Skip to main content

Extraterritoriality in Data Transfers: Are you sharing it correctly?

In light of heightened global restrictions on cyber practices and data privacy, business is often left confused to the implications of data transfers to their offshore practices. In this vain, we ponder, are your data practices actually compliant?

Cross-border Data Sharing and its Challenges

The COVID-19 pandemic has upended the way organizations handle their sensitive data. [1] With international travel at a standstill, many organizations have amplified their use of digital information sharing. This poses problems for companies interacting with clients domiciled in nations where electronic communication is subject to government surveillance or the local data storage capabilities are insecure. Those needing to share data with companies in countries of high data risk profiles are now obligated to create specific protocols aimed at securing against data leakage and the concomitant loss of integrity and reputation.

Privacy: A Conflict in International Regulation

When companies discuss recent changes in the data privacy landscape, the most common thoughts are towards new laws such as the EU’s GDPR or California’s CCPA. But new consumer protection laws are not the only major development companies should be thinking about. Over the last decade, many countries have implemented privacy-intrusive security laws that require companies to share certain sensitive information with government entities. Many locales that were previously thought to be “safe” for data sharing, such as India, are in the process of drafting legislation that substantially broadens the extent to which governments can access and surveil personal and nonpublic data. [2] While we anticipate these laws to be used sparingly, companies must be mindful that government surveillance within one country may be defined as a data leak in another. At the crux of that matter, when and should such an information leak occur, there is potential for substantial property and reputational damage. 

While companies generally perform due diligence reviews on the clients and partners with whom they share data, they must also be aware of the discrepancies in law for the region of client domicile. For instance, Russia requires all personal data of its citizens to be stored on domestic servers and for data to be decrypted when requested by security agencies. Similarly, China often mandates a joint partnership with domestic entities who can be legally bound to share foreigners’ intellectual property and / or data with local government. Companies must be aware of these geopolitical risks and enact appropriate countermeasures to prevent the unwanted exposure of private data. Without the adoption of appropriate risk-mitigation measures, companies will be faced with a critically decreased allowance for data sharing.

Data Protection v. Data Privacy

Many companies believe that the more common cybersecurity frameworks we’ve seen widely used in Western companies (NIST, ISO, etc.), focused on protecting data from targeted hacks, are enough to protect personal and non-public data. While this is certainly important and often mandated by law, it does not suffice in the context of the extraterritoriality and cross-border data flow challenge. Companies must also be aware of the risks of sharing their proprietary information with clients or partners located in countries whose privacy laws would be inadequate at protecting consumer data per other regulations to which they may be subject. That is, compliance with Russian or Chinese local law, for instance, may place companies in breach of laws such as the GDPR. The largest of these risks come in two principal forms – risks of restriction in data flow and risks of data in storage.

Risk of Data Restriction

Nations such as China have passed security laws that regulate how data can be transferred into and out of the country. In practice, this means directing all incoming / outgoing data through government servers that can regulate to what IP addresses the transmission is sent. While the Chinese government is not yet able to fully control all data transmission, they have established a “whitelist” of foreign IP addresses which are permitted to connect to Chinese domestic networks, and a similar whitelist of domestic IP addresses (mostly corresponding to designated telecom providers) that can receive information from foreign sources. All IP addresses which are not on the whitelist are blocked. Since many companies use VPNs which are hosted on non-Chinese servers, they are often unable to send information securely to their clients or partners in China without using an approved domestic server or in-person communication. 

These risks of restriction to the data flow upon which companies depend is not limited to those countries from whom we’ve become accustomed to expect conflicting protection / privacy laws. In July 2020, the European Court of Justice (ECJ) struck down the EU-US Privacy Shield, an agreement that allowed for a freer flow of information between companies in the EU and US based on a volunteer agreement to uphold certain protections. Stating that US "surveillance programmes [...] are not limited to what is strictly necessary," the European Court of Justice decided that American law does not adequately protect the personal information of Europeans. This subsequently informed the Schrems II decision that upheld that European companies can no longer transfer data to US-domiciled servers without employing contractual clauses detailing that data shipped to the US must be subject to protections as stringent as those in the EU. It comes as no surprise that this poses significant problems for companies whose current operations rely on freely sharing data across borders and entities.

Risks in Data Storage

Data transmission restrictions would not be a problem if third party data storage providers in risky countries could guarantee data confidentiality. However, domestic servers in nations like China and Russia are subject to laws that require their operator to submit user data upon government request. For example, Russia requires that Telegram, a popular secure messaging service, keep all of its users’ encryption keys and submit them to government agencies when asked. This lends to our second risk that information given to a local partner may be subject to surveillance or seizure – a downstream data transfer for which companies subject to western privacy law must account. This risk is particularly significant in countries with conflicting legal systems that can be easily exploited by domestic corporate or government interests to seize data from potential competitors.

