Editor's note: The IAPP is policy neutral. We publish contributed opinion and analysis pieces to enable our members to hear a broad spectrum of views in our domains.
The harmonization of privacy laws is becoming increasingly necessary in the global economy. It will benefit organizations by simplifying and standardizing complex legal obligations across global operations. It will benefit individuals by better guaranteeing consistent basic privacy rights across jurisdictions.
Importantly for this audience, it will make the work of the privacy professional, and the task of assisting clients or employers in navigating global obligations and developing global privacy programs, much easier.
No area exemplifies the complexity of global privacy regulation better than the rules on cross-border data transfers. Some jurisdictions do not regulate this at all. Others entirely prohibit the offshore transfer of personal information. Most, however, establish rules for managing cross-border data transfers, designed to ensure that accountability follows the data wherever it goes, and that basic protections remain in place.
Often, legislative restrictions on cross-border data flows are viewed — and sometimes used — as trade barriers. As the IAPP's Director of Research and Insights Joe Jones recently noted on LinkedIn, data protection authorities "continue to shine a light on data transfers with increasing scrutiny being directed beyond the transatlantic context," reigniting the need for an organizational focus on this compliance issue.
The difficulty for privacy professionals is that privacy laws approach cross-border data transfers in a variety of ways. The New Zealand Privacy Act, for example, regulates only controller-controller transfers, on the basis that the controller remains fully liable under the act for controller-processor transfers. By contrast, the EU General Data Protection Regulation regulates both controller-controller and controller-processor transfers.
While many jurisdictions, including New Zealand and soon Australia, provide for the transfer of data to "safe countries," very few — such as the European Commission — have actually created whitelists. Such lists are, of course, fraught with political issues and sensitivities, more so now than ever.
This means contractual protections remain the most common mechanism by which to transfer data across borders. However, unsurprisingly, the requirements for such contractual protections differ across jurisdictions. Enter the Global Privacy Assembly, which has created three comparison tables that set out in detail the standard and model contractual clauses in different data protection frameworks — in the U.K., the EU, the Association of Southeast Asian Nations network, the Council of Europe, the Ibero-American network, Argentina and New Zealand.
Organizations can use the tables as a reference to see how the clauses compare in different countries, and the GPA's aim is to facilitate the design and use of contractual clauses compliant with each of the frameworks.
There must be a better way to enable the safe transfer of personal information across borders. There are international efforts afoot to create more pragmatic and sensible options, such as the Organisation for Economic Co-operation and Development's data free flow with trust concept, which aims to promote the free flow of data while ensuring trust in privacy, security and intellectual property rights.
I urge privacy professionals to support these efforts. However, in the meantime, it seems we will need to tread water in a sea of slightly different contractual clauses. The GPA's comparison tables will help.
Daimhin Warner, CIPP/E, is the country leader, New Zealand, for the IAPP.
This article originally appeared in the Asia-Pacific Dashboard Digest, a free weekly IAPP newsletter.