Cloud legal issues III: Data privacy laws in Asia
By Carol Ko 03-Aug-2011
The beauty and evil of cloud computing lie in the varying data privacy laws that different countries operate by. Without a clear grasp of what laws are in force, organizations are naturally hesitant in deploying cloud services delivered from data centers offshore.
Take Hong Kong and China for example. Cloud service providers have been hearing customer concerns regarding a potential 'seizure' of data that resides in Hong Kong data centers by the Chinese government for various reasons. With such misty (and untrue) preconceptions in circulation, one can imagine how much business was lost due to confusion about the application of data privacy laws.
Those who are familiar with the legal frameworks of Hong Kong and China will be able to tell this is impossible. Put simply, under the "One Country Two Systems" principle, Hong Kong essentially operates in a legal jurisdiction that is totally separate from that of China.
Nonetheless, cloud service providers and potential cloud service customers will welcome a clearly worded position paper from the Hong Kong government, which clarifies the ownership of data between the Hong Kong Special Administrative Region and the People's Republic of China.
Viewing this with a wider scope, there are key influencers of data privacy laws that regulate trans-border data flow, such as the European Union's privacy regime, or the APEC privacy principles here in Asia. According to Thomas Shaw, Asia-based Attorney at Law and CloudRisk Asia's CEO, "this area is very dynamic and requires up to date knowledge before any analysis is undertaken."
In this last part of the interview with Asia Cloud Forum, Shaw guides us through the different data privacy laws that are in force in several key economies today, and what actions organizations can take to protect their corporate data from government seizure, such as in the name of 'terrorism.'
Asia Cloud Forum: Do all major countries in the US, Europe and Asia have data privacy laws in place? What are their requirements?
Thomas Shaw: Many major countries have privacy laws which include some information security provisions, but these are highly variable. In my new cloud book, I discussed the privacy, security, data breach, blocking statute and other laws that affect cloud computing from every major region in the world.
One of the first steps that organizations need to undertake is to determine which of these global statutes and regulations apply to them and how to handle so many legal obligations. In my book published earlier this year on information security and privacy, I recommended that organizations synthesize a single global view of all of these obligations to facilitate compliance.
Asia Cloud Forum: What are the different data privacy laws in force today?
Shaw: In Asia, Macau probably has the most comprehensive privacy laws, influenced by its European traditions, which uniquely for the region cover provisions such as the prohibition of the combining of data (for data mining or marketing purposes), or being the subject of automated decisions based on personal information.
There are new privacy laws all the time, with Malaysia having the new Personal Data Protection law come into force last year.
India just implemented a series of privacy and security regulations implementing some of the IT Amendments Act, in lieu of a comprehensive data protection statute, covering the collection and use of personal information.