MANAGING CROSS-BORDER DATA PRIVACY COMPLIANCE

RC: Could you provide an insight into how evolving data privacy legislation presents challenges to multinational companies? How would you compare the global flow of data today, compared to, say, 10 years ago?

Gerlach: Ten years ago, the first iPhone had only just been launched, and the Android operating system was still in Google’s pipeline. Fast forward to 2017, and SMS and email are giving way to social media apps for private, but also, increasingly, for business communication. We order food, books and accommodation, and conduct our banking through handheld devices. Simultaneously, bring your own device (BYOD) policies and similar practices are blurring the lines between corporate and private data. The world of technology and the data flows it supports have changed beyond recognition over the last decade. We have seen an explosion in the generation, use and dissemination of data around the globe, bringing with it the question of who owns the data, and how and against whom or what it should be protected. The EU has a long tradition of protecting the personal data of its residents, including from unwanted commercial exploitation by companies, even those not necessarily based in the EU. Regulators, both at national and EU level, have become progressively more rigorous in applying and enforcing data protection laws, in part as a reaction to the globalisation of data flows. The ongoing major reform of data protection laws in the EU, which brings with it the new General Data Protection Regulation (GDPR), is a testament to that shift. The GDPR certainly aims to reach beyond the EU borders. At the same time, we have also seen a movement toward the concept of data localisation, with China and Russia being prominent examples. Combined, there is a very complex web of rules for multinationals to operate in.

Jan-Mar 2018 Issue

Cleary Gottlieb Steen & Hamilton LLP

GE Healthcare

Hogan Lovells US LLP

HSBC

Winston & Strawn LLP