Geopolitical Tension Inflaming Restrictions on Global Data Transfers, Privacy Lawyers Say
Thirty years after the idea of restricting international data transfers was conceived, companies find themselves facing a greater level of "dogmatism" than ever and geopolitical tensions could take restrictions to an even higher level, Hogan Lovells privacy and cybersecurity attorneys said during a podcast. Driven by U.S. rules hampering some data flows to China and several other countries, personal data protection is morphing into national security protection. One way to navigate the maze could be a greater focus on binding corporate rules (BCRs), they said.
Companies have had to conduct data transfer impact assessments (TIAs) to ensure that Europeans' data would be equally protected in other jurisdictions since the original EU Data Protection Directive, but now they find themselves under increasing restrictions, privacy attorney Eduardo Ustaran said.
The U.S. is approaching data transfers from a different perspective, said privacy and cybersecurity lawyer Scott Loughlin. Justice Department rules finalized at the end of the Biden Administration limit the transfer of bulk data to certain jurisdictions deemed to have adverse relations with the U.S., such as China, he said.
These rules will affect how large amounts of data can be accessible to entities and persons who are either in China or have interactions with China, Loughlin added. This is a national security law, not a consumer protection one, and has nothing to do with personal data protection, he said.
Moreover, Loughlin said, this set of rules isn't pragmatic, but almost entirely bans cross-border transfers. This development isn't happening in a vacuum, and other countries are likely to boost their scrutiny of transfers to China, he added.
Moreover, this focus on China is bound to make its way to Europe, and impact every jurisdiction where international data flows are restricted either on the grounds of personal protection or national security, Ustaran said. European data protection authorities (DPAs) will possibly start applying some of the same criteria as the U.S. does to data transfers to China, he said. The question is: If even the greater controls placed over data transfers by the U.S. fail to fully satisfy EU standards, what protections can China offer that would be considered good enough?
The U.S. became focused on cross-border transfers because of former National Security Agency contractor Edward Snowden's disclosure of confidential U.S. documents in 2013, but the work it's doing now to expose Chinese activities adds to the "obsession" about which countries are more dangerous concerning data availability, Ustaran said. He predicted that the EU approach to global data transfers will now be applied "vigorously" to China.
The U.S. prejudges that data transfers to China, Venezuela and other nations are unlawful, so companies may need to assess their cybersecurity controls rather than performing TIAs, Loughlin said. But there is probably no government, much less any company, that can completely ensure that the Chinese government can't access its data, he said.
Given this more rigid approach to transfers, if an organization wants to operate internationally, it must decide how to do it under the appropriate standards, said Ustaran: The challenge is that there's a presumption that whatever the organization does won't be good enough. While the EU-U.S. data privacy framework is manageable because the U.S. handles personal data in a visible way, no one knows what efforts China might make to ensure its government is complying with standards set by, for example, the EU, he said.
Asked how businesses can deal with these issues in a coordinated way, privacy attorney Katie McMullan said the "MVP of data transfer mechanisms" is BCRs. Companies that opt for them have to go through an exhaustive process to comply with data protection principles, perform TIAs and other processes, and have their BCRs scrutinized by data protection regulators, she said. As such, BCRs allow organizations to react to geopolitics and changing rules more easily, she added.