Skip to content

Rulefinder Cross Border Data Transfer helps a market struggling with increased focus on privacy

03 July 2014

Rulefinder Cross Border Data Transfer (CBDT) is the latest service in the suite of highly successful online subscription services provided by A&O’s affiliate, Derivative Services LLP.  CBDT provides an instant point of access to analysis of global data protection, secrecy and outsourcing laws affecting cross-border transfers.

This is an area in which organisations are finding they have to adapt quickly to deal with increasing regulation as well as increasing customer expectations relating to confidentiality and strong media interest. The expansion of in-house teams comes at a cost and many organisations are looking for a system that can provide quick answers to common questions. They also need something which will keep them up to date by alerting them to changes and highlighting longer term developments which may impact on expensive data centre or other outsourcing projects.

There is a large rise in the number of data protection and financial secrecy Laws: China, Slovakia, Malaysia, Singapore, Taiwan, New Zealand, the Philippines, South Korea and Australia are amongst those which have introduced new regimes over the last couple of years. Many less well developed countries are also introducing restrictions and it can be hard for in-house teams in those countries to find reliable up-to-date advice.

At the same time, the EU is inching its way towards creating an EU Data Protection Regulation. This will have direct effect in each Member State with the provisions on cross-border transfers being the first provisions to be agreed (subject to agreement of the whole) by the EU Council of Ministers in early June 2014.

The EU discussions on the proposed Regulation and inter-governmental agreements on the exchange of information have gained urgency as a result of the NSA surveillance scandal. While the EU tries to develop a Regulation with direct effect in each Member State, there are growing challenges from Member States on the European Commission’s decisions on the “adequacy” of protection provided in specific jurisdictions. The basis of these challenges is that the decisions do not reflect the current level of protection in such jurisdictions. Last year the German Conference of Federal and State Data Protection Commissioners challenged the U.S. safe harbor on the basis that there was a substantial likelihood that the safe harbor principles were being violated. In June of this year an Irish court made a referral to the European Court of Justice on the question of whether national data protection authorities can conduct their own investigations into “adequacy”.

While there are increasing restrictions on disclosing customer information, there are also increasing numbers of regulatory requests for information involving disclosure of client data. In some cases, such as in the LIBOR and Forex trading investigations, this is incidental to investigations into the institution’s activities rather than those of the client.

There is also increasing intergovernmental co-operation on exchange of information agreements. Many such agreements channel information through authorities, with built-in confidentiality and procedural protections. Whilst this removes some of the risk from the institution, it is important that they follow the procedures when faced with a request or demand for information. Others (like some of the FATCA agreements) require disclosure to be made directly to the foreign authority, leaving the burden on the institution to satisfy local laws for the disclosure.


It is important to keep up with changes in any area of law. The different approaches to protecting data across the world and the fact that the issues straddle data protection, financial secrecy, IT, technology and risk management mean that issues can fall between in-house teams. In addition, identifying the sources of relevant laws can be difficult: new rules or interpretations can appear from a variety of sources including case law and guidance notes or circulars from data protection or industry regulators. This is why the CBDT team monitor hundreds of sources for changes.

As well as dealing with immediate questions such as how to respond to a regulator’s request for client data, managing a supervisory authority’s site inspection or whether to comply with a court order to produce information, laws affecting customer data can also have major implications for outsourcing projects. Many of our enquiries come from IT or outsourcing project managers as, particularly in Asia Pacific countries, there are some major hurdles in relation to offshoring data.

Rulefinder CBDT currently covers 56 jurisdictions of the 60 on its initial roll-out plans. Please visit or contact Marc-Henri Chamay,, +44 20 3088 3955, Clare Godson,, +44 20 3088 2880 or Anita Anand, +44 20 3088 2831 for more information.