Law & Policy Meets Data in the Cloud: Data Sovereignty Across Asia. Bernie Trudel Chairman, Asia Cloud Computing Association

Similar documents
Safeguards on Personal Data Privacy.

2014 Luxury & Fashion Industry Conference for Multinationals

Enterprise with Integrity

The Role of SANAS in Support of South African Regulatory Objectives. Mr. Mpho Phaloane South African National Accreditation System

Developing and Implementing Data Protection Law: Malaysia and Beyond

EU data security and privacy trends

Achieving effective risk management and continuous compliance with Deloitte and SAP

Developments in Global Data Protection & Transfer: How They Impact Third-Party Contracts

20/09/2013. Global Privacy and Data Protection: Practical Risk Assessment and Governance. Topics

Forum. Ningbo, China 25 February

Technology and data privacy Global perspectives

Disruptive Technologies Legal and Regulatory Aspects. 16 May 2017 Investment Summit - Swiss Gobal Enterprise

ITU Asia-Pacific Centres of Excellence Training on Conformity and Interoperability. Session 2: Conformity Assessment Principles

2017/SOM3/DIA/007 Digital Trade Building Blocks

GLOBAL INDICATORS OF REGULATORY GOVERNANCE. Scoring Methodology

Pay-TV Content Regulation -- How is it being done, in Asia? John Medeiros, Chief Policy Officer CASBAA Jakarta, May 17, 2017

Workday s Robust Privacy Program

Technology Lifecycle Management Assessment. Know your network - achieve business agility

General Data Protection Regulation (GDPR) The impact of doing business in Asia

Managing Jurisdictional Risks for Public Cloud Services

Data and Cyber Crisis how to manage a crisis and reduce loss. Melissa Russell Special Counsel February 2016

International Accreditation Forum, Inc. User Advisory Committee UAC

Motorola Mobility Binding Corporate Rules (BCRs)

U.S. Japan Internet Economy Industry Forum Joint Statement October 2013 Keidanren The American Chamber of Commerce in Japan

Building YOUR Privacy Program: One Size Does Not Fit All. IBM Security Services

Benefits of Open Cross Border Data Flows

Innovative and Flexible financing. for the New Economy C APITAL. The Leader in End-to-End Financial Services for Your Network Investments

CHAPTER 13 ELECTRONIC COMMERCE

Transforming networks and services for communications service providers

Protecting your data. EY s approach to data privacy and information security

Plan a Pragmatic Approach to the new EU Data Privacy Regulation

Hybrid Wide-Area Network Application-centric, agile and end-to-end

PAA PKI Mutual Recognition Framework. Copyright PAA, All Rights Reserved 1

EU DATA PRIVACY COMPLIANCE FOR US DRIVEN PROJECTS

A Modern European Data Protection Framework

Software-defined Networking Development Model

SCCE ECEI 2014 EU DATA PRIVACY COMPLIANCE FOR US DRIVEN PROJECTS. Monica Salgado JANINE REGAN CIPP/E

how to manage risks in those rare cases where existing mitigation mechanisms are insufficient or impractical.

GDPR: A QUICK OVERVIEW

Controlled Document Page 1 of 6. Effective Date: 6/19/13. Approved by: CAB/F. Approved on: 6/19/13. Version Supersedes:

แนวทางการพ ฒนา Information Security Professional ในประเทศไทย

Japan s Cyber Diplomacy

ETNO Reflection Document on the EC Proposal for a Directive on Network and Information Security (NIS Directive)

Aon Service Corporation Law Global Privacy Office. Aon Client Data Privacy Summary

Supplier Responding to New Products RFP Event

ITU-ACMA Asia Pacific Regulators Roundtable July 2014

MPI Vietnam Towards e-governance

PRC Cyber Security Law --- How does it affect a UK business? Xun Yang Of Counsel, Commercial IP and Technology

