In one of many quotable Shakespeare-isms, the famous bard wrote in “The Tempest,” “what’s past is prologue.” In the instance of data transfers, national borders and digital trade, the “prologue” stretches back to the early days of the Y2K era with a landmark case against Yahoo! — the big technology player of the day. A French court blocked Yahoo! from selling Nazi memorabilia to French users on its auction sites.
Yahoo!’s lawyers argued this would be technically impossible, as the internet “has no borders.” Internet pundits warned the ruling could set a legal precedent in which a country could have the right to reach across its own physical boundaries to impose its rules on data stored in other nations.
Hindsight is 20/20
More than 20 years later, those pundits’ warnings turned out to be true.
It’s becoming the status quo for governments to pass laws that impose dos and don’ts on businesses’ data processing practices — regardless of where that business is located. While there are many tech issues ranging from content moderation to IP, the focus here is on the data protection laws that have surfaced in the last few years — like the EU General Data Protection Regulation and China’s Personal Information Protection Law.
There are two key innovative elements that have businesses all over the globe paying attention. They are:
- That these laws have an “extraterritorial reach,” meaning that organizations based outside the physical region of the established data protection law are still subject to that law if they process data on individuals known to live within that region.
- If data is to be transferred outside of that law’s physical region, then the business must try to leverage transfer mechanisms to ensure an appropriate level of protection is guaranteed in the country receiving the data.
Global economic implications
These elements have two major real-world economic consequences.
The customer’s loss
A growing number of businesses refuse to broaden their market base into regions with strict data protection regimes. One human resources tech startup company said they do not want to move into the EU market simply because they do not want to deal with the compliance obligations of GDPR. Another tech company, Microsoft Corp’s LinkedIn, shuttered the localized version of its professional networking platform in China due to “a significantly more challenging operating environment and greater compliance requirements.”
Privacy professionals admitted in 2021 that compliance with data transfer rules is the most difficult part of their job. We may be reaching a tipping point in which the risk of doing business in these regions outweighs any potential benefits for the company and their customer base — who are the ones that ultimately miss out.
The rise of data nationalism
The second implication is even more alarming. The regulators in charge of enforcing these data protection laws may not want foreign businesses operating in their region in the first place. The most infamous example of this is the Court of Justice of the European Union’s “Schrems II” decision in which the EU-U.S. Privacy Shield framework — the main method U.S. companies relied on to conduct transatlantic trade — was invalidated because:
- U.S. surveillance programs were not found to be limited to what is strictly “necessary and proportional” according to EU law.
- EU citizens lack actionable judicial redress and do not have a right to an effective remedy for redress.
While the decision still upheld the validity of standard contractual clauses as a valid transfer mechanism, it is unclear whether this method will be sufficient to allow onward transfers to the U.S.
For instance, last year, the Portugal Data Protection Authority ordered the National Institute of Statistics to stop using Cloudfare, a U.S.-based cloud-security company, as it was possible Cloudfare could move data to the U.S. Despite the fact the parties had SCCs in place and Cloudfare said it didn’t transfer any of the data to the U.S., the Portugal DPA cited the “Schrems II” decision, claiming that SCCs were insufficient.
Several months later in the Wiesbaden decision, a German administrative court blocked the use of Cookiebot — a Danish consent management provider that relied on a U.S.-based service to collect data, even though that data never actually left the physical borders of the EU. The court clearly did not care that the data never left the EU, as they never evaluated whether a "data transfer" actually occurred. Instead, the court assumed a transfer occurred as long as the recipient of the data could potentially be subject to legal requests by non-EU authorities.
Most recently, there has been a flurry of activity against Google Analytics thanks to noyb, Max Schrems’ European privacy campaign group. The noyb group filed 101 complaints with DPAs across the EU, specifically targeting websites with regional operators that leverage Google Analytics and/or Facebook Connect integrations. We are at the very beginning of the ramifications of those complaints.
Case in point: The Austrian DPA found this past month that an Austrian health-based website violated Chapter 5 of the GDPR — which deals with transfers outside of the EU — in its use of Google Analytics. It didn’t matter whether the data physically left the EU or even if supplemental measures like standard encryption were used: “As long as [Google] has the possibility to access data in plain text, the technical measures invoked cannot be considered effective.”
Around the same time, the European Data Protection Supervisor upheld a complaint against the European Parliament over its use of Google Analytics on a COVID-19 test booking site it was using in order to “minimize the risk of spoofing and for website optimisation purposes.” This has also led to the Dutch DPA’s public warning on its website that the use of Google Analytics may soon be prohibited within its territory. Privacy experts are fearing the worst as DPAs are expected to issue a coming wave of decisions in various EU member states, such as Cypress, Malta, Poland and Romania.
China has also been active on its data-nationalist measures. In addition to PIPL, it has promulgated a cyber security law, a data security law, and most recently published its latest version of “Draft Measures” (Draft Measures on Security Assessment of Cross-Border Data Transfers).
Multinational companies in China have already been advised to work with local partners and data storage facility centers to comply with government-led security assessments. This suggestion underscores the fundamental aims of these new laws emerging from China: restrict the ability to export data outside of the country while ensuring domestic control over that same data.
