Different Strokes

There are divergent approaches to data regulation across the US, China, and Europe. The US has a laissez-faire approach, China tends to be oriented towards state-centric control, and Europe is overtly rights-based. The growing schisms between these approaches are causing fragmentation, leading to a call for a common ground in global data governance.

This article was first published in The Mint.

One of the more interesting sections of the Justice Srikrishna Committee Report was its analysis of how different countries think when it comes to regulating data. Since the release of the report in 2018, the divergence between the US, European and Chinese approaches has, if anything, only increased. A recent paper titled ‘The Transnational Data Governance Problem’ looked into what this means for the future of global data governance.

Different Approaches

The US has always had a laissez-faire approach to data regulation. It tends to look at personal data as property and believes that anyone who has a legitimate claim over data also has the right to alienate it. As a result, rights over personal data can, in the US, be adjusted by simply agreeing to the terms of a privacy policy.

In China, tech companies tend to be regulated in much the same laissez-faire manner as their US counterparts, except that in China data is also perceived as an asset that the state can use to secure the country’s financial and economic stability. As a result, Chinese regulations tend to focus on ensuring state access to data, while at the same time allowing private companies to innovate with it. Europe has taken a rights-based approach, conferring on all natural persons a set of statutory rights, which ensure that the consent they provide doesn’t extinguish their rights over personal data.

The EU’s General Data Protection Regulation (GDPR) sets out these rights along with the legal mechanisms that can be deployed to enforce them, including such provisions as an individual’s right to require that data in the hands of a data controller be deleted or ported to another data controller.

Cross Border Data Flows

These differences extend beyond data protection—to the manner in which these countries think about cross-border flows of data. The US, in line with its philosophy of liberal market capitalism, supports the unrestricted flow of data across borders; the Trans-Pacific Partnership is an example of this, requiring participating parties to commit to maintaining legal frameworks that promote cross-border data transfers.

Europe, in keeping with its human rights-based approach, prioritizes data flows to countries whose legal systems meet its high standard of adequacy—requiring all other countries to go through a set of additional hoops if data is to be transferred to them. While it is possible to conclude bilateral arrangements for data transfers, they are subject to review and—as the US discovered to its dismay with both the Safe Harbour and Privacy Shield arrangements—repeal.

China has adopted perhaps the hardest line of all. Two decades ago, it built the ‘Great Firewall of China’, a massive surveillance and censoring system that it uses to control the movement of data packets across its borders with the level of fine-grained accuracy only possible with the use of technological tools.

Digital Sovereignty

The most important consequence of all this is that we now have widely divergent approaches to the issue of digital sovereignty. Thanks to their first-mover advantage, US tech companies currently have effective control over all three layers of the modern internet: the infrastructure, the code and the content layer. Given the global reach of these companies, they exert an influence well beyond the sovereign territory of the US, which lets them function as de facto ambassadors of the US liberal market approach in every country where they operate.

China, thanks to its Great Firewall, has aggressively enforced its sovereignty over data within its land borders, but increasingly, through initiatives like the Digital Silk Road, has also begun to export this uniquely Chinese approach to any other country looking to replicate its state-centric approach.

Europe, which, unlike the US or China, has neither the technical infrastructure with which to ring-fence itself, nor any domestic alternatives to the US tech giants, has chosen to strictly enforce its human rights and fair business conduct regulations on all international tech companies that operate within its sovereign territory—requiring them to comply or pay hefty fines.


With each passing year, the schisms between these different approaches to data governance are only getting deeper. As our world becomes increasingly dependent on data, the level of fragmentation that this divergence has begun to cause is bringing with it costs and complications that we can ill afford.

What we urgently need is to find common ground between these different approaches so that we can come up with a base normative framework for governance that everyone agrees upon. We need to hard-code that into our technical and regulatory systems. Once that is done, we will be able to layer on top of that the regional variations which reflect the historical, cultural and developmental objectives of individual nation-states, incorporated to address their own unique concerns.

The Srikrishna Committee analysed the three dominant approaches to data governance with a view to proposing a fourth path for Indian data governance. It proposed a framework that, rather than focusing solely on the protection of personal data, also allows this data to be used for empowerment.

As convinced as I am of the benefits of this approach, unless we can align the core of our data governance framework with the common principles shared by other governance models around the world, I fear we will end up making an already fragmented space even more divided.