How to Establish Cross-Border Transfer Systems that Help Protect Privacy

Cybersecurity, privacy and data flows will be key topics at this year’s G7 in Japan. Against this backdrop, it has been a year since the amendments to the Act on Protection of Personal Information (APPI) introduced revised data breach reporting and cross-border data flow rules. Meanwhile, developments in the Asia-Pacific (APAC) region have introduced data localization obligations in a variety of countries. Amidst these changes, it is important to remember that protecting privacy requires strong cybersecurity.

Last year (2022), the revised APPI came into force. The amendments include (i) stricter rules for cross-border transfers, (ii) the obligation to report to authorities and data subjects in case of a material breach of personal information, (iii) the expansion of the right to request disclosure, (iv) pseudonymised information, and (v) the strengthening of penalties, among other provisions. The APPI was amended in the wake of increasing awareness and sensitivity about privacy among individuals worldwide, a rise in cyberattacks affecting privacy, and the increase in data use across borders due to the steadfast deployment of modern information technologies such as cloud technology. One of the most significant new obligations is the requirement for organizations to report data breaches, incentivizing organizations to adopt more sophisticated security measures.

With the increasing demand for privacy protection in APAC countries, in recent years there has been an acceleration in the enactment and revision of privacy laws, including the enactment of Thailand’s Personal Data Protection Act in 2019, the enactment of China’s Personal Information Protection Law and the Data Security Law in 2021, and the enactment of Indonesia’s Personal Data Protection Act in 2022. In addition, the Personal Data Protection Bill is under discussion in India and Vietnam.

Simultaneously, but in contrast to the increased efforts to protect personal data, emerging data localization proposals threaten to misalign data protection priorities. For instance, Decree 53 regarding the Cybersecurity Law of Vietnam, which came into force in October 2022, and the Korean and Indonesian regulations on public systems introduce obligations to store certain data domestically. Although they still permit cross-border data flows to a large extent, any kind of data localization requirement could actually limit use of the very cybersecurity best practices for which there is increasingly strong consensus around the globe.

In 2023, the world’s largest economies more or less agree as to what constitutes “appropriate” or “reasonable” security for data. Common cybersecurity technologies and practices appear in the ENISA “State of the Art” guidelines, the U.S. Executive Order on Improving the Nation’s Cybersecurity, and the latest guidelines from the New York State Department of Financial Services in line with APPI security requirements (Article 23, General Guideline 3-4-2, 10).

In light of this consensus, it is also positive to see renewed traction for the concept of Data Free Flow with Trust (DFFT), which former Japanese Prime Minister Shinzo Abe proposed at the annual meeting of the World Economic Forum (Davos Conference) in January 2019. Later this month, Japan will host the G7, and the DFFT is expected to be front and center.

The concept of DFFT means promoting the international free flow of data useful for solving business and social issues while ensuring trust in privacy, security and intellectual property rights. Its objective is to foster a global digital environment that enables the movement of data across international borders while ensuring that, upon crossing a border, data is granted the desired oversight and protection. The Organisation for Economic Co-operation and Development (OECD) recently published the OECD Declaration on Government Access to Personal Data Held by Private Sector Entities through which officials from more than 30 OECD member states adopted an agreement on safeguarding privacy when accessing personal data for national security and law enforcement reasons. The OECD clarifies how law enforcement and security agencies can access personal data using the DFFT’s concept. 

At CrowdStrike, we believe it is important to reflect on what holistic data protection entails. Taking into account that today’s privacy and security conversations often happen in silos, policy makers and government agencies can improve privacy not only by strengthening privacy rights and raising demands on processors of personal data, but also by building trust, through international treaties, as a critical factor in facilitating data sharing and cross-border data transfers.

Both data sharing at scale and cross-border data transfers are critical to state-of-the-art cybersecurity because more (big) data allows us to spot fainter signals. The CrowdStrike® Security Cloud regularly processes trillions of events from endpoint sensors per day. This enables CrowdStrike to leverage artificial intelligence (AI) and protect against emerging threats, rather than relying upon legacy technology like traditional antivirus (AV) signatures, or virus definition files, to identify and block malware. The decades-old legacy AV approach to prevention means a new malware variant must first be discovered, then a signature for it must be created, and finally, that signature must be deployed to the endpoints. This process opens a time gap between the initial use of the malware and the availability of a signature to block it. That gap gives the attackers sufficient time to successfully initiate an attack or steal credentials they can use later. But more importantly, most attacks today do not utilize malware. According to the CrowdStrike 2023 Global Threat Report, 71% of attacks that CrowdStrike Intelligence detected in 2022 were malware-free. 

To better preserve privacy, it is critical to promote policies that ensure access to security data for globally operating cybersecurity teams and incentivize the adoption of best practices to protect data against breaches, instead of prioritizing seemingly arbitrary proxies for privacy like data localization. Today, modern IT infrastructure, cybersecurity and privacy compliance programs are dependent upon global data flows. Introducing frameworks that enhance security and provide certainty for data transfers is an important element in achieving holistic data protection.
