Increasing Need for Data Protection Laws
Technological advancements have rapidly accelerated the free flow of data between countries, improving the efficient exchange of knowledge, culture, and innovation. However, data transfers are closely monitored, especially because of the increase in misuse of important information, such as personal details. Many countries now enforce data protection laws within their territories to keep data secure. Some even have strict rules for storing customers’ sensitive data in physical stores within their borders and closely monitor cross-border data transfers. There are several reasons for this trend.
National Security
The personal data of a country’s citizens is more than a string of characters and numbers. If such data is to fall into destructive hands, the country as a whole can be in danger. Therefore, countries are paying close attention to the collection, usage, and storage of their citizens’ personal data. Governments are enacting data laws and regulations to safeguard sensitive information from foreign interference, cyber threats, and espionage for national security.
Data Protection and Privacy
Even at an individual level, data privacy and protection are important. Wrong use of personal data can result in illegal acts of fraud, identity theft, and so on. Hence, countries implement measures such as data localization to strengthen their citizens’ data protection and privacy.
Legal and Jurisdictional Control
Data flows freely beyond borders for various reasons, such as businesses operating multiple offices with data centers located in other countries. If there are breaches or disputes, enforcing a law becomes more complicated when data is in multiple locations. Storing personal data outside a country can lead to jurisdictional issues, and governments may lack control. Therefore, countries bring in laws clearly specifying their implications within borders and in extraterritorial situations.
Cloud Services and Potential Data Localization Violation Loopholes
The global cloud computing market is expected to reach USD 1,062 billion by 2028, with a projected growth rate of 12.27% from 2023 to 2028, according to Statista. Businesses are expected to adopt various cloud services, such as public cloud infrastructure as a service (IaaS), to cater to their needs.
While cloud computing enables organizations to process and store data anywhere in the world, the ease with which data can freely move across borders has brought it under scrutiny by many governments.
To ensure personal data protection, countries are implementing data localization regulations to govern where data is processed and stored. Organizations residing in a particular territory or collecting and using its residents’ information have to comply with data localization laws. However, compliance is far more complex, especially in the case of public clouds.
Two main challenges arise when organizations try to comply with local regulations while using public cloud services, especially those provided by hyperscalers.
Lack of Visibility
Many data localization regulations require organizations to store data within the country’s territory. But often, users might not know the physical location of the data when using cloud services. This is because cloud providers often distribute data across multiple locations for redundancy and efficiency. This can lead to a potential violation of the law, subjecting the organization to fines and penalties.
Lack of Control
Knowing where data is stored doesn’t guarantee the ability to retrieve it back to the organization’s home country. They may not have enough power over cloud service providers (CSPs) to make it happen, or the CSP might not have the required infrastructure in the organization’s country of interest. Inadvertently, organizations can fall victim to data localization non-compliance.
What is Data Localization?
Data localization refers to laws or regulations requiring companies to store and process digital data within the borders of a particular country. This often involves restricting the transfer of data to foreign countries, aiming to protect personal or sensitive information under local privacy laws and ensure easier access for the government’s regulatory and legal purposes.
Data localization laws can also be indirectly established through regulations on cross-border data transfers. These laws or regulations typically set specific conditions under which data can be transferred out of the country, effectively requiring data to be stored and processed locally.
Data Localization vs. Data Sovereignty vs. Data Residency
When discussing the definition of Data Localization, two other terms often crop up, namely “Data Sovereignty” and “Data Residency.” Although these terms are closely related, there are subtle differences between them.
| Data Localization | Data Sovereignty | Data Residency | |
|---|---|---|---|
| Meaning | Regulations that require data storage and processing to remain within a country. | The legal authority a country has over all data generated and stored within its borders. | The geographical location where the data is stored. |
In short, data localization requires a country’s data to remain within its borders. Data sovereignty refers to a country’s legal authority over all data generated within its borders, subjecting it to the nation’s laws and regulations, regardless of where the data’s owner is based. Data residency refers to the geographic location of the data.
