The Schrems II case concerns a complaint that Facebook was not adequately protecting EU personal data when transferring and storing it in the US. Photo: Bloomberg
Opinion
Carolyn Bigg

Why global data flow is under threat, and why Asia is in a strong position to benefit

  • Firms must now consider all international data flows, including commonplace activities such as CRM systems, cloud solutions, or even operating a global website
  • In Asia, data is commonly seen by much of the region’s population as something to be used as a force for good

Global trade largely depends on the free flow of data across borders – that is one reason data is often called “the new oil”. It is the very lifeblood of the digital economy.

Yet in the last few years the reality of international data flows has found itself out of step with the mercantilist direction of trade policy.

At first glance, the ruling on July 16 from the EU’s highest court in the highly anticipated Schrems II case appeared only to have major consequences for data sharing between the EU and the US. Now it’s abundantly clear that the decision presents a vast set of commercial, operational and legal challenges and risks for businesses all over the world.

The ruling affects all multinational businesses that transfer data in and out of the EU, use EU service providers, have EU entities or operations, or even just have EU-based customers or users – and not least the many businesses that rely on cloud and outsourcing providers in Asia.

In a nutshell, this is serious. But much of the world’s attention is focused elsewhere.

The Schrems II case, officially known as Data Protection Commissioner v Facebook Ireland Limited, Maximillian Schrems, concerns a complaint from Maximilian Schrems, a well-known Austrian data privacy activist, that Facebook was not adequately protecting EU personal data when transferring and storing it in the US, in part because the US does not have similar data protection laws to those in the EU, i.e., the General Data Protection Regulation (GDPR) and also because of the reach of US surveillance and national security laws over the data once in the US.

The resulting judgment from the Court of Justice of the European Union (CJEU) declared the EU-US Privacy Shield framework an invalid mechanism for transferring personal data to the US. But the judgment did not stop there. The CJEU has also called into question an extremely common data transfer model that most businesses currently use to transfer “EU” data around the world, known as Standard Contractual Clauses (SCCs).

SCCs are essentially standard sets of contractual terms to which both the provider and recipient of the personal data sign up, to ensure that recipients of GDPR-protected personal data comply with GDPR requirements even if the local data privacy laws do not provide the same safeguards. Casting doubt on SCCs makes it much more expensive and risky to transfer or access personal data outside the EU, and risks massive fines for businesses which get it wrong.

Although SCCs do remain a valid mechanism for processing “EU” personal data outside Europe, the judgment confirms that individual businesses must now verify whether the conditions of transfer (including the destination country) offer appropriate safeguards to individuals’ personal data in accordance with GDPR.

That is, each business must now consider each and every single international data flow: even commonplace daily activities such as using global HR or CRM systems or cloud solutions, or operating a global website. The judgment also confers huge power on EU data protection regulators to suspend or prohibit transfers where such appropriate safeguards cannot be provided, and non-compliance could expose exporters of EU data to fines of up to a prohibitive 4 per cent of total global annual turnover. In terms of enforcement, it remains unclear how European member state data protection authorities will respond to complaints.

The cost and operational burden this requirement places on businesses should not be underestimated. Not only will organisations need to assess the standard of data protection laws in each country according to GDPR, but the surveillance practices and national security laws of these countries will also need to be taken into account as part of the risk assessment. Transfers which continue despite a “failed” assessment must be reported to an EU data protection regulator.

Given the risks of investigations or substantial fines under GDPR, contractual liabilities with existing vendors, or costs and operational challenges of finding alternative cloud, IT or service solutions, businesses will need to be forensic and thorough in their assessments if they wish to continue to use SCCs.

The decision has profound implications for software and technology companies which rely on globally hosted cloud services or outsourcing providers in countries such as India or the Philippines. In the coming weeks and months, both providers and their customers will need to grapple with some extremely tough questions.

Are they still able to service European customers? Will they need to build new data centres in Europe, or relocate? Do they need to repatriate, silo and/or ring-fence GDPR-protected data within Europe? Should they avoid SCCs for transferring “EU” data altogether, and will the alternative GDPR cross-border mechanisms remain valid for much longer?

Unless pragmatic solutions can be found (whether from the EU data protection authorities, from further court decisions, or from governments), the global inflow and outflow of data may evaporate as trade tensions heat up. Our highly globalised data landscape will split into various terra incognita, an early world map projection of localised data flows within a regional landscape, no longer global in scope.

If data is the new oil, then the likely beneficiaries of this ruling will be in Asia, which accounts for more than half of the world’s internet users. The region’s well-structured data management strategies make it particularly attractive for businesses looking to establish or relocate “rest-of-the-world” operations since the region can support digital experimentation and exploration within sound data governance frameworks. The fallout from the decision may also prompt international cloud and data outsourcing businesses to establish more and diversely located infrastructure, enabling them to provide customers with solutions that minimise offshore transfer.

In Asia, data is commonly seen by much of the region’s population as something to be used as a force for good – something that provides benefits and convenience, and not something to be locked away. When we think about data protection from a Western perspective, we are often prone to underestimate the extent to which culture shapes the legal framework for business compliance. This ruling presents a real opportunity for Asia to capitalise on its unique position.

Given the scale of this decision, it is likely to be some time before we see the full practical implications come into effect. But it is one that has sent shock waves across borders at the worst possible time, when the world needs to coordinate its response to the coronavirus pandemic and businesses are doing everything they can just to survive.

Carolyn Bigg is a partner at DLA Piper in Hong Kong. She focuses on data and technology, helping businesses manage data opportunities within compliant frameworks.
