AlixPartners director David White has investigated financial fraud as part of the US Department of Justice’s multi-agency bank fraud taskforce, and has served as special e-discovery counsel for numerous multinational Fortune 100 companies. Asia Business Law Journal tapped his knowledge on data localization and other protection issues.
Explain data localization, how it may apply to companies large and small, and why in-house counsel and law firms need to be familiar with its implications?
Data localization refers to legal requirements that data be stored within a certain jurisdiction. These requirements come in a number of different flavours, each driven by a different motivation.
The motivations can be based on national security and defence, cyber security and crime prevention, anti-terrorism and government surveillance, data privacy and protection of citizens, or quelling political dissent and opposition.
The types of data that are required to be maintained in the jurisdiction, and the way the data must be maintained, are typically driven by the underlying motivations. For example, laws protecting national security and defence typically prohibit the export of any data that falls within the definition of the regulations. China’s state secret laws, which make the export of any state secrets a criminal act, are a well-known example. A lesser known example is the South Korean prohibition on the export of map data, though any foreigner who has tried to use Google Maps when navigating Seoul has felt their impact.
Where surveillance and law enforcement access to information is the driving motivation, be it for anti-terrorism, stopping cybercrime or quelling dissent, the laws typically apply to telecoms and internet service provider data. Rather than prohibiting export, they tend to only require that a copy remain within the jurisdiction. Laws focused on data privacy and consumer protection tend to allow export, but with caveats that data will be properly protected after they are transported out of the country.
How do Asian jurisdictions compare with the US or elsewhere with regard to data localization requirements?
The US tends to be more open when it comes to the free movement of data, and there are very few localization laws in the US. Anti-espionage and national defence export control laws are really the only ones, and even there the restrictions are more focused on preventing access to information by foreign nationals rather than the export of the information.
The definitions of the controlled information are also more clearly defined in the US. On the flip side, in China the definition of exactly what constitutes a state secret is very vague. The law does provide a very narrow list of items that could potentially be considered state secrets, but then follows with a catch-all provision that includes all “other matters that are classified as state secrets by the national State Secrets Bureau”, with no limitation on what those matters might in fact be.
The outcome is that this vague “state secrets” label allows the government to choose which potential violations to prosecute and which to ignore. In addition to state secrets laws, China also has a wide range of sectoral laws at both the national and regional level that prohibit the export of all sorts of data types. These range from bank account records, health information, accounting records, online payments, credit references and financial transactions, to name but a few.
These latter types of topical localization laws are commonly found across Asia, but are not found in the US. They also include the previously mentioned requirements that copies of certain telecoms and ISP data remain in the country, bans on the removal of mapping data, data relating to critical infrastructure, and even ride-share data.
Finally, we are also seeing an uptick in some countries trying to protect their technology sectors by requiring that certain hardware and infrastructure systems remain in the country if providing services there, and effectively limiting the use of foreign cloud service infrastructure. These are not localization laws, so to speak, but in the end they have the same impact. If the servers must be maintained in country, so too must the data stored on them.
Which specific countries in Asia have encouraged freer exchange of data and business growth in this regard?
In Asia the same jurisdictions that have encouraged free trade and economic growth have typically also encouraged the freer movement of data. For example, both Singapore and Hong Kong, which are seeking to encourage their growth as regional data hubs, have very few controls on data exchange. Where laws exist, they typically focus on data security and privacy, and even there this focus is aimed at encouraging education and growth, and not discouraging free data flows.
There are no restrictions on transfer of personal data outside of Hong Kong, as the cross-border transfer restrictions set out in section 33 of its Personal Data (Privacy) Ordinance were held back and have not yet come into force. In Singapore, the Personal Data Protection Act contains minimal limits on the ability of an organization to transfer personal data outside Singapore that are very much in line with the European General Data Protection Regulation (GDPR) model. The limits allow free transfer as long as the data owner can ensure that the data are properly protected and is transparent with data subjects. This approach is similar to Japan and South Korea.
How do tighter requirements impact business operations in these jurisdictions with regard to international investigations, legal disputes and compliance obligations?
I’ve worked with many companies throughout the region, both in building proactive compliance programs for privacy and other regulatory schemes such as anti-corruption and anti-money laundering, and in responding to internal investigations, lawsuits and regulatory inquiries. In each and every instance I have only seen that the tighter localization requirements greatly increase costs.
On the operational side, the requirement that certain data types must remain in specific geographic locations prevents the economy of scale that can be realized by leveraging global corporate resources and infrastructure, and the cloud hosting environment of large service providers. In many instances companies have to stand up separate data centres just to house the local data, and re-engineer their internal workflows to accommodate these needs.
On the investigations front we have also stood up regional data centres across Asia, and the rest of the globe, specifically to deal with data localization laws. These allow us to collect, process and review data locally without the need to transfer it across borders. Where we must transfer data to respond to foreign regulatory investigations or lawsuits, we are able to use these same resources and processes to limit the data being exported, and to anonymize or pseudo-anonymize the data before transport. However, all this infrastructure and added work is costly, which in turn greatly increases the overall cost of each matter.
