Do data havens exist?

D
Thomas Kahl – Pho­to: Clemens Mayer

In her Duet Inter­view with legal expert Thomas Kahl, Dr Cal­daro­la, author of Big Data and Law, dis­cuss­es pos­si­ble data man­age­ment sce­nar­ios in a glob­al con­text, focussing on their advan­tages and dis­ad­van­tages with regard to the legal sit­u­a­tion in question.

The GDPR came into force in May 2018 as the first har­mo­nized data pro­tec­tion law for Europe. Data pro­tec­tion laws out­side of Europe vary as we can see on the world­wide map of DLA Piper1. They range from coun­tries not hav­ing any data pro­tec­tion rules what­so­ev­er to coun­tries hav­ing bur­den­some, robust, mod­er­ate or lim­it­ed leg­is­la­tion. How do multi­na­tion­als man­age data com­ing from var­i­ous data sub­jects around the world, using cloud infra­struc­tures fol­low­ing the sun, con­tract­ing dif­fer­ent data proces­sors around the world etc.?

Thomas Kahl: The ever-increas­ing devel­op­ment of data pro­tec­tion leg­is­la­tion in var­i­ous coun­tries around the world pos­es a major chal­lenge for com­pa­nies oper­at­ing inter­na­tion­al­ly – not least because of the ever-increas­ing risk of sanc­tions in the event of data pro­tec­tion violations.

Today, pure­ly localised data pro­tec­tion man­age­ment approach­es do not work in large cor­po­rate groups any more than “catch all” approach­es – the data pro­tec­tion require­ments in var­i­ous inter­na­tion­al mar­kets – just look at the EU, USA and Rus­sia, for exam­ple – are too divergent.

Instead, a com­bi­na­tion of both is required: The trend is towards defin­ing what one might call a uni­form “base­line”, mean­ing a data pro­tec­tion stan­dard, region­al­ly or world­wide, for the entire group of com­pa­nies. This base­line is then sup­ple­ment­ed at a region­al or local lev­el by nec­es­sary adjust­ments com­men­su­rate with the indi­vid­ual markets.

The GDPR is increas­ing­ly serv­ing more and more com­pa­ny groups inside and out­side Europe as a “blue­print” for their com­pa­ny-wide data pro­tec­tion con­cepts. How­ev­er, in order to be able to adjust such glob­al con­cepts by incor­po­rat­ing the nec­es­sary region­al and local spec­i­fi­ca­tions, an effi­cient glob­al data pro­tec­tion gov­er­nance struc­ture with local hubs is required, which must not only be cog­nizant of the local legal con­di­tions, but also be pro­vid­ed with the “tools” for imple­ment­ing local require­ments – ide­al­ly with a glob­al­ly mon­i­tored data pro­tec­tion man­age­ment sys­tem that can be sup­ple­ment­ed with local “build­ing blocks” in the sense of a mod­u­lar prin­ci­ple which can be main­tained and expe­ri­enced locally.

As we learned in an ear­li­er inter­view with Vicky Fey­gi­na2, the legal require­ments of the GDPR for Big Data projects are man­i­fold and range from trans­paren­cy, infor­ma­tion, legal basis, life cycles, doc­u­men­ta­tion, infor­ma­tion secu­ri­ty etc. Such legal demands requires exten­sive and cost-inten­sive data man­age­ment on the part of the data con­troller. When do GDPR rules nor­mal­ly apply? And when does the applic­a­ble law usu­al­ly change?

At first glance, many com­pa­nies might think that not much has changed since the GDPR came into force in May 2018: If a com­pa­ny process­es per­son­al data with­in the EU, the pro­cess­ing is sub­ject to the strict require­ments of the GDPR. We call this “ter­ri­to­ri­al­i­ty prin­ci­ple”. But it’s the details that mat­ter: Many of the com­pa­nies based out­side the EU that come into con­tact with per­son­al data orig­i­nat­ing in the EU are, in fact, sub­ject to the same strict reg­u­la­tions. Why is that? The GDPR also applies when goods or ser­vices are offered to data sub­jects in the EU, that is, when data sub­jects with­in the EU are specif­i­cal­ly intend­ed for these pur­pos­es. Here­with, the GDPR adopts a prin­ci­ple known from com­pe­ti­tion law, the so-called “mar­ket place prin­ci­ple”, and thus con­sid­er­ably extends its scope of application.

