Concerns about data sovereignty, data flow and security are holding back cloud adoption in Asia, says industry body

Out-Law News | 10 Dec 2013 | 9:50 am | 3 min. read

Cloud adoption in Asia has yet to reach its potential because of data protection concerns in the region, the Asia Cloud Computing Association (ACCA) has said.

The group, which lobbies on regulatory issues to promote cloud adoption and whose members include Microsoft, AT&T and Cisco, said that a more harmonised approach to data privacy in Asia could boost the cloud computing industry and help businesses obtain greater flexibility and costs savings from their IT infrastructure.

"The promise of cloud is yet to be fully realised in Asia as it continues to remain surrounded by concerns around data sovereignty, cross border data flow and data security," ACCA said in a new report seen by "Regulators and authorities in Asia have rapidly responded to these concerns by introducing new laws, regulations and compliance requirements which attempt to mitigate the security and data privacy risks associated with the use of cloud computing platforms. However, it is unclear whether regulations are effectively addressing the key risks and may create inconsistencies from one country to another."

"As legal environments among the 14 countries differ significantly, there is a huge challenge for those adopting cloud services in satisfying requirements across the multiple jurisdictions," it said.

ACCA assessed the regulatory regimes in Australia, China, Hong Kong, India, Indonesia, Japan, Malaysia, New Zealand, Philippines, Singapore, South Korea, Taiwan, Thailand and Vietnam. Of the 14 countries, ACCA ranked Japan's legal framework as the most conducive for cloud adoption, but identified barriers to take up present within each country's regimes.

"From the scorecard results, it is observed that one of the key challenges in promoting cloud computing as an industry is the overall data safety," the report said. "Specific pain points for most countries are: data access and security, and the lack of regulation on cross border data flow."

Among its findings, ACCA said China has "strict and unclear restrictions on cross border data flow" and that its "province level" regulations do not align with "globally accepted standards". It said that whilst Singapore's regulatory regime is "business friendly", it said there is "minimal transparency in data access mechanism". In Hong Kong the same issue is present and means that "authorities are permitted to intercept communications", the report said.

ACCA said it backed the Asia Pacific Economic Cooperation (APEC) framework which facilitates the consistent transfer of personal data across borders among member countries.

APEC countries, which include Australia, Japan, Singapore and the US, operate a voluntary certified system that is aimed at ensuring data protection standards are consistent when personal data is transferred out of one of the member economies to another.

The APEC Cross-Border Privacy Rules (CBPR) is a relatively new development and operates where businesses submit their plans for governing data transfers to 'accountability agents' that are responsible for assessing and ultimately certifying whether businesses meet the standards set out in the CBPR. Those rules contain base requirements that relate to how personal data is collected and use and how secure the information is, among other things.

Data protection expert Rosemary Lee of Pinsent Masons MPillay, the Singapore joint law venture partner of Pinsent Masons, the law firm behind, said: "Data privacy regulations are hardly homogenous in Asia and this does have an impact since there is a perception that Asian countries do not have sufficiently robust regimes to facilitate cloud adoption. For example, Hong Kong and South Korea have established data protection regimes whilst Malaysia, the Philippines and Singapore have only recently introduced their comprehensive data protection frameworks."

"For regulated sectors as banking, there are particular concerns surrounding protection of customer data, which could also inhibit cloud take-up. In Singapore, the financial services regulator MAS previously issued an IT outsourcing circular to financial institutions (FIs) requiring FIs to perform a thorough risk assessment before committing to any significant IT outsourcing by way of cloud. More recently, the Technology Risk Management Guidelines issued by the MAS highlight that FIs need to pay attention to cloud computing service providers’ abilities to isolate and identify customer data for protection," she said.

"Technological advancements typically outpace the development of laws and regulations to address such new technologies, cloud computing being a case in point. Coupled with the unevenness of data protection regimes in Asia, dealing with data sovereignty can be a challenge for regulators. As one might expect, existing or new regulations do not always address cloud and this can lead to uncertainty for companies when they consider the legality of adopting cloud services," Lee added.