Contents. Navigating your way to the cloud

Data Localization. Data Localization

Purchasing. Operations 3% Marketing 3% HR. Production 1%

Trade Impacts of Forced Localization Measures. April 18, 2016 Japan Electronics and Information Technology Industries Association

The APEC Model. Global Partnership through Regional Initiatives

A Checklist for Compliance in the Cloud 1. A Checklist for Compliance in the Cloud

HYBRID CLOUDS DEFINING A SUSTAINABLE STRATEGY

Server Virtualisation Assessment. Service Overview

General Data Protection Regulation (GDPR) and the Implications for IT Service Management

Do you handle EU residents personal data? The GDPR update is coming May 25, Are you ready?

Information Bulletin

TIPS FOR FORGING A BETTER WORKING RELATIONSHIP BETWEEN COUNSEL AND IT TO IMPROVE CYBER-RESPONSE

STANDARDS TO HELP COMPLY WITH EU LEGISLATION. EUROPE HAS WHAT IT TAKES INCLUDING THE WILL?

Breaking Down the Barriers for Mobile Money in Asia. Michael Sek Pheng Yeo, IDC Financial Insights Asia/Pacific

Developing a Privacy Compliance Program

Drive digital transformation with an enterprise-grade Managed Private Cloud

E-readiness rankings 2007

Data Management and Security in the GDPR Era

OPTIMIZING CONNECTIVITY: Updated Recommendations to Improve China s Information Technology Environment

Building Trust in the Cloud Era - Protect, Respect Personal Data

IT Services: Identifying the Addressable Markets for Telecom Operators (Executive Summary) Executive Summary

COUNCIL OF THE EUROPEAN UNION. Brussels, 24 May /13. Interinstitutional File: 2013/0027 (COD)

IT MANAGEMENT AND THE GDPR: THE VMWARE PERSPECTIVE

M&A Cyber Security Due Diligence

A Regulator s Perspective on Accountability and How to Incentivise It

Heading Text. Manage your Organization s Governance, Risks, and Compliance Requirements and Transform your Business Potential with SAP GRC

Improving digital infrastructure for a better connected Thailand

QBPC s Mission and Objectives

Deloitte Audit and Assurance Tools

ANTICIPATE. MITIGATE. PROTECT.

Submission to the International Integrated Reporting Council regarding the Consultation Draft of the International Integrated Reporting Framework

Data Security Standards

SCHOOL SUPPLIERS. What schools should be asking!

The Republic of Korea. economic and social benefits. However, on account of its open, anonymous and borderless

Data ownership within governance: getting it right

Creation and Evolution of the Colombian DPA

APNIC input to the Vietnam Ministry of Information and Communications ICT Journal on IPv6

THE MADRID PROTOCOL. A single trademark registration supports regional economic integration. A Case Study

UK's Chartered Civil Engineers and their recognition in Europe and beyond. David Lloyd-Roach Director of Membership

Trough a cyber security lens

Mutual Recognition Agreement/Arrangement: General Introduction, Framework and Benefits

IMPLEMENTING SECURITY, PRIVACY, AND FAIR DATA USE PRINCIPLES

ADMM AND ESTABLISHMENT OF ASEAN POLITICAL SECURITY COMMUNITY 2015

Regional and subregional approaches to the Digital Economy: Lessons from Asia-Pacific and Latin America

Canada's New Anti-spam Law Are you prepared? Tricia Kuhl (Blakes) Dara Lambie (Blakes) Presented to ACC Ontario Chapter May 9, 2012

Global Nuclear Safety and Security Regime

Hong Kong s Personal Data (Privacy) Ordinance

2018 BSA GLOBAL CLOUD COMPUTING SCORECARD. Powering a Bright Future

Business Technology Briefing: Fear of Flying, And How You Can Overcome It

NOW IS THE TIME. to secure our future

Cloud Readiness Toolkit Overview

The Export Control and Related Border Security (EXBS) Program in ASEAN And ASEAN Single Window (ASW) Initiative

