A Guide to International Expansion

Technology

Sector and state specific

The U.S. has several sector-specific national privacy or data security laws, applicable to financial institutions, telecoms companies, personal health information, credit report information, telemarketing and direct marketing.

However, the U.S. also has hundreds of relevant privacy or data security laws among its states and territories. These include requirements for: safeguarding, disposal, privacy policies, appropriate use of Social Security numbers, and data breach notifications. California alone has more than 25 separate privacy and data security laws.

In addition, The U.S. Federal Trade Commission (FTC) has jurisdiction over a wide range of commercial sectors through its authority to prevent and protect consumers from unfair or deceptive trade practices, which include materially unfair privacy and data security practices. The FTC issues regulations enforces certain privacy laws, and takes action against companies who:

• Fail to implement reasonable data security measures
• Make materially inaccurate privacy and security representations, including in privacy policies
• Fail to abide by applicable industry self-regulatory principles
• Transfer (or attempt to transfer) personal information to an acquiring entity in a bankruptcy or M&A transaction, in a manner not expressly disclosed on the applicable consumer privacy policy
• Violate consumer privacy rights by collecting, using, sharing or failing to adequately protect consumer information, in violation of the FTC’s consumer privacy framework or certain national privacy laws and regulations.

The Attorneys General of many states have similar enforcement authority to the FTC.

Even though no geographic transfer restrictions apply in the U.S., except with regard to storing some governmental records and information – we recommend you definitely seek local guidance if you’re importing or exporting data to the U.S.

LGPD

The Brazilian General Data Protection Law (LGPD) [Federal Law no. 13,709/2018] has been in force since September 2020, but penalties were not enforceable until August 2021, giving businesses a grace period to improve their procedures and systems. The LGPD is Brazil’s first comprehensive data protection regulation and it’s generally aligned to GDPR.

The LGPD applies to any processing operation carried out by a natural person or a legal entity, of public or private law – irrespective of the means used for the processing, the country in which its headquarters is located, or the country where the data are located – provided that:

• The processing operation is carried out in Brazil;
• The purpose of the processing activity is to offer or provide goods or services, or the processing of data of individuals located in Brazil;
• The personal data was collected in Brazil.

When it comes to data transfers, like GDPR, Brazil requires that the LGPD is complied with and prior specific and informed consent gained, unless:

• The transfer is to countries or international organisations with an adequate level of protection of personal data;
• There are adequate guarantees of compliance with the principles and rights of data subject provided by LGPD, in the form of:
  • Specific contractual clauses for a given transfer
  • Standard contractual clauses
  • Global corporate norms
  • Regularly issued stamps, certificates and codes of conduct;
• The transfer is necessary for international legal cooperation between public intelligence, investigative, and prosecutorial agencies;
• The transfer is necessary to protect life or physical safety of the data subject, or of a third party;
• Authorisation has been provided by the National Data Protection Authority (ANPD);
• The transfer is subject to a commitment undertaken through international cooperation;
• The transfer is necessary for the execution of a public policy or legal attribution of public service;
• The transfer is necessary for compliance with a legal or regulatory obligation, execution of a contract or preliminary procedures related to a contract, or the regular exercise of rights in judicial, administrative or arbitration procedures.

As with GDPR, it’s recommended you get legal advice before transferring data to or from Brazil.

Federal Law on protection of personal data

The Federal Law on the Protection of Personal Data held by Private Parties (Ley Federal de Protección de Datos Personales en Posesión de los Particulares) (“the Law”) entered into force on 6 July 2010. This regulation was followed by seven other directives from 2011 to 2018, all of which delve further into Data Protection specificities.

Essentially, regulations apply to all processing of personal data when:

• Processed in a facility of the data controller located in Mexican territory;
• Processed by a data processor, regardless of location, if the processing is performed on behalf of a Mexican data controller;
• Where Mexican legislation is applicable as a consequence of Mexico’s adherence to an international convention or the execution of a contract (even where the data controller is not located in Mexico);
• Where the data controller is not located in Mexican territory, but uses means located in Mexico to process personal data, unless such means are used only for transit purposes.

The Law only applies to private individuals or legal entities that process personal data, and not to the government, credit reporting companies governed by the Law Regulating Credit Reporting Companies, or persons carrying out the collection and storage of personal data exclusively for personal use (and not disclosed for commercial use).

Regarding data transfers, where the data controller intends to transfer personal data to domestic or foreign third parties other than the data processor, it must provide the third parties with the Privacy Notice provided to the data subject and detail the purposes to which the data subject has limited and specified. Processing by the third-party must be consistent with what was agreed in the Privacy Notice, which shall contain a clause indicating whether or not the data subject agrees to the transfer of their data. The third-party recipient assumes the same obligations as the data controller who has transferred the data.

However, domestic or international transfers of personal data may be carried out without the consent of the data subject where the transfer is:

• Pursuant to a law or treaty to which Mexico is party;
• Necessary for medical diagnosis or prevention, health care delivery, medical treatment or health services management;
• Made to the holding company, subsidiaries, or affiliates under the common control of the data controller, or to a parent company (or any company of the same group) of the data controller, operating under the same internal processes and policies as the data controller;
• Necessary by virtue of an executed contract between the data controller and a third party in the interest of the data subject;
• Necessary or legally required to safeguard public interest or for the administration of justice;
• Necessary for the recognition, exercise or defence of a right in a judicial proceeding;
• Necessary to maintain or comply with an obligation resulting from a legal relationship between the data controller and the data subject.

The Regulations state that the data subject doesn’t need to be informed or consent to communications or transmissions of personal data to data processors. However, the data processor must do all of the following:

• Process personal data only according to the instructions of the data controller;
• Not process personal data for a purpose other than as instructed by the data controller;
• Implement the security measures required by the Law, the Regulations and other applicable laws and regulations;
• Maintain the confidentiality of the personal data subject to processing;
• Delete personal data processed after the legal relationship with the data controller ends or when instructed by the data controller, unless there is a legal requirement for the preservation of the personal data;
• Not transfer personal data unless instructed by the data controller, the communication arises from subcontracting, or if required by a competent authority.

It’s recommended you seek advice from legal partners before transferring data to or from Mexico.

UK GDPR

As part of the EU, the UK originally enforced the EU’s GDPR laws. Post-Brexit, the UK Government has transposed GDPR into UK national law – creating UK GDPR in early 2021. Though the law has a number of technical differences to the original, the material obligations of data controllers and processors are essentially the same as Europe’s version.

Supplementing UK GDPR is the Data Protection Act 2018 (DPA), which deals with some matters exempt from EU GDPR, and merging some other EU regulations into UK law. For example, Part 3 of the DPA covers EU Law Enforcement Directive (EU2016/680), creating a regime specifically for personal data processing by law enforcement.

UK GDPR, like its cousin, applies to any organisation that processes personal data of data subjects within the United Kingdom, including “offering goods and services” and “monitoring of their behaviour”.

When it comes to data transfers, the UK Government has the power to make an adequacy decision – involving the UK Secretary of State determining that the third country provides an adequate level of data protection and personal data may be freely transferred. The countries currently on the list have been rolled directly from the EU version, and the UK treats all EU and European Economic Area Member States as adequate – at least for the moment. All these adequacy decisions will be reassessed before the end of 2024.

There’s also a list of appropriate safeguards to permit data transfers to third countries, just like EU GDPR, and DPA Schedule 21 allows EU Commission approved standard contractual clauses to continue to be used for transfers under the UK GDPR, until they replaced by clauses issued by the UK Government.