Data PrivacyCross-Border Transfer of Data: A Global Perspective

INTRODUCTION

The borderless nature of the Internet has made it extremely easy and accessible to transfer data from one corner of the globe to the other.

Data, or personal data specifically, can be effortlessly used to gather details such as name, address, character traits, etc. of a person. Nonetheless, certain data that is often called as “sensitive personal data”, can be used to gain information regarding religious beliefs, private life, professional life, health, etc.

Therefore, in the present day and age, countries and Governments have realised the importance of data and the need to protect it. Thus, countries worldwide have employed various methods to regulate the cross-border transfer of data from one country to another.

A highly regulated and protected system is required to monitor the safety of the data that is transferred within and outside countries. Cross-border transfer of data is regulated through various data protection legislation, which are different for different countries in the world.

Most countries in today’s day and age have inculcated data protection laws in their legislative systems. Some countries have a relatively comprehensive system for data protection, which needs to be adhered to, in the event any data is transferred to or from such jurisdiction.

However, most of the countries that follow dedicated laws for data protection ensure that the five broad principles for cross-border transfer of data are followed. They include adequacy, informed consent, contractual necessity, the interests of Data Subjects or other persons, and overriding legal or state functions.

To say the least, there exists a basic law of adequacy that states that the country or territory on the receiving end of the data is required to have a data protection legislation that is on the same level as that of the country sending their data.

CROSS-BORDER DATA TRANSFER REGULATIONS ACROSS THE GLOBE

i. European Union

The privacy laws of the European Union (herein after referred to as “EU”) are covered under the General Data Protection Regulation (“GDPR”).  The GDPR allows the free flow of data within the countries that are members of the EU. Cross-border transfer of data to a non-EU country is also permitted provided the ‘principles of adequacy are complied with in the recipient country, wherein equal importance and measures are taken for the protection of data in comparison to what is taken in the EU.

The transfer of data from the EU to a third country is guaranteed in Article 45 of the GDPR, where, after checking the level of adequacy of protection, a cross-border transfer of data may take place. Article 46(1) covers some exceptions to the general rule of level of adequacy where there can be a cross-border transfer of data provided-

1. The person exporting the data himself gives assurance of appropriate safeguards.
2. Enforceable Data Subject rights and legal remedies are available in the respective third country.

The appropriate safeguards as available in the provisions of GDPR are:

• binding corporate rules that are codes of conduct that allow the transfer of data,
• standard contractual clausesthat were adopted by the European Commission for the transfer of data, and
• other ad hoc contractual clausesthat are agreed between the Data Exporter and the Data Importer for the transfer of data.

The regime laid down by the EU in data privacy and rules for cross border transfer of data prove to be the most comprehensive system of regulation. Most countries that have already obtained or are in the process of enforcing data privacy and protection rules to control and regulate the transfer of data have taken inspiration from the extensive and detailed provisions provided in the GDPR. Even in situations of cross border transfer, the principles of adequacy have become a universal requirement in all countries for facilitating cross border transfer of data.

ii. Australia

The data protection regime in Australia is regulated under the Privacy Act, 1988 (hereinafter referred to as “Privacy Act”). The meaning of personal data is equated with the understanding of personal information.  The transfer of data by the Australian based organisations is primarily covered under the purview of the Australian Privacy Principles (hereinafter referred to as “APP”). There is no mention of third countries in the Privacy Act and it regulates the disclosures instead of transfers.

On June 24, 2021, the Australian Parliament passed legislation that established a framework that would help access certain electronic data held by companies outside of Australia for law enforcement and national security purposes. This law specifically paved the way for the bilateral transfer of data between the United States and Australia.

The cross-border transfer of personal data to third countries is permissible only if there is a legal basis for it and one of the following applies:

1. Adequate jurisdictions.

2. Transfer of data only if they follow a specific code of conduct.

3. There are approved standard contractual clauses.

4. Binding corporate rules.

5. Other derogations like consent, contract performance, etc.

Chapter 8 of the APP, along with Section 16C of the Privacy Act, 1988, form a regulatory framework for the facilitation of cross-border transfers of personal information or data. This framework requires the entity to perform the necessary checks in order to ensure that the receiving country will handle the information in the same way as the APP handles it. In an instance where there is a case of mishandling of the data in another country, the entity is solely accountable for it.

When an entity governed by the APP discloses its data to a third country, it will also need to conform with the rules of chapter 6 of the APP Rules which cover the purpose for collecting such personal data. The transfer of personal data is applicable as per chapter 8 of the APP only if the necessary requirements in chapter 6 of the APP are met.

