A world of seamless information flows, which many forecast a decade or so ago — a world of “information internationalism” — looks less and less likely today. We are moving ever closer to three “data-governance zones” characterized by three often sharply different sets of rules for regulating personal and business information and enormous amounts of data flowing within and through nations: a world of “information nationalism.” Differences among these zones and countries include: the role of government in obtaining access to data; limits of various types on the ability of companies to collect, store and utilize data; differing levels of transparency required for obtaining and utilizing data; divergent rules on localization of data storage; and sharp variations on the level and methods of user consent.
In many ways these rules and approaches reflect differences among the histories and governmental systems, as well as attitudes about individual rights in these countries or zones. These sets of differences raise new challenges to cross-border interoperability of information-related technologies and the nature and degree of information flows and management among individuals, businesses and services.
These zones may be porous enough to continue to permit substantial international data flows and avoid imposing such tight restrictions that large numbers of individuals and companies are prevented from actively communicating at various levels — but with a range of new constraints in some key areas. And compromises are certainly possible in order to permit efficient use of new technologies and far greater cross-border data flows in certain but more limited areas. However, current and emerging divergences could be quite stark in numerous ways, posing challenges to flexibility and openness. And because they represent differences among histories, social values and government systems, many differences will be difficult to reconcile. Moreover, there is no international institution to establish common rules or norms, or to at least narrow them in key areas.
The zone that has focused most on privacy and rules has been the European Union (EU). Its system is largely based on the General Data Protection Regulation (GDPR). While Europe’s system of regulations is continent-wide, including the United Kingdom after Brexit, the United States, largely because of its federal structure, is characterized by rules promulgated by individual states. And China’s system is nationwide but in one major area takes a very different view from both Europe and the U.S. — government’s nearly complete access to all information and data. There are other countries with very different sets of policies and regulations, but these three are likely to be the ones that will set trends.
Europe: Protection of personal data in Europe is tied to the view that privacy is a fundamental right. This view has taken hold since World War II. Data privacy has become a major issue in many quarters. And European-wide nongovernmental organizations and collective governmental institutions have strongly advocated for privacy rights.
As Oxford Analytica has noted, the European Parliament has blocked the export of banking and travel data to the U.S. This was done in spite of U.S. pleas that this was needed for effective anti-terrorism measures. And the European Court of Justice established what is known as the “right to be forgotten” and then invalidated the U.S.-EU Privacy Shield arrangement. The GDPR includes such features as minimized data collection, increased transparency, greater localization and broad use of “user consent.” It is enforced by the European Data Protection Commissioner and data protection institutions in member countries. Its provisions will need to be updated periodically as technologies and business models emerge. EU member governments with stronger and more data-intrusive central governments may differ from the focus on privacy.
United States: America’s leaders have not adopted the European view that there is a generalized “right to privacy” in this area — even though several cases in other areas have emphasized the need and priority for protection of privacy. Congress passed the Privacy Act in 1974, but it applies only to federal databases.
As Oxford Analytica notes, much of the U.S. privacy and data protection is regulated by individual pieces of legislation related to such areas as consumer protection, health and financial information. In contrast to Europe, where rules are largely related to private companies, American rules and laws have been more focused on this country’s history of limiting government power, which can mean limiting the amount and kind of information it collects on citizens. But government-business frictions over this subject have been growing.
Much of the new movement so far, as Oxford Analytica notes, is at the state level. The California Consumer Protection Act confers the right to know about how data is used, options to delete personal data, the choice to opt out of the sale of personal data, and non-discrimination vis-à-vis users. Then Virginia came in with its own set of rules — as have other states. Support is growing for a federal law on privacy and the use and collection of data.
China: Until recently, China did not have broad data protection rules similar to those in Europe or the U.S. The government has avoided anything that might interfere with its ability to obtain citizens’ information. But lately, as the digital economy expands, China has produced new legislation.
Beijing has enacted laws on consumer protection, and is working on legislation on personal information protection for some sectors and some kinds of technology companies. Some language even appears to be modeled on the GDPR.
The big difference, of course, is that there are no protections of individual information and data from the state. China’s Data Security Law, as described by Oxford Analytica, protects what is called “important data” — data whose destruction, distortion, alteration or disclosure would affect China’s national economic, social and cultural security. Beijing has developed a five-tiered system, with increasingly strict cybersecurity and data protection requirements for higher tiers.
The three models reflect the different priorities for the zones/countries. This tri-zone system and the prospect of further regulatory policy divergence present formidable challenges for global communication and data management/flows of all sorts, with much of the impact likely to be on businesses and services dependent on cross-border data transfers or business models that differ from provisions laid out in regional or country laws and regulations. More broadly, each of these zones/countries sees its system as a model for others. For example, China’s system may be a model for other nations with strong central governments that want to maintain tight state control over information. Europe’s approach to data protection is seen as a model for some other countries; several influential groups in the U.S. and elsewhere have argued for emulating regulatory features contained in it. And some changes being made or contemplated in the U.S. may exert considerable influence in other nations. So the three zones, in time, may have geographical scope and influence well beyond their borders.
Whether rules, norms and practices can be forged to avoid greater digital nationalism or divergence remains to be seen. But the global system clearly will be a lot less seamless and probably a lot more complicated to navigate than most of us had imagined a decade or two ago. In some cases, this will be a source of new types of 21st century international friction that will require new sets of policies and new types of “technology diplomacy” from Washington.
Robert Hormats is managing director of Tiedemann Advisors, a New York-headquartered financial firm. He was undersecretary of State for economic growth, energy and the environment, 2009-13; a senior official of Goldman Sachs from 1982-2009; assistant secretary of State, 1981-82, and a former ambassador and deputy U.S. trade representative, 1979-81. As senior economics adviser to three White House national security advisers from 1969 to 1977, he helped to oversee the U.S. opening to China. Follow him on Twitter @BobHormats.