In addi­tion, it also cov­ers com­pa­nies that observe the behav­iour of affect­ed per­sons in the EU, even if they do not (them­selves) sell goods or ser­vices. If one want­ed to assume that the obser­va­tion of the user of a mod­ern web­site or mobile app was an essen­tial com­po­nent of the data pro­cess­ing activ­i­ties in ques­tion, and if we also includ­ed cloud ser­vices and big data ana­lyt­ics – whether for the pur­pos­es of busi­ness ana­lyt­ics, mar­ket­ing or IT secu­ri­ty – then the claim to valid­i­ty of the GDPR becomes clear in an inter­na­tion­al context.

The applic­a­ble data pro­tec­tion law does not change with the next juris­dic­tion in anoth­er coun­try. Rather, it is attached to the data, so that the pro­cess­ing of a data set can be sub­ject to a vari­ety of local reg­u­la­tions in dif­fer­ent coun­tries, depend­ing on where it comes from and where and for what pur­pos­es it is processed – which some­times can­not be rea­son­ably reconciled.

Would it help a multi­na­tion­al to take its data out of the ter­ri­to­ry of the Euro­pean Com­mu­ni­ty to cir­cum­vent the GDPR?

That might either not, or at least only under very nar­row con­di­tions, be pos­si­ble. If a Euro­pean com­pa­ny relo­cates its data pro­cess­ing activ­i­ties to a non-Euro­pean coun­try and, for exam­ple, estab­lish­es its own com­pa­ny out­side the EU for this pur­pose, which is to take over the busi­ness with Euro­pean data, but con­tin­ues to influ­ence it by means or busi­ness oper­a­tions locat­ed with­in the EU, Euro­pean data pro­tec­tion law might remain applic­a­ble for this rea­son alone – noth­ing would be gained. Sim­ply shift­ing the data pro­cess­ing activ­i­ties to a non-Euro­pean ser­vice provider does not help either.

Even if the strict require­ments of the GDPR does, under cer­tain cir­cum­stances, not apply to such a provider indi­vid­u­al­ly, the com­pa­ny respon­si­ble will have to ensure ade­quate data pro­tec­tion stan­dards abroad as well through oth­er mech­a­nisms, such as appro­pri­ate con­trac­tu­al safeguards.

One way or anoth­er, the GDPR makes a de fac­to glob­al claim of valid­i­ty – per­haps even unin­ten­tion­al­ly – if com­pa­nies or data sub­jects from the EU are involved in data pro­cess­ing or are affect­ed by it.

Are there pos­si­ble cas­es and fac­tu­al cir­cum­stances allow­ing a Euro­pean con­troller to cir­cum­vent the GDPR rules?

The­o­ret­i­cal­ly, yes – but, prac­ti­cal­ly speak­ing, they are dif­fi­cult to realize.

By relo­cat­ing the busi­ness activ­i­ty rel­e­vant to the respec­tive data pro­cess­ing to a coun­try out­side the EU, a com­pa­ny may still be able to par­tial­ly evade the scope of appli­ca­tion of the GDPR, and it would then be “out” for the time being, accord­ing to the “ter­ri­to­ri­al­i­ty prin­ci­ple”. How­ev­er, if it then turns its atten­tion back to Europe and its poten­tial cus­tomers there, the require­ments of the GDPR will again apply in many cas­es, as dis­cussed before.

If one want­ed to avoid the strict require­ments of employ­ee data pro­tec­tion by such a relo­ca­tion, this might work in indi­vid­ual cas­es but will most­ly not be a prac­ti­cal option for busi­ness­es. Con­verse­ly, in the area of data pro­tec­tion for cus­tomer data from the EU, the pos­si­bil­i­ties here are very limited.

Can you envis­age cas­es and fac­tu­al cir­cum­stances where a non-Euro­pean con­troller process­es data of Euro­pean and non-Euro­pean data subjects?

Yes – absolutely.

