Personal data: a global commodity subject to regional rules


Author: Eddie Powell, Gerald Brent


Eddie Powell, Partner, Fladgate LLP (epowell@fladgate.com)

Gerald Brent, Trainee Solicitor, Fladgate LLP (gbrent@fladgate.com)


 

The introduction within the EU of the General Data Protection Regulation (GDPR) led to frantic scrambles in the EU to achieve compliance. Such behaviour is understandable, given how easily a complaint may be made to a supervisory authority about organisations which allegedly breach data protection rules: in Britain, the Information Commissioner’s Office (ICO) has provided various user-friendly online forms, a live chat feature and a hotline. In the month following the 25 May deadline, the ICO received over 1,100 data protection complaints. In Ireland over 500 data breach notifications were made, whilst supervisory authorities in France and the Czech Republic received over 400 complaints each.[1]

Next comes the new EU ePrivacy Regulation, predicted to come into effect in 2019 with an intention to harmonise electronic communications standards across the EU. The current proposals will catch over-the-top (OTT) communications service providers, e.g. WhatsApp, Skype and Facebook Messenger, as well as imposing stricter electronic direct marketing requirements. Notably, as the proposals currently stand, they appear to grant businesses the same privacy interests as individuals. This has led to criticism that compliance difficulties will arise, especially when the new regulation also makes use of the high GDPR standard of consent.[2]

Arguments have been made that this relatively onerous European approach will be bad for business; that it will stifle innovation, especially with regard to Europe’s tech industry and its data-driven start-ups. Innovative organisations may simply not be able to afford the necessary compliance-spend. The question of whether or not Europe may ever build a technology sector or tech giant akin to the US’s FAANGs or China’s Baidu, Alibaba and Tencent looms large in such debates.

Nevertheless, certain American legislators have called for the US to regain the initiative with regard to progressive data protection rule-making.[3] Indeed, despite opinions differing in the world’s largest market as to whether the European approach is the correct one, California is setting a stand-out example: in June it signed into law its Consumer Privacy Act 2018 (effective 1 January 2020) which follows some of the principles enshrined in the GDPR. Here, Californians will have the right to ask what personal information businesses hold in respect of them, alongside the right to ask for personal information to be deleted.[4]

The California measures also empower consumers to be able to opt out of data sharing; for example companies that sell consumer data to third parties will need to disclose this and supply a link titled “Do not sell my personal information” on their homepages, as just one part of a broader package of consumer rights. However, in representing a set of consumer rights and mandatory disclosures, the Californian act is far narrower than the overarching and multi-faceted European approach of placing the onus on businesses or data controllers to be active from the outset, in particular in respect of data breach notifications and cross-border transfers.[5] Given the concentration of US data-driven business in California, it is possible that these Californian state measures will be used as a model for data protection across the US.

Meanwhile, China has released the latest non-binding standard on personal information protection. The new standard, in certain respects, contains more stringent requirements than the GDPR, and, whilst not legally binding, the government, in referring to them in reviews and approvals, incentivises entities operating in China to adhere to them.[6] The data protection rules (introduced in May) had been written with the GDPR in mind, despite displaying local nuances. For example, the Chinese equivalent of the EU’s ‘right of erasure’ will only be available pursuant to an agreement with the data subject concerned, or if the data controller has breached the law.[7] [8]

At the same time, 1.4 billion individuals in India do not presently benefit from any specific legislation on privacy or data protection,[9] although a draft Personal Data Protection Bill has now been finalised (some of its particular rules having been informed by the GDPR).[10]

It remains the case that only one Asia-Pacific state, New Zealand, has been found by the EU to have an ‘adequate’ standard of data protection, meaning that personal data may flow there freely from the EU.

The Chinese and Indian approaches reflect a wider Asia-Pacific concern, held by legislators, regulators and corporations, that new EU rules may jeopardise global flows of data.[11] Indeed, there is international opinion that Europe is moving forward and that the rest of the world must catch up for fear of being left behind.[12] This is a prime example of European standards driving standards elsewhere: regulatory convergence upon the rules of one of the largest and most technologically-advanced markets on the planet.

The reasons why Europe leads are interesting. The unique framework within which the EU produces law, and the fact that the EU Commission is relatively active and well-funded, may (alongside scale and economics) explain Europe’s initiative. Furthermore, the set of legal reforms led by the GDPR is an acknowledgement by EU policymakers of a world where governments, such as the US’s, may find it easy to access, via the internet, the personal data of people regardless of where they reside globally; as per Edward Snowden’s revelations regarding the NSA.[13]

Explanations for divergent regulatory regimes, in general, may be cultural. Examples are the Chinese and Russian requirements to store personal data on servers physically located within those countries – so-called ‘data localisation’. This is in keeping with the continuously large presence of both governments in the private affairs of their citizens. By contrast, the GDPR may be seen as marking another milestone for human rights-based liberalism and in particular privacy rights, helping to bury further Europe’s 20th century history of authoritarianism, exemplified by the Stasi’s well-nigh omnipresent informant network in East Germany. Such fracturing may indeed be held to be a symptom of cultural disparities with regard to how personal data is used, i.e. differences in privacy norms. In this sense, the divergent approaches regions and states are taking towards regulating this increasingly lucrative commodity may be said to reflect the divergence of values between them.

Such fractures represent a huge threat to globalisation, as global services are increasingly delivered on the basis of international data flows.[14] Nevertheless, they remain underestimated as threats to the globalisation process in the context of other perceived threats, such as Donald Trump or Brexit.

