{"id":14996,"date":"2019-04-02T08:10:02","date_gmt":"2019-04-02T16:10:02","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2019\/04\/02\/news-8745\/"},"modified":"2019-04-02T08:10:02","modified_gmt":"2019-04-02T16:10:02","slug":"news-8745","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2019\/04\/02\/news-8745\/","title":{"rendered":"The global data privacy roadmap: a question of risk"},"content":{"rendered":"<p><strong>Credit to Author: David Ruiz| Date: Tue, 02 Apr 2019 15:00:00 +0000<\/strong><\/p>\n<p>For most American businesses, <a href=\"https:\/\/blog.malwarebytes.com\/security-world\/2019\/03\/not-definitive-guide-cybersecurity-data-privacy-laws\/\" target=\"_blank\" rel=\"noopener\">complying with US data privacy laws<\/a> follows a somewhat linear, albeit lengthy, path. Set up a privacy policy, don\u2019t lie to the consumer, and check the specific rules if you\u2019re a health care provider, video streaming company, or kids\u2019 app maker.<\/p>\n<p>For American businesses that want to expand to a new market, though, complying with global data privacy laws is more akin to finding dozens of forks in the road, each one marked with an indecipherable signpost.<\/p>\n<p>Should a company expand to China? That depends on whether the company wants to have its source code potentially analyzed by the Chinese government. Okay, what about South Korea? Well, is the company ready to pay three percent of its revenue for a wrongful data transfer, or to have one of its executives spend time behind bars?<\/p>\n<p>Europe is an obvious market to capture, right? 
That\u2019s true, but, depending on which country, the local data protection authorities could issue enormous fines for violating the <a href=\"https:\/\/blog.malwarebytes.com\/101\/2017\/10\/make-way-for-the-gdpr-is-your-business-ready\/\" target=\"_blank\" rel=\"noopener\">General Data Protection Regulation<\/a>.<\/p>\n<p>What if a company just follows in the footsteps of the more established firms, like Google, Amazon, or Microsoft, which all opened data centers in Singapore in the past two years? Once again, the answer depends on the company. If it\u2019s providing a service that Singapore considers \u201cessential,\u201d it will have to heed a new cybersecurity law there.<\/p>\n<p>At this point, a company might think about entering a country with no data privacy laws. No laws, no getting in trouble, right? Wrong. Data privacy laws can sprout up seemingly overnight, and future compliance costs could severely cut into a company\u2019s budget.<\/p>\n<p>While this may appear overcomplicated, one guiding principle helps: If a company cannot afford to comply with a country\u2019s data privacy laws, it probably should not expand to that country. 
The risk, which could be millions in penalties, might not outweigh the reward.<\/p>\n<p>Today, for the third piece in our data privacy and cybersecurity blog series, which also took a look at <a href=\"https:\/\/blog.malwarebytes.com\/security-world\/2019\/03\/not-definitive-guide-cybersecurity-data-privacy-laws\/\" target=\"_blank\" rel=\"noopener\">current US data privacy laws<\/a>\u00a0and <a href=\"https:\/\/blog.malwarebytes.com\/security-world\/privacy-security-world\/2019\/03\/what-congress-means-when-it-talks-about-data-privacy-legislation\/\" target=\"_blank\" rel=\"noopener\">federal legislation on the floor<\/a>, we explore the decision-making process of a mid-market-sized company that wants to expand its business outside the United States.<\/p>\n<p>With the help of Reed Smith LLP counsel Xiaoyan Zhang, we looked at several notable data privacy laws in Europe, Asia, Latin America, the Middle East, and Africa.<\/p>\n<h3><strong>Issue-spotting within a culturally-crafted landscape<\/strong><\/h3>\n<p>Before a company expands into a new country, it should try to truly comprehend the data privacy laws located within, Zhang said. She said this involves more than just reading the law; it requires training one\u2019s thinking into an entirely different culture.<\/p>\n<p>Unlike crimes including manslaughter and robbery\u2014which have near-universal definitions\u2014Zhang said data privacy violations fluctuate from region to region, with interpretations rooted in a country\u2019s history, economy, public awareness, and opinions on privacy.<\/p>\n<p>\u201cData privacy is not like murder, which is much more straightforward,\u201d Zhang said. 
