The Geopolitics of Data Transfer: What Do Companies Need to Consider in a Post-Trump, Brexit and GDPR World?
The last few years have seen significant developments in data privacy regulation across Europe, the Middle East and Africa (EMEA). These include the invalidation of Safe Harbour and the introduction of the Privacy Shield, the approval of the General Data Protection Regulation (GDPR) by the European Parliament, the passing of a generally applicable data protection law by the Qatari government, and the appointment of the first members of South Africa’s Information Regulator to monitor and enforce the Protection of Personal Information Act (POPIA). With cross-border business increasingly dependent on technology, it is fair to say that data protection laws will not be relaxed.
Adding further uncertainty and complexity to this regulatory environment, recent disruptive geopolitical developments, such as Brexit and the election of Donald Trump to the US Presidency, will inevitably sharpen conflicts of law and complicate data transfers, especially in the context of investigations and disputes and, by extension, e-discovery. Because regulatory investigations and related processes frequently span several years, strategic decisions made today about data transfers will have important ramifications down the line. Will the UK’s post-Brexit data protection regime be deemed adequate by the EU? Will President Trump ride roughshod over EU surveillance concerns?
The existence and robustness of data protection laws vary significantly from one jurisdiction to another. In this article, we provide an overview of the key data privacy regulations across EMEA and set out considerations and practical guidelines to minimise risk exposure for companies and professional services firms dealing with cross-border investigations and litigation.
Evolving privacy protection across EMEA – Is it enough?
In 1995, the EU adopted the Data Protection Directive,1 which prohibited the transfer of personal data to non-EU countries that do not ensure an ‘adequate’ level of privacy protection. To bridge the differing approaches to data privacy on either side of the Atlantic and to provide a mechanism for the free transfer of data between Europe and the US, the US–EU Safe Harbour Framework (Safe Harbour) was developed in 2000 and remained in place for 15 years. Over that period, as business and the associated data flows became increasingly international, the European Commission (EC) recognised that safeguards were applied inconsistently between member states and, in 2012, proposed the GDPR to establish true consistency. About a year later, Edward Snowden revealed the extent of the NSA’s mass surveillance and data collection practices, and almost concurrently Max Schrems lodged a complaint about Facebook’s European privacy practices with the Irish data protection authority, a complaint that ultimately reached the Court of Justice of the European Union. In that environment it was almost inevitable that the Court would review whether US data protection met the ‘adequacy’ criteria. That review led to the Safe Harbour Framework being invalidated in October 2015,2 leaving corporates in a state of uncertainty about data protection and data transfer for months while an alternative mechanism was developed. The result was the EU–US Privacy Shield (Shield), which, after much debate, was adopted in July 2016 with the stated intent of providing greater accountability and oversight over data protection (a parallel Swiss–US Shield followed in 2017). Initial reactions to earlier drafts of the Shield were sceptical. Max Schrems, the European privacy campaigner and lawyer who was instrumental in getting Safe Harbour struck down, tweeted: ‘#PrivacyShield: They put ten layers of lipstick on a pig but I doubt the Court&DPAs suddenly want to cuddle with it pic.twitter.com/gfkMexCruh’.3
US and EU officials have since described the Shield as ‘a framework that protects privacy and creates certainty’ and have given assurances that ‘any access to personal data for law enforcement or national security is limited to what is necessary and proportionate’.4 The Shield, however, remains untested in court and is therefore vulnerable to legal challenge.
There are also clear questions about the viability of the Shield under the Trump administration; the EC is currently reviewing the arrangement (see the 7 April 2017 issue of GIR, ‘Privacy Shield in Jeopardy under Trump’). A recent Trump executive order (EO) directs agencies to ‘exclude persons who are not United States citizens…from the protections of the Privacy Act…’,5 which runs directly against the spirit of the Shield. A second consideration is the Judicial Redress Act, which extends certain Privacy Act remedies only to citizens of countries designated by the Attorney General; the designation covering the EU took effect in February 2017, and the Shield’s redress commitments depend on it.
