Data protection: Mutual recognition the way forward
Cloud computing can stimulate economic growth, greater efficiencies, job creation and innovation, but it also raises concerns for governments, particularly with respect to the privacy of personal data when it crosses borders.
When personal data is transmitted across national borders, the governing legal, privacy and regulatory regimes for data protection can be ambiguous.
As a result of such concerns, some countries have shown a preference to locate their data processing facilities locally, favouring locally-owned cloud providers or global cloud providers that work with locally-owned computing infrastructure.
Even though restrictions on data transfer might be deemed necessary for public policy reasons (e.g. national security), extensive protectionist policies will impede the tremendous potential of cloud computing and have detrimental effects on global economic integration and international trade.
The issue has been recognized by the European Union (EU), where privacy protection laws are now endorsed in countries deemed to provide an adequate level of data protection. Such recognitions facilitate the free flow of personal data from the 27 EU countries and three European Economic Area (EEA) member countries (Norway, Liechtenstein and Iceland) to a third country with an adequate level of data protection without any further safeguards.
Consistent with this background, New Zealand has recently become the eleventh country or territory recognized by the EU Commission as ‘adequate’ (list here). This decision assures current and future European customers of New Zealand businesses that their information remains adequately protected as it flows from any of the EU and three EEA members to New Zealand.
This vote of confidence will in turn give New Zealand businesses a significant competitive edge internationally, and open up new trading opportunities in the processing of off-shored data, cloud computing and financial or call center activity transactions over other countries trading with the EU.
The Asia Cloud Computing Association (ACCA) believes that to ensure seamless and uninterrupted cross-border information flows within Asia-Pacific and beyond, nations here should also aggregate their efforts towards a transnational mutual recognition system for privacy protection. Significant efforts have already been made through regional agreements such as the APEC Cross Border Privacy Rules (CBPR) and APEC Cross-border Privacy Enforcement Arrangement (CPEA). But, as promising as these arrangements may be, they do not cover all jurisdictions in Asia and still leave big gaps in governance.
ACCA encourages multilateral dialogues towards a mutual recognition framework in which nations recognize and accept each other’s legal structures. Going forward, this true interoperability would foster the free flow of data across borders while accommodating legitimate and inherent differences in national privacy regimes and also different local protection requirements.
New Zealand’s reform of privacy laws to meet the standards required by the EU Data Protection Directive (1995/46/EC) could be a useful reference point for any attempt at creating such a mutual recognition system in Asia.
Amir Haghbin - Malaysia Chapter Representative, ACCA