The Confusing World of International Data Privacy Law: An Argument for Comprehensive Regulation

Jennifer Peterson-Sharma

Vol. 44 Associate Editor

The need for international regulations on data privacy has never been greater. Data privacy is among the few and relatively new fields of law that were developed across national borders.[1] Without a global regulator, however, states are applying their own laws to this issue that clearly affects transborder activities,[2] complicating the ability of multi-jurisdictional companies to comply with potentially conflicting rules.[3] The practicalities of adhering to the plethora of guidelines is a substantial inefficiency and an “anchor on the health of international business.”[4] These fragmented data regimes also have political consequences, including the ability to hinder international relations. At the individual level, protection of citizens’ data cannot be adequately addressed within a country’s own borders. Websites and social media platforms operate using a substantial amount of personal information, carrying it across the world within seconds. For these reasons and several others, data privacy is an international issue that requires harmonization and comprehensive solutions. Nonetheless, while the necessity for an international regulatory framework is immense, the task of designing and implementing the policy is not an easy one. Part I of this article will begin by pinpointing the various difficulties that exist as a barrier to establishing comprehensive international data privacy law. Part II will then explore potential solutions to the problems, such as adopting the European-style General Data Protection Regulation (“the GDPR”) or, more preferably, an international agreement backed by the United Nations. Difficulties with Comprehensive International Data Privacy Law Perhaps the most challenging issue facing any comprehensive international data privacy law is the vast deregulation of data protection at the national level. States have developed their own approaches and, as a result, cohesively integrating these regimes in order to induce agreement will be a formidable endeavor. This burden is exacerbated by the fact that many laws directly conflict with one another or have differing scopes of the content covered, leading to legal ambiguity and gaps in legal coverage worldwide.[5] Some countries do not have any data privacy laws altogether or lack sufficient understanding of the legal issues surrounding data protection.[6] Addressing these legal gaps will be critical in creating any comprehensive legal framework. Along with the problem of deregulation comes national concerns that underlie each approach. Data localization is motivated heavily by state sovereignty, and as a result, closely aligns with a country’s cultural values.[7] For example, in the European Union (EU), the GDPR centers around the concept that data protection is a fundamental right.[8] When the GDPR discusses privacy, it uses the language of human rights to develop protections for its citizens.[9] On the other hand, in the United States, personal information is a commodity in the market and the focus of information privacy law in the U.S. is policing fairness in exchanges of personal data.[10] And, lastly, China’s Cybersecurity Law (“CSL”) has similarities with both the U.S. and EU approaches;[11] However, China does not depart from its own rationale and creates specificities of its own.[12] What is perhaps most striking in China’s system is its parallel strengthening of protection against private entities along with its increase of government’s access to personal data.[13] Overall, the future of international regulation in this area turns heavily on whether the framework can acknowledge “things that are fundamental” in each legal culture.[14] Solutions The GDPR The first solution to the problem of deregulation could potentially be present in the form of the GDPR, which came into force in 2018.[15] The GDPR is incredibly expansive with its protections of data subjects’ personal information. As an EU Regulation, it has a binding force upon European member states, but the policies are also flexible enough for states to transpose many aspects of their domestic laws and allow for national variations.[16] Perhaps most importantly, the GDPR has extraterritorial application of its legislation.[17] Jurisdiction is triggered by a broad territorial link of an activity or person within the EU, applying to entities and companies not based in the Union due to their targeting or monitoring people inside it.[18] Primarily because of EU extraterritoriality, many scholars have argued that the GDPR currently operates – or is moving in the direction of operating – as a de facto source of international regulatory standards on data privacy.[19] It is true that several countries are following the trend of updating their laws to become GDPR compliant.[20] For example, China’s CSL and the subsequent 2018 Specification provide broad definitions of “data controllers,”[21] “data subjects,”[22] and “personal information” that align more closely with the GDPR approach.[23] Additionally, Japan was the first country to be recognized as a “white listed” jurisdiction, effectively earning an EU approval of its data protection regime.[24] Other countries have followed similar trends to be GDPR compliant, including South Africa,[25] India,[26] and even the U.S. in the form of the California Consumer Privacy Act (CCPA), which has been described as “GDPR-lite.”