Over the years, ABLI has been focusing on data governance, in particular cross-border transfer of personal data, as one key plank of its work to promote convergence of laws and practices in this field. In May 2018, ABLI published a compendium titled Regulation of Cross-border Transfers of Personal Data in Asia, a first-of-its-kind publication that provides a holistic study of the regulations on data transfers in 14 Asia Pacific jurisdictions (Australia, China, Hong Kong SAR, India, Indonesia, Japan, Macao SAR, Malaysia, New Zealand, the Philippines, Singapore, South Korea, Thailand and Vietnam) to address the wider spectrum of issues impacting the legal framework of cross-border data flows. The Compendium was followed by a June 2020 Comparative Review titled Transferring Personal Data in Asia: A path to legal certainty and regional convergence, which sets out proposals for how public stakeholders in those 14 jurisdictions may promote legal certainty and greater consistency between their respective laws and regulations on cross-border transfers of personal data in the region. In 2022, ABLI, together with its partner, published a series of individual reports and a comparative study that examine consent, and to a lesser extent, legitimate interest, as the bases for processing personal data in the 14 jurisdictions.
This issues paper on data embassy is a continuation of ABLI’s ongoing efforts to promote convergence of risk management practices with a view to facilitating the transfer of data across Asia.
Why data embassy?
From engagement with public and private stakeholders, ABLI has learnt that one recurring pain point when it comes to transferring data across borders stems from the hesitation on the part of transferor organisations to grant access to their data. Once the transferor transfers its data to the recipient, the data falls under the possession of the recipient, leaving the transferor with limited ability to act (or react) if public authorities of the recipient’s jurisdiction require access to that data. The transferor is also often unfamiliar with the legal regimes and institutions of the recipient’s jurisdiction. Its reluctance to “part with” its data is thus understandable.
Two solutions have been proffered to tackle this pain point. One solution concerns transfer risk assessment and mitigatory measures, another area of work that ABLI is progressing simultaneously. The other solution is the creation of data embassies, a special type of offshore data centres.
A data embassy embodies a dynamic interplay of competing yet, at times, compatible interests: the desire of the customer to “insulate” its data from access by public authorities of the country hosting the data embassy and to have a say in the law that governs the data embassy needs to be balanced against the desire of the host country to exercise sovereignty over the territory on which the data embassy sits, all happening against the backdrop where countries globally are racing to establish themselves as technology or digital economy hubs by playing host to data centres.
So what is a data embassy? What are the data embassy models in operation today? What features does a data embassy tend to have? Is the creation of a data embassy the ultimate response to concerns over offshore public authorities’ access to data? What more needs to be done so that the overall robustness of data embassies can be enhanced?
This issues paper attempts to address these queries and put forward further questions for thought in the hope of eliciting more discussions among businesses, policy practitioners and public officials who are studying the data embassy concept and contemplating its adoption.
The issues paper could be downloaded from here. Readers are welcome to send their comments and feedback to [email protected].
![[Interview] Landmark Indonesian Recognition](https://abli.asia/wp-content/uploads/elementor/thumbs/Interview-Landmark-Indonesian-Recognition-qyrpydq7g6gonjx6j9t9j0r1rqwwtrar5m0vw55480.jpg "[Interview] Landmark Indonesian Recognition")