Transcription:

Law & Policy Meets Data in the Cloud: Data Sovereignty Across Asia Bernie Trudel Chairman, Asia Cloud Computing Association 1

Data, Regulation, Jurisdiction and Cloud: A New Geography Lesson Cloud Data Storage In Japan...and in Singapore and the Cloud Company Headquarters in the U.S with servers in the UK, Germany and the Netherlands Multinational Doing Business in Japan... in Korea... in Thailand... in the Philippines... in Malaysia... in Singapore... in Indonesia... and the Multinational s Headquarters in Australia 2

ACCA Report: Key Findings There are no prohibitions on the use of cloud services in any country studied. Let me repeat There are no prohibitions on the use of cloud services in any country studied.

ACCA Report: Biggest Challenge The Rush to regulate is leading to unclear & inconsistent laws, particularly as to Cross-Border data flow Many countries are... witnessing a lot of changes with many new regulations [on cross border data transfer, taxation, data sovereignty effective this year or in the next few years] (p.20) This is the biggest hurdle. (p. 80) Since [FSI] legal requirements may differ significantly from one country to another, companies find it difficult to organize cloud services for the whole enterprise [to comply in all] relevant jurisdictions. (p.21) As [Telecommunications] legal environments differ in different territories, there is a huge challenge of harmonising and satisfying requirements across these territories. (p. 21). 4

ACCA Report: Roadmap to a Framework Leading countries in Asia are ideally positioned to provide a model for a Data Sovereignty FRAMEWORK. The report shows that Leading countries proactively support the adoption and growth of cloud computing. (p.16) Have minimal restrictions on international data transfer (p.15) Have comprehensive and mature data protection legislation in place (p.14 & 15) and Have business friendly regulations and major initiatives on cloud computing (p.14) 5

A deeper look at why businesses care? More than ever, IT choices will be made by the business and legal teams Business benefits drive Risk v. Benefit analysis Compliance requirements Reputation HR IT department are now sharing due-diligence and risk assessment responsibilities with the business decision-makers and legal departments 6

The Business Analysis: Cross - Border Data Flows: Nothing New? Life in the multinational: Its all global now This has been done for decades by industry on captive systems As recognised by APEC, TPP and AEC: efficiencies & benefits of cloud computing are best achieved when data information flows freely across borders The audit trail is key and outsourcing guidelines address this. 7

How do governments look at cloud computing? 8

What are the laws that impact data in the cloud? 9

What are the laws that impact data in the cloud? 10

What are the main Data Sovereignty issues? Domestic Regulatory Compliance: Confidentiality, availability, retention, audit Jurisdiction claimed by other countries Data leakage from the organization (risks to privacy) Liability, remedies, warranties, insurance Consistency of laws across jurisdictions as applied to data 11

Anecdotally: Governments are revising rules but Little Harmony in a Web of Laws 2013 Philippines: Recognizing cloud will help smaller banks, Bangko Sentral ng Pilipinas (BSP) new IT regulatory framework allows banks to use cloud computing; BSP recognizes some types of bank data appropriate for public cloud, some only for private cloud. 2012 Singapore: Data stored offshore must be protected by law comparable to Singapore s but you can seek an exemption from the government. Banking regulations allow use of cloud computing. India 2011 Privacy Rules revised in 2012 to exempt data outsourcing. 2012 Philippines: Data Privacy Act applies to extraterritorial data storage if data is about a Philippine citizen/resident, but not to residents of foreign jurisdictions. 2012 Australia: Businesses must take reasonable steps to destroy or permanently de-identify personal information that is no longer needed. Cloud customer held strictly liable for violations by cloud provider. EU and elsewhere looking to enact Data Purging laws, sometimes described as right to be forgotten. 12

