Why Privacy Laws’ impact goes well beyond Privacy

In Privacy, the Global Trade War: Part 1, we discussed how, very much like with trade tariffs and taxes on goods, privacy legislation has evolved beyond just protecting personal data during international transfers into another instrument significantly affecting global trade.

So, why should people outside the Privacy sector care about these new laws and the emergence of a privacy trade war? Because their impact manifests in many limitations on every company’s operations and additional costs to their cross-border business. In the global legislative noise caused by states piling privacy laws over one another, global businesses become victims, restrained and buried under diverse and ever-changing obligations.

The concrete impact on businesses can be best explained by looking at the regulatory instruments which states employ in this contest for situation.

Extraterritoriality (although perhaps the most visible) is certainly not the only weapon enabling countries to push their privacy requirements beyond their borders worldwide. Given how the global economy operates, every business that somehow uses personal data of a particular country’s residents (not even as a data controller) is obliged to comply with the country’s legislative requirements to some extent. This extraterritorial reach is present in the majority of global privacy and cybersecurity laws, including the GDPR, CCPA, Chinese Cybersecurity laws, Brazilian LGPD, etc.

Adequacy (and its global versions) focuses on regulating international data flows. Its European version (present even under the previous EU Data Protection Directive regime) authorizes facilitated exchange of personal data with non-EU/EEA countries that provide an ‘adequate level of protection’. The European Commission is the judge, based on its review of a very broad and general set of elements like the country’s rule of law, effectiveness of administrative and judicial redress, effective functioning of supervisory authorities or adequate enforcement powers. The European Commission then translates these general criteria into very specific domestic requirements on the assessed country and ties these as conditions to the country becoming ‘adequate’ – safe enough to enable transfer of EU residents’ data without additional barriers. This relationship is essential to businesses in countries that need to participate in EU markets.

From a political perspective, the EU is leveraging the gravity of its huge market to push its requirements upon businesses and governments alike, something strongly reminiscent of global trade war practices. Meanwhile, the logical next step for businesses pressed to comply with several regulatory regimes is to work towards the strictest one, a phenomenon coined the ‘Brussels effect’.

With the adequacy regime in place, the EU has thus established a two-tier system for countries. Most recently, Japan has proved eager to join the EU adequacy bloc, looking to establish the biggest area of free personal data flow globally.

The EU is not alone in building its adequacy bloc of state allies. The Brazilian LGPD anticipates the establishment of a very similar framework. Furthermore, on an international scale, data-transfer blocs already exist: for instance, the APEC Privacy Framework and its Cross-Border Privacy Rules system aim to avoid barriers to information flows for its country members (very much like the EU-U.S. Privacy Shield, for instance). It requires participating businesses to develop and implement data privacy policies compliant with the APEC Privacy Framework. The major difference with the APEC CBPR system is that it does not impose any requirements upon the participating countries’ domestic laws and enforcement mechanisms – thus only the companies are left to comply with the requirements if they wish to transfer data without barriers.

Data localization laws are a ‘protectionist’ strategy of the privacy trade war. They can be compared to import tariffs in terms of creating additional barriers to the foreign companies when processing the data of the country’s residents.

In essence, these are legally imposed obligations to maintain certain types of data (typically sensitive or special categories of data) within the borders of the state. The commonly cited reason for imposing these rules is the accessibility of the data by the citizens (and thus easier exercise of the individual’s rights), ensuring that at least one primary copy of these potentially ‘higher value’ personal data remains under the jurisdiction of the given state. A less obvious reason may be the accessibility of the data by the state itself – for example, in relation to its enforcement action or citizen surveillance. As the case law has proven, sometimes it can be a proper hurdle for states to access data about their residents that is held on servers outside their territory.

Yet another reason to introduce data localization may be its implied stimulus for the state’s domestic data centers and related services. It also favors the domestic businesses and domestic providers over foreign companies – unless they regain competitiveness by investing in relevant infrastructure of the state.

Data localization requirements are increasingly embraced by states, and we are already seeing them transcending into domestic sectoral laws and regulations. For instance, in India the Central Bank has produced a directive stating that all digital payment data must be stored only on Indian servers for “unfettered supervisory access”. This, together with the Indian Privacy Bill, is evidence of a wider push by India to make companies store more of their data locally.

We have also seen global companies struggling with these laws as Russia blocked LinkedIn from operating there after it refused to transfer data on Russian users to local servers (as is the legal requirement there for a primary user database).[1]

To what end do the countries then use these far-reaching legislative tools? As is already suggested by the examples, they mostly add these to their other mechanisms of exercising influence over each other.

Privacy laws now serve a twofold political purpose: i) to demonstrate a state’s efforts in protecting its residents’ rights, and ii) to exercise influence over other countries and impose their own rules and requirements upon other states globally. The bigger the market, the stronger the voice and the further the reach of these laws and requirements.

Stay tuned for Part 3 of Privacy, the New Global Trade War. You can read Part 1 here.


[1] https://www.bbc.com/news/technology-38014501