Managing risk in international data transfers
June 2022 | TALKINGPOINT | RISK MANAGEMENT
Financier Worldwide Magazine
June 2022 Issue
FW discusses how to manage risks in international data transfers with Nina Bryant, Ben Crew and Wajdi Kharrat at FTI Technology and Claude-Etienne Armingaud at K&L Gates LLP.
FW: Could you provide an overview of trends in global data flows? To what extent is the business world now unavoidably reliant on the ability to share information instantly over vast distances?
Bryant: Almost all businesses must operate across multiple borders and jurisdictions in today’s global world. To do this effectively, companies need the ability to share relevant data with parties who need it. Hence the primary challenge is how to share data effectively while maintaining compliance with the increasingly complex network of global data privacy laws, particularly concerning increasing data localisation requirements across many jurisdictions, including China and the Middle East. To address this, organisations must first determine what data needs to be shared with whom and whether there is a requirement to include personal data in datasets that flow between jurisdictions. For some organisations – such as global online retailers – it may be essential to transfer customer personal data between countries in order for the business to operate. However, others may be able to reduce risk by aggregating or anonymising their data before it is transferred. Additionally, organisations can take steps to minimise and put security and access boundaries around personal data that is transferred across borders, for example by assigning data administrators for a global application within the relevant countries of origin. While the data may be transferred to a central storage location, the risks are reduced by limiting access to that data only in country.
Kharrat: Since the European Court of Justice (CJEU) invalidated the European Union (EU)-US Privacy Shield in July 2020, organisations have spent nearly two years conducting global business and global data transfers amid an uncertain regulatory backdrop. Without clear guidance, organisations have often been required to make difficult trade-offs between risky transfers of sensitive data and pursuing global business interests. Fortunately, in March 2022, President Biden and Ursula von der Leyen, president of the European Commission (EC), announced that they had signed a preliminary agreement for a new Privacy Shield framework. This is a reassuring sign that authorities are taking steps to ease some of the legal and compliance burdens falling on global businesses. However, it remains unclear as to what the new framework will entail and when or if it will be officially implemented.
Armingaud: A global economy, with data being the fuel for that economy, means that globalised data is unavoidable. This tendency is in particular driven by more and more jurisdictions adopting rules on data transfers of personal data. Cross-border data transfer trends could be roughly described as, on the one hand, a Western trend, for example the EU’s General Data Protection Regulation (GDPR) aimed at data protection and restriction of transfers, in particular contractually framing personal data transfers, and, on the other hand, an Eastern data protectionism trend, such as China’s Personal Information Protection Law (PIPL) and Indonesia’s data protection laws and regulations, aimed at a general restrictive data localisation requirement, which may be linked to a broader concept of data sovereignty.
Crew: Businesses today are reliant on instant decisions, which often require free and efficient movement of data between countries. With the increasing prevalence of artificial intelligence and machine learning implementations within large corporations, there is no longer a question of whether or not data will be shared across borders. Rather, the question now is how to do so in a manner that is compliant and transparent without hindering business processes and timely execution. Maintaining compliance with the labyrinth of laws in place, not just in the Gulf Cooperation Council (GCC) but across the world, is no small undertaking.
FW: How would you characterise the risks and complexities involved in cross-border data transfers? Drilling down, what particular factors do organisations need to consider?
Kharrat: In France, and the EU broadly, the primary risk of transferring data across borders is running afoul of the GDPR. Also in France, we have the Blocking Statute, which prohibits the request or disclosure of certain information and could bar French companies from transferring data out of France for business or regulatory purposes. Generally speaking, and this was the basis for the Schrems II ruling that invalidated Privacy Shield, many European citizens are concerned that their personal information will end up in the hands of the US government. At the same time, multinational organisations are often required to send data to authorities in the US as part of investigations or legal matters. These two issues are at odds: comply with either the GDPR or with US laws. Organisations are left to work out complex processes and legal bases for meeting requirements across all jurisdictions.
Armingaud: Risks pertaining to cross-border data transfers relate to regulatory compliance to ensure that such transfers are valid in light of a lack of foreseeability since the Schrems II decision. Less obvious, but not negligible, is whether proper information is being given to data subjects regarding data transfers. The French Data Protection Authority (CNIL) recently suspended the use of cookies on such grounds. Organisations also need to consider onward transfers that require end-to-end visibility by data exporters and the risks of a shared or joint and several liability qualification as per the joint controller relationship between parties.
Crew: Restrictions on international data transfers are not only imparted according to the jurisdiction to which data is being sent. Organisations must also address the regulations of the country from which the data originated, as well as the controls in place among third parties that may process or otherwise interact with the data. Not every sub-jurisdiction or approved third party will have the same practices, and thus must be evaluated individually. In the Middle East, there are additional complexities due to the multijurisdictional structure of many countries. The United Arab Emirates (UAE) has three separate legal jurisdictions, all with differing privacy and industry laws that impact data transfers. In other countries, such as Saudi Arabia, there are also strict data localisation mandates and an array of complex requirements that must be considered.
Bryant: Transferring data is generally simple with today’s IT capabilities and infrastructure. However, this introduces risk if relevant technical staff are unaware of the potential risks of transferring personal data across borders. It is therefore essential that organisations have robust processes in place for implementing or updating processes or tooling that ensure the right questions are asked before designing IT architecture and solutions. This will support cross-border compliance, minimise transfer of personal data and reduce the risk of a breach or leak of sensitive data when encryption and access restrictions are not in place for data in transit. To mitigate this, organisations need a strong privacy by design framework. For example, in all business-as-usual (BAU) activities – for instance, any time a new database is created, a system application is upgraded, a new platform is developed or a new third party is onboarded – there needs to be an embedded ‘stop and think’ step for privacy. In addition, privacy considerations, such as where the data is coming from, what is in it, what are the risks around it and whether it may be transferred internationally, must be built into project management and BAU activities to avoid non-compliant or unprotected transfers of sensitive information.
FW: How do regulations governing data transfers vary between jurisdictions? To what extent do these variances add additional layers of risk?
Armingaud: Both the Western and Eastern cross-border transfer restriction trends – data protection and data protectionism – are essentially opposed. This divergence of opinion over how to deal with personal data necessarily calls for more complex agreements – which is leading to frustration and incomprehension during negotiations on both sides – or to separate, regional templates, which may lead to potential discrepancies in warranties.
Bryant: Each jurisdiction has its own requirements, and there is no standard approach to how data transfers should be managed. The GDPR has specific requirements and advice, such as the use of standard contractual clauses and conducting transfer risk assessments (TRAs) for any data that is leaving the EU. On the other hand, China’s PIPL includes a very strong data localisation principle and only permits data transfers in very limited circumstances. The legal basis and frameworks for data transfers vary widely depending on where the data originates and where it is being transferred to.
Crew: Many data privacy laws, including new laws in the Middle East, now emulate the GDPR in many ways, such as how jurisdictions are designated as adequate for cross-border data transfer. However, the issue becomes more complicated when the range of sector-specific laws come into consideration. For example, there are more than 20 laws in the UAE alone that have provisions for data security and privacy. These require special permissions or exceptions to be met before certain types of data, such as health information or financial records, may be sent across borders. All the laws contain differences in terms of what can be shared and what exceptional scenarios may justify special permissions for data sharing. Binding corporate rules (BCRs), which many organisations use as a mechanism for compliant cross-border data transfers, are also impacted by the patchwork of laws within the Middle East and globally. For example, the Dubai International Financial Centre (DIFC) and the Abu Dhabi Global Market (ADGM) accept BCRs, but others, including Bahrain, Saudi Arabia and Qatar, do not, meaning that a company using BCRs for internal transfers will not be able to use them for data originating in those countries.
Kharrat: Fully complying with all the rules simultaneously is exceedingly difficult. Thus, organisations need to take an agile approach as the landscape shifts. There are many unexpected pitfalls that can arise. For example, a recent incident in Germany saw a lawyer from within the EU travel to Germany to access certain data for a matter so that the data would not need to be transferred out of the country. However, it ended up being considered a transfer anyway, because the lawyer who viewed the data was not a German resident. This is only one example of the jurisdictional nuances that can create complicated compliance issues. M&A activity is another issue that can arise. If an organisation purchases a company residing in a country with strict data transfer restrictions, important data may not be accessible or transferable to business units in other countries. Because data is now a valuable asset, this kind of limitation could have a direct impact on an organisation’s ability to derive value from an acquisition.
FW: How important is it for organisations to undertake a data transfer risk assessment (TRA)? What steps need to be taken when conducting a TRA to ensure it is effective, up to date and compliant with current regulatory requirements and privacy laws?
Crew: Determining data transfer risk requires assessment across three key pillars: the rules in the country of origin, the rules and data practices in countries to which data is being sent, and the controls in place among third parties. Organisations must conduct an assessment of their third parties – just because they are located in an approved jurisdiction does not guarantee that they are following the letter of the law. An organisation needing to transfer data between various jurisdictions in the Middle East or elsewhere needs to conduct thorough assessments that take all variables into consideration, then follow that up with explicit processes that uphold compliance with requirements in each region and ensure their third-party partners are doing so as well.
Kharrat: Organisations need to undertake a data TRA, applying the ‘accountability’ principle to evidence that the transfer of personal data is considered and handled seriously. Recently, the French CNIL ordered three French websites to comply with the GDPR by ceasing, if necessary, to use a technology provider carrying personal data to the US. This decision was limited to a specific technology. However, all US cloud services using European personal data could potentially be affected. The specifics of the case underscore that TRAs can be complex, and organisations need to get the right legal and technology experts to ensure they remain compliant throughout the process. Key steps in the TRA process include the following. First, documenting the transfer, which will help define the nature of the data and explain the business need for the transfer. Second, identifying and assessing risks that must be considered across jurisdictions, such as the existence of adequacy, access by public authorities and the extent of legal protections in place. Third, establishing and documenting technical and organisational safeguard measures. Fourth, determining how the organisation can mitigate identified risks and what mechanisms are needed to manage the overall process.
Bryant: TRAs are absolutely critical and cannot be overlooked when personal data is being transferred between jurisdictions. This ties back to the importance of embedding privacy into standard processes. Regulatory requirements in the country of origin and the country of receipt must be covered in questions contained in the TRA. Criteria should also cover the technical and organisational controls in place to protect the data at the same level it would be in its country of origin and whether the personal data in scope can be anonymised, aggregated or minimised to reduce risk. TRAs should be handled with the same best practices as data privacy impact assessments (DPIAs), meaning they should be repeated any time there is a change to the systems, laws or other key factors. They should be reviewed at least annually and updated over time to evolve alongside shifting regulations and data requirements.
Armingaud: Pertaining to the accountability principle, a data transfer risk assessment is mandatory. To quote the European Data Protection Board (EDPB): “Knowing your transfers is an essential first step to fulfil your obligations under the principle of accountability.” Mapping a transfer requires the entity to perform a 360-degree overview of the process, asking and being able to answer questions on who, why, what, how and how long, from initial export to final import of the personal data.
FW: What kinds of tools, such as encryption and containerisation, may be used to protect privileged, sensitive or confidential information being transferred internationally?
Kharrat: Encryption is critical when data is being transferred, and it should also be utilised at every stage of the data lifecycle to provide the strongest possible protections for sensitive and personal information. Equally important is for organisations to carefully manage their encryption keys because encrypted data becomes useless if the encryption key is lost. Organisations should ensure their keys are kept in-country and in control of the organisation, rather than a third-party storage provider outside Europe, to reduce the risk of data loss. Due diligence over third parties is also critical. Organisations should conduct risk assessments and regular audits on any third party that may have access to their data, to ensure that the strongest possible safeguards are really in place.
Bryant: Encryption is a critical tool to help protect sensitive information in transit and at rest. However, other options such as anonymisation, aggregation and pseudonymisation should be considered rather than defaulting to transferring and protecting personal data through encryption. In many instances, the receiving party does not require the entire personal data set. Tokenisation is another tool that is used in some cases. This approach replaces sensitive data with a non-sensitive equivalent using unique identification symbols, referred to as a token, which has no exploitable value but maps back to the sensitive data without compromising its security. Once assigned, a token can be transferred rather than the original personal data, allowing the information to be utilised without actually transferring an individual’s personal information across borders. Again, a strong user access model with a local administrator is also helpful, particularly in cases where it is impossible to fully localise personal information. With this model, data may be transferred to another jurisdiction but remain accessible only to administrators and users in the region of origin. Privacy notices must also be clear and transparent to uphold a lawful basis for collecting and transferring data belonging to employees, customers or other third parties.
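The tokenisation approach Bryant describes, as an added example that is not part of the roundtable or FTI's own tooling: an in-country token vault replaces personal identifiers with opaque tokens before a dataset is exported, keeps the reverse mapping in the country of origin, and lets the receiving party work with the tokenised records (here, order volume per customer) without ever holding the original personal data. The field names, sample records and the `tok_` prefix are constructed for illustration.

```python
import secrets
from dataclasses import dataclass, field

# Personal-data fields that must not leave the country of origin.
# Constructed for this example; a real list would come from the TRA.
PII_FIELDS = ("customer_email", "national_id")


@dataclass
class TokenVault:
    """Mapping between opaque tokens and original values, held in-country.

    Only local administrators should hold this object; the exported
    dataset carries tokens only.
    """
    _to_value: dict = field(default_factory=dict)  # token -> original value
    _to_token: dict = field(default_factory=dict)  # original value -> token

    def tokenize(self, value: str) -> str:
        # The same input always yields the same token, so exported records
        # can still be joined or grouped per customer without revealing who
        # the customer is.
        tok = self._to_token.get(value)
        if tok is None:
            # Random token: nothing about the original can be derived from it.
            tok = "tok_" + secrets.token_hex(16)
            self._to_token[value] = tok
            self._to_value[tok] = value
        return tok

    def detokenize(self, token: str) -> str:
        # Re-identification is only possible with access to the vault.
        return self._to_value[token]


def export_records(records, vault: TokenVault):
    """Return a copy of records with every PII field replaced by a token."""
    exported = []
    for rec in records:
        safe = dict(rec)
        for name in PII_FIELDS:
            if name in safe:
                safe[name] = vault.tokenize(safe[name])
        exported.append(safe)
    return exported


def leaks_pii(exported, original):
    """Pre-transfer check: does any original PII value survive in the export?"""
    originals = {r[name] for r in original for name in PII_FIELDS if name in r}
    return any(v in originals for r in exported for v in r.values())


def orders_per_token(exported):
    """Receiver-side analytics that needs only the tokens, not the identities."""
    counts = {}
    for r in exported:
        counts[r["customer_email"]] = counts.get(r["customer_email"], 0) + 1
    return counts


# Constructed sample orders; the receiving business unit needs order volume
# per customer, not the customer's identity.
ORDERS = [
    {"order_id": 1, "customer_email": "a.example@mail.test", "national_id": "ID-001", "amount": 40.0},
    {"order_id": 2, "customer_email": "b.example@mail.test", "national_id": "ID-002", "amount": 15.5},
    {"order_id": 3, "customer_email": "a.example@mail.test", "national_id": "ID-001", "amount": 9.9},
]

if __name__ == "__main__":
    vault = TokenVault()  # stays with the in-country administrator
    exported = export_records(ORDERS, vault)  # this is what crosses the border
    print("exported:", exported)
    print("PII leaked:", leaks_pii(exported, ORDERS))
    print("orders per token:", orders_per_token(exported))
```

Because the tokens are random rather than derived from the data, the receiving side cannot reverse them; re-identification requires calling `detokenize` against the vault that never left the country.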
Armingaud: To protect personal data, we need to make use of what is referred to under article 32 of the GDPR as technical and organisational measures (TOMs). These are not restricted to only technical tools but also fall under pure process. In that sense, annex II of the EC Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries provides a set of process type examples of TOMs, including ‘measures for ensuring data minimisation’, ‘measures for ensuring data quality’ and ‘measures for ensuring limited data retention’. Implementing TOMs requires the controller to carry out a proportionality test relying on the underlying personal data and the processing operations. It is, however, sometimes easier, less time consuming and less expensive to set out a maximum level of TOMs regardless of the sensitivity of the processing.
Crew: Before establishing controls and tools for data transfer, organisations must differentiate between internal transfers and transfers to third parties. Further, organisations must assess the level of risk of the data being transferred. These variables will affect the types of protections that need to be put in place. That said, encryption is table stakes and should always be in place for data in transit. Anonymisation should also be used whenever practical. Intercompany transfer agreements and BCRs can be established to ensure data at rest is always stored in a jurisdiction that provides adequate protection. Further, controls should be established within enterprise systems to flag when personal information is included in an email or when large volumes of data are being transferred. Legal and privacy teams can also use privacy software tools to conduct ongoing third-party risk assessments and vendor due diligence.
FW: What essential advice would you offer to organisations on establishing an effective international data transfer solution that manages risk and provides an adequate level of protection?
Crew: It is essential to know who you are sharing your data with and know them well. Many organisations are not aware of where their data is shared. And if they are, they often do not have visibility into how shared data is being handled. It is critical to have robust third-party risk management in place and mechanisms to enforce compliance across all an organisation’s jurisdictions and third parties. Regularly, at least once a year, data privacy impact assessments should be conducted on vendors and systems. These exercises cannot be treated as tick-box activities. Rather, organisations must be rigorous about the questions they are asking and hold vendors accountable to the answers they give. Education is another essential factor. Employees need to know the risks of transferring sensitive data and what they need to do to help reduce that risk. Companies should empower employees with training and the knowledge they need to participate in a culture of privacy.
Armingaud: If I were to offer only one word of advice, it would be to ‘document’. Data protection is less about what you are doing and more about why you are doing it. Being prepared and able to justify any action when processing data ensures that either you are doing it right or you have a justified and legitimate answer for it, as per the accountability principle.
Bryant: First and foremost, companies need to understand data – where it is collected from, stored and sent to. Evaluate and document the business requirement for transferring data and the steps taken to minimise the personal data leaving the country, as well as the risks around data that is transferred. Establish a defensible legal basis for transferring data. Conduct these assessments on a case-by-case basis for different types of data, different business uses and different jurisdictions. Also, be sure that there are no processes in which data is automatically transferred without any controls.
Kharrat: With a risk-based approach, organisations can challenge and test their safeguard measures, maintain visibility into remaining risk and determine how the organisation balances risk against business needs. When data is being transferred, legal, compliance and privacy leaders should establish a legal basis for doing so and document the additional safeguards that have been implemented to protect data that leaves the country. Without a robust privacy assessment programme to audit internal safeguard measures and third parties, organisations will have limited chances to establish an effective international data transfer solution that manages risk and provides an adequate level of protection.
FW: Given that the volume of data transferred around the world will only increase, do you expect the associated risks and regulatory regimes to intensify? What key issues are likely to dominate this issue over the coming years?
Armingaud: It is not so much that the volume is increasing, but the sensitivity of the underlying data. There is an increasing frustration within many countries arising from the perceived data wealth being funnelled to the US and generating less value in the country of origin. I would expect to see more data localisation requirements, so protecting individuals against foreign access will, for all intents and purposes, dictate the future evolution of regulations.
Bryant: We will see increasing data protection and privacy regulation around the world and an increasing trend toward data localisation. The key is to find a balance. Too much oversight will stifle innovation and business effectiveness, while too little will put consumers at risk. Organisations are also going to face increasing pressure to establish firm boundaries around the types of data they can use for commercial purposes. There will be ongoing issues around how ownership of and access to large data sets will impact antitrust compliance and merger clearance. The EU’s Digital Markets Act is one of numerous emerging laws that will carry implications across both privacy and antitrust, as is the proposed EU AI Act, which could impose strong governance over how businesses can use data. Another legislative development is a proposed Privacy Shield replacement. It is an attempt at solving some current data transfer challenges, but it will likely face a lengthy approval process and subsequent challenge from European privacy advocates. Ultimately, data protection will continue to be a significant board-level issue and organisations will need to lean into privacy by design strategies and the importance of privacy to corporate value.
Kharrat: Every country is introducing or expanding laws that restrict data transfer or require data localisation. Because this can hinder advancement and technology innovation, I think we will begin to see new tech-based safeguard measures to help organisations meet data localisation requirements, while still conducting international business and commerce. For example, there are some interesting developments in encryption technology that can split encrypted data between different parties or process data without decrypting it first, so that personally identifying data can be protected and kept separate from data that may be needed for legal, regulatory or business purposes.
Crew: In the Middle East, data localisation laws will continue to emerge and cause headaches. Organisations need to watch for developments on this front, particularly around how data transfer rules and adequacy approvals change and are leveraged in geopolitical posturing. Data privacy adequacy decisions and data transfer requirements may be increasingly politicised, which will create more risks for multinational businesses that rely on adequacy judgements as a basis for cross-border transfers.
Nina Bryant is a senior managing director in the Technology segment and head of the UK information governance, privacy & security practice, based in London. Ms Bryant specialises in combining data expertise across legal, compliance, privacy and risk to enable business transformation and build cultures of compliance and collaboration in combination with effective technology solutions. Prior to FTI Technology, she led a number of data governance and regulatory compliance programmes at Deutsche Bank and IBM. She can be contacted on +44 (0)20 3727 1124 or by email: nina.bryant@fticonsulting.com.
Ben Crew has over 20 years’ experience working with clients to resolve risks associated with their data and assist clients in managing their data in a more secure and effective manner. He brings a wealth of experience in providing compliance expertise to clients from a range of industries, including financial services firms, hospitality, governmental and technology firms across the Middle East region. He can be contacted on +971 (50) 286 7553 or by email: ben.crew@fticonsulting.com.
Wajdi Kharrat is a risk management, privacy, compliance, information governance and security expert within the information governance, privacy and security practice of FTI Consulting’s Technology segment. Mr Kharrat is based in Paris and regularly advises corporate clients on initiatives to improve performance, manage risk and meet compliance requirements through the use of technology. He also assists law firms in responding to their clients’ technical and business issues. He can be contacted on +33 (1) 4008 1277 or by email: wajdi.kharrat@fticonsulting.com.
Claude-Etienne Armingaud is a partner at K&L Gates LLP’s Paris office. He is a member of the technology transactions and sourcing practice group, and global practice group coordinator for data protection, privacy and security. He advises clients active in new technologies, with a focus on innovation such as FinTech and blockchain-based services, connected and autonomous cars, data optimisation and valuation, notably in the internet of things (IoT) sector. He can be contacted on +33 (1) 5844 1516 or by email: claude.armingaud@klgates.com.
© Financier Worldwide