Transborder Data Flow
One of the most interesting concepts I learnt recently: the regulations around data flowing from one country to another. Whenever Transborder Data Flow (TDF) is referenced, the European Union laws (the EU Data Protection Directive) are almost certain to be mentioned.
It centers around different standards in data privacy. For example, the EU laws require any data controller to have technical and organizational measures in place to meet individual privacy objectives. In summary, you have to get consent if you’re collecting personally identifiable data (think date of birth, social security number, even fingerprint) and be transparent about what you are going to do with it, and if the subjects wish to opt out, they have that right.
What happens if you don’t comply? You could get a warning, get audited, or, in the case of corporations, face fines of €10 million or more.
So if you have a global cloud-based system with infrastructure in North America and Asia, and European customers who use your service… what does all this mean?
You can store data overseas; it is not a question of storage so much as what you do with the data. It gets more complicated when you consider trust domains and the use of federations or third-party identity management, but put simply, everyone in the mix needs to comply with the data privacy rules, not just in the spirit but in the words of the directive. Collect only the required data, not something you might need for future use. If you plan to share it with a marketing affiliate, that needs to be known to the subject: they have to agree, and they must be able to update their data and delete it if they want. The data must be protected at all times. All parties that use the data must be disclosed, including the purpose.
US-EU Safe Harbor Privacy Shield
An example of transborder data flow as a concept in practice is the Privacy Shield between the European Union (EU) and the United States, which basically allows organisations in the two continents to transfer data between each other. The European General Data Protection Regulation (GDPR) is more stringent than the American requirements in terms of data privacy. The shield itself has 7 principles which participating organisations must adhere to (pretty much what is described in the section above). So for this shield to work, companies need to make a self-certifying submission that they meet the EU privacy standards, and pay a fee.
What does this mean for Brexit?
If the UK separates from the EU without an agreement, then data transfers from the UK to the EU and vice versa will no longer be considered compliant with the EU standards, which means EU companies could be subject to fines if they transfer personally identifiable data of EU citizens to the UK.