Chapter 6 of the APP, details the purposes for which an entity governed by the APP can disclose its data to a third country. In order to transfer personal data as per chapter 8 of the APP, it must conform with the requirements enlisted in Chapter 6 of the APP.

The term disclosure is not explicitly defined, but there is said to have been a disclosure of information when an APP entity shares its data with a third country or overseas recipient, or reveals internal and important information in conferences or meetings that are held in oversees countries, sends a hard copy document or an email that includes personal information to the third country, and finally intentionally or unintentionally puts up information online that is accessible by the third country. The rule has also made a distinction between disclosure and unauthorized access, which is covered in chapter 11 of the APP.

In order to ensure that overseas country does not breach the APP, there are certain reasonable measures that an APP entity is required to take, namely, the ‘reasonable steps test.’ The level of circumstances determines whether there is a need to perform the reasonable steps test for the transfer of data to third countries. The transfer of data that is essentially sensitive in nature, or if there has been a breach with a particular country in the past, etc., will require the reasonable steps test to be performed in a more rigorous manner. Finally, the third country must also provide a redressal scheme and a law or binding scheme to claim redressal.

iii. United States of America

The USA does not have a universally and generally applicable law for all countries or a very comprehensive regulation for that matter. At the moment, the California Consumer Privacy Act, (hereinafter referred to as “CCPA”) is the fundamental law that covers aspects of data privacy and data protection.

The US has come up with a new set of rules that are to be followed by the US based businesses that receive data from the EU, known as the “EU-US Safe Harbour Framework.” This has given rise to the free flow of personal data from the EU to the USA as long as the entity that is receiving this personal data is compliant with the privacy principles enumerated in the Safe Harbour framework.

iv. China

China recently passed its own regime for privacy and protection of data, which came into effect on November 1^st, 2021. It has been called the Personal Information Protection Law (hereinafter referred to as “PIPL”), which controls and governs the privacy laws for data and ensures safe processing of the same.

Privacy laws and protection policies enforced in China’s PIPL are heavily based on the EU’s GDPR. Recently, the Cyberspace Administration of China (hereinafter referred to as “CAC”) promulgated its final version of the standard measures of contract in order to partake in cross-border transfer of data, along with the standard contractual clauses for cross-border transfer of data as mentioned under the PIPL.

The cross-border transfer of data and its prescribed regulations under the PIPL have many similarities with the GDPR, barring a few differences. China’s PIPL, in comparison to the EU, places certain additional requirements that need to be met to carry out cross-border transfer of data.

For instance, exporters who are Critical Information Infrastructure Operators (hereinafter referred to as “CIIOs”) or who are involved in the processing of a large amount of personal information have some additional requirements to be fulfilled. For now, the PIPL does not specify what constitutes a large amount of personal information, but the CAC is to release further guidelines for the same.

INDIAN PERSPECTIVE

Taking the case of India into consideration, it is yet to enforce a data protection law into its legislative framework and is actively working towards it. For now, India’s data privacy law has certain restrictions on the transfer of personal data that takes place within India and to another country. These restrictions are:

1. the entity on the receiving end of the data must ensure compliance to the same level of data protection that the transferor follows,

2. transfer the information only if it is necessary to adhere to a lawful contract, or after taking prior permission of the data principal.

However, as on the present date, the focus and primary requirement remains to be the ‘level of adequacy’.

The Digital Personal Data Protection Bill, 2022 (hereinafter referred to as the “DPDP Bill”) throws light upon the transfer of personal data outside India rather briefly, wherein it is stipulated that the Central Government, after taking into consideration several factors as applicable, would notify such countries to which personal data can be transferred.

Hence, the stand on cross-border transfer of data from an Indian perspective is rather foggy. An insight into the same can only be gained with the due course of time, as and when the DPDP Bill is enacted.

AMLEGALS REMARKS

Countries, whether they are developed or developing, are all indulging in the transfer of data inside the borders of their country or overseas. When there is regular transfer of data, which can be sensitive, there must be a comprehensive regime to protect the data that is transferred amongst countries.

Many countries have realised the importance of the same and introduced a regulatory framework for themselves. However, they are held back from the free flow of data with certain countries because they do not have a comprehensive system in place. This barrier to the transfer of data can affect economies and businesses worldwide, as it is through data and its transfer that most economies and businesses function.

– Team AMLEGALS assisted by Ms. Aayushi Udeshi (Intern)

For any query or feedback, please feel free to get in touch with mridusha.guha@amlegals.com or falak.sawlani@amlegals.com