On 24th December 2020, many multinational companies based in Britain breathed a sigh of collective relief. After years of diplomatic wrangling, the United Kingdom and the European Union struck a deal on Christmas Eve to extend a grace period to permit the free flow of data between the two regions.
Such unrestricted data transfers might last beyond Brexit if the United Kingdom meets the “adequacy” standard imposed by the European Commission on data protection. For all intents and purposes, the on-going saga highlights the pressing urgency to include the treatment of data transfer in all national and regional trade treaties.
In Asia, how to effectively manage the flow of data is at the forefront of many political leaders’ agendas. Despite its strong hold over data sovereignty, the data governance framework in China is still a work-in-progress. For example, China has yet to join any international regulatory organizations like the Asia-Pacific Economic Cooperation Cross Border Privacy Rules, a government-backed data privacy certification system.
China is far from nonchalant when it comes to data treatment, however. In November 2020, China’s President Xi Jinping weighed in: “Network information flows across borders, and information flow leads the flow of technology, capital, and talent.”
Similarly, Hong Kong’s mindset is also shifting. Previously under wraps in deference to privacy rights, the discussion to share our data for the greater good is finally gaining momentum. In fact, the groundwork for what looks poised to be a data sharing future has been accelerated by the pandemic. Driven by social distancing, citizens of Hong Kong are warming up to the idea of sharing their data virtually in the name of convenience than ever before.
Data protection standards across regions must be rooted in the basic tenet of privacy protection reciprocity.
Further, with the clock ticking louder by the day to expand into the Greater Bay Area, Hong Kong is under pressure to upgrade its data governance framework to fit in with China’s overall expansive digital strategy. Together, it appears that the preference for controlled data exchange with our innovative neighbors might finally come of age.
We must bear in mind that cross-border data flows do not equate to unfettered data flows across regions. Countless examples of malicious use and data exfiltration cast any data collection activities in a bad light. Instead of choosing either extreme — isolated data island or unconstrained data flow — policy makers in the Greater Bay Area should establish a closed-loop regional network within which the free movement of digital goods and services can be carefully monitored.
To implement this, the data protection standards across regions must be rooted in the basic tenet of privacy protection reciprocity. Before exiting their borders, data owners must be assured that their data is protected by a privacy and security management system or other appropriate safeguard no less stringent than those outlined by their own laws. To dispel mounting public concerns, policy makers must adopt a risk-based approach regarding sensitive data. The flows of extremely sensitive data within the region must be strictly controlled.
Reciprocity is just the starting point. Cross-border law enforcement must also be normalized. We should seek out Chinese regulators to actively develop bilateral regional agreements, and other binding principles and accreditation frameworks that support a fast-track exemption route for Greater Bay Area companies that serve customers across regions.
Similar to the function of a European Data Protection Board, the Greater Bay Area could establish an independent data protection authority that contributes to the application of agreed data protection principles across the region and promotes cooperation between regional data protection authorities.
Lately, there is an objective need for countries to grant local courts the ability to exercise jurisdiction over foreign defendants. For example, the China’s latest Personal Information Protection Law (Draft) gives the court extraterritorial power to regulate cross-border processing of PRC individuals’ information for the purpose of providing products or services to them.
In contrast, there are currently no restrictions on the transfer of personal data outside of Hong Kong under Hong Kong’s Personal Data (Privacy) Ordinance. Any attempt to establish a two-way economic network will fail if we do not account for extraterritorial protections. A lack of adequate legislative safeguards would lessen people’s willingness to let their data transfer out of the borders. Public trust is the mainstay of a successful Internet economy. Without buy-ins from the general public, few innovative offerings can gain traction.
Perhaps it is too early to adopt an all-encompassing law that applies to all three distinct legal systems in the Greater Bay Area: Guangdong, Hong Kong and Macau. To rectify this constraint, similar to the function of a European Data Protection Board, the Greater Bay Area could establish an independent data protection authority that contributes to the application of agreed data protection principles across the region and promotes cooperation between regional data protection authorities.
Looking forward, the need to reduce legal fragmentation between various highly integrated economies only adds to the case for each region to harmonize new privacy laws. Deep economic potential can be unlocked if we remove regulatory friction. China is home to more than 700 million internet users. As its home-breed tech companies go global, access to more diverse datasets through international hubs such as Hong Kong can galvanize their global operations and make them more competitive.
On the other hand, the liberation of data flows would also supply oxygen to Hong Kong’s struggling economy. We now operate on the edge of market unevenness, precariously balancing our roots in conventional industries with the force of digitalization. Our ability to intervene and adjust the economic course is essential to fine-tune this balance. In the face of increasing digitization of the economy, relaxing the rules on data sharing would provide insights for Hong Kong companies to appreciate when and where innovation is needed.
Data exchanges are often structured so that the benefits of disclosure are instant and tangible, while the costs are delayed and even amorphous. As many recent scandals have shown, the consequences of privacy leaks can present long-lasting reputational and economic damages. But if data movement is marshalled properly, the resulting benefits can outweigh the risks. More data cascades over borders can lead to better innovation, which in return would raise public receptiveness and generate more data that further improves innovation and enables smoother economic integration. It is a self-reinforcing feedback loop that feeds on the movement of data from one recipient to another. The key is to forestall any privacy vulnerabilities early on.
We must at all costs try to avert self-isolation, or trap ourselves on safe data islands while cutting off from the benefits of closer links to a greater digital economy that awaits us. Forewarned is forearmed. To make the scheme of the Greater Bay Area truly work, we must find a way to harmonize the data sharing standard in a lawful and orderly fashion. With a treasure trove of useful data up for grabs, it is in China and not the West, where the future of a true digital economy is being staked out.