The Realpolitik of Data Protection Laws and Regulations

Ayden Férdeline
Read, Write, Participate
Jun 26, 2019
Mozilla Fellow Ayden Férdeline (center) in Dubai in March 2019

Around the world, policymakers are grappling with a huge dilemma when it comes to putting consumers in control of their personal data: where, actually, is the data?

The question is rarely simple to answer. The location of the physical servers that store personal information can often vary from where the operator of that hosting service is itself incorporated, which too can vary from the location of the person whose data is being processed — and the company who collected the information in the first place. And this is before we consider the locations of all the other third parties who can be involved in processing personal information, from vendors, contractors, tech teams, and infrastructure providers, through to the registrars and registries that assign domain names and IP addresses that are essential for data to technically flow from one place to another.

These overlapping and typically conflicting territorial criteria make it extremely difficult to safeguard privacy, because the separation of sovereignties and non-interference between nation-states that has for hundreds of years underpinned the international legal system renders national laws and court decisions difficult to enforce. And if there is anything I have learned, it is that businesses do not always do the ‘right thing’ when they can’t be compelled to.

This situation represents a real concern for all stakeholders. For governments, the Internet and the free flow of data present an unprecedented threat to the Peace of Westphalia treaties, and can also be very embarrassing, because an inability to enforce national laws threatens a government’s legitimacy. For industry, the inapplicability of jurisdiction when it comes to data flows poses economic and reputational risks and threatens business certainty. For civil society groups, witnessing the growth in disputes being resolved and mediated privately, and not through the courts, poses serious threats to civil liberties and accountability. For individuals, this situation not only threatens their human rights — it creates a sense (if not a reality) that one is powerless to protect oneself and one’s privacy.

The solution to this problem is not easy to identify, but without an answer, we will never be able to strengthen the accountability of data controllers while at the same time meaningfully empowering individuals so that their personal information is protected. Both, ultimately, are the holy grail of every data protection law that has ever been envisioned.

But we shouldn’t reinvent the wheel. Other industries have operated across national borders for decades and have had to determine which laws are applicable even when the territorial nexus is uncertain. When I began my Mozilla fellowship, I settled upon a theory of change for my work that involved not only interacting with organizations and stakeholders I already knew, but I said I would step into a new theatre. That’s why I began engaging with the financial services sector earlier this year to understand how they deal with jurisdictional challenges and data flow issues.

I travelled to conferences in Dubai in March and Bangkok in May to speak with executives and senior leaders from some of the world’s largest retail banks, along with growing banks in emerging economies, about how they have operationalized a new wave of data protection laws. In a nutshell, they don’t have the answer to this challenge either.

Mozilla Fellow Ayden Férdeline (seated on the far right) speaking at a conference in Bangkok in May 2019

Many of these financial institutions have been perplexed by the disconnect they see between sectoral laws that require transparency and ‘open banking’ APIs, and generic, omnibus privacy laws that apply to all data controllers. As banking executives explain it, how can they be expected by policymakers to address vulnerabilities as data flows throughout their supply chains, while at the same time being expected to be more transparent with people about how their data is being used and to introduce ‘open banking’ APIs that make it easier for consumers to switch from one financial institution to another? In some territories, any company — no matter how small, no matter whether insured, no matter their business model — can have a legal entitlement to suck up customer data through ‘open banking’ laws if they just happen to coerce a consumer into consenting to sharing their data.

On one level I feel like the problems here have to be possible to address.

I think the objectives that policymakers have in wanting both transparency and privacy are quite reasonable. Individuals should be empowered to have a say in how information concerning themselves is used, and they should have the capacity to easily port this over to another service, for their own purpose, if they so desire.

The deficiencies in notice-and-consent are well-known and supervisory authorities should be able to take enforcement action against those companies which do not secure meaningful consent and abuse their access to personal information. The problem is, we see that the supervisory authorities do not consistently enforce the law. Whether that’s because they are under-resourced or politicized or it’s just impossible, we can debate the reasons…

Ultimately, enforcing the law here is essential, because providing the tools to access great volumes of personal information with ease does, necessarily, open up the potential for abuse. We’ve all seen how ineffective Facebook has been at safeguarding personal information, allowing at one point any developer to download nearly anything it liked about a user without doing any due diligence beforehand. Enabling the further and unrestrained flow of sensitive data, while perhaps seen as empowering and facilitating competition, is simply not a privacy protecting behavior. That does not mean it should not be permitted; it only means that there should be safeguards in place to address abuse.

But this is the catch-22. We can’t prevent abuse, because we can’t enforce data protection laws, because where the data is stored almost always varies from where the user is or other actors are. And the solution is not national clouds or mandating data sovereignty, because that impedes Internet traffic routing patterns and has previously been abused by some governments to engage in Internet censorship, shutdowns, and content blocking. That hasn’t been possible to date, because what is remarkable about the Internet in its present form is its resilience. Data can flow from A to B without limits and without respect to national borders.

Now some think that the Internet’s global reach should change. I do not. Much like when cars first came to the market, early automobile pioneers focused on permissionless innovation and getting more people driving. It was only when cars started to crash and damage arose that authorities introduced regulations and legally-binding traffic rules. New rules make sense, and we should work to develop them — just not at the expense of everything that makes the Internet such a transformative social tool and economic engine.

For now, it seems like voluntary, private mediation is the only way we can even attempt to try to fill the institutional gap that exists given our lack of transnational cooperation frameworks for protecting privacy across borders. It’s not a great solution and it doesn’t always work. But as an interim bridge until we find something else, it’s all we have. And if we improve these processes and push for more transparency, hopefully they can reduce some of the harm and uncertainty. Much like how traffic rules have not entirely eliminated car crashes, a whole lot fewer people are harmed than would be without them.