Data Localization in Southeast Asia
Several countries in Southeast Asia have come up with their own data localization and cross-border data transfer laws to protect the data of their citizens.
Indonesia
Indonesia is one of a few Southeast Asian countries that enforce data localization laws to ensure data is processed and stored within the country. The primary regulation in this context is Government Regulation No. 71 of 2019 on Electronic Systems and Transactions (GR 71). GR 71 categorizes electronic system operators (ESOs) into two types: public and private. Only public ESOs, like government institutions and their appointed parties, must process and store their data within Indonesia. Private ESOs, like private companies, are given the flexibility to store their data outside of the country. However, they are still expected to maintain the effectiveness of legal enforcement and monitoring in Indonesia. Private ESOs in certain industries, such as financial services, may be subject to sector-specific regulations to process and store personal data only in Indonesia.
Furthermore, Indonesia enacted the Protection of Personal Data (PDP) Law on October 17, 2022, as a part of its wider data protection regulations. While the PDP Law does not cover data localization, it specifies that, for cross-border data transfers, data controllers transferring personal data abroad must ensure that the recipient country has a level of data protection at least equal to that required in Indonesia.
Malaysia
Malaysia enacted a comprehensive data protection law called the Personal Data Protection Act (PDPA) in 2010. It came into effect in 2013, focusing on the protection of personal data and compliance requirements for businesses. PDPA requires organizations to fully protect personal data from any breach or misuse, by sufficient security measures in place.
While the PDPA does not contain specific data localization requirements, it does regulate cross-border transfers of personal data, The act generally prohibits the transfer of personal data outside of Malaysia unless certain exceptions apply. These exceptions include scenarios where the individual concerned has consented to the data transfer or the transfer is necessary due to a contract involving the individual, and the transfer will not lead to a violation of Malaysia’s data rules.
The Malaysian government has also launched data protection initiatives outside the scope of the PDPA. For instance, in 2018, it launched the Malaysia Digital Economy Blueprint, which promotes the use of in-country data centers and encourages the development of local data protection laws.
Singapore
To protect its citizens’ data, Singapore enacted the Personal Data Protection Act (PDPA) in 2012 and implemented it in phases. This act comprises various requirements governing the collection, use, disclosure, and care of personal data in Singapore. The Personal Data Protection Commission (PDPC) overlooks the implementation of PDPA.
PDPA applies to all organizations in the private sector. The public sector is excluded and is subjected to separate rules under the Government Instruction Manual 8 (IM8) and the Public Sector (Governance) Act.
PDPA does not include provisions for data localization, while cross-border data transfers are only permitted under a legal basis fulfilling specified conditions such as derogations, binding corporate rules, and so on.
Thailand
Thailand’s version of the EU’s GDPR, the Personal Data Protection Act (PDPA) came into effect on June 1, 2022, with the Personal Data Protection Committee (PDPC) as the regulatory authority. The key aspects of the PDPA include regulations on data processing, data collection, data storage, and data consent protocols. The law applies to every organization that collects, uses, or discloses personal information in Thailand or of Thai residents, irrespective of residency or business presence in Thailand.
Thailand’s PDPA does not explicitly require data localization. However, it does place certain conditions on cross-border transfers of personal data. Businesses must ensure that the recipient country or organization provides adequate protection or implements additional safeguards if necessary. In some cases, approval from the PDPC may be required before transferring data across borders.
Vietnam
Vietnam has implemented data localization regulations under its Cybersecurity Law (No. 24/2018/QH14), which took effect on June 12, 2018, and was further clarified by Decree No. 53/2022/ND-CP.
