Transborder Data Flows at Risk
Physical borders may be technically irrelevant in the age of online business, global corporate groups, and cloud computing, but they retain legal and cultural significance. Some recent developments in data privacy law around the world suggest that the “free flow of information” is becoming more conditional, and that enterprises will have to be nimble to meet the expectations of regulators, consumers, and employees when the organization wants to move personally identifiable data from one country to another.
The proliferation of comprehensive data privacy laws, more or less on the European model, increasingly requires US-based multinationals and online companies to adapt to strict requirements for dealing with individuals in other countries. While the rules may soon become more uniform in the EU, they are still new and uncertain in many other countries.
In January 2012, the European Commission published a proposed Regulation that would replace the 1995 EU Data Protection Directive. While national practices differ considerably under the 1995 framework directive, the Regulation would establish a much more consistent European approach to data protection rights and enforcement.
The Regulation would continue to authorize data transfers to “white-listed” jurisdictions with EU-style comprehensive data protection laws (such as Switzerland, Argentina, Israel, and, for most purposes, Canada). It would also continue to recognize data transfers to US “Safe Harbor” companies and transfers protected by EU-approved standard contract clauses (“model contracts”) or binding corporate rules (“BCRs”), as well as transfers relying on informed consent. These have been subject to divergent national interpretations and procedures, however, and the Regulation aims to eliminate these differences.
For example, a European subsidiary sending employee or customer data to a central corporate system in New York, or to an outsourcing vendor in Mumbai, may use EU model contracts. But in some countries, such as the Netherlands, the contracts must first be notified to the local data protection authority or await approval from the authority. The Regulation would eliminate notification and approval procedures for those transfers. It would simplify, as well, the procedures for obtaining approval for BCRs, and it would allow a “group” of processors – as in the cloud computing context – to implement the same approved BCRs. In addition, the Regulation would generally allow data transfers outside the EU without the formality of model contracts or BCRs in instances where the transfers were not “frequent or massive,” appropriate safeguards were in place, and the national data protection authority was notified. These changes would be welcome, as they would greatly simplify planning and compliance for enterprises with European operations.
Less welcome are the provisions on extra-territorial jurisdiction in the draft Regulation. A US company, for example, would be subject to the Regulation if it offered goods or services to European residents, online or otherwise, or if it monitored their behavior (for example, by tracking their visits to other websites). This assertion of extra-territorial jurisdiction could prove difficult to enforce, but it would require American companies to re-think their approach to e-commerce and online marketing. It may not suffice in future to say that European rules do not apply simply because the company’s servers are not located there.
Russia
Russia adopted legislation based on the EU Data Protection Directive and Council of Europe Convention 108, generally prohibiting data transfers to countries lacking similar legislation absent the individual’s informed consent. However, it has been slow to organize the regulatory authority and to clarify standards and procedures.
In July 2011, the Federal Law on Personal Data was amended to expressly allow data transfers to countries that have implemented the Council of Europe Convention, but this does not cover transfers to the United States or India, for example. There is no recognition of model contracts or Safe Harbor as there is in the EU and Switzerland, leaving documented consent as the safest approach to foreign data transfers.
China and Hong Kong
In 2011, the Ministry of Industry and Information Technology (MIIT) issued a proposed national standard, “Information Security Technology – Guidelines for Personal Information Protection.” The draft standard would require security provisions in outsourcing agreements. More problematically, it would prohibit the transfer of personal data abroad without explicit legal authorization or regulatory approval. It is not clear whether the standard would be mandatory for at least some industries, and whether any regulatory authority would issue guidelines or establish an approval procedure.
Meanwhile, Jiangsu Province (where many foreign manufacturing joint ventures operate) has gone ahead on its own with a “Regulation of Information Technology” that came into force in January 2012. This ordinance generally requires consent or official approval for data transfers outside the province. The municipal government of Shenzhen, near Hong Kong, has announced that it is preparing a similar ordinance.
Hong Kong has long had a Personal Data (Privacy) Ordinance, but its restrictions on transborder data transfers have never come into force. The Legislative Council is currently considering substantial amendments to the Ordinance, including provisions for white-listing and safeguards reminiscent of the EU approach to regulating data transfers abroad.
Mexico
The 2010 Law on the Protection of Personal Data Held by Private Parties and the implementing Data Privacy Regulations (some provisions of which have not yet entered into force) address cross-border transfers of personal data. These require informed consent unless certain other conditions apply, one of which is a data transfer to a parent or affiliate abroad operating under the same “internal processes and policies” as the compliant Mexican subsidiary (Law, Art. 37(III)). Effectively, this means that data could be transferred across borders within a corporate group, so long as the affected Mexican residents are given the required rights of access, rectification, cancellation, and objection (“ARCO” rights), as mandated in the Mexican law, and the company meets the security and other requirements for safeguarding the data. Transfers to a processor outside Mexico also would not require consent if they are subject to appropriate contractual and technical safeguards.
Republic of Korea
South Korea’s new Personal Information Protection Act, which came into effect in September 2011, generally requires consent to disclose personal data to a third party (Art. 17(1)). Transfers of data outside the country require notice and consent from the individual unless the transfers are legally required or made in connection with a criminal investigation (Art. 17(3)).
This strict consent requirement can be made to work in the consumer context, but it may be more difficult to implement in the employment context. Can a multinational group make it a condition of employment that recruits and current employees allow their data to be stored and used at a regional or international headquarters? As with other new national data privacy laws, global companies may have to await regulations or interpretive guidance from the authorities, in this case the Korean Ministry of Public Administration and Security.
Malaysia
The Personal Data Protection Act adopted in 2010 is expected to come into force this year. Similar to the EU Data Protection Directive, the Act generally forbids the transfer of personal data outside the country, with some exceptions, unless the Ministry of Information, Communication, and Culture has approved the destination country on the basis of an “adequate level of protection.” The Ministry may eventually issue regulations clarifying alternatives for transfers to countries with dissimilar legal regimes, such as the United States. Otherwise, once the law is in effect, a global enterprise would need to rely on one of the EU-style exceptions, principally consent or the performance of a contract with the individual.
Data users should review the geography of their customers and employees and determine if their privacy policies and practices need to be updated to comply with new or anticipated requirements in many countries, in Asia and Latin America as well as in Europe. These typically mandate notice and safeguards for transborder data transfers, as documented in contracts, internal policies, and in some cases regulatory approvals.
In some countries, the only reliable legal basis for foreign data transfers in the near future is informed consent, which should be documented in a manner susceptible to proof. This will pose challenges for multinationals and for online retailers and service providers, and it would be prudent to watch for developing best practices among peer companies as well as further guidance from the (often new) regulatory authorities.