Since the Hong Kong National Security Law (NSL) came into effect on 30 June 2020, authorities have wasted no time in enforcement. Within two weeks, media tycoon Jimmy Lai was arrested on “suspicion of breaches” of the law, as were another 10 employees from his company, including his two sons. Pro-democracy activist Agnes Chow was also arrested. These events are only the beginning.
In the wake of these developments, businesses face a challenging crossroads. Most immediately, companies face the threat of an enforcement order for non-compliance. This is punishable by a fine of HKD 100 000 (around USD 13 000) and six months imprisonment for failure to remove or restrict access to content. In the longer term, the National Security Law presents an alarming shift away from the “One Country, Two Systems” approach. It may only be a matter of time before China makes further inroads into Hong Kong with its onerous data localization rules, broad law enforcement access to data regulations, and strict critical information infrastructure protection measures. The NSL presents a serious threat to Hong Kong’s democracy and global businesses alike.
Unsurprisingly, companies have responded to this uncertainty by moving data out of Hong Kong and suspending the processing of government data requests. Bloomberg reported that Oursky, an app development company, is planning to relocate to the UK, while the energy start-up Liquidstar will be moving to Singapore. Further, US tech behemoths including Google, Facebook, and Twitter have all stopped processing Hong Kong government data requests, and the New York Times is moving part of its Hong Kong office to Seoul.
The NSL has created an impetus for companies with regional operations in Hong Kong to reconsider their long-term approach as the business landscape is redefined. Companies can no longer rely on Hong Kong as a launchpad into the Chinese market. The looming uncertainty over how the NSL could impact the security of corporate data storage, coupled with deteriorating US-China relations, is driving companies to rethink their market strategy. Senior leaders must weigh the costs of continuing to operate data centres in Hong Kong as operational costs and risks grow. Moving forward, data-driven, innovative companies may look to establish new hubs in the region.
For starters, Australia has one of the most mature data centre markets in Asia Pacific, as well as an open regulatory regime. Australia was also one of the first countries to ratify the Comprehensive and Progressive Agreement for Trans-Pacific Partnership (CPTPP) and has historically been a staunch supporter of the free flow of data across borders. Recently, however, the Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018 has raised industry concerns as it could potentially lead to government-mandated backdoors. Additionally, with tensions between Australia and China rising over the COVID-19 investigation Canberra is pushing, further trade retaliation from Beijing could be imminent.
As the third largest economy in the world and a vocal proponent of free-flowing data, Japan proves another viable option. Prime Minister Shinzo Abe is determined to make Japan a leader in the digital trade arena – pursuing strong bilateral digital trade agreements and driving the Data Free Flow with Trust approach at the G20. The country’s data centre industry has also grown significantly over the years and now boasts a cloud services market that is valued at roughly USD 6 billion. Japan represents a unique opportunity given its close ties to Silicon Valley, though for SMEs and start-ups, the high operating cost in Japan may prove challenging.
South Korea is another attractive choice. In May 2020, Oracle opened up its second cloud region in the country, and by 2025 over 30 new data centres will be built. Between President Moon Jae-in’s Digital New Deal, the Government’s National Strategy for Artificial Intelligence, and Seoul’s 5G leadership, the country is fast-tracking digital governance initiatives that will support a strong data centre market. However, like some of its neighbours, Korea’s track record on data residency requirements, as well as onerous data protection regulations, can prove burdensome for foreign firms.
Finally, with Zoom announcing a new data centre in Singapore, the city-state is a serious contender with its 60 data centres already running to date. While Singapore’s excellent connectivity and pro-business regulatory climate provide huge benefits, some companies may find its small domestic market stifling. Nevertheless, it continues to be one of the top destinations because of its high-standard digital trade rules and strong bilateral relationships that help shield the country from the retaliatory tariffs and trade wars plaguing other markets.
While emerging economies including India and Indonesia should certainly not be dismissed, some of the data localization mandates create difficult regulatory regimes. Google’s announcement of its USD 10 billion investment in India over the next 5-7 years, however, sends a powerful signal that industry is looking to India for long-term growth opportunities. While India’s data centre market is expected to grow by USD 4.9 billion by 2025, the Ministry of Electronics and Information Technology is actively considering enacting data localization mandates for both personal and non-personal data. Meanwhile, the Reserve Bank of India’s 2018 directive mandates that all payment systems data be stored in the country.
As companies weigh options and consider their next move on the heels of the NSL, it is imperative that businesses ensure consumer data is protected and that adequate safeguards remain in place. With more people using the Internet and adapting to the new normal, technology solutions and services are being tested more than ever before. While reshoring is certainly not the solution, there may be a window of opportunity for governments across the Asia Pacific to attract new businesses and diversify their markets in the wake of the NSL.
This article was originally published on Corporate Compliance Insights on 18 September 2020.