In Fragmentation in International Data Protection Law, panelists discussed the rapidly spreading and often contradictory laws protecting consumer data, incorporating the perspectives of corporations (Geff Brown, Microsoft), consumer activist groups (Carolina Rossini, Access Now), academia (Peter Swire, Professor of Law and Ethics at Georgia Tech), and government (Justin Antonipillai, formerly of the Department of Commerce and currently of WireWheel). Here are five key take-aways:
- Data protection laws have gone from a parochial European phenomenon to a global trend.
Traditionally, European countries have been particularly active in pushing for data protection, as shown most recently in the EU’s enactment of the General Data Protection Regulation (GDPR). However, laws are spreading rapidly, with over one hundred countries implementing some sort of protections. All four of the BRICs countries have adopted or are considering data protection laws and the U.S. Congress is increasingly debating the issue. U.S. states are also passing data protection laws, including the recently enacted California Consumer Privacy Act and initiatives to pass laws in Vermont, Washington, and Massachusetts.
- Data’s move into the cloud means that data protection laws anywhere affect data everywhere.
Today, users anywhere may be accessing data on a server located anywhere and, as a result, domestic or regional data protection laws impact the entire world. U.S. organizations scrambling to comply with the EU’s GDPR are familiar with this, but the impact flows in the opposite direction, too. Before the recent passage of the U.S. CLOUD Act, a police officer who was investigating a local crime in the EU but needed evidence from a server in the U.S. might have to wait a year or more to get a warrant from a U.S. judge under the Electronic Communications Privacy Act. These concerns are not hypothetical: as a Belgian audience member heatedly complained, Microsoft’s Skype is currently fighting for its right not to provide wiretaps ordered by Belgian courts.
- Fragmentation between data protection laws stems from different regions’ fundamentally different privacy frameworks.
European countries view privacy as a basic human right, enshrined in their Constitutions, the European Convention on Human Rights, and the Charter of Fundamental Rights of the European Union. This contrasts sharply with the U.S.’s strong emphasis on freedom of information. Typically, Americans assume that personal data can be used, unless there is a justification for prohibiting it, while Europeans assume that personal data cannot be used, unless there is a justification for permitting it. One panelist reported that an EU official privately confided that big data is probably illegal under the GDPR. If this conflict is not resolved, it will upend industries that have premised their future on massive use of big data.
- Compromises have broken down.
For years, U.S. companies and European countries accommodated their conflicting frameworks through a deal in which U.S. companies publicly pledged to comply with EU data protection laws, allowing the U.S. Federal Trade Commission to take action against the companies for misrepresentation under U.S. law if the companies violated EU law. However, the future of this deal is in doubt, as the EU grows increasingly concerned with privacy. In 2015, the European Court of Justice (ECJ) struck down the original version of the deal, called the U.S.-E.U. Safe Harbor, in Maximillian Schrems v Data Protection Commissioner, C-362/14. Although the U.S. Department of Commerce quickly negotiated a new deal, now dubbed the EU-U.S. Privacy Shield, Schrems challenged the new deal, too, and it is again headed back to the ECJ, its future dubious. If the ECJ decides that U.S. privacy protections remain inadequate, this will impact tech companies not only in the U.S. but in any country that does not share the EU’s high level of privacy protection.
- Consistent laws are needed, but not necessarily uniform laws.
The fragmentation of data protection law has left tech companies scrambling to reconcile hundreds of conflicting laws. Within the U.S., many now advocate for a single, national data protection law, including the Chamber of Commerce and panelist Justin Antonipillai. However, even panelist Geff Brown of Microsoft believed that it was not only unlikely but undesirable to push for uniform laws internationally. Instead, he encouraged countries to develop a global forum that would allow them to create laws that reflect their own values but are consistent enough to be interoperable.