Harmonization: Steps to Improve Asia s Regulatory Environment Distinguish truth from myths & misunderstandings Understand the customer s regulatory challenges Understand the business and technology Understand the need for regulatory consistency across the region ACCA can contribute to a better understanding, and ultimately, to better laws and regulations. 13

Objective: Understanding, Explaining & Improving Asia s Regulatory Landscape Develop a factual understanding of the regulatory landscape for 14 counties Recommendations to bring each country closer to the Ideal Australia China Hong Kong India Indonesia Japan Malaysia New Zealand Philippines Singapore South Korea Taiwan Thailand Vietnam 14

14 Countries A major global research firm A major regional law firm 700 man hours In-country resources Data Sovereignty Research 68 Questions 300 page SUMMARY of responses 100 page report. 15

The Ideal State for Cloud Computing Cloud Access: Regulations support the use of cloud computing Data Safety: Data is safe from access and liability regulations. International consistency: Regulations are clear, well understood, reasonable to comply with, and aligned to global norms. Cross Border Movement: Consumers can leverage cloud providers from other jurisdictions. Regulatory Stability and Enforcement: Legal environment is predictable, fair, and aligned with international regulations. 16

Relative legal environment (International consistency & regulatory stability / enforcement) An Emerging Digital Divide of Leaders and Followers Asia s 14 countries fall into two groups: Leaders and Followers Australia China Hong Kong India Japan Malaysia New Zealand Philippines Singapore South Korea Taiwan Thailand Vietnam Indonesia Relative cross border movement score (Size of bubble indicates relative average of data safety and cloud access scores.)

Distinguishing Leaders from Followers Factor Leaders Followers Data protection law Clear data protection law with reasonable No formal data protection law requirements that correspond to globally accepted best-practices Protected data elements Personal Identifiable Information (PII) is Inconsistent or not clearly defined defined and subject to regulations consistent with international or regional guidelines (such as APEC and OECD) Applicability of cloud computing regulations Law transparency Censorship Transfer of data outside of jurisdiction Effective agency (or regulator) Product preference Localization requirements Clearly understood what laws affect cloud computing users and providers; in addition, laws are technology neutral and do not discriminate between technical options, except where justified Laws are introduced in a transparent manner with public input No filtering or censoring requirements by Internet Service Provider or Cloud Service Providers Can be accomplished with reasonable controls Enforcement conducted in fair and impartial manner No country specific technical requirements that would require changes to the standard product No discrimination between local and foreign service provider Unclear what applies (i.e., telecommunications laws) or laws that restrict cloud usage Little consultation or advance notice provided Mandatory filtering and / or censoring requirements Not clear or involves onerous requirements Ad-hoc enforcement; varying enforcement between different agencies of the same government; regulators have high degree of discretion over enforcement decisions and regulatory interpretation, with little accountability or public scrutiny technical restrictions that may require country-specific changes to standard product Foreign Cloud service providers may be subject to additional requirements and / or restrictions than local providers 18

Stay competitive

ACCA Recommendations End the rush to regulate: thoughtfully rewrite laws that are unclear & inconsistent Potential for Leadership: The best ideas in Asia can become the FRAMEWORK for Data Sovereignty 20

Final Thoughts Simplifying Data Sovereignty Ideal State Road map for regulators Toward a Framework Eliminating Confusion and mis-perceptions It s a good news story that we ll make great 21

Asia Cloud Computing Association Mission: to accelerate cloud-computing adoption across the region of Asia Pacific by engaging stakeholders, providing tools to remove barriers and demonstrating the benefits of adoption. Vision: become the leading influencing industry voice on cloud-computing promotion and governance to business, government and citizens in Asia DRIVING ADOPTION DATA SOVEREIGNTY Cloud Readiness Index Public Policy Newsletter Data Sovereignty Study and Scorecard SME Cloud Index SME Resource Centre Cloud Assessment Tool Service Provider Index Advocacy Stakeholder engagement 22

23

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback