The global data privacy power struggle
By Christopher Kuner
Tension between different regulatory systems has long existed in certain areas (think of the disagreements between EU and US competition regulators regarding the aborted GE-Honeywell merger in the early 2000s). A similar power struggle is currently underway between different legal regimes regulating the collection, processing, and transfer of personal data (variously referred to in different legal systems as “data protection”, “data privacy”, or “information privacy” law), one that will shape the world in the 21st century.
Data protection law has traditionally been viewed as a dreary subject of interest only to a few specialists. But whether it involves filling out government forms, purchasing items on the web, communicating with friends and relatives online, or checking in for a flight, almost every activity we engage in nowadays involves the processing of personal data. The growing importance of data processing is reflected in the large number of countries (approximately 100) around the world that have enacted data protection laws, and the countries and international organisations (including the European Union, the OECD, and the United States) that are currently in the process of revising them to meet the challenges posed by globalisation and the rapid growth of the Internet.
Much personal data routinely flows across national borders, and the same data processing may result in the application of multiple laws. The ease with which data flows internationally also means that data privacy law has become a point of competition between different legal systems, with each one striving to achieve the seemingly impossible goal of simultaneously protecting the privacy of individuals, striking a balance between privacy and other important values (e.g., public security), and furthering economic growth.
This competition has been most pronounced between the European Union, which has recently asserted that other countries should follow the “gold standard” of its data protection legislation, and the United States, which believes that its system is even better. Such international regulatory spats illustrate that nations too often view the subject largely as a way to score political points, and that they have failed to grasp some basic facts about the processing of personal data:
- Protection of data privacy is not just a transatlantic issue. Data protection laws have been enacted all over the world, including by regional organizations (APEC, ECOWAS, and others) and dozens of nations in Africa, Latin America, and Asia.
- It is also not just an online issue. Nearly every economic and social activity nowadays involves the processing of personal data, including the most basic ones. Too often regulatory attention focuses on the online “flavour of the month” (e.g., social networks, search engines, etc.), and fails to recognize that data processing has become embedded in every aspect of society.
- And it is not just an economic issue, but one that can help further important developmental goals as well. For example, the UN Secretary General has begun an initiative called “Global Pulse” involving projects such as the use of data analytics to better understand the global state of health and socio-economic crises. Other organizations are also using data analytics for purposes of development, which can include projects such as using a centralized text messaging system to allow mobile phone users to report on people trapped under buildings following an earthquake, among others. Data protection law is currently not conceived to facilitate the large-scale use of data mining for purposes related to development, public health, and similar goals, but these uses will greatly increase in coming years, and will challenge our assumptions about the purposes and structure of regulation.
Part of the problem is that while data protection and privacy issues have global ramifications, the legal framework for them is still very much a matter of local or, at best, regional regulation. While some regional organizations (in particular the Council of Europe) are attempting to become more global, there are substantial differences in the way the subject is viewed in different countries and legal systems. In contrast to some other areas of the law, there is also a lack of legal instruments and institutions of a global scope covering privacy and data protection.
Legal regulation of data processing often stands in tension with economic pressures that encourage the processing and transfer of personal data, and political pressures that inhibit the development of coordinated and coherent regulation. States are only too happy to adopt legal requirements for the private sector that they are unwilling to comply with themselves (e.g., with regard to data processing for law enforcement purposes), and technology to process personal data advances faster than the law can keep up with.
From being considered a niche area, data protection law has evolved to the point that it is hard to find areas of human endeavour that it does not concern. The way that the struggles over data protection are resolved in the coming years will determine the kind of world we live in, and the kind of Internet we have.
Dr. Christopher Kuner is editor-in-chief of the journal International Data Privacy Law. He is author of European Data Protection Law: Corporate Compliance and Regulation, and the forthcoming book Transborder Data Flow Regulation and Data Privacy Law in which he elaborates some of the topics discussed here. Dr. Kuner is Senior Of Counsel at Wilson Sonsini Goodrich & Rosati in Brussels, and an Honorary Fellow of the Centre for European Legal Studies, University of Cambridge.
Combining thoughtful, high level analysis with a practical approach, International Data Privacy Law has a global focus on all aspects of privacy and data protection, including data processing at a company level, international data transfers, civil liberties issues (e.g., government surveillance), technology issues relating to privacy, international security breaches, and conflicts between US privacy rules and European data protection law.
Subscribe to the OUPblog via email or RSS.
Subscribe to only law and politics articles on the OUPblog via email or RSS.
Image credit: Laptop keyboard with fingerprint enlarged by magnifying glass – computer criminality concept. Image by Jirsak, iStockphoto.