While seemingly uncommon, recent privacy events have shown that companies as diverse as Apple, Disney, and Cisco have been affected by privacy loss in similar circumstances. An example of note includes China’s data localization law that required Apple to partner with a local cloud services company, GCBD, to store all user content uploaded as part of its iCloud service. According to the terms of service, “Apple and GCBD have the right to access your data stored on its servers. This includes permission sharing, exchange, and disclosure of all user data […].” Any Chinese company using Apple services such as iCloud could have their data (and potentially their partner foreign company’s data) stolen at will. Apple’s experience demonstrates that companies must factor in the requirements of local laws and integrity of the legal system when evaluating the risks of vendors and clients.

Actions You Can Take to Protect Your Data
Action Rationale
Track countries whose privacy laws around data storage align with the regulations to which your company is subject. Conduct an internal gap assessment to see where data is transferred or stored in countries not in alignment. Data stored in countries without adequate privacy measures should be encrypted using passwords known only to the trusted local entity and your own organization. Data stored in a cloud server in a sensitive country can be subject to surveillance and seizures. Even if the data stored on the local server is encrypted at source, the authorities may collect metadata or demand that the local entity provide an unencrypted version.
If storing information in particular regions is not possible due to data localization requirements or transmission risks, data storage and processing should be consolidated in the country of domicile of the client (minimization, limitation, and migration). All sensitive tasks should be compartmentalized to avoid the need for information transfer between the data collection, analysis, and management stages. While complete data migration may be infeasible for many companies, adhering to the principals of minimization and limitation will naturally limit the transfer of information to destinations where processing is not necessary to the purpose. Keeping all data storage in a similar region of processing, whether or premise or through a continental provider, allows an organization to enact additional security precautions, such as self-destruction of the data after a certain time period or detection of unauthorized access.
If third parties in extraterritorial locales must be used to analyze data, use homomorphic encryption techniques. Homomorphic encryption allows for encrypted data to be processed without the need for decryption. Secure multiparty computing can also be used to “split” the input into multiple discrete parts; each part can be sent to different parties for evaluation. Homomorphic encryption allows for end-to-end encrypted data processing. Since the data does not need to be decrypted before analysis is performed, homomorphic encryption is useful when the third-party cloud provider has a high risk of being compromised. However, calculations with homomorphically-encrypted data tend to be very resource consuming, so organizations will need to carefully weigh the costs and the benefits. Secure multiparty computing is a more cost-friendly alternative that works by separating data into distinct chunks which are sent to different third parties. As a principal, companies should invest in their data protection capabilities and see this as a space for competitive innovation against the benefit of increasing free-flowing data.
Update your clear-desk policies, mobile and laptop device policies, and all others to reflect the appropriate level of access and security demands. Paper copies should be avoided, and decryption passwords for electronic media should be known only by designated persons at the local entity and your organization – not by the traveler carrying the information. These policies should be accompanied with associated trainings set periodically. Paper-based and unencrypted electronic media is subject to interception, particularly when passing through closely-monitored environments such as border checkpoints. Mobile devices are a high security risk because they are carried on one’s person and can easily be intercepted.
Employ multi-agent encryption methods, such as Shamir’s Secret Sharing, to encrypt all sensitive information. For example, five individuals could each be given a unique key for an encrypted sensitive document; using a secret sharing method, this document can be decrypted by any three keyholders. By ensuring that documents can only be decrypted if multiple people provide their keys, sensitive information can be kept secure even when a person’s key (or multiple keys) are compromised. It also allows for redundancy: only a certain number of keyholders are needed to decrypt the document. Companies also have the flexibility to assign different levels of information access. For example, senior members of a company could be given more decryption keys and therefore require less keyholders to decrypt sensitive information.

Keeping your data safe extraterritorially can be challenging, particularly given the changing regulatory landscape. However, with the proper use of electronic tools and well-governed data policies, any organization can mitigate or remove the risk of operating in jurisdictions with conflicting data protection and privacy standards.

How Sia Partners can Help

Sia Partners has extensive experience helping organization enact best practices in cybersecurity. With market-leading expertise in Cyber Risk Management and Data Privacy, Sia Partners can help your organization draft an information security policy that fits your needs. Our global consultancy practice can assist with third-party risk assessment, compliance with privacy laws in multiple jurisdictions, and integration of the latest cybersecurity tools into your daily workflow. In addition, Sia’s Cyber e-Learning platform can help turn your organization’s employees into cybersecurity professionals, as well as build resilience and practical know-how for crisis situations. We also offer proprietary AI tools to help your organization monitor and adapt to emerging cybersecurity threats.

With 100+ projects delivered, Sia Partners has extensive experience helping companies reinforce their Privacy Policies, Procedures, and Standards. Additionally, our Centers of Excellence have developed technical AI solutions to support the maturity of your organization’s Privacy Program. 

Reg Review

  • Our Reg Review solution uses AI to help compliance and risk teams navigate challenges like regulatory inflation, technicalities, increased regulator monitoring, managing local specificities, strengthening teams, and more.

Data Protection / Privacy Tools

  • Data Privacy vendor screening
  • Data analytics for stored and deleted personal information
  • Cybersecurity training and testing
  • Learn more about our Data Privacy offering

Business Transformation Cyber Services

  • Gap assessment / risk analysis
  • Data inventories
  • Individual rights management (end-to-end)
  • Integration of Privacy management solutions and tools
  • Third-party risk assessments and controls
  • Training