Requiring Data Storage In-Country Raises Corporate Risks(1)

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By George Lynch

The uptick in international laws demanding companies store personal data within geographic borders forces multinationals to engage in complicated risk assessments, privacy professionals said April 20.

Governments often demand data localization under the guise of protecting privacy, but such laws are really enacted to ease government access to data or to boost local cloud service providers, Lothar Determann, a data privacy partner at Baker McKenzie LLP in Palo Alto, Calif., said during a panel at the International Association of Privacy Professionals Global Privacy Summit 2017 in Washington.

Russia is the most active enforcer of local data storage requirements, the panelists said. The Russian government blocked LinkedIn Inc.'s website in November 2016 in a high-profile case where it alleged that LinkedIn failed to comply with the law by not storing Russian citizens’ data within the country. It remains blocked despite LinkedIn’s insistence that it is in compliance.

A handful of other countries have adopted data localization requirements, including recently China, but Russia remains, for now, the country demanding the most risk-analysis attention from multinationals, the panelists said.

Kristen Mathews, the head of the Privacy & Cybersecurity Group at Proskauer Rose LLP in New York, said that data localization laws will force companies to undertake a lot of risk assessment in order to figure out “how and where to store data locally.”

The basic elements of a proper risk assessment, Mathews said, are having a rudimentary plan for the cost of compliance, then balancing that cost against the likelihood of enforcement. The wild card is figuring out the magnitude of harm that could result from enforcement measures such as shutting down websites or other actions affecting a company’s ability to operate in a country, she said.

Bret Cohen, a privacy and cybersecurity partner at Hogan Lovells LLP in Washington, said forcing global companies to redesign their existing network architecture in order to comply with one country’s data localization law “isn’t a trivial or cheap consideration.” It may be a hard sell for a company’s privacy team to convince the information technology team that data must be routed in particular ways to comply with data localization laws, he said.

The panelists agreed that, if faced with a government data localization compliance audit, such as those underway in Russia, companies should be able to document the steps they have taken to comply, even if they may not be in full compliance.

The panel, “What Companies Need to Know to Comply With International Data Localization Laws,” was sponsored by Bloomberg Law and moderated by Donald Aplin, managing editor for privacy and data security news at Bloomberg BNA.

To contact the reporter on this story: George Lynch in Washington at gLynch@bna.com

To contact the editor responsible for this story: Donald Aplin at daplin@bna.com

Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.

Request Bloomberg Law: Privacy & Data Security