The Geopolitics of Data Transfer: What Do Companies Need to Consider When Managing Conflicts of Law in a Global Investigation?
The last few years have seen some significant developments in data privacy regulation in Europe, the Middle East and Africa (EMEA). These have included the repeal of Safe Harbour and the introduction of the Privacy Shield, the approval of the General Data Protection Regulation (GDPR) by the European Parliament, the passing of the Data Privacy and Protection Law by the Qatari government, and the appointment of South Africa’s first members of the Information Regulator to monitor and enforce provisions of the Protection of Personal Information Act (POPI Act). It is fair to say that, with the advancement of and reliance on technology to conduct cross-border business, there will be no relaxation in data protection laws.
To add further uncertainty and complexity to the current regulatory environment, recent disruptive geopolitical developments, such as Brexit and the uncertainty injected by the Trump administration on the Privacy Shield, will inevitably further highlight conflicts of law and add complexity to the issue of data transfers, especially in the context of investigations and disputes – and, by extension, e-discovery. Because regulatory investigations and related processes frequently span several years, strategic decisions made today around data transfers will have important ramifications down the line.
The existence and the robustness of established data protection laws globally varies significantly from one jurisdiction to another. In this article, we provide an overview of key data privacy regulations throughout EMEA, and set out some considerations and practical guidelines to minimise risk exposure for companies and professional services firms dealing with cross-border investigations and litigation.
Evolving privacy protection across EMEA: is it enough?
In 1995, the European Commission (EC) issued a Directive,1 which prohibited the transfer of personal data to non-EU countries that do not have an ‘adequate’ level of privacy protection. To bridge the differences in approach to data privacy and to provide a mechanism to enable the free transfer of data between Europe and the United States, the US–EU Safe Harbour Framework (Safe Harbour) was developed, and has been in place for 15 years. Since then, with the increasing internationalisation of business and related data flows across borders, the EC recognised the lack of consistent safeguards around data privacy between member states and therefore proposed introducing true consistency via the GDPR. About a year after the EC began to draft the GDPR in 2012, Edward Snowden leaked information about the extent of the NSA’s mass surveillance and data collection practices, and almost concurrently an investigation into Facebook’s European privacy practices was launched by the Irish data protection watchdog. In such an environment, it was almost inevitable that the European Court of Justice would review the ‘adequacy’ criteria of data protection in the United States. The results of that review led to the Safe Harbour Framework being invalidated in October 2015,2 leaving corporates in a state of uncertainty around data protection and data transfer for months while an alternative mechanism was developed. The result was the development of the EU–US and Swiss-US Privacy Shield (the Shield), which, after much debate, eventually came into force in July 2016, with the intent to provide more accountability and oversight over data protection privacy. The initial reactions to earlier drafts of the Shield were sceptical. Max Schrems, the European privacy campaigner and lawyer who was instrumental in getting Safe Harbour struck down, tweeted: ‘#PrivacyShield: They put ten layers of lipstick on a pig but I doubt the Court & DPAs suddenly want to cuddle with it’.3
Despite its controversies, in October 2017, the EC’s first annual review of the EU–US Privacy Shield found that, on the whole, the Privacy Shield ‘continues to ensure an adequate level of data protection’. The EC, however, noted room for improvement and has provided recommendations on aspects of the Shield’s functioning that US authorities need to improve.
The GDPR, which was approved by the European Parliament in April 2016, with an enforcement date of 25 May 2018, preserves the core principles and the Adequacy Criteria4 of the Directive, but additionally expanded certain areas (set out below), as well as outlining hefty fines and penalties.
Expanded territorial reach
The new regulation is no longer limited to data controllers and processors within the European Union. Instead, those whose processing activities relate to the provision of goods or services, or monitoring the behaviour of EU data subjects, will require the appointment of a representative within the European Union.
A data subject’s consent to process their personal data is required to be as easily withdrawn as it is granted. Data subjects will be able to withdraw consent to their data being processed.
International transfers risk awareness
Although the GDPR removes self-assessment as a basis for transfer, the consent derogation has undergone some changes. Data subjects are required to be adequately informed of the risk of transferring data outside the European Union.
Data controllers are required to report most data breaches to the new Data Protection Authority, where possible, within 72 hours of awareness, together with appropriate justification.
