Are GDPR rules applicable all over the world in every conceivable case? Or do data havens exist that data controllers are able to use to circumvent the manifold and sometimes inconvenient legal GDPR requirements and make their respective Big Data projects more cost-effective, easier to manage and less risky in cases of incompliance sanctioning? If so, where are those data havens located and how could controllers use them effectively?
In her Duet Interview with legal expert Thomas Kahl, Dr Caldarola, author of Big Data and Law, discusses possible data management scenarios in a global context, focussing on their advantages and disadvantages with regard to the legal situation in question.
The GDPR came into force in May 2018 as the first harmonized data protection law for Europe. Data protection laws outside of Europe vary as we can see on the worldwide map of DLA Piper1. They range from countries not having any data protection rules whatsoever to countries having burdensome, robust, moderate or limited legislation. How do multinationals manage data coming from various data subjects around the world, using cloud infrastructures following the sun, contracting different data processors around the world etc.?
Thomas Kahl: The ever-increasing development of data protection legislation in various countries around the world poses a major challenge for companies operating internationally – not least because of the ever-increasing risk of sanctions in the event of data protection violations.
Today, purely localised data protection management approaches do not work in large corporate groups any more than “catch all” approaches – the data protection requirements in various international markets – just look at the EU, USA and Russia, for example – are too divergent.
Instead, a combination of both is required: The trend is towards defining what one might call a uniform “baseline”, meaning a data protection standard, regionally or worldwide, for the entire group of companies. This baseline is then supplemented at a regional or local level by necessary adjustments commensurate with the individual markets.
The GDPR is increasingly serving more and more company groups inside and outside Europe as a “blueprint” for their company-wide data protection concepts. However, in order to be able to adjust such global concepts by incorporating the necessary regional and local specifications, an efficient global data protection governance structure with local hubs is required, which must not only be cognizant of the local legal conditions, but also be provided with the “tools” for implementing local requirements – ideally with a globally monitored data protection management system that can be supplemented with local “building blocks” in the sense of a modular principle which can be maintained and experienced locally.
As we learned in an earlier interview with Vicky Feygina2, the legal requirements of the GDPR for Big Data projects are manifold and range from transparency, information, legal basis, life cycles, documentation, information security etc. Such legal demands requires extensive and cost-intensive data management on the part of the data controller. When do GDPR rules normally apply? And when does the applicable law usually change?
At first glance, many companies might think that not much has changed since the GDPR came into force in May 2018: If a company processes personal data within the EU, the processing is subject to the strict requirements of the GDPR. We call this “territoriality principle”. But it’s the details that matter: Many of the companies based outside the EU that come into contact with personal data originating in the EU are, in fact, subject to the same strict regulations. Why is that? The GDPR also applies when goods or services are offered to data subjects in the EU, that is, when data subjects within the EU are specifically intended for these purposes. Herewith, the GDPR adopts a principle known from competition law, the so-called “market place principle”, and thus considerably extends its scope of application.
In addition, it also covers companies that observe the behaviour of affected persons in the EU, even if they do not (themselves) sell goods or services. If one wanted to assume that the observation of the user of a modern website or mobile app was an essential component of the data processing activities in question, and if we also included cloud services and big data analytics – whether for the purposes of business analytics, marketing or IT security – then the claim to validity of the GDPR becomes clear in an international context.
The applicable data protection law does not change with the next jurisdiction in another country. Rather, it is attached to the data, so that the processing of a data set can be subject to a variety of local regulations in different countries, depending on where it comes from and where and for what purposes it is processed – which sometimes cannot be reasonably reconciled.
Would it help a multinational to take its data out of the territory of the European Community to circumvent the GDPR?
That might either not, or at least only under very narrow conditions, be possible. If a European company relocates its data processing activities to a non-European country and, for example, establishes its own company outside the EU for this purpose, which is to take over the business with European data, but continues to influence it by means or business operations located within the EU, European data protection law might remain applicable for this reason alone – nothing would be gained. Simply shifting the data processing activities to a non-European service provider does not help either.
