Hostname: page-component-78c5997874-94fs2 Total loading time: 0 Render date: 2024-11-13T22:49:07.124Z Has data issue: false hasContentIssue false

Data Localization and ASEAN Economic Community

Published online by Cambridge University Press:  23 December 2019

Benjamin WONG*
Affiliation:
National University of Singapore, [email protected]

Abstract

Data localization is a phenomenon that is of increasing global significance, as a growing number of countries impose data localization requirements on data controllers. This paper discusses data localization in the ASEAN context. It proposes a schema of data localization laws which comprises two categories of data localization requirements. This schema is used to examine data localization laws within ASEAN, and it will be shown that there is presently a moderate level of data localization among ASEAN Member States. The paper then discusses how data localization is dealt with in the EU and in ASEAN, addressing some recent developments in the two regimes. It concludes with recommendations for ASEAN's approach to data localization, drawing from the EU regime.

Type
Articles
Copyright
Copyright © Asian Journal of International Law, 2019

Access options

Get access to the full version of this content by using one of the access options below. (Log in options will check for institutional or personal access. Content may require purchase if you do not have access.)

Footnotes

*

LLB (National University of Singapore); Advocate and Solicitor (Singapore). Sheridan Fellow, Faculty of Law, National University of Singapore, Singapore. The author would like to thank Teo Jen Min for her invaluable research assistance. Special thanks are owed to Tan Hsien-Li for her helpful pointers, and to the anonymous reviewers for their insightful comments. All errors remain solely the author's own.

References

1. A recent study has found that the Southeast Asian Internet economy (comprising ride-hailing, online media, online travel, and e-commerce) reached $72bn in 2018, and is projected to grow to $240bn in 2025 to make up eight percent of Southeast Asia's gross domestic product. See Rajan ANANDAN et al., “e-Conomy SEA 2018: Southeast Asia's Internet Economy Hits an Inflection Point”, online: <https://www.thinkwithgoogle.com/_qs/documents/6870/Report_e-Conomy_SEA_2018_by_Google_Temasek_121418_cpsLjlQ.pdf>.

2. See CHANDER, Anupam and , Uyên P, “Data Nationalism” (2015) 64 Emory Law Journal 677 at 679–81Google Scholar; KOMAITIS, Konstantinos, “The “Wicked Problem” of Data Localization” (2017) 2 Journal of Cyber Policy 355 at 357–62CrossRefGoogle Scholar; FRASER, Erica, “Data Localisation and the Balkanisation of the Internet” (2016) 13 SCRIPTed 359CrossRefGoogle Scholar.

3. Cyber Security Law of the People's Republic of China, art. 37.

4. Personal Data Protection Bill 2018, ss. 40, 41.

5. ASEAN consists of ten Southeast Asian Member States: Brunei, Cambodia, Indonesia, Laos, Malaysia, Myanmar, Philippines, Singapore, Thailand, and Vietnam. It has been argued that free trade agreements are in a better position than the international trade rules to address data localization measures: see BURRI, Mira, “The Regulation of Data Flows Through Trade Agreements” (2017) 48 Georgetown Journal of International Law 407 at 443Google Scholar.

6. United Nations Conference on Trade and Development [UNCTAD], “Data Protection Regulations and International Data Flows: Implications for Trade and Development” (United Nations 2016) at 14.

7. Non-tariff barriers have been recognized as having the potential to “undermine the economic integration process” and the realization of an economic community in ASEAN: see AUSTRIA, Myrna S, “Non-Tariff Barriers: A Challenge to Achieving the ASEAN Economic Community” in DAS, Sanchita Basu, MENON, Jayant, SEVERINO, Rodolfo, and SHRESTHA, Omkar Lal, eds., The ASEAN Economic Community: A Work in Progress (Singapore: ISEAS Publishing, 2013), at 32Google Scholar.

8. Burri, supra note 5 at 448; HODSON, Susannah, “Applying WTO and FTA Disciplines to Data Localization Measures” (2019) 18 World Trade Review 579 at 581CrossRefGoogle Scholar.

