Data Protection and Global Data Governance
Peter Chase
Senior Fellow at the German Marshall Fund
Issue #2, Spring 2021 (21x29,7cm, 186 pages, 24€)
Authors: Peter Chase
Governing Globalization
Anda Bologa: We look forward to hearing your views – those of a former U.S. diplomat and vice-president of the U.S. Chamber of Commerce for Europe – on privacy, data protection, the GDPR and the European Court of Justice rulings on Privacy Shield, as well as the broader issue of global data governance. The basic assumption underlying European views of privacy seems to be the need to protect human dignity, a concept going back to the right of individuals to preclude unauthorized publications of private information, also known as the “right to one’s own image”. Do you agree that privacy is a culture-specific concept? If so, does a different cultural background lead to a different approach to data protection frameworks?
I am convinced that human beings everywhere treasure keeping some part of their personal space private regardless of the culture they come from. In this sense, the need for privacy is not dependent on culture per se. However, there are historical and cultural aspects that affect the specifics of how the broader society in a country may view privacy. For instance, in the US most people think of privacy first as freedom from governmental intrusion. In this sense, most Americans find it difficult to understand that European countries all require citizens to register their residence at the local police station; to most Americans, that’s none of the government’s business. Nonetheless, many citizens in Europe share the desire to limit governmental invasion of their personal space, especially those who have been subject to such intrusions in recent history.
However, there is an important distinction between privacy and data protection, although in the EU these notions are often conflated, as they are even in your question. Specifically, the focus of the EU General Data Protection Regulation (GDPR) of 2016 is essentially to protect the personal data of individuals from unscrupulous corporate advertising (“monetization of their personal data”); it does not address privacy in the sense of protecting people against the government, which is more my notion of privacy. Indeed, the GDPR and its predecessor, the Data Protection Directive of 1995, explicitly carve law enforcement and national security out of scope.
The debate on privacy issues in Europe was stirred in the last decade both by the Snowden revelations and the overall development of internet platforms leading to what is called a “surveillance society”. What are the main threats contemplated in relation to the (mis)use of data in the EU?
Mr. Snowden’s 2013 revelations that the U.S. government was able to access personal information held by American companies is one of the reasons these issues of privacy (generally, against the government) and data protection are so often mixed up in Europe. When most Europeans think of personal data, they think of large social media and technological platforms that scoop up their data and then use it to sell targeted advertisements or other targeted messages. To me, the issue does not lie with the companies gathering and processing data as such, but more specifically with the purpose of the data processing. I am not convinced that the best way to solve the issue of companies monetizing our data is by a general restriction on everyone’s ability to process data. That is to say, perhaps we should be going after the targeted advertisement (and messaging) model rather than data processing per se. That would go closer to the problem that people perceive.
The connection with Mr. Snowden is the ability of U.S. law enforcement and national security agencies to access the data held by internet companies. That of course is a valid and important concern about privacy. But the issue is not if the data is available or can be made available to those agencies, as they have multiple ways to get information on individuals; instead, the concern should be about what limitations are placed on those agencies and their ability to collect and use personal information. In the United States, this always requires the authorization of a judge via a warrant or subpoena, even if some in Europe feel that the U.S. Foreign Intelligence Surveillance Act (FISA) courts were too lenient. (They were, before Snowden; they have demonstrably tightened up since.) Going back to the divide in perception between the US and the EU, the ability French law enforcement has to access a citizen’s data (which again is not governed by the GDPR) is far broader and less restricted than in the United States, and indeed would be unimaginable by American standards.
Since its adoption in 2016 the GDPR has been in the spotlight receiving its fair share of praise and criticism. Do you think it represents a good model of global data governance?
To me, your question is first one of good regulatory practice. That is to say, if a government is going to adopt a law or regulation, it needs to know what societal problem it seeks to address. That is, there should be a theory of harm. In the area of protecting personal data, a clear example is medical data. This information is clearly very private and should be protected by law. So, it is certainly appropriate to regulate protection of some personal data, if the abuse of that data can lead to harm.
To me, the GDPR is written so broadly that it is difficult to find a theory of harm behind it. The GDPR begins with the concept of personally identifiable information, that is, any information that can be attached to an individual. Your name, address, whatever. This is a huge range of information, and the GDPR wants to regulate any and all “processing” of it. If the GDPR sought only to regulate the “harm” caused by using your data to create a “profile” of you and then use that to send you an advertisement or a political message, that would be understandable. However, that would not be regulating all processing of all personally identifiable information, which is what GDPR does.
So, we can think of a good public policy that would involve the protection of a certain amount of personal information, but this is not protecting everything that is done with all personally identifiable information. The extent of regulation should depend on how the data is used, as much as on other things.
Second, when the scope of a regulation like GDPR is so extensive, it is almost by definition impossible to enforce. And if a law is impossible to enforce, this encourages people to start disregarding the law, which is the opposite of good public policy.
