Morning. Welcome back to the INFOSEC Skills CIPN course. This is our Module 4 on Legal Jurisdictions and Global Data Flows. I'm [inaudible] it's a pleasure to be back talking to you today. Now, one of the things we want to talk about is essentially where and why it's okay to transfer data. Why has data transfer become a thing, even? At the heart of the problem is there is a difference between global business and local law. This idea that as we move across the globe, our laws change even though the technology these days doesn't, and that creates a fundamental conflict between what the individuals have got the rights in individual laws, but the technology platforms are basically the same, business wants to do things one way globally, and that creates a push-pull scenario here. Looking at where and why, I think one of the biggest organizations that's really looked at the way data is transferred internationally is the EU with the GDPR. We're going to start here with the GDPR, and Article 44, it talks about actually, "You shall not transfer data outside of Europe. Any transfer of personal data to either a third party, a company, or an international organization shall only take place if you can satisfy certain conditions," complied with by what they call controllers and processors, so the business you give the data to, the businesses in charge and its sub-processors and its second party. We've got this real push-pull here between your local laws taking place in Europe, and we get similar international transfer provisions in other laws as well, places like Japan, for example. We've got to really understand exactly where that data is, where that data is stored, who the data would call his own, where it moves around the globe.
Especially if you're a US business, we've got data stored in the Cloud, we've got data being globally transferred, we've got to really understand the locations of that data, where the individuals who that data service is resident, and that's an interesting discussion to have. We've now got this push-pull between our desire to have a global solution, a global design via data localization, only having data in each country, only having data storage in each place, and that can really be a barrier to the way we implement our solutions, the way we trade internationally, could even make us question where and who we want to do business with, like a question of where and who we want to do business with? Looking at the EU territorial extent, it talks about the fact that you are covered by the EU GDPR if you're an organization that's been created within the EU, doesn't matter where the individuals live, it's not about whether you're EU residents or not. It's the fact that your company was created in the EU that makes the GDPR apply to you. No matter where the individuals that company serves live. If your company is created in France, or in Germany, it doesn't matter where your customers are, because the GDPR applies to those customers because the company is established in France or Germany. On the flip side, and this is where the US comes in, it can also apply to companies who are not established in the EU, but who are targeting their goods and services, or monitoring behavior of people who are in it. Again, doesn't matter if they're an EU resident or not, it's enough that you are just targeting your services at people in the EU. Just to make that clear, it doesn't mean that if you've got an Internet website, you are automatically covered. It doesn't even mean if you've got an EU customer you're automatically covered. Imagine you are in Massachusetts creating furniture, you've got local business, people coming to buy your furniture. Clearly GDPR does not apply to you.
You then decide to have an Internet site, you sell your furniture over the Internet. I didn't think the GDPR applies to you then either, mainly because you might be subject to Massachusetts state law or selling under Massachusetts terms and conditions, taking money in dollars, doesn't apply. Even if an EU customer happens to find you on the Internet, they have found you, they have come to you. But if you just decide, actually we can get a lot of the EU customers, I think it's a good idea if we start to market our services. If we take out an advert in Europe, if we create a dotty website, if we take money in euros, for example. If it can be proved that we're actively going after that market, then the GDPR will clearly apply to your business. Then finally, it could apply where member state law applies. What that means is, if you're part of the EU, but you're inside Europe, so that could be, for example, onboard ships, embassy, small little islands that may have been colonial states of an EU member state, French Guiana, or the British Virgin Islands, for example, places where member-state law applies. So what different laws are there across the globe? We know that there are different types of laws, we talked about the European Law. The European Law is what we call an Omnibus Law. One law to rule them all, if you like. Based upon a fundamental human rights model, with a number of national privacy regulators, with the extraterritorial extent, and those rules on international transfer. It's very similar laws in Japan. Contrast that against the laws in the US. Now, as we know, privacy laws in the US, vastly different. Don't come from a place of human rights, actually. Come from a place of more consumer rights. Be nice to your customer. There's no privacy regulator as such. It's monitored by people at the FCC and the FTC, the Federal Trade Commission, the Federal Communications Commission. There's no real privacy regulator.
