Beyond GDPR: Data Localization Laws Abroad
By Danny Lee and Chris Keegan
Globalization and technology development have enabled the significant expansion of international business opportunities; however, some national governments are attempting to exert control over the increasingly porous technological barriers between countries.
The European Union General Data Protection Regulation (“GDPR”), which takes effect on May 25, 2018, will require all companies in the EU involved in the processing of personal data to comply with an expanded scope of data privacy protection. A number of other countries, including China, Russia, India, and Brazil, have also introduced similar regulations. Though perhaps lesser-known than GDPR, these regulations nonetheless require significant compliance.
China, Russia, India, and Brazil, among others, are increasing restrictions on government procurement of software and hardware from foreign companies and enacting data localization laws intended to keep citizens’ personal data in-country and subject to local regulation. These laws pose a growing threat to the information technology sector and beyond, with the potential to cause companies to withdraw operations from key markets, threaten the free flow of information across borders, compromise the maintenance of global supply chains, and open companies up to fines and worse.
Becoming fully effective in late 2018, China’s new cybersecurity law will require companies that collect “personal information” and “important data” in China to also store that data in China. Despite concerns about ambiguity in the law that could leave businesses open to selective punitive enforcement, the law does not define the term “important data” and defines “personal information” to broadly include all kinds of information. Moreover, among other things, the law will also compel companies in different sectors such as finance and communications to undergo security checks. As currently set out, the law's vague language requires further guidance from the Chinese government before US companies can parse it and avoid ambiguity.
Many of China’s recently implemented policies, including those on cyber, stem largely from its 2006 plan to transform the republic from a global center of low-tech manufacturing to a major center of innovation by the year 2020. This goal is to be achieved by formulating and implementing regulations to encourage and protect indigenous innovation; however, after several US companies raised concerns over this policy, China agreed in 2011 to delink Chinese indigenous innovation policies from government procurement preference. Since then, the US-China Business Council (“USCBC”) reported that China’s commitment to delink indigenous innovation from government procurement has had mixed results, with some sub-national governments complying with the policy while the majority of companies reported that they had seen little impact on their business resulting from China’s commitment to a change of policy.
What is troubling for US companies is how some other countries are now embracing the Chinese government model of innovation policy with such policies inevitably shaping cyber regulations in those countries. For example, Argentina, Brazil, India, Indonesia, Nigeria, and Russia are instituting their own protectionist indigenous innovation policies designed to boost their domestic manufacturing and services in high-technology industries, including cyber.
Over the last few years, Russia has been expanding restrictions on government procurement of software and hardware from foreign companies for defense and security purposes. Effective on January 1, 2016, the Russian government issued Decree No. 1236, which prohibited government entities from acquiring foreign software. This order permitted government entities to purchase only software registered and designated as “Russian Software” and allowed procurement of foreign software only if a government purchaser could demonstrate that there is no domestic alternative.
This enforcement is likely to have a significant impact on foreign software and hardware vendors operating in the Russian market. While the order applies only to governmental entities, there are indications that a number of state-owned companies have been implementing these restrictions as a matter of policy, and such entities comprise a substantial share of the Russian software and hardware market. Furthermore, there is no assurance that such restrictions will not eventually be extended to the private sector.
On May 25, 2017, the Indian government approved a new policy to give preference to local goods and services in public procurement with a view to promoting the “Make in India” initiative. The policy aims to encourage procurement from local suppliers with substantive local content set at a minimum of 50 percent of value addition. By way of background, India’s National Manufacturing Policy 2011 called for increased local content requirements in government procurement in certain tech-oriented sectors, and another localization measure in 2014 included a requirement for storing electronic communications between users in India locally on Indian servers.
Brazil also favors domestic firms in government procurement programs. Brazilian law gives preference to domestic companies, even if the domestic products are up to 25 percent more expensive than the competing foreign goods. Foreign subsidiaries in Brazil and companies operating in Mercosur countries (a trading bloc composed of Argentina, Brazil, Paraguay, and Uruguay with associate members Bolivia, Chile, Colombia, Ecuador, and Peru) would also be eligible for this preference.
Consequence of Noncompliance
Noncompliance with government procurement requirements and data localization laws may potentially trigger administrative or civil liability and subsequent administrative or criminal liability for continuous failure to comply. For example, since November 2016, Russia has completely banned LinkedIn, which has declined to place its data servers inside the country to comply with Russian law. Failure to take action will place companies in the unenviable position of being forced to choose among abandoning key markets, complying with regulations that will harm their customers and their economic interests, or facing fines and penalties.
Chris Keegan, Beecher Carlson’s Cyber and Technology Practice Leader in the Executive Liability Practice, brings his industry expertise to the placement of network, privacy, technology, and media E&O insurance for a wide variety of companies including financial institutions, authentication providers, manufacturers, healthcare, retail, and telecommunications companies. He has also executed Cyber Information Risk Assessment projects and worked with regulators on evaluation of E-Business risks.
Chris is closely involved with the development of new insurance products designed to transfer electronic risk and is often asked to speak on these topics at seminars and functions throughout the United States and Canada. He has published a number of articles and books on privacy, intellectual property, and technology and is licensed to practice law in New York, New Zealand, and England. He can be reached at firstname.lastname@example.org.
JaeEon (Danny) Lee is a Legal Intern in Beecher Carlson’s Executive Liability Practice in New York, and is a rising third-year law student at Brooklyn Law School, where, in addition to obtaining his J.D., he is also pursuing his Certificate in Business Law. Previously, Danny interned at Barclay Damon, LLP where he primarily focused on litigation and researched issues on Corporate and Labor & Employment Law matters. He also interned for Microsoft Korea where he reviewed and analyzed business strategies and foreign regulations. Danny has a B.A. from Emory University in Sociology, with minors in Educational Studies. Danny is particularly interested in corporate, white collar crime, cybersecurity, and employment law and is actively involved in the Asian-Pacific American Law Students Association. He can be reached at email@example.com and firstname.lastname@example.org.