Last year, the US Federal Trade Commission (FTC) carried out four enforcement actions under the Asia-Pacific Economic Co-operation Cross-Border Privacy Rules System (APEC CBPR). Can you explain the significance, if any, of these enforcements?
The APEC CBPR system facilitates legally legitimate data transfers between APEC member economies through a voluntary, enforceable mechanism, which certifies companies as being compliant with the APEC CBPR program requirements. The APEC CBPR system is based on nine data privacy principles taken from common elements typically found in the privacy regulations across the region and the globe. These are: preventing harm; notice; collection limitation; uses of personal information; choice; integrity; security safeguards; access and correction; and accountability.
Companies that seek to participate in the APEC CBPR system must undergo a review by an APEC-recognized accountability agent, which certifies companies that meet the standards. The companies that were the subject of the FTC enforcement actions, however, were not and had never been certified. In the US, one of the regulator’s primary focuses regarding data privacy is to ensure companies actually are doing what they say they are doing in their privacy policies and other representations to consumers.
By making deceptive statements that they participated in the APEC CBPR, the companies violated the FTC Act. The commission also found that some of the companies falsely claimed that they were participants in the third-party privacy certification program sanctioned under the CBPR program. Under the terms of the settlements with the FTC, these companies are now prohibited from misrepresenting their participation, membership or certification in any privacy or security program sponsored by a government, self-regulatory or standard-setting organization.
The APEC CBPR is a self-certifying framework based on trust and it only works to protect data subjects if the system has some enforcement teeth behind it to ensure that those who represent their compliance with it are actually trustworthy. The enforcement actions are significant as they exhibit the US’s commitment to the program. I am sure other regulators across the region will follow along with their own in due time.
Now that Europe’s General Data Protection Regulation (GDPR) is in effect, what have you observed in terms of ready compliance as opposed to non-compliance and general confusion about the regulation, particularly in Asia?
Nobody is in full compliance with GDPR, even across the EU. But this is OK, and is generally understood. I have had many conversations with various data protection authorities across the EU and Asia, and none of them expect companies to be 100% compliant with the black letter of the law at this point.
What they do expect is good-faith efforts, and that companies have a comprehensive understanding of what personal data they are collecting, processing and using, for what purposes they are doing so, and on what legal basis. These are the core requirements of GDPR, and can be found most clearly in the article 30 record-keeping requirements.
Where companies are most likely to run afoul in these early days is if they are unable to answer these basic questions. Beyond this, they should be able to comply with the several enumerated data subject rights that are found in the GDPR, and have a comprehensive data breach response plan. This latter requirement, like many others, is directly in line with many domestic cyber security and privacy laws across Asia, so most companies should already have these in place.
The above core components should be the easiest to meet. It is the nuances of the definitions of terms that seem to be leading to the most confusion, especially at the operational level. The GDPR is very broad in its application, covering all industries, all data uses, and all data types in one single regulation. Because of this it needs to be very vague in many of its terms, and offers little practical guidance for companies seeking to be compliant.
A good example is the right to be forgotten, commonly called the right to erasure, under article 17. Here the law states that data subjects should have the right to request the erasure of their data when they no longer wish to share it with the data controller or their processors. While this right is subject to some limitations, there is little to no guidance for companies as to what the term “erasure” actually means.
Are companies actually required to scrub every bit and byte of data relating to the data subject from all their systems, including internal emails about them and data found in disaster recovery systems? Or is masking them from appearing in customer management and transactional databases containing purchase history sufficient? How do companies erase every trace of personal information for long-term employees who leave the company and request erasure? These are seemingly simple legal theories that will prove very difficult to decipher at the technical IT system level, and erasure is only one.
With hacking and cyberattacks now so commonplace and at times incredibly well structured, are there any real guarantees that sensitive data can be protected with safety?
Of course there are no guarantees that any data can be protected. Some of the most sophisticated systems in the world have already been hacked.
However, there are real steps companies can take to reduce the availability of sensitive data to malicious attackers who get into their systems, and to reduce the likelihood of harm and liability.
One such step is improvement in their information lifecycle governance by ensuring the company does not retain personal information any longer than is required for its current business activities or by law. The large bulk of cyberattacks are successful because the attackers were able to access old sensitive data that were left lying about on shared drives or local computers.
There is no use in spending millions of dollars to lock down and routinely test the security of your core data systems, such as your HR database, if you are going to routinely let users download massive exports from these systems and store those on less protected open environments, especially when they are retained long after their useful lifespan.
Many companies have large caches of backup tapes that go back many years, are not encrypted, and that store highly sensitive core business data and personal information. GDPR, and local privacy frameworks modelled after it, attempt to address these issues by requiring that companies only keep personal data for as long as needed for the original purpose for which it was collected, and no longer.
This alone will have a very large impact on improving security.
David White specializes in information life cycle governance, with a focus on electronic discovery, data privacy and security, litigation analytics, and regulatory compliance. He is a former Am Law 100 commercial litigator with more than 20 years of experience in assisting companies in complex litigation and regulatory investigations in the areas of electronic discovery, data analytics, compliance audits, data breaches, and forensic investigations. He is also a certified Six Sigma Green Belt and uses lean Six Sigma and project management methodologies to develop and implement cost-effective and efficient compliance protocols.