Data Sovereignty Issues and Challenges in a Cross-Border Data Transfer

The topic of Data Sovereignty of citizens/residents is going to see more conflicts as Governments and Internet Businesses both realize the value of data and informed Citizens are equally skeptical to give it to either of them for the preservation of their Privacy...

In 2006, Clive Humby, the British mathematician, data scientist and entrepreneur, is credited to have said, "Data is the new oil". Today, we are in a "Digital Age" where data is more valuable than ever. Just as the global manufacturing industry a half century ago learned to adapt to an age of automation, companies today are learning to adapt to an age of digitization. In all the areas of business, we have learned to harness the power of the data to understand customer needs, develop new products, improve business processes, increase revenue and profitability. We have also learned to accept the necessity of constantly collecting and analysing our inputs and results. We can collectively call these inputs and results, "Data".

While some may disagree with the statement that "Data is the new oil", it is true that all top companies globally and even Governments base their decision-making on data. Data sovereignty is the idea of data being subject to the laws and governance structures within the country where it is being collected - in contrast to Data being governed by the Laws and Governance structures of the country where it is stored or processed or where the company storing the data is incorporated.

Let me share three key recent developments in Hong Kong-China, India and EU regarding Data Sovereignty.

Three Recent Developments in HK (China), EU and India

1. On 7 July 2020, TikTok said it would exit the Hong Kong market within days, while other technology companies, including Facebook, WhatsApp, Telegram, Google, Zoom and Twitter, suspended processing (Chinese/HongKong) government requests for user data in the region over Beijing's new security laws.¹

2. On 16 July 2020, the Court of Justice (of the European Union) invalidated the Decision 2016/1250 on the adequacy of the protection provided by the EU-US Data Protection Shield.

a. However, it considered that the Commission Decision 2010/87 on standard contractual clauses for the transfer of personal data to processors established in third countries was valid.³

b. The General Data Protection Regulation ('the GDPR') provided that the transfer of such data to a third country may, in principle, take place only if the third country in question ensured an adequate level of data protection.

3. On 27 July 2020, the Government (of India) further banned the 47 apps linked with a particular country as clones of earlier banned apps. On 29 June 2020, India banned 59 mobile apps which were considered as prejudicial to the sovereignty and integrity of India, defence of India, security of state and public order.² For stealing and surreptitiously transmitting users' data in an unauthorized manner to servers which have locations outside India. The compilation of these data, mining and profiling by elements hostile to the national security and defence of India, which ultimately impinges upon the sovereignty and integrity of India, is a matter of very deep and immediate concern which requires emergency measures. Before we plumb the depths of Data Sovereignty and Cross-Border data transfers/intelligence, let's see the broader context to understand why it matters.

Pandemic driving up the Digital Living

2020 has been a unique year. An unexpected pandemic, Covid-19, forced people to stay at home or follow social distancing. What was lost to social distancing was mitigated by digital intimacy. What it means is that what we were doing physically got replaced by Digital means. Physical meetings got replaced by Zoom/Teams/Webex meetings. Physical documents got replaced with digital documents and so on. In the words of Satya Nadella, CEO, Microsoft on 30th April 2020, during quarterly earnings report -

"We've seen two years' worth of digital transformation in two months. From remote teamwork and learning, to sales and customer service, to critical cloud infrastructure and security—we are working alongside customers every day to help them adapt and stay open for business in a world of remote everything."⁴

We are using platforms or portals or cloud-based services, on the internet that directly or indirectly require our personal or basic data for providing that service. By giving permissions and authorization to them during installation or use, we let them collect and save our personal info on their servers or in the cloud. Imagine what that data looks like when combined with other metadata (Metadata is information about the content of data, but not the contents of the data itself. for e.g. not the contents of a telephonic call, but the call records including numbers called, duration, telecom towers, operators, location, devices of the people making the call). Couple that with metadata related to where you've visited on the web or where the receiver has visited. A story will begin to form and that story can be pretty telling, depending on your activity. To understand this we need to go into the history of internet evolution.

