The debate over international data transfers has become even more complex as jurisdictions around the world consider a variety of factors that complicate free flow. Breakout sessions at the IAPP Global Privacy Summit 2024 discussed in detail some of the hurdles facing data flows, including regulatory differences, pitfalls in adequacy decisions, and other legal considerations.
However, the most important potential transfer barrier to consider is data localization requirements. Regulations in different jurisdictions require varying degrees of personal and business data to be stored within a country, creating ambiguity and uncertainty about lawful transfers to and from specific countries.
The “widening gap” in localization requirements
Localization requirements are interspersed between horizontal and sectoral laws. Policy rationale influences how much and how broadly data is covered under specific requirements. Jurisdictions with the most unique restrictions include China, the European Union, South Africa, Thailand, and Vietnam.
In a breakout session focused on localization, Singapore's Deputy Commissioner for Personal Data Protection Dennis Wong said the current requirements seen around the world fall into three main categories: jurisdictions with specific local storage facilities and local storage requirements but no absolute restrictions on transfers; jurisdictions with local storage requirements and “different” transfer rules; and jurisdictions that have created a “double whammy” of strict local storage requirements and virtually complete prohibitions on the transfer of personal data.
“We see a fairly broad range of reasons why government regulators decide to impose this type of economic protectionism,” Wong said. “One of the reasons is clearly data protection in the personal information area, but there are also access to information regulatory requirements. Similar security, integrity, and critical system issues may continue.”
Gehen Gunasekara, an associate professor at the University of Auckland Business School, said there was a “widening gap” between jurisdictions' different localization requirements, and countries pursuing “data sovereignty” measures were threatening global economic disruption in all sectors. He added that there was a risk of creating a scenario that could lead to
“We don't want data to be 'kept in the dark', meaning law enforcement cannot access it and privacy regulators cannot have any control over how personal data is handled. It’s a growing gap problem,” Gunasekara said. “What helps is what kind of rules (transfers) are needed regardless of where it takes place. It doesn’t matter in which country the data is stored, it doesn’t matter who has access to it. The rules that govern (need to be) standardized.”
Real-time business impact
For multinational companies, differing transfer requirements create spiraling compliance costs to meet the spirit of each jurisdiction's laws, despite significant differences in storage and data transfer rules from country to country.
Caroline Louveaux, Mastercard's chief privacy and data officer, CIPP/E, CIPM, says stricter data localization requirements could prevent companies from detecting fraud in real time. It must be possible to “collect and share data from around the world” without friction.
As localization laws continue to diverge, governments are also classifying the same type of data into different categories. Louveaux used the classification of sensitive data as an example of how countries differ in terms of definitions and subsequent requirements. She also pointed out “shades of gray” around classification and called for caution on personal payments and sensitive data.
Jade Nester (CIPP/E, CIPP/G, CIPM, FIP), head of European data and public policy at TikTok, said multinational organizations that are having difficulty navigating various elements of localization laws are actively seeking He said that a similar approach could be taken.
Partnering with a domestic third-party company to monitor data flows is also an option. Nester cited TikTok's Project Clover and Project Texas as examples, where the platforms partnered with NCC Group and Oracle, respectively, to assess and review compliance with jurisdictions' localization requirements.
“Sometimes that's just a requirement to just store the data locally, alone,” Nester said. “To really go beyond that, you have to layer some kind of accountability on top of that. That's what we tried to do by partnering with NCC Group.”
Despite TikTok's Project Texas actions, the Wall Street Journal reported in January that TikTok employees were allegedly sharing U.S. user data with engineers working at parent company ByteDance, based in China. The documents were examined.
Rethinking data adequacy agreements
Another breakout session clarified the process behind adequacy determinations, which confirm that data protection regulations between jurisdictions are sufficient or equivalent to allow the free flow of data. Regulators from Israel, South Korea and the United Kingdom spoke about their adequacy experiences with the European Commission, which has agreed adequacy partnerships with their respective jurisdictions in recent years.
Commissioners noted that the longer countries take to standardize multilateral data sharing standards, the greater the risk of future economic disruption and misuse of personal data due to the differing nature of localization requirements across jurisdictions.
Ko Haksoo, chairman of the Korean Personal Information Protection Commission, called for the establishment of multilateral “interoperable” data transfer standards. He suggested that bridging the data protection legal gap between countries that have signed up to the Asia-Pacific Economic Cooperation Global Cross-Border Privacy Regulations, such as Canada, Japan, South Korea and the United States, and the European Commission's adequacy standards is a good start.
One example, according to Ko, is that the current data transfer environment makes joint national science and technology research efforts more difficult when they involve cooperation between the EU, South Korea, and the United States. Potential issues stem from perceived friction between the differing language of the EU-US data privacy frameworks and South Korea's adequacy decisions with the EU.
“(Achieving) EU adequacy is a unilateral evaluation system, and in some cases it has bilateral aspects, but in reality it is not a multilateral (system),” Ko said. “We really need multilateral dialogue at the national level and somehow… we need to devise better systems of cooperation.”
At the same time as the Global Privacy Summit, the UK Information Commissioner John Edwards announced that the UK would join the Global Cooperation Agreement for Privacy Enforcement, which was established to strengthen the APEC CBPR.
“We place great value on networks for this type of effort, and we believe that working with existing members will be a very useful mechanism to share information on that basis to assist with enforcement,” Edwards told IAPP exclusively following the announcement from the UK government. “Global CBPR has the potential to become an interoperable standard, and I think we have a better chance of getting there if we start a dialogue that involves Europe. It's not, but it could be. The next one.”
Mr Edwards told a data transfer session that it would be “hugely inefficient” for each country to undergo a lengthy assessment of EU adequacy individually.
Given the inherent free flow of data, Mr. Edwards questioned the ability of individual bilateral transfer agreements to introduce uncertainty into data flows in a global sense. He cited the example of the relationship between Australia and New Zealand, where he previously served as privacy commissioner.
Neighboring Oceania countries are each other's largest trading partners and have data adequacy agreements. However, although New Zealand has an adequacy agreement with the EU, the European Commission has not yet granted adequacy to Australia.
“Soon we'll start to see a proliferation of ratings and networks with no cross-references,” Edwards said. “This is a huge challenge: being able to establish trust in one jurisdiction that is already considered to have essentially equivalent data protection standards in order to make an assessment that is binding on all levels. We need a mechanism.”