By Mehmet Munur, CIPP/US

Recent revelations relating to PRISM and the Verizon FISA Order should not—but likely will—affect the current talks to enact the General Data Protection Regulation. These disclosures may make international data transfers to third countries more prescriptive, affect current and future adequacy decisions and frustrate businesses engaging in international data transfers. Considering that government surveillance is a global reality, erecting barriers to transfers of personal data for businesses is unlikely to make good sense.

One of the greatest challenges affecting businesses transferring personal information is the regulation of transfers of personal data to other countries. This trend appears to be on the rise independent of revelations relating to PRISM. Articles 25 and 26 of the EU Data Protection Directive regulate the transfers of personal data to third countries. The proposed General Data Protection Regulation will continue this adequacy mechanism. The OECD Privacy Principles, Convention 108 of the Council of Europe and APEC Privacy Framework have also affected this trend. As a result, a recent survey has found that more than 60 countries have adopted data protection and privacy laws that regulate transborder data flows. Many countries aspiring to achieve the coveted EU adequacy standard have adopted similar laws, hoping to bolster their outsourcing sectors. Therefore, regulation of transborder data transfers is currently, and will likely continue to be, one of the biggest challenges to businesses.

This challenge is exacerbated by the expanding speed and scope of communications on the Internet, cloud computing, smartphones and the modern multinational corporations with personnel and data scattered around the world. Despite these growing global challenges for businesses, some lawmakers and privacy regulators insist on a territorial and local approach to the regulation of data. Other regulators insist on authorizing each and every international transfer of personal data. These and other inconsistent obligations could be removed with the introduction of the proposed General Data Protection Regulation. However, the revelations relating to NSA’s PRISM program may bolster arguments for greater restrictions on transborder data flows.

If successful, these restrictions on the U.S. Department of Commerce EU Safe Harbor, Standard Contractual Clauses and even future authorizations for Binding Corporate Rules may increase. Currently, adherence to the Safe Harbor may be limited to the extent necessary to meet national security, public interest or law enforcement requirements. Standard Contractual Clauses also allow the processor to promptly notify the controller about any legally binding request for disclosure of personal data by a law enforcement authority unless otherwise prohibited. Sharing with law enforcement agencies and exceptions for informing other parties exist in some Binding Corporate Rules—if the Article 29 Working Party has shown its discomfort with this issue in its Processor BCR guidance. Considering that there are severe monetary and criminal penalties for violating the secrecy requirements relating to National Security Letters and Foreign Intelligence Surveillance Court orders, such exemptions to inform others of disclosures to government agencies clearly fit under these requirements outlined above. However, revising these instruments to restrict disclosures to law enforcement agencies will only frustrate businesses and place them between a rock and a hard place—as is still done with respect to EU data protection compliance, e-discovery and SOX whistleblower hotline issues. Therefore, arguments for further restrictions on international data transfers as a result of these recent revelations should not carry the day.

Just as transborder data flows and their regulation are a reality, so is government surveillance. All governments access data about persons within and without their borders. The manner, scope, transparency and checks-and-balances of these programs may vary, but their existence does not. Unless all governments come clean on their surveillance programs, government surveillance will continue to be a muddy, but level, playing field. Law firms and think tanks have issued whitepapers arguing that governments all over the world have access to personal information held in the cloud. One whitepaper argues that the right of the government to access data stored in the cloud exists in every jurisdiction. Another attempts to dispel misconceptions related to the Foreign Intelligence Surveillance Act. Furthermore, as the capabilities of government surveillance programs increase, due to the interconnected nature of the Internet, they will be able to reach data stored in other countries—if they have not already. Therefore, erecting walls against transborder data flows due to surveillance concerns when there is a city of tunnels under the walls for surveillance only serves to frustrate those attempting to walk on the ground.

Furthermore, even without unilateral government surveillance, many countries have agreed to cooperate on criminal and national security issues. This cooperation is likely to provide governments with access to personal data that is not stored by an entity subject to their jurisdiction. For example, the United States has Mutual Legal Assistance Treaties with more than 60 countries, including all members of the EU. The U.S. and EU regularly cooperate against terrorism. Therefore, some of the international privacy and data protection issues that have been raised by the unilateral collection of information by the PRISM program may have already been resolved at the member state and EU level.

Nevertheless, the French Data Protection Authority, CNIL, has already announced that it started an internal working group to study privacy and data protection issues arising from the access to French citizens’ personal data by foreign governments. The Article 29 Working Party is also likely to continue to investigate this issue. Therefore, the PRISM program and related disclosures are likely to affect the regulation process. Instead, efforts should be made to streamline the upcoming laws and compliance obligations for businesses and make current laws uniform in application.

If the regulation of transborder transfers of personal data increases, businesses on both sides of the Atlantic will likely be affected. These changes will not only adversely impact the cloud service providers, who depend on the EU Safe Harbor or Standard Contractual Clauses, but also other multinationals who transfer personal information—due to their internal HR data transfers or otherwise. The added cost and complexity of abiding by these obligations may adversely affect the bottom line of small- and medium-size enterprises. However, it is unlikely to change surveillance programs of any particular government.

Mehmet Munur, CIPP/US, is an attorney at Tsibouris & Associates, LLC. He concentrates his practice in the areas of technology, financial services and information privacy and security. He advises clients on a wide variety of international, federal and state privacy and security laws and compliance issues.
