Deciphering data privacy


AlixPartners director David White has investigated financial fraud as part of the US Department of Justice’s multi-agency bank fraud taskforce and has served as special e-discovery counsel for numerous multinational Fortune 100 companies. India Business Law Journal tapped his knowledge on data localization and other protection issues

Explain data localization, how it may apply to companies large and small, and why in-house counsel and law firms need to be familiar with its implications?

Data localization refers to legal requirements that data be stored within a certain jurisdiction. These requirements come in a number of different flavours, each driven by a different motivation.

The motivations can be based on national security and defence, cyber security and crime prevention, anti-terrorism and government surveillance, data privacy and protection of citizens, or quelling political dissent and opposition.

The types of data that are required to be maintained in the jurisdiction, and the way the data must be maintained, is typically driven by the underlying motivations. For example, law protecting national security and defence typically prohibits the export of any data that falls within the definition of the regulations. China’s state secret laws, which make the export of any state secrets a criminal act, are a well-known example. A lesser known example is the South Korean prohibition on the export of map data, though any foreigner who has tried to use Google Maps when navigating Seoul has felt their impact.

Where surveillance and law enforcement gain access to information is the driving motivation, be it for anti-terrorism, stopping cybercrime or quelling dissent, and the laws typically apply to telecoms and internet service provider data. Rather than prohibiting export, they also tend to only require that a copy remains within the jurisdiction. Laws focused on data privacy and consumer protection tend to allow export, but with caveats that data will be properly protected after they are transported out of the country.

How do Asian jurisdictions compare with the US or elsewhere with regard to data localization requirements?

You must be a subscriber to read this article, or you can register for free to enjoy the current issue.