Data Governance in America: Between the Silicon Valley Consensus and California’s Privacy Rules
By Adil Nussipov
Data regulation in the U.S. is driven by the belief that all data should flow freely. California begs to differ, giving citizens more rights over their personal data.
A study by McKinsey Global Institute estimated that already by 2014, trade in data contributed more to global GDP than trade in traditional goods and services. The United States, an incubator for data-driven companies and a leading global exporter of data-driven services, more than anybody else enjoys the economic value of the data flows. It is no surprise then that the creation of an enabling environment for a frictionless free flow of data is a cornerstone of America’s approach to data governance.
However, the state of California has recently introduced new legislation that may change the current situation. A set of principles about how to govern data known as Silicon Valley Consensus have driven much of the data policy in the United States. However, the introduction this year of California Consumer Privacy Act may be a game changer.
The Silicon Valley Consensus
At its foundation, the Silicon Valley Consensus was a belief that technological change leads to economic prosperity for individuals, cities, regions and states, as Michael Piore, a professor at the Massachusetts Institute of Technology (MIT) wrote. This belief has never been formally codified as a coherent economic program, but it rather exists as a set of principles. It had its most visible effect seen in Obama administration’s digital trade policy, known as the Digital Dozen.
In the area of data governance, the Silicon Valley Consensus translates into a set of three principles that guide the government’s data policy: free flow of data, prohibition of data localization and a basic level of data protection, according to Thomas Streinz, a professor of law at New York University.
First, data governance in the U.S. is driven by the notion that the free flow of data, including personal data, should be allowed if the purpose of the exchanges is doing business. This flow can be interrupted only out of public policy concerns, Streinz wrote in 2019. Second, the U.S. advocates against the data localization principle supported by China and Russia where governments require to store and process personal data only within the boundaries of their countries. This ban on data localization applies to cross-border flows of data in the U.S. Lastly, the U.S. guarantees only a minimum level of data protection that would not affect the economic benefits of the free flow of data across borders.
What lies behind these principles is the idea that data protection and privacy inhibit innovation, as explained by Anupam Chander and Uyen P. Le in an academic article published in 2015. The validity of this idea is yet to be tested, but it certainly motivated the US to take the-less-regulation-the-better approach to data governance.
Unlike the EU, which has a comprehensive regulatory framework for data protection that covers all types of data flows, the U.S. has a sectoral approach to data governance where laws that regulate specific types of data provide only a minimum set of guarantees for the free flow of data, Paul M. Schwartz, an expert in privacy law, wrote in 2013.
Domestically, financial data are protected under different regulations on banking data, credit reporting and financial privacy; health data are protected under the Health Insurance Portability and Accountability Act (HIPPA); and privacy of children online is protected under the Children’s Online Privacy Protection Rule (COPPA). Internationally, in 1997 the U.S. issued its first global policy on international data flows, the Framework for Global Electronic Commerce, that prioritized achieving access to foreign data markets over providing adequate data protection, Susan Ariel Aaronson and Patrick Leblond wrote in 2018. Thus, the only body acting as a sort of federal-level data protection agency in the U.S. is the Federal Trade Commission (FTC).
The other outcome of the American approach is that data governance is seen solely as part of regulations on international digital trade rather than an issue that requires itself a comprehensive regulation. Being one of the main crafters of Trans-Pacific Agreement (TTP), the U.S. has used its lobbying power to project the Silicon Valley Consensus onto the agreement’s chapters on regulating digital trade and cross-border data transfers. Even after leaving TTP, the U.S. incorporated the same model into the North American Free Trade Agreement (NAFTA) 2.0, the trade agreement newly negotiated by the Donald Trump administration, and the free trade agreement of the U.S. with Japan.
California Consumer Privacy Act
If it wasn’t for recently introduced California Consumer Privacy Act (CCPA), the divergence of approaches between two major data powers in the world, the U.S. and the EU, would have been more dramatic than it is now.
The state of California is now both home to the American start-up industry and the first legislation in the country aimed specifically at data protection. Starting on 1 January 2020, CCPA provides California’s residents with a range of rights to manage how their personal data are collected and used by private businesses. It is hard to say that CCPA was inspired by Europe’s personal data protection directive GDPR because, although the two regulations are similar in many respects (both acknowledging the rights to access and delete collected data), under GDPR, all citizens can exercise these rights whereas under CCPA only consumers of services can. Moreover, the CCPA differs from GDPR in how, for example, it regulates more types of data.
In spite of all that, however, the CCPA marks a shift in thinking about data protection in the U.S. The effect of this shift may go beyond the borders of the U.S. given the leading role of American tech companies in the global digital supply chain. How this shift will affect global data governance is yet to be seen.
First, it is not clear if CCPA will catalyze data protection regulation on the federal level, and, if it will, whether it will serve as a model law. If the federal government adopts CCPA as its main data policy domestically and internationally, there is an opportunity for convergence of data governance models at the global level. In spite of their differences, GDPR and CCPA still have common points, which may serve as a solid foundation for negotiations of global data standards. However, if CCPA is to be left confined to the borders of California, we will observe further fragmentation of global data rules including fragmentation across and within countries.
Second, with the creation of CCPA, firms operating globally are expected to spend even more money than before to comply with data protection laws. Multinational companies had to totally reorganize their data management system and spent significant amounts of money to comply with GDPR already. They will do the same to comply with CCPA. There is a chance that this patchwork of national data rules and the cost of compliance will prompt these companies to advocate for unified global data governance standards.
It is hard to make predictions about how exactly CCPA will change things. However, what is clear is that the market-driven approach toward data regulation in the U.S. has been at least questioned following a series of data breach scandals, the phenomenal rise of the tech industry and the growth of the online political marketing. The CCPA is only the first outcome of all that.
Adil Nussipov is a researcher working on a project aiming to map the global data governance and to identify the design of the global data governance architecture. He also works on the Media Influence Matrix project at the Center for Media, Data and Society and acts as Global Governance Editor at E-International Relations.
In the next posts, we will discuss data governance in the EU, China, OECD and APEC. You can read the first post here.
References
- Aaronson, Susan Ariel and Patrick Leblond. 2018. “Another Digital Divide: The Rise of Data Realms and Its Implications for the WTO.” Journal of International Economic Law 0: 1–28.
- Chander, Anupam and Uyen P. Le. 2015. “Data Nationalism.” Emory Law Journal 64: 677–739.
- Schwartz, Paul M. 2013. “The EU-U.S. Privacy Collisions: a Turn to Institutions and Procedures.” Harvard Law Review 126: 1966–2009.
- Streinz, Thomas. 2019. “Digital Megaregulation Uncontested? TPP’s Model for the Global Digital Economy.” In Megaregulation Contested: Global Economic Ordering After TPP edited by Benedict Kingsbury, David M. Malone, Paul Mertenskötter, Richard B. Stewart, Thomas Streinz, Atsushi Sunami. Oxford Scholarship Online, DOI: 10.1093/oso/9780198825296.001.0001
