The Internet has greatly simplified and hastened the way we share files with trading partners and colleagues based in other countries. But unknown to many of us, these transborder file transfers can involve personal information, which may be subject to certain national and international laws and regulations.
With this article, we hope to make you aware of the regulatory issues that impact transborder file transfers involving personal information and help you minimize the associated risks.
Why transborder data flows are necessary
The global economy and technological advancements in networking and communications are making the sharing of information within and among organizations essential to business. If your business operates in other countries or transacts with trading partners based abroad, you will almost certainly have one or more processes that involve transborder data flows.
Some of these processes need files containing financial, customer, supplier, product, or personal data in order to complete. The moment you impede the flow of this data, you risk eroding productivity, business growth, innovation, and business opportunities. Governments realize this. That is why existing and proposed legislation is mostly aimed at controlling or regulating the flow, not stopping it.
An overview of the problem
The presence of laws and regulations affecting transborder file transfers is not the problem here. They need to exist in order to protect data security and information privacy. It is the disparities among all these regulations that make compliance activities complex and costly for businesses.
For example, if you carry out file transfers with counterparts in Europe, Northern America, and the Asia-Pacific region, you'll need to be compliant with the individual transborder data flow regulations of these areas, which can vary significantly.
Most existing laws and regulations impacting transborder file transfers are based on the OECD (Organization for Economic Co-operation and Development) Guidelines, first formulated in 1980. The fundamental principles on which those guidelines were based include the following:
1. That data subjects be notified when their data is being collected;
2. That the data be used only for the purpose originally stated and not for anything else;
3. That the data not be disclosed without the consent of the data subject;
4. That the data be kept safe from potential abuse;
5. That the data collector's identity be disclosed to the data subjects;
6. That the data subjects be given access to their data and allowed to make necessary corrections;
7. That the data subjects be given the capability to hold data collectors accountable for enforcing the above principles.
These seven principles are very similar to the seven privacy principles that comprise the United States' Safe Harbor framework, which came into effect in November 2000.
Each OECD member country is influenced by its own unique cultural, historical, and legal background. Hence, the implementations of these OECD Guidelines may vary. Let's take a look at some of the existing regulations.
File transfers from Canada to the US
There are a number of Canadian laws that impact file transfers. One of them is PIPEDA (Personal Information Protection and Electronic Documents Act), a federal law governing how private organizations should collect, use and disclose personal information during business transactions. Under PIPEDA, an organization can transfer personal information to the US but it (the transferring organization) will be held accountable for ensuring continued security of the transferred data.
In the case of federal government institutions, which are covered by the Canadian Privacy Act, these institutions can transfer personal information provided that the contracts covering these transborder file transfers include appropriate privacy clauses.
A reliable source of information regarding Canadian privacy laws concerning transborder data flows in general (not just file transfers) can be found here.
File transfers with European Union Members
All 27 EU member states, as well as the other members of the European Economic Area (Iceland, Liechtenstein, and Norway), implement national laws based on the EU Data Protection Directive, a set of minimum standards concerning the protection of transborder data flows. It is the most comprehensive piece of legislation on this matter and was largely influenced by the OECD Guidelines.
While file transfers between member states may not be restricted by the EU Data Protection Directive, transfers to a non-EU country can be prohibited if that country is found to have inadequate levels of data protection. The adequacy/inadequacy of protection is determined by the European Commission.
A particular member state's privacy authority may still allow certain transfers to take place even if the receiving country doesn't have an adequate level of protection as long as, in the privacy authority's opinion, sufficient safeguards have been implemented to ensure the preservation of privacy. Such file transfers are typically subject to appropriate contractual clauses.
Since the Directive is a set of minimum standards, implementations vary among member states. Some implementations even exceed these standards.
US companies that need to handle the personal information of EU citizens are allowed to do so provided they opt in to the Safe Harbor Principles program and self-certify each year to the US Department of Commerce.
Newer legislation, known as the European Data Protection Regulation, which is aimed at harmonizing these different implementations, is underway. Since it will supersede the Data Protection Directive and will potentially simplify your file transfer compliance obligations in Europe, it would be wise to keep track of it if you have interests in that region.
File transfers with Asia-Pacific countries
Most countries in the Asia-Pacific region are not as established when it comes to privacy and data protection regulations. The Asia-Pacific Economic Cooperation (APEC) group, for example, whose 21 member countries lie around the Pacific Rim, only came up with its APEC Privacy Framework in 2004.
APEC member countries that implement data protection legislation mostly pattern their laws on this Framework, which protects transborder data flows through the "accountability" principle. The accountability principle, whose origins can be traced to the OECD Guidelines, holds the original collector of the personal information accountable for complying with the privacy framework that applied in the place and at the time the information was collected.
This principle is the same one applied in Canada's PIPEDA and is also present in Australia's draft Privacy Principles.
File transfers from Russia
Just like the EU Directive, Russia's legislation prohibits data transfers to countries that don't have similar data protection/privacy laws. Many of its provisions have undergone numerous amendments since being enacted 6 years ago, so you might want to check their most current state if you want to carry out compliant file transfers with a Russian counterpart.
File transfers from China
Many products are now made in China. Your trading partner or perhaps even your own company might already have a business unit operating there. As far as I know, China doesn't have nationwide legislation covering file transfers. However, Jiangsu Province, which is home to many of the biggest exporters of electronic equipment, chemicals and textiles, does have a "Regulation of Information Technology". Under this ordinance, consent or official approval must be obtained before files can be transferred outside the province.
Minimizing the risks
It would not be wise to take these regulations for granted. Some of these regulations are now evolving with stronger penalties against violators. In the Data Protection Regulation draft released by the EU last January, for example, penalties can go as high as 2% of a company's worldwide turnover. As the threats to personal information escalate, legislation meant to mitigate them can be expected to gain more teeth.
When researching these regulations, pay special attention to requirements such as notices and safeguards, contractual clauses, and approvals from regulatory authorities.
One way of minimizing the risks to your transborder file transfers is by employing a Managed File Transfer system like JSCAPE MFT Server, which includes security features that secure data not only while in transit but also the moment it reaches its destination.
For example, you can send files using a secure file transfer protocol like SFTP and then enable the server to automatically encrypt the transmitted file with PGP as soon as it arrives. This is very useful in countries where the sending party is held accountable, because the sending party gains stronger assurance that the file it transmitted is secured immediately upon arrival.
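As an added example that is not part of the original article or of JSCAPE's product, the hypothetical post-arrival hook below shows the pattern just described: a file that has landed in an SFTP inbox is encrypted to the recipient's PGP key and the plaintext is removed, so that nothing unprotected stays on the receiving server. It assumes a system gpg binary and a recipient key id (both assumptions); the encryptor is injectable so the inbox-handling logic (partial uploads, already-encrypted files, atomic output) can be exercised without a keyring.

```python
import os
import subprocess
import time
from pathlib import Path
from typing import Callable, List

# Hypothetical inbound hook (example code, not JSCAPE's): run after an SFTP
# upload completes, encrypt the file at rest to the recipient's PGP key and
# delete the plaintext so the data is protected the moment it arrives.

def gpg_encrypt(src: Path, dst: Path, recipient: str) -> None:
    """Encrypt src to dst for `recipient` using the system gpg binary (assumed present)."""
    subprocess.run(
        ["gpg", "--batch", "--yes", "--trust-model", "always",
         "--recipient", recipient, "--output", str(dst), "--encrypt", str(src)],
        check=True,
    )

def is_settled(path: Path, quiet_seconds: float) -> bool:
    """Treat a file as fully uploaded only once its size has stopped changing."""
    before = path.stat().st_size
    time.sleep(quiet_seconds)
    return path.stat().st_size == before

def encrypt_inbound(inbox: Path, recipient: str,
                    encrypt: Callable[[Path, Path, str], None] = gpg_encrypt,
                    quiet_seconds: float = 1.0) -> List[str]:
    """Encrypt every settled plaintext file in inbox; return the names processed."""
    done = []
    for src in sorted(p for p in inbox.iterdir() if p.is_file()):
        if src.suffix == ".pgp" or src.name.startswith("."):
            continue  # already protected, or a temporary/partial file by convention
        if not is_settled(src, quiet_seconds):
            continue  # still being written; the next run will pick it up
        dst = src.with_name(src.name + ".pgp")
        tmp = src.with_name("." + src.name + ".pgp.part")
        encrypt(src, tmp, recipient)
        if not tmp.exists() or tmp.stat().st_size == 0:
            tmp.unlink(missing_ok=True)
            raise RuntimeError(f"encryption produced no output for {src.name}")
        os.replace(tmp, dst)  # atomic rename: readers never see a half-written .pgp
        src.unlink()          # plaintext no longer lives on the receiving server
        done.append(src.name)
    return done
```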
Now that you have a general idea of the existing laws and regulations that govern transborder file transfers, I encourage you to study more closely those that affect the areas in which you operate or transact. That way, you can apply the appropriate security measures where needed.