Cross Border Data Transfers – An Old Problem, With or Without GDPR

While we are all suffering from GDPR (General Data Protection Regulation) fatigue, there is one aspect that people tend to ignore: Cross Border Data Transfers. Restrictions around Cross Border Data Transfers are not just a result of GDPR – they have been around for years, especially in Asia, typically as a result of the introduction of Sovereign Data Walls in some countries.

What is a Sovereign Data Wall?

Think of a Sovereign Data Wall as a data boundary encircling a country. As an example, President Trump famously wants to build a wall between the USA and Mexico. A Sovereign Data Wall is a very similar virtual equivalent, but instead of keeping Mexican citizens outside of the USA, it is intended to keep Personal Data from crossing borders.

What is Data Localisation?

Sovereign Data Walls represent themselves in the form of Data Localisation laws, which require personal data to be processed in a specific country.

Data localisation is designed to protect the personal data of a country's citizens and sometimes its residents, typically requiring personal data to be collected, processed and stored inside the Sovereign Data Walls of that country. Once collected, the data can be transferred outside of the country, but only after meeting certain data protection requirements, such as those around notifying users of how the information will be used and obtaining their consent.

Data localisation laws may require data to travel with its own rules, such that access outside of the country can be revoked by an individual if they no longer want that data to be processed outside of their nation's Sovereign Data Walls.

What does GDPR say about this?

At the highest level, we must understand the term “restricted transfer”, which involves a transfer of data from inside the EU to a country outside the EU. Restricted transfers are not allowed under GDPR, unless covered under an “adequacy decision” or other exception.

Also important is understanding the difference between “transfer” and “transit”. Think about it this way: If you are flying from Singapore to New York and you connect through London, you do not have to clear customs in London. Data transfer under GDPR works the same way. If you route data from London to Paris, but it goes via a server in Singapore, it is not deemed a restricted transfer. Under GDPR, it is an internal EU transfer (that is, until Brexit – then we have a new problem!).

GDPR applies if you are processing personal data in the EU. However, it also applies if:

  1. you are not in the EU, but you are processing the personal data of a person in the EU;
  2. you are in the EU, and you are sending personal data to a person or organisation outside of the EU; and
  3. the “outsider” that you are sending the personal data to is not employed by you or by your company (although it can be a company in the same group).

However, you are also making a “restricted transfer” (which is prohibited) if you collect information about individuals in an “unstructured” manner and you send this to your back-office in a non-EU country in order to:

  • put the data into digital format; or
  • add to a highly structured manual filing system relating to individuals.

Putting personal data onto a website will often result in a restricted transfer. The problem occurs when someone outside the EU accesses the data via the website. For example, if you are loading personal data onto a UK server which may be accessed through a website from outside the EU, you should treat this as a restricted transfer.

Why do I care about this?

Suppose you are a global company and you process data in the cloud. When you are dealing with a country with data localisation laws, this is not allowed. Instead of using the low cost and more efficient cloud services, you now need to set up a local data centre in that country. This creates short term cost increases, not to mention the long term challenges resulting from the inability to aggregate data and perform analysis.

What countries should I be concerned about?

Countries that have some type of data localisation laws include: Argentina, Australia, Belgium, Brazil, Bulgaria, Canada, China, Colombia, Cyprus, Denmark, Finland, France, Germany, Greece, India, Indonesia, Iran, Kazakhstan, Kenya, Luxembourg, Malaysia, Netherlands, Nigeria, New Zealand, Romania, Poland, Russia, South Korea, Sweden, Taiwan, Turkey, UK, USA, Vietnam and Venezuela.

Conclusion:

The challenges GDPR introduces around Cross Border Data Transfers are not necessarily new problems, as many companies have already been struggling to deal with them in the past. Ultimately, the GDPR provisions relating to EU citizens make an existing problem just a bit more complicated.

Peter Lancos and Sonal Rattan are co-founders at Exate Technology.