Cookie Compliance and International Data Transfers: China and Russia
Taking a global approach to cookie compliance should be part of every organization’s privacy strategy. This is important because your online visitors come from countries all over the world, each with its own jurisdiction and guidelines for how personal data is captured, stored and transferred. In this blog post, we’ll touch on the challenges organizations are seeing when capturing, transferring or accessing data from abroad, specifically in China and Russia.
Cookie Compliance in China and Russia
Data localization is a challenge that global organizations face when processing personal data in countries like Russia or China. Personal data subject to localization measures is data that is intended for collection by the controller (as opposed to data gathered incidentally) and relates to citizens of that country; such data must be stored in that country. In jurisdictions with localization measures, controllers must comply with certain obligations before transferring personal data out of the country or disclosing it to a third party.
Personal data of Russian or Chinese citizens must initially be entered into, and updated in, a locally hosted database or server. This data may then be transferred to servers or third parties located abroad. Observing international data transfer obligations in both countries is a complex challenge, especially in China, where the restrictions are stricter than in Russia.
According to the prevailing approach to China’s and Russia’s localization requirements, prior to engaging in international transfers of data or accessing data from abroad, the data controller must:
- ensure that the initial collection takes place using locally hosted databases;
- inform the data subject(s) of the purpose of the transfer to a third country, and obtain explicit consent from the data subject before the personal information is shared, disclosed or transferred;
- host the data locally before any transfers take place (e.g. store a copy in China);
- carry out a self-assessment: DPIAs and security assessments are essential;
- ensure that any modifications, additions, categorizations or updates to the data are carried out in the local database first.
When a non-Chinese website owner or publisher is based in China but uses a foreign CMP, it becomes trickier to stop data from being accessed from or sent to another country before complying with the prerequisite of storing a copy of the data within China.
Global companies facing these types of challenges must come up with ad hoc solutions, such as setting up a “back-end relay” in each of the countries with data localization requirements. This solution can be challenging, time-consuming and expensive.
How CookiePro Can Help:
CookiePro offers a cookie consent solution that is in line with the legal and technical requirements of countries such as Russia and China. CookiePro, as a consent management platform (CMP), captures and stores consent. We additionally store pseudonymized IP addresses that are accessed from or sent to other locations to be able to provide functionalities such as the right banner, based on geo-targeting, or to enable users to choose their settings. Here’s how we can help:
- Leverage geolocation rules to not capture records of consent from certain countries at all
- Only process truncated IP addresses
- In case you still want the data to be stored in Russia or China, use a proxy that stores the data on a local server as well as on the OneTrust servers
- Download the scripts and host them on local servers in those regions to ensure a reliable solution that does not need to call any foreign server