AlixPartners director David White has investigated financial fraud as part of the US Department of Justice’s multi-agency bank fraud taskforce and has served as special e-discovery counsel for numerous multinational Fortune 100 companies. India Business Law Journal tapped his knowledge on data localization and other protection issues
Explain data localization, how it may apply to companies large and small, and why in-house counsel and law firms need to be familiar with its implications?
Data localization refers to legal requirements that data be stored within a certain jurisdiction. These requirements come in a number of different flavours, each driven by a different motivation.
The motivations can be based on national security and defence, cyber security and crime prevention, anti-terrorism and government surveillance, data privacy and protection of citizens, or quelling political dissent and opposition.
The types of data that are required to be maintained in the jurisdiction, and the way the data must be maintained, is typically driven by the underlying motivations. For example, law protecting national security and defence typically prohibits the export of any data that falls within the definition of the regulations. China’s state secret laws, which make the export of any state secrets a criminal act, are a well-known example. A lesser known example is the South Korean prohibition on the export of map data, though any foreigner who has tried to use Google Maps when navigating Seoul has felt their impact.
Where surveillance and law enforcement gain access to information is the driving motivation, be it for anti-terrorism, stopping cybercrime or quelling dissent, and the laws typically apply to telecoms and internet service provider data. Rather than prohibiting export, they also tend to only require that a copy remains within the jurisdiction. Laws focused on data privacy and consumer protection tend to allow export, but with caveats that data will be properly protected after they are transported out of the country.
How do Asian jurisdictions compare with the US or elsewhere with regard to data localization requirements?
The US tends to be more open when it comes to the free movement of data, and there are very few localization laws in the US. Anti-espionage and national defence export control laws are really the only ones, and even there the restrictions are more focused on preventing access to information by foreign nationals rather than the export of the information.
The definitions of the controlled information are also more clearly defined in the US. On the flip side, in China the definition of exactly what constitutes a state secret is very vague. The law does provide a very narrow list of items that could potentially be considered state secrets, but then follows with a catch-all provision that includes all “other matters that are classified as state secrets by the national State Secrets Bureau”, with no limitation on what those matters might in fact be.
The outcome is that this vague “state secrets” label allows the government to choose which potential violations to prosecute and which to ignore. In addition to state secrets laws, China also has a wide range of sectoral laws at both the national and regional level that prohibit the exports of all sorts of data types. These range from bank account records, health information, accounting records, online payments, credit references and financial transactions, to name but a few.
These latter types of topical localization laws are commonly found across Asia, but are not found in the US. They also include the previously mentioned requirements that copies of certain telecoms and ISP data remain in the country, bans on the removal of mapping data, data relating to critical infrastructure, and even ride-share data.
Finally, we are also seeing an uptick in some countries trying to protect their technology sectors by requiring that certain hardware and infrastructure systems remain in the country if providing services there, and effectively limiting the use of foreign cloud service infrastructure. These are not localization laws, so to speak, but in the end they have the same impact. If the servers must be maintained in country, so too must the data stored on them.
In India, the government has set up the BN Srikrishna Committee to enact a data protection and privacy law. What elements should the proposed law have for it to be suitable for Indian companies?
It is important for the committee to not just copy the privacy frameworks of other jurisdictions and to forge a path that is suitable for the unique legal, social, and economic needs of India. Unlike in many other jurisdictions, privacy is considered a fundamental right under the Indian Constitution, and Supreme Court rulings have reinforced this notion.
My understanding is that they have set off to find a middle road between the strict European GDPR regime and the less strict US laws with regards to the export of personal information outside of India. The new law is expected to contain some data localization requirements, but they will likely be limited to sensitive personal data such as medical history, religious and political affiliations, sexual identity, and criminal records.
Does India need a federal office for privacy and data protection – a body with cross-border regulatory powers like the Competition Commission of India (CCI)?
Yes, I believe it does. Data has to be able to move about freely in order to encourage and support responsible economic growth without harming the fundamental rights of citizens to protect their privacy. This is not possible in India, or in any country, unless there is a central regulatory body that can harmonize, interpret, and enforce the new regulatory framework that is to be proposed.
In the US, the Federal Trade Commission has stepped in to fill this role, and in the EU, it is the European Commission in concert with local member state data protection authorities. I expect the establishment of a similar central authority will be a very important component of the new bill, if it is to succeed at the national level. In fact, a proposed draft bill submitted to the committee by an Indian NGO formed by local privacy attorneys and advocates has suggested the formation of a privacy commission whose members will be appointed by the president. The commission would stand as the supreme body in judging matters of data privacy violations and approving requests regarding the collection, storage or processing of personal data. The draft bill also proposed the appointment of a director general of surveillance and interception reform apart from a number of other additional, joint, deputy or assistant directors general and other such officers. It remains to be seen to what extent the commission will adopt the proposed framework.