The one area where the logic of the GDPR truly breaks down is where it has absolutes. Although the scope of the GDPR is to my mind far too large, the Regulation has much more flexibility than a lot of EU officials will admit. That is, it is more risk-based and thus not as constraining as some people believe. GDPR, for instance, explicitly allows for direct marketing, when according to the logic some privacy advocates have, it should not allow for it. However, GDPR becomes extremely rigorous when it comes to third countries, as it prohibits the transfer of any personal information to third countries that do not meet certain standards.
To be truly meaningful, the GDPR, like any law, must be enforceable and enforced. The EU, however, often creates what we call “unfunded mandates” – it makes great laws but then leaves it to the Member States to enforce them. This approach creates vulnerability for EU law in the scarcity of budget and limited capacity of the enforcement agencies in the Member States.
In this sense, the GDPR is only now beginning to be tested. The data protection authorities have the right to levy fines, but companies against whom those fines have been levied have then the right to go to court. As we will go through those legal processes it will be interesting to see how the GDPR will be enforced.
In its July 2020 Schrems II judgment, the European Court of Justice declared invalid the European Commission’s decision that personal data of Europeans could be transferred to companies in the United States that adhered to the EU-US Privacy Shield arrangement, because of invasive US surveillance programs, thereby making transfers of personal data on the basis of the Privacy Shield illegal. What is your assessment of this decision, and what does it mean for transatlantic data flows?
The ECJ findings in this case, as well as in the first Schrems case of October 2015, are deeply problematic because they state that personal data can only be transferred to non-EU countries where they enjoy the protections from government intrusion guaranteed by the European Charter of Fundamental Rights. That is, although the Data Protection Directive and the GDPR both explicitly carve a European government’s law enforcement and national security actions out of scope, the ECJ has brought them back in for foreign countries. The ECJ reasons that European countries subject to the GDPR are also subject to the Charter, and therefore the Commission can only determine if a foreign country provides “adequate” protection for Europeans’ data if the government of that country acts as though it were also subject to the Charter.
This has a certain appeal, as the protection of personal data is meant to be a “fundamental right.” But it runs quickly into real practical problems, when, as the ECJ says in Schrems I, the transfer of any personally identifiable information to a country that is not adequate “must be prohibited.” To me, this takes the GDPR to its illogical extreme.
Indeed, I cannot understand how under the two Schrems rulings it is possible to send any personal data at all to Russia, China, Turkey or even Israel, which benefits from a pre-Schrems adequacy decision. In all these cases, the governments are even “better” at reading private communications that include personally identifiable information than America’s NSA – there are no restrictions on their access to that information at all. If indeed European data authorities decide to prohibit transfers of personal data (that is, even the sending of an email which of course has your name) to countries unwilling to subject their domestic security procedures to European evaluation, this will create serious problems for the European economy and society.
Specifically on the Privacy Shield: you have to remember that the EU-US Privacy Shield Arrangement was developed after the ECJ declared the predecessor arrangement, the “Safe Harbor,” invalid in Schrems I. After that happened, and the ECJ brought into these adequacy decisions the question of constraints on a government’s access to information held by private firms, the Obama Administration undertook numerous commitments to ensure that US law enforcement and national security agencies can only access Europeans’ personal data held by companies on the basis of certain judicial procedures. In the Schrems II decision, the ECJ finds that these commitments are not good enough, and indeed that even such mechanisms as the “standard contract clauses” are not good enough in the case of the United States.
This is a problem. I seriously doubt that the US government will make any significant changes to the commitments it undertook when agreeing to the Privacy Shield. Those commitments already go far beyond what most member state governments would accept on the behavior of their own law enforcement and national security agencies. Washington may accept some improvement in the “ombudsman” procedure by which European residents can dispute U.S. government use of their data, but that’s about it. So, if a new agreement is found, that agreement will not look very different from Privacy Shield. The Commission will argue that the alternative of prohibiting all transfers of all personal data to the US would be disproportionate – and it will be right.
Only another decision of the ECJ can rectify this, by stating that a full prohibition on the transfer of any data is not what the GDPR, the Charter or even the ECJ meant. Rather, it will find that restrictions must be done in a proportionate, risk-based, manner, which is what the Commission currently argues – against the EU’s data protection agencies, which are much stricter. It is possible that an ECJ ruling on the Commission’s new adequacy decision on the UK can give us an answer, but it’s certainly not going to be easy.
In light of the Schrems II judgment, could it be expected that an improvement in transatlantic data flows might come from developments in federal privacy legislation in the US? Do you see a window of opportunity for EU-US cooperation in matters of data privacy?
The US has extensive privacy and data protection legislation, but not a single GDPR that covers all processing of any personal information. For instance, the US has criminal provisions for divulging health and financial data. There is, however, a growing consensus among Senators and Congressmen, both Republicans and Democrats, against the way in which personal data is being used to generate profiles and sell targeted advertising, especially by big tech companies. I think we will have a law in the US protecting personal data from that sort of “abuse.” I think it will be more tailored than the GDPR and most probably will not have provisions regarding transfers to third countries.