Evolution of the internet from a Defence Project to Corporate Cloud

Beginning of the Internet: The "Internet" started as a US Department of Defence project to ensure that their computer systems survived the aftermath of a massive/Nuclear attack, by connecting them across different locations (some people may relate it to the Terminator movie). The objective was to develop communication protocols which would allow networked computers to communicate transparently across multiple, linked packet networks. This was called the Internetting project and the system of networks which emerged from the research was known as the "Internet."⁵

Internet as a tool for marketing: It later evolved on the public domain/business/commercial side with standardization and open systems. The development of browser and graphic user interface on computers led to consumer interest and a Dot-Com craze for internet-oriented companies. When people realized they can do business over the internet and reach millions of customers, such as at ebay.com and later amazon, their valuations skyrocketed.

Google and Facebook ushered in the era of search engine marketing and social media marketing, which leveraged the user data in return for free services and this data was later sold to advertisers for putting the right ad in front of internet users. These companies grew so big and powerful that many people wondered if there was an abuse of dominance under the Competition Laws.

On the Consumer protection front, questions arose on the huge amounts of Data these companies were collecting and mapping into buying behaviour and profiling, leading to privacy violations. The above models came to be known as "Surveillance Capitalism" or behavioural advertising model as it banked on the surveillance of the users and then selling the data to advertisers for behavioural manipulation.

Cloud Computing: While earlier businesses invested in IT (Information Technology) infrastructure in Hardware, Software and services to serve business needs and keep them running. Big Companies like Amazon, Google, Microsoft which had large data centers, developed models to farm out different IT resources not only to their internal departments, but also to external companies and charged for it. Data Center is a large group of networked computer servers typically used by organizations for the remote storage, processing, or distribution of large amounts of data.

It was a win-win as a rental or Utility model of computing. Businesses especially startups don't need to block their capital in IT, but rather pay as they go/use. But this cloud model came with one big issue. It also implied that all the data which companies would keep to themselves would now be sitting in the server farm of an external Cloud Service Provider (CSP) such as Google Cloud, Azure or AWS (Amazon Web Services).

Software as a Service (SaaS) and Cloud storage services have dramatically increased in popularity in recent years, but their use often entails international data transfers, which can result in major compliance challenges for users and providers. These CSPs normally operate in few countries but provide their services across the world, online.

Age of 5G, IoT and AI

The public Internet got a major boost with the Telecom and Mobile revolution. While data speeds over wireless networks improved, Mobile phones with Android and Apple ecosystems became the next frontier for consumers and digital marketers. The development of apps led to mobile first strategy for many internet firms (e.g. Whatsapp, Snapchat, Tiktok). Mobile phones also allowed collection of data which was previously unavailable to digital marketers over traditional internet and PC. Data such as GPS location, Call records (CDR), messages, bluetooth and wifi proximity, tracking on the Go, battery status, access to camera and mic, storage and pictures, videos etc. and much more became the staple of marketing strategies with most consumers not even knowing the data they were relaying and to whom.

The Internet of Things (IoT) came into being from the realization that it is not only the people who provide  information/data in the Google search bar or facebook posts. But data collection can be supplemented with non-human data sources - Things (machines/sensors/bots), by adding a host of sensors to almost any device and connecting it to the internet. These sensors can be in your wrist-band relaying health data or on your AC, fridge, heater, car, TV, Smart Speakers like Alexa or Google Echo, industrial machines, aircrafts etc. sending relevant data (temperature, engine condition, content viewing patterns and preferences etc.). This data then can be used for taking actions preemptively or providing recommendations using prediction engines.

Big Data and AI: Big Data involves collection of these vast swathes of data and applying analytics to recognize patterns. Data Science is getting insights through Data. It could be a Classification or Prediction problem. Artificial intelligence is the development of computer systems which are able to do the tasks or achieve goals that normally require human intelligence. AI/machine learning/Deep learning needs large amounts of data to enable machines/computers to train using algorithms. For e.g. millions of pictures of cats and dogs are required for computers to identify and differentiate between a cat or dog in a previously unseen picture.

