Data has become a ubiquitous commodity in today's world, the importance of which is felt by companies, consumers, and countries alike. In the last two decades, the global technological race has pushed businesses to go international, propelling the movement of data between servers across national borders.

The expanding customer base and widening supply chain also require a global workforce and infrastructure for international operations. Moreover, technologies like cloud computing, IoT, and data analytics have also brought in an upsurge in the collection and transfer of data.

With globalization becoming a necessity in the information industry, cross-border data flow is essential and unavoidable in today's technological landscape. Though this movement of data across borders is essential for businesses and consumers, it has also raised concerns around data privacy and security.

This was highlighted in the July 2020 Schrems II judgment by the CJEU that deemed the transfer of personal data by EU companies to the US-based on the EU-US Privacy Shield framework as illegal. The ruling invalidated the Privacy Shield, citing potential interference from US surveillance agencies. As a result, companies performing cross-border data transfers based on standard contract clauses (SCCs) will be subject to stricter requirements around data protection.

In such a regulatory environment, companies need to be extremely vigilant around the laws and stipulations related to data in all the countries they operate. Regulations like the EU's General Data Protection Regulation (GDPR), Personal Information Protection and Electronic Documents Act (PIPEDA), and the California Data Privacy Act (CCPA), among others, have made companies refine their strategy around cross-border data.

To restrict the increasing amount of cross-border data flows, governments are introducing laws and regulations for companies to follow the approach of data localization.

What is Data Localization?

Data localization limits the flow of data within the geographic borders of the country where the data was created. It can include restricting, controlling, or banning the international transfer of data with the objective to safeguard citizen information.

Seamless transfer of data provides uninterrupted access to information and services irrespective of the user's location. Restricting the movement of data introduces major challenges for businesses across segments, including international commerce, technology, health and safety, and organizations (typically non-profits) focused on social welfare, etc.

Several countries have implemented data localization laws in the past couple of years, and many are likely to follow suit. In 2016, China enacted its Cybersecurity Law that mandates operators and businesses dealing with critical information infrastructure to store personal information and important data in China. Similarly, Russia's Federal Law No. 242-FZ, which came into effect in 2015, requires entities with Russian customers to physically store their data within Russia.

Data localization laws can compel businesses to process the data locally, store a copy of the data locally, or seek additional consent for data transfer requests. These stipulations can put foreign companies at a disadvantage as they make the data transfer harder and add to the overall capital. Even a small and solely internet-based company will have to develop the necessary infrastructure to meet that region's data regulations, which is especially challenging.

The EU regulations have galvanized several countries into enforcing similar laws, the violation of which can negatively impact one's business. This is reflected in the case of India's decision to bar American Express and Diners Club International from adding new domestic customers from May 1. India's 'Storage of Payment System Data' directive mandates payment system providers to store data related to transactions, payments, instructions, and customer information in systems within India.

Similar lapses can hamper the company's operations, resulting in significant loss of time and money. Having an effective governance program can help you understand and be compliant with the regional laws and regulations.

Mitigations

In light of the EU regulations, organizations are expected to adopt the latest and more robust techniques to meet the existing and upcoming guidelines around data localization.

Several tech giants are embracing an encrypt-everything strategy. Employing a crypto-agile network will provide protection and security for all the data being transmitted across the internet while also being compliant with regional laws and statutes.

Data encryption is more than essential right now, considering the hybrid workplace and remote working models, which make it difficult to keep sensitive data under the company's control and within regional borders. Moreover, employees using external devices and third-party web applications bring new challenges in protecting data and preventing data loss.

Data encryption protects our passwords, credit card details, technological inventions, and all types of confidential information. Without encryption, data is vulnerable to exploitation and illegal use.

Encryption involves translating readable data into non-readable data (ciphertext) so that it can be decoded only using the decryption key. It is performed to prevent unauthorized access of data when it is being transmitted and while it is at rest.

Data protection solutions can encrypt employee emails, devices, and data. The modern encryption algorithms devised for data protection provide confidentiality, authentication, integrity, and non-repudiation to promote key security initiatives.

Encryption can be considered a temporary and suitable solution for now. In September 2020, the Data Protection Authority of Germany's Baden-Württemberg recognized end-to-end encryption as an acceptable measure for providing additional protection to data. The authority observed that encryption can provide an adequate level of safety if the encryption keys are accessible only to the data exporter, and the data cannot be decrypted even by intelligence services.

However, encryption may not be an effective solution for every scenario. For instance, end-to-end encryption will not ensure privacy if data is outsourced to an entity (outside of the EEA) that is contracted to process the personal data in an intelligible manner.

Are Organizations Prepared Enough?

The CJEU's Schrems II decision given in mid-2020 has brought about a dramatic shift in the way data is transferred outside of the EU. The IAPP-FTI Consulting Privacy Governance Report 2020 found that of the 65% of respondents who transfer data outside of the EU, 55% use the now invalid EU-US Privacy Shield as the transfer mechanism.

However, 88% of the respondents rely on SCCs, and this number is expected to grow as companies using the EU-US Privacy Shield will have to shift towards other mechanisms to enable data transfers. About 75% of the firms implied that they plan to switch to SCCs, while 45% to 53% would add additional contract-based, technical-based, or policy-based safeguards.

Most companies find it challenging to comply with data and privacy regulations due to the difficulty in identifying cross-border data flows. This has been highlighted by one such instance where the company was ineffective in recognizing the movement of data outside of the EU.

In March 2021, the Bavarian DPA issued a notice to a company that used Mailchimp to send newsletters to its German customers. It concluded that as Mailchimp is based in the US, the transfer of email addresses from Germany to the US was unlawful based on the Schrems II ruling.

Such cases are a reminder that both, big corporations with the requisite tools and infrastructure as well as small companies, can lack in their oversight procedure due to inaccurate knowledge regarding the flow of data. Companies need to be aware of the existing and upcoming regulations and fully understand their impact on the business in order to develop appropriate remedies. It is crucial to prepare an inventory tracking the transfer of data across various servers and third-party vendors. By identifying and mapping all their data flows, companies can get a clear picture of all their cross-border activities.

To begin with, organizations having the latest and comprehensive record of processing activities (RoPAs) can perform a detailed analysis of cross-border exposure and remediation. Reassessing the accuracy of their RoPAs in accordance with the new requirements and managing the current RoPAs for the long term will enhance privacy management and help develop relevant remediation strategies.

Organizations should conduct regular transfer impact assessments (TIAs) to monitor the movement of data. Any actions performed during this stage should be documented to identify key risk areas and map out suitable steps for remediation.

Mapping these flows in the Data Map as you conduct the RoPAs or TIAs can help understand the flow of data. By recording and identifying all the transactions, companies can determine which actions are prohibited as per that country's regulations. Necessary policies can be formulated based on these findings to allow cross-border data flow without any legal hurdles.

Meru Data offers a wide range of applications and services to automate, streamline and secure your information governance (IG) processes. We offer simplified solutions for data mapping, retention, disposition, and compliance with regulations like GDPR and CCPA.

Our flexible and business-centric information governance IG programs provide visibility to information flows within and outside the organization, making it easier to track and monitor the movement of data. By enabling collaboration between the legal, privacy, IT, and business users, our systems allow the successful implementation of governance programs.