Navigating Data Privacy: Owners and Operators
The importance of data privacy can’t be emphasised enough, as there have been substantial financial and personal losses when confidential data gets in the wrong hands.
A breach at a corporation can put proprietary data in the hands of a competitor or dilute customer confidence, while a breach at an online service platform could put users’ profiles at risk of identity theft in the hands of criminals.
Protecting data privacy against mishandling and unauthorised access has always been at the forefront of the agenda for governments and the private sector worldwide.
Establishing and maintaining strong data privacy protocols is fundamental to operating high-value, sustainable corporations and at Actis we recognise that this topic intersects with our aspirations to invest responsibly – and it’s part of our overall approach.
Governments and regulators can also be seen as invaders of data privacy. The COVID-19 pandemic has further exacerbated this conflict as many governments increased contact tracing with location tracking apps.
Privacy today faces growing threats from increasingly ubiquitous surveillance apparatus that is often justified in the name of security. As an investor/developer/operator of data centre infrastructure in many growth markets that are setting different standards for such fine balance between data privacy, protection and security, Actis needs to be well informed about such issues and position our investment carefully.
Public’s concerns on data privacy and protection
In the normal course of business operation, a single company, especially those with near monopolistic power, may possess the personal information of millions of customers who are prone to data theft and misuse if sufficient measures are not in place.
One well-known example is the Facebook data privacy scandal centred around the sharing of personally identifiable information to Cambridge Analytica who profited from illegal data harvesting. The backlash against Facebook for inadequate safeguards and oversight on personal data privacy has severely undermined the firm’s reputation.
Actis has existing data centre investments in China and Korea where our investee companies must strictly abide by the associated national laws of data privacy
Government agencies also collect vast amounts of data about individuals and businesses. In China, surveillance cameras equipped with facial recognition technology are frequently used for everything from identifying jaywalkers to mandatory hotel check-in.
Many people clock in and out of work by scanning their faces, and these cameras are also being used to screen people entering or exiting campuses, residential buildings and public transport facilities as data feeding channels for Big Data processing.
The number of closed-circuit television cameras in use in China has risen to over 600 million in 2020 and as a result, there has been a growing public concern over the inappropriate collection and use of personal facial information in China.
As a response, in 2020, China published the first draft of its new Personal Information Protection Law which is intended to unify rights to privacy, personal information collection and protection, and is the country’s first ever legislation in the area.
Decentralisation in data processing and storage
The proliferation of data sovereignty regulations and its enforcement is also raising concerns as data storage and processing moves from being centralised in a few regional locations, which tend to be jurisdictions with more transparency and stricter protection of data privacy, to being distributed across more local markets.
A prime example is Asia with data centres in regional hubs such as Hong Kong, Singapore and Tokyo holding the bulk of data processed and stored by global operators and service providers across Asia.
But many such global players have started to increase their presence in local markets such as India, Indonesia, Malaysia and Thailand. We are seeing similar trends in other developing regions such as Africa and Latin America.
Examples include Yondr who announced a joint venture partnership in October 2021 with Everstone Group. They plan hyperscale developments in the Indian market which will deliver 30MW by 2023 and 60MW of IT capacity when fully developed.
In October 2021, Equinix launched a new hyperscale data centre in São Paulo, Brazil with a total capacity of 14.4MW. In Africa, Microsoft Azure opened two hyperscale data centres in both Cape Town and Johannesburg in 2019, while Amazon AWS inaugurated its first hyperscale data centre in Cape Town in 2020, and both are exploring entry into Nigeria and Kenya.
We believe such transitions will become the norm going forward, thus putting more data centres with processing and storage capacity in jurisdictions that may not have the same level of transparency when it comes to data security and privacy protection.
It is, however, these early-stage markets with high growth potential that present the best risk adjusted opportunities for an investor like Actis.
Legal and regulatory framework for data centre
In Asia, Actis has existing data centre investments in China and Korea where our investee companies must strictly abide by the associated national laws of data privacy.
In China, obtaining a valid license from the Ministry of Industry and Information Technology (“MIIT”) is imperative for any internet data centre (IDC) operators to carry out data centre services.
The license approval is subject to close scrutiny by government agencies given that data storage and processing has a bearing on national security, mandating that an IDC operator with the IDC license must work with MIIT when it comes to data security/privacy.
With the growing concerns and escalating regulatory stringency in relation to data privacy globally, Actis is keenly aware of the regulatory framework within the markets in which we invest, develop and operate data centres
However, it’s noteworthy that Actis and our data centre investment program are primarily focusing on providing the fundamental infrastructure, i.e. land, shell and core, and mechanical, electrical and plumbing (MEP), for built-to-suit or wholesale colocation purposes.
Data storage and processing lies with our tenants and customers, who are subject to even more licensing requirements as internet service providers (ISP) and internet content providers (ICP) in addition to IDC in China.
Our customers, who range from telecom couriers providing colocation and managed data services, to domestic and international internet/e-commerce/cloud companies providing direct services to individual subscribers/consumers, are solely responsible for compliance with any regulatory requirement in data privacy or sharing personal data of their customers with the regulators.
We also take a similar approach in Korea, where the key legal and regulatory framework governing data privacy consist of the Personal Information Protection Act (the “PIPA”) as a general law, together with several sector-specific laws including the Act on the Promotion of IT Network Use and Information Protection (the “Network Act”).
The operators such as Korea Telecom and our customers who will be mostly global cloud services providers (the “CSPs”) ensure that their respective data centre modules within our two facilities are equipped with scalable security controls and multiple layers of defence that help to protect the integrity of their customers’ information.
However, as the operators and CSPs do not have visibility into or knowledge of what customers are uploading onto its service network or platform, customers are ultimately responsible for their compliance with the PIPA and related regulations.
With the growing concerns and escalating regulatory stringency in relation to data privacy globally, Actis is keenly aware of the regulatory framework within the markets in which we invest, develop and operate data centres.
Our infrastructure focused investment strategy allows us to deploy capital across many growth markets to satisfy the growing need for data centre capacity from both traditional telecom couriers and global CSPs, while at the same time largely insulating our funds and investments from the increasingly sensitive data privacy and security issues faced by these customers and users of our data centre facilities.