Updated: Oct 18, 2020
Kan Jie Marcus Ho l University of Cambridge
Riding the waves of the Industrial Revolution – Cross Border Data Flows in the 21st Century
“The owl of Minerva takes flight only when the shades of night are gathering”. Hegel’s observation, that wisdom only arises after a major event in history, has been a constant throughout the history of mankind. As the waves of time sweep through the 21st century, the fourth industrial revolution beckons. Fuelling the boat of the age of digitisation, sees data taking a frontline role in accelerating change throughout the Asia Pacific (‘APEC’) Region, as AI, machine learning and business analytics take centre stage in leading the future. 
COVID-19 has sparked a push towards digitalisation within APEC. Indeed, businesses had to squeeze ‘years-long digital transformation road maps into days and weeks in order to adapt to the new normal.’ The future is largely moving towards E-Commerce, as traditional brick and mortar businesses are forced to adapt and change. This brings to light an issue of concern – the question of regulating cross-border data flows (CBDF) within APEC. This Article consists of two parts – in the first, it canvasses existing CBDF frameworks in APEC; and in the second, it argues that data liberalisation, rather than localisation, must be the way forward within Asia.
Cross-Border Data Flow Frameworks in Asia
As globalisation sweeps across the world, the ability to harness data enables businesses to reap huge benefits of economies of scale. For example, Google and Facebook acquired up to a total 61% of global market share in 2019, up from 56% in 2018. The reason for their growth can be attributed to the amount of consumer data held, with the former boasting 1.5 billion active monthly users and the latter with 2.38 billion users. Data enables one to develop business insights, leading to better cost reduction, faster decision making and an ability to advance new products and services, amongst other benefits.
In short, a CBDF is a transfer of data across different jurisdictions. Yet, harmonising CBDF rules remains difficult, particularly within APEC itself, as certain jurisdictions remain alert to risk of privacy infringements and national security. This Article will survey three main jurisdictions in Asia with active developments in CBDF rules – China, India and, Singapore.
Undergirding China’s CBDF laws involves a deep-seated mindset of a need to respect cyber sovereignty. Yi Shen (2016) opines that cyber sovereignty involves a country imposing its national borders on the Internet, largely ushering a move towards localisation. In 2017, China enacted the Cybersecurity Law, mandating ‘network operators’ to ‘store all data generated in China on mainland servers.’ With a ‘network operator’ being defined as an operator or manager of ‘any system comprised of computers’, hence bringing all (or most) businesses under its ambit. Moreover, the law requires data gathered within the mainland on PRC citizens to remain inside China. Any subsequent transfer will require approval of the relevant authority. In 2020, China published its ‘Data Security Law’, imposing harsher CBDF regulations over any ‘important data’, defined as ‘any data which may affect China’s national, economic, social, public or health security’.
Viewed thus, there is a move towards data localisation and stricter rules in the ambit of CBDFs in China.
The Information Technology Act requires sensitive personal data to be stored in India. This has been subsequently updated in 2012, to include governmental and public data; in 2014, requiring all backups of financial data to be stored in India; and in 2015, requiring the application server of all Indian customers to be stored in India.
There is a move towards stricter CBDF rules in India, placing fetters on certain types of data from flowing out of India itself.
The Personal Data Protection Act (‘PDPA’) requires individuals transferring data out of Singapore to comply with the nine obligations imposed by the PDPA, through ensuring that any foreign recipient of such data can provide protection ‘comparable’ to the PDPA. As opposed to China or India, Singapore sees a move towards data liberalisation, with the main objective of encouraging business efficiency.
Nevertheless, there has been various regional efforts towards harmonising CBDF rules.
One example would be the APEC Cross-Border Privacy Rules, encouraging treaty parties to ease CBDF regulations relating to personal data in order to spur business activity. To date, eight nations have joined the treaty – United States, Canada, Mexico, Japan, Singapore, Taiwan, Australia and Korea.
Nevertheless, there is still some headway to go in harmonising CBDF rules. The next part of this Article makes an argument of why data liberalisation is necessary.
