December 20, 2019
Over the last few weeks, Noriswadi Ismail, Managing Director, Data Privacy, Ankura has been meeting clients, industry bodies, and fellow data privacy and cybersecurity professionals in China, India, and Indonesia. Having examined the impact of evolving data localisation rules on global organisations, he shares his observations on current developments, key challenges, and opportunities.
INTRODUCTION – LOCALISATION GOES GLOBAL
It may sound like a paradox, but data localisation is becoming an increasingly global challenge as national regulators recognise the need for certain types of data to be stored locally and seek to better control cross border data transfer.
For global companies operating across multiple countries and selling products and services that typically rely heavily on data, this creates a major challenge. How best can they comply with a variety of different and complex national regulations, while also managing their global operations efficiently and taking full advantage of emerging, data-driven technologies?
Before answering that question, however, let’s look in a little more detail at data localisation regulation in three key countries:
CHINA – GROWING WITHIN LIMITS
China’s Cybersecurity Law (CSL) became the region’s first national-level rules to address cybersecurity and data privacy protection. It requires organisations to store data within China, restricts its transfer outside the region, and allows Chinese authorities to conduct spot-checks on a company’s network operations. While the law has provided greater clarity, some uncertainty remains on how it will be enforced and what steps are required to achieve compliance. What is clear, however, is that many institutions that transmit data to overseas headquarters will need to restructure their mechanisms when operating in China. It also highlights that data localisation is often just as concerned with the transfer of data out of a country as with how it must be handled within it. Clearly, with China a huge growth market, multinationals are motivated to address compliance issues quickly and effectively.
INDIA – PICKING UP SPEED
India’s Data Protection Bill has already received plenty of attention, so the point to note here is its apparent acceleration, with the bill now set to be tabled in the current parliamentary session. This development is being closely followed by US tech companies concerned that new localisation requirements could create obstacles within a regulatory framework that is otherwise broadly aligned with the GDPR. The bill’s introduction should, however, provide greater certainty over areas relating to the protection of personal data and the growth of the digital economy.
Salman Waris, Partner and Head of the TMT & IP Practice at leading Indian law firm TechLegis, provides a legal perspective on the situation: “With the Personal Data Protection Bill having already been tabled before the Parliament during the ongoing winter session, it is expected that India would have a law sometime in the coming year. While the original draft document extensively borrowed from the GDPR, it went a step beyond, obligating companies to ensure data localization, and this was further complicated by the Reserve Bank of India Directive to the same effect with regard to Fintech companies. Of late, the government has indicated the possibility of another data legislation dealing with ‘community data’ comprising non-personal data that, if anonymised, could be commercialised.”
INDONESIA – KEEPING AHEAD OF TECHNOLOGY
As the largest IT spender in Southeast Asia and home to the world’s fourth-largest mobile market, it should come as no surprise that Indonesia is accelerating changes to its data privacy regulation. What was initially intended as an amendment to existing regulation has rapidly evolved into something bigger, with the October 2019 Implementation of Electronic Systems and Transactions regulation revoking and replacing previous government rules on the same subject.
Professor Abu Bakar Munir, data protection law expert and visiting professor at the Faculty of Law, Atma Jaya University, Jakarta, Indonesia notes that both the digital economy and international trade require data to flow and that therefore “a data localisation requirement can be regarded as a non-tariff barrier to trade in the digital economy. As argued by the OECD, restrictive data localisation requirements affect firms’ ability to adopt the most efficient technologies, influence investment and employment decisions, increase the cost of innovation and lead to missed business opportunities. Indonesia’s relaxation of the data localization rules is intended to attract foreign investment. The inclusion of the right to be forgotten is significant. It will be interesting to see how the industry will react and how the new regulation will interact with the forthcoming law on personal data protection.”
TAKING ACTION – RULES OF ENGAGEMENT
Without going into detail on each piece of data localisation-related regulation, it’s easy to see that a global company operating across borders has a wider problem – how does it organise itself to meet multiple technical, legal and commercial challenges?
Dealing with the challenge successfully means going beyond a case-by-case approach and instead diving deeper: reviewing business and operating models to see how they can be customised to better suit jurisdictions with localisation requirements. The good news here is that most global organisations have the capability, capacity, and resources to do that. For those who don’t have such big budgets, strong controls and good risk management will go a long way.
GOING LOCAL – THE SERVICE PROVIDER ROUTE
Broadly speaking, data localisation rules mean that in order to transfer personal data across borders, companies must seek authorisation from the relevant regulatory or government department. For many global companies this is an added and relatively unfamiliar complexity as, within the GDPR, there is normally no requirement to seek such permissions subject to complying with relevant data transfer mechanisms.
If we then place this requirement in the context of technology such as cloud infrastructure, it’s clearly challenging for a global organisation to keep on seeking approval every time it transfers data from, for example, China to the US, from India to the EU, or from Indonesia to the rest of the world.
To simplify this complexity, global organisations are using locally-based service providers with the necessary infrastructure and technical safety measures to satisfy the data localisation requirements. While there are clear benefits to having these local service providers manage all data localisation compliance activities on the ground, it’s important, just as in any outsourcing, for the global organisation to monitor risk levels.
