Cross-Border Data: Should Data be Barricaded?
Data has become a ubiquitous commodity in today's world, the importance of which is felt by companies, consumers, and countries alike. In the last two decades, the global technological race has pushed businesses to go international, propelling the movement of data between servers across national borders.
The expanding customer base and widening supply chain also require a global workforce and infrastructure for international operations. Moreover, technologies like cloud computing, IoT, and data analytics have also brought in an upsurge in the collection and transfer of data.
With globalization becoming a necessity in the information industry, cross-border data flow is essential and unavoidable in today's technological landscape. Though this movement of data across borders is essential for businesses and consumers, it has also raised concerns around data privacy and security.
This was highlighted in the July 2020 Schrems II judgment by the CJEU, which deemed the transfer of personal data by EU companies to the US based on the EU-US Privacy Shield framework illegal. The ruling invalidated the Privacy Shield, citing potential interference from US surveillance agencies. As a result, companies performing cross-border data transfers based on standard contract clauses (SCCs) will be subject to stricter requirements around data protection.
In such a regulatory environment, companies need to be extremely vigilant about the laws and stipulations related to data in all the countries where they operate. Regulations like the EU's General Data Protection Regulation (GDPR), the Personal Information Protection and Electronic Documents Act (PIPEDA), and the California Data Privacy Act (CCPA), among others, have made companies refine their strategy around cross-border data.
To restrict the growing volume of cross-border data flows, governments are introducing laws and regulations that direct companies to follow a data localization approach.
What is Data Localization?
Data localization limits the flow of data to within the geographic borders of the country where the data was created. It can include restricting, controlling, or banning the international transfer of data with the objective of safeguarding citizen information.
Seamless transfer of data provides uninterrupted access to information and services irrespective of the user's location. Restricting the movement of data introduces major challenges for businesses across segments, including international commerce, technology, health and safety, and organizations (typically non-profits) focused on social welfare, etc.
Several countries have implemented data localization laws in the past couple of years, and many are likely to follow suit. In 2016, China enacted its Cybersecurity Law that mandates operators and businesses dealing with critical information infrastructure to store personal information and important data in China. Similarly, Russia's Federal Law No. 242-FZ, which came into effect in 2015, requires entities with Russian customers to physically store their data within Russia.
Data localization laws can compel businesses to process the data locally, store a copy of the data locally, or seek additional consent for data transfer requests. These stipulations can put foreign companies at a disadvantage, as they make data transfer harder and add to the overall capital outlay. Even a small, solely internet-based company will have to develop the necessary infrastructure to meet a region's data regulations, which is especially challenging for a business of that size.
The EU regulations have galvanized several countries into enforcing similar laws, the violation of which can negatively impact one's business. This is reflected in India's decision to bar American Express and Diners Club International from adding new domestic customers from May 1. India's 'Storage of Payment System Data' directive requires payment system providers to store data related to transactions, payments, instructions, and customer information in systems within India.
Similar lapses can hamper a company's operations, resulting in significant loss of time and money. Having an effective governance program can help you understand and comply with regional laws and regulations.