Let’s take a web­site oper­a­tor based in a coun­try out­side the EU. His or her offer is aimed at his or her local mar­ket. It must there­fore com­ply with all the local legal require­ments. If his or her web­site is not active­ly tai­lored to the Euro­pean mar­ket and does not observe the behav­iour of Euro­pean users, s/he could per­haps get around the GDPR require­ments in indi­vid­ual cases.

But what if s/he offers an Eng­lish lan­guage ver­sion? Has s/he then per­haps already tai­lored what s/he offers to the Euro­pean mar­ket? And what about using mod­ern web tracking/analysis tech­nol­o­gy? Does s/he per­haps observe his or her users with it? This exam­ple shows: Depend­ing on the inter­pre­ta­tion of the reg­u­la­tions of the GDPR – and here many things are still unclear – it sets a clear case for being applic­a­ble prac­ti­cal­ly at a glob­al lev­el, which many com­pa­nies are often not aware of.

Is it in any way pos­si­ble to cir­cum­vent the GDPR and prof­it from an eas­i­er and less labour-inten­sive pro­cess­ing of data?

There are some start­ing points, but few real­ly bring the relief that many hope for.

One pos­si­bil­i­ty would be to mod­i­fy the data to be processed in such a way that the strict require­ments of the GDPR no longer apply to them.

The most impor­tant of these is anonymiza­tion, i.e. the mod­i­fi­ca­tion of the data in such a way that they can no longer be attrib­uted to a nat­ur­al per­son or only with dis­pro­por­tion­ate effort. How­ev­er, this option is often only avail­able in excep­tion­al cas­es. First­ly, because the require­ments for effec­tive anonymiza­tion are very high, and, sec­ond­ly, because such anonymiza­tion would most­ly be con­trary to the actu­al pur­pose of the processing.

The oth­er approach would be the tar­get­ed relo­ca­tion of the busi­ness to a coun­try out­side the EU – but with the dis­ad­van­tages already dis­cussed and the high risk of not being able to (com­plete­ly) escape the strict require­ments of the GDPR there either.

The GDPR seems to be an “export best­seller”, and a lot of coun­tries are study­ing the GDPR. How­ev­er, we have learned that the analy­sis of Big Data accord­ing to GDPR has its lim­i­ta­tions. Are there coun­tries issu­ing laws that allow a wider range of Big Data analy­sis and a sub­se­quent use of the infor­ma­tion gained? If so, which coun­tries might they be and will they mar­ket them­selves as future data havens?

The legal frame­work for Big Data Ana­lyt­ics is like­ly to be more lib­er­al in some coun­tries around the world than in the EU, includ­ing the USA, although the pres­sure on com­pa­nies there is also grow­ing steadily.

The Cal­i­for­nia Con­sumer Pri­va­cy Act, or CCPA for short, which came into force on Jan­u­ary 1, 2020, reg­u­lates, among oth­er things, what a com­pa­ny may and may not do with cus­tomer data. The CCPA expos­es many rel­e­vant pro­cess­ing activ­i­ties under a so-called opt-out, i.e. the user must explic­it­ly object to cer­tain pro­cess­ing activ­i­ties in order to pre­vent them. Depend­ing on how it is designed, this has cer­tain advan­tages for Big Data Ana­lyt­ics – as long as the user remains in agree­ment. In the USA, Big Data Ana­lyt­ics may also be eas­i­er to per­form because the require­ments for remov­ing the per­son­al ref­er­ence are some­times less rig­or­ous in the USA – and this lax­er con­di­tion, there­fore, tends to allow more data to be used for such pur­pos­es with­out cor­re­spond­ing pri­va­cy restrictions.

How­ev­er, giv­en these advan­tages, I would still strug­gle to deem the US a “data haven” – the cur­rent and emerg­ing new legal require­ments already seem too robust for com­pa­nies to hide behind them in the future.

It will be inter­est­ing to see how the UK devel­ops – either with an EU-com­pli­ant data pro­tec­tion stan­dard as a “safe third coun­try” or a “data haven”, with a low­er data pro­tec­tion stan­dard than the EU, which might try to attract com­pa­nies to it.

