International Data Privacy Laws

Many multinational enterprises are faced with a plethora of restrictions and regulations both in their home countries and in the countries where they conduct business. While some of these laws are similar, many are not, which forces them to constantly examine their handling of private information.

The end result is a varied list of regulations and restrictions that enterprises must adhere to in order to have successful business practices overseas. It’s inconsistency at its best.

Aren’t all international restrictions the same?

The short answer: No. Each regulation – although it may serve a similar purpose as another country’s restriction – serves a different purpose and/or protects a different target (be they people, companies or industries) in their country or origin.

The goal of the General Data Protection Regulation (GDPR), for example, is to strengthen and unify data protection within the European Union (EU). This means that citizens will have better control over their data. While laws like GDPR are based on an agreed consensus of the individual states, the regulations of individual countries are more based on their responses to the political and technical landscape we see today.

There is an interest in protecting both the personal information of citizens and increasingly a desire to protect sensitive business and political data. The rise of software-as-a-service (SaaS) by multi-national organizations that often need to make large international data transfers between locations is increasing concern over who has control over this information. The desire to ensure that those using cloud-based services are managing the data correctly and compliantly is paramount.

Is there an easy way for international companies to comply with all of the various laws?

Unfortunately, no. Each new set of laws brings its own unique challenges. For example, the scope of both the new Chinese Privacy law covers ‘any citizen’s PII’, which means that any foreign company located anywhere in the world with Chinese citizens as customers is bound by this new regulation. In fact, the Chinese law goes even further than GDPR, and covers any ‘natural persons,’ which is even more expansive than just citizens.

How is privacy changing multinational business?

These laws are creating a stricter environment that limits the ways in which data may be collected and used. The new Chinese law seems to favor the security of political and business content, so perhaps the creation of this is just as much about state control as it is about protecting its citizens.

Users and customers now have to be asked if they agree to their information being collected and used in specific ways. Generally, companies are going to request this up front and the majority of the populous will just agree, similar to “Terms of Use Agreements” here in the US. So, while some controls are being put in place for users to opt out of specific things, generally most users are going to opt in up front. With agreements such as EU-US Privacy Shield allowing the transfer of PII data to the US from Europe, personal information is still flowing freely around the world as well.

How will the restrictions impact the business of doing business?

We’re already seeing a shift toward a regionally focused implementation of products and services for data storage and collaboration, as opposed to the centralized versions we have seen previously. Providers who can keep content and PII data physically within each region will find it significantly easier to assuage both user and regulatory fears around the privacy and security of their identity and content. The European data center construction market is seeing a marked increase in large US-based companies (such as Facebook and Microsoft) building out their own data centers. A recent Research and Markets report projects data center construction market growth from US$ 9,558 Million in 2016 to US$ 22,829.1 Million by 2025.

What’s the end cost?

Given the complexities of each individual country’s data privacy laws, it’s understandable many enterprises are concerned with what’s required by each country and how to achieve these standards. These regulations are also changing the face of multinational business, challenging enterprises to change the essential from “HOW should we do business in other countries?” to “WHAT is the cost of doing business in other countries?”

There have been clear examples of regulatory pressures causing businesses to withdraw from specific regions. For example, the implementation of FATCA saw Swiss banks (like UBS and Credit Suisse) ask US clients to either re-arrange or close their accounts. The fall of Safe Harbor created a myriad of concerns over the processing and storage or European data in the US, resulting in many of the larger firms initiating programs to move content to Europe to overcome this challenge.

While some of these laws are onerous, businesses are always going to be driven by opportunity. If the value of operating within a specific market is greater than the cost of compliance, then enterprises will work to overcome the regulations or accept the risks. While protectionism is becoming more commonplace, most countries are determined to remain open for business under the guise of globalization.

By Daren Glenister