China’s new National Security Law (NSL) presents a threat to businesses operating in Hong Kong. In this op-ed, Access Partnership’s Sarah Skaluba and Seha Yatim reflect on where else APAC, data-driven, innovative companies may look to establish new hubs in the region.
Since the Hong Kong National Security Law (NSL) came into effect on June 30, 2020, authorities have wasted no time in enforcement. Within two weeks, media tycoon Jimmy Lai was arrested on “suspicion of breaches” of the law, as were another 10 employees from his company, including his two sons. Pro-democracy activist Agnes Chow was also arrested. These events are only the beginning.
In the wake of these developments, businesses stand at a challenging crossroads. Most immediately, companies face the threat of an enforcement order for noncompliance. This is punishable by a fine of HK$100,000 (around US$13,000) and six months imprisonment for failure to remove or restrict access to content. In the longer term, the National Security Law presents an alarming shift away from the “One Country, Two Systems” approach. It may only be a matter of time before China makes further inroads into Hong Kong with its onerous data localization rules, broad law enforcement access to data regulations and strict critical information infrastructure protection measures. The NSL presents a serious threat to Hong Kong’s democracy and global businesses alike.
Unsurprisingly, companies have responded to this uncertainty by moving data out of Hong Kong and suspending the processing of government data requests. Bloomberg reported that Oursky, an app development company, is planning to relocate to the U.K., while the energy startup Liquidstar will be moving to Singapore. Further, U.S. tech behemoths including Google, Facebook and Twitter have all stopped processing Hong Kong government data requests, and The New York Times is moving part of its Hong Kong office to Seoul.
The NSL has created an impetus for companies with regional operations in Hong Kong to reconsider their long-term approach as the business landscape is redefined. Companies can no longer rely on Hong Kong as a launchpad into the Chinese market. The looming uncertainty over how the NSL could impact the security of corporate data storage, coupled with deteriorating U.S.-China relations, is driving companies to rethink their market strategy. Senior leaders must weigh the costs of continuing to operate data centers in Hong Kong as operational costs and risks grow. Moving forward, data-driven, innovative companies may look to establish new hubs in the region.
Alternative Options for Organizations
For starters, Australia has one of the most mature data center markets in Asia Pacific, as well as an open regulatory regime. Australia was also one of the first countries to ratify the Comprehensive and Progressive Agreement for Trans-Pacific Partnership (CPTPP) and has historically been a staunch supporter of the free flow of data across borders. Recently, however, the Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018 has raised industry concerns, as it could potentially lead to government-mandated backdoors. Additionally, with tensions between Australia and China rising over the COVID-19 investigation Canberra is pushing, further trade retaliation from Beijing could be imminent.
As the third-largest economy in the world and a vocal proponent of free-flowing data, Japan proves another viable option. Prime Minister Shinzo Abe is determined to make Japan a leader in the digital trade arena, pursuing strong bilateral digital trade agreements and driving the Data Free Flow with Trust approach at the G20. The country’s data center industry has also grown significantly over the years and now boasts a cloud services market that is valued at roughly US$6 billion. Japan represents a unique opportunity given its close ties to Silicon Valley, though for SMEs and startups, the high operating cost in Japan may prove challenging.
South Korea is another attractive choice. In May 2020, Oracle opened up its second cloud region in the country, and by 2025, over 30 new data centers will be built. Between President Moon Jae-in’s Digital New Deal, the Government’s National Strategy for Artificial Intelligence and Seoul’s 5G leadership, the country is fast-tracking digital governance initiatives that will support a strong data center market. However, like some of its neighbors, Korea’s track record on data residency requirements and onerous data protection regulations can prove burdensome for foreign firms.
Finally, with Zoom announcing a new data center in Singapore, the city-state is a serious contender with its 60 data centers already running to date. While Singapore’s excellent connectivity and pro-business regulatory climate provide huge benefits, some companies may find its small and domestic market stifling. Nevertheless, it continues to be one of the top destinations because of its high standard digital trade rules and strong bilateral relationships that help shield the country from the retaliatory tariffs and trade wars plaguing other markets.
While emerging economies including India and Indonesia should certainly not be dismissed, some of the data localization mandates create difficult regulatory regimes. Google’s announcement of its US$10 billion investment in India over the next five to seven years, however, sends a powerful signal that industry is looking to India for long-term growth opportunities. While India’s data center market is expected to grow by US$4.9 billion by 2025, the Ministry of Electronics and Information Technology is actively considering enacting data localization mandates for both personal and nonpersonal data. Meanwhile, the Reserve Bank of India’s 2018 directive mandates that all payment systems data be stored in the country.
As companies weigh options and consider their next move on the heels of the NSL, it is imperative that businesses ensure consumer data is protected and that adequate safeguards remain in place. With more people using the internet and adapting to the new normal, technology solutions and services are being tested more than ever before. While reshoring is certainly not the solution, there may be a window of opportunity for governments across the Asia Pacific to attract new businesses and diversify their markets in the wake of the NSL.
Sarah Skaluba is Manager, Data Policy & Trust at 
Seha Yatim is a Policy Manager for Asia & the U.S. at Access Partnership, a global public policy consultancy for the tech sector.
Seha helps companies navigate the technology-related regulatory and policy environment in the Asia-Pacific region, with a special focus on ASEAN. She analyses various technology policies including data privacy, cybersecurity, technology risk, smart cities and others. With her acute sense of business impacts, she also identifies opportunities for clients to enable them to expand their business and achieve their goals.
Prior to joining Access Partnership, Seha worked for the world’s largest package delivery company to raise thought leadership on trade and industry issues such as cross-border trade, e-commerce, high tech, industrial manufacturing and free trade agreements. She began her career in the Singapore Ministry of Manpower, where she formulated and executed communications plans for foreign manpower policies, as well as labor-trafficking issues. Seha holds a Master of Science in International Relations from the S. Rajaratnam School of International Studies and a Bachelor of Business Management from the Singapore Management University. She is a Certified Information Privacy Professional/Asia (CIPP/A) and is fluent in English and Malay.
