Extraterritoriality in Data Transfers: Are you sharing it correctly?
In light of heightened global restrictions on cyber practices and data privacy, businesses are often left confused about the implications of transferring data to their offshore operations. In this vein, we ask: are your data practices actually compliant?
Cross-border Data Sharing and its Challenges
The COVID-19 pandemic has upended the way organizations handle their sensitive data. With international travel at a standstill, many organizations have greatly expanded their use of digital information sharing. This poses problems for companies interacting with clients domiciled in nations where electronic communication is subject to government surveillance or where local data storage is insecure. Those needing to share data with companies in countries with high data-risk profiles are now obliged to create specific protocols aimed at preventing data leakage and the accompanying loss of integrity and reputation.
Privacy: A Conflict in International Regulation
When companies discuss recent changes in the data privacy landscape, their thoughts most commonly turn to new laws such as the EU’s GDPR or California’s CCPA. But new consumer protection laws are not the only major development companies should be thinking about. Over the last decade, many countries have implemented privacy-intrusive security laws that require companies to share certain sensitive information with government entities. Many locales that were previously thought to be “safe” for data sharing, such as India, are in the process of drafting legislation that substantially broadens the extent to which governments can access and surveil personal and nonpublic data. While we anticipate these laws to be used sparingly, companies must be mindful that government surveillance within one country may be defined as a data leak in another. At the crux of the matter, when and if such an information leak occurs, there is potential for substantial property and reputational damage. While companies generally perform due diligence reviews on the clients and partners with whom they share data, they must also be aware of the discrepancies in law for the region in which the client is domiciled. For instance, Russia requires all personal data of its citizens to be stored on domestic servers and requires data to be decrypted when requested by security agencies. Similarly, China often mandates a joint partnership with domestic entities who can be legally bound to share foreigners’ intellectual property and / or data with local government. Companies must be aware of these geopolitical risks and enact appropriate countermeasures to prevent the unwanted exposure of private data. Without the adoption of appropriate risk-mitigation measures, companies will face a sharply reduced scope for data sharing.
Data Protection v. Data Privacy
Many companies believe that the more common cybersecurity frameworks widely used in Western companies (NIST, ISO, etc.), which focus on protecting data from targeted hacks, are enough to protect personal and non-public data. While this is certainly important and often mandated by law, it does not suffice in the context of the extraterritoriality and cross-border data flow challenge. Companies must also be aware of the risks of sharing their proprietary information with clients or partners located in countries whose privacy laws would be inadequate for protecting consumer data under other regulations to which the company may be subject. That is, compliance with Russian or Chinese local law, for instance, may place companies in breach of laws such as the GDPR. The largest of these risks come in two principal forms: risks of restriction in data flow and risks to data in storage.
Risk of Data Restriction
Nations such as China have passed security laws that regulate how data can be transferred into and out of the country. In practice, this means directing all incoming / outgoing data through government servers that can regulate to which IP addresses the transmission is sent. While the Chinese government is not yet able to fully control all data transmission, it has established a “whitelist” of foreign IP addresses which are permitted to connect to Chinese domestic networks, and a similar whitelist of domestic IP addresses (mostly corresponding to designated telecom providers) that can receive information from foreign sources. All IP addresses which are not on the whitelist are blocked. Since many companies use VPNs which are hosted on non-Chinese servers, they are often unable to send information securely to their clients or partners in China without using an approved domestic server or in-person communication. These risks of restriction to the data flow upon which companies depend are not limited to the countries from which we have come to expect conflicting protection / privacy laws. In July 2020, the European Court of Justice (ECJ) struck down the EU-US Privacy Shield, an agreement that allowed for a freer flow of information between companies in the EU and US based on a voluntary commitment to uphold certain protections. Stating that US "surveillance programmes [...] are not limited to what is strictly necessary," the European Court of Justice decided that American law does not adequately protect the personal information of Europeans. This subsequently informed the Schrems II decision, which upheld that European companies can no longer transfer data to US-domiciled servers without employing contractual clauses specifying that data shipped to the US must be subject to protections as stringent as those in the EU.
It comes as no surprise that this poses significant problems for companies whose current operations rely on freely sharing data across borders and entities.
Risks in Data Storage
Data transmission restrictions would not be a problem if third-party data storage providers in risky countries could guarantee data confidentiality. However, domestic servers in nations like China and Russia are subject to laws that require their operators to submit user data upon government request. For example, Russia requires that Telegram, a popular secure messaging service, keep all of its users’ encryption keys and submit them to government agencies when asked. This leads to our second risk: information given to a local partner may be subject to surveillance or seizure, a downstream data transfer for which companies subject to Western privacy law must account. This risk is particularly significant in countries with conflicting legal systems that can be easily exploited by domestic corporate or government interests to seize data from potential competitors. While seemingly uncommon, recent privacy events have shown that companies as diverse as Apple, Disney, and Cisco have been affected by privacy loss in similar circumstances. One example of note is China’s data localization law, which required Apple to partner with a local cloud services company, GCBD, to store all user content uploaded as part of its iCloud service. According to the terms of service, “Apple and GCBD have the right to access your data stored on its servers. This includes permission sharing, exchange, and disclosure of all user data […].” Any Chinese company using Apple services such as iCloud could have its data (and potentially its foreign partner company’s data) stolen at will. Apple’s experience demonstrates that companies must factor in the requirements of local laws and the integrity of the legal system when evaluating the risks of vendors and clients.
Keeping your data safe extraterritorially can be challenging, particularly given the changing regulatory landscape. However, with the proper use of electronic tools and well-governed data policies, any organization can mitigate or remove the risk of operating in jurisdictions with conflicting data protection and privacy standards.
How Sia Partners can Help
Sia Partners has extensive experience helping organizations enact best practices in cybersecurity. With market-leading expertise in Cyber Risk Management and Data Privacy, Sia Partners can help your organization draft an information security policy that fits your needs. Our global consultancy practice can assist with third-party risk assessment, compliance with privacy laws in multiple jurisdictions, and integration of the latest cybersecurity tools into your daily workflow. In addition, Sia’s Cyber e-Learning platform can help turn your organization’s employees into cybersecurity professionals, as well as build resilience and practical know-how for crisis situations. We also offer proprietary AI tools to help your organization monitor and adapt to emerging cybersecurity threats. With 100+ projects delivered, Sia Partners has extensive experience helping companies reinforce their Privacy Policies, Procedures, and Standards. Additionally, our Centers of Excellence have developed technical AI solutions to support the maturity of your organization’s Privacy Program.
Our Reg Review solution uses AI to help compliance and risk teams navigate challenges like regulatory inflation, technicalities, increased regulator monitoring, managing local specificities, strengthening teams, and more.
Data Protection / Privacy Tools
Data Privacy vendor screening
Data analytics for stored and deleted personal information
Cybersecurity training and testing
Learn more about our Data Privacy offering
Business Transformation Cyber Services
Gap assessment / risk analysis
Individual rights management (end-to-end)
Integration of Privacy management solutions and tools
Third-party risk assessments and controls