For businesses that want to expand to a new market, though, complying with global data privacy laws is more akin to finding dozens of forks in the road, each one marked with an indecipherable signpost.
Should a company expand to China? That depends on whether the company wants to have its source code potentially analyzed by the Chinese government. Okay, what about South Korea? Well, is the company ready to pay three percent of its revenue for a wrongful data transfer, or to have one of its executives spend time behind bars?
Europe is an obvious market to capture, right? That’s true, but, depending on which country, the local data protection authorities could issue enormous fines for violating the General Data Protection Regulation.
What if a company just follows in the footsteps of the more established firms, like Google, Amazon, or Microsoft, which all opened data centers in Singapore in the past two years? Once again, the answer depends on the company. If it’s providing a service that Singapore considers “essential,” it will have to heed a new cybersecurity law there.
At this point, a company might think about entering a country with no data privacy laws. No laws, no getting in trouble, right? Wrong. Data privacy laws can sprout up seemingly overnight, and future compliance costs could severely cut into a company’s budget.
While this may appear overcomplicated, one guiding principle helps: If a company cannot afford to comply with a country’s data privacy laws, it probably should not expand to that country. The risk, which could be millions in penalties, might not outweigh the reward.
Today, for the third piece in our data privacy and cybersecurity blog series, which also took a look at current US data privacy laws and federal legislation on the floor, we explore the decision-making process of a mid-market-sized company that wants to expand its business outside the United States.
With the help of Reed Smith LLP counsel Xiaoyan Zhang, we looked at several notable data privacy laws in Europe, Asia, Latin America, the Middle East, and Africa.
Issue-spotting within a culturally-crafted landscape
Before a company expands into a new country, it should try to truly comprehend the data privacy laws located within, Zhang said. She said this involves more than just reading the law; it requires training one’s thinking into an entirely different culture.
Unlike crimes including manslaughter and robbery—which have near-universal definitions—Zhang said data privacy violations fluctuate from region to region, with interpretations rooted in a country’s history, economy, public awareness, and opinions on privacy.
“Data privacy is not like murder, which is much more straightforward,” Zhang said. “Privacy law is very intimately tied into culture.”
So, while overseas concepts might appear familiar— like protecting “personally identifiable information” in the US and protecting “personal information” in the European Union—the culture behind those concepts varies.
For example, in the European Union, a history of fierce antitrust regulation and government enforcement helped usher GDPR’s passage. In fact, Austrian online privacy advocate Max Schrems—whose legal complaints against Facebook heavily influenced the final text of GDPR—remarked years ago that he was surprised at the lack of tall garden hedges around Americans’ homes. The country’s understanding of privacy, Schrems realized, was different than that of Austria, and so, too, are its data privacy laws.
Similarly, Zhang said she has fielded many questions from EU lawyers who assume that data privacy regulations around the world are similar to those in GDPR.
“EU lawyers are used to thinking that, for every data collection, there must be a legitimate purpose, and they insist on asking the same questions,” Zhang said. “When I’m talking about legal advice in China, they’ll say ‘Oh, our medical device needs to collect data from users, does China have any law or statutes that give us a legitimate business purpose to collect that data?’”
Zhang continued: “No. In China, you don’t need that. It’s totally different.”
The differences can be managed with the right help, though.
The safest path for market expansion is to rely on a global data privacy lawyer to “issue-spot” any obvious global compliance issues, Zhang said. These experts will look at what type of data a company handles—including medical, financial, geolocation, biometric, and others—what type of service the company performs, and whether the company will need to perform frequent cross-border data transfers. Depending on all these factors, each company’s individual roadmap for data privacy compliance will be unique.
However, Zhang led us on a bit of a world tour, detailing some of the notable data privacy laws in Europe, Asia, Africa, the Middle East, and Latin America. Company expansion into these markets, Zhang emphasized, depends on whether a company is ready for compliance.
Many countries, many laws
Starting with Europe there is, of course, GDPR. Complying with the sweeping set of provisions is tricky because GDPR gives each EU member-state the authority to enforce the new data protection law on its own turf.
