Will governments work to ensure the free flow of data, or fall back to protectionism? wonder Mike Swift and Matthew Newman

As citizens, businesses and governments mark the 40th anniversary of the first Data Protection Day, the importance of safeguarding sensitive personal data during the Covid-19 pandemic is on the top of everyone’s minds.

Never before has so much of life been lived online, and to some degree there will be no going back. Billions of people are using instant messaging and video calls to work, learn and be entertained, and buying the necessities of life online rather than in a store as social distancing and stay-at-home orders keep people home. Rather than building contact-tracing systems themselves, governments around the world turned to Apple and Google to build the apps to trace infections.

The global struggle to quell the Covid-19 pandemic has underscored the importance of safeguarding citizens’ sensitive personal data held by companies and governments as never before. The massive profits being reported by the world’s largest Internet companies are evidence of how Covid-19 has accelerated the transition towards data-based societies and economies.

“What we are witnessing is the dawn of a second wave of digital transformation sweeping every company and every industry,” Microsoft CEO Satya Nadella said as the company announced record revenue this week — including its first-ever quarter earning $5 billion in revenue from Xbox and other games alone.

The steady march toward more data protection awareness has continued since the EU’s landmark General Data Protection Regulation took effect in May 2018. But in 2021, the most important action on data protection is likely to be elsewhere in the world, particularly in Asia and the Americas.

All over the world, countries are adopting privacy and data protection laws, or strengthening laws they already have. Last year, Brazil adopted data protection legislation, and the world’s three most populous countries, China, India and the US, have all recently adopted or are considering new laws.

“Over the next 12 months, the proportion of the world population subject to data protection laws may very well surge from 10 percent currently to more than 50 percent,” said Omer Tene, chief knowledge officer at the International Association of Privacy Professionals.

That will make life more difficult for Internet companies both large and small. Because of the increasing global fragmentation of data protection laws and the legal uncertainty about the free flow of data, no longer is it certain that a person boarding a plane in San Francisco will see the identically functioning social network and other online services on her phone when she lands in Brussels or Delhi.

Data flows

Twenty-five years ago next month, Silicon Valley essayist John Perry Barlow released a seminal statement about the future of the Internet. Titled “A Declaration of the Independence of Cyberspace,” Barlow’s manifesto declared that the global World Wide Web was a force superior to national sovereignty, eroding the ability to governments to block the free flow of data — or ideas.

A generation later, Barlow appears to have gotten it exactly wrong. As the world observes Data Protection Day, marking the Council of Europe’s international privacy treaty, the Convention 108, national sovereignty is fragmenting the Internet in 2021, rather than the Internet hobbling governmental power.

Europe’s revolutionary GDPR, by requiring that other jurisdictions provide essentially equivalent privacy protections before receiving the personal data of Europeans, has led to the nullification of the EU-US Privacy Shield and undermined the legal basis for data transfers around the world.

The effort to find a successor agreement to the Privacy Shield will occupy the central attention of policy makers in Europe and the United States in the coming months. But data localization laws in force or under consideration in Asia and elsewhere are also raising serious concerns.

Businesses are also concerned that data localization laws in some countries — such as China, Vietnam, Russia and possibly India — could harm international data flows. These laws force companies to store or process data within a certain territory and reflect a growing trend of digital sovereignty. Countries are pushing back against US-based tech companies and are trying to build up their own digital champions.

While China has long blocked Western Internet platforms such as Facebook, YouTube, Twitter and WhatsApp, the US is now engaging in similar conduct in trying to limit the growth of, or even disable, China’s TikTok and “super app” WeChat in the US. The new Biden Administration will have to decide in the next few weeks whether to pursue or drop ongoing litigation in federal courts in Washington DC and California against the Chinese services.

Tighter regulation

With new data protection agencies being born in two countries with among the biggest Internet audiences in World — India and Brazil — and in the US state which is home to many of the world’s biggest Internet companies — California — tighter regulation of personal data continues to be a global trend.

Possessing the world’s largest Internet audience outside of China, India is expected to send comprehensive data protection legislation to its Parliament this winter or spring. A parliamentary committee is drafting legislation to create a new national data protection authority even as lawmakers try to muscle their way through 89 proposed amendments.

Adding urgency to India’s efforts has been the decision by WhatsApp to impose on users a take-it-or-leave-it update to its privacy policy, creating different rules in India and other countries than in the EU. The government’s view is that the inequity of that position is a “major cause for concern.”

From the beginning of its legislative process, however, India’s leaders have declared they do not plan to follow the privacy templates of Europe, the US or China — declaring that India would take its own course. And while previous drafts of India’s data protection legislation echo key elements of the GDPR, such as its financial penalties and a “Right To Be Forgotten,” Indian lawmakers are claiming a strong element of digital sovereignty in considering data localization rules intended to extract the maximum economic value of Indians’ personal data locally.

The governing board of Brazil’s new National Data Authority, or ANPD, took office in November, and it will be able to assess privacy fines starting later this year. For now, though, the regulator is off to a slow start, with a small staff, no permanent office and no permanent budget allocation. Brazil has the world’s fifth largest Internet audience, trailing only China, India, the US and Indonesia.

