Do I have data transfer agreements in place?
If you are part of a multinational organisation, and your answer is "no", you could be closer to breaching data privacy laws than you think.
Organisations with a multi-jurisdictional presence are generally no stranger to data transfers. For data management and cost-saving purposes, many of them store their business and HR data on centralised servers in designated countries. Subject to their individual group structure, most organisations share databases, and subsidiaries transfer personal data from one entity to another, as part of their global business operations. All these activities, to the extent that they involve personal data, are more or less heavily regulated by various data privacy laws depending on the jurisdictions involved. Hence, while this intra-organisation convergence of information may be essential from a business perspective, and as a cost-efficient way of handling data, it may come with a large price tag for those who do not have the appropriate legal structure necessary to regulate it. For one, there is the risk of lack of control and organisational transparency which could result in the contravention of data privacy legislation. Given the severe consequences for such breaches, it is a price no multinational organisation can afford to pay.
So how can your organisation manage intra-group data transfers and a centralised data storage arrangement, while at the same time avoiding the pitfalls inherent in performing data transfers? Answer: implement intra-organisational data transfer agreements (DTAs).
What is a DTA?
Intra-organisational DTAs are contracts between separate legal entities of a group company regulating how personal data is transferred, accessed, processed, used and maintained within an organisation. While their content will vary according to the specific needs of the organisation, they typically contain the following key features:
Description of data transfer
This identifies the categories of the personal data transferred including their sensitivity level, the data subjects concerned (for example employees or customers), the data recipients, the data flows, the purpose(s) of the transfer and the method by which the transfer is performed.
Principles for data processing and maintenance
These set out the general principles by which the data recipient must abide. Examples include limitation of the processing purposes, assurance of data quality and proportionality, transparency in collection, data security requirements, limitations on onward transfers and confidentiality obligations.
Obligations of data recipients and indemnity
In addition to compliance with the processing and maintenance principles, data recipients may be required to register themselves as data controllers/data processors with local authorities, implement specific staff training and transfer protocols, provide the transferors with facilities and files for auditing purposes and generally comply with the data privacy laws in specific jurisdictions. Data recipients may also be required to indemnify the data transferor against liabilities arising from the former's handling of the data.
Why do I need a DTA?
There are many reasons for a multinational organisation to establish a DTA-backed data transfer arrangement. The most common one, obviously, is compliance with data protection laws. However, there is also a plethora of other incentives for your organisation to implement such an arrangement. We can summarise these incentives into what we call "the 10 Cs".
Abide by the law
In some countries in the European Union, DTAs are mandatory for data transfers. However, even in jurisdictions where DTAs are not strictly required, they are nevertheless extremely useful in smoothing the route to data privacy compliance for global corporations. This is achieved by providing for clear data transfer and data processing control mechanisms and ensuring transparency and clear allocation of responsibilities. Conversely, failure to set up DTAs would severely reduce visibility and certainty in respect of data handling within your organisation, thereby expanding the organisation's risk exposure in terms of compliance with data privacy laws.
You don't want to go to jail
In many countries, breach of data privacy legislation is a criminal offence, punishable by fines and imprisonment. Your organisation may also be subject to civil actions by data subjects who were aggrieved by the breach. More importantly, because data privacy breaches committed by large corporations tend to attract a lot of media attention, your organisation's reputation could suffer terminal damage. DTAs help to minimise your organisation's liability profile by providing clarity and certainty in the way data is handled organisation-wide.
Consistency breeds efficiency
A properly executed intra-organisational DTA setup could help to homogenise the data transfer culture in each and every entity within the organisation, right down to the last employee. This greatly streamlines the data transfer, maintenance and processing procedures at an organisational level, thereby increasing efficiency in data handling across the board.
Cost-effectiveness
Efficiency breeds savings
The enhanced efficiency provided by DTAs not only makes it easier for the organisation to handle data, it is also easier on the organisation's wallet. The across-the-board streamlining of data transfers dispenses with the need to develop entity-specific or jurisdiction-specific data handling protocols, thereby increasing cost-effectiveness at an organisational level.
Control the data flow
The lack of physical proximity between you and your overseas entities limits your control over them in terms of how they deal with the organisation's data. This lack of control greatly increases your risk exposure to data loss or misuse. DTAs help you "reduce the distance" by giving you the contractual power and certainty to control what data is being transferred and how it is accessed, used and retained.
You can't control what you don't know
DTAs provide clear delineation of the obligations of each entity within the organisation in relation to every aspect of its handling of the organisation's data.
Get it in writing
Intra-organisational DTAs not only provide certainty in terms of how data is handled in your organisation, they also provide fundamental protections such as apportionment of liability, warranties by transferees and termination arrangements, in black and white.
Protect your corporate image
A multinational organisation without adequate control over its internal flows of information is simply asking for a PR crisis over its credibility. Imagine a global corporate group having little idea or contractual control of how its business data is being handled by its offshore subsidiaries. Now imagine those subsidiaries selling the data without the parent company's knowledge. This deficiency, if publicised, could devastate the credentials of the organisation in the eyes of the customers who have entrusted it with their personal data. Given that data privacy breaches usually become public, this risk is very real and must not be ignored.
Give your customers confidence
Efficient, disciplined and transparent handling of your customers' personal data, which DTAs help to achieve, gives them the confidence to deal with your organisation. This can only promote your corporate image and hone your competitive edge.
Get some peace of mind
You cannot afford to monitor the data handling of your offshore entities 24/7. With a DTA-backed data transfer arrangement, you can, to a certain degree, rest assured knowing your offshore entities are bound by contract to handle data you specify in the way you want.
In terms of data transfer, DTAs are the glue which holds the entities in an organisation in place and keeps them in check in terms of data handling. Their importance is accentuated in the case of multinational organisations, where the absence of physical proximity greatly reduces your visibility into, and therefore your confidence in, how data is being accessed, used or processed overseas. The more jurisdictions your organisation covers, the greater the risks. Hence, for global corporations, DTA-backed data transfer regimes are not a luxury, they are absolutely essential. As the 10 Cs illustrate, DTAs are more than mere tools to achieve compliance. If properly implemented, DTAs can dramatically boost data transfer efficiency and enhance corporate competitiveness.
Arthur Cheuk, based in Hong Kong, is an associate in our dedicated IP team who advises on matters across the Asia Pacific region. You can reach him at firstname.lastname@example.org
Britta Hinzpeter, seconded to Hong Kong from Munich, is a senior associate who specialises in advising international clients on both contentious and non-contentious technology-related matters. You can reach her at email@example.com
© DLA Piper
This publication is intended as a general overview and discussion of the subjects dealt with. It is not intended to be, and should not be used as, a substitute for taking legal advice in any specific situation. DLA Piper Australia will accept no responsibility for any actions taken or not taken on the basis of this publication.
DLA Piper Australia is part of DLA Piper, a global law firm, operating through various separate and distinct legal entities. For further information, please refer to www.dlapiper.com