New commentary from a respected think tank attempts to provide guidance on cross-border data transfers. The guidance proposes principles for determining which country’s law to apply to a cross-border transfer. Although there is no guarantee that the guidance will gain favor with courts or regulators, it is an important indicator of what the future may hold for this important and undeveloped area of law. While the commentary does not provide concrete steps to lawfully effect cross-border data transfers today, companies can infer several lessons, detailed below, from the issues highlighted in the commentary.
Cross-Border Data Transfers
Cross-border data transfers are both an unavoidable reality of modern corporate life and a poorly mapped legal minefield. Despite a proliferation of regional rules, regulations, and statutes related to data governance and control, there is precious little guidance to assist companies that are trying to navigate these complicated—sometimes incompatible—requirements. That is why, as we noted in our report on data privacy and cybersecurity in global dealmaking, “Private M&A 2020,” data transfer requirements have become an impactful trend in worldwide dealmaking.
The recently published Sedona Conference Commentary and Principles on Jurisdictional Conflicts over Transfers of Personal Data Across Borders (the “Commentary”) represents one attempt to clarify how companies, courts, and regulators should reconcile cross-border data protection laws. The Sedona Conference is a think tank of lawyers in private practice, in-house counsel, and academics dedicated to the study of antitrust law, complex litigation, and intellectual property. In the past, the work of the Sedona Conference has influenced U.S. jurisprudence at the intersection of law and technology. See, e.g., Zubulake v. UBS Warburg, 229 F.R.D. 422, 440 (S.D.N.Y. 2004) (citing Sedona Conference principles on eDiscovery).
The Six Principles
The Commentary proposes six principles to govern jurisdictional conflicts over cross-border data flows. These principles draw on existing norms of international law and set out a comprehensive framework for companies to assess which nation’s data protection laws apply to personal data they maintain.
Principles 1 and 2 describe which country or countries should have jurisdiction over data. Principle 1 recommends nonexclusive jurisdiction for the country or countries where data subjects live and organizations engage in economic activities. Principle 2 extends nonexclusive jurisdiction to any country “inextricably linked” to the data processing at issue. The Commentary endorses the European Union Court of Justice’s decision that a country had jurisdiction over the operator of a search engine because the search engine’s services and advertising are inextricably linked to the country. See Case C-131-12 ¶ 56.
The Commentary predicts that these two principles will reduce the need for data localization laws. Data localization laws generally require companies to store certain types of data in data servers located in the country, partially to ensure that the country will have jurisdiction over that data. The Commentary predicts that the consistent application of the first two principles will eliminate the need for these laws because countries will have jurisdiction when they have a legitimate connection to the data at issue. This would be a positive development, in our view, for the many companies that face increased cost and regulatory complexity due to the requirements of national data privacy or security laws.
Principles 3 and 4 address contractual choice of law and forum selection provisions. Principle 3 promotes giving effect to choice of law or forum selection provisions in commercial contracts involving parties with comparable bargaining power. Principle 4 states that outside of the commercial context, a choice of law or forum selection provision should not deprive a person of protections that would otherwise apply to their data.
Principle 4 might not be adopted in jurisdictions, like the U.S., that routinely enforce forum selection provisions in consumer contracts. But the principle reinforces that companies must be mindful that some choice of law or forum selection provisions might not be enforced in certain jurisdictions.
Principle 5 provides that data in transit should be governed by the laws of the country from which the data originated, with exceptions for national security surveillance and law enforcement access to data in transit. This would apply equally if data is placed in transit by a data subject or by a custodian.
Principle 6 states that personal data that is material to a litigation should be provided to the party that needs it so long as appropriate safeguards are put in place regulating the use, dissemination, and disposal of the data. This principle, although designed to ensure more predictable access to data, would increase the availability of cross-border discovery and leave open substantial questions about who is responsible for ensuring the adequacy and effectiveness of the protections applied to produced data.
In the absence of case law or consistent guidance from regulators, the Commentary provides a useful map of the legal landscape, revealing several of the shoals and sharp rocks to be navigated by counsel in cross-border data transfers. Nevertheless, the principles-driven design of the Commentary does not offer concrete guidance on how companies should address these obstacles.
While companies might hope for broader adoption of these or any broadly accepted principles, there are several near-term steps companies can take to manage these risks:
- Be mindful of, and contract for, potentially applicable laws and legal risks of noncompliance in data transfers. There is no process to determine with certainty which data protection laws a court would apply to a given cross-border transaction, but these principles provide some guidance.
- Pay special attention to evolving data localization laws, which impose onerous requirements on companies to store data in specific jurisdictions. The removal of these requirements would be a positive development for many companies.
- Carefully consider how contractual choice of law and forum selection provisions will apply to data protection laws, especially in the consumer context.
- Be mindful of data protection laws that may present obstacles to sharing personal data in litigation and government investigations.
The Commentary was written by Sedona Conference’s Working Group on International Electronic Information Management, Discovery, and Disclosure (“WG6”). WG6 has produced three earlier publications dealing with discovery and data protection in civil litigation, data protection in cross-border investigations, and in-house guidance for cross-border discovery and data protection.
The authors gratefully acknowledge the assistance of law clerk Mathew Elder in preparing this entry.