Data Privacy: It’s Time to Review Your Cross-Border Data Transfers

This BakerMcKenzie blog addresses the increasingly complex regulatory scheme governing cross-border data transfers by US companies and says that companies need to act now to avoid potential compliance issues. It cites the DOJ’s new Data Security Program (DSP), which bars US persons from making certain personal data available to entities in China, Russia, Iran and a handful of other countries of concern.  The blog says that the DSP adds to companies’ existing obligations with respect to cross-border data transfers under other regulations, and that they need to ramp up their compliance efforts in an increasingly tense geopolitical climate:

To keep pace with this evolving regulatory landscape, companies with operations in the U.S. should take proactive steps to assess and mitigate cross-border data transfer compliance risks. This starts with identifying what types of data they hold, including data about individuals, technical materials related to product development, and information about national security-sensitive matters. Next, companies should determine where that data is stored, processed, or accessed from, and to whom the data is disclosed.

Companies should map data flows across their staff members, affiliates, vendors, research collaborators and other business partners, with particular attention to transfers that could involve parties located in jurisdictions that the U.S. government has designated as “countries of concern” (see above). Companies must then assess the data flows based on applicable regulations and potentially update their compliance policies, due diligence procedures, data security measures and contractual arrangements. Ultimately, companies may conclude that they need to terminate certain data flows to avoid contravening the law.

The blog goes on to review the various regulatory restrictions on data transfer to which US companies are subject, including the DSP and regulatory schemes targeting transfers of data relating to military and dual use technologies. It also discusses patent law restrictions on filing certain U.S. patent applications abroad without a foreign filing license.