Wajdi Kharrat, a Managing Director within FTI Technology’s Information Governance, Privacy & Security practice in France is an expert in global data privacy challenges and the ever-changing landscape of regulatory requirements. One of the key trends he’s continuing to watch is the arena of cross-border data transfers, including which laws are changing the legality of transferring data between jurisdictions, legal bases for conducting transfers and best practices for protecting data in transit. Wajdi recently sat down with Pierre Faller, Data Protection Officer at Dior, to discuss these issues in depth.
Kharrat: Since Privacy Shield was invalidated in July 2020, organisations have spent nearly two years conducting global business and global data transfers amid an uncertain regulatory backdrop. Earlier this year, President Biden and European Commission President von der Leyen announced that they had signed a preliminary agreement for a new Privacy Shield framework. This is a reassuring sign, however, it remains unclear as to what the new framework will entail. In light of all of this, can you share your perspective on the current trends surrounding global data transfers?
Faller: Unfortunately, the pandemic and the current events in Eastern Europe show the dependence of the smallest to the most prominent business to exchange of goods, out of which transfer of information is needed. In today’s world, data is no different than the export or import of any other valuable goods.
One would need a crystal ball to detect and project data flow constraints and problematics. However, we could resume the “privacy world” in several branches, or zones, in which an organisation would need to handle three types of privacy/consumer markets: i) privacy is a fundamental right (EU and all the adequate countries signed through international agreements with the EU), ii) privacy is based on consumer protection, as in North America, meaning privacy is part of a consumer expectation, and then, iii) the “privacy as a territorial security” zones, where strong geopolitical protections are in place. In other words, one data flow passing from Zone ii to Zone i may not cause a fundamental problem; while passing from Zone iii to i or ii may be more problematic.
Kharrat: In France, and the EU broadly, the primary risk of transferring data across borders is running afoul of GDPR. Getting more specific, how would you characterize the risks and complexities involved in cross-border data transfers?
Faller: While GDPR already placed the requirement of a favoured EU-stored data model, other jurisdictions implemented this requirement before GDPR (Russia in 2017) or after GDPR (China more strictly since 2021). Here is the trick. We often overthink from an EU to a non-EU data transfer flow. However, organisations need to also review i) non-EU to non-EU or ii) non-EU to EU data transfer flows from its headquarters or affiliates. Data location, consent to collect plus consent to transfer, let alone security standards applied to local countries, are among such complexities.
Kharrat: Yes. And fully complying with all the rules simultaneously is exceedingly difficult. Can you speak to how regulations governing data transfers vary between jurisdictions?
Faller: Various websites, blogs and the EDPB and national authorities, such as the excellent CNIL map, help inform privacy experts of such variations.
To offer a specific example, the EU and South Korea or Japan may be viewed as entirely adequate because the same definitions apply, the same fundamental rights apply, the same data subject rights apply across these regions. However, the gauge on i) consent or ii) transparency may vary from region-to-region. For example, in South Korea, a consent to transfer would more likely be submitted (even if you transfer South Korean data to the EU); in Japan, you must publish all of your third parties with whom you share data. We have such principles in Europe, yet they are emphasised here in two examples as a more robust prerequisite to transferring data abroad.
Kharrat: And this is all intensifying. For example, many countries are introducing or expanding laws that restrict data transfer and/or require data localisation. What other issues are likely to dominate this arena in the coming years?
Faller: For me it’s The Digital Act, AI regulation and the metaverse. Purchases of virtual assets and in virtual marketplaces will be scrutinised by regulators, and legislators will make progress on such legislative packages. If an organisation thought that cookie laws presented confusing data management issues, there will be more surprises over the coming years. Retail companies already probe their values on virtual markets — this isn’t a new concept, but bringing in a DPO and a virtual DPO to manage the privacy issues is adding a new layer of complexity.
Kharrat: With the volume of data transferred worldwide set to continue increasing and regulators ramping up on enforcement, I think we’ll begin to see new tech-based safeguard measures to help organisations deal with these issues while still conducting international business and commerce. What are your thoughts on the impending regulatory landscape?
Faller: We should expect more regulations to come in from different directions: i) to cover virtual data processing aspects or ii) to cover profiling aspects (such as in AI-led decision making). This in addition to the ever-growing array of local and regional privacy laws worldwide. The very question mark of a federal privacy law in the U.S. may further impact the data flow between the U.S. and Europe.
It is advised for organisations to look out for ever changing i) regional, ii) local and ii) sectorial laws. When all of these coalesce in a specific geographic zone, organisations can face complexity in guessing which rule must apply first and then seek appropriate advice.
The views expressed herein are those of the author(s) and not necessarily the views of FTI Consulting, its management, its subsidiaries, its affiliates, or its other professionals.