As countries enact data privacy laws, cloud services operators need to factor this in as they seek increased regional presence

The World Economic Forum (WEF) has estimated [1] that Asia’s combined gross domestic product (GDP) will overtake the combined GDP of the rest of the world by the end of this year and by 2030, Asia’s share of global growth will be around 60 per cent. Moreover, by 2030 almost 90 per cent of the world’s middle class will reside in Asia [2]. Asia Pacific has become the growth engine of the world.

Over the past decade, growth has largely been technology-driven, with a lot of emphasis on creating IT infrastructure. With rapid digitalization and the rise of data as the currency of trade, hyperscale data centers are one of the biggest growth areas within IT infrastructure. While cloud computing has been around for quite some time, hyperscale cloud services represent a transformational disruption in technology because they provide their customers with a global presence and reach with a high degree of efficiency, agility, and innovation.

Some estimates say that hyperscale data centers will account for US$71.2 billion in revenue globally by 2022 [3]. The Asia Pacific market is set to see the highest bump in compound annual growth rate (CAGR) with an expected rise of 24 per cent by 2022, according to the same estimates.

On the ground, hyperscale cloud computing service providers are rapidly growing their presence in the Asia Pacific region. Along with them, global OTT (Over the Top) companies, whose biggest markets are in Asia, are also beefing up their presence with their own hyperscale data centers; for example, Facebook is setting up a US$1 billion, 11-story data center in Singapore [4].

Increasingly, however, regulatory issues are cropping up with respect to IT infrastructure creation. With their populations becoming digital first and using technologies such as mobile banking, ride-hailing, food delivery and other services that depend on personal data, including financial data, many governments in Asia Pacific are in the process of enacting legislation to ensure their citizen’s data are protected not only for their own safety but often also for national security purposes, considering how valuable data has become in today’s information-driven economy.

Data residency laws can sometimes restrict hyperscale cloud service providers as cybersecurity concerns and worries about the potential overreach by sovereign entities (with respect to data hosted in foreign countries) have contributed to a continued perception that certain classes of data need to be housed within the geographical borders of the country in which it is generated [5].

This is not just an Asian phenomenon, globally also there is increasing concern about the geographical location of citizen data. This presents a challenge to hyperscale cloud service providers as they drive their efficiency through the ability to seamlessly move data across different geographies and house them in mega data centers located in different parts of the globe that offer the best security and cost benefit.

Different definitions
It is necessary to understand that when discussing data privacy and its location, the terms data residency, data sovereignty and data localization are often used interchangeably and this leads to misperceptions and misunderstandings of what data privacy laws are meant to cover. While all three pertain to where data should be housed, there are subtle differences between the three [6].

Data residency refers to the actual physical location of the data and the legal and regulatory requirements imposed on the data based on the region or country it resides in. Data sovereignty is a step up from residency in the sense that the data has to not only be stored in a designated location but would also be subjected to the laws of the country where it is stored. Data localization laws enforce how the data is processed within a certain territory. This is the most stringent and restrictive concept of the three, and like data sovereignty, is a version of data residency predicated on legal obligations and pertains to the creation and storage of personal data.

In the Asia Pacific almost all major countries/regions, including Australia, Japan, Hong Kong, China, Singapore, South Korea, The Philippines, Thailand, Malaysia, and India, have either enacted data privacy and protection laws or are in the process of doing so [7].

Different viewpoints
As expected with regards to such a contentious issue, there are arguments both in support for and against stringent data residency or localization laws.

In a research note AWS [8] pointed out that while governments may perceive an “increased security” with data residency requirements because they offer physical proximity, control, and local jurisdiction, such an approach does not “provide better overall data security”.

The counter argument rests on the premise that data localization is not just about security or efficiency. Thanks to rapid digitalization many of the countries in Asia Pacific are the biggest consumers of digital and social media technology and content. And this has given rise to interesting anomalies. For example, Facebook’s biggest market is in India yet out of its 15 data centers, none of them are in that country [9].

This disconnect between new sources of data and the location of data centers that house the data has often led to accusations from countries such as India of “data colonization” and “digital colonialism” [9], according to this line of reasoning.

Irrespective of technical or political arguments for and against data residency, data privacy and the demand for government control and jurisdiction over citizen data is something that is here to stay and cloud computing companies and those that use their services need to adapt as failure to adhere to data privacy and residency laws could result in both legal and financial consequences.

Over the short-term, at least, very few multinational cloud service providers will be able to provide physical storage in all countries that enact data privacy and residency laws. This opens opportunities for partnerships for data center companies with physical presence in different countries in Asia Pacific.

As a result, one of the drivers for data center demand in the Asia Pacific is the need for global cloud service providers to comply with data localization rules as well as to expand their reach to increasing number of users from large and growing countries in the region. Being present only in Asian hubs such as Singapore is no longer an optimal solution.

New investments
As an example, Amazon Web Services (AWS) and Google Cloud have announced new cloud regions in Indonesia, and this may drive data center colocation demand in the country [10]. In another example, according to analysts, the Indian government’s decision that financial transaction data must be locally stored, is one of the key reasons behind increased data center spending in India, which is likely to reach US$7 billion by the end of this year. Another major reason for growth is the need to drive efficiency of transactions with lower latency in a highly competitive market – anecdotal evidence showed that when an Indian online grocery store shifted its data center from Singapore to Mumbai, it noticed up to 10 per cent improvement in transaction efficiency [11].

In today’s digitalized economy, companies are data-rich and this is a major competitive advantage. They have access to unprecedented amounts of personal data and this has allowed them to enhance customer experience. With data being considered the currency of global trade, and cyber-attacks to steal data, both by criminal gangs as well an occasional state-backed actors a reality, it is little wonder that governments have started to look at legislation to ensure data privacy and also have some semblance of control over their citizen’s data.

Global companies which collect huge amounts of data or host them on multinational clouds have both a responsibility as well as a challenge to ensure that they meet local compliance obligations and at the same time provide high quality service to their customers.

How well these organizations deal with business risks posed by data residency laws will determine their success or otherwise. It will also determine in which direction the IT infrastructure industry moves in the Asia Pacific region.

PDG can help global cloud service providers and hyperscalers navigate the new country-specific data security laws that are coming up in the region. With its strong local presence and deep experiences in running hyperscale data centers, PDG can provide the expertise and infrastructure required to rapidly scale up in the Asia Pacific region.

About PDG
Princeton Digital Group (PDG) is a Warburg Pincus-backed investor, developer and operator of internet infrastructure. Our portfolio of data centers powers the expansion of hyperscalers and enterprises in the world’s fastest-growing digital economies. Our agility, speed and unmatched experience in scaling global internet infrastructure provide our partners and customers immediate access to growth opportunities across Asia.

Stephanus Tumbelaka

Author Stephanus Tumbelaka

Managing Director, Indonesia at PDG

More posts by Stephanus Tumbelaka