The confluence of globalization and digital transformation presents many new compliance issues for in-house counsel. One such challenge comes from data localization requirements. As companies become more global, they are also beginning to leverage information to create value in a variety of new ways. From collecting more accurate and detailed performance data to profiling customer needs and influencing decision-making in order to develop or improve products and services, data analysis is helping companies facilitate growth and open up new frontiers for increased revenue. But both the globalization and the digital transformation of business operations require that information flow freely around the world.
With this global growth comes an increasing number of governments that have enacted new regulations restricting the flow of information across their borders. Mainly driven by purported concerns over privacy, security, surveillance and law enforcement, many countries have recently imposed data localization requirements. Unlike the prior generation of censorship controls that typically sought to keep information out of a country, such as the Great Firewall of China,1 these new data localization controls typically seek to keep data in.
One example is a set of recent amendments to Russia Federal Law No. 242-FZ that went into effect in September 2015. With limited exceptions, this law now generally requires any company that collects personal information pertaining to Russian citizens to “record, systematize, accumulate, store, amend, update and retrieve” such data using systems physically located in Russia.2
Similarly, the government of Vietnam recently promulgated several draft laws that included data localization requirements as well as other restrictions on cross-border data transfers. The localization components were eventually shelved. However, as written, they could have potentially required every digital service or website offering services in Vietnam to locate at least one server within that country.3 The Chinese government also has been considering more regulations with increased localization efforts. The vague State Secrets laws have prevented the removal of certain protected information for several decades.[4] But recently, multiple regulations have been enacted in China that appear to prevent the removal of certain banking,[5] financial,[6] and personal health information[7] from within its borders. Restrictions in other industry sectors in China also appear to be under consideration. Most recently, a draft counterterrorism law was circulated in 2014 that, if enacted in its original form, could have potentially required business operators in the Internet and telecommunications sectors to store data on servers in China and provide encryption keys to public security authorities.[8] While this law was passed without these localization requirements, the possibility of laws with similar restrictions being passed in the future still remains. The list of countries that have data localization laws under consideration,[9] or that have recently enacted or considered them, continues to grow around the globe.[10]
Inevitably, the collection and usage of customer personal data brings about challenging questions regarding data protection and usage. As companies expand their markets and move to digitally transform their operations, they must fully consider both the sources and subject matter of the data they are collecting and the various laws and regulations that apply to them. Privacy laws are typically triggered by the residence and nationality of the data subjects, not simply the location of the data or its collection activities. The questions can be complex, but to avoid compliance gaps, company counsel should begin making the effort to map their data supply chains, fully understand their contents, and align them with the privacy laws of each jurisdiction they may implicate.
The opinions expressed are those of the author and do not necessarily reflect the views of AlixPartners, LLP, its affiliates, or any of its
respective other professionals or clients.
Published May 3, 2016.