Internet Data Privacy Regulation: Not If, but How and by Whom
When it comes to security and privacy legislation, what happens abroad does not stay abroad. While the United States remains muddled in a complex patchwork of state and industry-focused regulations, other countries are moving full-speed ahead to shape the future of digital security and privacy, with authoritarian frameworks gaining traction globally. We are at a significant inflection point, where decisions made now will dramatically shape the future of the internet, security, and privacy for generations. The United States originally created and shaped the internet with utopian aspirations, but U.S. leadership continues to wane in the creation of both formal and informal standards. There is too much at stake to give in to the growing digital authoritarianism that leaves US companies and citizens in reactive mode to external forces that infringe on security and privacy.
Absent global leadership, there are two distinct frameworks that are gaining traction – the digital authoritarianism best epitomized by China’s national standards and a democratic counterweight under the European Union’s General Data Protection Regulation (GDPR). Given this leadership vacuum and the absence of global cyber norms, the authoritarian model is gaining traction with significant impact on democracy and the future of security and privacy.
In China, personal data protection falls under the umbrella of cybersecurity and thus must be viewed within this broader framework and government activities. China’s recent cybersecurity law is far-reaching and includes government-led security reviews of technology products, including source code and data. While it has been haphazardly implemented, China can ramp up these reviews under the auspices of national security. China also requires data to be stored on local servers, and has forced encryption keys to be stored within its borders.
In many regards, the description of personal data protection may sound similar to the GDPR with China’s updated national standard on personal information protection focused on how data is collected, stored, and shared. Implementation, however, will be difficult as the standard runs up against the Cybersecurity Law and China’s social credit system that rates citizen trustworthiness based on a broad range of inputs, and can impact everything from dating sites to loan qualifications. Recent breaches also offer dystopian insights into data collections focused on tracking citizens via DNA and assessing women’s fertility status.
This approach to data localization and cyber sovereignty is gaining traction. Roughly half of all countries have enacted some form of data localization laws, with many mimicking aspects of the Chinese approach. Vietnam’s cybersecurity law came into effect earlier this year, and requires data storage within their borders, outlaws government criticism, again justified as “ (protects) national security and ensures social order and safety on cyberspace, and responsibilities of agencies.” Thailand’s government recently passed cybersecurity act offers sweeping governmental powers to access computer data and networks, make copies of information, and seize computers or any devices.
Other countries are seeking even greater control and aspiring toward complete sovereign control over cyberspace. Attempting to copycat China’s Great Firewall, Venezuela, Iran, and Russia are all seeking their own sovereign internet. Venezuela introduced a bill that would create an all-powerful authority to manage and control the internet over cyberspace. In Russia, a recent bill similarly called for an autarkic internet that would allow the Russian government to flip the switch on the internet. Iran similarly has aspirations for a sovereign internet, and seeks to block and control the flow of information within its borders. Across the globe, many governments experiment in internet blackouts and censorship to address domestic instability and opposition.
In each of these cases, these new laws are justified under national security. This is an important point as weakened encryption is currently justified under same auspices in democracies, providing authoritarian regimes no recourse in making similar claims. Australia’s new law requires access to data that essentially weakens encryption, and was passed despite significant opposition from the security community. Fergus Hanson, head of International Cyber Policy Centre at the Australian Strategic Policy Institute was prescient when he stated, “What happens here will ricochet everywhere.”
In fact, India is considering new rules where tech companies would be required to hand over any information demanded of them by government or law enforcement agencies and “enable tracing out of such originator of information on its platform.” This is specifically aimed at WhatsApp to trace original sourcing of viral disinformation and would require WhatsApp to break its end-to-end messaging encryption. The law also would prohibit unlawful information or content, which has many worried about growing censorship.
As these growing infringements on data privacy spread globally, the EU’s GDPR currently is the dominant counterweight in favor of individual data privacy and protections. With core features such as consumers’ right of access to their data, the right to be forgotten, breach notification, and consent requirements, the GDPR seeks to empower individuals – not governments – with better data protections.
While the GDRP tackles the data access issues, it also similarly opposes the data localization and storage requirements and advocates for the free flow of information. With the EU created based on the free flow of goods and services, the GDPR similarly allows for the free flow of data across borders but requires similar protections for that data abroad. Preferential trade agreements are another source countering local data storage. The CPTPP requires the free flow of data and may well be the first test for Vietnam’s data storage requirements. The USMCA (aka NAFTA 2.0) – which is still under discussion – also includes the free flow of data and runs counter to Canada’s data storage requirements.
As countries across the globe progress with new cybersecurity and data privacy regulations, the U.S. continues to muddle through with a patchwork of state and industry-specific regulation. There are currently over 90 different digital privacy proposals in state capitols, many of which follow the lead of the California Consumer Privacy Act (CCPA), which comes into force in 2020. There are also over 50 different data breach notification laws, one for each state as well as Washington, DC, Guam, Puerto Rico, and the Virgin Islands.
Despite muddling through, there finally seems to be some movement toward a federal data privacy regulation within the U.S. Over the last year, public opinion has shifted in large part due to the confluence of unauthorized data access thanks to high profile breaches such as Marriott, the Cambridge Analytica scandal, as well as the GDPR coming into effect. Tech companies – potentially seeking preemption from the CCPA – have also acquiesced that some regulation may be needed.
From hearings to a range of potential data privacy proposals, the world is watching the U.S. for leadership in data privacy that could reverberate globally. There is a significant need for a U.S. data privacy model focused on privacy as a fundamental right to counter the spread of the authoritarian approach to data access and storage.
As Cybersecurity Policy fellow at New America Samm Sacks has noted - “..the United States is becoming more isolated globally on data policies, with U.S. companies in reactive mode as new data rules increasingly shape operations in major markets globally.” While there certainly is a need for a public debate surrounding the details of a U.S. federal data privacy law, there isn’t much time to lose. The longer the absence of U.S. global leadership in this area, the easier it is for the authoritarian model to spread.