How domestic regulation can respond to globalisation of business Session 2 - Domestic Data Regulation Peter Sheerin Executive Committee Member 20 June 2018. Sheerin.peter@mail.com
Content Development of a borderless digital world. Data protection / privacy – the new normal. Data residency - challenges / issues. Extra-territorial reach – GDPR example. Physical location of data. The landscape of data protection regulation. Examples of global & regional legislative activity. Implications of legislative restrictions on data flows. The potential impact on local and international trade. Conclusion. http://www.biia.com/category/data-protection-privacy 2
Development of borderless digital world Over past few decades digital development has fundamentally changed communication, trade and the way business is conducted. Data transferred at ever-increasing speeds & demand for information constantly increasing. Technology is pushing the boundaries of what is possible – particularly around “cloud computing”. National governments are strengthening laws to protect citizen data, preserve national security &, in some cases, protect local business interests Implications for multinational companies substantial: threats of increased regulatory action, substantial financial penalties / imprisonment, disruptions to established business processes requirements to tighten controls for handling & processing information that crosses national boundaries.
Data protection / privacy – the new normal Sweeping new data privacy laws General Data Protection Regulation (GDPR), significantly restrict how certain types of information may be stored & used by organizations – & are being enforced by increasingly stiff fines and penalties. The CLOUD Act requires American companies to provide access to such data no matter what country the company stores it in. With various countries imposing so many different requirements, organizations face a regulatory patchwork of inconsistent, unclear & often contradictory demands. The result is that organizations conducting business internationally are struggling to meet a complex network of regulations that dictate where data can be stored, processed, or accessed.
Data residency - challenges / issues Data residency is the physical location or locations of an organization's data & the area of storage management involved with issues specific to managing data in those particular locations; Data location is becoming important because many countries are taking steps to protect citizen privacy & preserve national security interests. Legal requirements for data privacy & residency are different from one location to another. Clients of cloud provides must comply not only with the rules in each jurisdiction where they operate but also the rules governing how data is managed at the cloud service provider locations. Finding the right balance between the most fruitful use of data and the protection of privacy is one of the greatest challenges of our time.
Extra-territorial reach – GDPR example Wide scope of GDPR accounts for protecting personal data of residents in EU being processed by companies not based in EU or don’t process in EU While consent is essential in most cases, and while protecting personal data being transferred outside the EU is also essential the regulation involves far more than complying with the consent requirement, such as the right to be forgotten, data protection by design and by default, and protecting personal data being transferred outside the EU. Failure to prepare can have severe ramifications, - fines of 4 percent of annual turnover (revenue) or 20 million Euro, whichever is greater. You don’t have to have physical operations in Europe to be affected by the GDPR.
Physical location of data Physical: Physical location is what has traditionally been considered. It is where the storage hardware resides - the question should really be “where, physically, are all copies of the data?” Legal: The country of registration of the entity that controls the data may represent the Legal location - Another legal entity could be the service provider - In the event of a data breach, the privacy laws of that country from where the data comes from will likely control the data. Political: If the legal entity is a subsidiary of an international corporation, then the country of headquarters is the Political location. Logical: Logical location - the location of how people can access data or the control point - with encryption technologies, who can access data is more important than the location of storage. Reference - Gartner’s “The Snowden Effect: Data Location Matters”
The landscape of data protection regulation Asia-Pacific region’s data protection laws are generally consent-based. APEC Privacy Framework - intended to improve standard of privacy protection & facilitating trans-border flow of PI Vast majority of 21 APEC Economies have local law on privacy data protection with balance expected to have in near term. Japan substantially updated Protection of Personal Information Act. Lawmakers & Data Protection Authorities across region are studying GDPR with view to reforming their laws to reflect this second generation upgrade of comprehensive data protection regulation. The USA CLOUD Act is likely to have less practical impact within region than GDPR.
Examples of global & regional legislative activity Data transfer restrictions have become an increasingly important consideration in the context of the negotiation of bilateral trade agreements Noticeable region-wide trend towards tighter, more strictly enforced regulation & for concrete efforts towards greater inter-operability of national data protection regimes: 2018 Singapore enacted Cyber Security Law Hong Kong & Singapore announced legislative reviews. Australia / Philippines introduced mandatory data breach notifications recently. South Korea, is known as strong jurisdictions for data privacy compliance. Australia, China, Thailand and Malaysia have legislation or restrictions on cross border sharing of credit data. Other jurisdictions legislation mainly silent on cross border issue but are proceeding with caution by way of bilateral discussions.
Implications of legislative restrictions on data flows Trade, investment, financial integration, data flows, migration, are all interdependent & are drivers of economic growth / prosperity for all according to G20. Digital trade holds huge potential, lowering transaction costs / scale requirements while giving easy access to global markets – substantial barriers still prevent potential benefits of digital trade from being fully realized. Business information in general & credit information in particular are essential part of the business & financial infrastructure China has realised challenges & established national quality monitoring centre for cross-border e-commerce in 2017 to (amongst others) monitor risk, credit, protect consumer rights & help create a safer and more trustworthy e-commerce environment, cooperating with Alibaba’s cross- border retail platform Tmall International on policy innovation, data sharing, quality supervision and information exchange.
The potential impact on local and international trade Recommendations by B20 to G20 Summit in Hamburg included; That localization of data be addressed - No data transfers means no growth in cross border trade. Fostering Global Connectivity – through definition of a harmonized cybersecurity baseline framework, by supporting norms for responsible state behaviour, by enabling free and trustworthy cross-border data flows, and by fostering investment in ICT infrastructure as well as in skill and capacity building. Establishing Beneficial Ownership Transparency – G20 members should increase their efforts to implement beneficial ownership transparency so that risks related to the ultimate owner(s) can be identified.
Conclusion The tightening of Asia’s data protection regulatory environment and the emergence of cyber security regulation comes at the same time as personal data has developed into an increasingly valuable business asset. As economies are increasingly digitalized & with moves to open financial institutions’ customer data up to wider sharing via open banking / Fintech apps, risk factors will continue to rise. The need to embrace privacy, data protection, and cyber security as data volumes, uses and value to businesses, together with rapid technology developments has never been greater as regulators, businesses and consumers all face increasing reputational business and financial risks. Data protection and cyber security regulation tend to be somewhat “event driven” – Equifax / Facebook amongst numerous others prompt policy makers/regulators to act. GDPR most likely to be the catalyst for regional / local adoption of facets of GDPR that are suited to jurisdictions place on the data protection maturity curve. Failure to act by policy makers/regulators to adopt the latest generation of data protection will result in a less then optimal two tier system for their citizens and businesses.
Thank You Sheerin.peter@gmail.com www.biia.com BIIA is not responsible for the use which might be made of the information contained in this presentation or report. Nothing in this presentation implies or expresses a warranty of any kind. 13
Recommend
More recommend