9. For more comprehensive analyses on how the GATS applies to data localization, see Hodson, supra note 8; MACDONALD, Diane A. and STREATFEILD, Christine M., “Personal Data Privacy and the WTO” (2014) 36 Houston Journal of International Law 625Google Scholar; BURRI, Mira, “The Governance of Data and Data Flows in Trade Agreements: The Pitfalls of Legal Adaptation” (2017) 51 UC Davis Law Review 65Google Scholar.

10. General Agreement on Trade in Services, art. 1. Mode 1, where the service is provided from the territory of one country into the territory of another, is of particular relevance here, because these are the services that are the most likely to be affected by data localization requirements. Mode 2, where the service is provided in the territory of one country to the consumer of another country, may also be implicated.

11. For example, the Most Favoured Nation treatment obligation under art. II and the transparency obligation under art. III.

12. This is an example of a restriction on Mode 1 trade in services, where the service moves across the border.

13. This is an example of a restriction on Mode 2 trade in services, where the customer moves across the border.

14. Martina F. FERRACANE, “Restrictions on Cross-border Data Flows: A Taxonomy” (2017) ECIPE Working Paper 1/2017 at 5.

15. See also SELBY, John, “Data Localization Laws: Trade Barriers or Legitimate Responses to Cybersecurity Risks, or Both?” (2017) 25 International Journal of Law and Information Technology 213CrossRefGoogle Scholar.

16. SIROLI, Gian Piero, “Considerations on the Cyber Domain as the New Worldwide Battlefield” (2018) 53 International Spectator 111CrossRefGoogle Scholar.

17. Selby, supra note 15 at 228.

18. Hodson, supra note 8 at 3.

19. Chander and Lê, supra note 2 at 713–35. Commenters have suggested, for example, that data localization requirements do not in fact enhance data security—what really matter are the security practices adopted to protect the data, wherever the data is located.

20. BRANNON, Ike and SCHWARTZ, Hart, “The New Perils of Data Localization Rules” (2018) 41 Regulation 12 at 12Google Scholar.

21. Hodson, supra note 8 at 18.

22. Ibid., at 5–19.

23. Ibid., at 13.

24. This difficulty is not limited to data localization requirements: see MATSUSHITA, Mitsuo and IINO, Aya, “Cross-Border Gambling and Betting Services Under WTO Disciplines” (2006) 1 Asian Journal of Comparative Law 1 at 14CrossRefGoogle Scholar.

25. Burri, supra note 9 at 127.

26. Namely Brunei, Malaysia, Singapore, and Vietnam.

27. To be clear, it is not suggested here that ASEAN should simply adopt the CPTPP solution.

28. As will be discussed in Part V below, the practice of data localization by ASEAN Member States may detract from ASEAN's drive towards greater regional economic integration.

29. See James M. KAPLAN and Kayvaun ROWSHANKISH, “Addressing the Impact of Data Location Regulation in Financial Services” (2015) Global Commission on Internet Governance Paper Series 14/2015; Ferracane, supra note 14; Francesca CASALINI and Javier López GONZÁLEZ, “Trade and Cross-Border Data Flows” (2019) OECD Trade Policy Papers 220.

30. Kaplan and Rowshankish, supra note 29 at 1–2.

31. The distinction is necessary because these two types of data localization restrictions differ in kind and not merely in degree: local processing requirements mandate that data controllers do certain things with their data locally, but they say nothing about whether the data can be transferred out of the country, while restrictions on transfer of data prevent data from leaving the country, but are silent on what must be done with the data in the country.

32. Ferracane, supra note 14 at 3.

33. Casalini and López González, supra note 29 at 16.

34. As of 15 April 2019.

35. The Government of Brunei has developed a data protection policy containing elements of data localization, but that policy only relates to state agencies.

