Darryn Lim, director, Policy – APAC, for BSA, said the Comprehensive and Progressive Agreement for Trans-Pacific Partnership's provisions on cross-border data transfers and data localisation would help create business predictability and legal certainty for regional companies operating in cutting-edge 21st century industries.
He said the BSA favoured free movement of data across borders and no data localisation requirements as the organisation saw inherent benefits in such policies.
The CPTPP was formerly known as the Trans-Pacific Partnership Agreement or TPP. But after US President Donald Trump pulled his country out of the trade deal, the other 11 countries went ahead and completed negotiations. The deal has come into force for some and others will join once their parliaments have ratified it.
Lim was interviewed by email to tease out some details about the new treaty.
iTWire: What is BSA's interest in this treaty based on? Whom does the organisation represent in its lobbying for the Comprehensive and Progressive Agreement for Trans-Pacific Partnership (CPTPP)?
Darryn Lim: As the leading industry association representing the global software industry before governments around the world, BSA is most interested in the agreement’s e-commerce chapter, which creates binding multilateral rules that limit restrictions on international data transfers, prohibit requirements for data localisation, and include added protections for source code, among other things.
These are consistent with the elements that BSA views as essential in any modern trade agreement for the 21st century to drive job creation, competitiveness, and innovation, as set out in BSA’s publication “Modernising Digital Trade: An Agenda for Software”. BSA represents companies like Adobe, Amazon Web Services, Apple, Baseplan Software, Cisco, Microsoft, IBM, Salesforce, Symantec, Workday, and numerous others. These companies are at the forefront of innovative data services driving the global economy, such as cloud computing, data analytics, cyber security, blockchain, machine-learning, and artificial intelligence. All of these services depend on the ability to transfer data globally.
Does this treaty leave open the possibility for other countries — say, like China or India — to join later?
The CPTPP allows new member countries to join the agreement, subject to the ability of each candidate to meet the obligations of the agreement, as well as any other terms and conditions imposed by existing CPTPP members. In any event, existing CPTPP member countries would have to agree to allow any new candidate to join the agreement.
Now that seven countries of the 11 involved have ratified the CPTPP, it has been given effect, has it not?
The CPTPP will go into effect on 30 December for six countries (Australia, Canada, Japan, Mexico, New Zealand and Singapore), and on 14 January 2019 for Vietnam. The trigger for the CPTPP going into effect — six countries having ratified the agreement — was met when Australia became the sixth country to ratify it on 31 October. Vietnam ratified the CPTPP on 15 November, hence the slightly later effective date for Vietnam. For the remaining countries (Brunei, Chile, Malaysia, and Peru), the CPTPP will go into effect after they have ratified it.
Why is it so important not to localise data storage? To me, it seems reasonable that a country would want to have data about its citizens' (and other residents) transactions stored within its borders.
For cutting-edge technologies like cloud computing and AI to be available, data needs to be transferred across borders. Data and server localisation requirements limit the availability of these services in the market, which impedes the ability of other local industries to compete, especially in the international market place.
Countries that are looking to have transactional data stored within its borders are often motivated by concerns around security. However, data security ultimately does not depend on the physical location of the data or the location of the infrastructure supporting it. Security is instead a function of the quality and effectiveness of the mechanisms and controls maintained to protect the data in question.
In fact, localising and concentrating data and servers in a country introduces cyber security vulnerabilities by providing a central point of attack for bad actors to target while denying access to the many security benefits that cloud-based technologies can bring, such as redundancy, around-the-clock security monitoring, cloud-based network defence tools, and others.
When it comes to encrypted data, is the BSA's stance any different given its opposition to the encryption bill currently before the Australian Parliament?
BSA’s stance remains the same as set out in the email interview by iTWire on 21 September. We would, however, clarify that, as mentioned in our submission to the Australian Parliament of 12 October and in our testimony during the public hearing on 19 October, we acknowledge and support the Australian Government's desire to have effective tools to aid in the fight against criminal and terrorist activity and to ensure that the rule of law applies equally to offline and online activity.
Our concerns with the Assistance and Access Bill 2018, as presently drafted, lie in its broad scope coupled with inadequate safeguards for the exercise of the authorities granted under the bill.
For instance, India is now insisting that all data regarding monetary transactions be stored physically within its borders. Would that be considered "unreasonable"?
BSA supports balanced policies that protect personal data and further cyber security. Regarding the data localisation measures that India’s financial services regulator (the Reserve Bank of India) have imposed, we focus on whether these requirements are necessary to achieve the RBI’s objectives. We understand these objectives to be two-fold – the ability for the RBI to perform its regulatory duties, and the need to ensure data integrity and security. Data localisation does not advance either of these goals.
With respect to the ability to perform regulatory duties, other regulators such as those in Singapore and Hong Kong expressly permit data held by financial services institutions to be stored and processed overseas, clearly demonstrating that the location of the data is not critical to the exercise of regulatory functions. With respect to ensuring data integrity and security, we would reiterate our earlier point that security is a function of the quality and effectiveness of the mechanisms and controls maintained to protect the data in question.
The US had an issue some months ago when it could not gain access to data stored by Microsoft in Ireland; the data was said to be needed to investigate a drugs-related case. Now, that has been overcome by passage of a new law, the CLOUD Act. How would the Comprehensive and Progressive Agreement for Trans-Pacific Partnership affect issues like this?
As far as we are aware, the CPTPP does not directly affect this issue, although the agreement does contain a number of co-operation and dialogue mechanisms at which this issue could be discussed.
Given that at least some of the countries involved in the CPTPP do not have digital systems that can deal effectively with some of the treaty changes, what is the use of putting such changes in place?
The e-commerce provisions in the CPTPP will improve the ability of countries to take advantage of the digital economy. Its provisions on cross-border data transfers and data localisation will help create business predictability and legal certainty for regional companies operating in cutting-edge 21st century industries. That is important not only for the software industry, but also for every industry that takes advantage of cloud computing or data analytic services.
In the BSA's view, what are ideal international data rules?
The ideal set of international data rules should facilitate job creation, competitiveness, and innovation. The driving principle should be: no market access barriers and no discrimination against innovative software services. These rules should include commitments by governments to, among other things:
- allow the free movement of data across borders;
- not impose data localisation requirements;
- promote the use of innovative technology in government operations;
- allow companies and government agencies to use the technology of their choice; and
- support strong encryption.
These elements and more are set out in our publication “Modernising Digital Trade: An Agenda for Software”
As mentioned above, the digital trade rules in the CPTPP are consistent with these elements that BSA views as essential.
What about ISDS – is it not part of the CPTPP? What is the BSA's view on this?
ISDS, or Investor-State Dispute Settlement, remains part of the CPTPP, although the CPTPP parties did make some limited adjustments to the ISDS provisions of the agreement.