthy and strict COVID-19 lockdowns that saw its substantial business process outsourcing sector quickly adapt to working from home. The nation's government supported that move by continuing to offer the pre-COVID subsidies it offered to outsourcers that run offices located in certain special economic zones.

    Those subsidies have subsequently been removed, and the requirement to operate from special economic zones restored.

    Continue reading

Biting the hand that feeds IT © 1998–2022