The geopoliticizing of data
Who processes data and how it is processed — especially when it is outside of a national border — is increasingly becoming a geopolitical issue. Laws like GDPR and PIPL offer privacy protections for the citizens that reside in those jurisdictions, but they are additionally being used as a front for economic protectionist aims to better control the profits and opportunities inherent in the data ecosystem.
This intent is never directly stated — for a legal mechanism like SCCs is typically considered insufficient due to fears around U.S. surveillance, rather than a lack of economic protectionism. And to be fair, both the EU bloc and China rely upon the strict civil-law-based legal system, in which courts look to the exact laws published to determine what type of rulings and procedures to follow — rather than a common law system that is based on historical cases and judicial precedent interpreting those laws.
However, parties across the globe are starting to wake up. Cookiebot explained with regards to the Wiesbaden decision that “at the center of this case is the wider political issue between the EU and U.S. on data transfers as manifested in the ‘Schrems II’ ruling.'”
This is in line with recent economic trends in which many countries are undertaking protectionist policies such as:
- Increased tariffs and imports.
- Competitive devaluation.
- Embargoes and other non-tariff barriers.
As Mahananda Ray, author at The Geopolitics, commented: “The number of free trade agreements, by and large, is on the decline since the past few years. In contrast, the numbers of protectionist measures that are still in force have been consistently on the rise … Even when it comes to countries that are largely in favor of free trade and minimal restrictions, such as the countries of the European Union, protectionism and protectionist policies are employed to protect certain domestic industries and producers.”
To complicate matters, there are no set global standards for digital trade. Trade agreements may typically cover physical goods, but do not always cover digital goods. Nations are left to rely upon data localization measures, which aim to limit data flows across borders by requiring foreign companies to store and process data within those national borders — and find themselves subject to additional laws of those nations.
These data localization requirements could be seen as non-tariff barriers to trade. If businesses are unwilling to serve foreign markets due to onerous transfer requirements — or if the regulators in those markets are unwilling to allow foreign businesses to provide services to their citizens — then the free-flow of data is the casualty.
Are these nations cutting off their nose to spite their face? The European Commission has already published its "European Data Strategy" claiming that future laws like the Digital Services Act will provide “fair access to markets to start up, scale up, innovate and compete on fair terms,” but such measures seem to blindly ignore the damaging effects of this protectionism. A report from DIGITALEUROPE found that domestic measures that increase data localization act as a tax on a country’s exports. Their modeling estimates that a loss of cross-border data flows on exports from sectors that rely upon data would lead to an annual reduction in Europe’s GDP worth at least 330 billion euros, or around 2.5% of the total GDP of the EU.
The projected impact to China’s GDP is less clear, but the real-world implications have already been documented. One effect of limiting data flows is that companies in China have grown more reluctant to share information due to the uncertainty of what type of information they can actually share with foreign partners. According to The Wall Street Journal, Chinese companies are unwilling to release standard business data, such as how much material of a given good they have, shipping locations for tracking goods, or financial statements assessing a firm’s creditworthiness. These Chinese firms cite compliance with their security laws, but these restrictive measures make it harder to accurately track the flow of real-world goods and increase the risk of fraud for companies looking to do business in China.
This practice of refusing to share standard business data in the name of data protection can be seen as a clear non-tariff barrier that ultimately hurts China’s ability to do business with foreigners. Meanwhile, regulators in both the U.S. and China are looking with increased scrutiny at variable interest entities, or VIEs — a business structure that’s been used to circumvent Chinese restrictions on foreign ownership of local businesses. Taken together, these two developments will likely have a chilling effect.
Towards a global village
What might the future hold? The year and decade ahead guarantee more burdensome requirements when it comes to processing data across borders.
In addition to the GDPR and PIPL, businesses need to contend with data transfer rules for Brazil, the United Arab Emirates, Mexico and more. India’s proposed data protection law requires consultation with the central government. And, as the U.K. looks to create more business-friendly reforms to its own version of GDPR post-Brexit, it puts its adequacy standing (its ability to bilaterally process EU data without further authorization needed) greatly at risk.
The question is at what point will our global community wake up to how these protectionist measures are taking us backward toward a more balkanized internet — and ultimately a more balkanized world. Instead of moving toward a global standard for digital trade, we are moving backwards towards isolationist policies — all in the name of “privacy.”
Not all hope is lost. While negotiations to replace the struck-down EU-U.S. Privacy Shield are dragging on, they are still (in theory) taking place. As businesses scramble on how to comply with PIPL’s restrictive measures, the U.S. Senate Committee on Foreign Policy called for pursuing a potential digital trade agreement through the Asia-Pacific Economic Cooperation. In both scenarios, we would ideally see robust multinational agreements in place for digital goods — including user data — which would allow for practical mechanisms that permit foreign businesses to freely operate within those nations and better serve those markets.
Media theorist Marshall McLuhan predicted in 1964 that we would live in a “global village.” Since then, we have seen a boon in technology and digital services that allows individuals all over the world to instantly interact with one another for personal and professional purposes. The data output created by this global village should be collected, used, and shared in a responsible manner. As a village, let us find a way to work together to protect our data while enabling its continued flow across borders.
Photo by Kyle Glenn on Unsplash