Data Liberalisation – The Way into the Future
Data liberalisation must be the way forward in Asia. Khumon (2018) opines that data flows have increased GDP worldwide by 10.1% over the past decade, with APEC cautioning a fine border lies between protecting personal data and crafting unnecessary fetters to CBDFs. Jefferey and Grant (2015) observe that data localisation is driven by the sentiment that the destination country lacks adequate protection as the exporting country, particularly as tensions rise across the world amidst security concerns. Nevertheless, the implementation of such measures will weaken growth in Asia, with Cory (2017) pointing out that data localisation represents ‘barriers to digital trade’, reducing GDP in Asian economies such as China, India and Vietnam by 0.7 – 1.7%.
The argument against data localisation is convincing – data localisation leads to an unnecessary fetter for firms due to incurred costs, as increased investment in IT services to procure data storage and data centre systems become necessary. For small firms without any ability to invest in such services, this may lead to less incentive and higher barriers of entry within the marketplace. Moreover, the need to obtain governmental consent for every subsequent transfer of data will lead to inefficiency and act as a deterrence for small businesses to go global. This is why a harmonising framework is necessary, and the owl of Minerva has perhaps started spreading its wings – within ASEAN, the Regional Comprehensive Economic Partnership proposed will potentially harmonise the CBDF rules relating to data privacy; and the ASEAN agreement on E-Commerce will facilitate the harmonising of CBDF rules within ASEAN. It is certainly hoped the Gordian Knot imposing a fetter on data liberalisation will be unravelled in time to come.
Word Count – 1,000 Words
 McKinsey estimates that multinational corporations such as Alibaba, Amazon, Google, Baidu and Facebook invested between USD 20 billion and USD 30 billion globally in AI in 2016; https://www.mckinsey.com/~/media/McKinsey/Featured%20Insights/Artificial%20Intelligence/AI%20and%20SE%20ASIA%20future/Artificial-intelligence-and-Southeast-Asias-future.ashx; Accessed on 4th August 2020  Tan; COVID-19 pandemic has sped up digital transformation in firms – Study; https://www.straitstimes.com/business/companies-markets/pandemic-has-sped-up-digital-transformation-in-firms-study; Accessed on 4th August 2020  Clearcode; Walled Gardens vs Independent AdTech – The Fight for Ad Dollars and Survival; https://clearcode.cc/blog/walled-garden-vs-independent-adtech/; Accessed on 4th August 2020  Davenport; Three big benefits of big data analytics; http://book.itep.ru/depository/big_data/AST-0147176_Three_Big_Benefits_of_Big_Data_Analytics.pdf; Accessed on 4th August 2020  Case C-362/14; Maximillian Schrems v Data Protection Commissioner  ECLI: EU: C: 2015: 650  Yi Shen; Cyber Sovereignty and the Governance of Global Cyberspace; https://link.springer.com/article/10.1007/s41111-016-0002-6?&utm_medium=other&utm_source=other&utm_content=4182018&utm_campaign=10_dann_ctw2018_6_social_22; Accessed on 9th July 2020  Cross-Border Privacy Rules in Asia – An Overview; https://www.lawfareblog.com/cross-border-privacy-rules-asia-overview#:~:text=To%20date%2C%20eight%20nations%20have,and%20the%20Republic%20of%20Korea.; Accessed on 5th August 2020  Regulation for Cross-Border Privacy in Southeast Asia – An Institutional Perspective; https://www.econstor.eu/bitstream/10419/184950/1/Khumon.pdf; Accessed on 5th August 2020  Jeffery and Grant; The Latest Cross Border Privacy Rules in Asia; https://m.mto.com/Templates/media/files/Reprints/Law360_The%20Latest%20Cross-Border%20Privacy%20Rules%20In%20Asia-Pacific.pdf; Accessed on 5th August 2020  Cory; Cross Border Data Flows: Where are the barriers, and what do they cost?; https://m.mto.com/Templates/media/files/Reprints/Law360_The%20Latest%20Cross-Border%20Privacy%20Rules%20In%20Asia-Pacific.pdf; Accessed on 5th August 2020