Can the world converge on data protection? It would be a challenge to establish a worldwide regulatory framework that could offer a global, unitary approach to data protection. One argument often put forward about the current, fragmented state of legislation is that it is hard for companies to manage all the different rules and regulations. While this may be true, it misses the point.
Are we heading towards global regulations on sensitive data? That’s the wrong question. The right question is whether we have achieved a certain level of convergence on data protection given the individual laws that have come into force over the past five years, including the GDPR.
And the answer is yes, there has been a convergence, especially when it comes to GDPR. The European market is big enough to compel market players to change their strategies. For those that want more comprehensive sets of rules, the best possible result might be a series of non-binding recommendations and best practices from an international organization like the United Nations.
Countries are not private companies
The main problem with proposals for all-encompassing, border-traversing regulations is that they misunderstand states’ interests and the importance they place on autonomous decision making. Not only that but the enforcement of regulations by a supranational entity is extremely difficult and only works when there is a convergence of interests or when countries deliberately accept to give up their legal powers.
There are considerable obstacles to this sort of proposal. State sovereignty and national security questions are the first to come to mind. International regulations force states to comply with legislation over which they do not have total control and which can undermine their perceived national interest. The United States, for example, almost never ratifies treaties on human rights and environmental issues for exactly this reason.
Governments often invoke their right to access personal information for national security, sovereignty and law enforcement purposes. The extraterritoriality of cybercrime already makes arrests difficult, leading to international cooperation. The FBI and the RCMP in Canada have often collaborated in the past to investigate crimes. The FBI also has a liaison office in Ottawa for closer cooperation.
In this example, prosecution is based on the jurisdiction where the crime was committed. An extraterritorial data protection law would have to address issues of enforcement, delegation of authority and jurisdiction. There is some uncertainty as to whether this is feasible, but more importantly over whether the players who deal with national security would want such a system.
Global governance is complex, and different states have different interests, values and interpretations. Data anonymity for protection purposes is a good example. There is currently a dispute between Denmark and the European Union over how biological material is considered personal data.
The consensus within the EU is that, if the academic protocols in place are respected, the data is anonymized and therefore not personal. Denmark argues, however, that if the material can be linked to the individual with some effort, it is not anonymized and therefore in violation of data protection laws under the GDPR.
Clearly, the current state of data protection laws is a heavy burden for private companies, research and innovation. Without a global data protection law, states have designed their own laws of which the GDPR is an integral part.
The GDPR’s deterrent effect
While there is no global data protection regulation, there seems to be an effect spreading from the GDPR. The European regulation has had a major impact around the world. It set standards for acquiring, managing and processing European citizens’ sensitive data, for example by requiring explicit consent for data collection.
Want an example? The GDPR and the European ePrivacy Directive are responsible for the widespread adoption, at least in North America and Europe, of requests asking individuals to accept or reject cookies when browsing the internet. This is a concrete example of how a standard can spread.
The GDPR has also inspired similar laws in countries outside the European Union. Quebec’s Law 25, for example, is comparable in its application. The province’s cybersecurity experts acknowledge the European legislation’s influence.
There are many other examples of similar legislation. Bill C-27 is in its second reading in Parliament. The Personal Information Protection and Electronic Documents Act incorporates the general principles of the GDPR, showing how they can spread. India and the United Kingdom are other countries with data protection policies that rely on the EU legislation’s fundamental principles.
These principles are also finding their way into business practices. The European Union is an important market, and we can see that the GDPR has changed the landscape. Multinationals and SMEs that want to do business in Europe have all changed their data protection practices to comply with the law and avoid facing substantial fines. This has helped improve data processing practices.
As discussed, global regulations are almost impossible for a number of reasons, including sovereignty, national security, and the complexity of international governance. However, we can already see the GDPR’s influence in certain policies and markets.
This could be a model for the future. Countries want to maintain control over their data protection laws. The European Union is a special case, and renouncing legal powers will not work on a global scale. Who would be in charge of enforcing global regulations? It would be tough to place the power of binding arbitration in the hands of an international institution.
However, the GDPR has established basic principles (we could call them norms) that other countries have adopted in their own legislations. The size of the European market has also led to a restructuring of companies that want to do business in the EU.