Tech Transactions & Data Privacy 2022 Report
In the past year, we have seen more and more government bodies around the world putting up regulatory barriers to restrict the extraterritorial movement of data. However, heightened restrictions on the flow of information are in direct conflict with the ever-growing need of multinational businesses to move data across borders in an increasingly globalized and digitized economy. This alert provides an overview of the current landscape of data sovereignty laws in the major economic bodies globally and proposes a compliance strategy for multinational companies.
The following is a high-level survey of the current state of data sovereignty laws of five high-profile jurisdictions following a turbulent 2021. We then offer some tips for businesses to keep in mind when shaping their compliance strategies for 2022.
2021 Recap: Data Localization/Transfer Regulations in Review
While the world continues to grapple with the Covid-19 pandemic, businesses are increasingly pivoting to digital service models that leverage the internet in place of in-person transactions. Many countries have responded by clarifying or amending their regulation of the flow of individuals’ data:
Russia. Subject to several narrowly defined exceptions, Russia requires all companies that collect personal information of Russian citizens to use databases located within its territory for recording, systemization, accumulation, storage, correction and retrieval purposes. Additionally, personal information collected in Russia can only be moved to a jurisdiction that ensures adequate protection [1] or on legally permitted conditions (including when the transfer is based on a data subject’s consent or is necessary to perform a contract). In 2021, Russia’s Personal Data Law was amended to increase fines for non-compliance, but the fines for violations of the data localization requirements remain the same (approximately USD $16,000 - $96,000 for first-time violators and USD $280,000 for repeat violators). The Russian government has not engaged in widespread enforcement of its data localization requirements, but there have been efforts to compel compliance by blocking high-profile global Internet platform operators.
China. China passed its Personal Information Protection Law and Data Security Law in 2021, which include strengthened localization requirements, making it more difficult to export data collected in China to other countries.
Under the new regime, the types of data that China views as critical to its national and economic interests (defined as “important data” [2] and “core data” [3]) must be stored in China. Companies operating in enumerated industries [4] and companies that process large amounts of data [5] are subject to heightened data localization and data transfer restrictions. Other types of companies and other, less “important” types of data can be transferred and stored abroad when certain conditions are met, which include obtaining certification from Chinese regulators for cross-border data transfers, or executing standard cross-border data transfer contracts (to be provided by Chinese regulators) with the data recipients. For a more in-depth discussion of China’s Personal Information Protection Law, please see our previous article here.
The European Union. The EU’s GDPR does not require data collected in member countries to be confined to the EU, but it prohibits data transfers from the EU to a country that lacks “adequate” data protection unless certain safeguards are provided. The EU Commission has so far recognized 13 countries [6] as providing “adequate” protection of personal data. The U.S. is not considered a country that provides adequate protection. Organizations located in countries other than the EU member states or those 13 jurisdictions must apply appropriate safeguards to personal data in order to receive EU data; these safeguards include binding corporate rules (BCRs), Standard Contractual Clauses (SCCs), an approved code of conduct, or an approved certification mechanism implemented inside the organization. In 2021, following Brexit, the EU recognized the UK as a country that provides adequate protection to personal data, meaning that personal data can move freely between the UK and the EU.
The United States. The United States does not have an overarching data transfer regulatory scheme at the federal level. Certain types of data may need to stay in the territory under export control laws, national security laws or sector-specific regulations. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) protects and restricts the use of Protected Health Information, but does not address the issue of offshoring data [7]. At the state level, California, Virginia and Colorado passed or amended data protection laws in 2021, and the trend is expected to continue in the coming years. These state privacy laws have provisions addressing the protection of data subjects’ rights but currently do not impose any restrictions on the interstate or international transfer of data.
A Proposed Compliance Strategy
Companies with business interests across different jurisdictions are challenged to comply with a patchwork of international privacy laws. Moving data across borders is essential under many circumstances to keep the business functioning. For example, companies need to share data internally with their international affiliates and subsidiaries to process employee payrolls, and to transfer data externally to foreign vendors and business partners to perform market analysis or to deliver products or services to local customers. Whichever jurisdictions a company operates in, here are three steps to take when designing a strategy to enable international data transfer in an organization:
- Conduct Data Mapping. It is important to have a solid grasp of the data flow in a multinational organization, so the staff implementing the compliance strategy can understand the nature and scope of the issue they are dealing with. In order to take a good inventory of its data, a multinational company should ask its stakeholders the following questions: which jurisdictions does the company operate in? What types of data does the company collect in those jurisdictions? Is the company operating in an industry that is subject to additional restrictions?
- Analyze Applicable Laws. Based on the results of the data mapping exercise, a multinational company should be able to compile a list of jurisdictions in and through which its data moves and identify the applicable laws in those jurisdictions. A company’s legal department or outside counsel should be consulted to complete this step, as it involves legal analysis.
- Design A Formal Compliance Strategy. A formalized compliance strategy is important, especially in those jurisdictions where companies need to demonstrate their compliance to local regulators to be approved to export data and to defend themselves in case of a data breach. A thorough global data sovereignty law compliance strategy should be designed in accordance with the applicable laws and available data maps. For jurisdictions with strict data localization requirements, companies should investigate options to store data locally (for example, setting up local data centers or confining covered data to local servers offered by cloud vendors). For jurisdictions where data may be transferred for processing offshore, a multinational company should confirm whether its current data transfer mechanisms are up to date.

2021 was a very active year in which we saw many changes to nations’ stances on international data transfers, and 2022 is already shaping up to be just as active. It is important for multinational companies to assess or reassess their data privacy compliance programs when evaluating their business strategies in 2022 and beyond.
FOOTNOTES
[1] Jurisdictions that are deemed to ensure adequate protection include signatories to the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data and countries on a special list approved by Russian privacy regulators from time to time.
[2] Important data is defined as data that poses a threat to China's national and economic interests or impacts the rights of individuals and organizations, and that has an "obvious cascading effect" across a range of industries and enterprises.
[3] Core data (a subset of important data) is defined as data that poses a "serious threat" to China's national and economic interests.
[4] The following companies are subject to China’s data localization rules: (i) companies in public communication and information services, power, traffic, water resources, finance, public service, e-government, and other critical information infrastructure which—if destroyed, suffering a loss of function, or experiencing leakage of data—might seriously endanger national security, national welfare, the people’s livelihood, or the public interest; and (ii) other similarly situated companies. They are referred to as “Critical Information Infrastructure Operators” or “CIIOs”.
[5] The threshold is met by processing the personal information of more than 1 million people, or by having cumulatively exported to offshore jurisdictions the personal information of more than 100,000 people or the sensitive personal information of more than 10,000 people.
[6] These 13 jurisdictions are Andorra, Argentina, Canada (commercial organizations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Republic of Korea, Switzerland, and the United Kingdom under the GDPR and the LED.
[7] The Centers for Medicare & Medicaid Services (CMS) may have some nuanced requirements related to offshoring that might apply to health care providers.