Surveillance

Era of Mass Surveillance: Since September 11th, 2001, the United States government has dramatically increased the  ability of its intelligence agencies to collect and investigate information on both foreign subjects and US citizens. The Patriot Act, enacted shortly after the September 11, 2001 terrorist attacks, was essentially an amendment to FISA (Foreign Intelligence Surveillance Act) that expanded surveillance to individuals not directly linked to terrorist groups. Many of the most controversial parts of the Patriot Act, particularly those dealing with bulk surveillance, expired in 2015 but were renewed in part or whole through the Freedom Act. Some of these surveillance programs, including a secret program called PRISM, captured the private data of citizens who are not suspected of any connection to terrorism or any wrongdoing.⁶

PRISM⁷ began in 2007 in the wake of the passage of the Protect America Act under the Bush Administration. The program is operated under the supervision of the U.S. Foreign Intelligence Surveillance Court (FISA Court, or FISC) pursuant to the Foreign Intelligence Surveillance Act (FISA). Its existence was leaked six years later by NSA contractor and American whistleblower, Edward Snowden, who warned that the extent of mass data collection was far greater than what public knew and included what he characterized as "dangerous" and "criminal" activities.

The program was designed "to receive" emails, video clips, photos, voice and video calls, social networking details, logins and other data held by a range of US internet firms like Facebook, Apple, Google, Microsoft, Yahoo and Twitter among others. In the wake of the revelations, countries became increasingly concerned with who could access their national information and its potential repercussions.

Many of the current concerns that surround data sovereignty relate to enforcing privacy regulations and preventing data that is stored in a foreign country from being compiled by the host country's government.

Cyber Security and Cyber Crime

Cyber security refers to the body of technologies, processes, and practices designed to protect networks, devices, programs, and data from attack, damage, or unauthorized access.

Cyber security is important because government, military, corporate, financial, and medical organizations collect, process, and store unprecedented amounts of data on computers and other devices. A significant portion of that data can be sensitive information, whether that be intellectual property, financial data, personal information, or other types of data for which unauthorized access or exposure could have negative consequences. Organizations transmit sensitive data across networks and to other devices in the course of doing businesses, and cyber security describes the discipline dedicated to protecting that information and the systems used to process or store it.⁸

While Governments do surveillance and cyber warfare, they are not the only ones who can do it. Cybercrime⁹ refers to any and all illegal activities carried out using technology. Cybercriminals — who range from rogue individuals to organized crime groups to state-sponsored factions — use techniques like phishing, social engineering, and all kinds of malware to pursue their nefarious plans.

In another incident, Cambridge Analytica (CA) claimed to have five thousand data points on every American voter. In the words of Brittany Kaiser, a CA whistleblower¹⁰ and others-"Data is the most valuable asset on Earth; we targeted those whose minds we thought we could change until they saw the world the way we wanted them to. I do know that their targeting tool was considered a weapon,"

"There is a possibility that the American public had been experimented on."

"This is becoming a criminal matter, when people see the extent of the surveillance, I think they're going to be shocked."

Data Protection Regulations/Privacy Law:

The American whistleblower Edward Snowden's revelations of mass surveillance got governments to think about protection of their citizens' data from the eyes of foreign governments. One of the solutions was Data Localization.

Data Localization: Data Nationalism or Data residency:, pertains to the geographical location specified by a business, government, or industry body where their data is stored. Usually, this is done for policy or regulatory reasons.

However if the data is stored in the cloud of a cross border service provider. It automatically implies that either the cloud service provider needs to have a local Data Center within the restricted geography access or he/she can't transfer data or do business. This can lead to fractionalization of cloud computing/fragmentation of the Internet. Organizations will need to move to Hybrid systems, On-prem (On-Premise) and in-country Cloud data-center for the restricted data, and cross border cloud datacenter for unrestricted data. On the flip side, Data localization can restrict flow of trade (increase protectionism) and restrict freedom of speech, in some scenarios.

