How domestic regulation can respond to globalisation of business - - PowerPoint PPT Presentation



SLIDE 1

How domestic regulation can respond to globalisation of business

Session 2 - Domestic Data Regulation

Peter Sheerin Executive Committee Member 20 June 2018.

Sheerin.peter@mail.com

SLIDE 2

Content

  • Development of a borderless digital world.
  • Data protection / privacy – the new normal.
  • Data residency - challenges / issues.
  • Extra-territorial reach – GDPR example.
  • Physical location of data.
  • The landscape of data protection regulation.
  • Examples of global & regional legislative activity.
  • Implications of legislative restrictions on data flows.
  • The potential impact on local and international trade.
  • Conclusion.

http://www.biia.com/category/data-protection-privacy

SLIDE 3

Development of borderless digital world

Over the past few decades digital development has fundamentally changed communication, trade and the way business is conducted.

  • Data is transferred at ever-increasing speeds & demand for information is constantly increasing.
  • Technology is pushing the boundaries of what is possible – particularly around “cloud computing”.
  • National governments are strengthening laws to protect citizen data, preserve national security &, in some cases, protect local business interests.

Implications for multinational companies are substantial:

  • threats of increased regulatory action,
  • substantial financial penalties / imprisonment,
  • disruptions to established business processes,
  • requirements to tighten controls for handling & processing information that crosses national boundaries.

SLIDE 4

Data protection / privacy – the new normal

Sweeping new data privacy laws

  • The General Data Protection Regulation (GDPR) significantly restricts how certain types of information may be stored & used by organizations – & is being enforced by increasingly stiff fines and penalties.
  • The CLOUD Act requires American companies to provide access to such data no matter what country the company stores it in.

With various countries imposing so many different requirements, organizations face a regulatory patchwork of inconsistent, unclear & often contradictory demands. The result is that organizations conducting business internationally are struggling to meet a complex network of regulations that dictate where data can be stored, processed, or accessed.

SLIDE 5

Data residency - challenges / issues

  • Data residency is the physical location or locations of an organization's data & the area of storage management involved with issues specific to managing data in those particular locations.
  • Data location is becoming important because many countries are taking steps to protect citizen privacy & preserve national security interests.
  • Legal requirements for data privacy & residency differ from one location to another. Clients of cloud providers must comply not only with the rules in each jurisdiction where they operate but also with the rules governing how data is managed at the cloud service provider's locations.

Finding the right balance between the most fruitful use of data and the protection of privacy is one of the greatest challenges of our time.

SLIDE 6

Extra-territorial reach – GDPR example

  • The wide scope of GDPR covers the protection of personal data of residents in the EU being processed by companies not based in the EU or that do not process it in the EU.
  • While consent is essential in most cases, and while protecting personal data transferred outside the EU is also essential, the regulation involves far more than complying with the consent requirement, such as the right to be forgotten, data protection by design and by default, and protecting personal data being transferred outside the EU.
  • Failure to prepare can have severe ramifications – fines of 4 percent of annual turnover (revenue) or 20 million Euro, whichever is greater.
  • You don’t have to have physical operations in Europe to be affected by the GDPR.

SLIDE 7

Physical location of data

  • Physical: Physical location is what has traditionally been considered. It is where the storage hardware resides – the question should really be “where, physically, are all copies of the data?”
  • Legal: The country of registration of the entity that controls the data may represent the legal location. Another legal entity could be the service provider. In the event of a data breach, the privacy laws of the country the data comes from will likely control the data.
  • Political: If the legal entity is a subsidiary of an international corporation, then the country of headquarters is the political location.
  • Logical: Logical location is the location from which people can access the data, or the control point – with encryption technologies, who can access data is more important than the location of storage.

