Business is internationalizing with substantial vigour, unfortunately, in many regions such as Africa and the Middle East data protection is trailing considerably.
Safe Harbor framework was created to establish a mechanism for which data could be freely transferred between the EU and the US. A rapidly internationalizing business world brought to light the inconsistency of data privacy safeguards amongst EU member states. These inconsistencies are cause for unrest for businesses. Hence General Data Protection Regulation (GDPR) was born to ensure constancy with regard to data protection. GDPR also has a wider scope than the previous directive with areas being expanded such as: territorial reach beyond the EU, equal ease for both withdrawal and granting of consent, risk awareness regarding international transfers, breach notification and more substantial penalties and fines.
After a review by the European Court of Justice, regarding the adequacy of the US-EU Safe Harbor Framework, Safe Harbor was invalidated in October 2015. The result of the invalidation was the creation of the EU-US and Swiss-US Privacy Shield which would provide greater accountability and oversight of data protection. Although the European Commission noted room for improvement the shield should provide adequate standards in line with GDPR.
Whilst data protection standards across the EU are high, with GDPR coming into full force as of 25 May, Israel remains the only Middle Eastern or African country with data protection to a sufficient standard from the perspective of the EU. Saudi Arabia has announced vision 2030 in which they want to increase non-oil exports from 16% to 50% by attracting finance companies and investment, although, doing so would require substantial developments in their data protection policies.
The inconsistency across EMEA and the US creates serious complications and uncertainty for firms operating in multiple jurisdictions. Weng Yee Ng and Jimmy Ko outline a few considerations when doing so, these are: Data mapping- such as origin and where it resides, risk management in relation to collection and preservation of data, training personnel on data privacy regulation and transfer protocol, transfer strategy and finally expert advice on privacy and transfer.
Read the full article in GIR’s European, Middle Eastern and African Investigations Review 2018.
Weng Yee Ng, Director
Jimmy Ko, Senior Associate