In sum­ma­ry, even though many coun­tries around the world now have more lib­er­al frame­work con­di­tions for data pro­tec­tion for com­pa­nies, the trend is toward increas­ing­ly robust data pro­tec­tion regimes. The USA is a good exam­ple, but so is Brazil, with a data pro­tec­tion frame­work that is strong­ly based on the GDPR and gov­ern­ing data pro­tec­tion for almost 210m peo­ple. And even Chi­na is cur­rent­ly intro­duc­ing its first data pro­tec­tion law.

As a result, “data havens”, if there is or was any such thing in the past or present, are like­ly to be a lega­cy mod­el – either due to the prac­ti­cal­ly glob­al valid­i­ty of the GDPR or the steady devel­op­ment towards ever more robust data pro­tec­tion regimes.

My opin­ion is:

 

“Data havens”, if there is or was any such thing in the past or present, are like­ly to be a lega­cy model.

Thomas Kahl

Let us assume that a data con­troller process­es data com­pli­ant with a nation­al law which would at the same time not be com­pli­ant with the GDPR. Is the “re-import” of the processed data to the Euro­pean Union legal?

The GDPR itself con­tains no restric­tions on the con­di­tions under which per­son­al data from non-Euro­pean coun­tries may be “import­ed” into the EU, if you will. The fact that the data was pre­vi­ous­ly col­lect­ed and processed under oth­er legal sys­tems does not per se argue against the per­mis­si­bil­i­ty of pro­cess­ing the data here.

One thing is clear, how­ev­er: If per­son­al data is import­ed into the EU, pro­cess­ing with­in the EU is sub­ject to the pro­vi­sions of the GDPR. This leads to (often) bizarre results: For exam­ple, the con­troller may have to inform per­sons in coun­tries around the world about intra-Euro­pean pro­cess­ing in accor­dance with the pro­vi­sions of the GDPR, even though such pro­ce­dures are total­ly unfa­mil­iar in the coun­try of origin.

And what is to be done if the data, once import­ed into the EU, must be re-export­ed to the coun­try of ori­gin? Do the same require­ments apply then as for the export of per­son­al data orig­i­nat­ing from Europe? The instru­ments of the GDPR – at least at the cur­rent stage – cov­er these cas­es to a lim­it­ed extent only and often require cre­ative solutions.

When a data con­troller wants to trans­fer his or her data to a proces­sor out­side of the Euro­pean Com­mu­ni­ty, s/he needs com­pa­ra­ble and ade­quate lev­els of data pro­tec­tion which s/he nor­mal­ly would achieve by agree­ing to the Euro­pean Stan­dard Claus­es or, in case of the US, by agree­ing to the Pri­va­cy Shield. This wasn’t a prob­lem until the recent law­suit Schrems II before the Euro­pean Court of Jus­tice (ECJ). What does the recent deci­sion imply for data controllers?

It makes inter­na­tion­al data trans­fer – a back­bone of the inter­na­tion­al econ­o­my – con­sid­er­ably more dif­fi­cult: On the one hand, such a trans­fer is now com­pli­cat­ed by the strict require­ments imposed by the ECJ in its Schrems II rul­ing, includ­ing the can­cel­la­tion of the US pri­va­cy shield, which applies imme­di­ate­ly with­out grant­i­ng a tran­si­tion­al peri­od. On the oth­er hand, how­ev­er, there is also the uncer­tain­ty that has pre­vailed for months now for affect­ed com­pa­nies in deal­ing with the “new” require­ments. The court makes every data trans­fer to a coun­try out­side the EU sub­ject to the pro­vi­so that the lev­el of data pro­tec­tion in the tar­get coun­try always be ade­quate – regard­less of the mech­a­nisms used to legit­imize the transfer.

The big ques­tion now is: Is the trans­fer of data, even with the instru­ments pro­vid­ed by the GDPR, includ­ing the EU stan­dard con­trac­tu­al claus­es, to a coun­try in which no lev­el of data pro­tec­tion com­pa­ra­ble to that in the EU exists, per se impos­si­ble, or are dif­fer­ent solu­tions con­ceiv­able in indi­vid­ual cas­es, and if so, to what extent? What role does the nature of the data to be trans­ferred play? Are there any data trans­fers that are less risky than oth­ers due to the pur­pos­es pur­sued and there­fore eas­i­er to be made per­mis­si­ble for transferring?