Fines and penalties
Unlike previous regulations, the GDPR introduced a tiered penalty approach for breaches, where fines for breaches are much higher than under previous regulations, ie, up to 4 per cent of annual worldwide turnover or €20 million.
Based on these changes alone, it is clear that the GDPR will introduce significant undertakings and potential risks for all parties affected, from concerned subjects, to oversight bodies and corporations with a nexus to the European Union.
What about Brexit?
And then there is Brexit. The Independent reported that Brexit will see ‘1,000 new laws passed unilaterally and without parliamentary scrutiny when European law is transposed into British law under the Great Repeal Bill’.5 In June 2017, it was announced in the Queen’s Speech that the Data Protection Bill (the Bill) will replace the Data Protection Act 1998 (1998 Act), and will set new standards for protecting general data, in accordance with the GDPR. The Bill introduces new powers and offences in relation to data protection while largely replicating existing powers under the 1998 Act, and increases the maximum level of fines in the United Kingdom so that it is consistent with the GDPR. Further, the Bill also adds to and modernises many of the offences contained within the 1998 Act.
According to the Information Commissioner’s Office, ‘the Bill will not transpose the GDPR into UK law, before or after the day the UK leaves the EU. The government plans to achieve this through the European Union (Withdrawal) Bill (after its adoption as an Act). Once the UK leaves the EU, the Bill will help ensure that the standards of the GDPR are enshrined in UK law’. The GDPR has direct effect in the United Kingdom from 25 May 2018 until the United Kingdom leaves the European Union.
How will the Bill differ from the GDPR? According to the Department for Digital, Culture, Media and Sport, the Bill is a complete data protection system, so as well as governing general data covered by the GDPR, it covers all other general data, law enforcement data and national security data. It also has a number of agreed modifications in areas such as academic research and financial services.
To add to the complexity, there will also have to be consideration of how to handle UK–US data transfer. The United Kingdom will have to demonstrate that it has protections in place with the United States that ensure the same level of protection as provided under the EU–US Privacy Shield. A potential solution for this is to use Switzerland as a model for the United Kingdom – it has an adequacy finding, meaning that it has a mirror of the Privacy Shield agreement with the United States. Thus, an agreement such as this would mitigate the potential to run afoul of EU regulations.
There are currently no pan-Middle Eastern or pan-GCC (the Gulf Cooperation Council) laws governing data protection and privacy.
Israel is the only Middle Eastern country with data protection laws deemed adequate by the EC. Restrictions on transfer of data offshore are strict, and only include countries that ensure a level of protection of information that is not lower than the level of protection provided for under Israeli law.
Many Middle Eastern countries (GCC countries in particular) have also made considerable efforts to diversify their economies and increase economic integration in recent years. Saudi Arabia announced Vision 2030, which aims to increase the share of non-oil exports from 16 to 50 per cent over the next 15 years.6 Other GCC countries have also undertaken similar programmes, with the intent, like the UAE, to continue to attract international IT and finance companies and investment, and increase cross-border technology infrastructure. These developments imply the need to consider developing a data protection regime.
In international economic zones, such as in designated areas in the UAE and Qatar, data protection law, implementation and enforcement are relatively well-developed. The Dubai International Financial Centre (DIFC) and the Qatar Financial Centre (QFC) have their own dedicated data protection laws and enforcement bodies mirroring best practices of the European Union. They all stipulate that personal data can only be transferred to an outside jurisdiction if an adequate level of protection for that personal data is ensured by laws and regulations that apply to the recipient, or if a special permit is approved by the regulatory bodies.7, 8 The DIFC also publishes a list of countries considered as being ‘adequate’ for this purpose, which notably excludes the United States. No such list exists for the QFC. That being said, these laws only apply to licensed entities operating in these special zones.
Further, the Abu Dhabi Global Market (ADGM), the international financial centre established in the UAE capital, recently announced a number of enhancements to the ADGM Data Protection Regulations 2015 effective from February 2018. The enhancements are designed to bring some of the definitions closer to international standards, provide clarity around the timing of certain obligations and expand the number of jurisdictions approved for the transfer of personal data. Some of the changes include recognition of the DIFC for data exports and an increase in the maximum fine.
