Last month, US President Joe Biden signed a Bill that would ban TikTok in the United States unless its China-based owner ByteDance divests from the social media platform. This move stemmed from fears that China could compel the platform to hand over the personal data of its 170 million American users to the Chinese government under its National Intelligence Law.
In the lead-up to Biden’s sell-or-ban law, Apple removed WhatsApp and Threads from its app store in China under orders from China’s cyberspace regulator citing national security concerns. Telegram and Signal, two other foreign messaging apps, were also removed for the same reason.
The ongoing technological tussle between the two major powers reflects a broader trend that is taking place all over the world. Increasingly, countries are implementing unilateral policies and initiatives to regulate the internet and digital sphere, in a bid to safeguard their autonomy and control of the internet.
While the fracas between US and TikTok is unlikely to have any repercussions for Singapore, the crux of the issue – a fight over data – matters to all of us.
THE FIGHT OVER YOUR DATA AND MINE
One of the key battlegrounds for technological contestations between countries is data – who controls it, and what data belongs to whom.
Citing national security concerns and protecting citizens’ personal information, governments around the world are rolling out policies that mandate companies to store and process the data that they collect within the geographical borders of the country. This was the case for TikTok, which previously sought to assuage US lawmakers’ concerns by migrating data belonging to US users to servers owned by US-based Oracle.
Data localisation policies are also motivated by concerns that data may be transferred to countries with lax data protection laws, where our information and digital footprint risks theft and misuse.
According to a report published by the Information Technology and Innovation Foundation, 62 countries have implemented regulations to confine data within their borders as of 2021, nearly double that from 35 countries in 2017.
In Asia, Vietnam has enacted a cybersecurity law that requires domestic companies and certain foreign firms to store personal data and other types of data locally. Cambodia is likewise drafting a law that will mandate data localisation.
WHY SHOULD WE CARE?
Claims of national security concerns by governments should not be dismissed as an extension of increasingly fraught geopolitics. National claims to citizens’ data pose debilitating consequences for ordinary citizens like you and me.
For one, data localisation policies can potentially hamper the interoperability of technical and financial services. These include cloud computing services that we use to improve collaboration and reduce cost, and telecommunications infrastructure like 5G, the backbone for modern day life. Imagine not being able to remit money home to your loved ones living abroad or a vendor who provides a service because of a country’s restrictive data regulation policy.
Cross border data flows are also essential for customer service delivered round-the-clock and from distant parts of the world.
At the business level, data localisation policies can compromise the effectiveness of cybersecurity-related services that rely on cross-border data flows that include personal information. In addition, according to the Centre for Information Policy Leadership, data localisation policies can degrade other critical business functions like human resource management (particularly among multi-national companies), fraud detection and manufacturing competencies that are spread across the globe.
Ironically, overly stringent data restriction policies can hamper the ability of businesses to detect cyberthreats that require personal data like IP addresses and user activity. This means that customers like you and me might be more vulnerable to malware and fraud.
Thus, restrictions on cross-border data flows are potentially deleterious for Singapore’s society and economy.
AVOID ALL-OR-NOTHING APPROACH
The Singapore government shares the same concerns regarding national security and citizens’ data privacy. In her parliamentary speech delivered in January, Minister for Communications and Information Josephine Teo spoke on what the government has done to strengthen cybersecurity and ethical use of consumers’ information.
However, Singapore adopts a balanced approach to data governance, one that enables cross-border data flows while ensuring that appropriate mechanisms are in place to protect data.
For instance, it introduced the Personal Data Protection Act (PDPA) in 2012, which established a baseline standard of protection that all organisations that collect, use or disclose personal data within Singapore must abide by.
Additionally, the PDPA only permits the transfer of personal data outside of Singapore when specific requirements are met, which ensures that the transferred data will be protected to a standard comparable to that under the PDPA. Updates were made in 2021 to strike a balance between protecting consumers’ personal data and enabling businesses to harness the data for innovation.
Singapore has also undertaken bilateral and multilateral initiatives to facilitate the trusted and seamless flow of data across its borders. For example, it has Digital Economy Agreements (DEAs) with five countries. These treaties support cross-border data flows while safeguarding personal information by establishing common frameworks and rules for digital trade between Singapore and the signatories.
Singapore has also joined the Asia-Pacific Economic Cooperation Cross Border Privacy Rules system, which aims to bridge differing national privacy laws within the region. Such cooperation seeks to reduce barriers to cross-border flow of data.
So what more should the government do? To facilitate the seamless yet secure flow of data across borders, a risk-based classification framework is the practical next step.
These frameworks outline specific procedures on how different tiers of data should be managed, based on their security requirements. Organisations will be able to concentrate their protection and security efforts accordingly, such that they can divert more resources to protect sensitive data while allowing the flow of less-sensitive data across borders.
Additionally, Singapore should continue seeking out opportunities to enhance data interoperability with other digital economies.
One promising opportunity is the Association of Southeast Asian Nations (ASEAN) Digital Economy Framework Agreement (DEFA) – the first regional digital economy agreement in the world. DEFA aims to align digital trade regulations within the region and promote cross-border collaboration in nine key aspects of the digital economy, such as cybersecurity and cross-border data flows.
One key challenge to address is member states’ unevenly paced legislation on data governance. With negotiations still underway, Singapore must seize this opportunity to advocate for greater convergence in member states’ data regulations.
As digital sovereignty gains momentum, Singapore must remain a trailblazer in navigating an increasingly fragmented digital landscape characterised by mounting barriers to cross-border data flows. This will enable citizens and organisations to fully leverage the benefits of data flows, while safeguarding data security and privacy.
Carol Soon is Principal Research Fellow and Chew Han Ei is Adjunct Senior Research Fellow at the Institute of Policy Studies. Ann Mak is Research Assistant. They are authors of a working paper titled Digital Sovereignty: State Action and Implications for Singapore funded by the NUS Centre for Trusted Internet and Community.
This piece was first published in CNA on 30 May 2024.
Top photo from Freepik.