Beyond adequacy: working together to ease multi-jurisdictional privacy compliance
International trade in digital goods and services relies on the sharing of data across borders. As an increasing number of countries introduce and update data protection laws, complying with requirements across jurisdictions is becoming increasingly complex. Cross-border data governance is a significant, and seemingly ever-growing, cost of doing business.
Diverging approaches between countries are, of course, to be expected, given differences in sociocultural norms surrounding privacy and the extent to which governments are expected to protect personal data. Europeans, for example, see privacy through a human rights lens. In the United States, the principal concern has historically been consumer protection and cybersecurity.
However, the digital economy relies on interoperability – not just of digital technology but of the legal frameworks and technical standards that govern its operation. It is not easy to build software, policies and processes that comply with data laws in multiple jurisdictions.
Managing data across borders
Since its introduction, the GDPR has been widely regarded as setting the high-water mark for data protection. Many multinational companies have therefore elected to operationalise GDPR requirements globally, implementing GDPR-based data governance programmes which meet or exceed many of the requirements of other privacy regimes. This has given rise to the "Brussels Effect", with the GDPR having an impact well beyond the borders of the EEA. For companies, taking the 'high-water mark' approach can keep compliance costs down by having a single set of operational processes, but may limit the extraction of value from certain data assets.
Some larger companies may instead adopt a federated data governance model, with a central data protection office at HQ and local privacy expertise spread out around the world to advise on jurisdiction-specific detail. This approach provides greater flexibility but demands a sizeable function of privacy expertise. In addition, the degree to which local differences can be implemented effectively is also affected by whether the systems and applications used by a company or group can accommodate regional adjustments, and whether data can be identified and segregated in line with applicable laws (which often do not limit their scope based on location of data or data subjects). Where adjustments for local laws cannot be implemented in a sufficiently targeted manner, companies are faced with risk decisions, or a "race to the top" from a layering of requirements from other laws applicable to them where these are not already met through GDPR compliance measures.
There are initiatives which seek to address part of this challenge by 'piggybacking' off existing technical standards and implementing privacy enhancing technologies. Software engineers and architects are typically comfortable working with ISO and similar standards. Where aspects of relevant data protection requirements have been embedded into such standards, the configuration of software settings (e.g. in a cloud deployment context) to comply with those technical standards will have the added benefit of supporting data compliance. This is the premise behind initiatives such as the Data Protection/Privacy Mapping Project, which maps ISO's new global privacy standard against aspects of data protection laws in over 20 jurisdictions. Such initiatives may be of particular assistance in relation to technical and operational measures that protect data – for instance through security measures, encryption techniques and access protocols. While helpful tools, they are not a panacea for privacy compliance.
Given the challenge faced by companies of all sizes in keeping up with the evolving patchwork of data protection regimes, regulatory cooperation to harmonise certain requirements would be a true 'dial mover' in removing barriers to trading and operating in the cross-border digital economy. This is particularly the case in sectors that are already highly regulated and rely heavily on the free flow of data across international borders, such as fintech and healthtech. The EU's approach to facilitating international transfers of personal data, with heavy reliance on centrally issued adequacy decisions and company-led risk assessments, creates real challenges for companies that are left having to assess an array of laws and practices in a myriad of countries and would create a spiderweb of decisions if the approach were adopted internationally.
The cloud industry is leading harmonisation efforts through codes of conduct, with the recent emergence of, for example, the EU Cloud CoC, the CSA CoC and the IaaS-focussed CISPE CoC. By bridging legal compliance and technical configuration through a common vernacular, the compliance burden is eased and barriers to entry are lowered, to everyone's benefit. These early efforts remain focussed on GDPR compliance, but the concept can be scaled to promote regulatory interoperability across jurisdictions. Regulatory coherency is high on the agendas of the OECD, the United Nations, the World Trade Organization, the World Bank and the World Economic Forum. However, few attempts to harmonise regimes go beyond high-level principles and recommendations.
Next to EU legislation, such as the GDPR, perhaps the most concrete example of international cooperation in relation to privacy requirements is the Cross-Border Privacy Rules (CBPR), created by the Asia-Pacific Economic Cooperation Forum (APEC) – an organisation founded on the need to integrate a diverse constituency of countries. The CBPR established a non-treaty framework based on mutually agreed privacy principles and operates through company certification and ongoing monitoring by accountability agents. Cobun Zweifel-Keegan describes the foundational idea behind the CBPR as follows: "[b]aseline data protection standards across jurisdictions can be interoperable without being equivalent". The CBPR is gaining traction, with the US, Taiwan and Australia having recently joined.
While companies can take steps to enhance and streamline their global data governance programmes, international regulatory cooperation in relation to privacy would make a real difference to the cost of compliance and make it easier for companies to provide digital services internationally.
Disclosures: James Wong is a data curator with the Data Protection/Privacy Mapping Project.