In fact, risk is a key factor in many aspects of data localisation. Setting up a detailed risk assessment for each jurisdiction is crucial to make sure that the arrangement in that jurisdiction stays within your organisation’s risk appetite.
FROM ESTABLISHMENT TO EXPANSION, DATA RISKS REMAIN KEY
It’s vital to build data security risk assessment and risk management into each stage of the commercial journey, as highlighted below:
When global private equity firms or corporates invest in China, India, and Indonesia, they will seek first to fully gauge how compliance issues will impact them. That means more than understanding the regulation and how it is likely to be enforced. It also extends to the third parties and vendors, especially where local entities manage data-related risks on their behalf. Due diligence is crucial when choosing a service provider, whether in China, India, or Indonesia. There is a risk that some providers may see this process as a box-ticking exercise; it is much better to make it more of a stress test by socialising data and running through different scenarios.
So, after having gone through the due diligence exercise with your chosen service provider, addressed compliance, and received advice from lawyers within the jurisdiction, the next step is to operationalise. As in many areas of business life, some issues may only become apparent when plans move from the drawing board to the marketplace. The key here is to be aware that, up until now, your advice will have come from a legal perspective and your preparation may have focused on technical challenges. In this next stage you need the flexibility to adapt to real-time challenges, but with the discipline of a strong control environment to keep you on track, safely.
Now, having followed the right advice and taken advantage of the huge opportunities within China, India, and Indonesia, our notional company wants to expand further into the region. That expansion raises a new question, because it may mean transferring data to countries without an established data protection framework. Given the complexities already described, trading with a country that has no data protection framework may seem a positive, but in fact it can create unknown and unquantifiable risks. That is why we are seeing some big global organisations imposing their own organisation-wide data protection framework in order to manage risk. This trend towards companies taking a global approach to data privacy is covered in more detail within our previous article, GDPR: Building a global data privacy framework.
Another data-related challenge during the business life cycle comes with involvement in mergers and acquisitions (M&A). There are multiple scenarios here, but the general point is that, depending on where the acquiring or acquired company operates and is headquartered, serious risks can emerge around data localisation. It is therefore very important to have the global privacy officer, chief information officer, chief risk officer, or chief data officer, preferably on both sides of the deal, involved in due diligence from an early stage.
The converse is when our notional company is not doing well and therefore restructures in order to consolidate the business. This results in some local operations being closed, which requires data to be transferred out of China, India, or Indonesia to the entity’s HQ or other offices. Obviously, risks will vary according to where the organisation is globally headquartered, but nevertheless it is very important to reassess the risks before and after any such divestment.
PROGRESS WITHOUT PRECEDENT – HOW BEST PRACTICE CAN PUT YOU ON THE FRONT FOOT
As highlighted earlier, data privacy regulation in general – and data localisation rules in particular – is relatively new and still evolving. This means that in some cases we are still awaiting technical guidance from regulators and that companies and their legal advisers have little in the way of precedent to guide them when it comes to enforcement.
Given these circumstances, the best way forward is to take a risk-based approach, with a holistic team that continually reviews the data transfer mechanisms and connects this to the needs of the wider business.
Data will fall into two categories. The first relates to corporate operations such as marketing data, HR data, and finance data. Best practice here is to anonymise local data and then transmit it using highly secure and efficient methods (for example, by way of end-to-end encryption). The second relates to B2C activity, which typically involves personal customer data. Best practice here is to undergo a highly structured, GDPR-like data inventory programme. This is in line with Article 30 of the EU GDPR, which requires that ‘each controller and, where applicable, the controller’s representative, shall maintain a record of processing activities under its responsibility.’
Although it’s still unclear whether China, Indonesia, and India will apply an Article 30-style requirement, it may still be worth implementing one, because having a strong data inventory can drive improvement within compliance and data transfer programmes.
Talking of common standards, there is growing interest in ISO 27701 certification, which provides an increasingly recognised and respected external validation for both privacy and cybersecurity control frameworks. This is a topic we expect to cover in greater detail in the future.
LOOKING FORWARD: ACT LOCAL, THINK GLOBAL
The willingness of companies to proactively set universally high standards, rather than focus purely on local compliance needs, is clearly a positive. The challenge will be to keep their eye on the big picture benefits this brings, particularly around winning customer trust, while also paying close attention to the detail in terms of country-specific data localisation.
The challenge for regulators goes beyond clarifying technical guidance relating to new data localisation requirements. It extends to engaging with other regulators, across regions and globally, to simplify and standardise requirements. This can help regulators both to better protect their own national interests and to further smooth the path to international investment and growth, an approach that could see localisation and globalisation go hand in hand.
To help our clients solve these issues, Ankura assists with third-party vendor due diligence and with risk assessments that consider multiple regulatory frameworks and applicable data inventory requirements. If you would like to discuss any of the subjects covered in this article, or find out more about how Ankura can help you manage data privacy and security within your organisation, please contact our team.