In one of the more animated discussions here at the International Conference of Data Protection and Privacy Commissioners in Hong Kong, a diverse panel of privacy professionals, policymakers and former regulators debated the future of global data localization law.
Apple Senior Director, Global Privacy Law and Policy Jane Horvath, CIPP/G, set the stage pointedly: “Data localization laws have become disjointed from their original aim,” she said. “A key question before us is whether the laws should determine where data is stored, or should engineers make that decision to make sure you get the fastest and most secure experience?”
As it is now, she argued, “In a primary school in Europe … a data-localization requirement results in student data being hosted in an unsecured server under a school administrator’s desk is more compliant than in a secure data center outside of Europe, even when that data has been transferred securely.
“That cannot be right.”
Nigel Cory, a trade policy analyst at the Information Technology and Innovation Foundation, said, “We’re seeing a growing trend, as dozens of countries are enacting these kinds of barriers to data flows, targeting a growing range of data types, including personal data, but beyond that.”
Currently, at least 34 different countries have data localization policies, he said, with China accounting for a dozen of them, alongside major countries such as Russia, Indonesia and Vietnam. Further, Brazil and Colombia are considering implementation. “What we’ve seen is that many policymakers are mistakenly believing that data is more secure if kept within a country’s borders,” he said. “But in most instances, they do not increase security or privacy.” Rather, he said, it’s mostly about law enforcement retaining easy access to the data.
“Whether it’s a splintering or Balkanization or whatever you call it,” Cory said, “this presents a real risk to the global economy and innovation.”
Which brought the conversation to Europe’s “adequacy” decisions for data transfer and the looming General Data Protection Regulation, which introduces new frameworks for transferring data outside of the EU.
“Adequacy is often seen only as a European system,” said the European Commission’s Bruno Gencarelli, who heads up data protection at DG Justice, “but this is less and less the case. Around 120 countries now have data privacy law, and many more are considering legislation in this field.” Nor is Europe alone in seeing privacy as a fundamental human right, he noted. The expansion of countries signing on to the Council of Europe’s Convention 108, which is a “binding international instrument which protects the individual against abuses which may accompany the collection and processing of personal data and which seeks to regulate at the same time the transfrontier flow of personal data,” is a sign of international convergence on data privacy standards, he said.
Further, Indian courts have recently recognized privacy as a fundamental human right. “This is not a European obsession,” Gencarelli said.
He also emphasized that the EU is working with stakeholders on expanding methods of data transfer, including new certification instruments introduced by the GDPR, where there may be room for APEC’s Cross Border Privacy Rules to play a role, and partial adequacy agreements like Privacy Shield or the EU-U.S. Umbrella agreement.
“Would that we all were adequate,” former Privacy Commissioner of Canada Jennifer Stoddart joked. “That’s a data protection commissioner’s dream. But I’m very impressed by the effort being put into adequacy by the EU. This is a recent development, and we should take notice of this.”
What’s been done with adequacy thus far, Stoddart said, could certainly use improvement. “I’ve read all the adequacy decisions,” she said, “but it was a very depressing exercise. I’m highly encouraged that this is being totally revamped and the EU unit which administers this, under Bruno’s leadership, is taking on the challenges in terms of differing national cultures and legal systems that don’t resemble Europe’s civil law approach. What is taboo in Europe is not what is taboo in other parts of the world, and vice versa.”
Stoddart especially mentioned work that needs to be done in the law enforcement arena. “If we think back to the revelations of Mr. Snowden,” she said, “it was as if this was unique, something that no one had ever done or was doing elsewhere. I know nothing about national security, but I think most countries have very robust national security systems that eat up a lot of data, and that may include, may I say, the European Union. In the same way that we’ve made progress on adequacy, we have to recognize that we do have different national security systems.”
Monika Tomczak-Górlikowska, data privacy legal counsel at Shell International, was more pointed. “For me, the adequacy mechanisms from Europe are a 19th-century way of doing data privacy,” she said. “Here’s Europe telling other parts of the world whether they’re good enough. It’s always awkward in the real world that you’re either good enough or not good enough, and that’s how they perceive adequate or not adequate. Telling a counterpart in a country that is not adequate that they are not adequate is always a little awkward.”
Tomczak-Górlikowska was encouraged by talk of certification and CBPRs, which may provide some flexibility for challenged companies. “That’s much more optimistic than other parts of this panel,” she said. “I think that mechanisms for adequacy until now have not been giving data privacy a good name.”
Indeed, Stoddart said, the negotiations around Privacy Shield seem to offer a way forward and a model. “There was a broad consultation with all stakeholders … and even now,” she said, “the White House statement has stressed the importance of cooperation.”
“But in the real world,” Tomczak-Górlikowska noted, “the Safe Harbor decision was a data localization decision. The model clauses case before the Irish Court is a data localization decision, if you’re removing mechanisms that lead to limited opportunities to transfer data. We need more mechanisms for accountable transfers, and to allow companies who have no influence over how national security is driven to be able to progress and thrive in the globally connected world.”
Gencarelli stressed that the EU is not using privacy as some kind of pretext for holding onto data for law enforcement access or any other nefarious motive. “It’s only by working on convergence and common standards and trying to influence the common standard and the demand for standards that we can move forward,” he said. “That’s the best response to protectionist tendencies that use privacy as a pretext. I think this is part of our discussion with the U.S. and Japan. We work on these forms of convergence and setting those standards.
“If you say Privacy Shield is about data localization, I firmly disagree.”