Nevertheless, to date, with the exception of Israel, no Middle Eastern or African countries are considered to have adequate data protection environments from an EU perspective. However, it would appear that change is afoot: in 2016, Qatar became the first GCC member state to issue a generally applicable data protection law. The law, which came into effect in May last year, poses a potential fine of 5 million Qatari riyals for non-compliance. While the law currently provides specific guidance on the transfer of personal data to other jurisdictions, we can expect that there will be further regulations issued to assist the current law’s implementation.
In addition, there are general constitutional rights and sector-specific laws (notably in telecommunications, banking and medical information) related to data privacy in these countries. Depending on the circumstances, these laws may apply and should be considered when conducting international investigations or responding to litigation.
Given the geopolitical realities of the region, it is unlikely that any EU-type regime will be enacted in the Middle East in the near future. However, recent technological developments across the region suggest that authorities are quickly becoming aware of the challenges of international data privacy, which may have implications for the Middle East. In Saudi Arabia, there is a new freedom of information and protection of private data law under review by the Advisory ‘Shura’ Council.9 In Bahrain, a draft data protection law is being reviewed before Parliament.10 In Turkey, the Law on Protection of Personal Data No. 6698 was passed in 2016 and the Regulation on Deletion, Destruction and Anonymization of Personal Data was published in the Official Gazette No. 30224 in October 2017. In May 2017, the draft Regulation on Data Controller’s Registry was submitted to public review and is expected to soon enter into force. Rapid regional economic transformation will also ensure that data privacy continues to be an important topic in the future.
Many African economies are becoming vibrant hubs of economic progress, but the pace in the data privacy development area has been considerably slower.
In June 2014, the African Union (AU) adopted the Convention on Cybersecurity and Personal Data Protection,11 which many identified as a transformative moment for data protection in the region. However, to date, no country has undertaken its ratification, and the convention requires 15 countries to ratify it in order to enter into effect.
Morocco and Mauritius, both with robust data protection laws and active enforcement bodies, remain the notable exceptions on the continent, while the rest of the countries remain in their formative stages. Most countries have general constitutional rights and sector-specific laws (notably in telecommunications) related to data privacy, but roughly half of the 54 countries on the continent still have no comprehensive data protection regulation and are not publicly working on adopting one. African countries with data protection laws have reported very few enforcement actions, and while most of the existing data protection laws hinge on the principle of adequacy, the same laws do not specify which countries are considered to be ‘adequate’.
In Kenya, a data protection bill was expected to be presented in Parliament by the end of May 2014, but the bill had still not passed at the time of writing.12 South Africa’s Protection of Personal Information (POPI) Act was signed into law in November 2013, but it is still not effective as a full commencement date has not yet been established.13 The Information Regulator, which is tasked with ensuring government departments and companies comply with the POPI Act, is also not yet fully operational; however, it aims to be in full swing in 2018.14
Interestingly, the POPI Act might be one of the most stringent examples of data privacy initiatives. It prohibits the transfer of personal information outside South Africa, subject to certain exceptions; for example, where consent is provided and where the recipient is subject to a law or binding agreements that are able to demonstrate effectively data processing principles similar to the conditions for processing personal information under the POPI Act.15 The POPI Act is also unique as it considers criminal penalties and imprisonment when convicted of a breach.16
Some key considerations
In EMEA, the approach to data protection varies significantly across the board, and we have seen how both developed economies and emerging markets suffer from regulatory disparity. Essentially, global convergence on the issue of data privacy remains unlikely. Some would argue that the European Union is pushing for the GDPR to be the ‘gold standard’ of data privacy for other countries to follow, while others would question costs associated with complying with these standards as well as suggest an imbalance between protecting individuals’ rights to the detriment of national security.
In Europe there are several factors dominating the political and data discourse, chief among them being Brexit and the new responsibilities related to the GDPR.
The first annual review of the Shield, in October last year, found that US authorities need to make improvements to ensure the successful functioning of the Shield. Recommendations included:
• the appointment of a permanent Privacy Shield Ombudsperson, as well as ensuring the empty posts are filled on the Privacy and Civil Liberties Oversight Board;
• closer cooperation between privacy enforcers, raising more awareness for EU individuals on how to exercise their rights under the Shield, notably how to lodge complaints; and
• more proactive and regular monitoring of companies’ compliance with the Shield obligations by the US Department of Commerce.