[27] Some would argue that the GDPR is an accessible model precisely because its principles have been applicable to legal systems as diverse as Japan and California.[28] However, the GDPR approach is not the most ideal solution. First, there is a high cost that companies and countries have to undertake in order to make their businesses and laws compliant.[29] Furthermore, continuing to allow the GDPR to operate as a de facto standard without acting to solidify an international agreement would mean that countries would have to alter their own national laws in order to adhere to regulations they had no part in creating.[30] Thus, allowing every state to have a seat at the table when discussing global regulations with worldwide impacts will allow for greater efficiency and fairness in the realm of international data privacy. The United Nations An international agreement enforced by the United Nations is a more preferable solution. The UN formally recognized the importance of the issue when it declared privacy a fundamental human right in Article 12 of the Universal Declaration of Human Rights of 1948 and the International Covenant on Civil and Political Rights of 1966.[31] Furthermore, the General Assembly’s recent resolution, “The right to privacy in the digital age”, signals both renewed international interest in the human right to privacy as well as a commitment by UN institutions to explore the current-day interpretation of this right.[32] In addition to the UN’s commitment, precedent for such an agreement exists in the form of the World Intellectual Property Organization (WIPO), which was seen as a unifying bridge between scattered agreements and jurisdictional divides pertaining to the transnational interests of intellectual property.[33] Many lessons learned from WIPO can be applied to the creation of a UN international agreement on data privacy, such as how WIPO utilized the UN Guidelines to establish a UN agency.[34] Such an agency could provide a single forum for enforcing a right of action, along with other beneficial enforcement mechanism features. The ultimate goal of the international treaty should be to balance data privacy with other competing interests, including different countries’ philosophies regarding privacy laws. National individualization should be similar to the GDPR approach.[35] Other aspects of the GDPR could further be used as a starting point for the UN solution, such as its definition of “personal information,”[36] which allows business’ focus to be kept “squarely on the user in question, as opposed to the windfall of information that would be deemed necessary to protect under the CCPA’s household information requirement.”[37] In this way, the UN approach could serve as a means to appropriately alter and build upon the GDPR in a manner that every country can agree to. Conclusion Overall, the UN avenue will allow for greater international cooperation and discussions on the contentious or different approaches that countries have taken when creating their domestic data privacy laws,[38] including taking into account countries’ own cultural values that heavily influence data localization. Given the UN’s history of protecting privacy and serving as a pathway for countries to come together to sort out deregulated issues that affect the international community, it should be the preferred avenue to iron out these legal gaps. More importantly, an international agreement will help the world step forward together to address this issue that is growing more pressing by the day.

[1] Paul De Hert & Vagelis Papakonstantinou, Three Scenarios for International Governance of Data Privacy: Towards an International Data Privacy Organization, Preferably a UN Agency, 9 ISJLP 271, 273 (2013). [2] Cedric Ryngaert & Mistale Taylor, The GDPR as Global Data Protection Regulation?, 114 AJIL Unbound, 5 (2020). [3] Haksoo Ko, Law and Technology of Data Privacy: A Case for International Harmonization, 3 Asian J.L. & ECON, 14 (2012). [4] Scott Resnick, Easing the Burdens of a Patchwork Approach to Data Privacy Regulation in Favor of a Singular Comprehensive International Solution – The International Data Privacy Agreement, 46 BROOK. J. INT’l L. 277, 304 (2020). [5] James Y. Wang, The Best Data Plan Is to Have a Game Plan: Obstacles and Solutions to Reaching International Data Privacy Agreements, 28 MICH. TECH. L. REV. 385, 388 (2022). For example, in the EU, internet protocol (IP) addresses may be considered as “personal data”, whereas divergence in court decisions exists on this point in the United States. Also under the GDPR, personal data collected may not be exported to a country outside of the EU unless such country provides an adequate level of data protection, contrasting with the US’ lack of specific rules for data transfers. See W. Gregory Voss, Obstacles to Transatlantic Harmonization of Data Privacy Law in Context, 2019 U. ILL. J.L. TECH. & POL’y 405, 422 (2019). For more examples of different data privacy laws across the world, see generally Michael L. Rustad & Thomas H. Koenig, Towards a Global Data Privacy Standard, 71 FLA. L. REV. 365, 431-48 (2019). [6] Wang, supra note 5, at 391 (“A study conducted by the United Nations Conference on Trade and Development [. . .] found that roughly thirty percent of countries have no data privacy laws in place, and more than sixty percent of government representatives in forty-eight countries in Africa, Asia, and Latin America reported difficulties in understanding legal issues related to data protection