Data sovereignty and the EU GDPR: In the European Union(EU), the Global Data Protection Regulations(GDPR), a law that protects the EU's citizens' privacy and information, applies to not only the countries in the EU, but to companies that have data from organizations or people residing in the EU. The EU GDPR applies to the processing of EU residents' personal data, regardless of where that processing takes place. Moreover, it applies to both data controllers and data processors, so, whether an organisation uses or provides a Cloud service that processes EU residents' data, it must comply.

The Regulation also has mandatory breach reporting, and requires data controllers and processors to implement appropriate technical and organisational measures to protect personal data.

If you are GDPR non-compliant, you risk regulatory fines of up to €20 million or 4% of global annual turnover (whichever is greater), legal action from aggrieved data subjects, and reputational damage in the case of a breach.

The Regulation also has mandatory breach reporting, and requires data controllers and processors to implement appropriate technical and organisational measures to protect personal data.

If you are GDPR non-compliant, you risk regulatory fines of up to €20 million or 4% of global annual turnover (whichever is greater), legal action from aggrieved data subjects, and reputational damage in the case of a breach.

Quick Summary on Data-Transfers Under Gdpr: Chapter 5 of GDPR (Art. 44 – 50) TRANSFERS OF PERSONAL DATA TO THIRD COUNTRIES OR INTERNATIONAL ORGANISATIONS states that personal data can be transferred outside the EU under two circumstances:¹¹

1. On the basis of an adequacy decision (Article 45).

2. When subject to appropriate safeguards (Article 46).

1. Adequacy decisions

As under the EU GDPR transfers of personal data to a third country, a territory or an international organisation may take place only if the European Commission has decided that there is "an adequate level of protection".

To date, the Commission has adopted 13 adequacy decisions – with Andorra, Argentina, Canada (for transfers to commercial organizations that are subject to the Personal Information Protection and Electronic Documents Act (PIPEDA)), the Faroe Islands, Guernsey, Israel, the Isle of Man, Japan, Jersey, New Zealand, Switzerland, Uruguay and the US (for companies certified to the EU–US Privacy Shield). The last one i.e. EU-US Privacy Shield just got invalidated in Schrems II case on 16 June 2020 (more details below).

2. Appropriate safeguards

If there is no adequacy decision, controllers or processors may transfer EU residents' personal data to a third country or an international organisation if they provide appropriate safeguards and "enforceable data subject rights and effective legal remedies for data subjects are available" (Article 46).

Appropriate safeguards may be provided by:

• Legally binding and enforceable instruments.

• Binding corporate rules (explained further in Article 47).

• Standard data protection clauses.

• Approved codes of conduct; or

• Approved certification mechanisms.

Schrems I and II

One of the most important international privacy cases in recent history arose from a complaint against Facebook brought to the Irish Data Protection Commissioner by an Austrian privacy advocate named Max Schrems. In the complaint, Mr. Schrems challenged the transfer of his data (and the data of EU citizens' generally) to the United States by Facebook, which is incorporated in Ireland. The case (Case C-362/14, Maximilian Schrems v Data Protection Commissioner "Schrems I") led the Court of Justice of the European Union on October 6, 2015, to invalidate the Safe Harbor arrangement, which governed data transfers between the EU and the US. The Schrems II case originated from the 2015 CJEU decision in "Schrems I", due to replacement of Safe Harbor with Privacy Shield for EU-US data transfers.

The key issue in both cases is whether US law ensures adequate protection for personal data, as required to permit international data transfers under EU law.

Mr. Schrems' view is that, in the light of the revelations made in 2013 by Edward Snowden, the law and practices of the US offer no real protection against surveillance by the US of the data transferred to that country.

The Privacy Shield (replacement agreement for Safe Harbor) shares many of the same problems as the Safe Harbor framework, including the reliance on self-certification by US companies.

