The last decade has seen a proliferation of regulations across the world, making it harder and costlier for U.S. companies to expand internationally. A particular stress point has been the need to cope with data privacy regulations, where penalties for non-compliance are often without limit.
In this article we report some good news: fewer data privacy-related hassles for U.S. companies that are expanding to Europe. We also look more generally at this topic, focusing particularly on India and China, where a large part of the world’s population, consumers and internet users are based.
What is the Data Privacy Framework?
The European Union was the first to put in place the General Data Protection Regulation (GDPR), on 25th May 2018. This caused particular difficulties for U.S. companies seeking to expand to the EU, since the U.S. was classified as a non-compliant country. To help ease this burden, and also for largely Ukraine war-driven political rather than practical reasons (in the opinion of the author), on 10th July 2023 the U.S. and EU agreed a new Data Privacy Framework (DPF). The DPF allows U.S. companies to self-certify their GDPR compliance, thereby removing the barriers that previously impeded the transfer of sensitive personal data from the EU to the U.S.
Before this framework was adopted, U.S.-based companies transferring data from the EU to the U.S. needed to have in place a cross-border data flow agreement. They were also strongly encouraged to carry out a Transfer Impact Assessment using an EU-recommended template. This is no longer required if the company self-certifies its compliance with DPF principles via the DPF website and publicly commits to such compliance.
This is a boon for countless small- and medium-sized U.S. businesses. However, it is worth noting that if the self-certification is made falsely or without a valid basis, significant penalties, both civil and criminal, could apply. It is therefore incumbent on U.S. companies to ensure they have appropriate internal data privacy policies, procedures and controls (including IT controls) in place to prevent unauthorized access to, or even worse the theft of, sensitive personal data. This is best done by taking relevant expert consulting help.
Other Data Privacy Law Considerations
The EU and U.S. are not the only ones who have recently passed or updated their data privacy provisions. India has 760 million internet users and is in the process of passing strict data privacy legislation. China has already done so through the China Personal Information Protection Law (PIPL) with a grace period for implementation ending very soon.
Earlier this month, Indian lawmakers passed a Data Protection Bill allowing companies to transfer some user data abroad while also empowering the government to seek information on blocking content in accordance with the advice of a Central Data Protection Board. This Bill also gives users the right to correct or have their personal data erased. Companies doing business in India would do well to prepare now for compliance with relevant provisions of this bill once it becomes law – or risk large fines.
China’s PIPL is likely less burdensome than GDPR. However, some of its provisions could, depending on circumstances, conflict with U.S. regulations, leaving the U.S. company caught in the middle. Penalties for non-compliance with PIPL are not unlimited but are still significant: the business could be held liable for up to 100% of sales arising in China.
Data privacy risks therefore need to be fully recognized and addressed when a U.S. company expands abroad. Engaging with experts who can support global expansion from a logistical and legal standpoint is critical if these risks are to be minimized when expanding internationally.
_______________
Dr. Shan Nair is the President of Nucleus, a one-stop global expansion solution for businesses, and a consultant on international expansion.
© 2025 Newsmax Finance. All rights reserved.