International: EU-US cross-border data transfers
Transfers of personal data to third countries which do not provide an adequate level of protection for personal data are prohibited under the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'). However, the Swiss-US Privacy Shield Framework and the EU-US Privacy Shield Framework ('the Privacy Shield') allow companies in the US and EU to comply with data protection regulations when transferring personal data across borders. Aaron P. Simpson, Jonathan Wright, and Maeve Olney, from Hunton Andrews Kurth LLP, provide an overview of the currently approved mechanisms available for cross-border transfers of personal data, and discuss the pros and cons of data transfer restrictions and data localisation requirements.
Global data flows and connectivity are creating unprecedented economic opportunities. Cross-border data access, usage, and exchange are essential to economic growth in the digital age. The free flow of data allows businesses and consumers to access the best available technology and services, irrespective of where they are located. Routine business activities, such as providing goods or services, managing a global workforce, and maintaining supply chains, require the transfer of data among corporate locations and to service providers, customers, and others located across the globe. The ability of organisations to move data freely is as critically important as it is inexorably linked to the growth and success of the global economy.
The world's population in 2019 is estimated to be 7.7 billion people[1]. As of 30 June 2019, the number of internet users was estimated at 4.5 billion, which represents 58.8% of the world population[2]. The number of internet users around the world has grown by more than 1.9 billion since 2014, which represents an increase of more than 75% in just five years[3]. These unprecedented levels of internet access and connectivity have led to the rapid growth of the data economy. Whether directly, or by indirectly taking advantage of global-scale data infrastructure, such as cloud computing, global connectivity has enabled cross-border economic activity, allowing individuals, start-ups, and small businesses to participate in global markets. Progress in today's digital economy demands that huge amounts of electronic data flow seamlessly across jurisdictions. A recent study found that while global flows of goods and finance are flattening, cross-border data flows grew 45 times larger between 2005 and 2014[4]. The same study found that global data flows raised global gross domestic product by approximately $2.8 trillion in 2014[5], a figure that could reach $11.1 trillion by 2025[6].
Despite the countless benefits of permitting the free flow of data across international borders, a number of countries, and political unions in the case of the EU, have implemented legal restrictions on cross-border data transfers. Transfer restrictions have been imposed to combat indiscriminate foreign government surveillance for national security and law enforcement purposes. Other restrictions are grounded in government efforts to strengthen domestic industry and support national companies.
Ultimately, however, instead of creating jobs and boosting economies, these restrictions tend to reduce efficiency, increase costs to local businesses, and block access to customers abroad. In addition, they prevent local consumers from obtaining the products and services of their choosing. With the increase in data-driven organisations, restrictions on cross-border transfers may isolate domestic economies from the growth potential associated with the digital economy. The free flow of data does not just benefit data-driven organisations, it is also essential to traditional businesses such as manufacturers, health care providers, and financial institutions. These types of organisations may not develop internet-enabled products, but they rely on the internet to sell and market their products, process transactions, and manage their workforces.
Restrictions on cross-border data transfers
The ability to effortlessly move huge quantities of data across international borders raises a number of privacy concerns and can undermine existing data protection requirements on the exporting side of the transfer. This creates an incentive for countries to implement transfer restrictions, and there is a growing trend toward doing so. Data transfer restrictions generally fall into two categories:
- cross-border data transfer restrictions; and
- data localisation rules.
Cross-border data transfer restrictions permit an organisation to transfer data only to jurisdictions that are deemed to adequately safeguard personal data, or put other protective measures in place, before transferring data out of the country of origin. In contrast, data localisation rules are more onerous and impose a greater administrative burden on global organisations by requiring the data, or a copy of the data, to be stored locally on servers in the country of origin. Accordingly, cross-border transfer restrictions tend to be more efficient and less economically disruptive. That said, many cross-border data transfer mechanisms currently in place and widely used were established prior to the digital revolution, and thus were not crafted to address the manner in which data flows.
The EU was an early adopter of data transfer restrictions, embedding the concept in the Data Protection Directive 95/46/EC ('the Directive'). The GDPR replaced the Directive in May 2018 but preserved the general prohibition on transfers of personal data to third countries that do not provide an adequate level of protection for personal data. The European Commission may make a determination that a third country or territory outside the EU ensures an adequate level of data protection by reason of its domestic law or the international commitments to which it adheres. This is a determination of 'essential equivalency.' To date, only 13 countries have been formally recognised by the European Commission as providing adequate protection for personal data[7]. As a result, personal data may flow freely from the EU to only these 13 countries. The adequacy finding for the U.S. is limited to personal data transfers covered by the Privacy Shield. Over 5,000 companies have certified to the Privacy Shield, which was implemented in 2016 and replaced the Safe Harbor, which was created in 2000. These companies rely on this certification as a mechanism to freely transfer personal data from the EU or Switzerland to their Privacy Shield-certified U.S. entities.