In terms of cooperation, I can see a window now. There is no doubt that many things about the GDPR have had a positive impact on the debate in the US. In addition to the benefit to the EU of being the first mover, there is also a cost, which is that people will look at what the first mover has done and will want to do it better. So maybe in three years’ time you’ll see Europeans saying that the US version of the GDPR is better than the one the EU has.
As we speak, 76% of countries across the globe have in place or are developing data protection legislation. To what extent is the trend of adopting data protection legislation stirred by the GDPR? Do all jurisdictions that adopt privacy legislation similar to the GDPR do it for the same motives?
Indeed, the European notion that individuals should have the power to control the use of their data has had a global influence. Many countries have copied the GDPR, and its echoes are being felt increasingly in the other regulatory camps of the United States and China – what Anu Bradford called the “Brussels effect”.
And if governments actually understand that people can and should have private spaces and that those should be protected, this is a positive trend. However, precisely because the GDPR does not protect the citizens against abusive authoritarian governments, it does not do what is necessary in many places to protect people’s privacy.
More significant, perhaps, is that the most important aspect lies not just with the law, but with its enforcement.
The EU has a systemic need to regulate as it seeks to remove government-imposed barriers to the free movement of people, goods, services and capital among the member states. Regulation is the only instrument of public policy the EU has, given its relatively small financial capability. However, as mentioned earlier, if the law is not properly enforced and this stops citizens believing in it, that’s a problem. Hence, the translation of the GDPR in many different countries might appear to create a public good, but it will do so in the end only if those countries properly enforce it.
Global data governance is an integral part of internet governance. It is generally understood as the governing of cross-border data flows through norms, principles and rules applied to various types of data. Is the EU on its path to set data governance standards at the global level?
The perceived success of the GDPR feeds the EU desire to set the global norms for a human-centric internet, an ethical AI, common data spaces, and similar notions. Currently the EU aims to create universal governance structures for all data, not just personal data. When people in Brussels discuss data governance, they envisage legislative frameworks for all data that can be gathered and measured, even if it does not relate directly to a person. In my view, creating rules for all data we can record is not a wise approach.
When we talk about data governance and global data governance, we have to be very careful not to make the mistake of GDPR by trying to decide in a single instrument how all data is governed. What we should do is to come up with internationally-accepted regulations for specific sectors where we can define a societal harm that needs to be addressed.
Do you think that we are moving towards a further Balkanization of the internet, or can international cooperation be achieved through multilateral institutions?
This is a different issue from internet governance. The Balkanization of the internet already exists, as China has already cut itself off from the internet. The filters in China are so deep that the experience of the internet in China is very different from the one we have here in Europe. I am afraid that a lot of other governments will want to use something similar to the many technologies that China has created for the great firewall. They too would prefer to be able to censor the internet to stop distribution of information that is critical of those governments. That to me is a serious concern because it goes directly to what democracy is about – the relation between the individual and the government, and the capacity of the individual to question and even change the government. A lot of people in public administration in different countries do not like the public questioning the way the government works. In that sense, I’m afraid there will be a Balkanization of the internet, but it’s not going to be a Balkanization that’s caused by differences in data protection rules, as much as one driven by governments that want to be able to prevent or censor criticism of them.
This to me goes to the heart of the issue of internet governance, because you have a real difference going on in the International Telecommunication Union and other places about whether or not governments should be able to censor some or even all of the content that is available on the internet. Against that you have the theory that the internet offers access to information to anyone, anywhere. I like this liberal idea.
I like the idea that I am able to use the Internet to read newspapers from India, Brazil and other parts of the world, without a government that would control that.
While there are several multi-stakeholder international institutions which coordinate the process of internet governance, the struggle today is largely geopolitical. What is the EU’s role in internet governance and how do you see the interrelation between its normative power in setting data protection standards and its leadership in internet governance?
The EU is constantly trying to build coalitions of countries that support the open internet and the applicability of international law to cyberspace. Generally, this is a good approach, and the EU is on a good path.
However, because of the effect of the GDPR on data transfers, I think the EU will face a major issue in building coalitions on internet governance with other countries. In particular, the Schrems II case has unveiled the tension between the EU’s general good sense of what internet governance is and should be, and the very restrictive application of the GDPR. You cannot say a country is “inadequate” to receive EU personal data on the one hand, because it does not adhere to the EU Charter standards, and on the other hand ask that same country to support your approach to the governance of the internet.
This tension has to be addressed by the EU, and in order to do so the EU has to be willing to bring more proportionality to the application of the GDPR and the Charter to international data transfers. In this way, by escaping the most absolute parts of it, the GDPR can become a better law and a better model for global internet governance.
Cite this article
Peter Chase, Data Protection and Global Data Governance, Aug 2021, 133-136.