Data overdrive

AlixPartners’ director David White has served as special e-discovery counsel for numerous multinational Fortune 100 companies and has investigated financial fraud as part of the US Department of Justice’s multi-agency bank fraud taskforce. China Business Law Journal taps his knowledge on data localization and other hot security issues

CBLJ: Explain data localization, how it may apply to companies large and small, and why in-house counsel and law firms need to be familiar with its implications?

David White: Data localization refers to legal requirements that data be stored within a certain jurisdiction. These requirements come in a number of different flavours, each driven by a different motivation.

The motivations can be based on national security and defence, cyber security and crime prevention, anti-terrorism and government surveillance, data privacy and protection of citizens, etc. The types of data that are required to be maintained in the jurisdiction, and the way the data must be maintained, is typically driven by the underlying motivations.

For example, law protecting national security and defence typically prohibits the export of any data that falls within the definition of the regulations. China’s state secret laws, which make the export of any state secret a criminal act, are a well-known example. A lesser known example is the South Korean prohibition on the export of map data, though any foreigner who has tried to use Google maps when navigating Seoul has felt their impact.

Where surveillance and law enforcement gain access to information is the driving motivation, be it for anti-terrorism, stopping cybercrime or other reasons, and the laws typically apply to telecoms and internet service provider data. Rather than prohibiting export, they also tend to only require that a copy remain within the jurisdiction. Laws focused on data privacy and consumer protection tend to allow export, but with caveats that data will be properly protected after they are transported out of the country.

CBLJ: How do Asian jurisdictions compare with the US or elsewhere with regard to data localization requirements?

David White: In China, for example, the definition of exactly what constitutes a state secret is very vague. The law does provide a very narrow list of items that could potentially be considered state secrets, but then follows with a catch-all provision that includes all “other matters that are classified as state secrets by the national State Secrets Bureau”, with no limitation on what those matters might in fact be.

The outcome is that this vague “state secrets” label allows the government to choose which potential violations to prosecute and which to ignore. In addition to state secrets laws, China also has a wide range of sectoral laws at both the national and regional level that prohibit the exports of all sorts of data types. These range from bank account records, health information, accounting records, online payments, credit references and financial transactions, to name but a few.

These latter types of topical localization laws are commonly found across Asia, but are not found in the US. They also include the previously mentioned requirements that copies of certain telecoms and ISP data remain in the country, bans on the removal of mapping data, data relating to critical infrastructure, and even ride-share data.

Finally, we are also seeing an uptick in some countries trying to protect their technology sectors by requiring that certain hardware and infrastructure systems remain in the country if providing services there, and effectively limiting the use of foreign cloud service infrastructure. These are not localization laws, so to speak, but in the end they have the same impact. If the servers must be maintained in country, so too must the data stored on them.

David White is a director at AlixPartners in New York. He specializes in information life cycle governance, with a focus on electronic discovery, data privacy and security, litigation analytics, and regulatory compliance.