The review noted that over 2,400 companies have now been certified by the US Department of Commerce. Following from the report, the Commission will work with US authorities on the follow-up of its recommendations and will continue to closely monitor the functioning of the Shield, including US authorities’ compliance with their commitments.
In Africa, the GDPR is expected to have an impact as its scope will also cover many data controllers and processors outside the European Union. This includes e-commerce websites or target advertising providers and their Africa-based processors, who will be directly subject to the new provisions. The free flow of data between European and African countries will therefore be conditional upon proactive law-making and an adequate level of data protection, equivalent to that set out by the GDPR. Thus, a high standard of personal data protection compliance should be applied to ensure compliance with new regulations.
All these factors create uncertainty for companies operating across borders, and leave investors, management and stakeholders susceptible to uneasy regulatory transitions, high costs and exposure to the risk of heavy fines. For industry practitioners, and companies involved in investigations or expecting regulatory probes or even cross-border litigation, there is no single solution, but there are certain measures that can be undertaken in preparation to mitigate risks.
A clear data strategy is vital to any investigation where data may reside in several jurisdictions. Crucial considerations include knowing what data is being considered, the jurisdiction where the data resides, applicable data privacy regulations and what clearance is required, and the origin of the data collection, let alone transfer.
Depending on the nature and severity of the investigation, companies will be most successful if they take a conservative approach to data transfers, as privacy failures may (and most likely will) lead to sizeable liabilities. In addition, beyond the considerations listed above and the mechanisms potentially used for data transfer, from a strategic and practical perspective, it is worth acknowledging that once data is transferred into the United States it becomes ‘discoverable’ and little regard will be given to data protection rights that it may have attached in its country of origin.
Collection and preservation
Prior to carrying out a data collection or data preservation exercise, ensure that the appropriate risk management tools have been engaged, and steps have been taken to ensure compliance with data privacy regulations in the jurisdiction the data is being hosted in. We counsel, in general, collection and preservation of data in its jurisdiction of origin.
Training and escalation
All personnel involved in investigations and data transfers should be provided with up-to-date training regarding data transfer protocols and jurisdictional data privacy regulations. They should also be trained to properly document the considerations and safeguards, throughout the investigation, for any data transfer. Escalation protocols should also be in place to ensure demonstrable consideration and consultation in relation to data transfer, especially for jurisdictions with data privacy regulations that are more challenging to address. Identifying and engaging the appropriate counsel in each jurisdiction, as well as having data identification, processing and transfer experts with extensive cross-border experience in the European Union and elsewhere to assist internal stakeholders, is a necessity.
Data transfer strategy
Develop, in consultation with your advisers, a data transfer strategy that takes into consideration the nature of the data, its origin, data privacy and other data-related constraints (banking secrecy, commercial and state secrecy, etc), and security. Err on the side of caution and weigh the risks of using untested or controversial data transfer mechanisms. After all, it is not possible to close the stable door after the data horse has bolted.
Finally, it is imperative to consult and involve data privacy and transfer experts from the outset in any cross-jurisdictional investigation, to help navigate the potential conflicts of law we have addressed in this article. From the data identification and location exercise, to the treatment of data in a manner compliant with applicable data privacy laws, to the mechanism employed, if appropriate, for data transfer, advice and execution by the right experts will be critical to success.
1 Data Protection Directive 95/46/EC.
2 Court of Justice of the European Union ‘The Court of Justice declares that the Commission’s US Safe Harbour Decision is invalid’ Press Release No. 117/15.
3 Max Schrems (@maxschrems) 29 February 2016.
4 The Data Protection Act 1998, Schedule 1, Part II.
7 DIFC Law No. 1 of 2007 (Amended by Data Protection Law Amendment Law DIFC Law No. 5 of 2012), section 11, 12.
8 Qatar Financial Centre Legislation, Data Protection Rules, section 3.1, 3.2.
15 Protection of Personal Information Act of 2013, Chapter 9, section 72.
16 Protection of Personal Information Act of 2013, Chapter 11, section 107.