Data, and the challenges around where it originates, where it lives, and how much of it is being created, have garnered a great deal of attention recently. The accelerated demand for and attention around data has been generated by a number of factors, including a widespread shift to cloud-based technologies in order to sustain COVID-driven remote working, increased European Union scrutiny and enforcement of compliance around General Data Protection Regulation (GDPR) safeguards for personally identifiable information (PII), high-profile lawsuits involving American big tech companies, and a more intense focus by organizations on the security of their data centers in response to tougher e-privacy regulations.
That is particularly true when it comes to data localization requirements in Europe, where companies are facing significant pressure around GDPR and e-privacy regulations, which dictate how data about a country’s citizens or residents is collected, processed, and/or stored before being transferred outside the country’s borders. This applies to data that is generated by and about customers, as well as information involved in eDiscovery, compliance matters, litigation, and investigations. These mandates will directly impact data discovery and workflow processes.
Beyond the requirements of other global jurisdictions, many international organizations are also eager to avoid subjecting their data to U.S. attitudes toward data privacy, American politics, and laws like the USA Patriot Act. This means that organizations around the world, no matter where they are headquartered, are increasingly interested in cloud storage options that serve as localized and secured data repositories where their data is collected and kept, ensuring it does not cross into other jurisdictions.
This is all taking place in an environment where a global pandemic has forced employees around the world to work from home, fueling an even greater acceptance of cloud-based technology and the need to store the increasing amounts of data that are being generated. The work-from-home environment has also spurred vast amounts of information being shared on collaboration platforms, such as Slack, Google Meet, Google Chat, and Microsoft Teams, where employees may be speaking more informally than they have before, and organizations have less experience producing information from these types of systems during eDiscovery and investigations.
With legal and regulatory situations in flux, companies that operate on a global scale must consider all of these new pressures and considerations around collecting, processing, and storing data inside the individual countries where they operate before data is transferred internationally. Platforms that enable cloud storage of sensitive data are able to meet strict regulatory localization requirements, eliminating the need for companies to seek physical data centers in multiple jurisdictions, such as the EU. Companies should also look for ways to increase the efficiency of the tools they use, as litigation, investigations, and compliance matters become more complex. This will not only allow them to remain in compliance with regulations around the world but also to take advantage of new technologies and opportunities.
One driving force for the increased interest in data localization is the anticipated changes from the proposed EU Regulation on Privacy and Electronic Communications, or ePrivacy Regulations. ePR, as it is also known, will replace the ePrivacy Directive of 2002 and provide specific regulations around electronic communications. Originally intended to take effect in 2018 alongside the EU GDPR’s rules on personal data processing, ePrivacy Regulations may not come into effect until next year at the earliest. But when they are implemented, they could have far-reaching implications. For example, unlike GDPR, ePrivacy Regulations will also affect business-to-business marketing, not simply PII.
While the final passage of the ePrivacy Regulations has been delayed, companies should begin to plan for them now, especially as enforcement of GDPR has forced eDiscovery processes to be more structured, secure, and efficient. Compliance with such regulations continues to be paramount for organizations that operate within the EU, since GDPR fines surpassed $42 million in the first quarter of 2021 alone.
Fines and enforcement have varied across nations. In the first quarter, the greatest number of fines occurred in Spain, where regulators imposed fines in 34 cases that totaled $21.7 million. German regulators imposed the second highest number of fines, $14.8 million, for just three cases.
Yet another major sign that the pressure around data privacy requirements is increasing comes from the European Data Protection Board (EDPB), which released final guidance in June around data transfers to third countries.
Under the new guidance, companies that process EU users’ data in third countries that don’t have adequate data arrangements with the EU, such as the U.S., will either need to spend a great deal of time and money to comply with the standards or suspend their flows of data. However, one way to comply with these new requirements is to store and process EU user data locally. This can be done by working with third-party SaaS providers that have data repositories within the EU.
“The goal of the EDPB Recommendations is to guide exporters in lawfully transferring personal data to third countries while guaranteeing that the data transferred is afforded a level of protection essentially equivalent to that guaranteed within the European Economic Area,” said Andrea Jelinek, chair of the EDPB.
U.S. companies are already contending with the implications of the EU approach to data privacy. For example, Facebook is currently in a case over data flows from the EU to the U.S. In the latest development in that matter in May, Ireland’s High Court issued a ruling that allows that country’s data privacy authority to continue with its review of how Facebook handles the personal data of Europeans. Facebook has claimed that data flows are an integral part of its business model, according to media reports.
The case is being closely watched to determine if other tech companies will be able to manage their data as Facebook has or if they will need to follow in the footsteps of Microsoft and handle all data in “centers” that are local to Europe.
The Advantages of Understanding EU-Specific Data Requirements
With all of these considerations and uncertainties, companies that operate internationally should consider exploring how and where they store data. A secure, cloud-based platform supported by a provider familiar with EU-specific considerations will allow organizations to manage evolving EU data localization regulations and improve the efficiency of their tools to manage the complexity and scope of litigation, investigations, and compliance. It is highly likely that law firms and legal departments will be turning to SaaS providers with overseas data management capabilities as they grapple with data-flow- or data-privacy-related cases between the EU and U.S.
However, it is critical to find and vet the right partner. There are several areas to consider when researching providers, including the following.
- Compliance — Maintaining data privacy and compliance across every jurisdiction where companies operate is of crucial importance. Organizations must find providers that have experience with not just U.S. federal and state regulations, such as the Freedom of Information Act and California Consumer Privacy Act, but international regulations, such as GDPR and ePrivacy Regulations, as well.
- Security — Companies also need to look for providers that offer the highest levels of security certifications and use third-party audits to verify those certifications. Organizations should closely examine potential providers’ organizational, architectural, operational, and network security protocols to make sure those are best in class.
- eDiscovery — With the explosion in data, eDiscovery continues to be an expensive, time-consuming burden. When potentially responsive information involves localized consumer/customer data in the cloud, the situation becomes even more complicated. Companies should look for providers that have experience with eDiscovery as well as international data privacy matters.
- Investigations — The rise in work-from-home situations has led to increased interest in internal investigations. Providers that offer the ability to mine data, utilize machine learning, and recognize patterns will allow organizations to find information that will help to keep them in compliance with state, federal, and international regulators, as well as with their own internal standards.
For international companies, the last 20 months have been a time of dizzying change. Even as COVID has changed how much data employees and customers generate and where that data lives, regulators and courts around the world have continued to enforce existing regulations around data privacy and implement new ones. This has accelerated the need for companies that deal with data from users around the world, particularly the EU, to think carefully about how they store, process, and move that PII. The IT and legal industries can expect this pace to continue as U.S. political powers also tighten data privacy laws and consumer rights protections.
The key will be to understand where your organization fits in. This is particularly important for companies that deal in massive amounts of PII, which must be closely safeguarded to ensure that risk is minimized and that the chances of running afoul of regulators and other enforcement agencies are taken into consideration by all departments — legal, compliance, and IT. By being proactive and working with the right partners, companies can better position themselves for the future challenges that await around securing, collecting, and storing data.