\u201cPrivacy law is very intimately tied into culture.\u201d<\/p>\n<p>So, while overseas concepts might appear familiar\u2014 like protecting \u201cpersonally identifiable information\u201d in the US and protecting \u201cpersonal information\u201d in the European Union\u2014the culture behind those concepts varies.<\/p>\n<p>For example, in the European Union, a history of fierce antitrust regulation and government enforcement helped usher GDPR\u2019s passage. In fact, Austrian online privacy advocate Max Schrems\u2014whose <a href=\"https:\/\/blog.malwarebytes.com\/security-world\/2019\/02\/max-schrems-lawyer-regulator-international-man-of-privacy\/\" target=\"_blank\" rel=\"noopener\">legal complaints against Facebook heavily influenced<\/a> the final text of GDPR\u2014<a href=\"https:\/\/www.washingtonpost.com\/business\/economy\/facebook-privacy-targeted-by-austrian-law-student\/2012\/10\/19\/45a38efc-e70c-11e1-936a-b801f1abab19_story.html?utm_term=.488820d388ba\" target=\"_blank\" rel=\"noopener\">remarked years ago<\/a> that he was surprised at the lack of tall garden hedges around Americans\u2019 homes. The country\u2019s understanding of privacy, Schrems realized, was different than that of Austria, and so, too, are its data privacy laws.<\/p>\n<p>Similarly, Zhang said she has fielded many questions from EU lawyers who assume that data privacy regulations around the world are similar to those in GDPR.<\/p>\n<p>\u201cEU lawyers are used to thinking that, for every data collection, there must be a legitimate purpose, and they insist on asking the same questions,\u201d Zhang said. \u201cWhen I\u2019m talking about legal advice in China, they\u2019ll say \u2018Oh, our medical device needs to collect data from users, does China have any law or statutes that give us a legitimate business purpose to collect that data?\u2019\u201d<\/p>\n<p>Zhang continued: \u201cNo. In China, you don\u2019t need that. 
It\u2019s totally different.\u201d<\/p>\n<p>The differences can be managed with the right help, though.<\/p>\n<p>The safest path for market expansion is to rely on a global data privacy lawyer to \u201cissue-spot\u201d any obvious global compliance issues, Zhang said. These experts will look at what type of data a company handles\u2014including medical, financial, geolocation, biometric, and others\u2014what type of service the company performs, and whether the company will need to perform frequent cross-border data transfers. Depending on all these factors, each company\u2019s individual roadmap for data privacy compliance will be unique.<\/p>\n<p>However, Zhang led us on a bit of a world tour, detailing some of the notable data privacy laws in Europe, Asia, Africa, the Middle East, and Latin America. Company expansion into these markets, Zhang emphasized, depends on whether a company is ready for compliance.<\/p>\n<h3><strong>Many countries, many laws<\/strong><\/h3>\n<h4>Europe<\/h4>\n<p>Starting with Europe there is, of course, GDPR. Complying with the sweeping set of provisions is tricky because GDPR gives each EU member-state the authority to enforce the new data protection law on its own turf.<\/p>\n<p>This enforcement is done through Data Protection Authorities (DPAs), which oversee, investigate, and issue fines for GDPR violation. 
Each member-state has its own DPA, and, in the months before GDPR\u2019s implementation, the DPAs <a href=\"https:\/\/www.cyberadviserblog.com\/2018\/05\/gdpr-now-effective-will-regulators-enforce\/\" target=\"_blank\" rel=\"noopener\">gave mixed signals about what local enforcement would look like<\/a>.<\/p>\n<p>France\u2019s DPA, the National Data Protection Commission (CNIL), said that companies that are at least trying to comply with GDPR \u201c<a href=\"https:\/\/iapp.org\/news\/a\/cnil-may-go-easier-on-companies-who-prepped-for-gdpr\/\" target=\"_blank\" rel=\"noopener\">can expect to be treated leniently initially, provided that they have acted in good faith.\u201d<\/a><\/p>\n<p>Less than one year later, though, that leniency met its limit. CNIL <a href=\"https:\/\/www.theverge.com\/2019\/1\/21\/18191591\/google-gdpr-fine-50-million-euros-data-consent-cnil\" target=\"_blank\" rel=\"noopener\">hit Google with the largest GDPR-violation fine on record<\/a>, at roughly $57 million.<\/p>\n<p>The best defense to these penalties, Zhang said, is to consult with local legal experts who know the region\u2019s enforcement history and details.<\/p>\n<p>\u201cYou cannot just seek consultation from a GDPR expert. If you want to go specifically to Germany, you need German lawyers who can offer insight on things that are specific to Germany,\u201d Zhang said. \u201cThat\u2019s for all of Europe.\u201d<\/p>\n<h4>Latin America<\/h4>\n<p>Outside of Europe\u2014but still inspired by GDPR\u2014is Latin America. Zhang said several Latin American countries have enacted, or are considering, legislation that protects the data privacy rights of individuals.<\/p>\n<p>In 2018, Brazil passed its comprehensive data protection law, which protects people\u2019s personal information and includes tighter protections for sensitive information that discloses race, ethnicity, religion, political affiliation, and biometrics. 
