Originally published on LexisPSL and LexisLibrary on June 13, 2019
Data Protection analysis: As part of a series on different data protection regimes across the globe and how UK businesses operate within them, we consider the viability of a ‘one size fits all’ global approach to data protection. Helen Foster, partner, and Rachel Marmor, counsel, in technology, privacy and security at Davis Wright Tremaine LLP consider the benefits and drawbacks of a global approach, and how businesses can best protect themselves against legal conflicts.
In 2018, both Morocco and Brazil aligned their data protection regimes with the GDPR. As the internet is global, is there a possibility of a global law/regime being put in place? Why/Why not?
The General Data Protection Regulation (EU) 2016/679 (GDPR) is the closest thing to a global standard that has yet been achieved. But it is hard to envision a truly ‘one size fits all’ global privacy standard because of the stark differences between the commercial and legal systems of Europe and the US—not to mention that there is currently no organisation that could enforce such a global standard. Consumer data in the US has long been a commodity that belongs, not to the data subject, but to the enterprise that collects and analyses the data.
Consider the US credit reporting system, for example. In the US, the data about individuals collected by credit bureaus is the property of the credit bureau; indeed, until 2004, the data subject would have to pay a fee to review the information a credit bureau had collected about them. This system—of monetising data and individual-level analysis—forms the bedrock of the US consumer credit system, and of the comparatively cheap consumer credit US consumers have enjoyed since the end of WWII. The ability of businesses to share and analyse individuals’ data without interference is a staple of US commerce. Data subjects are entitled to protection from harm (in the form of a specific consumer protection statute), but not to control of that data.
In contrast, information privacy in Europe has always been closely linked with human rights. That perspective emphasises control of personal data uses and flows, particularly as it relates to governmental control. Accordingly, when the commercialisation of individual data is balanced against a fundamental human right, the commercial interest will always lose.
The best path to reconcile the two models is not to discard one model in favour of the other but to develop a set of standards that can accommodate both. For example, the European requirement of a legal basis for processing is inherently at odds with the US model, because the legal basis in the US system is monetisation. However, both regimes rely on the accuracy of the underlying data, so a system that emphasised requirements for accuracy would benefit both models.
What would be the benefits/risks to a ‘one size fits all’ approach to global data protection?
Businesses want certainty. They want to know that their data and practices in one location can be accurately and reliably transferred to and used in another location. This fundamental problem is what drives us toward the idea of ‘one size fits all’. But too often in data protection, one size fits all means abandoning all consideration of the context in which the data was collected and intended to be used.
So a singular restrictive approach may create certainty, but at the cost of innovation. New data uses and technologies would be penalised in order to fit everything into the predetermined model.
Is there a risk of two laws coming into conflict (ie if a business’s use of personal data is legal in one jurisdiction but illegal in the other)? How would this be resolved?
That different jurisdictions may have differing laws is already the reality for many businesses; for example, US state and EU Member State laws vary regarding many financial activities. The challenges can be more significant in privacy, however, because the behaviour that new and proposed laws seek to regulate is often the collection of data over the internet. Such transactions do not necessarily involve information sufficient to identify the location or residence of the data subject, and therefore create a question as to whose law applies.
In some cases, a business can choose a ‘lowest common denominator’ approach whereby any use that is illegal in one jurisdiction is prohibited everywhere. But many of the privacy requirements now emerging in the US would layer different but similar requirements on the same business in a way that cannot be combined, such as requiring categorisation of personal information by one set of categories for one state and another set for another state.
These types of conflicting requirements could be detrimental to consumers, because they could result in information being collected and presented in confusing, and even contradictory, ways. Compliance costs could also increase for businesses, but without any measurable increase in benefit to consumer privacy.
With the variety of new legislation coming into force across the world, what can businesses with international dealings do to best prepare themselves and ensure their operations remain legal and uninterrupted?
Businesses should look to be strategic with their data protection compliance. The foundational principles of data protection remain essential:
- securing data from unauthorised access
- maintaining accuracy and integrity
- public transparency
- accountability for commercial collection, use and sharing
Businesses should start embedding these principles into their operations before they are forced to do so by new laws, and consider adopting ‘privacy-by-design’ to ensure that privacy controls are integrated into new products and services, and company culture generally.
Finally, many businesses continue to collect and process large amounts of data as part of their everyday operations, but do not employ dedicated, qualified privacy and data protection professionals, which is like crossing the Atlantic without a chart or compass!
Interviewed by Samantha Gilbert