Hot topics in compliance part one – Cross-border data transfer: necessity and barriers

Wednesday 5 January 2022

Report on a joint webinar of the China Working Group of the IBA Asia Pacific Regional Forum and the IBA Antitrust Section

Susan Ning

King & Wood Mallesons, Beijing


Session Chair
Susan Ning King & Wood Mallesons, Beijing

Ruth Boardman Bird & Bird, London
Alan Charles Raul Sidley Austin, Washington, DC
Helen Clarke Corrs Chambers Westgarth, Brisbane

With Susan Ning serving as the moderator, the International Bar Association (IBA) invited three prestigious experts with extensive experience in the field of data protection and cybersecurity to participate in the webinar: Ruth Boardman, Helen Clarke and Alan Charles Raul.

Although cross-border data transfer is essential for international trade and the development of the digital economy, the various rules and requirements in different jurisdictions create a dilemma for global companies and may affect international politics. Therefore, the panel mainly discussed the current status quo, barriers and solutions for cross-border data transfer in different jurisdictions.

The speakers first outlined the cross-border data transfer practices in their jurisdictions, discussed their views on relevant regulations and envisioned the possible legislative developments ahead. Alan Charles Raul introduced the relatively loose policy in the United States and explained the due diligence requirements related to cybersecurity. Then Helen Clarke provided a brief introduction to the 13 Australian Privacy Principles, especially APP 8 of the Privacy Act and the latest legislation on data transfer. Because Ruth Boardman has many clients from the European Union, she introduced the General Data Protection Regulation (GDPR), which is 'notorious' and of great significance to the global digital economy, while explaining the United Kingdom's legislation. From Ning's perspective, compared with Western countries, China has specific data localisation requirements stipulated in the Cybersecurity Law, Data Security Law and Personal Information Protection Law.

The panel then discussed the background to current regulations on cross-border data transfer, which was also a question raised by the audience before the seminar. Boardman, whose home jurisdiction has experienced Brexit, made a thoughtful observation and said that what leads to data cross-border restrictions is a general concern about ensuring a high standard of data protection. In addition, Clarke talked about the fact that she often needs to comply with the GDPR rules when solving problems for her Australian clients due to the strong extraterritorial effects of the GDPR. From the Australian perspective, data protection legislation may further refer to the laws of other countries to ensure legal consistency and facilitate the free flow of data around the world. By comparing the US and EU rules, Raul opined that ideology and philosophy are the most fundamental factors behind different data protection regimes in different jurisdictions, and Ning addressed national protection and data sovereignty from China's perspective.

Finally, considering the practice in their jurisdictions, the speakers attempted to discuss how to address business issues arising from cross-border data transfer restrictions in light of current regulatory requirements. In addition, the speakers suggested setting up pilot zones to try new approaches, establishing bilateral or multilateral treaties and reaching international consensus through international organisations such as the Organisation for Economic Cooperation and Development (OECD) to tackle data transfer challenges. Above all, the speakers agreed that it is essential to focus on the similarities rather than the differences in regulatory rules.

Although data protection rules are dynamic and evolving, the emphasis on data security and the digital economy is the same across jurisdictions. How to stimulate the economic value of data as much as possible while safeguarding data security is an important issue on which all regulators and enterprises focus.