Towards One Global Privacy Law
The move towards one global privacy law is not a matter of “if,” but “when.” Business is increasingly conducted online and over transnational cloud computing environments. With estimated data flows of 400 terabits per second, online business is now generating value equivalent to the global trade in physical products.
The successful import and export of goods and services online hinge on the ability to simply “do business” in a legal manner. A small or medium enterprise should be able to cope with issues in compliance, privacy, liability, data protection, copyright, and IP. The imperative is to prevent trade from falling apart when technology and privacy laws are misaligned.
However, when working in cloud computing environments, businesses can easily come in contact with multiple laws and jurisdictions. For example, in 2012, 12 international phone manufacturers were investigated, then cleared, by Taiwanese regulators for suspected violations of the country’s Personal Information Protection Act. This was triggered by allegations that Xiaomi phones were sending personal data to the Chinese company’s servers without users’ consent. As the 2017 International Conference of Data Protection and Privacy Commissioners concluded, there is a pressing need for alignment in data protection laws, or for the establishment of a global legal framework—without requiring countries to compromise their national interests.
Reluctance to Adopt the EU Data Privacy Framework
Over the past two decades, EU data privacy law has been promoted as “global” law, but there has been little or no acceptance of this position in the Asia-Pacific region. For an example, we look to Convention 108, the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data. It is pitched as the “first binding international instrument which protects the individual against abuses which may accompany the collection and processing of personal data and which seeks to regulate at the same time the transfrontier flow of personal data.”
Over the past two decades, EU data privacy law has been promoted as “global” law, but there has been little or no acceptance of this position in the Asia-Pacific region.
The convention has been strongly promoted by the Council of Europe in terms of moving from “a European reality to a global treaty,” but since its inception in 1981, only four non-European countries—Mauritius, Senegal, Tunisia, and Uruguay—have ratified this treaty, and these are not major economies. Clearly, countries outside of Europe do not accept Convention 108 as being truly global. This reluctance to adopt the convention may stem from its lack of consideration of non-European views, and inadequate discussions with non-European players during its formulation.
The imposition of EU laws on Asian-Pacific countries is inadvisable not only procedurally, but also substantively. Many Asian-Pacific countries would find it difficult to comply with Convention 108, which mandates that each signatory country implement “necessary measures in its domestic law to give effect to the basic principles for data protection” as set out in the convention. In contrast to the well-developed privacy frameworks of most European countries, privacy initiatives in many Asian-Pacific countries are still evolving. Some countries in the region are also reluctant to extend privacy legislation to cover government agencies and activities, and issues surrounding democracy, terrorism, and the rule of law further complicate matters. In our opinion, it is fruitless to try to pressure Asian-Pacific countries into accepting EU laws, as these countries are not likely to go against their national interests, especially when the law in question fails to take all viewpoints into consideration.
A Bottom-Up Approach in Asia
Some privacy scholars believe that a “bottom-up” approach should be adopted in the Asia-Pacific, in contrast to the EU’s “top-down” approach. We at the Data Privacy Foundation are pushing for this bottom-up approach. This would mandate the involvement of local experts and stakeholders in local and regional alignment and the rationalization of laws. It would allow for an exploration towards a common denominator for data privacy across the Asia-Pacific.
EU privacy laws are not global by design, but are based on local imperatives and created by groups that largely focus on the European context, protecting European businesses and individuals. Yet there is an approach that pushes non-European regions to adopt these “global” standards, often under threat of exclusion.
The threat of exclusion is now being used to provide global reach and coverage for EU data privacy laws, and the EU has powerful pan-European institutions that can engage and enforce. There are no powerful Asian-Pacific-centric organizations or institutions that can directly engage with European institutions, and which can place Asian-Pacific data-privacy interests—based on sovereign, societal, commercial, and personal imperatives—center-stage. This hampers the move towards the development and alignment of an Asian-Pacific data-privacy legal framework, and leaves the region vulnerable to external pressures to conform.
EU privacy laws are not global by design, but are based on local imperatives and created by groups that largely focus on the European context.
In many cases, Asian-Pacific countries accept EU legal implants under pressure, out of consideration for maintaining competitive positions in international trade. Conviction, not commerce, should be the only valid reason for accepting laws as one’s own. There should be stronger initiatives to broaden the scope and scale of discussions that may lead to the refinement and adoption of a truly global privacy law and framework.
Before this global privacy law can be developed and established, we must ensure that regional laws and frameworks can work together in a more harmonized manner. We support the call for legal coexistence before the move to global law, but it must bring about purposeful alignment towards a common baseline in an Asian-Pacific context. The alignment of laws within the Asia-Pacific is the first step, in our opinion, towards eventual alignment with EU or global laws. There has been some prior work accomplished in establishing an Asian-Pacific baseline, particularly by the APEC group, and the APEC framework may provide a viable path forward for the region.
A Window of Opportunity for Alignment
The current area of opportunity for privacy law is the Asia-Pacific, as unlike the EU and US, where privacy frameworks are well-developed and ratified, there are plentiful opportunities for discussion and alignment in the Asia-Pacific. Organizations such as the Asian Business Law Institute may be in a position to spearhead this initiative. Implementation will not be easy, given the current configuration on the ground, which sees multiple stakeholders and groups working to push their own agendas. The responsible approach is to work purposefully towards a solution.
We are seeking to achieve pan-Asian-Pacific alignment in data privacy laws and frameworks as a primary step [towards a global privacy framework].
The 2017 Asian Privacy Scholars Network (APSN) International Conference held at The University of Hong Kong was a revelation. During the rich and fruitful discussions, it was pointed out that more focus is needed in a purely Asian-Pacific context. We are therefore seeking to achieve pan-Asian-Pacific alignment in data privacy laws and frameworks as a primary step.
The Data Privacy Foundation was formed in 2017 and launched during the APSN conference to assist in this agenda by initiating broader debate and collaboration. We invite all interested experts to contribute to the advisory and validation work we are undertaking. The foundation’s alignment project builds upon earlier work in the field. For example, in the Data Privacy Matrix by Scoon and Ko (2016), data privacy regulations from 12 countries were aligned as initial proof of concept for the automated alignment of technology to privacy law requirements across jurisdictions. This work has been validated by experts in Hong Kong, Singapore, and New Zealand. However, the Data Privacy Matrix was a theoretical exercise and much more work needs to be done upon this foundation.
As a first step, a comprehensive mapping of legislation and regulations needs to be initiated to catalyze a move towards greater understanding and alignment. To make this happen, we need to facilitate more discussion fora, expert groups, country interest, and technical tools. The organizations mentioned above are leading the way, providing the Asia-Pacific with a voice and leadership in working towards a truly global alignment of data privacy laws.