Around the world, more and more regulations are being enacted to protect personal data: starting with the GDPR, which came into effect in 2018, new laws are being enacted and enforced in Brazil, California, the USA, China, Japan, South Korea, Thailand, and Vietnam, as well as in other countries and regions. This underscores the importance of data in modern business. Personal data in particular is subject to stricter regulation because it directly affects the rights and interests of individuals.
Complying with data-related regulations is essential for modern business. This article will review what compliance measures are required when moving data across borders.
The privacy law that applies to personal data is the law of the country or region where the individual concerned was located when the data was collected. For example, personal data collected from an individual, A, while A is in France is subject to the GDPR (the European personal data protection law). If the same personal data is collected while A is in Singapore, then Singapore’s Personal Data Protection Act (PDPA) applies to it. The principle that the law of the country where the person was located at the time of collection continues to apply to the collected personal data even after the data leaves that country (or region) is called “extraterritorial application”.
The most common method of complying with these regulatory requirements is to conclude a “contract” between the entity exporting the personal data and the entity importing it. The GDPR uses what are known as standard contractual clauses (SCCs). Other types of SCCs are available in places such as ASEAN, China, and South America.
Another well-known example is the “adequacy decision” adopted by Europe. A similar concept to the “adequacy decision” has also been adopted by Japan in the form of a white list of countries. The Privacy Shield, which was created to legitimize data transfers between the U.S. and Europe, was covered by an adequacy decision in the past, but that decision was revoked. It is important to note that adequacy decisions can be revoked.
Another method used to legitimize cross-border data transfers is certification. One well-known example is the APEC CBPR/PRP, which is planned to be replaced by the Global CBPR system, a tool to enable the movement of data worldwide.
Above is a brief introduction to cross-border data transfer, the legal regulations that govern it, and the measures that need to be taken. How was it?
Please let us know if you have a theme or topic you would like us to cover on compliance, via email to legal@pingcap.com.