In response to the EO and the Act, EU officials commented: ‘We will continue to monitor the implementation of both instruments and are following closely any changes in the US that might have an effect on Europeans’ data protection rights.’ One could, for example, imagine the Attorney General, Jeff Sessions, later deciding to revoke some countries’, or the EU’s, designations under the Judicial Redress Act: a decision that would wreak immediate havoc on the Shield.
The GDPR, approved by the European Parliament in April 2016 and applicable from 25 May 2018, preserves the core principles and the adequacy criteria6 of the Directive, but expands certain areas (set out below) and introduces far heavier fines and penalties.
Expanded territorial reach
The Regulation is no longer limited to controllers and processors established in the EU. Controllers and processors outside the EU whose processing relates to offering goods or services to data subjects in the EU, or to monitoring their behaviour, fall within its scope and, subject to limited exceptions, must appoint a representative within the EU.
Consent
Consent to processing must be freely given, specific, informed and unambiguous, and it must be as easy to withdraw as it was to give. Data subjects may withdraw consent to the processing of their data at any time.
International transfers risk awareness
The GDPR removes self-assessment of adequacy as a basis for transfer, and the consent derogation has been tightened. Consent to a transfer must be explicit, and data subjects must first be informed of the possible risks of transferring their data outside the EU in the absence of an adequacy decision or appropriate safeguards.
Breach notification
Controllers must notify personal data breaches to the competent supervisory authority, where feasible, within 72 hours of becoming aware of them, unless the breach is unlikely to result in a risk to individuals; where notification is made later, the reasons for the delay must be given.
Fines and penalty
Unlike previous regimes, the GDPR introduces a tiered approach to penalties, with fines far higher than before: up to 4 per cent of annual worldwide turnover or €20 million, whichever is higher.
On these changes alone, it is clear that the GDPR will impose significant obligations and potential risks on everyone affected, from data subjects to oversight bodies and corporations with a nexus to the EU.
What about Brexit?
And then there is Brexit. The Independent reported that Brexit will see ‘1,000 new laws passed unilaterally and without parliamentary scrutiny when European law is transposed into British law under the Great Repeal Bill’.7 What will the new UK data privacy regime look like? Will it be less stringent than the GDPR? How high will the fines be? Until a UK-specific data privacy regime is introduced, all we can do is wait and find out. We can, however, begin to imagine the risks.
In a post-Brexit world, companies with operations in the UK may be particularly exposed to the uncertainties that Brexit introduces around the GDPR. The current UK government’s stance on privacy appears to lean towards deregulation. Whatever its future aspirations, however, the UK will still have to comply with the GDPR between May 2018 and the end of the Article 50 withdrawal period (expected to be March 2019).
To add to the complexity, UK–US data transfers will also need to be addressed. If the UK decides to diverge from the GDPR after Brexit, the UK and the US could create a distinct bilateral environment for data transfers. UK businesses operating in Europe, however, would remain bound by the Regulation, and the UK itself would need to demonstrate an adequate (ie, comparably robust) data privacy environment; a UK–US mechanism alone would be highly unlikely to satisfy those obligations. The very real risk for UK corporates is that they end up running two conflicting data regimes within one organisation.
The Middle East
There are currently no pan-Middle Eastern or pan-GCC (Gulf Cooperation Council) laws governing data protection and privacy.
Israel is the only Middle Eastern country whose data protection laws have been deemed adequate by the EC. Israel’s own restrictions on transferring data abroad are strict: subject to limited exceptions, data may only be sent to countries that ensure a level of protection no lower than that provided under Israeli law.
Many Middle Eastern countries, GCC members in particular, have made considerable efforts in recent years to diversify their economies and increase economic integration. Saudi Arabia’s Vision 2030 aims to raise the share of non-oil exports from 16 to 50 per cent over the next 15 years.8 Other GCC countries, notably the UAE, have launched similar programmes intended to attract international IT and finance companies and investment and to expand cross-border technology infrastructure. These developments imply a need to consider developing a data protection regime.