36. A draft amendment has been issued by the Indonesian government clarifying the application of art. 17(2), but it remains uncertain whether or when it will take effect: see “Dirjen Aptika: Data Elektronik Strategis Wajib Dikelola di Indonesia” Kominfo (12 February 2019), online: Kominfo <https://www.kominfo.go.id/content/detail/16337/dirjen-aptika-data-elektronik-strategis-wajib-dikelola-di-indonesia/0/berita_satker>.

37. Act 709.

38. Similar requirements are imposed by the Philippines, Singapore, and Thailand; see below.

39. Republic Act No 10173.

40. No 26 of 2012.

41. s. 362/2014.

42. The analysis that follows is based on a draft version of the legislation: “Personal Data Protection Act” ETDA ICT Law Center, online: <https://ictlawcenter.etda.or.th/de_laws/detail/de-laws-data-privacy-act>.

43. Ibid., art. 24.2.

44. Ibid., art. 25.8.

45. Ibid., art. 28.2.

46. Ibid., art. 34.2.

47. The analysis that follows is based on a draft version of the legislation. “Vietnam Law on Cybersecurity”, online: <https://auschamvn.org/wp-content/uploads/2018/06/Draft-Cyber-Security-Law-Version-20-ENG.docx>.

48. Ibid., art. 1.

49. Consolidated Version of the Treaty on European Union, 26 October 2012, OJ C326/13.

50. Consolidated Version of the Treaty on the Functioning of the European Union, 26 October 2012, OJ C326/47.

51. Case C-55/94 Gebhard v. Consiglio dell”Ordine degli Avvocati [1995] ECR I-4165; [1996] 1 CMLR 603 at [25].

52. Directive 2006/123/EC of 12 December 2006 on services in the internal market [2006] OJ L376/36; Directive 2000/31/EC of 8 June 2000 on certain legal aspects of information society services, in particular electronic commerce, in the Internal Market [2000] OJ L178/1.

53. Gebhard, supra note 51 at [37]. See also Case C-76/90 Säger v. Dennemeyer & Co Ltd [1991] ECR I-4221 at [15].

54. Commission, “Building a European Data Economy” (Communication) COM (2017) 9 final (Data Economy Communication) at 3.

55. Ibid., at 7.

56. Ibid., at 8.

57. Ibid., at 6.

58. See ibid., at 7, where the European Commission notes that data localization requirements must be “carefully justified under the Treaty and relevant secondary law to verify that they are necessary and proportionate to achieve an overriding objective of general interest”.

59. Regulation (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) [2016] OJ L119/1.

60. Ibid., art. 1(3). This does not, however, preclude restrictions on the free flow of personal data for other reasons; neither does it cover non-personal data. See also art. 1(2) of the proposed ePrivacy Regulation (Commission, Proposal for a Regulation concerning the respect for private life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC (Regulation on Privacy and Electronic Communications) COM (2017) 10 final), which uses similar language.

61. Regulation (EU) 2018/1807 of 14 November 2018 on a framework for the free flow of non-personal data in the European Union [2018] OJ L305/59, art. 1.

62. Ibid., art. 5.

63. Ibid., art. 7(4).

64. Ibid., art. 4.

65. General Data Protection Regulation, recital 101.

66. This restriction has been subject to some academic criticism suggesting that the EU's restrictions on the transfer of personal data out of the EU do not effectively achieve the aim of personal data protection. See for example, HON, W. Kuan, Data Localization Laws and Policy: The EU Data Protection International Transfers Restriction Through a Cloud Computing Lens (Cheltenham, Edward Elgar, 2017), at 318CrossRefGoogle Scholar.

67. European Communication, “Exchanging and Protecting Personal Data in a Globalised World” (Communication) COM (2017) 7 final at 9.

68. Charter of the Association of Southeast Asian Nations, 20 November 2007.

69. This goal was formalized in the Declaration of ASEAN Concord II: see Declaration of ASEAN Concord II (Bali Concord II), 11 May 2012.