The ECJ seems to allow for dif­fer­ent lines of rea­son­ing here, but which of them will take hold will be shown by the author­i­ties in the com­ing months.

After the ECJ Schrems II rul­ing, many com­pa­nies con­tin­ue to process per­son­al data orig­i­nat­ing from the EU in the US and oth­er coun­tries out­side the EEA. Some com­pa­nies often do not have an alter­na­tive, e.g. when they only have a pres­ence in the US and nowhere else. How is this com­pat­i­ble with the rul­ing of the Schrems II deci­sion? Is the US a data haven or is it regard­ed as such?

The pro­cess­ing of per­son­al data in the US, or oth­er coun­tries out­side the EU or the EEA, may of course still be per­mit­ted under the ECJ Schrems II rul­ing. The mere fact that pro­cess­ing takes place out­side the EEA does not nec­es­sar­i­ly mean that it is not per­mis­si­ble. On the one hand, it is to be not­ed that the ECJ in its Schrems II rul­ing had to eval­u­ate only cer­tain cas­es, specif­i­cal­ly, the cas­es in which enter­pris­es trans­mit per­son­al data to places out­side of the EEA. For exam­ple, the rul­ing did not deal with cas­es in which com­pa­nies based out­side the EU pro­vide ser­vices direct­ly to cus­tomers in the EU. Sec­ond­ly, the con­se­quences of the ECJ rul­ing remain high­ly controversial.

How­ev­er, the pro­cess­ing of per­son­al data from the EU in the US cer­tain­ly does not “make every­thing eas­i­er”. If per­haps not direct­ly the prin­ci­ples of the Schrems II rul­ing, at least the oth­er gen­er­al pro­vi­sions of the GDPR will apply to many of these cas­es. Thus, a “flight across the pond” usu­al­ly does not lead to evad­ing Euro­pean data pro­tec­tion oblig­a­tions. In addi­tion, the lev­el of data pro­tec­tion in the US is con­stant­ly rising.

To answer your ques­tion: Under these cir­cum­stances, the US should no longer be viewed as a “data haven”.

Mr Kahl, thank you for shar­ing your insights on pos­si­ble data man­age­ment in the glob­al con­text with their advan­tages and dis­ad­van­tages with regard to applic­a­ble law

Thank you, Dr Cal­daro­la, and I look for­ward to read­ing your upcom­ing inter­views with rec­og­nized experts, delv­ing even deep­er into this fas­ci­nat­ing topic.


1 https://​www​.dlapiper​dat​apro​tec​tion​.com/

2 Duet Inter­view with Vicky Feygina


About me and my guest

Dr Maria Cristina Caldarola

Dr Maria Cristina Caldarola, LL.M., MBA is the host of “Duet Interviews”, co-founder and CEO of CU³IC UG, a consultancy specialising in systematic approaches to innovation, such as algorithmic IP data analysis and cross-industry search for innovation solutions.

Cristina is a well-regarded legal expert in licensing, patents, trademarks, domains, software, data protection, cloud, big data, digital eco-systems and industry 4.0.

A TRIUM MBA, Cristina is also a frequent keynote speaker, a lecturer at St. Gallen, and the co-author of the recently published Big Data and Law now available in English, German and Mandarin editions.

Thomas Kahl

Thomas Kahl is a specialist lawyer in the field of information technology law and a partner with the international law firm Taylor Wessing, located at the firm’s Frankfurt office. He advises national and international companies on all legal questions relating to information technologies. With his expertise, Kahl supports clients to manage digitisation projects and the use of innovative technologies. He is an expert for the implementation of the provisions of the GDPR in a national as well as international context.

Dr Maria Cristina Caldarola

Dr Maria Cristina Caldarola, LL.M., MBA is the host of “Duet Interviews”, co-founder and CEO of CU³IC UG, a consultancy specialising in systematic approaches to innovation, such as algorithmic IP data analysis and cross-industry search for innovation solutions.

Cristina is a well-regarded legal expert in licensing, patents, trademarks, domains, software, data protection, cloud, big data, digital eco-systems and industry 4.0.

A TRIUM MBA, Cristina is also a frequent keynote speaker, a lecturer at St. Gallen, and the co-author of the recently published Big Data and Law now available in English, German and Mandarin editions.

FOL­LOW ME