Discussions on international data transfers are becoming more complex as global jurisdictions consider various factors complicating free flows. Breakout sessions at the IAPP Global Privacy Summit 2024 took a dive into some of the hurdles facing data flows, including diverging regulations, perceived adequacy decision pitfalls and other legal considerations.
However, top of mind among potential transfer barriers are data localization requirements. Jurisdictions are stipulating, to widely differing degrees, what personal and business data must be stored domestically, leaving much ambiguity and uncertainty around legal transfers to and from certain countries.
A 'growing gap' in localization requirements
Localization requirements are scattered between horizontal and sectoral law. Policy rationales impact to what degree and how broadly data is covered under a given requirement. Among the jurisdictions posing some of the most unique restrictions are China, the EU, South Africa, Thailand and Vietnam.
In a breakout session focused on localization, Singapore Personal Data Protection Deputy Commissioner Denise Wong said current requirements seen around the world fall into three main categories: jurisdictions with specific local storage facility and local storage requirements but without full restrictions on transfers; jurisdictions with local storage requirements and "disparate" transfer rules; and jurisdictions creating a "double-whammy" with strict local storage requirements and virtually total prohibitions on transferring personal data.
"We do see a fairly wide variety of reasons that government regulators will make that decision to impose this type of economic protectionism," Wong said. "One reason is obviously data protection in the personal information space, but there's also access to information regulatory requirements. There could also be equal security, integrity and continuation of critical systems issues."
University of Auckland Business School Associate Professor Gehan Gunasekara added there is a "growing gap" between jurisdictions' varying localization requirements, which risks creating a scenario where countries pursuing "data sovereignty" measures could cause global economic disruption across any number of sectors.
"We don't want the data 'going dark,' in other words, law enforcement not having access to data and privacy regulators not being able to have any kind of control over what is done with personal data, so that's the growing gap problem," Gunasekara said. "What is helpful is to say, what kind of rules should be around (transfers), no matter where they happen. It shouldn't matter which country the data is stored in, the rules governing who has access to it (need to be standardized)."
Real-time business consequences
For multinational companies, varying transfer requirements result in upward spiraling compliance costs to meet the spirit of the law in each jurisdiction despite major differences in storage and data transfer rules from country to country.
Mastercard Chief Privacy and Data Responsibility Officer Caroline Louveaux, CIPP/E, CIPM, said stricter data localization requirements can hinder a company performing fraud detection in real time, since such a company needs to be able to "collect and share data from across the globe" without friction.
As localization laws continue to diverge, governments are also classifying the same types of data into different categories. Louveaux used sensitive data classifications as an example of how countries differ on definitions and subsequent requirements. She also called attention to personal payment and critical data, noting the "shades of gray" around categorization.
TikTok Director, Data Public Policy, Europe, Jade Nester, CIPP/E, CIPP/G, CIPM, FIP, said multinational organizations experiencing difficulty in meeting varying components of localization laws can take a proactive approach.
Partnering with a domestic third-party firm to monitor data flows is one option. Nester cited TikTok's Project Clover and Project Texas in which the platform partnered with NCC Group and Oracle, respectively, to assess and review compliance with jurisdictional localization requirements.
"Just storing data locally by itself, sometimes that's a requirement," Nester said. "To really go above and beyond, you have to layer some sort of accountability over that, which is what we tried to do by partnering with the NCC Group."
Despite TikTok's Project Texas measures, The Wall Street Journal reported in January, based on its review of internal company documents, that TikTok employees occasionally share U.S. user data with engineers working at the China-based parent company ByteDance.
Rethinking data adequacy agreements
Another breakout session unpacked the process behind adequacy decisions, which confirm that data protection regulations between jurisdictions are adequate or equivalent enough to allow data to flow freely. Regulators from Israel, South Korea and the U.K. spoke on their adequacy experiences with the European Commission, which agreed to adequacy partnerships with each jurisdiction in recent years.
Each commissioner said the longer it takes for countries to agree on multilateral data sharing standards, the greater the risk of future economic disruption and misuse of personal data due to the differing nature of jurisdictional localization requirements.
South Korea Personal Information Protection Commission Chairperson Haksoo Ko called for the establishment of multilateral "interoperable" data transfer standards. He proposed a good starting place would be bridging the data protection legal divide between countries that have signed onto the Asia Pacific Economic Cooperation Global Cross-Border Privacy Rules, such as Canada, Japan, South Korea and the U.S., and the standards the European Commission mandates to grant adequacy.
One example, according to Ko, is how the current data transfer landscape would make joint national scientific and technological research endeavors more difficult if there were to be cooperation between the EU, South Korea and the U.S. The potential issue stems from perceived friction between differing language in the EU-U.S. Data Privacy Framework versus South Korea's adequacy decision with the EU.
"(Obtaining) EU adequacy is a unilateral assessment system, or sometimes there's a bilateral aspect, but it's not really a multilateral (system)," Ko said. "We really need to have a national-level multilateral dialogue and somehow come up with … a better system of cooperation."
To coincide with GPS, U.K. Information Commissioner John Edwards announced the U.K. is joining the Global Cooperation Arrangement for Privacy Enforcement, which was established to augment the APEC CBPR.
"We really value the network for these kinds of engagements, and think working with the existing members is going to be a really useful mechanism for us to share information on that basis for us to cooperate on enforcement," Edwards said, speaking exclusively to the IAPP in the wake of the U.K. government's announcement. "The Global CBPR has the potential to become an interoperable standard, and if we start having a dialogue that involves Europe, then I think we have a greater chance of getting there. It's not going to be this version of the CBPR, but it might be the next one."
Edwards said in the data transfer session that "it's very inefficient" for countries to be subject to lengthy evaluations for EU adequacy on an individual basis.
Given data's inherent free-flowing nature, Edwards questioned the uncertainty separate bilateral transfer agreements raise for data flows in a global sense. He used the relationship between Australia and New Zealand, where he formerly served as privacy commissioner, as an example.
The neighboring Oceania nations are each other's largest trading partners and they have a data adequacy agreement in place. However, while New Zealand has an adequacy agreement with the EU, the European Commission has not yet granted Australia adequacy.
"We are soon going to start to see a proliferation of assessments and a network that doesn't cross-reference each other," Edwards said. "That's an enormous challenge. We need to have a mechanism by which we can establish trust in one jurisdiction, which has already been deemed to have essentially equivalent data protection standards to make an assessment that binds all levels."