Data Regulations Follow – and Go Beyond – Europe’s GDPR

New battles are flaring up around data privacy and portability. The issues that came to the fore in Europe’s landmark General Data Protection Regulation (GDPR) and influenced similar laws elsewhere have become increasingly complex for businesses that can become caught in cross-border conflicts.

The GDPR became effective in 2018 and applied to any company with activity in the European Union. It set fines for violations as high as €20 million or 4% of a company’s total global turnover. In addition to focusing corporate attention on data risks, policies and procedures, the EU more recently proposed two measures – the Data Act and the Digital Operational Resilience Act – affecting cross-border data and technology operations.

“GDPR formalized a set of data protection principles that brought consistency across the EU member states . . . and extended specific obligations to vendors and data processors,” said Linnea Solem, founder and CEO of consulting firm Solem Risk Partners. “It really built a model to explain the role of a company that outsources and the due-diligence expectations of their business partners that process personal data.”

Linnea Solem, Solem Risk Partners

Subsequent actions in multiple jurisdictions have erected barriers to data flows, further increasing compliance challenges, and as the New York Times has reported, “the era of open borders for data is ending.”

Tom Garrubba, director of third-party risk management services, Echelon Risk + Cyber, pointed out that the European rule grew out of the shared notion that privacy is a personal right. “Now every other privacy regulation in the world has used GDPR as a foundation,” he said.

Privacy-as-a-right, however, is debated in the U.S. because it is not mentioned in the Constitution. While there have been attempts to legislate a national data privacy standard – including the currently proposed American Data Privacy and Protection Act – states have seized the initiative, as in the California Consumer Privacy Act (CCPA) of 2018. Two years later, voters approved an expansion of the law.

The Disclosure Lever

U.S. policies affecting corporations tend to revolve around disclosures of how they use client data.

The Securities and Exchange Commission took this approach in two proposals this year, on cybersecurity risk management for investment advisers and funds, and on cybersecurity risk management, strategy, governance and incident reporting by public companies.

In comment letters, industry participants complained about reporting windows being too short for firms caught in crisis mode. Some asserted that the reporting requirements could reveal system vulnerabilities to threat actors.

Tom Garrubba, Echelon Risk + Cyber

Nevertheless, Dechert partner Kevin Cahill said the likelihood that the SEC rules will be adopted has prompted firms to revisit their current cyber incident response plans, identify who from compliance and legal departments should join the discussion, and look at “how to address the new disclosure and reporting requirements.”

New types of data are being captured in GDPR- and CCPA-type nets. California’s law covers household data including water and electricity consumption, as “California additionally considers household information as private,” Garrubba said.

Eyes Everywhere

Looking at the global as well as domestic landscape, “What’s top priority for us is making sure that we’re compliant with legislation everywhere we operate,” said Eric Hirschhorn, chief data officer, Bank of New York Mellon Corp.

As a major bank and custodian with a multinational footprint, BNY Mellon has long been focused on data privacy issues. Hirschhorn described GDPR as more a collection of durable principles than a compliance template.

“Over the last several years, we have become much more thoughtful and deliberate as to how we use information and where we store it,” he said. “This is not only due to new regulations, but also to changes in the world around us.”

Although new privacy requirements may emerge that differ from GDPR, they would require a similarly thoughtful approach. Working on GDPR elements such as data inventories, privacy-impact assessments and data subject rights has helped create “muscle memory,” Hirschhorn said. Organizations acting holistically will not be caught “flat footed” in the face of new proposals or regulations, he added.

Local Storage Mandates

Unlike five or 10 years ago, the BNY Mellon executive said, ensuring compliance with constantly evolving data privacy rules requires capturing and tagging data and having the technological ability to store it in-country, when so-called data localization laws mandate.

Nigel Cory, ITIF

As of 2017, 35 countries had enacted 67 rules requiring data to be stored locally, according to Nigel Cory, associate director for trade policy, Information Technology and Innovation Foundation. By last September, Cory told an American Enterprise Institute podcast, 62 countries had enacted 144 restrictions “targeting a growing range of data types,” making it “increasingly difficult for firms to operate across borders and to collect and use data from markets and consumers around the world.”

Despite consensus among governments to take privacy and data protection seriously, with “good examples of GDPR-inspired legislation” having taken effect, some initiatives were delayed by the pandemic emergency, said cybersecurity expert Ilia Kolochenko, founder and CEO of ImmuniWeb. Facing corporate and consumer pushback, India recently shelved a Personal Data Protection Bill, which is expected to be revised.

Into this environment, U.S. Secretary of Commerce Gina Raimondo in April introduced along with several allied nations the Global Cross-Border Privacy Rules Forum, aiming at “a new era of multilateral cooperation in promoting trusted global data flows.” They announced a certification program to enable companies to demonstrate compliance with internationally recognized data privacy standards.

Also in the works is a U.S.-EU Trans-Atlantic Data Privacy Framework, which according to a White House fact sheet “will underpin an inclusive and competitive digital economy and lay the foundation for further economic cooperation.”

Cross-Functional Collaboration

Kirsten Mycroft, BNY Mellon’s chief privacy officer, underlined what chief data officer Hirschhorn said about a broader set of data points and in-country versus out-of-country handling. Companies must examine the applicability and scope of laws, how existing programs and implementations can be leveraged, and whether course adjustments or even bespoke implementations are necessary in some locations or circumstances.

Kirsten Mycroft, BNY Mellon

“This is definitely going to drive even closer collaboration between the chief privacy, data and information security officers,” Mycroft said.

A sticking point that impacts new EU legislation as well as negotiations between the EU and the Biden administration has been the mechanisms to efficiently enable cross-border data transfers, given the contrast between EU and U.S. privacy principles.

“It’s putting a bigger focus on third-party use of data, so getting beyond just security to the authorized use of data and data transfers,” Solem said.

A first step is putting correct contractual clauses in place for where the data originates, Garrubba said. To meet that need, organizations without in-house privacy professionals cognizant of different countries’ privacy laws should seek an expert in-country.

Such a framework isn’t necessary to navigate the panoply of privacy regulations within the U.S., given interstate commerce laws, Garrubba noted. If systems address the most stringent version of each requirement, then “that will cover the organization across the board.”