70. ASEAN Economic Community Blueprint, 20 November 2007 at 10.

71. ASEAN Economic Community Blueprint 2025, 22 November 2015 at 6. Negotiations on ATISA were concluded at the 33rd ASEAN Summit on 13 November 2018.

72. ASEAN Framework Agreement on Services, 15 December 1995, art. 1.

73. Association of Southeast Asian Nations (ASEAN), “The 16th ASEAN Telecommunications and Information Technology Ministers Meeting and Related Meetings: Joint Media Statement” (2016), at para. 4; Association of Southeast Asian Nations (ASEAN), “ASEAN Telecommunications and Information Technology Ministers Meeting (TELMIN): Framework on Personal Data Protection” (2016). The development of an ASEAN framework on personal data protection was one of the stated initiatives of the ASEAN ICT Masterplan 2020, which was adopted at the previous TELMIN Meeting with a view to advancing the digital economy in the ASEAN region: see Association of Southeast Asian Nations (ASEAN), “The ASEAN ICT Masterplan 2020” (ASEAN Secretariat 2015), at 26.

74. Association of Southeast Asian Nations (ASEAN), “ASEAN Telecommunications and Information Technology Ministers Meeting (TELMIN): Framework on Digital Data Governance” (2018). The development of an ASEAN digital data governance framework was a key initiative of the Master Plan on ASEAN Connectivity 2025, which was adopted with the view to promoting physical, institutional, and people-to-people connectivity within the ASEAN region: see Association of Southeast Asian Nations (ASEAN), “Master Plan on ASEAN Connectivity 2025” (ASEAN Secretariat 2016), at 54.

75. Association of Southeast Asian Nations (ASEAN), “The 18th ASEAN Telecommunications and Information Technology Ministers Meeting and Related Meetings: Joint Media Statement” (2018), at para. 4.

76. Association of Southeast Asian Nations (ASEAN), “ASEAN Telecommunications and Information Technology Ministers Meeting (TELMIN): Framework on Digital Data Governance” (2018), at para. 20.

77. Ibid.

78. Notably, art. 7(4)(c) expressly excludes financial services.

79. Data Economy Communication, supra note 54 at 6.

80. ASEAN Agreement on Electronic Commerce, 22 January 2019, art. 7(4)(b).

81. Gebhard, supra note 51.

82. For an excellent compendium that seeks to facilitate convergence on the regulation of cross-border transfers of personal data across the broader Asia-Pacific region, see GIROT, Clarisse, ed., Regulation of Cross-Border Transfers of Personal Data in Asia (Singapore, Asian Business Law Institute, 2018)Google Scholar.

83. CHIA, Siow Yue and PLUMMER, Michael G., ASEAN Economic Cooperation and Integration: Progress, Challenges and Future Directions (Cambridge, Cambridge University Press 2015) at 155CrossRefGoogle Scholar.

84. See HENRY, Laurence, “The ASEAN Way and Community Integration: Two Different Models of Regionalism” (2007) 13 European Law Journal 857CrossRefGoogle Scholar.

85. DEINLA, Imelda, The Development of the Rule of Law in ASEAN: The State and Regional Integration (Cambridge, Cambridge University Press 2017) at 130CrossRefGoogle Scholar. On the nature of “soft law”, see ABBOTT, Kenneth W. and SNIDAL, Duncan, “Hard and Soft Law in International Governance” (2000) 54 International Organization 421 at 422CrossRefGoogle Scholar. (“The realm of soft law begins once legal arrangements are weakened along on or more of the dimensions of obligation, precision, and [adjudicatory] delegation.”)

86. Deinla, supra note 85 at 162; but cf. Henry, supra note 84 at 864–5.

87. See ASEAN PDP Framework, supra note 73. Note para. 7, which provides that ASEAN Member States may delay the application of the framework until they are ready to implement it, in view of the varying levels of development among the ASEAN Member States. Note also para. 13, which provides for the amicable settlement of disputes “through consultation or negotiations, without any reference to any third party or international tribunal”.

88. See text to ftn. 61–4.