On 16 July 2020, the Court of Justice of the EU (CJEU) issued its judgment in Data Protection Commissioner v Facebook Ireland Limited, Maximillian Schrems (Case C-311/18, "Schrems II"). That decision invalidates the European Commission's adequacy decision for the EU-U.S. Privacy Shield Framework, on which more than 5,000 U.S. companies rely to conduct trans-Atlantic trade in compliance with EU data protection rules.

The decision by the CJEU to rule the Privacy Shield invalid renders the US a non-adequate country and without any special access to Europe's personal data streams.

While the CJEU validated the Standard Contractual Clauses (SCCs), another commonly used mechanism for transatlantic data transfers, saying that this mechanism does make it possible in practice to ensure compliance with the level of protection required by EU law.

However, the decision requires data controllers to assess the level of data protection in the data recipient's country and to suspend transfer if deemed non-adequate. It also underlines the strong obligation of each data protection authority in all EU member states to suspend the transfer of personal data if they deem them unsafe according to EU data protection requirements.

Data Sovereignty in Indian Context

The topic of Data Privacy a subject of heated debates in India and thus beyond the scope of this article. Indian Personal Data Protection Bill 2019¹² is currently with the Standing Committee of the Parliament, report to be submitted by the second week of the Monsoon Session (may get extended due to Covid-19). Let's discuss a few examples in Indian Context.

Payments data localization: RBI (Reserve Bank of India - India's Central Bank) via a notification¹³ on 6th April 2018 had mandated data localization with respect to payments data (excerpt below)

All system providers shall ensure that the entire data relating to payment systems operated by them are stored in a system only in India. This data should include the full end-to-end transaction details / information collected / carried / processed as part of the message / payment instruction. For the foreign leg of the transaction, if any, the data can also be stored in the foreign country, if required.

The RBI Directive was issued under Section 10(2) read with
Section 18 of Payment and Settlement Systems Act 2007. RBI
issued FAQs¹⁴ on June 26, 2019, that while there is no bar on the
processing of payment transactions outside India, the Payment
System Operators (PSOs) will have to ensure that the data is
stored only in India after the processing. In case the processing
is done abroad, the data should be deleted from the systems
abroad and brought back to India not later than one business
day or 24 hours from payment processing, whichever is earlier.
The same should be stored only in India.

Ban on Chinese Apps by India:

On 27 July 2020, the Government (of India) further banned the 47 apps linked with a particular country as clones of earlier banned apps. On 29 June 2020, India had banned 59 mobile apps which were considered as prejudicial to the sovereignty and integrity of India, defence of India, security of state and public order.¹⁵ While in the past, the Government has blocked sites or content, this is the first time they have gone against the apps en-masse connected with a particular country, and with the reason as strong as - national security and defence of India, impinges upon the sovereignty and integrity of India. Government has invoked powers under Section 69A of the IT Act (Power to issue directions for blocking for public access of any information through any computer resource), read with relevant provisions of the IT (Procedure and Safeguards for Blocking of Access of Information by Public) Rules 2009, to ban these apps.

This ban may provide a model for other countries that have expressed concerns about the pervasiveness of apps like TikTok and the privacy threat they pose with regard to their citizens' data. It may also spur the local tech ecosystem to develop alternate apps.

On 27 July 2020, Hon'ble Minister Ravi Shankar Prasad¹⁶ Minister for Communications, Electronics & Information Technology and Law & Justice, Government of India, has been unequivocal in his stand saying:

"Data is an asset and in today's world it is a critical strategic asset we need to have and therefore the question arises as to who will own the data. Data of Indians belong to the Sovereign India. We shall not compromise on Data Sovereignty"

It is clear that the topic of Data Sovereignty of citizens/residents is going to see more conflicts as Governments and Internet Businesses both realize the value of data and informed Citizens are equally skeptical to give it to either of them for the preservation of their Privacy. Let's see who wins this battle of wits or will we see a global consensus/agreement.

Disclaimer – The views expressed in this article are the personal views of the author and are purely informative in nature.