Even if the strict requirements of the GDPR does, under certain circumstances, not apply to such a provider individually, the company responsible will have to ensure adequate data protection standards abroad as well through other mechanisms, such as appropriate contractual safeguards.
One way or another, the GDPR makes a de facto global claim of validity – perhaps even unintentionally – if companies or data subjects from the EU are involved in data processing or are affected by it.
Are there possible cases and factual circumstances allowing a European controller to circumvent the GDPR rules?
Theoretically, yes – but, practically speaking, they are difficult to realize.
By relocating the business activity relevant to the respective data processing to a country outside the EU, a company may still be able to partially evade the scope of application of the GDPR, and it would then be “out” for the time being, according to the “territoriality principle”. However, if it then turns its attention back to Europe and its potential customers there, the requirements of the GDPR will again apply in many cases, as discussed before.
If one wanted to avoid the strict requirements of employee data protection by such a relocation, this might work in individual cases but will mostly not be a practical option for businesses. Conversely, in the area of data protection for customer data from the EU, the possibilities here are very limited.
Can you envisage cases and factual circumstances where a non-European controller processes data of European and non-European data subjects?
Yes – absolutely.
Let’s take a website operator based in a country outside the EU. His or her offer is aimed at his or her local market. It must therefore comply with all the local legal requirements. If his or her website is not actively tailored to the European market and does not observe the behaviour of European users, s/he could perhaps get around the GDPR requirements in individual cases.
But what if s/he offers an English language version? Has s/he then perhaps already tailored what s/he offers to the European market? And what about using modern web tracking/analysis technology? Does s/he perhaps observe his or her users with it? This example shows: Depending on the interpretation of the regulations of the GDPR – and here many things are still unclear – it sets a clear case for being applicable practically at a global level, which many companies are often not aware of.
Is it in any way possible to circumvent the GDPR and profit from an easier and less labour-intensive processing of data?
There are some starting points, but few really bring the relief that many hope for.
One possibility would be to modify the data to be processed in such a way that the strict requirements of the GDPR no longer apply to them.
The most important of these is anonymization, i.e. the modification of the data in such a way that they can no longer be attributed to a natural person or only with disproportionate effort. However, this option is often only available in exceptional cases. Firstly, because the requirements for effective anonymization are very high, and, secondly, because such anonymization would mostly be contrary to the actual purpose of the processing.
The other approach would be the targeted relocation of the business to a country outside the EU – but with the disadvantages already discussed and the high risk of not being able to (completely) escape the strict requirements of the GDPR there either.
The GDPR seems to be an “export bestseller”, and a lot of countries are studying the GDPR. However, we have learned that the analysis of Big Data according to GDPR has its limitations. Are there countries issuing laws that allow a wider range of Big Data analysis and a subsequent use of the information gained? If so, which countries might they be and will they market themselves as future data havens?
The legal framework for Big Data Analytics is likely to be more liberal in some countries around the world than in the EU, including the USA, although the pressure on companies there is also growing steadily.
The California Consumer Privacy Act, or CCPA for short, which came into force on January 1, 2020, regulates, among other things, what a company may and may not do with customer data. The CCPA exposes many relevant processing activities under a so-called opt-out, i.e. the user must explicitly object to certain processing activities in order to prevent them. Depending on how it is designed, this has certain advantages for Big Data Analytics – as long as the user remains in agreement. In the USA, Big Data Analytics may also be easier to perform because the requirements for removing the personal reference are sometimes less rigorous in the USA – and this laxer condition, therefore, tends to allow more data to be used for such purposes without corresponding privacy restrictions.
However, given these advantages, I would still struggle to deem the US a “data haven” – the current and emerging new legal requirements already seem too robust for companies to hide behind them in the future.
It will be interesting to see how the UK develops – either with an EU-compliant data protection standard as a “safe third country” or a “data haven”, with a lower data protection standard than the EU, which might try to attract companies to it.
In summary, even though many countries around the world now have more liberal framework conditions for data protection for companies, the trend is toward increasingly robust data protection regimes. The USA is a good example, but so is Brazil, with a data protection framework that is strongly based on the GDPR and governing data protection for almost 210m people. And even China is currently introducing its first data protection law.
