International data privacy laws create inconsistent rules

A new cybersecurity law in China highlights the trend of inconsistent international data privacy laws being enacted around the world.

China's new cybersecurity law has gone into effect, adding another international data privacy law that can cause confusion and difficulty for multinational enterprises.

Like the European Union's General Data Protection Regulation (GDPR), which will give companies until 2018 to become compliant, China's data privacy law was approved in November 2016 and took effect on June 1, 2017. Although the new law mainly applies to "network operators" and "critical information infrastructure (CII)," experts have criticized the law for being overly broad in its definitions.

"The law therefore suggests that any company that maintains a computer network, even within its own office, could qualify as a 'network operator' -- an interpretation expansive enough to include a large number of companies. Companies based outside of China that use networks to conduct business within China also may be swept up by this definition," wrote experts for the Privacy Law Blog at Proskauer, the New York international law firm. "CII providers generally are viewed as those that provide services that, if lost or destroyed, would damage Chinese national security or the public interest -- the law names information services, transportation, water resources, and public services, among other service providers, as examples. The government has the ultimate say in which types of companies may qualify as CII providers."

Although it is somewhat unclear to whom China's data privacy law applies, the responsibilities are laid out clearly, including:

  • requiring user consent to collect personal information;
  • maintaining logs of cybersecurity incidents;
  • remediating vulnerabilities and implementing cybersecurity plans;
  • backing up and encrypting data; and
  • storing Chinese citizen and non-citizen data in China.

Inconsistent international data privacy laws

China's new cybersecurity law adds another layer of difficulty on top of China's complex legal structure for organizations trying to comply with various international data privacy laws.

According to Deema Freij, global data privacy officer at enterprise collaboration software maker Synchronoss, based in New York, the trouble with international data privacy laws is that "we have many privacy laws globally and all of them have their own different interpretations and nuances."

"Some are country-specific and some are industry-specific. Due to technology, data is being transmitted electronically everywhere and crossing borders all the time. This makes it difficult to determine which law applies to your data," Freij told SearchSecurity. "Is it the law of the country in which it is stored, is it the country where it can be decrypted, is it the country through which it passes? As you can imagine, these are all tough questions with no easy answer, and in fact we have some companies taking these very questions to courts to try to get some guidance."

Drew Nielsen, chief trust officer at Druva, said consensus building in terms of international data privacy laws "is more of a chess game based on forcing the will of nation states on the rest of the world to protect certain interests."

"If you look at GDPR, it's all about giving citizens control of their information, yet member states within the EU can impose more stringent requirements on processors and controllers above the current regulation," Nielsen told SearchSecurity. "On the flip side of that, organizations dealing with China's cybersecurity law will have to grapple with the impact of exposing core technologies and intellectual property to the Chinese government."

Rebecca Herold, CEO of Privacy Professor, said there isn't much being done to create consistency between international data privacy laws.

"There are many types of privacy and security laws in existence throughout the world; thousands within just the U.S. alone. There is not a lot of consensus building -- beyond the limited EU Data Protection Directive -- between countries on a large scale. However, for some specific types of activities and data, such as for credit card data, there are standards that must be met worldwide; so that is a type of consensus as well," Herold told SearchSecurity. "There are some limited ways in which some privacy and security consensus building has occurred, but overall there are generally thousands of different laws, regulations and standards throughout the world that can differ wildly from one country, region or even city to the next."

Being compliant with various data privacy laws

With each new international data privacy law, the landscape for multinational enterprises gets more complex, and experts said there are no easy answers regarding how to maintain compliance.

Richard Goldberg, principal and litigator at Goldberg & Clements PLLC in Washington, D.C., said the international laws can even contradict each other.

"When the U.S. government demands documents from a company with offices (or data storage) in the EU, the company may be bound by U.S. law to produce documents that EU law prohibits it from transferring to the United States. (In some cases, the company can obtain approval from the employee.) The addition of new restrictions certainly makes it difficult to maintain employees across international borders," Goldberg told SearchSecurity. "In multiple instances, I have advised businesses with opportunities for work abroad that they should simply avoid certain countries -- even those with seemingly lucrative business growth. The risk and associated regulatory cost is just too high."

Herold said organizations need to set up the right processes to ensure compliance with various international data privacy laws.

"Organizations must stay on top of all security and privacy laws, regulations, standards and legal requirements for all locations where they have business offices, employees, customers, clients, consumers, patients and contractors," Herold said. "If they don't, they will find themselves out of compliance with one or more sets of compliance requirements, and could face fines, other types of penalties, along with being required to stop doing business in one or more of those locations where they are located."

Some experts, like Ken Spinner, vice president of field engineering at Varonis Systems, said trying to maintain compliance for each region may be too difficult.

"I don't think there's an easy path to across-the-board compliance, especially as more cross-border regulations are enacted," Spinner told SearchSecurity. "However, data protection pros will tell you that if you pick countries with the most stringent laws, say Germany's, you're pretty sure to pass muster just about anywhere else."

Nielsen said the first step was to "understand what your data attack surface looks like and have complete visibility into what kind of data the organization collects and processes and who it affects."

"From there understand the countries and regions your organization does business in. Then choose security and compliance frameworks that have enough overlapping controls that cover the broadest set of requirements in all the regions your organization operates within," Nielsen said. "No compliance framework will ever cover 100% of the controls, but organizations can prevent reinventing the compliance wheel in choosing a framework that is most applicable for their business."

Freij said that although the international data privacy laws have different nuances, "the base is generally the same" and "understanding where your data flows and who has access to it is a good starting point for companies."

"As a baseline framework, companies must make sure that they safeguard data, ensure that they get the consent of the person whose data they are collecting, make sure that their employees are trained in the areas of security, privacy etc. and then define which regulations to apply on top of that, depending on all the geographic regions where they do business," Freij said. "They will need to classify their data, as these laws do not apply to all information that a company holds, but to some of it. Companies need to recognize that many countries are at the outset of defining their laws, or merely in the midst of trying to catch up to fast-moving technological advances, that there may often be a gulf between the regulatory intention and the realities of how electronic data is created, stored, processed and moved."