and privacy.”). [7] Id. at 389; See also Ariel E. Wade, A New Age of Privacy Protection: A Proposal for an International Personal Data Privacy Treaty, 42 GEO. Wash. INT’l L. REV. 659, 661 (2010) (“Various countries and regions around the world regulate privacy rights in different ways. These differences allow countries to develop privacy laws that aim to serve their unique cultures [. . .]”) [8] Paul M. Schwartz & Karl-Nikolaus Peifer, Transatlantic Data Privacy Law, 106 GEO. L.J. 115, 123 (2017). [9] Id. at 127. [10] Id. at 132. [11] See infra Part II. [12] See Emmanuel Pernot-Leplay, China’s Approach on Data Privacy Law: A Third Way between the U.S. and the EU?, 8 PENN St. J.L. & INT’l AFF. 49, 54 (2020). (“[T]here is a ‘data privacy with Chinese characteristics,’ made notably of the consequences of the cyber-sovereignty principle and the separation between privacy from private actors and privacy from the government. This reflects both the country’s sociopolitical context and geopolitical ambitions, and defines China’s own approach to the question.”) [13] Id. at 107. [14] Schwartz & Peifer, supra note 8, at 179. [15] Shannon Togawa Mercer, The Limitations of European Data Protection As A Model for Global Privacy Regulation, 114 AJIL Unbound, 20–25, 20 (2020). [16] Alex B. Makulilo, The GDPR Implications for Data Protection and Privacy Protection in Africa, 1 INT’l J. DATA PROTECTION OFFICER, PRIVACY OFFICER & PRIVACY Couns. 12, 13 (2017). [17] The GDPR applies to “the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to: (a) the offering of goods or services . . . to such data subjects in the Union; or (b) the monitoring of their behaviour . . . within the Union.’ It also conditions data transfers outside the EU on third states having adequate (meaning essentially equivalent) data protection standards.” Ryngaert & Taylor, supra note 2, at 5. [18] Id. at 6. [19] See, e.g., Voss, supra note 5, at 458; Rustad & Koenig, supra note 5, at 342; Mercer, supra note 15, at 20 (“The consensus view is that European-style data protection [. . .] is becoming the global standard.”). [20] Rustad & Koenig, supra note 5, at 453 (“The authors’ global survey shows that at least twenty countries are currently updating their privacy laws to become GDPR compliant.”). [21] A data controller is “an organization or individual that has the authority to determine the purposes and/or methods of the processing of personal information.” Pernot-Leplay, supra note 12, at 80. [22] A data subject is “a natural person identified by personal information.” Id. [23] Rustad & Koenig, supra note 5, at 435. See also Schwartz & Peifer, supra note 8, at 804. [24] Rustad & Koenig, supra note 5, at 435. [25] Id. at 432. [26] Id. at 437. [27] Resnick, supra note 4, at 293. [28] Paul M. Schwartz, Global Data Privacy: The EU Way, 94 N.Y.U. L. REV. 771 (2019). [29] According to a 2020 article, GDPR compliance cost the world’s 500 largest corporations $7.8 billion. See Resnick, supra note 4, at 280. Breaches of personal data under the GDPR also attract huge fines that are not accessible or efficient for all countries. See Makulilo, supra note 16, at 18. Ultimately, GDPR-like regulation may not justify the cost of corporate compliance. Mercer, supra note 15, at 23. [30] For example, the GDPR has come with new legal concepts such as privacy impact assessment, data portability, privacy by design and by default, the right to be forgotten, etc., most of which are not reflected in data protection laws in many African countries and would require reform to update laws. See Makulilo, supra note 16, at 18. [31] Wade, supra note 7, at 660. See also Respectively, Articles 12 and 17.1 of these Conventions set forth that “no one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honor and reputation. Everyone has the right to the protection of the law against such interference or attacks” and “no one shall be subjected to arbitrary or unlawful interference with his privacy, family, home or correspondence, nor to unlawful attacks on his honor and reputation.” De Hert & Vagelis Papakonstantinou, supra note 1, 280. [32] Anupam Chander & Molly Land, United Nations General Assembly Resolution on the Right to Privacy in the Digital Age, 53 INT’l LEGAL Materials 727, 727 (2014). The resolution identifies the collection of communication data, or metadata, as a human rights concern, and emphasizes the human rights impact of extraterritorial surveillance and data collection. Id. [33] Resnick, supra note 4, at 305. [34] Id. at 321. [35] See Wade, supra note 7, at 679. [36] Resnick, supra note 4, at 308. (“Under the GDPR’s standard, data subjects are identifiable if they can be directly or indirectly identified, by reference to a name, identification number, location data, an online identifier, or one of several special characteristics which expresses the physical, physiological, genetic, mental, commercial, cultural or social identity of these natural persons.) [37] Id. [38] For example, many states have adopted alternative views on a private right of action for consumers, definitions for terms such as “personal information”, and an “opt-out” versus “opt-in” structure to consent. “Opt-in” and “opt-out” refer to cookie style banner options that consumers may partake in in order to communicate their understanding as to how their data is being processed on a given website. See Resnick, supra note 4, at 307; Wade, supra note 7, at 679. The views expressed in this post represent the views of the post’s author only.