Anyone with even a passing familiarity with data privacy knows that complying with the ever-expanding list of data privacy laws worldwide is a frustrating endeavor. For companies with a global footprint, every transaction involving personal information requires consideration of domestic and international data privacy laws, on top of unique contractual requirements and conditions. If those requirements were static, that would be one thing.
However, the requirements keep changing, and each change requires a fresh examination of a company's compliance position. That effort is complicated further by a regulatory landscape that is both complex and inconsistent. With no global, common understanding of what "good" data privacy protection looks like, companies spend significant time tweaking privacy policies and tussling with third parties over terms and conditions, and the outcome is by no means uniform. A clear, practical and global adequacy standard is needed to ensure consistent data protection across industries and to encourage more consistent data privacy compliance.
The General Data Protection Regulation is the EU's comprehensive data privacy regulatory scheme. Among other things, it gives the European Commission the power to determine whether a country outside the EU affords an adequate level of data protection for EU data subjects (the "adequacy decision" mechanism in Article 45). The GDPR arguably represents the closest thing we have to an existing global adequacy standard, since it has become the measuring stick or model for other regulations. However, the GDPR applies only to organizations established in the EU or to organizations that offer goods or services to, or monitor the behavior of, data subjects in the EU. Moreover, in the U.S. and elsewhere, some companies simply refuse to accept GDPR-compliant terms and conditions because they reject the notion that they should have to abide by a foreign law in the conduct of what they see as their domestic business.
For those that do attempt to comply with the GDPR, there are practical hurdles. Countries have found it challenging to obtain and maintain an adequacy decision from the European Commission. It took Japan two years to obtain one. Post-Brexit, the EU and the U.K. had a prolonged, tense negotiation over an adequacy decision (which has yet to be finalized and is not a foregone conclusion) despite the U.K. having previously been an EU member state. Meanwhile, the commission has twice agreed to data transfer frameworks with the U.S. (Safe Harbor and, later, Privacy Shield), only to see both invalidated by the Court of Justice of the European Union. As a result of the CJEU's recent "Schrems II" ruling, many U.S. companies are now engaged in a labor-intensive risk assessment exercise to validate whether their existing transfers of data subject to the GDPR provide an essentially equivalent level of protection. While the European Data Protection Board has issued guidance on the thresholds and the supplementary measures that may be needed, each company's risk assessment is necessarily subjective, and the result is inconsistent application of the GDPR's data privacy scheme.
Like the EU, other countries and regions have implemented comprehensive data privacy legislation. U.S. states are passing privacy legislation in fits and starts, and hope springs eternal that the U.S. Congress will eventually enact a federal privacy law. Switzerland, Brazil, Australia and other countries have adopted national data privacy regimes of their own. However, no individual state or national privacy law will have the jurisdictional or enforcement reach to have a truly global effect.
There was once an effort to establish a global standard. Specifically, there is a largely ignored international data privacy treaty, the Council of Europe's Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (commonly known as Convention 108). Opened for signature in 1981, the treaty is in many ways the precursor to the EU's data protection law. Despite having 55 state parties, those countries have not uniformly followed through on their commitments, rendering the treaty largely ineffective.
Knowing that a global standard has been attempted before, it is instructive, when considering how a global adequacy standard could be implemented today, to think about the limitations and challenges presented by the current data privacy landscape:
Territorial interests: Not surprisingly, countries are usually not enthusiastic about accepting the laws of another country. National laws are shaped by local interests and domestic political pressures. Any law enacted by one country or a select group of countries is therefore likely to embed parochial interests that further alienate other countries.
Tension between national security and human rights: At the heart of the data privacy conflict between the U.S. and EU is the U.S. government's stated need to collect certain personal information for national security purposes and the EU's stated concern that the collection impermissibly infringes on the rights of EU data subjects.
Genuine disagreements on approach: The panoply of international data privacy laws illustrates that countries have different views on the extent personal information should be protected and the extent to which control over a person's personal information is a fundamental right.
Complicated and impractical requirements: The existing international data privacy regulatory schemes understandably try to address many complex and dynamic data privacy areas and to cover many different types of data transfers. The result, however, is that full compliance is not reasonably achievable for most organizations, and many companies are either uncertain about what to do or unwilling to expend the resources required to comply.
Given the inherently local, and often competing, interests that nations face when they attempt to regulate in an extraterritorial fashion, the pathway to a global data privacy regime may run through a central authority, perhaps the United Nations or the Hague, where countries already come together to debate global issues. Such a central authority could make adequacy determinations for countries based on baseline data protection standards that weigh individual rights, national security and the burden on businesses. The benefits of this approach are that it should accelerate the process of making adequacy determinations, remove adequacy decisions from the whims of regional and political forces, allow countries to join a loose affiliation of data privacy alliances, and leave countries free to adopt their own privacy laws within a principles-based rubric.
Because a global adequacy standard would need to accommodate multiple approaches and interests, it is more likely to produce a set of data privacy rules that is less administratively burdensome and, therefore, more uniformly applied. A global standard would likely address the most significant data privacy risks and protect individual rights while still facilitating the continued and inevitable cross-border flow of data worldwide. Understandable, standardized terms and conditions could be developed. Countries and companies whose attitudes toward data protection currently range from hostile to agnostic might be more willing to engage. In short, there are multiple benefits to finding a workable global standard based on principles that are generally acceptable to the international community and that the average business can implement.
The real question is whether an international organization or group of countries is brave enough to begin the endeavor and bring us a step closer to a comprehensive, global privacy framework.