The Law requires both domestic and foreign enterprises operating in telecommunications, the internet, or those providing cyberspace value-added services (Cyberspace Service Providers) in Vietnam to locally store certain types of data. This data includes personal information, data on the relationships of service users, and user-generated data within Vietnam. The government determines the specific data storage period, with a minimum duration of 24 months, as stipulated in Decree 53. Furthermore, foreign enterprises that provide certain listed services and have used these services in violation of cybersecurity laws are required to establish a branch or representative office in Vietnam
Regulations on cross-border data transfers are provided in the Decree 13/2023/ND-CP on Protection of Personal Data (PDPD), Vietnam’s first-ever comprehensive data privacy law enacted on April 17, 2023, and came into effect on July 1, 2023. PDPD outlines specific requirements for cross-border data transfer, such as formulating an Overseas Data Transfer Impact Assessment dossier and notifying the Cybersecurity Department of the data transfer.
The Philippines
The Philippines enacted the Data Privacy Act (DPA) in 2012 to ensure the fundamental human right to data privacy. The National Privacy Commission (NPC) is responsible for implementing and enforcing the DPA. It provides guidelines and standards for processing personal data and supplements the DPA with various circulars and advisories.
While the NPC critically scrutinizes cross-border data transfers, no law stipulates that data storage and retention should be within the national borders of the Philippines. Transfers of personal data to third countries are only permissible if there is a legal basis for the processing/transfer with approved standard contractual clauses or binding corporate rules.
Data Localization and Cloud Repatriation
To avoid any financial or reputation hit because of regulatory non-compliance, organizations are increasingly adopting a cloud repatriation strategy. Cloud repatriation means moving an organization‘s workloads and data from the public cloud back to on-premises data centers. The organization itself owns, manages, and operates these data centers, eliminating ambiguity in visibility and control. This can help them better comply with stringent local regulatory measures.
As opposed to the general belief that maintaining private data centers is expensive and cumbersome, new technologies like virtualization and hyperconverged infrastructure (HCI) have made them cost-effective and easily operable.
Specifically, HCI can replicate a cloud-like data center environment, offering similar benefits. They make data centers more accessible and manageable by integrating various resources into a single, unified system. Data resources can simply be managed through a software interface, reducing hardware complexity. Organizations can enjoy faster deployment, easy scalability by adding more nodes to the infrastructure, and automation capabilities. In short, the baseline of maintaining data centers has become much more convenient and efficient.
In addition to private data centers, organizations can migrate their workloads from hyperscaler public clouds to local cloud services. Although there is relatively less control and visibility compared to private data centers, it will allow them to abide by the local data protection and localization laws while retaining the benefits of the cloud.
Sangfor Solutions for Your Data Localization Compliance
For organizations in Southeast Asia, Sangfor‘s innovative technologies, such as Hyperconverged Infrastructure (HCI), Hybrid Cloud, and Managed Cloud Services (MCS), can help with data localization compliance.
Sangfor HCI
Sangfor HCI powers data centers with cutting-edge virtualization technology and seamlessly integrates compute, storage, networking, security, and management into a unified software stack. It offers organizations an agile, simple, resilient, and scalable software-defined data center.
What sets our HCI solution apart is its strong presence in the Asia Pacific region, as demonstrated by Sangfor ranking as the 2nd Largest HCIS Vendor by Revenue in Asia-Pacific for 2Q2023 based on Gartner® Market Share.
Sangfor Managed Cloud Services (MCS)
Organizations can be free from the pressure to build data centers by adopting our Managed Cloud Services (MCS). Sangfor MCS offers managed Infrastructure-as-a-Service and Platform-as-a-Service from data centers distributed across Southeast Asia. Organizations can sit back and relax with Sangfor MCS to comply with local regulations.
Sangfor Hybrid Cloud
Organizations that wish to retain their data on-premises while hosting applications in the cloud can leverage Sangfor Hybrid Cloud. It is an integration of private cloud and public cloud environments. With the private cloud element in our hybrid cloud, you can comply with local data localization requirements while enjoying the benefits of both clouds. This setup allows organizations to seamlessly manage workloads across both environments, providing greater operational flexibility.
Please visit our website www.sangfor.com for additional information or reach out to us on our contact page.