As a result, “data havens”, if there is or was any such thing in the past or present, are likely to be a legacy model – either due to the practically global validity of the GDPR or the steady development towards ever more robust data protection regimes.
My opinion is:
“Data havens”, if there is or was any such thing in the past or present, are likely to be a legacy model.Thomas Kahl
Let us assume that a data controller processes data compliant with a national law which would at the same time not be compliant with the GDPR. Is the “re-import” of the processed data to the European Union legal?
The GDPR itself contains no restrictions on the conditions under which personal data from non-European countries may be “imported” into the EU, if you will. The fact that the data was previously collected and processed under other legal systems does not per se argue against the permissibility of processing the data here.
One thing is clear, however: If personal data is imported into the EU, processing within the EU is subject to the provisions of the GDPR. This leads to (often) bizarre results: For example, the controller may have to inform persons in countries around the world about intra-European processing in accordance with the provisions of the GDPR, even though such procedures are totally unfamiliar in the country of origin.
And what is to be done if the data, once imported into the EU, must be re-exported to the country of origin? Do the same requirements apply then as for the export of personal data originating from Europe? The instruments of the GDPR – at least at the current stage – cover these cases to a limited extent only and often require creative solutions.
When a data controller wants to transfer his or her data to a processor outside of the European Community, s/he needs comparable and adequate levels of data protection which s/he normally would achieve by agreeing to the European Standard Clauses or, in case of the US, by agreeing to the Privacy Shield. This wasn’t a problem until the recent lawsuit Schrems II before the European Court of Justice (ECJ). What does the recent decision imply for data controllers?
It makes international data transfer – a backbone of the international economy – considerably more difficult: On the one hand, such a transfer is now complicated by the strict requirements imposed by the ECJ in its Schrems II ruling, including the cancellation of the US privacy shield, which applies immediately without granting a transitional period. On the other hand, however, there is also the uncertainty that has prevailed for months now for affected companies in dealing with the “new” requirements. The court makes every data transfer to a country outside the EU subject to the proviso that the level of data protection in the target country always be adequate – regardless of the mechanisms used to legitimize the transfer.
The big question now is: Is the transfer of data, even with the instruments provided by the GDPR, including the EU standard contractual clauses, to a country in which no level of data protection comparable to that in the EU exists, per se impossible, or are different solutions conceivable in individual cases, and if so, to what extent? What role does the nature of the data to be transferred play? Are there any data transfers that are less risky than others due to the purposes pursued and therefore easier to be made permissible for transferring?
The ECJ seems to allow for different lines of reasoning here, but which of them will take hold will be shown by the authorities in the coming months.
After the ECJ Schrems II ruling, many companies continue to process personal data originating from the EU in the US and other countries outside the EEA. Some companies often do not have an alternative, e.g. when they only have a presence in the US and nowhere else. How is this compatible with the ruling of the Schrems II decision? Is the US a data haven or is it regarded as such?
The processing of personal data in the US, or other countries outside the EU or the EEA, may of course still be permitted under the ECJ Schrems II ruling. The mere fact that processing takes place outside the EEA does not necessarily mean that it is not permissible. On the one hand, it is to be noted that the ECJ in its Schrems II ruling had to evaluate only certain cases, specifically, the cases in which enterprises transmit personal data to places outside of the EEA. For example, the ruling did not deal with cases in which companies based outside the EU provide services directly to customers in the EU. Secondly, the consequences of the ECJ ruling remain highly controversial.
However, the processing of personal data from the EU in the US certainly does not “make everything easier”. If perhaps not directly the principles of the Schrems II ruling, at least the other general provisions of the GDPR will apply to many of these cases. Thus, a “flight across the pond” usually does not lead to evading European data protection obligations. In addition, the level of data protection in the US is constantly rising.
To answer your question: Under these circumstances, the US should no longer be viewed as a “data haven”.
Mr Kahl, thank you for sharing your insights on possible data management in the global context with their advantages and disadvantages with regard to applicable law
Thank you, Dr Caldarola, and I look forward to reading your upcoming interviews with recognized experts, delving even deeper into this fascinating topic.