If the receiving entity is not in an 'adequate' country, the EU exporter must use an approved data transfer mechanism to transfer personal data to that entity. The European Commission has approved Standard Contractual Clauses ('SCCs') as one means of ensuring adequacy. The SCCs are by far the most ubiquitous transfer mechanism relied upon as they are inexpensive and quick to put in place. SCCs are a carryover from the Directive and their utility is increasingly being called into question. They generally work optimally for linear transfers of data, but their rigid structure is often not well suited to the web of data transfers and onward transfers between service providers and subcontractors, which frequently occur on a fluid basis, particularly in the context of cloud-based platforms. In addition, there are no clauses that permit data transfers outside the EU between data processors.
An alternative to SCCs is Binding Corporate Rules ('BCRs'). BCRs are an internal set of rules, or code of conduct, based on EU data protection principles which organisations develop and follow voluntarily to ensure adequate safeguards for personal data transferred outside of the EU to non-EU group entities. BCRs must be approved by EU data protection authorities, and the approval process can be lengthy and expensive. For this reason, as of May 2018, only 131 multinational organisations had adopted BCRs. The GDPR also permits transfers to a third country or international organisation where there is an approved code of conduct or certification in place. To date, however, no such codes of conduct have been approved.
More recent calls for increased data transfer restrictions can be traced to high-profile revelations regarding government surveillance. In 2015, the European Court of Justice ('CJEU') invalidated the US-EU Safe Harbor framework[8]. In the case known as 'Schrems I,' the Safe Harbor framework was held to be invalid on the basis that U.S. legislation did not limit interference with an individual's rights to what is strictly necessary. The Safe Harbor framework had been in place for 15 years, with more than 4,500 certified organisations. Certified organisations were forced to find alternative transfer mechanisms to allow the continued flow of data to the U.S. following this invalidation. For the most part, organisations fell back on the SCCs to permit the continued transfer of data to the U.S., or later turned to the Privacy Shield, which was developed in response to the Schrems I decision.
More recent calls for increased data transfer restrictions have arisen again through the 'Schrems II' case. The fundamental issue before the CJEU is whether the ability of U.S. law enforcement agencies to access the personal data of EU citizens transferred to the U.S. in the context of commercial transactions contravenes EU data protection laws, and whether the SCCs are invalid for failing to sufficiently safeguard EU data protection rights. During the hearing, counsel for Schrems also requested that the Privacy Shield be declared invalid, and there were intense debates regarding the level of data protection provided under the Privacy Shield. The CJEU's judgement is not due until the first half of 2020, and it could cause a real earthquake in the EU data protection landscape, as it may result in the invalidation of the SCCs, the mechanism that is almost universally used in practice to legitimise transfers of personal data from the EU to non-EU countries. There is also a risk that the CJEU's decision on the broad questions that were referred to it may impact the validity of the Privacy Shield. Accordingly, the outcome of Schrems II may have serious consequences for EU data transfers and the global economy, especially since the only real alternatives to SCCs are the Privacy Shield, which applies only to transfers to the U.S. and is itself potentially at risk, BCRs, and the GDPR derogations[9], which apply only in limited circumstances. As such, in the absence of SCCs, most organisations would be forced to turn to BCRs, which are generally suitable only for those groups with more mature privacy frameworks in place. BCRs also typically legitimise transfers of data only within the same group of companies, so businesses with BCRs will still need to find other solutions to transfer personal data outside of their group, for example, to service providers.
Though data transfer restrictions offer the benefit of enhanced protections for data whilst moving as part of the global economy, they still restrict the free flow of data and impose administrative and financial burdens on organisations. Ensuring that business operations comply with applicable data protection laws can be prohibitively expensive. For example, data transfer restrictions raise the spectre of financial burdens associated with building bespoke data storage centres to accommodate national laws. Some organisations in the EU have had to invest significant resources to restructure their IT systems to restrict personal data originating in the EU from being transferred to 'non-adequate' jurisdictions in violation of the GDPR. On the flip side, some U.S. based businesses have chosen to avoid capital investments in the EU because the GDPR's onerous compliance requirements discourage the establishment of subsidiaries or offices in EU member states. When businesses are discouraged from entering or investing in new markets, consumers and businesses alike may be deprived of access to world-class products and services.
Data localisation requirements may apply broadly to all personal data processed in-country, or may be sector-specific and apply only to certain types of data, such as health or financial data. Data localisation requirements typically impose either an outright ban on transferring data out of the country, or a requirement to build or use local infrastructure and servers to store personal data, allowing copies of the data to be transferred out of the country of origin provided the original data remains in-country. From a policy perspective, there is a growing trend towards data localisation rules, and certain jurisdictions have proposed or enacted data localisation requirements on the basis of data security concerns and local economic stimulation efforts. For example, China's Cybersecurity Law 2016, which came into effect on 1 June 2017, and Vietnam's Law on Cybersecurity No. 24/2018/QH14 both contain localisation requirements, and India is currently considering a draft data protection bill, the Personal Data Protection Bill, 2018 (27 July 2018), that would contain a localisation requirement. India currently has data localisation requirements applicable to financial data, and the draft data protection bill considers applying data localisation rules more broadly, such as a mandate that a copy of all personal data be stored in India.