This enforcement is done through Data Protection Authorities (DPAs), which oversee, investigate, and issue fines for GDPR violation. Each member-state has its own DPA, and, in the months before GDPR’s implementation, the DPAs gave mixed signals about what local enforcement would look like.
France’s DPA, the National Data Protection Commission (CNIL), said that companies that are at least trying to comply with GDPR “can expect to be treated leniently initially, provided that they have acted in good faith.”
Less than one year later, though, that leniency met its limit. CNIL hit Google with the largest GDPR-violation fine on record, at roughly $57 million.
The best defense to these penalties, Zhang said, is to consult with local legal experts who know the region’s enforcement history and details.
“You cannot just seek consultation from a GDPR expert. If you want to go specifically to Germany, you need German lawyers who can offer insight on things that are specific to Germany,” Zhang said. “That’s for all of Europe.”
Outside of Europe—but still inspired by GDPR—is Latin America. Zhang said several Latin American countries have enacted, or are considering, legislation that protects the data privacy rights of individuals.
In 2018, Brazil passed its comprehensive data protection law, which protects people’s personal information and includes tighter protections for sensitive information that discloses race, ethnicity, religion, political affiliation, and biometrics. Argentina also forwarded privacy protections for its citizens, and it earned a special clearance in GDPR as a “whitelisted” party, meaning that personal data can be moved to Argentina from the EU without extra safeguards.
Moving to China, a whole new risk factor comes into play—surveillance.
China’s cybersecurity law grants the Chinese government broad, invasive powers to spy on Internet-related businesses that operate within the country. Implemented in 2017, the law allows China’s foreign intelligence agency to perform “national security reviews” on technology that foreign companies want to sell or offer in China.
This authority raised alarm bells for the researchers at Recorded Future, who attributed past cyberattacks directly to the Chinese government. Researchers said the law could give the Chinese government the power to both find and exploit zero-day vulnerabilities in foreign companies’ products, all for the price of admission into the Chinese market.
“China’s law has a hidden angle for government control and monitoring,” Zhang said. “It has a different rationale.”
Outside of China, Singapore has garnered the attention of Google, Microsoft, and Amazon, which all built data centers in the country in the past few years. The country passed its Personal Data Protection Act in 2012 and its Cybersecurity Act in 2018, the latter of which sets up a framework for monitoring cybersecurity threats in the country.
The law has a narrow scope, as it only applies to companies and organizations that control what the Singaporean government calls “critical information infrastructure,” or CII. This includes computer systems that manage banking, government, healthcare, and aviation services, among others. The law also includes data breach notification requirements.
Moving to South Korea, the risk for organizations goes up dramatically, Zhang said. The country’s Personal Information Protection Act preserves the privacy rights of its citizens, and its penalties include criminal and regulatory fines, and even jail time. Cross-border data transfers, in particular, are strictly guarded. One wrongful transfer can result in a fine of up to three percent of a company’s revenue.
Traveling once again, expansion into Africa requires an understanding of the continent’s burgeoning, or sometimes non-existent, data privacy laws. Zhang said that, of Africa’s more than 50 countries, only about 15 have data protection laws, and even fewer have the regulators necessary to enforce those laws.
“Among [the countries], nine have no regulators to enforce the law, and five have a symbolic law but it’s not enforced,” Zhang said.
So, that invites the question: What exactly does happen if a company expands into a country that doesn’t have any data privacy laws?
What happens is potentially more risk.
First, a country could actually develop and pass a data privacy law within years of a company’s expansion into its borders. It’s not unheard of—less than one year after Amazon announced its rollout into Bahrain, the country introduced its first comprehensive data privacy law. Second, compliance with the new data privacy law could be expensive, Zhang said, forcing a company into a tough situation where it might have to withdraw entirely from the new market.
“One common misconception is that if a country doesn’t have a law at all, it’s a good country to go to,” Zhang said. “You should think twice about whether that’s the case.
Expand or not? It’s up to each company
There is no single roadmap for companies entering new markets outside the United States. Instead, there are multiple paths a company can take depending on its product, services, the data it collects, data it will need to move between borders, and its tolerance for risk.
The safest path, Zhang said, is to ask questions upfront. It is far better to make an informed decision about how to enter a market—even if compliance is costly—than to be surprised with fines or penalties later on.