What does cross-border data flow mean?
Cross-border data flows refer to the movement of personal or sensitive data from one country to another through physical transfer of storage media or electronic transfer over the Internet and other networks. This includes transferring data for business purposes, such as when a company operates in multiple countries, or for any other reason, such as when an individual travels with a data-enabled device.
Cross-border data flows may have different data regulations and protections in different countries, and the transfer of data across borders can increase the risk of unauthorized access and misuse, so legal, privacy, and can raise security concerns. As a result, many countries have implemented laws and policies that regulate the flow of data across borders. This includes restrictions on the types of data that can be transferred, the circumstances, and the level of protection.
The Importance of Cross-Border Data Flows in the Modern World
Cross-border data flows are becoming increasingly important in today’s globalized world where information and commerce often cross borders. Key benefits and importance of cross-border data flow include:
· International business facilitation: Cross-border data flow is critical to the functioning of international trade and commerce. Businesses can use data to make informed decisions, manage their supply chain, and communicate with customers and partners around the world.
· Technological advances: Cross-border data flows are also important for the development and implementation of new technologies such as cloud computing, artificial intelligence, and the Internet of Things. These technologies rely on the ability to transfer data between countries in order to operate effectively.
· Improved public health and safety: Cross-border data flows play a key role in improving public health and safety by enabling the sharing of critical health and safety information between countries. For example, data on infectious diseases can be rapidly shared across countries to contain outbreaks and prevent their spread.
· Protection of individual rights and freedoms: Cross-border data flows also help protect individual rights and freedoms by giving people access to information and resources around the world. For example, individuals use the Internet to access information about health, education, and political issues, and to participate in online forums and discussions.
Cross-Border Data Flows: A GDPR Perspective
The General Data Protection Regulation (GDPR) is a comprehensive privacy regulation implemented by the European Union (EU) in May 2018. This regulation sets out specific requirements for cross-border flows of personal data. or an identifiable natural person.
Under the GDPR, cross-border transfers of personal data are permitted only if appropriate safeguards are in place to protect the privacy and rights of individuals. Validity can be ensured through several mechanisms, including validity determinations, standard contractual clauses, binding corporate rules, and exceptions.
· Adequacy Decision: An adequacy decision is issued by the European Commission and is a formal decision by a third country or international organization to provide an adequate level of protection for personal data. To date, the European Commission has issued adequacy decisions for a number of countries and territories including Andorra, Argentina, Canada (commercial organizations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Switzerland, and Uruguay.
· Standard Contractual Clauses: The Standard Contractual Clauses, also known as the Model Contract, are pre-written clauses that can be used to transfer personal data from the EU to third countries. Organizations can use standard contractual clauses to ensure that personal data transferred outside the EU are provided with adequate protection.
· Binding Corporate Rules: The Binding Corporate Rules (BCR) are internal policies and procedures that companies can adopt to control transfers of personal data within their corporate group. BCRs, which must be approved by EU data protection authorities, provide a way for an organization to ensure the protection of personal data transferred from one of the entities to another within the same group of companies.
· Exception: In limited circumstances, personal data may be processed, with the express consent of the data subject, to protect vital public interests or to establish, exercise or defend legal claims.
The GDPR also requires organizations participating in cross-border data transfers to implement appropriate technical and organizational measures to ensure the security of personal data. These measures may include encryption, access controls, regular security audits, etc.
Additionally, the GDPR requires organizations to appoint an EU representative if they are processing personal data on behalf of data subjects in the EU but are not established in the EU. This representative will act as a point of contact for data subjects with EU data protection authorities and help ensure that the organization is compliant with her GDPR.
India’s vision for cross-border data flows?
The Digital Personal Data Protection Bill 2022 is a proposed bill in India that would seek to regulate the collection, storage, and use of personal data by organizations operating in India. The bill establishes specific requirements for cross-border data flows. This is defined as the transfer of personal data from India to a foreign country or territory.
Under the proposed bill, cross-border data flows are subject to a number of restrictions and requirements, including:
· Pre-approval: Organizations must obtain pre-approval from data protection authorities before transferring personal data outside of India. This approval is based on an evaluation of several factors, including the level of personal data protection in the receiving country, the purpose of the data transfer, and the rights and freedoms of the data subject.
· Data Localization: The bill requires organizations to store certain categories of personal data within India. This includes sensitive personal data, defined as data necessary for the sovereignty, security, and strategic interests of India. Organizations must also retain a copy of all personal data transferred outside of India.
· Security measures: Organizations must implement appropriate technical and organizational measures to ensure the security of personal data during cross-border data flows. This includes measures such as encryption, access controls, and regular security audits.
Notice and Consent: Organizations must notify data subjects before transferring personal data outside of India. The data subject must also provide
Express consent to assignment, unless the assignment is required for the performance of a contract or legal obligation.
· Data access and rectification: The bill requires organizations to provide data subjects with access to their personal data so that they can rectify any inaccuracies. This includes personal data transferred outside of India. Organizations should put in place appropriate mechanisms to enable data subjects to exercise these rights regardless of where their personal data is stored.
· Data Retention: Organizations should retain personal data only as long as necessary to fulfill the purpose for which it was collected. This includes personal data transferred outside of India. Organizations should put in place appropriate mechanisms to ensure that personal data is deleted in a timely manner when it is no longer needed.
In summary, the Digital Personal Data Protection Bill of 2022 sets out strict requirements for cross-border data flows, and organizations should take care to ensure compliance with these requirements. Organizations should obtain pre-approval for cross-border data flows, store certain categories of personal data within India, implement appropriate security measures, provide notice, and obtain consent from data subjects. You must provide access to and correction of your data and retain your personal data only when needed. By doing so, organizations can ensure that personal data is protected while enabling continuous information flows and commerce across borders.
DELTA Data Protection & Compliance, Inc. Academy & Consulting – The DELTA NEWS – info@delta-data-compliance.com
