In recent years, the world of cross-border data flows has changed dramatically, driven by the exponential growth of data and the increasing ability and desire to harness and exploit it, as well as the growing number of regulatory developments that have created a patchwork of varying approaches across jurisdictions, which organizations must now navigate. Cross-border data transfers have become an increasingly complex issue, intersecting different areas of regulatory focus, including not only privacy and cybersecurity, but also trade, antitrust, intellectual property, and even data-specific legislation as countries develop and implement digital strategies.
In the digital economy, data is viewed as a commodity, and its movement can have important implications, both from an economic and a political perspective. For example, organizations required to store data locally may choose to limit services in specific jurisdictions, whether due to the cost or constraints caused by local requirements, or concerns over foreign authorities accessing the data. In the face of this increasing complexity, global organizations may find it challenging to comply with the full array of requirements across the different jurisdictions in which they operate. During this turbulent and often politically charged time, organizations need to take proactive steps to better position themselves to deal with the evolving landscape of cross-border data transfers and the uncertainty that comes with it. The development and implementation of effective information governance (IG) strategies can help create the foundation to ensure that your organization is set up for success.
What is Data Localization?
Responsible for many of the restrictions relating to cross-border data transfers, data localization, also known as data sovereignty or data nationalism, refers to the obligation requiring organizations to store and process data within specified national borders. There has been a recent upward trend in the introduction of data localization requirements globally. In 2021, the number of countries with data localization measures in place was 62, with 144 restrictions imposed. This was up from 2017 when 35 countries had data localization measures in place, and 67 restrictions were imposed. This has come on the heels of the continued growth of the data economy, coupled with an increasing trend towards nationalism more generally, resulting in part from global supply chain disruptions and growing geopolitical tensions.
It is important to understand that data localization can come in different forms and have varying objectives, some more transparent in nature than others. For example, in some jurisdictions data localization focuses on restricting the transfer of specific types of data (e.g. personal data, health data, financial data, etc.), while in others the flow of broad ranges of data is restricted, such as data considered “important”, “sensitive” or “core”, often in connection with national security concerns. These restrictions are enforced through different types of data localization rules, generally in the form of hard or soft data localization, such as the following examples:
- Data Mirroring – requires copies of data to be stored locally before the data can be transferred out of the jurisdiction;
- Explicit Local Storage – requires data to be physically stored within a particular jurisdiction, but allows for the possibility of foreign processing under specified conditions;
- Explicit Local Storage and Processing – requires data to be stored and processed within a particular jurisdiction; and
- De Facto Local Storage and Processing – requires data to be transferred only through stringent and often complicated transfer mechanisms which, coupled with legal uncertainty and the possibility of large fines, can make transfers too difficult and/or too risky for some organizations.
Jurisdictions generally follow one of two approaches in regulating data and cross-border data flows. The first is a privacy-centric approach, as seen in the European Union (EU). The second approach focuses instead on government control of data and national security. In these instances, such as in China, data is considered a “national asset” to which the government should have access. Organizations should do their best to understand the complete picture of the relevant requirements in the jurisdictions in which they operate. This will help ensure compliance with both local requirements and potentially conflicting requirements in other jurisdictions. When it comes to cross-border transfers, two main types of data are implicated: personal data and, increasingly, non-personal data.
Transfers of Personal Data
The transfer of personal data has been the main focus of many of the regulatory developments in this space in the recent past. This has been driven by the EU’s General Data Protection Regulation (GDPR), under which transfers of personal data may only occur on the basis of an adequacy decision, or if subject to certain specified appropriate safeguards (e.g., binding corporate rules, standard contractual clauses (SCCs), etc.). Many other jurisdictions have introduced similar privacy legislation modelled on the GDPR, including elements of data localization requirements. One example is China’s recently enacted Personal Information Protection Law (PIPL). The PIPL includes conditions for the cross-border transfer of personal data that are similar to the GDPR, but it is more stringent. For example, organizations wishing to transfer personal data out of the country for genuine business reasons must inform individuals of the identity of all foreign recipients and obtain separate consent; they must also meet additional conditions (e.g. SCCs, Cyberspace Administration of China (CAC)-administered security assessments, etc.).
In addition to the PIPL, China has released further guidance relevant to cross-border data transfer measures. The CAC recently released the draft Rules concerning the Standard Contract for Cross-Border Transfer of Personal Information, together with the draft SCCs, which provide detailed implementation rules and guidelines concerning the use of SCCs as a transfer mechanism. The CAC also released the Technical Specifications for Security Certification of Cross-border Processing of Personal Information (a document without the force of law or regulation), and the final version of the Measures for the Security Assessment of Transfers of Data Abroad, providing detailed implementation rules and guidelines concerning these other two mechanisms for cross-border transfer of personal data. These guidance documents combined intend to provide clear rules regarding the cross-border transfer of personal data, enabling Chinese regulators to roll out a complete suite of legal mechanisms for these transfers. The Measures for the Security Assessment of Transfers of Data Abroad could also relate to non-personal data, and are highlighted below.
Despite the general trend towards greater regulation of personal data transfers, there are still a number of jurisdictions without data localization requirements in place. These jurisdictions often rely solely on consent-based models as the basis for the transfer of personal data (generally on the condition of the continued expectation that data will be appropriately safeguarded). For example, in Canada under the current federal privacy legislation, the Personal Information Protection and Electronic Documents Act (PIPEDA), and its proposed replacement legislation Bill C-27 Digital Charter Implementation Act, 2022, there is no prohibition on the transfer of personal data outside of Canada. As long as individuals are informed at or before the time their personal data is collected, they are considered to have implicitly consented to the transfer. Other jurisdictions may require express consent for the transfer of personal data (e.g. China). These types of requirements often fall under the category of de facto localization due to the burden placed on organizations to obtain these consents.
In the case of anonymized personal data, while truly anonymized data generally falls outside of the scope of the definition of personal data, it may be captured by the growing requirements relating to non-personal data. As such, organizations should still proceed with caution if undertaking any transfers of this data.
Transfers of Non-Personal Data
When organizations think about data localization requirements, the first thing that likely comes to mind is the restrictions relating to the movement of personal data. While this is the area most often driving these types of requirements, a number of jurisdictions require organizations to keep certain prescribed records and non-personal data within a particular geographic location, or require organizations to obtain permission from regulators and/or meet specific additional reporting obligations in order to move records outside of the jurisdiction. Specific regulatory areas may attract these types of requirements, including corporate governance, accounting, finance and tax records, as well as records relating to human resources, and environment, health and safety. For example, in Canada if an organization wishes to maintain tax records electronically outside of the country, it must apply for authorization from the tax authority. Some of these requirements are so specific that they require records to be kept at a particular location within a jurisdiction (e.g. the head office). For example, in California, organizations must generally keep payroll, wage rate and time records at the place of employment or at a central location in the state of California.
There have also been a number of recent developments which see the transfer of non-personal data falling under the scope of data-specific legislation, as well as privacy and cybersecurity legislation. This is, in part, driven by concerns regarding laws passed in other jurisdictions which can compel organizations to provide data to foreign governments via transfer or access requests. This may include, for example, requests for data held by cloud services providers regardless of data storage location under the United States (US) Clarifying Lawful Overseas Use of Data Act (CLOUD Act). Another area of concern relates to the protection of trade secrets and intellectual property (IP) rights. This is evident in the EU’s recently adopted Data Governance Act (DGA), and recently proposed Data Act. These acts form part of the EU’s data strategy, which aims to develop a single market for the free flow of data within the EU and across sectors, benefitting businesses, researchers and public administrations. They introduce GDPR-like rules governing the transfer of non-personal data protected by IP rights or trade secrets outside the EU/EEA. The DGA relates to transfers of non-personal data covered by third parties’ IP rights or trade secrets held in public databases. Under this act, re-users may only transfer the data to non-EU/EEA countries under strict conditions. The Data Act, on the other hand, relates to the transfer of non-personal data protected by IP rights and trade secrets held by providers of data processing services, in the event of an access or transfer request by a non-EU/EEA government. In such cases, processors must prevent the transfer except in prescribed circumstances.
China is another jurisdiction where there has been considerable movement regarding the regulation of data, both personal and non-personal. For example, the Data Security Law (DSL), which entered into force in September 2021, relates to any record of information in electronic or any other form. The DSL “establishes a categorised and classified data security system and regulates the storage and transfer of information”. Under the DSL the government of China shall handle requests for data made by foreign judicial or law enforcement authorities, and organizations are prohibited from providing data to these foreign entities without the approval of the competent Chinese authorities. In addition, the Measures for the Security Assessment of Transfers of Data Abroad (mentioned above) also have the potential to relate to non-personal data, where that data is categorized as “important” or “sensitive”. The increasingly stringent and complex requirements coming from China have resulted in a number of organizations becoming more reluctant to share data, including standard business data, with foreign partners, due to the uncertainty surrounding what information can be shared, citing compliance with China’s security laws.
Although recently withdrawn in favour of starting over with new draft legislation, India’s Personal Data Protection Bill, 2019 (PDB) also included an expanded scope which covered non-personal data and regulations on cross-border data flows. This was a controversial issue within the bill and it remains to be seen whether India will continue down the path of regulating non-personal data in its next draft privacy legislation. This is just another example of the uncertainty organizations face when trying to prepare for new and updated requirements relating to cross-border data flows, and represents why organizations must be able to adapt and change their IG policies quickly.
Setting Up Your IG Program and Strategy
Given the continually evolving regulatory landscape, the uncertainty concerning both established rules (e.g. the invalidation of the Privacy Shield) and the realities of how new rules for cross-border transfers will actually be implemented, organizations need to ensure they have an effective IG program in place. This will be essential in helping organizations pivot and adapt to these new and changing requirements in a compliant and cost-effective manner. In developing a new program or reviewing an existing program, organizations should consider the following issues.
Understanding Your Business and Your Data
In order to identify and understand the data transfer requirements relevant to your organization you must first understand how your business is structured and the jurisdictions in which it operates. This includes the different business functions in each jurisdiction, where physical offices or employees are located, as well as where customers and/or clients are located. Different types of data and records can attract varying requirements. For example, personal information will of course attract obligations relating to privacy, while financial information has the potential to attract not only obligations relating to tax, accounting and financial reporting, but privacy legislation as well. As discussed above, both of these areas commonly have relevant storage location requirements so it is important for organizations to understand which records and data are connected to the different jurisdictions in which they operate, and where there is potential for overlapping or conflicting obligations. Organizations should also do their best to understand how each jurisdiction regulates data (i.e. privacy-centred vs. government control), and how this aligns with their business operations.
Along with understanding the business, it is equally important for organizations to understand their data. This includes understanding not only what data they have, but also how it was collected, where it was collected from, and why it was collected. These are all important questions that will help map the flow of data through the organization, establishing a data lineage. Understanding what data you have and how it flows through the organization, including being able to easily identify where any cross-border data transfers occur through these flows, will help save time and money, and reduce risk in the face of changing requirements. Understanding your data is crucial to implementing effective measures to minimize that data and set appropriate periods for retaining the data you need.
Data Retention and Minimization
Another important area organizations should focus on when it comes to refining their IG strategy is setting and following rules for records and data retention and disposition. Once an organization understands all the records and data it collects, uses, and retains as part of its business operations, it is essential to set appropriate retention periods, balancing not only statutory requirements and business needs, but privacy considerations as well. It is equally important for organizations to actively engage in defensible disposition of records and data based on these set periods. Organizations should also ensure they are keeping relevant records related to cross-border data transfers. This includes records of processing activities, such as records of transfers as a form of processing. This also includes records of consents relevant to the transfer of data, and any records of the notice provided (e.g. privacy notices or policies). These will be important in the event of an investigation to help demonstrate compliance with relevant requirements.
Data minimization is also key from the perspective of both collection and disposition. The less unnecessary data an organization has the easier and cheaper it will be to change any practices surrounding a particular jurisdiction or data type, including moving the data to a new storage location, if new requirements are introduced. Having less data also helps to reduce risk in the event of an investigation or if facing data access or transfer requests from foreign governments. To further reduce risk, organizations should ensure that any third party service providers they enter into an agreement with follow the organization’s retention and data minimization policies wherever possible.
Third Party Service Providers
How and when organizations partner with third party service providers is another area requiring careful consideration in the context of cross-border data transfers. When choosing a third party service provider, organizations may want to consider whether the provider offers options to store the data within different jurisdictions, especially those in which the organization operates. Selecting a provider with data centres around the world could help reduce the cost of moving data if new requirements are introduced within a particular jurisdiction. However, even if the data is stored within a particular jurisdiction, organizations still need to be careful when selecting which third party service provider to use. In the eyes of some regulatory authorities, it might not matter whether the data ever leaves the originating jurisdiction. If there is a perceived threat of access by foreign governments and law enforcement because the provider is based in another jurisdiction, and regardless of whether or not appropriate safeguards are in place to protect the data, having the third party serve as a data processor may still render the organization non-compliant. Safeguarding the data from access in contravention of applicable laws is paramount.
Organizations also need to consider the safety and security of the data and records in their control. While security is not necessarily dependent on storage location, especially as cyber incidents can be perpetrated from anywhere in the world, when deciding where to store their data, organizations should consider the extent to which local government and law enforcement can access data held within their borders. Further, depending on relevant data localization requirements, organizations must carefully consider which safeguards they implement. For example, the popular cybersecurity measure known as “sharding” requires data to be split up across multiple data centres; if a data localization requirement exists in relation to this data, then this method, although effective from a cybersecurity perspective, should be used with caution. In order to help ensure data remains secure, organizations should have appropriate technological, organizational, and physical safeguards in place. This includes controlling who has access to data and what they are able to do with it. It is important to note that in some jurisdictions, accessing data from an outside jurisdiction may be considered a “transfer”. If organizations have appropriate safeguards in place, they can help reduce the risk of inappropriate data transfers by individual actors.
Employee Education and Awareness
As always, it is crucial to ensure employees are properly trained on your organization’s policies and procedures as they relate to data transfers, and all other relevant topics, such as data minimization, retention and disposition, and cybersecurity. Employees are an important resource when it comes to ensuring compliance. In the event of an incident or an investigation, a lack of knowledge or understanding of an organization’s policies will not be an adequate excuse in the eyes of a regulator.
Due to the current patchwork of requirements and uncertainty surrounding how data transfers will ultimately be regulated, it is crucial for organizations to take whatever steps they can now to implement effective IG strategies to help support and facilitate their data transfers. For example, it is currently unclear whether the distinction between “personal” and “non-personal” data will gain broader traction from a regulatory standpoint, given the varied approaches, the blurred boundaries between the two, and the potential for mixed datasets. However, if an organization understands its data, and how it relates to the myriad of requirements, it can ensure the data is effectively tagged with the relevant metadata (e.g. country of origin) to help set rules for storage location and any requirements surrounding eligibility for transfer. The complex and evolving nature of data transfers makes it very difficult for organizations to know what to expect. This is why having a robust IG program in place is one of the best defences for ensuring compliance.
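The following is an added example, not code from the original article, showing how the metadata tagging described in this section (country of origin plus data category) can drive storage-location and transfer-eligibility checks. It encodes the four localization forms listed earlier (mirroring, local storage, local storage and processing, and a mechanism-gated de facto case), resolves mixed datasets to the strictest applicable rule, treats remote access from another jurisdiction as a transfer, and flags shard placements that would breach a storage rule, as the Third Party Service Providers section cautions. The jurisdiction codes (XA, XB, XC), the rule table, the accepted transfer mechanisms and the sample records are all constructed for illustration and do not describe any real country's law.

```python
"""Metadata-driven localization policy check (constructed example for this article)."""
from dataclasses import dataclass
from enum import IntEnum
from typing import Dict, FrozenSet, List, Optional, Tuple


class Localization(IntEnum):
    """Localization modes, ordered weakest to strictest so a mixed record takes the strictest."""
    NONE = 0                      # no storage-location rule
    MIRROR = 1                    # a local copy must be kept before data leaves
    LOCAL_STORAGE = 2             # stored locally; foreign processing only via an accepted mechanism
    LOCAL_STORAGE_PROCESSING = 3  # stored and processed locally, no exceptions


# Constructed rule table for three hypothetical jurisdictions (XA, XB, XC).
# Key: (country_of_origin, data_category). Not a statement of any real country's law.
RULES: Dict[Tuple[str, str], Localization] = {
    ("XA", "personal"): Localization.LOCAL_STORAGE,
    ("XA", "important"): Localization.LOCAL_STORAGE_PROCESSING,
    ("XB", "financial"): Localization.MIRROR,
    ("XB", "personal"): Localization.NONE,
    ("XC", "personal"): Localization.NONE,
}

# Constructed: mechanism labels this example accepts for foreign processing under LOCAL_STORAGE.
ACCEPTED_MECHANISMS = {"scc", "adequacy", "security_assessment"}


@dataclass(frozen=True)
class Record:
    record_id: str
    country_of_origin: str          # metadata tag set at collection time
    categories: FrozenSet[str]      # e.g. {"personal", "financial"} for a mixed record
    local_copy_exists: bool = False


@dataclass(frozen=True)
class Decision:
    allowed: bool
    mode: Localization
    reason: str


def applicable_mode(record: Record) -> Localization:
    """Strictest mode across every category tag, so mixed datasets inherit the tightest rule."""
    return max(
        (RULES.get((record.country_of_origin, c), Localization.NONE) for c in record.categories),
        default=Localization.NONE,
    )


def evaluate(record: Record, action: str, location: str,
             mechanism: Optional[str] = None) -> Decision:
    """Decide whether `action` ('store', 'process' or 'access') from `location` is allowed.

    Remote access from another jurisdiction is treated as a transfer, so 'access'
    is checked exactly like 'process'.
    """
    if action not in ("store", "process", "access"):
        raise ValueError(f"unknown action: {action}")
    mode = applicable_mode(record)
    if location == record.country_of_origin:
        return Decision(True, mode, "activity takes place in the country of origin")
    if mode == Localization.NONE:
        return Decision(True, mode, "no localization rule applies to this record")
    if mode == Localization.MIRROR:
        if record.local_copy_exists:
            return Decision(True, mode, "local copy retained before transfer")
        return Decision(False, mode, "mirroring rule: keep a local copy before transferring")
    if mode == Localization.LOCAL_STORAGE:
        if action == "store":
            return Decision(False, mode, "record must be stored in its country of origin")
        if mechanism in ACCEPTED_MECHANISMS:
            return Decision(True, mode, f"foreign {action} permitted under '{mechanism}'")
        return Decision(False, mode, f"foreign {action} needs an accepted transfer mechanism")
    return Decision(False, mode, "record must be stored and processed in its country of origin")


def offending_shards(record: Record, shard_locations: List[str]) -> List[str]:
    """Shard placements that would breach a storage rule (the sharding caveat from the text)."""
    return [loc for loc in shard_locations if not evaluate(record, "store", loc).allowed]


if __name__ == "__main__":
    # Constructed sample records.
    mixed = Record("r1", "XA", frozenset({"personal", "important"}))
    personal = Record("r2", "XA", frozenset({"personal"}))
    for rec, action, loc, mech in [(mixed, "process", "XB", "scc"),
                                   (personal, "process", "XB", "scc"),
                                   (personal, "access", "XC", None)]:
        d = evaluate(rec, action, loc, mech)
        print(rec.record_id, action, loc, "->", "ALLOW" if d.allowed else "DENY", "|", d.reason)
    print("shards to avoid for r2:", offending_shards(personal, ["XA", "XB", "XC"]))
```

The design choice worth noting is that the policy never inspects the data itself; it works entirely from the tags applied at collection, which is what makes it cheap to re-run when a jurisdiction's rule changes or a new mechanism is accepted. Swapping the constructed rule table for one maintained by legal counsel is the only change needed to put the same check in front of a storage provisioning or access-control decision.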