Cross-Border Data Transfer Laws & Corporate Compliance

By Miss Bushra Sial
Introduction
Cross-border data flow is central to the global digital economy and a key catalyst for international trade. In recent times, a crucial issue involving data protection and privacy law pertains to cross-border data transfers and corporate compliance. Defining ‘cross-border’ data protection is essential. Regardless of cross-border data transfer, individual privacy rights must be protected. Wherever data is processed or stored, it must be protected regardless of boundaries.
This issue is critical as misconceptions persist regarding its meaning. Is there an issue of cross-border data transfer or is it just a misconception? Does it refer to the data transferred between electronic devices, or to the agreements and communications within a company related to corporate compliance? The absence of a clear definition could open the floodgates to potential privacy breaches. Therefore, the interpretation of the laws provided can infringe on the fundamental rights of an individual. The significant Articles are: Article 14 (1) inviolability of the dignity of man and Article 19 (A) right to information of the Constitution of the Islamic Republic of Pakistan, 1973, which ensure that an individual’s privacy is neither compromised nor invaded.
Challenges in Cross-Border Data Sharing
Many companies face challenges with cross-border data sharing, particularly in finance and medicine. Specifically, the storage and transfer of patient data across borders are major challenges. Hence, clarity on the definition of cross-border data protection is necessary, as it is one of the key issues. Conflicts of law arise when cross-border data protection is in question, particularly regarding the jurisdiction clause included in contracts to ensure compliance with a company’s terms and conditions. Various factors influence how cross-border data protection is managed, depending on the companies and jurisdictions involved.
In Pakistan, we should highlight this issue and have a definition of what is meant by ‘cross-border data compliance’—referring to ensuring that the transfer, processing, and storage of data across national borders adhere to the legal and regulatory requirements of all the countries involved. We do have the Prevention of Electronic Crimes Act (PECA), 2016, and the Personal Data Protection Bill of 2023. However, these laws should align with global regulations for cross-border data compliance. Ensuring the protection of data exchanged between parties in a contract is crucial. It is important to implement safeguards that not only uphold these standards but also align with corporate compliance requirements.
The Personal Data Protection Bill, 2023
The Personal Data Protection Bill, 2023, is one of the essential pieces of legislation that emphasizes the importance of safeguarding individuals’ data protection rights. The bill broadly defines personal data, covering all essential elements to ensure transparency. It identifies the rights of data subjects and the duties of data controllers. The bill identifies three important data types: personal, sensitive, and critical.
Two important sections address the data protection of companies across borders. Section 31 of the Personal Data Protection Bill 2023 covers the conditions for the cross-border protection of data, emphasizing that the explicit consent of the data subject must be obtained to transfer the data, as this is the right of the data subject under privacy laws. In addition, the country to which the data is transferred shall also provide adequate protection considering the privacy and security laws. Section 32 outlines the framework for cross-border data transfer, excluding ‘critical personal data’ and allowing transfers under specific contractual agreements to ensure compliance.
In Pakistan, the Pakistan Cloud First Policy sets out a clear schematic process for data management, which includes open data, public data, restricted data, sensitive data, etc. It is imperative to mention these categories in order to know which data falls into which category and to see where data is not being protected and privacy laws are compromised. These key concerns regarding data subjects’ rights in Pakistan raise challenges in meeting the standards set by international law.
Comparison with International Standards
The adoption of the General Data Protection Regulation (GDPR) has significantly reshaped international law by introducing stringent limitations and requirements on the collection, processing, and sharing of personal data. Importantly, it addresses previously uncovered areas, focusing on individual and company rights within the scope of global privacy laws. This is a key element in global data protection laws, clarifying that when data is transferred to a third country, it is considered cross-border data sharing.
To address the alarming issues concerning cross-border data transfer, privacy-enhancing technologies (PETs) have emerged. These are technologies, tools, techniques, and practices designed to protect an individual’s privacy rights. This is achieved by safeguarding personal data during storage, processing, and transmission. For example, fully homomorphic encryption (FHE) has been acknowledged by many governments, regulators, and enterprises to create a shield for protecting data across the globe.
FHE is an advanced form of encryption that allows computations to be performed on encrypted data without needing to decrypt it first. Some countries have seen positive outcomes from these measures. For example, Singapore’s privacy regulator, Infocomm Media Development Authority (IMDA), has published a case study on PET use in cross-border collaboration by highlighting the positive impacts on data transfers, localization, and protection laws across jurisdictions. The European Data Protection Board (EDPB) reemphasizes this by highlighting the compliance of PETs with EU law in facilitating data transfer across borders.
Nevertheless, this remains one of the dominant global issues, as numerous unaddressed challenges are revealed over time, and it has been one of the daunting elements for companies in maintaining corporate compliance.
Cross-border data transfer is one of the pivotal concerns. Hence, there are some key frameworks and principles, such as the Asia-Pacific Economic Cooperation (APEC) framework. This framework supports a flexible approach to data protection, enabling cross-border data flows. Then there is the Organization for Economic Co-operation and Development (OECD) framework, which promotes an adaptable approach to data privacy that, upon crossing a border, ensures data is adequately protected. It highlights the concept of Data Free Flow with Trust (DFFT), coined in 2009, which aims to promote the free flow of data while ensuring an individual’s trust, privacy, security, and intellectual rights.
Similarly, it encourages member countries to follow the framework while facilitating international standards. In EU-US data transfers, Standard Contractual Clauses (SCCs) are legal contracts that ensure adequate data protection when transferring personal data. These standards meet the needs of data subjects globally, and countries are aligning their laws to facilitate smooth data movement while protecting contract confidentiality.
Analysis
Given the vital need for data protection, countries worldwide have developed data protection frameworks, especially after the Industrial Revolution and technological advancements that raised the focus on individual rights and cross-border data protection. Therefore, every country has its own laws to protect its data, and it applies those laws to cross-border transfers, with companies agreeing to them.
Consent is imperative as it forms one of the essential elements of a contract. Each company needs to express it to ensure that they have agreed on certain terms and conditions, which serve as the shield for the data subject and affirm the fundamental rights of the citizens. However, the process of cross-border data transfer is significant for global trade, commerce, communication, and economic perspectives.
It is pertinent to mention that developed countries have created easy ways for companies to follow by helping them ensure that the elements of the contracts are met, which can help them protect their data across borders with fewer challenges. Companies in any jurisdiction need to prepare themselves to minimize the risk factors by adhering to the data transfer restrictions across borders and by focusing on SCCs, especially the jurisdiction clause if any dispute arises.
Importantly, they should ensure that there is no ambiguity or unnecessary clause that could infringe on any party’s security and privacy rights. Considering these key issues, companies should allocate additional time for effective compliance. This also includes having grace periods for adapting to the new rules to meet global standards.
Conclusion
In summary, data transcends borders and must be protected accordingly to ensure privacy laws are upheld. In developed countries, cross-border laws protect data regardless of their jurisdictional boundaries.
Companies must ensure that their terms and conditions include clear provisions for cross-border data protection and safeguarding the personal information of data subjects. These provisions should align with applicable corporate compliance standards, eliminating any ambiguity in the enforcement of privacy laws, including international regulations such as GDPR, to ensure full compliance with data protection requirements.
Therefore, developing countries like Pakistan should adopt and implement data protection laws that align with international standards. This will enable effective protection of cross-border data, promote better outcomes, and support the growth of a thriving digital economy.