Within the software space, you will often transfer data across borders, whether you know it or not. A transfer is not necessarily as blunt as taking a file from location A and moving it to location B: accessing file A from location B is still a data transfer. In cases of data sovereignty, where data is forced to stay in-country, companies often first resort to “we’ll just connect via a VPN so we appear to be in-country”. Many jurisdictions have wised up to this and have cleared up this grey area in case law or other binding rules. The fact is, privacy laws are different for different regions.
A Little History
Most privacy regulations stem from the OECD guidelines on privacy – which detail 8 principles for processing data responsibly. These 8 principles are echoed in POPIA, but have evolved in each regulation in a slightly different way. Different countries put their own flavours and requirements on the guidelines, and signed those into legislation. These have since evolved within regions; take GDPR for example, which has evolved from the Data Privacy Directive, which had initially been derived from the OECD guidelines.
The Challenge with Managed Services
Often, managed services are delivered from a different country. In terms of data protection legislation, most laws will state that data cannot be transferred to a region that does not have laws that provide at least equivalent protection to the local law. We can see this in play under GDPR, where “adequacy decisions” dictate which countries’ laws are sufficient to not require additional documentation and contracting when transferring data there. Examples of these adequate countries include New Zealand, Canada (private sector), Argentina and a number of others. With any luck, South Africa will apply for an adequacy rating now that POPIA is in place.
A challenge I see quite regularly is data being managed from India. India currently has very non-restrictive privacy regulation, relying on the IT Act. This will soon (hopefully) change when the PDPB comes into play – which in its draft form is one of the strictest privacy laws globally, particularly on the topic of consent. Until then, however, additional contracting needs to be in place to ensure that any company in India dealing with the data complies with at least the same organisational controls as the “exporting” company.
Most recently, I’ve run into issues with managed services coming out of Australia. Australia does have privacy laws; however, they are not seen as adequate in the eyes of GDPR, and there are differences that can be challenging as far as POPIA goes too. In one specific example, when contracting with an Australian company, there has been an ongoing contractual debate because the provider’s master services agreement refers only to the Australian Privacy Act, and not to the fact that GDPR/POPIA may require additional controls on the Australian company (particularly around security measures within an organisation, where GDPR is more prescriptive around policies and procedures as well as technical measures). Additional obligations and clauses are now being added to facilitate the managed services relationship between the companies, considering that they operate globally and in a multitude of jurisdictions.
So What Should You Do?
For one, you and your Information Officer / Data Protection Officer need to be aware of the privacy regulations and obligations in each jurisdiction. From there, it is often a case of putting additional contractual clauses in place to strengthen the weaker of the two regulations from a contractual point of view. From a European standpoint, exporting data to a country that has not been deemed adequate requires that Standard Contractual Clauses be entered into between the companies. This agreement cannot be adjusted and imposes a number of obligations on the arrangement. There are other methods too, such as Binding Corporate Rules, but those are a discussion for another article. There are numerous online resources for tracking the privacy laws of other countries, though it may be worthwhile bringing in a specialist consultant in the space too.
Ross G Saunders Consulting offers a number of solutions that can drive your compliance; from affordable 16 week group coaching programmes to comply on your own, through to advisory retainers and full programme management. To find out more about the offerings available, book time directly with Ross using the calendar below.