The ANPD’s director, Miriam Wimmer, said last week that authority will eschew “traditional regulation” in favor of “responsive regulation,” a form of “dialogue-based regulation” in which the ANPD will strive to avoid fines and “encourage” companies to correct behavior that violates the law.

And in California, which would be the world’s fifth largest economy if it were an independent country, the process of appointing the board to run the California Privacy Protection Agency — the first standalone US data protection authority — has begun, with the five-member CPPA board expected to be in place by mid-March. By July, the new CPPA board will assume rule-making authority from the California attorney general.

One jurisdiction that isn’t poised to get a new data protection authority in 2021 is the United States, which continues to stand out as the largest developed country in the world without a national privacy and data security law.

Beset by a pandemic that new President Joseph Biden said is likely to kill 600,000 Americans, the pandemic and the economy will be higher priorities for the US Congress in 2021. If Congress does dig into tech regulation this year, it is more likely to tackle online platform content moderation first by making changes to Section 230 of the Communications Decency Act, the legal shield for user content that both Democrats and Republicans say needs to be changed. The incoming US Secretary of Commerce, Gina Raimondo, told senators this week that she supports Section 230 reform.

For multinational Internet companies, that all adds up to a confusing picture that is unlikely to resolve soon. “We are definitely in a period of unbelievable uncertainty,” Google’s chief privacy officer, Keith Enright, said recently. “There are multiple legal regimes that are in a state of unprecedented flux right now.”

EU’s Big Tech regulations

New privacy rules aren’t the only international concerns for Silicon Valley tech giants.

In Europe, policymakers have proposed two major measures — the Digital Services Act and the Digital Markets Act — that will set rules on how companies manage data. While EU officials insist that the measures aren’t protectionist, these plans are raising concerns from US companies that European markets may no longer be as open as they once were.

With the DSA and the DMA, which were proposed in December, EU policymakers are signaling a much tougher approach to Big Tech companies such as Google, Facebook and Amazon. The DSA would force these platforms to accept responsibility as content moderators, and the DMA would introduce rules to rein in digital “gatekeepers” in e-commerce markets.

The free-wheeling days are over of allowing Big Tech to take advantage of the EU’s internal market of 450 million people in 27 countries without any real barriers to how they operate.

The worry for US companies isn’t so much that the EU will drive a regulatory wedge between itself and rest of the world — creating a Balkanized Internet such as the walled-off markets in China — but that the draft bills will increase costs and complexity and heap compliance burdens on the biggest platforms.

EU officials insist that “digital sovereignty” means boosting home-grown companies. The EU doesn’t want to miss the next wave of digitization with the arrival of ultra-high-speech mobile 5G networks. In 2019, Europe contributed only nine out of 46 companies — including SAP, Yandex and Zalando — to the global platform business market, according to researcher Gartner. The top eight companies, with a market capitalization of $10.4 trillion, were either American or Chinese: Apple, Microsoft, Amazon, Alphabet (Google), Tencent, Tesla, Facebook and Alibaba.

EU Internal Markets Commissioner Thierry Breton, the former CEO of France’s Orange and Atos, knows that the EU has missed the chance to leverage personal data to create the next digital social-media goliath. His goal is to take advantage of the bloc’s trove of industrial, transportation and national health data. While US companies have had a strategic first-mover advantage by creating network effects with social-media, the EU wants to boost innovation through its Data Strategy.

Breton is also promoting the EU’s Gaia-X cloud-infrastructure project, which will provide infrastructure for companies to share and store data in the cloud under the protection of EU privacy rules. Most companies that have joined the project are European, but this alternative to US cloud providers Amazon and Google has also attracted interest from at least 30 non-EU companies.

The concern for US companies is that the EU measures will raise barriers for US cloud providers and smaller start-ups. Critics have argued that the Data Governance Act, part of the EU’s Data Strategy, could promoting a protectionist agenda.

Next steps

In the EU, complaints about protectionism are regarded as out of place. The EU sees itself as a beacon for safe and trusted data flows globally, with the GDPR as the “gold standard” in protecting privacy and easing international global flows. The US will have to hew to that standard in 2021 as Biden’s Commerce Department attempts to negotiate a successor to the Privacy Shield which, to respond to the European Court of Justice “Schrems II” decision, will require changes on the US side in how Europeans get redress for privacy violations by US intelligence agencies.

As the world today celebrates Data Protection Day — in another example of fragmentation it’s called “Data Privacy Day” in the Americas — and continues to confront Covid-19, it remains to be seen how the pandemic will inspire companies to integrate privacy policies into their products and services.

Will governments be inspired to pass strict data protection laws, or shrink back into a protectionist mode by erecting walls and applying data localization policies?

Predictions of a borderless Internet have been undermined in recent years, but citizens’ demand for more privacy protections and better online services may shift the balance toward high data protection standards and free flow of data.

 

Mike Swift, Chief Global Digital Risk Correspondent – Mlex 
Matthew Newman, Chief Correspondent – Mlex