Reference - Gartner’s “The Snowden Effect: Data Location Matters”

slide-8
SLIDE 8

The landscape of data protection regulation

  • The Asia-Pacific region’s data protection laws are generally consent-based.
  • APEC Privacy Framework – intended to improve the standard of privacy protection & facilitate trans-border flow of PI.
  • The vast majority of the 21 APEC Economies have local laws on privacy / data protection, with the balance expected to have them in the near term.
  • Japan substantially updated its Protection of Personal Information Act.
  • Lawmakers & Data Protection Authorities across the region are studying GDPR with a view to reforming their laws to reflect this second generation upgrade of comprehensive data protection regulation.
  • The USA CLOUD Act is likely to have less practical impact within the region than GDPR.

slide-9
SLIDE 9

Examples of global & regional legislative activity

  • Data transfer restrictions have become an increasingly important consideration in the context of the negotiation of bilateral trade agreements.
  • Noticeable region-wide trend towards tighter, more strictly enforced regulation & concrete efforts towards greater inter-operability of national data protection regimes:
  • 2018: Singapore enacted its Cyber Security Law.
  • Hong Kong & Singapore announced legislative reviews.
  • Australia / Philippines recently introduced mandatory data breach notifications.
  • South Korea is known as a strong jurisdiction for data privacy compliance.
  • Australia, China, Thailand and Malaysia have legislation or restrictions on cross border sharing of credit data.
  • Other jurisdictions’ legislation is mainly silent on the cross border issue, but they are proceeding with caution by way of bilateral discussions.

slide-10
SLIDE 10

Implications of legislative restrictions on data flows

  • Trade, investment, financial integration, data flows and migration are all interdependent & are drivers of economic growth / prosperity for all, according to the G20.
  • Digital trade holds huge potential, lowering transaction costs / scale requirements while giving easy access to global markets – substantial barriers still prevent the potential benefits of digital trade from being fully realized.
  • Business information in general & credit information in particular are an essential part of the business & financial infrastructure.
  • China has realised the challenges & established a national quality monitoring centre for cross-border e-commerce in 2017 to (amongst others) monitor risk and credit, protect consumer rights & help create a safer and more trustworthy e-commerce environment, cooperating with Alibaba’s cross-border retail platform Tmall International on policy innovation, data sharing, quality supervision and information exchange.

slide-11
SLIDE 11

The potential impact on local and international trade

Recommendations by B20 to the G20 Summit in Hamburg included:

  • That localization of data be addressed – no data transfers means no growth in cross border trade.
  • Fostering Global Connectivity – through definition of a harmonized cybersecurity baseline framework, by supporting norms for responsible state behaviour, by enabling free and trustworthy cross-border data flows, and by fostering investment in ICT infrastructure as well as in skill and capacity building.
  • Establishing Beneficial Ownership Transparency – G20 members should increase their efforts to implement beneficial ownership transparency so that risks related to the ultimate owner(s) can be identified.

slide-12
SLIDE 12

Conclusion

  • The tightening of Asia’s data protection regulatory environment and the emergence of cyber security regulation come at the same time as personal data has developed into an increasingly valuable business asset.
  • As economies are increasingly digitalized & with moves to open financial institutions’ customer data up to wider sharing via open banking / Fintech apps, risk factors will continue to rise.
  • The need to embrace privacy, data protection, and cyber security has never been greater as data volumes, uses and value to businesses grow, together with rapid technology developments, and as regulators, businesses and consumers all face increasing reputational, business and financial risks.
  • Data protection and cyber security regulation tend to be somewhat “event driven” – Equifax / Facebook amongst numerous others prompt policy makers/regulators to act.
  • GDPR is most likely to be the catalyst for regional / local adoption of those facets of GDPR that are suited to a jurisdiction's place on the data protection maturity curve.
  • Failure by policy makers/regulators to adopt the latest generation of data protection will result in a less than optimal two tier system for their citizens and businesses.

slide-13
SLIDE 13

BIIA is not responsible for the use which might be made of the information contained in this presentation or report. Nothing in this presentation implies or expresses a warranty of any kind.


Thank You

www.biia.com Sheerin.peter@gmail.com
