In this 4th and final part of this series of articles, we provide some perspectives on regulatory and data-related issues arising out of operating data centres.
Industry players that wish to build new data centres in Singapore will need to submit an application for approval, under the Singapore government’s call-for-application (“CFA”) scheme. This requirement stems from the government’s objective of ensuring that the growth of new data centre capacity remains sustainable (see our previous update on sustainable data centres).
At present, there is no ongoing CFA exercise under which the government is open to accepting new data centre applications. Interested applicants will therefore need to wait for the launch of the next CFA exercise. The pilot CFA exercise concluded in July 2023 with the selection of 4 winning proposals (namely AirTrunk-ByteDance, Equinix, GDS and Microsoft) out of more than 20 proposals received. As an indicative timeline, the government has stated that it intends to allocate further data centre capacity in the 12-18 months following the announcement of winning proposals.
In terms of the criteria that will be used to assess future applications, specific details have not yet been announced. The government has stated that it will engage industry stakeholders before calling for future applications.
As a reference, the pilot CFA exercise applied 3 broad criteria that proposals were required to meet (see press release):
The government has also highlighted the following reasons for its selection of the winning proposals (see press release):
If future CFA exercises adopt a similar approach, applicants will need to ensure not only that their proposals meet any minimum criteria prescribed, but also that they are sufficiently competitive to be selected. That said, the Singapore government is expected to review the relevant criteria before commencing the next round of applications, taking into account experiences gleaned from the pilot CFA exercise and stakeholder feedback. Interested data centre operators should monitor this area for further developments.
Data centre operators should also consider the potential licensing and regulatory implications of any connectivity-related activities. In particular, it is increasingly common for co-location data centre operators to include connectivity solutions as part of their service offerings, such as providing Internet access, capacity or managed network services to customers. In this regard, the offering of connectivity solutions may amount to the provision of telecommunication services that requires a telecommunications licence. Data centre operators that invest in telecommunication infrastructure, such as dark fibre or submarine cables, may also require a telecommunications licence to operate such infrastructure.
Data centre operators should also consider the impact of data privacy and other data-related laws in structuring their operations and infrastructure deployments. Ideally, these issues should be studied from an early stage of planning, as they can affect fundamental decisions such as whether to site a data centre in a particular location. They will also often need to be considered from a multi-jurisdictional perspective, as data centre operations often involve cross-border activities. We briefly discuss three issues below:
Data centre operators should identify and consider any relevant obligations under data privacy laws, as this can affect planning decisions (as mentioned above) as well as the measures that they need to implement for compliance with relevant laws. Typically, this will depend on several factors including the location(s) where data processing (including storage) takes place, as well as the nature of the operator’s role and services. For example, the nature of data processing activities undertaken by a data centre operator can differ significantly depending on whether it: (1) provides co-location services e.g. in the form of rack space and physical infrastructure, (2) provides managed data centre services, or (3) operates its own hyperscale self-build. Consequently, the nature of relevant data privacy obligations can also vary significantly.
In Singapore, the Personal Data Protection Act 2012 (“PDPA”) establishes a general data protection law that governs the collection, use and disclosure (including processing) of personal data. This includes personal data collected overseas and transferred into Singapore for storage and hosting. The PDPA is enforced by the Personal Data Protection Commission (“PDPC”).
An important issue affecting an operator’s PDPA obligations is whether it acts as an organisation or data intermediary (i.e. “controller” or “processor” respectively, as often referred to under other laws). The PDPA distinguishes between these 2 types of entities and imposes different obligations on each of them (see PDPC guidance). Data intermediaries are entities that process personal data on behalf of and for the purposes of other organisations, and as such are subject to fewer obligations. The role of an operator will also often affect the nature of documentation and legal instruments (including contracts) that need to be implemented to comply with relevant laws.
Data centre operators should also consider how cross-border transfer requirements and data localisation requirements may affect their operations. It is common for many data privacy laws around the world to restrict cross-border data transfers, and to permit data to be exported overseas only if certain safeguards are taken. Under Singapore law, the PDPA requires organisations that transfer personal data outside of Singapore to ensure that overseas recipients are bound by legally enforceable obligations to protect transferred personal data to a standard that is comparable to the PDPA, such as by implementing a contract that meets relevant requirements. Companies that transfer personal data into Singapore from other countries may also need to comply with those countries’ cross-border transfer requirements.
Data centre operators should also consider the potential impact of data localisation laws. These are laws that certain countries have enacted requiring data to be physically located for storage and/or processing within their geographical borders. For example, the Vietnamese government’s Decree 53/2022/ND-CP clarifying the Law on Cybersecurity 2018 requires certain service providers to store users’ personal data, data generated by users and data on the relationships of users locally in Vietnam. Such requirements may affect data centre activities that involve cross-border data transfers into Singapore.
If you have any questions or would like to discuss any issues, please do not hesitate to contact us.
This article is produced by our Singapore office, Bird & Bird ATMD LLP. It does not constitute legal advice and is intended to provide general information only. Information in this article is accurate as of 29 September 2023.