In reality, many of these threats are connected. For example, the proposed reform of the Committee on Foreign Investment in the United States has as its goal an increased scrutiny of cross-border transactions and a heightened protection of US intellectual property.[15] The reform can also be seen as part of a broader array of measures taken by the US against the Chinese economy, in which trade sanctions play a leading role. Here, although privately-owned data centres/server providers on the Chinese mainland are theoretically free of state control,[16] there would perhaps be little surprise if it was revealed that state monitoring pervades Chinese server providers’ data processing operations – or at the very least that the state has easy access to such servers. In this context, data localisation and the mandatory storage of data within mainland China is intimately connected with the charge levelled by the US administration of mass intellectual property theft and, as a result, it is also related to the arguments underwriting the imposition upon China of trade sanctions.

Personal data resembles (in its economics) the human being it relates to: its value is in part determined by the body of law which protects it. In this sense, the GDPR and the incoming ePrivacy Regulation in Europe, like the California Consumer Privacy Act in the US, will do much to increase the protection individuals residing in the developed world already benefit from. Therefore the extent to which an individual’s personal information is protected under law represents another global inequality to wrestle with.

The peculiar thing about this inequality is that its burden may fall most heavily on the ‘global elite’ (international business and its prime beneficiaries), whose profit-models depend on international services accompanied by largely unrestricted flows of personal data. The hope is that the rest of the world catches up with the EU quickly, although perhaps the day the European Commission has exhausted all adequacy decisions possible is a future sought after by European globalists only.


[1] A Ram and H Murphy, “Companies under strain from GDPR requests”, The Financial Times, published on 2 July 2018, viewed on 15 August 2018, https://www.ft.com/content/31d9286a-7bac-11e8-8e67-1e1a0846c475

[2] J Apostle, “We survived GDPR, now another EU privacy law looms”, The Financial Times, published on 13 June 2018, viewed on 15 August 2018, https://www.ft.com/content/8fc3ae5c-6eee-11e8-8863-a9bb262c5f53

[3] S Delbene, “If the US fails to protect citizens’ data, it will lag behind”, The Financial Times, published on 28 June 2018, viewed on 15 August 2018, https://www.ft.com/content/d8a70f22-7a12-11e8-af48-190d103e32a4

[4] A Woodie, “California’s New Data Privacy Law Takes Effect in 2020”, Datanami, published on 6 July 2018, viewed on 15 August 2018, https://www.datanami.com/2018/07/06/californias-new-data-privacy-law-takes-effect-in-2020/

[5] K J Matthews and C M Bowman, “The California Consumer Privacy Act of 2018”, Proskauer, published on 13 July 2018, viewed on 15 August 2018, https://www.proskauer.com/blog/the-california-consumer-privacy-act-of-2018

[6] S Sacks, “New China Data Privacy Standard Looks More Far-Reaching than GDPR”, Centre for Strategic and International Studies, published on 29 January 2018, viewed on 15 August 2018, https://www.csis.org/analysis/new-china-data-privacy-standard-looks-more-far-reaching-gdpr

[7] L Lucas, “China emerges as Asia’s surprise leader on data protection”, The Financial Times, published on 30 May 2018, viewed on 15 August 2018, https://www.ft.com/content/e07849b6-59b3-11e8-b8b2-d6ceb45fa9d0

[8] R Bird, “Where are we now with data protection law in China?”, Freshfields Bruckhaus Deringer, published after 1 June 2018 (no specific date specified), viewed on 15 August 2018, https://www.freshfields.com/en-gb/our-thinking/campaigns/digital/data/where-are-we-now-with-data-protection-law-in-china/

[9] No specific author specified (DLA Piper), “Data Protection Laws of the World: India”, DLA Piper, last modified 24 January 2017, viewed on 15 August 2018, https://www.dlapiperdataprotection.com/index.html?t=law&c=IN

[10] N Christopher, “The India draft bill on data protection draws inspiration from the GDPR, but has its limits”, The Economic Times, published on 28 July 2018, viewed on 15 August 2018,  https://economictimes.indiatimes.com/tech/internet/the-india-draft-bill-on-data-protection-draws-inspiration-from-gdpr-but-has-its-limits/articleshow/65173684.cms

[11] (Various authors/contributers) Hogan Lovells, “Asia Pacific Data Protection and Cyber Security Guide 2018”, dated 2018 (no specific publishment date specified), Hogan Lovells, viewed on 16 August 2018, https://www.hldataprotection.com/files/2018/06/Hogan_Lovells_Asia_Data_Protection_and_Cyber_Security_Guide_2018.pdf

[12] A Toth, “New EU data protection law a milestone in privacy regulation”, The National, published on 23 May 2018, viewed on 16 August 2018, https://www.thenational.ae/business/technology/new-eu-data-protection-law-a-milestone-in-privacy-regulation-1.733347

[13] P Vernon, “5 years ago, Edward Snowden changed journalism”, Columbia Journalism Review, published on 5 June 2018, viewed on 16 August 2018, https://www.cjr.org/the_media_today/snowden-5-years.php

[14] J Manyika, S Lund (and others), “Digital globalization: The new era of global flows”, published in March 2016, viewed on 16 August 2018, McKinsey & Company, https://www.mckinsey.com/~/media/McKinsey/Business%20Functions/McKinsey%20Digital/Our%20Insights/Digital%20globalization%20The%20new%20era%20of%20global%20flows/MGI-Digital-globalization-Executive-summary.ashx

[15] H Sender and D Weinland, “Private equity groups fear US clampdown on Chinese investors”, published on 5 August 2018, viewed on 16 August 2018, The Financial Times, https://www.ft.com/content/c481575e-988b-11e8-ab77-f854c65a4465

[16] Y Wei, “Chinese Data Localization Law: Comprehensive but Ambiguous”, published on 7 February 2018, viewed on 16 August 2018, The Henry M. Jackson School of International Studies, https://jsis.washington.edu/news/chinese-data-localization-law-comprehensive-ambiguous/


 

 

View by date:


View by author: