April 25, 2023

Guide to the cross-border transfer of personal data for global companies

Guide to the cross-border transfer of personal data for global companies

Cross-border data transfer has been one of the most challenging aspects of data protection, particularly for international corporations. These companies’ operations frequently necessitate the transfer of regulated information from one country to another for additional processing or reporting purposes.

However, data residency requirements by country have been enacted to regulate the process of cross-border data transfers. While this is understandable considering the dangers and harm that unredacted transfers can bring about, it hampers business activities for many global companies, subjecting them to tedious requirements.

Given the severe penalties for breaking data protection laws, it is necessary that global companies implement appropriate mechanisms for sharing data across borders. This guide provides insight for global businesses to better understand and navigate the process.

What is cross-border data transfer?

It is simply the sharing of personal data from one national jurisdiction to another. We all know that the global economy of the twenty-first century is heavily reliant on the quick and seamless exchange of data across international borders. Cross-border transfers enable SaaS companies to provide innovative, cutting-edge services to all economic sectors, paving the way for emerging technologies such as IoT and AI. In addition, it also promotes economic growth, health, safety, and the common good. 

However, a lot of jurisdictions are now putting strong limitations in place to control this process. Reasons for this include national security, protection from misuse of citizens’ personal information, and strengthening domestic economic capabilities in an increasingly technological world.

What laws govern international data transfers?

Data sovereignty compliance entails adhering to cross-border data protection laws that have been established in various jurisdictions.

The following are some notable ones:

  • The European Union’s General Data Protection Regulation (GDPR).
  • The Personal Information Protection Law (PIPL) of China.
  • Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA).
  • The Personal Information Protection Act (APPI) of Japan.

At the moment, there are no U.S. laws governing cross-border data transfers at the federal level, but the California Consumer Privacy Act (CCPA) is one of the most prominent state laws in this regard.

These laws ensure that data sharing is conducted in a secure manner, with the subjects’ consent, so that they may be protected from cybersecurity risks.

Cross-border data transfers according to GDPR

The GDPR establishes ground-breaking rules for cross-border data transfer. Although it is a massive piece of legislation, this section attempts to distill its provisions concerning cross-border data transfer within and beyond the EU.

There are virtually no transfer rules for EU cross-border data protection because all member countries are considered to have the same protection standard, namely the GDPR. However, Art. 28 stipulates that any transfer agreement between a controller and a processor must be in writing. The topic, scope, nature, and purposes of the processing, the categories of data subjects, the type of personal data provided, and the obligations and rights of the parties must all be specified in the agreement.

Transfers outside the EU are typically prohibited unless the recipient country is deemed to provide an equivalent level of privacy protection. However, no such country is mentioned in the GDPR. It appears that the EU decides on these countries on a case-by-case basis. This is referred to as an “adequacy decision.” An adequacy decision is made after investigation and confirmation that the data protection standards of the receiving country are on par with those of the EU. This decision has the effect of removing any restrictions on data transfers to the recipient nation. So far, twelve nations have achieved this status.

Where the receiving country is not covered by an adequacy decision, one of the following is required:

  1. Standard Contractual Clauses (SCC): These assist EU controllers in offering adequate protection during transfer to non-EU controllers or processors, as the case may be. Model clauses are sometimes provided by data protection authorities, subject to approval by the EU Commission. Transfers may also be made per ad hoc contractual provisions between the sender and the non-EU recipient; however, for these agreements to be enforceable, the relevant authority must approve them.
  2. Binding Corporate Rules (BCRs): These are rules that govern the transfer and processing of personal information among members of a group of undertakings or enterprises engaged in a common economic activity and their employees, including those located outside the territory. The advantage of BCRs over SCCs is that the former has a forward-looking effect. That is, once approved by the appropriate supervisory authority, it applies to all future transfers of this type without any additional requirements.

In addition to the options mentioned above, the GDPR has introduced two mechanisms for data transfer, namely: approved certification schemes and approved codes of conduct. These cross-border data transfer GDPR rules ensure that the party receiving the data takes all necessary security precautions to protect it.

Cross-border data transfers according to PIPL

The PIPL has imposed stringent controls to regulate cross-border transfers of personal data outside of China. Anyone sending personal data outside of China must first get the subjects’ informed consent, complete a protection impact assessment, and meet one of three additional requirements.

  1. Complete a security assessment conducted by the Cyberspace Administration Commission (CAC);
  2. Receive professional certification from an institution approved by the CAC; or
  3. Enter into data transfer agreements with overseas data recipients in accordance with the CAC’s template agreement.

The PIPL cross-border data transfer rules make the first requirement compulsory for all critical information infrastructure operators (CIIOs), including all other network operators who transfer data above a certain threshold. Any business wishing to send “important data” outside of China must comply with this requirement. Due to the low volume thresholds for network operators and the inclusive definition of “important data,” many global companies are now subject to security assessment requirements. 

Noncompliance is punishable both administratively and criminally. Businesses can avoid this by quickly determining whether a transfer necessitates a security assessment application and submitting one where applicable. Where it is not, the transfer must meet either or both of the other requirements above.

How InCountry helps global companies with regulated data

Operating on a global scale necessitates your data traversing complex regulatory, privacy, and sovereignty requirements. Global companies need a new, smarter strategy for cross-border data privacy to enable quick and effective compliance when conducting business in any nation.

Compliance has many advantages, including increased profits from operating in both established and emerging markets, eliminating non-compliance-related risks, expenses, and inefficiencies, and notably improved customer experience, brand recognition, and loyalty. The risks of non-compliance are the exact opposite. 

At InCountry, we track the cross-border data transfer rules of the most challenging and restrictive jurisdictions in order to deliver our comprehensive solution for regulatory compliance challenges. We provide data residency-as-a-service globally to ensure that you immediately comply with all protection laws, no matter where you are.

We can assist you in achieving real-time compliance because:

  • Every country has residency and localization requirements, and InCountry is always up to date with them. We keep data localized in the most secure data centers in every nation.
  • No one offers information security like InCountry; we only use the best security and protection measures available according to international standards.
  • We ensure that all phases of your data lifecycle are tightly secured. We only work with the best and most reputable service providers who adhere to security standards.

Schedule a demo with our experts to learn more about how our combined solution fits your needs.