Those in favour of data localisation restrictions believe there are a number of cognisable benefits to implementing such restrictions. As a result, there have been a number of localisation proposals around the world. Those in favour argue that localisation restrictions result in:
- enhanced national security by providing ready access to data;
- increased data security; and
- the promotion of domestic industry and job protection through stimulation of the local economy.
Whether in response to national security surveillance concerns, a desire to protect domestic industry, or some combination thereof, these proposals are based on a number of false assumptions and ultimately fail to meet the stated goals.
The suggestion that data localisation requirements promote domestic industry is inaccurate – these restrictions have the opposite effect. Localisation restricts the ability of organisations to compete in the global marketplace by limiting access to the global supply chain. Data localisation requirements also wall off domestic businesses from billions of potential customers outside of the home country's borders. The effect of this isolation is that it also reduces investment and access to capital and customers. Accordingly, rather than stimulating economic growth, data localisation requirements may instead result in real economic costs. A study conducted by the European Centre for International Political Economy, looking at the effects of proposed or enacted legislation in seven jurisdictions, found that the introduction of data localisation requirements across all sectors of the economy would result in GDP losses as follows: Brazil (-0.8%), the EU (-1.1%), India (-0.8%), Indonesia (-0.7%), and Korea (-1.1%)[10].
Another myth regarding data localisation requirements is that they increase security. The reality is that data security depends on a plethora of controls and a system's overall reliability and resiliency, not simply the physical location of a server. Consolidating data in one region could give rise to concentrated 'sites of attack' vulnerable to destruction, corruption, inconsistent regional infrastructure, and natural disasters. In addition, data localisation could hurt domestic industry by forcing organisations to rely on local storage providers. While this may promote the growth of the local data centre and cloud computing industry, as a matter of wider public policy such an approach is myopic at best. These local providers may lack the resources to properly protect data, and they often require local businesses to expend more capital than would flexible cloud storage options offered by experienced operators based in other jurisdictions. Competitiveness, not protectionism, will yield positive outcomes in the long term, and economic growth is better served by organisations that are able to leverage the most efficient and reliable services from around the world.
For these reasons, data localisation is a major threat to the free flow of data and, as such, detrimental to an efficient global information economy. Erasing data localisation barriers, in contrast, creates opportunities for shared prosperity. The US Chamber of Commerce found, in a 2016 study, that over the long term, global data liberalisation will generate hundreds of thousands of new jobs and billions of dollars in national cost savings, and ultimately will raise GDP in countries including South Korea (by $33.01 billion), Turkey (by $7.15 billion), Indonesia (by $29.38 billion), Vietnam (by $3.46 billion), Nigeria (by $23.43 billion), and the EU as a whole (by $275.57 billion). The study concluded that, over time, unlocking the flow of data across borders would lift the world's total GDP by $1.72 trillion[11].
Somewhat paradoxically, data transfer restrictions and data localisation requirements continue to proliferate in parallel with the growth of the digital global economy. These restrictions, though well-intentioned as a protective measure to help safeguard personal data, tend to reduce efficiency and create barriers to economic growth. The free flow of data benefits not only data-driven organisations, but also traditional businesses seeking to compete in the global marketplace. Legal restrictions on the movement of data, whether in the form of transfer restrictions or more stringent localisation requirements, threaten to impede economic growth in the 21st century.
1. Available at: https://www.prb.org/worldpopdata/
2. Available at: https://www.internetworldstats.com/stats.htm
3. Available at: https://datareportal.com/reports/digital-2019-global-digital-overview
4. Richard Dobbs et al., McKinsey Global Institute, Digital Globalization: The New Era of Global Flows (March 2016).
6. James Manyika and Michael Chui, McKinsey Global Institute, By 2025, Internet of things applications could have $11 trillion impact (July 2015), https://www.mckinsey.com/mgi/overview/in-the-news/by-2025-internet-of-things-applications-could-have-11-trillion-impact
7. The 13 countries that have received adequacy rulings to date are: Andorra, Argentina, Canada, Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Switzerland, Uruguay, and the U.S. for Privacy Shield-certified companies.
8. The Safe Harbor Framework was designed to facilitate data transfers from the EU to U.S. organisations that self-certified that they complied with the Safe Harbor framework, which essentially amounted to a public attestation that they complied with certain European privacy standards.
9. In the absence of an adequacy decision, or of appropriate safeguards (e.g., BCRs, SCCs), organisations can only make a transfer if it is covered by one of the 'exceptions' set out in Article 49 of the GDPR. Organisations should only use these as true 'exceptions' from the general rule that they should not make a restricted transfer unless it is covered by an adequacy decision or there are appropriate safeguards in place.
10. Matthias Bauer et al., The Costs of Data Localisation: Friendly Fire on Economic Recovery, ECIPE occasional paper number 3/2014 (May 2014).
11. U.S. Chamber of Commerce, Globally Connected, Locally Delivered: The Economic Impact of Cross-Border ICT Services (2016), https://www.uschamber.com/report/globally-connected-locally-delivered-the-economic-impact-cross-border-ict-services