Managing the Exchange of Personal Data Across Borders

Jose Tabuena | November 19, 2013

Cross-border transfer of information is an increasingly crucial and thorny component of transacting business around the globe.

The challenges of data exchange for international companies are considerable as the requirements and repercussions are not uniform across jurisdictions. What is permissible in the United States may be forbidden in Europe or elsewhere. Internal auditors and compliance professionals at multinationals need to be cognizant of the rules regarding the transfer of data in the jurisdictions where they operate to ensure that actions taken in one geography of the business do not result in infractions in others.

One of the biggest risks is the potential of a cyber-security breach. This concern is growing as technology becomes more pervasive, Big Data emerges, and companies extend their reach internationally. The Internet doesn't recognize borders—as data is moved from the data center to the cloud and across borders, security breaches become a more tangible risk.

Numerous countries and the European Union have implemented privacy laws that typically forbid cross-border transfers unless certain conditions are met. There is considerable divergence, however, in definitions and how certain types of data are to be secured, which can create significant difficulties in transferring it. The Ponemon Institute in a study of privacy and data protection compliance for multinational organizations, for example, found that the varying data definitions result in higher compliance costs. This is not surprising to those who have to manage the regulatory complexity while trying to minimize disruption to business processes.

What Is Personal Data?

Most countries have data protection laws that govern how personal information relating to individuals may be processed. Personal data, also referred to as “personally identifiable information” (PII), is a core concept in privacy regulation as it defines the scopes and boundaries of privacy statutes and regulations around the world. Lawyers refer to PII as a jurisdictional trigger as in its absence there is no privacy right or harm to protect. Thus, privacy regulation focuses on the collection, storage, use, and disclosure of PII while leaving non-PII largely unprotected.

In the United States alone the lack of a uniform definition is a substantial burden, as it is a trigger for breach notification requirements in 48 jurisdictions (46 states plus D.C. and Puerto Rico). The PII definition varies so much within the United States that compliance professionals need to reference complex charts with links to statutes in order to monitor its meaning in a given state.

Currently, companies can move data between the EU countries and the United States under a formal “safe harbor” treaty between the two jurisdictions if the United States' party gets certification confirming its data procedures comply with principles set out in EU data law. The lack of clarity and harmony under the EU Data Protection Directive, however, gives rise to uncertainties relating to the maintenance and the location of PII, such as the use of cloud computing. Companies can still move data from Europe to other jurisdictions that the European Union has assessed as providing “adequate protection” of data, but there are not many countries that are so qualified. Moreover, with proposed regulation intended to update the framework for managing PII, the European Union has raised the possibility of scrapping this safe-harbor provision.

To compound the compliance challenges, the narrow focus by privacy regimes on data location made sense when data could be transported between countries only by physically carrying storage media across borders. With the inception of the Internet, the cloud, and the ease of electronic transfer and remote access to data, the concept of location is increasingly irrelevant to data protection.

A common misconception is that merely viewing data remotely is not subject to transfer restrictions. But in Europe it is accepted without question that remote access to PII is equivalent to a transfer of the data itself—information security experts recognize that for the data to be viewed, it must actually be transmitted from the location where it is stored to the location where it is seen.

There's no real regulatory guidance or case law specifically on this point, but when you consider that the purpose of the data export restriction is to prevent leakage of PII, then remote access presents precisely the same risk as a traditional transfer. Someone remotely accessing data that is hosted in another country could, after all, easily print, duplicate, or even write down and improperly disclose personal information.

How to Manage the Transfer Process

Given the regulatory uncertainty and the current disparity amongst privacy regimes and definitions of PII—particularly between the United States and European Union—how can a global company develop an efficient and compliant data transfer process? An organization with a robust privacy program is likely to have conducted a security risk assessment with analysis of its compliance vulnerabilities. Presumably the company tracks the data it collects and generates, so that it knows where that data resides. At minimum the organization should have:

  • Performed a comprehensive data discovery process to find all of its PII and other critical data;
  • Determined the lines of business affected by privacy laws and regulations such as Health Insurance Portability and Accountability Act (HIPAA) in the United States and the EU Data Protection Directive; and
  • Mapped the movement of customer PII and other sensitive and confidential information within the organization, including data flows to and from third parties.

The internal audit and compliance functions are well-situated to support effective company information practices that can facilitate the secure transfer of sensitive data across borders. Audit and compliance can also aid in creating processes that consider the management of PII over a range of security objectives, rather than by using a simple dichotomy.

Keep in mind that the main difficulty is advancing a consistent approach that navigates the disparate definitions of PII. With continued advances in information technology, the task of defining PII is likely to undergo transformation. There have been recent experiences displaying the potential of Big Data and the power of correlation. What is not considered PII today could easily become PII in the future as the ability to link pieces of data to specific individuals becomes more prevalent. It is the typical experience of legal concepts lagging behind changing technology.

Multinationals need to be aware that the European Union has the strictest privacy regime. Tailoring a data approach that incorporates EU principles may ultimately afford the most flexibility. Any approach should consider the applicability of what is referred to by privacy practitioners as fair information practices built around different levels of risk to individuals.

Compliance and privacy programs will need to be alert in this rapidly evolving area. Computer science has shown that the very concept of PII is far from straightforward. The ability to “identify” depends largely on context, including technology as well as social and corporate practices. The varying definitions of PII threaten the utility of the mechanisms that allow data transfers. The current safe harbors, which are typically bilateral, may be on the way out.

More organizations that operate in Europe are now examining the use of Binding Corporate Rules (BCRs), which come closer to the globally harmonized solution being sought by the European Union. BCRs permit data transfers between entities globally, whereas the EU-U.S. Safe Harbor is limited to data transferred between those two regions. However, BCRs are not for the faint of heart and require a commitment in terms of resources, time, and cost.

BCRs are an affirmative statement of taking data protection seriously, and developing and implementing them will require extensive project management by the compliance program. Fortunately, BCR standards sync well with other data protection initiatives, including many state laws and HIPAA. The very specific things that U.S. law requires for various types of data also fit nicely with the EU concept of data privacy and, further, with what BCRs require organizations to do to protect data—such as consulting agreements, audits, risk management, breach reporting, and other measures.

Many commentators foresee more unified and revised privacy frameworks that take into account new technologies that impact current definitions of PII. Awareness is growing that the focus of standards on data location should not obscure the underlying purpose of the data export restriction—which is ensuring data protection. The specific objective for restricting data transfer of PII was, and remains, to protect personal data against access by unauthorized persons. Where technology can be applied—data strongly encrypted and the decryption keys securely managed, for example—the data's location should be immaterial. Conversely, keeping data within a particular geography does not guarantee better protection if it is not secure.
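The closing point, that strongly encrypted data with separately managed decryption keys makes location immaterial, can be shown concretely. The following Go program is an added example written for this article, not code from the author or any product it mentions. It assumes a simple model: a key custodian in the home jurisdiction holds an AES-256-GCM key, a storage host in another country receives only the sealed blob, and a record identifier plus processing purpose is bound to the ciphertext as associated data so the blob cannot be quietly relabelled. The PII record, the custodian and host roles, and the context string are all constructed for the demonstration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Constructed PII record of the kind a data discovery exercise would locate.
const sampleRecord = `{"name":"A. Example","email":"a.example@example.com","dob":"1980-01-01"}`

// NewDataKey makes a fresh 256-bit key. In this model the key stays with the
// custodian in the home jurisdiction and never travels with the ciphertext.
func NewDataKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealRecord encrypts with AES-256-GCM and binds a context label (record id
// and purpose) as associated data. Output layout: nonce || ciphertext+tag.
func SealRecord(key, plaintext []byte, context string) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return append(nonce, gcm.Seal(nil, nonce, plaintext, []byte(context))...), nil
}

// OpenRecord reverses SealRecord and fails closed: a wrong key, a modified
// blob, or a mismatched context label all yield an error, never data.
func OpenRecord(key, blob []byte, context string) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob too short")
	}
	nonce, sealed := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, sealed, []byte(context))
}

// RemoteHost models storage in another jurisdiction: it holds sealed blobs
// only and has no key material at all.
type RemoteHost struct{ blobs map[string][]byte }

func NewRemoteHost() *RemoteHost                  { return &RemoteHost{blobs: map[string][]byte{}} }
func (h *RemoteHost) Store(id string, blob []byte) { h.blobs[id] = blob }
func (h *RemoteHost) Fetch(id string) []byte       { return h.blobs[id] }

// Demo runs the whole flow and reports whether each expected outcome held.
func Demo() (roundTrip, wrongKeyRejected, tamperRejected, wrongContextRejected bool, err error) {
	key, err := NewDataKey()
	if err != nil {
		return
	}
	ctx := "record:42;purpose:hr-payroll"
	blob, err := SealRecord(key, []byte(sampleRecord), ctx)
	if err != nil {
		return
	}
	host := NewRemoteHost()
	host.Store("42", blob)

	// The custodian, holding the key, reads the record back from the remote copy.
	pt, e := OpenRecord(key, host.Fetch("42"), ctx)
	roundTrip = e == nil && string(pt) == sampleRecord

	// Anyone at the remote site without the key gets nothing usable.
	otherKey, _ := NewDataKey()
	_, e = OpenRecord(otherKey, host.Fetch("42"), ctx)
	wrongKeyRejected = e != nil

	// Flipping one byte of the stored blob is caught by the GCM tag.
	tampered := append([]byte(nil), host.Fetch("42")...)
	tampered[len(tampered)-1] ^= 0x01
	_, e = OpenRecord(key, tampered, ctx)
	tamperRejected = e != nil

	// Reusing the blob under a different record/purpose label is caught too.
	_, e = OpenRecord(key, host.Fetch("42"), "record:43;purpose:marketing")
	wrongContextRejected = e != nil
	return
}

func main() {
	rt, wk, tp, wc, err := Demo()
	fmt.Println("round trip:", rt, "wrong key:", wk, "tamper:", tp, "wrong context:", wc, "err:", err)
}
```

The design point is the separation: the host abroad can lose or leak every blob it holds without exposing PII, while the custodian's key management, not the data's physical location, is what the compliance program has to get right.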