Data Governance background from a Legal Perspective for Engineers

This text was originally written in 2011 and updated over the years as GDPR came into effect. It was last updated on April 1st 2024, taking these perspectives into account.

Data Residency vs Data Sovereignty vs Data Localisation

Data residency is when an organisation specifies that their data must be stored in a geographical location of their choice, usually for regulatory, tax or policy reasons. By contrast, data localisation is when a (local) law requires that data created within a certain territory stays within that territory.*

Data sovereignty refers to data being stored in a particular country, whereby the data is subject to the country's or state's laws or governance structures. Basically, it refers to governments enforcing their own privacy and data protection laws on the data stored within their jurisdiction.

In practice, an organisation specifies that its data must be stored and initially processed in a geographical location within the EU/EES (data residency) for regulatory, tax or policy reasons, while data localisation applies when a law requires that data created within a certain territory stays within that territory. Where both apply, the stricter or more specific of the two requirements must be adhered to.

Impact on business

The rapid take-up of cloud-based data storage exposes companies to issues of data governance. With the rising popularity of cloud computing, data governance issues have become a greater focus for companies concerned about threats to the integrity and security of their data.

Data sovereignty becomes an issue when a company's data servers are located outside the country in which the business is domiciled, and governments insist that this data is subject to the laws of the country in which it is collected, transferred or processed.

Organisations should pursue at least two of the following five objectives:

  1. Allow data protection authorities to exert more control over data privacy and data retention, and thereby have greater control over compliance.
  2. Allow regulatory authorities to exert more control over information security, often including their right to audit and supervise.
  3. Ensure that data controllers store and process data within the EU or within those countries deemed to have the same level of data protection as the EU, as opposed to moving data to territories considered to have less than adequate data protection regulation.
  4. Take a risk-based approach to the current threat landscape and/or geopolitical situation.
  5. Support tax reporting purposes (mostly when it comes to cloud consumption).

Data Transfer

It is important to note that accessing personal data is considered a "transfer" under data protection law such as GDPR. If data is stored in Germany and personnel in a country like India access that personal data for customer service or support purposes, the data has now been transferred out of Germany.

Therefore, one can't claim localisation in Germany if a support function outside the country has access, but a residency claim is still permissible. Additionally, processing functions such as offshore backups also sometimes occur in other countries, so make sure to consider them as well. This is an important point that is often missed or misunderstood.
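As an added illustration, not part of the original text, the following Python check models the rule above: the storage country decides residency, any access or replica outside the territory defeats a localisation claim, and every country touched outside the EU/EEA is a transfer that needs a legal means unless an adequacy decision covers it. The adequacy list is taken from the Adequacy Findings section on this page; the ISO country codes, the DataFlow model and the sample flow are constructed assumptions.

```python
from dataclasses import dataclass, field

# EU member states plus the EEA countries (IS, LI, NO), as ISO 3166-1 alpha-2 codes.
EU_EEA = {"AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR", "HU",
          "IE", "IT", "LV", "LT", "LU", "MT", "NL", "PL", "PT", "RO", "SK", "SI", "ES",
          "SE", "IS", "LI", "NO"}

# Countries with an EU adequacy decision, per the list on this page (US via the Data Privacy Framework).
ADEQUATE = {"AD", "AR", "CA", "FO", "GG", "IL", "IM", "JP", "JE", "KR", "NZ", "CH", "GB", "US", "UY"}


@dataclass
class DataFlow:
    """Where one data set lives and who touches it (constructed model, not a legal artefact)."""
    storage: str                               # country where the data is stored and first processed
    access: set = field(default_factory=set)   # countries from which staff access the data
    backups: set = field(default_factory=set)  # countries holding replicas or offshore backups

    def countries(self) -> set:
        return {self.storage} | self.access | self.backups


def localisation_holds(flow: DataFlow, territory: str) -> bool:
    # Localisation: the data must never leave the territory. Because access counts as a
    # transfer, a support team or a backup anywhere else defeats the claim.
    return flow.countries() == {territory}


def residency_holds(flow: DataFlow, region: set) -> bool:
    # Residency: the data is stored and initially processed in the chosen region.
    # Access from elsewhere is a transfer, but it does not break residency.
    return flow.storage in region


def transfers(flow: DataFlow, region: set) -> dict:
    # Every country touched outside the region is a transfer. An adequacy decision covers it;
    # otherwise a legal transfer means (BCR, SCC, consent, ...) must be in place.
    needed = {}
    for country in sorted(flow.countries() - region):
        needed[country] = "adequacy" if country in ADEQUATE else "legal transfer means required"
    return needed


# Constructed sample: stored in Germany, support staff in Germany and India, backups in Ireland.
SAMPLE = DataFlow(storage="DE", access={"DE", "IN"}, backups={"IE"})

if __name__ == "__main__":
    print("localised in DE:", localisation_holds(SAMPLE, "DE"))    # False: India touches it
    print("resident in EU/EEA:", residency_holds(SAMPLE, EU_EEA))  # True
    print("transfers:", transfers(SAMPLE, EU_EEA))                 # {'IN': 'legal transfer means required'}
```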

Compliance Requirements:

  1. Data Protection by Design
  2. Impact Assessments
  3. Data Security
  4. Principles & Safeguards
  5. Data Retention
  6. Reporting

Mechanisms For Transferring Data Outside EU/EES

If you move data outside of the EU into a jurisdiction with inappropriate safeguards you must have legal transfer means. The legal transfer means are:

  1. Adequacy: A decision by the EU Commission that a country has an adequate level of protection;
  2. Binding Corporate Rules: Binding internal rules of a company that must be approved by data protection authorities;
    (Link to European Commission on BCR)
  3. Standard Contractual Clauses / Model Clauses: Individually negotiated contracts between controller and processor
  4. EU-US Privacy Shield framework (deemed inadequate since June 2020)
  5. Approved Codes of Conduct & Certification
  6. Explicit Consent

Adequacy Findings

The EU has currently issued 15 adequacy decisions: (link to EC)

  • Andorra
  • Argentina
  • Canada
  • Faroe Islands
  • Guernsey
  • Israel
  • Isle of Man
  • Japan
  • Jersey
  • Republic of Korea
  • New Zealand
  • Switzerland
  • United Kingdom / Britain
  • United States
    • Invalidated: Privacy Shield framework - Not deemed Adequate! - See Schrems II
    • EU-US Data Privacy Framework - currently deemed adequate, Schrems III announced.
  • Uruguay

Note that these decisions exclude law-enforcement data exchanges, which are regulated under a different law, the Law Enforcement Directive, that came into effect on the same day. Except for the UK, the countries listed above are not covered in that scope.

Mitigating data sovereignty risks

The business needs to have a robust and comprehensive data security strategy and rigorous internal procedures to protect and secure data. We must understand how our data is stored, who owns it, and how it is transferred and shared with others. The purpose limitation on the use of data is also of critical importance.

We must:

  • Ensure that our cloud service provider will not replicate data onto servers in other countries.
  • Ensure that data stored overseas is stored according to local laws.
  • De-identify data before storing it in the non-territorial cloud. (De-identification is removing people's identity from the data.)
  • Ensure that our cloud service provider has insurance to cover data breaches (in the case of SaaS).
  • Have a privacy and data protection plan that, besides ICT risks, also addresses business continuity and disaster recovery before moving data offshore, as a loss of data can be catastrophic for the business.

Considerations when using Binding Corporate Rules as means of Legal Transfer

If there is no adequacy decision, controllers or processors can only transfer personal data to international organisations (or third countries) if the proper safeguards are in place, if data subjects are able to exercise their data subject rights, and if effective legal remedies are available to data subjects should they be needed.

Binding Corporate Rules are covered in Article 47, as part of Chapter 5 on the transfer of personal data to third countries or international organisations. Using Binding Corporate Rules as a means of Legal Transfer requires a lot of effort. One must prove that GDPR compliance is attained, that personal data processing principles are respected, that data subject rights are ensured, that legal grounds for lawful processing are in place, that data practices are streamlined, and that governance and reporting (by means of proof and measurement) are in place.

In order to get Binding Corporate Rules approved, in accordance with the consistency mechanism of the GDPR, Binding Corporate Rules must:

  • Be legally binding.
  • Apply to every concerned member of the multi-national or international organisation.
  • Be enforced by each of these concerned members.
  • Have clear ways for data subjects to exercise their data subject rights.
  • Mention specific information with regards to the organisation, the processing and more.

and must at least include:

  • Structure of the group of undertakings or group of enterprises sharing joint economic activities and their members.
  • Contact details of the concerned group (and each member).
  • Details on the data transfers or sets of transfers: which personal data, what processing purpose, what types of processing, what types of concerned data subjects, which countries, and so on.
  • Legally binding nature, both internally and towards the outside world.
  • Application of the general data processing principles and the general data protection principles (purpose limitation, data minimisation, storage limitation, data quality/accuracy, protection by design and by default, legal basis for lawful processing, special categories of data, measures to ensure data security and more).
  • Data subject rights, ways to exercise those rights, right to lodge a complaint and so on.
  • Liability of controller or processor in EU with regards to breaches of the BCRs by any member outside the EU (except if proven not responsible).
  • Provision of information on the BCRs towards data subjects, in accordance with duty and right of information of the GDPR.
  • The tasks of any DPO or other entity charged with compliance monitoring.
  • Complaint procedures and handling.
  • Data protection audits and methods of correction to protect data subject rights.
  • Various obligations towards the supervisory authority.
  • The proper data protection training for staff with regular or permanent access to personal data.

Definitions:

  • GDPR Article 1: a "group of undertakings" means a controlling undertaking and its controlled undertakings.
  • GDPR Article 47: group of undertakings or group of enterprises engaged in a joint economic activity, including their employees.

Specific Information:

The BCRs shall specify the structure and contact details of the group of undertakings or group of enterprises engaged in a joint economic activity and of each of its members. The BCRs must also specify its material scope, for instance the data transfers or set of transfers, including the categories of personal data, the type of processing and its purposes, the types of data subjects affected and the identification of the recipients in the third country or countries. (WP29)

Mentions:

A group of undertakings, or a group of enterprises engaged in a joint economic activity, should be able to make use of approved binding corporate rules for its international transfers from the Union to organisations within the same group of undertakings, or group of enterprises engaged in a joint economic activity (GDPR: Recital 110)

Important: All agreed Binding Corporate Rules that are valid are deposited by the Data Protection Authorities. Without this approval, one cannot use Binding Corporate Rules as a means of Legal Transfer.

Resources

* Data is "often" allowed to be duplicated, but all data processing must happen first in said country. Examples of such regimes are Russia and China. Further processing of said data is usually not allowed, as it is supposed to happen in the country of origin only. This basically allows "read-only" access to the data, with very heavy purpose limitations on what may be done besides reading it.

Author: Angelique Dawnbringer Published: 2011-11-05 00:00:00 Keywords:
  • Data Governance
Modified: 2024-04-01 19:29:40