Argentina also forwarded privacy protections for its citizens, and it earned a special clearance in GDPR as a \u201cwhitelisted\u201d party, meaning that personal data can be moved to Argentina from the EU without extra safeguards.<\/p>\n<h4>Asia<\/h4>\n<p>Moving to China, a whole new risk factor comes into play\u2014surveillance.<\/p>\n<p>China\u2019s cybersecurity law grants the Chinese government broad, invasive powers to spy on Internet-related businesses that operate within the country. Implemented in 2017, the law allows China\u2019s foreign intelligence agency to perform \u201cnational security reviews\u201d on technology that foreign companies want to sell or offer in China.<\/p>\n<p>This authority <a href=\"https:\/\/www.recordedfuture.com\/china-cybersecurity-law\/\" target=\"_blank\" rel=\"noopener\">raised alarm bells<\/a> for the researchers at Recorded Future, who <a href=\"https:\/\/www.recordedfuture.com\/chinese-mss-behind-apt3\/\" target=\"_blank\" rel=\"noopener\">attributed past cyberattacks directly to the Chinese government<\/a>. Researchers said the law could give the Chinese government the power to both find and exploit zero-day vulnerabilities in foreign companies\u2019 products, all for the price of admission into the Chinese market.<\/p>\n<p>\u201cChina\u2019s law has a hidden angle for government control and monitoring,\u201d Zhang said. \u201cIt has a different rationale.\u201d<\/p>\n<p>Outside of China, Singapore has garnered the attention of Google, Microsoft, and Amazon, which all <a href=\"https:\/\/www.cio.com\/article\/3296099\/why-are-businesses-relocating-data-centres-to-southeast-asia.html\" target=\"_blank\" rel=\"noopener\">built data centers in the country in the past few years<\/a>. 
The country passed its Personal Data Protection Act in 2012 and its Cybersecurity Act in 2018, the latter of which sets up a framework for monitoring cybersecurity threats in the country.<\/p>\n<p>The law has a narrow scope, as it only applies to companies and organizations that control what the Singaporean government calls \u201ccritical information infrastructure,\u201d or CII. This includes computer systems that manage banking, government, healthcare, and aviation services, among others. The law also includes data breach notification requirements.<\/p>\n<p>Moving to South Korea, the risk for organizations goes up dramatically, Zhang said. The country\u2019s Personal Information Protection Act preserves the privacy rights of its citizens, and its penalties include criminal and regulatory fines, and even jail time. Cross-border data transfers, in particular, are strictly guarded. One wrongful transfer can result in a fine of up to three percent of a company\u2019s revenue.<\/p>\n<h4>Africa<\/h4>\n<p>Traveling once again, expansion into Africa requires an understanding of the continent\u2019s burgeoning, or sometimes non-existent, data privacy laws. Zhang said that, of Africa\u2019s more than 50 countries, only about 15 have data protection laws, and even fewer have the regulators necessary to enforce those laws.<\/p>\n<p>\u201cAmong [the countries], nine have no regulators to enforce the law, and five have a symbolic law but it\u2019s not enforced,\u201d Zhang said.<\/p>\n<p>So, that invites the question: What exactly does happen if a company expands into a country that doesn\u2019t have any data privacy laws?<\/p>\n<p>What happens is potentially more risk.<\/p>\n<p>First, a country could actually develop and pass a data privacy law within years of a company\u2019s expansion into its borders. 
It\u2019s not unheard of\u2014less than one year after Amazon <a href=\"https:\/\/aws.amazon.com\/blogs\/publicsector\/aws-region-to-open-in-the-middle-east-by-early-2019\/\" target=\"_blank\" rel=\"noopener\">announced its rollout into Bahrain<\/a>, the country <a href=\"https:\/\/iapp.org\/news\/a\/bahrain-publishes-data-protection-law\/\" target=\"_blank\" rel=\"noopener\">introduced<\/a> its first comprehensive data privacy law. Second, compliance with the new data privacy law could be expensive, Zhang said, forcing a company into a tough situation where it might have to withdraw entirely from the new market.<\/p>\n<p>\u201cOne common misconception is that if a country doesn\u2019t have a law at all, it\u2019s a good country to go to,\u201d Zhang said. \u201cYou should think twice about whether that\u2019s the case.\u201d<\/p>\n<h3><strong>Expand or not? It\u2019s up to each company<\/strong><\/h3>\n<p>There is no single roadmap for companies entering new markets outside the United States. Instead, there are multiple paths a company can take depending on its product, its services, the data it collects, the data it will need to move across borders, and its tolerance for risk.<\/p>\n<p>The safest path, Zhang said, is to ask questions upfront. 
