Vol. 42 Associate Editor
Data is likely to soon be subjected to protective trade barriers, not unlike those erected to control the flow of tangible goods across borders. This post will first explore the existing international data protection regime (or lack thereof). Next, it will highlight the inadequacies of the current regime, as brought into sharp relief by the recent Schrems data privacy litigation. Then, it will argue that two alternatives to our current state of affairs, namely an international regime and a European-led regime, are unlikely to succeed. Lastly, it will predict that countries will choose to protect or control their own citizens’ data, and in so doing begin an era of data protectionism.
Existing Data Protection Regime
The data protection landscape is a patchwork and is ineffectual. The Organization for Economic Cooperation and Development (OECD) developed in its Guidelines some data privacy provisions. The Guidelines have proven influential, but they are voluntary and did not create any permanent international mechanism to implement them. The Council of Europe (to be distinguished from the European Union) established Convention 108, which is open for ratification to nonmembers. But only 55 countries have ratified the treaty, and the US, China, Brazil, India, and other major countries remain on the outside nearly forty years after it was opened. The United Nations (UN) released its Guidelines in 1990, but has since paid little attention to the issue.
In the absence of a global regime, individual countries are adopting their own data protection regimes. The European Union (EU) prohibits the transfer of personal data to non-Member States that fail to ensure an “adequate” level of protection. The United States takes a more sector-specific approach to data protection, and in many (though not all) sectors lags behind protections in Europe. Chinese data protection is fragmented, and certainly lags behind European protections. Without delving deep into specifics, suffice it to say national regimes are varied, with the EU acting as a high-watermark on data protection.
The Existing Regime Is Inadequate
To resolve these differentials in protection, the US and EU embarked on negotiations which produced the Safe Harbor Framework. Safe Harbor allowed US companies to self-certify privacy policies in lieu of complying with legal requirements for the processing of Europeans’ data. Because of Safe Harbor, US companies ostensibly provided “adequate” protection, and thus could receive data transfers from EU Member States.
Safe Harbor was soon torpedoed. In 2013, Edward Snowden revealed extensive cyber-monitoring activities by US national security agencies. This prompted Max Schrems, an Austrian citizen, to petition the Irish Data Protection Commissioner, arguing, based on the revelations, that the US does not offer adequate protection for data transferred from Facebook’s Irish subsidiary to Facebook servers in the US. The Court of Justice of the European Union agreed with Schrems and struck down Safe Harbor. The EU and US embarked on another round of negotiations, resulting in Privacy Shield, which met the same fate as Safe Harbor.
The failure to establish a framework is telling. After a decade of negotiation and litigation, the EU and the US remain at an impasse. It is not obvious that the US will ever implement data protection laws sufficient to meet an “adequate protection” standard required by the EU. (One could also note the persistence of this impasse despite the similarities in political ideology between the US and EU as opposed to, for example, Russia or China.) Indeed, among major countries, the EU has only recognized Argentina, Canada, Israel, Japan, New Zealand, Switzerland, and Uruguay as providing adequate protection. The upshot is that the ad-hoc, bilateral approach has failed thus far to create a coordinated, level data protection regime, which would allow the free flow of data across borders.
The Alternatives Are Unlikely to Succeed
The first alternative would be for the UN or some other international body to establish a data protection framework. This option is appealing if for no other reason than it would save us from the diplomatic and litigative transaction costs associated with the Schrems case. But the benefits of truly international regime would go beyond that: a harmonized global data protection regime would enable companies and citizens of all countries to safely use the internet without fear that their data might be going to an unsavory destination. But saying that begs the question: What would the regime look like? Would Europeans acquiesce to a low-protection international regime? Would China sign on to a regime with high data privacy standards? Would the US? It seems that the problem that plagues the status quo, namely a lack of shared desire, would prevent the UN from establishing a data protection framework. Looked at in this light, it is no wonder the UN has ignored the issue for almost thirty years.
