Ranked in the top ten for global data center competitiveness, Hong Kong has become an essential hub in Southeast Asia’s regional data storage network. Public cloud providers like Amazon Web Services, Google Cloud Platform, Microsoft Azure, and Alibaba Cloud have data regions there. It’s also home to data centers for third-party companies like SUNeVision and Equinix, which safeguard data for giants like IBM and Apple and scores of other companies that house valuable information in Hong Kong’s data centers.
But Hong Kong’s new national security law, passed on June 30, has thrown the city’s status as a data hub into jeopardy. The law presents companies with the challenge of having to comply with state requests for data: they are now legally required to be able to identify and produce a given user’s data from the sea of information flowing through the city. The change is forcing companies to react. Facebook, Twitter, LinkedIn, Microsoft, and Zoom — many of whom have some level of operations in mainland China — have said that they have suspended processing user-data requests from the Hong Kong police. But the law remains in force; as Beijing takes a closer hand in governing Hong Kong, transnational companies are being forced to consider that their data may be treated differently if it remains in the city’s data centers.
Since 1997, Hong Kong’s combination of proximity to China’s booming economy, political autonomy from Beijing, and legal and financial vestiges of a past as a British colony have made it one of the most important cities for Asian business. Hong Kong is currently home to 57 co-location data centers. In 2018, the city’s data center market was worth $883 million, projected to grow at 14% annually for the next five years. The city is also a key juncture in Southeast Asia’s network of internet infrastructure: it’s the landing point for 11 subsea internet cables, with a 99.995% consistent electricity supply. When it comes to data storage, Tokyo has higher earthquake risks, Taipei has likewise plus geopolitical uncertainty, and Hanoi can’t deliver reliable electricity supply. Kuala Lumpur has struggled with corruption, Bangkok has an opaque political system, and Singapore — where many tech firms keep their regional headquarters — has strict laws about speech. Up until June’s national security law, Hong Kong was in an ideal spot on the spectrum of East Asian geographies suitable for data hubs.
Although many international firms with data in Hong Kong say they are resisting requests, Glacier Kwong, an activist with Hong Kong digital-rights group Keyboard Frontline, warns that may change. “[Authorities] are now allowed to request online service providers and platforms to remove information online, and failure to do so can result in legal penalties, including imprisonment,” Kwong told Rest of World. “This creates huge motives for tech companies to comply with their request.” Hong Kong residents can look to the past for examples of companies complying with Chinese authorities: Yahoo’s disclosure of private emails in the 2002 case of Chinese engineer Wang Xiaoning set a worrying precedent for platforms operating in the legal gray area of data sharing.
An expert who studies data risks closely says that, even if Facebook refuses to comply with local authorities, third-party data companies or local telecoms could divulge other user information, as they’re subject to the same law. Even before the law was enacted, in 2019, the Hong Kong government made more than 5,500 requests from information and communication technology companies for user data, and over 4,000 requests for content to be removed — though not all of these requests were met with compliance. The law has had a chilling effect on Hong Kong’s residents. Kwong told a panel discussion at digital human rights conference RightsCon that she’d already observed people deleting their speech online and un-liking the pages of well-known political activists.
Paul Haswell, who heads the technology practice at international law firm Pinsent Masons’s Hong Kong office, said the fact that the police can now request user data under the national security law changes the environment in Hong Kong. In addition to housing corporate user data, the city has long been home to a legal services industry that built its reputation for discreteness and confidentiality dealing with wealthy Chinese clients. “Historically, the rest of the world has seen Hong Kong as a safe version of China,” said Haswell. “People are nervous that Hong Kong will become just another Chinese city.”
China’s cybersecurity policy is opaque and evolving. Apple, one of the biggest tech giants operating in China, has said that storing Chinese users’ data in the country enables the company to deliver on speed and reliability, while also complying with the government’s regulations. Experts and sources who work directly with companies that house data in Hong Kong say they could adjust to managing their data in a similar way. “U.S. firms operating in mainland China, such as Apple, Microsoft, LinkedIn, and GitHub, already face the scenario in Hong Kong, in that they’re potentially susceptible to China’s broad and vague national security laws on the mainland,” said Nigel Cory, associate director for trade policy at the Information Technology and Innovation Foundation, in Washington, D.C. Cory says all companies must abide by local laws when storing data. In China, companies store data locally, in large part to avoid the legal and commercial headaches caused by requests for data hosted outside of the country.
Most companies store multiple copies of their data in some format across a network of data centers. It’s often done to improve speed and prevent errors, but cloud providers also build regional hubs to service companies that comply with laws on local data storage, such as China. The data storage isn’t just limited to major tech companies: banks, insurance, and healthcare providers are often required to keep their data local as well. Cloud companies determine where they locate their data centers based on servicing these high-data-volume customers.
Transnational corporations that service these industries may look to the model of international companies like Apple as a possible future for their operations in Hong Kong. These companies are already in the practice of separating and, in some cases, storing Chinese users’ data locally, in order to comply with regulations. Apple’s Chinese iCloud partner is a data storage company called Guizhou-Cloud Big Data, which stores user data locally on the servers of state-run China Telecom. That doesn’t preclude data from flowing in and out of China, though. Carolyn Bigg, a lawyer at DLA Piper, says most kinds of data can leave China so that companies can utilize global systems like human resource databases. “It’s a case of identifying and tagging the mainland China data so they know where it is, in case the regulatory environment changes,” she says.
If companies decide that navigating the Chinese regulatory environment isn’t worth the hassle, they could choose to leave Hong Kong altogether. Less than three weeks after the national security law was enacted, Korea’s largest internet search engine, Naver, relocated its overseas data backup center out of Hong Kong to Singapore, reportedly over concerns that the law could leave user data (Naver’s Line messaging app has more than 200 million users globally) vulnerable to access, if it remained in Hong Kong. In a statement, the company said data in Hong Kong had been deleted earlier in July and its Hong Kong servers reformatted.
But cornerstone institutions like HSBC and Standard Chartered will have a harder time walking away from Hong Kong entirely. HSBC, which has been operating in Hong Kong since 1865, said in a social media post that it “respects and supports all laws that stabilise Hong Kong’s social order.” These institutions are cautiously wading through Hong Kong’s regulatory landscape, which, as the national security law demonstrated, can change overnight.
American tech giants with operations in Hong Kong are already reacting to the territory’s new regulatory environment. Google, whose search engine is blocked in mainland China, last week informed Hong Kong’s police to direct data requests through the territory’s Mutual Legal Assistance Treaty with the United States, according to the Washington Post. The company had already said it suspended requests for data after the national security law went into effect. The move defaults all requests from the police to a tenuous diplomatic process, one which the Trump administration has openly questioned.
As for the future of Hong Kong’s data storage industry, experts say the constellation of companies that has grown up to service Hong Kong’s internet infrastructure and data center market could now turn to serving mainland Chinese clients. In the wake of the coronavirus pandemic, China’s central government is spending more than $1 trillion to incentivize the construction of “new infrastructure,” to not only spur economic growth but also enable the country to rely on its own technological capabilities, including 5G networks and data centers. According to local real estate companies, at least a quarter of the new data center space going online in Hong Kong will be owned by Chinese telecoms by 2024.
Haswell, who navigates the legal complexities of international tech transactions, says for international firms that decide to remain in Hong Kong, managing data in a similar way to China would be “a walk in the park.” “We’re kind of slowly going down a path where data becomes owned by states,” says Haswell, “rather than being this free thing we all believed in.”