It is far better to make an informed decision about how to enter a market\u2014even if compliance is costly\u2014than to be surprised with fines or penalties later on.<\/p>\n<p>The post <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\/security-world\/privacy-security-world\/2019\/04\/globetrotting-businesses-beware-data-privacy-abroad-question-risk\/\">The global data privacy roadmap: a question of risk<\/a> appeared first on <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\">Malwarebytes Labs<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p><strong>Credit to Author: David Ruiz| Date: Tue, 02 Apr 2019 15:00:00 +0000<\/strong><\/p>\n<table cellpadding='10'>\n<tr>\n<td valign='top' align='center'><a href='https:\/\/blog.malwarebytes.com\/security-world\/privacy-security-world\/2019\/04\/globetrotting-businesses-beware-data-privacy-abroad-question-risk\/' title='The global data privacy roadmap: a question of risk'><img src='https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/04\/shutterstock_314222288.jpg' border='0'  width='300px'  \/><\/a><\/td>\n<\/tr>\n<tr>\n<td valign='top' align='left'>For any American company taking steps outside the US market, global data privacy compliance is a question of risk versus reward.<\/p>\n<p>Categories: <\/p>\n<ul class=\"post-categories\">\n<li><a href=\"https:\/\/blog.malwarebytes.com\/category\/security-world\/privacy-security-world\/\" rel=\"category tag\">Privacy<\/a><\/li>\n<\/ul>\n<p>Tags: <a href=\"https:\/\/blog.malwarebytes.com\/tag\/africa\/\" rel=\"tag\">Africa<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/amazon\/\" rel=\"tag\">amazon<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/argentina\/\" rel=\"tag\">Argentina<\/a><a 
href=\"https:\/\/blog.malwarebytes.com\/tag\/asia\/\" rel=\"tag\">asia<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/bahrain\/\" rel=\"tag\">Bahrain<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/brazil\/\" rel=\"tag\">Brazil<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/china\/\" rel=\"tag\">china<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/cnil\/\" rel=\"tag\">CNIL<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/data-privacy\/\" rel=\"tag\">Data privacy<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/data-privacy-laws\/\" rel=\"tag\">data privacy laws<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/data-protection-authority\/\" rel=\"tag\">data protection authority<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/europe\/\" rel=\"tag\">Europe<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/european-union\/\" rel=\"tag\">European Union<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/gdpr\/\" rel=\"tag\">gdpr<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/general-data-protection-regulation\/\" rel=\"tag\">General Data Protection Regulation<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/global-data-privacy\/\" rel=\"tag\">global data privacy<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/google\/\" rel=\"tag\">Google<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/microsoft\/\" rel=\"tag\">microsoft<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/middle-east\/\" rel=\"tag\">Middle East<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/national-data-protection-commission\/\" rel=\"tag\">National Data Protection Commission<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/personal-information-protection-act\/\" rel=\"tag\">Personal Information Protection Act<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/qatar\/\" rel=\"tag\">Qatar<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/singapore\/\" rel=\"tag\">singapore<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/south-korea\/\" 
rel=\"tag\">South Korea<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/whitelist\/\" rel=\"tag\">whitelist<\/a><\/p>\n<table width='100%'>\n<tr>\n<td align=right>\n<p><b>(<a href='https:\/\/blog.malwarebytes.com\/security-world\/privacy-security-world\/2019\/04\/globetrotting-businesses-beware-data-privacy-abroad-question-risk\/' title='The global data privacy roadmap: a question of risk'>Read more&#8230;<\/a>)<\/b><\/p>\n<\/td>\n<\/tr>\n<\/table>\n<\/td>\n<\/tr>\n<\/table>\n<p>The post <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\/security-world\/privacy-security-world\/2019\/04\/globetrotting-businesses-beware-data-privacy-abroad-question-risk\/\">The global data privacy roadmap: a question of risk<\/a> appeared first on <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\">Malwarebytes Labs<\/a>.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10488,10378],"tags":[2260,5588,7025,15663,21443,2908,402,21012,11063,21178,21444,2290,3037,12116,12210,21445,1670,10516,21446,21447,21448,5897,21449,17259,206,21450],"class_list":["post-14996","post","type-post","status-publish","format-standard","hentry","category-malwarebytes","category-security","tag-africa","tag-amazon","tag-argentina","tag-asia","tag-bahrain","tag-brazil","tag-china","tag-cnil","tag-data-privacy","tag-data-privacy-laws","tag-data-protection-authority","tag-europe","tag-european-union","tag-gdpr","tag-general-data-protection-regulation","tag-global-data-privacy","tag-google","tag-microsoft","tag-middle-east","tag-national-data-protection-commission","tag-personal-information-protection-act","tag-privacy","tag-qatar","tag-singapore","tag-south-korea","tag-whitelist"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/
v2\/posts\/14996","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=14996"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/14996\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=14996"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=14996"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=14996"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}