Actually, if you're not a US citizen, under US law, you actually might not have any rights at all. The approach is you are more of an opt-out than an opt-in. Even though they don't have one single privacy law, what you tend to have in the US obviously, is what is called a more sectoral approach, HIPAA for health, FERPA for education, COPPA for children. You can actually be a little bit more specific in your laws. Then you've got that difference between state and federal law. You might have the California Consumer Privacy CCPA or CCCI as it now is going to be. You have varying state laws, it actually depends where you are in the US. Your rights to privacy may differ depending on what state you're in. Across the world, we see privacy laws, I'd say, are more state-focused, more in favor of the state. Russia, China, North Korea, you get the sort of organization. It doesn't mean the individuals don't have privacy rights. It just means they might have to make in some businesses, but very little against the state. In other countries, they tend to vary an awful lot across the globe. A lot of what I call EU 95 Directive laws, they're pre-GDPR laws; laws that look at data protection with the same principles we have in the GDPR, but don't have the accountability side of things because they are still reflecting the 95 Directive we had in the EU, certainly areas where Europe hasn't a lot of influence, such as Africa, South America, such as certain parts of Asia, perhaps ex-colonies, perhaps Singapore, Hong Kong, those places. We do see data protection laws, but what might be common in those countries is pretty poor enforcement, low fines, poor regulators, no regulators, no ability for a regulator to administer a fine, have to go through the courts. Privacy rules do vary enormously across the globe and they're changing.
This is a pretty old slide now, but I put it in place just to give you some idea of all the different types of laws we've got across the globe and now how many new privacy laws that we're seeing every month, every year, absolutely incredible amount of change. In the US itself, for example, you're going to find that there are a number of different Colorado, I believe, Washington, California, all number of different states who are currently progressing privacy laws through their own attorney generals in each state. Let alone across the globe, let alone looking at the rise in South America, the rise of privacy law in Africa, the rise of privacy laws in the South Pacific, for example. A number of different privacy laws all coming up across the globe. We've got to understand the differences between these privacy laws when all we want to do as a company is release one global product. Let's just go back to the EU for a minute because we've got to understand how big the EU is and where we really have to be conscious of data going in and out of Europe. What is the EU? It's an economic and political union which allows freedom of movement of goods, services, people, and capital. I mean, here's their website. No, that's the European Economic Area website. Here's the EU website. It gives you an idea of the scope of the 27 countries: Austria, Belgium, Bulgaria, Croatia, you can read the list. These countries all have got similar laws essentially. They've entered into a pact with each other that they will have freedom of goods, services, people, and capital. You know anywhere you go within that club, you have similar data protection laws. Of special note, of course, here is the UK, and as we know the UK this year has ultimately decided that it's going to leave the EU. No more United Kingdom as part of the EU, gone. 
Even though it has gone though, we think it's worth mentioning the United Kingdom has retained in its law this concept of data protection, and it's now got what we call the UK GDPR, it has retained the GDPR in its law, roughly similar, roughly equivalent law. We'll talk about the UK law a bit in the next session. The final thing I just want to mention is it's not just the EU that also has EU law. There's this other organization called the EFTA, European Free Trade Association, and that is Norway, Iceland, and Liechtenstein. Actually, it's also Switzerland as well, but actually, interestingly enough, Switzerland decided not to be in the European Economic Area. The EFTA states, Norway, Iceland, Liechtenstein, essentially, join up with the EU. You've got the EU 27 countries, you've got the three free EFTA states, Norway, Iceland, Liechtenstein, and together we call them the European Economic Area, the EEA. That's the 27 EU member states, plus Norway, Iceland, and Liechtenstein, that creates this blue area here on the map. No Switzerland, no UK, but Liechtenstein, Norway, Iceland, and the EU 27 together form the EEA. What EU law says, if state is leaving the European Economic Area, well, you can't do that unless you've got a justification. That's what we're going to talk about in the next session, justifying those transfers outside of the European Economic Area. Thank you.