Latin American Data Export Governance

Data flows are global, but privacy laws are local. I first uttered that statement in the last century during initial discussions on whether the United States had adequate privacy protection as defined by the 1995 European Union Data Protection Directive. At the time, I argued that privacy protections in the United States were a mosaic of federal and state laws, media attention, and private litigation that made the U.S. system effective — and effective is adequate. I also argued that the change in the wording of the Directive from equivalent to adequate was significant. Alas, the U.S. was not among the handful of countries found adequate.
That was a simpler time, before terrorism made government use of private sector data more globally pervasive, before the use of observational data had accelerated, before big data had become part of our vocabulary, and when cars were not part of the internet of things. So, the question of adequate countries has become much more complex. Comparing country laws and systems to other country laws and systems has become more problematic. If anything, it has made governance alternatives to adequacy more and more appealing. The simplicity of the Canadian accountability requirements for data export has become more and more attractive.
Latin America has now entered this complex adequacy equation. Personal data must flow from Latin American countries to the rest of the world for Latin Americans to be part of the global society of connected individuals. Latin American data protection authorities have an obligation to make sure their national citizens are protected when data goes beyond borders. Latin American interests mirror those that we see in Europe and Asia. As Brazil contemplates new legislation and the Ibero-American Data Protection Network Standards foretell revised legislation in other jurisdictions, it is useful to contemplate how policy makers might achieve protection and the free flow of data in highly complex ecosystems.
The comment period just closed on a draft decree from Colombia’s Superintendent of Industry and Commerce (“SIC”) on data transfers. Colombian law and secondary regulations require that data be transferred only to countries with adequate privacy protections unless there is an exception. However, Colombia’s concept of transfers is very different than what one would find in European law. Colombia’s secondary regulations differentiate between a transfer, where data is exported to another controller, and transmissions, where data is shared with foreign processors. It is likely that most of the data that leaves Colombia is going to a processor, which means it is a transmission. Both transmissions and transfers are subject to a 2015 SIC decree on accountability. That means that controllers are always responsible for the data they share with others, and most controllers identify and mitigate the risks related to data movement. I filed comments on this latest draft decree.
The draft SIC decree lists countries that have been determined to be adequate. That list includes countries that are members of the European Union, most of those determined to be adequate by the EU Commission, and the U.S. I believe the U.S. was found to be adequate, not because privacy law and enforcement were found to be similar to Colombia’s, but rather because the U.S. is effective in protecting against careless and harmful data processing. Determining the adequacy of another country’s data protection and privacy protections is always difficult and complex. After 20 years, it is gratifying that the effective argument has some standing. But in the end, it is the accountability decree that is of most importance. Whether it is a transfer or a transmission, a data exporter owns the risks to others associated with all data processing phases, including movements across borders.
Most new and proposed general data protection laws contain accountability provisions. Linking accountability to responsible data movement is an effective means for signaling to companies that they have ongoing obligations when data is moved. The due diligence they take to mitigate risk when moving data is what is ultimately important. For example, U.S. financial institutions do not have adequacy requirements, but they do have data safeguarding requirements that require high levels of assurance that the organization stands accountable when processing outside the United States.
My Colombia comments place an emphasis not on blanket requirements but rather on requiring organizations to understand the risk to people associated with a data export, and require contract provisions related to those risks. It is my view that tailored provisions protect against reticence risk as well as the other risks associated with processing.
The bottom line for Latin American regulators, and those in Asia as well, is that protection of individuals will come more from accountability requirements than all the hours spent assessing whether other legal systems meet an adequacy test. And for companies, adequacy is not a get-out-of-jail-free card. Companies will still have to have policies and procedures to protect individuals when data moves.
The IAF has an Americas Discussion Group. If you have an interest please contact Marty at mabrams@informationaccountability.org.
