Whoever would have thought that, in a world where it seems nearly everything is connected, we would still have laws requiring that data be held within specific territories or regions? Yet it seems that as more and more data moves online, is stored in the cloud, and gets transmitted all around the world and back in the blink of an eye, governments become ever more determined to introduce territorial restrictions limiting the movement of data.
The best known example of this is the EU’s Data Protection Directive which forbids movement of personal data outside of Europe to territories that do not provide “adequate” data protection – or, in layman’s speak, territories that the EU doesn’t consider to be safe. This rule can be dated back to a technological world where data sat in a single database on a single server, and legislators sought to guard against businesses moving data outside of the EU in an attempt to circumvent European data protection laws. Against that backdrop, it was a very sensible rule to introduce. 20 years on from its adoption, it now starts to look a little long in the tooth.
The problem is that legislative and regulatory thinking hasn’t advanced a great deal in that time. Within those communities, there’s still a perception that data can, somehow, be kept within a single territory or region and not accessed or transmitted beyond those boundaries – or that, if it must, then implementing a standard form data protection agreement (so-called “model clauses”) between the ‘data exporter’ and the ‘data importer’ somehow solves the problem.
But here’s the thing: it doesn’t. Denying that international data movements are an integral and necessary part of the global data economy is like denying that the earth moves round the sun. Spend any time dealing with cloud vendors, or social media platforms, or interest based advertising providers, and you’ll quickly learn that data gets stored in multiple geographic locations, often through chains of different subcontractors, and tens, hundreds and perhaps even thousands of different databases. With that knowledge, legislating that data should be kept in-territory or in-region is at best pointless. At worst, it’s economically disastrous.
More than that, thinking that a ‘one size fits all’ set of model clause terms will somehow prove relevant across the multiplicity of different online business models that exist out there – or (and let’s be honest) that businesses executing those terms can and will actually comply with them – is nothing but a bad case of denial.
But despite this, these so-called ‘data residency’ laws only seem to be growing in favour – inevitably spurred in part through both post-Snowden mistrust of other countries’ data protection regimes and in part through misguided economic self-interest. Other than the 31 countries in the European Economic Area that have adopted data residency requirements, other countries including Israel, Russia, Switzerland and South Africa (in EMEA), Argentina, Canada, Mexico and Uruguay (in the Americas), and Australia, India, Malaysia, Singapore and South Korea (in APAC) all have there own data residency rules.
The great irony here is that these rules will not prevent international movements of data. They won’t even hamper them to the slightest degree. Data will move beyond boundaries just as it always has, only at an ever quicker and more voluminous rate. All of which begs the question: if data residency rules are to have this head on collision with increasingly globalised use of data, what can businesses do to comply?
For any large multinational organisation, there really in only one solution: Binding Corporate Rules. Model clauses contain too many stiff and unworkable provisions that any commercial organisation would be very hesitant to sign – and, once the business reaches any sort of global scale, the prospect of regularly signing exponential numbers of model clauses becomes quickly very unattractive indeed. Safe harbor is a fine solution, but only for transfers of data from Europe and Switzerland to the US and, with the future of safe harbor currently in doubt, doesn’t offer the longevity on which to build a robust compliance platform.
So that leave Binding Corporate Rules, which are specifically designed for large multinationals moving large volumes of data and for whom safe harbor and model clauses are not options. More than that, Binding Corporate Rules have a regulatory recognition that extends beyond Europe – being expressly recognised in many non-EU countries as a valid solution for overcoming strict national data residency rules (Canada, Israel, South Africa, Singapore and Switzerland all being good examples). And even in territories where Binding Corporate Rules don’t have express regulatory recognition, they’re at least generally tolerated as compliant with local data export regimes.
In the current political climate, it’s highly unlikely that data residency rules will relax in the short- to mid-term. At the same time, data protection rules are only set to get stricter and carry greater risk (interesting fact: in 2011 there were 76 countries with data protection laws; by 2013 there were 101; and there are currently another 24 countries with new incoming privacy laws). Businesses with any kind of global footprint need to prepare for this and build out their data governance programs accordingly, with Binding Corporate Rules offering the most widely recognised and future-proofed solution.