How do tighter requirements impact business operations in these jurisdictions with regard to international investigations, legal disputes and compliance obligations?
I’ve worked with many companies throughout the region both in building proactive compliance programs for privacy and other regulatory schemes such as anti-corruption and anti-money laundering, and in responding to internal investigations, lawsuits and regulatory inquiries. In each and every instance I have only seen that the tighter localization requirements greatly increase costs.
On the operational side, the requirement that certain data types must remain in specific geographic locations prevents the economy of scale that can be realized by leveraging global corporate resources and infrastructure, and the cloud hosting environment of large service providers. In many instances, companies have to set up separate data centres just to house the local data, and re-engineer their internal workflow to accommodate these needs.
On the investigations front we have also set up regional data centres across Asia, and the rest of the globe, specifically to deal with data localization laws. These allow us to collect, process and review data locally without the need to transfer it across borders. Where we must transfer data to respond to foreign regulatory investigations or lawsuits, we are able to use these same resources and processes to limit the data being exported, and to anonymize or pseudo-anonymize the data before transport. However, all this infrastructure and added work is costly, which in turn greatly increases the overall cost of each matter.
Now that Europe’s General Data Protection Regulation (GDPR) is in effect, what have you observed in terms of ready compliance as opposed to non-compliance and general confusion about the regulation, particularly in Asia?
Nobody is in full compliance with GDPR, even across the EU. But this is OK, and is generally understood. I have had many conversations with various data protection authorities across the EU and Asia, and none of them expect companies to be a 100% compliant with the black letter of the law at this point.
What they do expect is good-faith efforts, and that companies have a comprehensive understanding of what personal data they are collecting, processing and using, for what purposes they are doing so, and on what legal basis. These are the core requirements of GDPR, and can be found most clearly in the article 30 record-keeping requirements.
Where companies are most likely to run afoul in these early days is if they are unable to answer these basic questions. Beyond this, they should be able to comply with the several enumerated data subject rights that are found in the GDPR, and have a comprehensive data breach response plan. This latter requirement, like many others, is directly in line with many domestic cyber security and privacy laws across Asia, so most companies should already have these in place.
The above core components should be the easiest to meet. It is the nuances of the definitions of terms that seem to be leading to the most confusion, especially at the operational level. The GDPR is very broad in its application, covering all industries, all data uses, and all data types in one single regulation. Because of this it needs to be very vague in many of its terms, and offers little practical guidance for companies seeking to be compliant.
A good example is the right to be forgotten, commonly called the right to erasure, under article 17. Here the law states that data subjects should have the right to request the erasure of their data when they no longer wish to share it with the data controller or their processors. While this right is subject to some limitations, there is little to no guidance for companies as to what the term “erasure” actually means.
Are companies actually required to scrub every bit and byte of data relating to the data subject from all their systems, including internal emails about them and data found in disaster recovery systems? Or is masking them from appearing in a customer management and in transactional databases containing purchase history sufficient? How do companies erase every trace of personal information for long-term employees who leave the company and request erasure? These are seemingly simple legal theories that will prove very difficult to decipher at the technical IT system level, and erasure is only one.
With hacking and cyber attacks now so commonplace and at times incredibly well structured, are there any real guarantees that sensitive data can be protected with safety?
Of course, there are no guarantees that any data can be protected. Some of the most sophisticated systems in the world have already been hacked.
However, there are real steps companies can take to reduce the availability of sensitive data to malicious attackers who get into their systems, and to reduce the likelihood of harm and liability.
One such step is improvement in their information lifecycle governance by ensuring the company does not retain personal information any longer than is required for its current business activities or by law. The large bulk of cyberattacks are successful because the attackers were able to access old sensitive data that were left lying about on shared drives or local computers.
There is no use in spending millions of dollars to lock down and routinely test the security of your core data systems, such as your HR database, if you are going to routinely let users download massive exports from these systems and store those on less protected open environments, especially when they are retained long after their useful lifespan.
Many companies have large caches of backup tapes that go back many years, are not encrypted, and store highly sensitive core business data and personal information. GDPR, and local privacy frameworks modelled after it, attempt to address these issues by requiring that companies only keep personal data for as long as needed for the original purpose for which it was collected, and no longer.
This alone will have a very large impact on improving security.
DAVID WHITE specializes in information life cycle governance, with a focus on electronic discovery, data privacy and security, litigation analytics, and regulatory compliance. He is a former Am Law 100 commercial litigator with more than 20 years of experience in assisting companies in complex litigation and regulatory investigations in the areas of electronic discovery, data analytics, compliance audits, data breaches, and forensic investigations. He is also a certified Six Sigma Green Belt and uses lean Six Sigma and project management methodologies to develop and implement cost-effective and efficient compliance protocols.