As privacy has become an increasingly important issue to people around the world, we have seen scores of countries pass data protection laws designed to give consumers control over the collection and disclosure of their personal information. This is good for consumers, but can be confusing and frustrating for businesses, as these laws are rarely identical and are even, at times, contradictory. As the world embraces cloud computing and data flows are increasingly global in nature, it’s becoming more and more of a struggle for companies to keep track of new laws, or even figure out which apply, and when. If a French company stores data about a Mexican citizen on a data server in the Philippines owned by a U.S. cloud provider, what are the rules?
Over the past 15 years, privacy professionals have thought about this issue primarily in the European context, because the EU’s Data Protection Directive prohibits transferring personal data to jurisdictions that European regulators have not deemed “adequate” (only a handful of other countries have been so blessed; the U.S., which has no baseline privacy law at all, certainly is not one of them). Over time, we’ve developed a few creaky workarounds to the adequacy requirement, such as the US-EU Safe Harbor program, under which U.S. organizations self-certify their compliance with a set of privacy principles, and the Binding Corporate Rules process, which covers only transfers within a single corporate group. Both have been widely criticized, however: the former for being toothless, the latter for being too bureaucratic and burdensome.