There are also more technical limitations. In many parts of the world, a right to data privacy, let alone protection, is not recognized. International organizations are not modeling their own data privacy rules according to those of others, resulting in a lack of any growth in international consensus. And, even if the UN did establish a framework, it is unclear what regulatory options are available to enforce the framework.
The other alternative would involve other major countries eventually catching up and adopting an EU high watermark standard. Indeed, some countries are already taking this path. However, the EU data protection model has its shortcomings. It is built on assumptions about the structure of European state organization and thus is not applicable everywhere in the world. That is, various institutions and frameworks, for example the European Convention on Human Rights, have ingrained the right to (both general and data) privacy into EU consciousness over the decades. Thus, the legislative and regulatory apparatuses of the EU reflect the assumption that data protection as a fundamental right. Outside of Europe, parallels are sparse. Many countries may simply not want to offer their citizens such extensive data protection.
The Coming Data Protectionism
We may soon see the emergence of a fragmented (one might even say multi- or tripolar) data protection global system. For all intents and purposes, two poles might already exist. The EU’s valves for data transfer are only open with twelve countries. The EU strict-adequacy pole would thus include those countries taking a citizen-interested data protection approach. A second, loosely grouped pole would include countries that focus more on national security concerns, thus limiting individual privacy. The strict-security pole might include China, Turkey, and Russia, among others. It is unclear if the data borders between these countries would be open at all. A third pole might comprise countries somewhere in between—balancing privacy and commercial interests, while maintaining a distrust of data flows to the strict-security pole. Indeed, the US, although failing to join the strict-adequacy pole, seems to be taking steps to protect itself from the strict-security pole. The end result will seemingly be a world where countries data valves are closed up except to a few like-minded partners. What the internet looks like in this world is anyone’s guess.
 Paul De Hert & Vagelis Papakonstantinou, Three Scenarios for International Governance of Data Privacy: Towards International Data Privacy Organization, Preferably a UN Agency, 9 ISJLP 271, 286 (2013).
 Id. at 277.
 Id. at 286-87.
 Council of Europe, Chart of Signatures and Ratifications of Treaty 108 (2020), https://www.coe.int/en/web/conventions/full-list/-/conventions/treaty/108/signatures?p_auth=y8JTSCdB.
 De Hert & Papakonstantinou, supra note 1, at 288.
 Ralph H. Folsom, Principles of European Union Law: including Brexit, 282-84 (West Academic ed., 5th ed. 2017).
 Shawn Marie Boyne, Data Protection in the United States, 66 Am. J. Comp. L. 299 (2018).
 See Yongxi Chen, Privacy and Freedom of Information in China: Review through the Lens of Government Accountability, 1 Eur. Data Prot. L. Rev. 265, 265-67 (2015).
 Alan Butler & Fanny Hidvegi, From Snowden to Schrems: How the Surveillance Debate Has Impacted US-EU Relations and the Future of International Data Protection, 17 Whitehead J. Dipl. & Int’l Rel. 55, 64 (2016).
 Id. at 56-59.
 Id. at 64.
 Case C-362/14, Schrems v. Data Prot. Comm’r, 2015.
 Case C-311/18, Data Prot. Comm’r v. Facebook Ireland, 2020.
 Adequacy decisions, European Commission, https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en.
 De Hert & Papakonstantinou, supra note 1, at 288.
 Id. at 316.
 Id. at 317.
 Id. at 318.
 E.g., Samantha Diorio, Data Protection Laws: Quilts versus Blankets, 42 Syracuse J. Int’l L. & Com. 485, 509-10 (2015).
 De Hert & Papakonstantinou, supra note 1, at 314.
 See Chen, supra note 8.
 Rachel Fefer, Cong. Research Serv., R45584, Data Flows, Online Privacy, and Trade Policy 11 (2020).
 Id. at 10-11.
 Arjun Kharpal, U.S.-China tensions could split the internet—and data will play a key role in how far that goes, CNBC (Oct. 19, 2020, 11:54 PM), https://www.cnbc.com/2020/10/20/us-china-tensions-could-split-the-internet-and-data-will-play-a-key-role.html.
The views expressed in this post represent the views of the post’s author only.