In international economic zones, such as designated areas in the UAE and Qatar, data protection law, implementation and enforcement are relatively developed. The Dubai International Financial Centre (DIFC) and the Qatar Financial Centre (QFC) each have dedicated data protection laws and enforcement bodies modelled on EU practice. Both stipulate that personal data may only be transferred to an outside jurisdiction if the laws and regulations applying to the recipient ensure an adequate level of protection, or if a special permit is approved by the regulator.9, 10 The DIFC also publishes a list of countries considered ‘adequate’ for this purpose, which notably excludes the US; no such list exists for the QFC. These laws, however, apply only to licensed entities operating within the respective zones.
Nevertheless, to date, with the exception of Israel, no Middle Eastern or African country is considered to have an adequate data protection environment from an EU perspective. Change does appear to be afoot: in November 2016 Qatar became the first GCC member state to issue a generally applicable data protection law. It is due to come into effect in May 2017, with fines for non-compliance of up to 5 million Qatari riyals. Although the law itself sets out specific rules on the transfer of personal data to other jurisdictions, further regulations can be expected to assist its implementation.
In addition, these countries have general constitutional rights and sector-specific laws (notably in telecommunications, banking and medical information) that bear on data privacy. Depending on the circumstances, these may apply and should be considered when conducting international investigations or responding to litigation.
Given the geopolitical realities of the region, an EU-style regime is unlikely to be enacted in the Middle East in the near future. Recent legislative activity, however, suggests that regional authorities are quickly becoming aware of the challenges of international data privacy. In Saudi Arabia, a new freedom of information and protection of private data law is under review by the Advisory (‘Shura’) Council.11 In Bahrain, a draft data protection law is before Parliament.12 Rapid regional economic transformation will also ensure that data privacy remains an important topic.
Africa
Many African economies are becoming vibrant hubs of economic progress, but progress on data privacy has been considerably slower.
In June 2014, the African Union (AU) adopted the Convention on Cyber Security and Personal Data Protection,13 which many saw as a transformative moment for data protection on the continent. Ratification, however, has barely begun: the Convention requires 15 ratifications to enter into force, and to date it has attracted almost none.
Morocco and Mauritius, both with robust data protection laws and active enforcement bodies, remain the notable exceptions on the continent; elsewhere, regimes remain in their formative stages. Many African countries have general constitutional rights and sector-specific laws (notably in telecommunications) that touch on data privacy, but roughly half of the 54 countries on the continent still have no comprehensive data protection law and are not publicly working on one. Those that do have such laws have reported very few enforcement actions, and while most of these laws hinge on the principle of adequacy, they do not specify which countries are considered ‘adequate’.
In Kenya, a data protection bill was expected to be presented to Parliament by the end of May 2014, but it had still not passed at the time of writing.14 South Africa’s Protection of Personal Information Act (POPIA) was signed into law in November 2013, but its substantive provisions are not yet in force, as a full commencement date has not been set.15
POPIA may be one of the most stringent data privacy initiatives anywhere. It prohibits the transfer of personal information outside South Africa, subject to specific exceptions: for example, where the data subject consents, or where the recipient is subject to a law, binding corporate rules or a binding agreement that effectively upholds processing principles substantially similar to POPIA’s conditions for processing personal information.16 POPIA is also notable in providing for criminal penalties, including imprisonment, on conviction for certain offences.17
Some key considerations
In EMEA, the approach to data protection varies significantly, and both developed economies and emerging markets suffer from regulatory disparity. Global convergence on data privacy remains unlikely. Some argue that the EU is pushing the GDPR as the ‘gold standard’ for other countries to follow; others question the cost of complying with it and suggest that it tilts too far towards individual rights at the expense of national security.
In Europe, several factors dominate the political and data discourse, chief among them Brexit and the new responsibilities that come with the GDPR. Given the importance of the US to the global economy in general, and the strength and value of EMEA’s trading relationships with the US in particular, the uncertainty surrounding the Shield must form an important part of the debate, not least because the Trump administration, if anything, makes it more uncertain still. Specifically, the US combines a very old Privacy Act (drafted in 1974, since which time Europe has rewritten its privacy rules three times) with a broad executive order that strips non-citizens of the Act’s protections and could see government agencies insist on access to European citizens’ personal data on a very low threshold of proof: a mere ‘risk to public safety’ could suffice, and some agencies are likely to read that very broadly. In this context, relying on the Shield seems unwise.
All of these factors create uncertainty for companies operating across borders and leave investors, management and other stakeholders exposed to uneasy regulatory transitions, high costs and the risk of heavy fines. For practitioners, and for companies involved in investigations or expecting regulatory probes or cross-border litigation, there is no single solution, but there are measures that can be taken in advance to mitigate the risks.
A clear data strategy is vital to any investigation in which data may reside in several jurisdictions. Crucial considerations include: what data is in scope, the jurisdiction in which it resides, the applicable data privacy regulations and any clearance they require, and the origin of the data and the basis on which it was collected, all of which must be settled before any transfer is contemplated.
Depending on the nature and severity of the investigation, companies will fare best by taking a conservative approach to data transfers, since privacy failures may (and most likely will) lead to sizeable liabilities. Beyond the considerations listed above and whatever transfer mechanism is used, it is worth acknowledging a strategic and practical reality: once data has been transferred into the US it becomes ‘discoverable’, and little regard will be given to any data protection rights that attached to it in its country of origin.
Collection and preservation
Before carrying out any data collection or preservation exercise, ensure that the appropriate risk management tools have been engaged and that steps have been taken to comply with the data privacy regulations of the jurisdiction in which the data is hosted. As a general rule, we counsel collecting and preserving data within its jurisdiction of origin.
Training and escalation
All personnel involved in investigations and data transfers should receive up-to-date training on data transfer protocols and the data privacy regulations of each relevant jurisdiction. They should also be trained to document, throughout the investigation, the considerations and safeguards applied to every data transfer. Escalation protocols should be in place to ensure demonstrable consideration and consultation on data transfers, especially for jurisdictions whose data privacy regulations are harder to satisfy. Identifying and engaging appropriate counsel in each jurisdiction, and having data identification, processing and transfer experts with extensive cross-border experience in the EU and elsewhere to assist internal stakeholders, is a necessity.
Data transfer strategy
Develop, in consultation with your advisers, a data transfer strategy that takes into account the nature of the data, its origin, data privacy and other data-related constraints (banking secrecy, commercial and state secrecy, etc) and security. Err on the side of caution and weigh carefully the risks of relying on untested or controversial transfer mechanisms. After all, it is not possible to close the stable door after the data horse has bolted.
Finally, it is imperative to involve data privacy and transfer experts from the outset of any cross-jurisdictional investigation, to help navigate the potential conflicts of law addressed in this article. From the data identification and location exercise, to the treatment of data in compliance with applicable privacy laws, to the mechanism employed, where appropriate, for data transfer, advice and execution by the right experts will be critical to success.
1. Data Protection Directive 95/46/EC.
2. Court of Justice of the European Union, ‘The Court of Justice declares that the Commission’s US Safe Harbour Decision is invalid’, Press Release No. 117/15, 6 October 2015.
3. Max Schrems (@maxschrems), tweet of 29 February 2016.
4. EC Commissioner Věra Jourová, press conference, 12 July 2016.
5. ‘Executive Order: Enhancing Public Safety in the Interior of the United States’, Office of the Press Secretary, The White House, 25 January 2017.
6. The Data Protection Act 1998, Schedule 1, Part II.
9. DIFC Law No. 1 of 2007 (as amended by the Data Protection Law Amendment Law, DIFC Law No. 5 of 2012), sections 11 and 12.
10. Qatar Financial Centre Legislation, Data Protection Rules, sections 3.1 and 3.2.
16. Protection of Personal Information Act 2013, Chapter 9, section 72.
17. Protection of Personal Information Act 2013, Chapter 11, section 107.