Management, compliance & auditing

Navigating local data privacy standards in a global world

Ralph O'Brien
March 18, 2022 by
Ralph O'Brien

For the first time in human history, a company can be bigger than a country — and we have technology available to everyone with the internet that enables global collaboration in real-time.

That's both a hell of a problem and a benefit. We can speak to people on the other side of the globe as if they were in the same room, collaborating on documents and producing things that truly represent global collaboration. We have technologies that can reach virtually everyone via smartphones and devices and global technology brands operating in similar ways for everyone on the planet.

The benefits of globalization are easy to see, and common approaches are key. After all, we humans are biologically similar, with similar biological needs, social conventions, human urges and frailties.

However, there are problems with a global approach. The further we move towards true globalization with a fully meshed internet where we join a truly global network, cloud computing, mobile computing, and "the world in the palm of your hand" (and coincidently the world being able to access you as a consequence), the more there seems to be a movement by nation-states to more jealously and fiercely guard and police their borders and to legislate to try and bring global organizations accountability.

Global world, local privacy laws

One of the tools governments try to impose is a requirement for data localization, which is often having to keep a copy of the data in-country or not be able to export the data of a citizen wider. This obviously conflicts with cloud computing providers, where even the company may not know where their providers are hosting and moving the data to. This can give rise to cloud providers offering local hosting.

Varying data privacy standards and legislation can be an issue. For example, countries have laws similar to the EU GDPR and principle-based omnibus laws. Some countries base data protection law on earlier versions, such as the EU 95 directive COE Convention 108. Some have alternative regimes increasing complexity, such as the U.S. Federal Sectoral system or the Australian co-regulatory model. This variation makes it more difficult for a single product design to meet every country's laws and facilitate the variations in individuals' rights that may vary across the globe. Even in the EU, where the GDPR is viewed as a gold standard, variation still exists in national laws. Germany, for example, provides a more restrictive national law, enforced by regional regulators, and ePrivacy laws that are based on an earlier directive which has led to national variations in legislation and enforcement.

Data privacy fines and enforcement

Organizations are free to ignore the law and take the consequences of investigation and prosecution, receiving data privacy fines and penalties from courts and regulators. However, we have companies with larger pools of resources than a country's court or regulator for the first time. This can lead to protracted legal challenges, appeals, and refuting country laws as illegal. Companies now can challenge and frustrate the legal process when faced with large fines in ways never before seen. Arguably, some apps and technology companies are so ubiquitous in use that governments cannot take ultimate sanctions such as banning or blocking them due to the level of societal reliance on such technologies.

Some jurisdictions have tried to impose limitations on the movement of data. For example, the EU GDPR states that data cannot be moved outside the EEA unless that country or territory is deemed adequate or alternative contractual safeguards or legal derogations are met. This has caused enormous difficulty for organizations to document and provide contractual paperwork safeguards between organizations and large legal cases such as Schrems I and Schrems II, but have ultimately resulted in little legal protection for individuals in other jurisdictions.

Some legal jurisdictions have struggled to regulate technology providers that provide products/services to their citizens but are based outside of them. Laws like the GDPR have introduced very misunderstood Extra-Territorial extent provisions, with requirements to introduce onshore representatives at a cost to businesses or try and make companies enforce rules beyond their jurisdiction. Often this is based on where a company is established or where they are targeting their business operations. Still, it is a complicated situation to get (for example) a U.S. or Chinese organization to comply with EU law, where they maintain no presence in the country but offer products and services to the individuals there through a global internet. 

Practically, organizations wish to have a single version of their product or service. It can be challenging to engineer, maintain or deliver multiple variations of the same thing, and a business should deliver a global version if possible. Still, local law may demand variations in areas such as data localization, retention periods, individual rights etc. Many organizations are now starting to try and adopt a "global gold standard" and give people rights, not because they have them under a country's law, but because they want to give them to their customers.

For business, this national variation represents significant problems. They want to take advantage of a global marketplace, release a single product that individuals can use anywhere on the globe, and take advantage of what technology has empowered us to do. However, the areas above place limitations on the power of a corporation to act in this global way, and companies have to carefully weigh the risks and benefits of releasing in each market and what national governments may be able to do or enforce upon them. At the same time, designing features that vary across the globe will mean that individuals' experience will vary, and they want to provide a consistent global user experience, including high standards of data protection regardless of the origin of individuals. 

In truth, the first step is often for an organization to create a data inventory to examine the locations and disposition of where their customers reside, where data is collected from and stored, and transferred to by both itself globally, and its partners, and to introduce levels of control required to meet expectations of all of its stakeholders and manage the risks it faces across multiple jurisdictions.

Want to learn more about privacy? Check out my privacy courses on Infosec Skills.

Ralph O'Brien
Ralph O'Brien

Ralph is a trusted advisor on Global Privacy and Security compliance, practices and management. His experience includes strategic GDPR adoption programs, advisory services and assurance delivery in global multinational environments.

He has worked in a wide variety of industry sectors including Defense, Public Sector, Pharma and Financial Services, representing both multinational corporations and boutique specialist consultancies.

He continues to be a hands-on practitioner, combining business-level consultancy with training and technical experience. He was responsible for the first global joint 27001/25999 management system to be certified. With a focus on business processes and the protection of information, and an ethos of management assurance, risk management and knowledge transfer he continues to ensure effective protection of assets appropriate to the business needs of the client.