The sovereignty of data
The lack of a unified global approach to data and regulation is a serious impediment to global business, says Dean Armstrong QC, Dan Hyde & Sam Thomas of Cyber Counsel.
Data has been described as the new oil. It may be more important than that. It’s the lifeblood of the world and its value is inestimable. The approach to the security of data is one of the most significant issues facing governments, corporate entities and individuals.
The European model
Next May, the General Data Protection Regulation (“GDPR”) comes into force in all European Union states, although it has ramifications which are even wider. It is the first attempt at a unified law to govern the collection, control and processing of personal data. It has sanctions which are very severe, fines of up to four per cent of worldwide turnover or €20m, whichever is the higher.
It places the sanctity of an individual’s personal data at its root and its principles are based on being able to show active and demonstrable consent, embedded rights of the data subject to ensure that entities only keep data for the purposes specified in the Regulation and it ensures that a data subject has a “right to be forgotten”.
This development will ensure that there is a sea change in the way that entities who are subject to European jurisdiction, treat personal data. They become custodians of someone else’s valuable property and they are required to deal with personal data in a way consistent with an item of significant value. There are individual rights of redress built into the Regulation and evidence will be required to show that dealings in personal data have been conducted appropriately.
EU rights to individual data paramount
In Europe, the rights of the individual in relation to his or her data have therefore been recognised as being paramount. Interestingly, and as if to underline just how important data has become, significant legislative initiatives have occurred in China, Russia and the United States. In the former two cases the role of the state in data protection and management has been placed at the centre of regulation.
The Russian approach
In Russia, on 1st September 2015, the Russian Federation passed a law which required personal data relating to Russian citizens to be stored on servers physically located within the country. Companies including Viber and Ebay complied, and moved relevant personal data to Russian servers. Google reportedly also complied. Facebook, Twitter and LinkedIn, decided not to comply with the new requirements.
Roskomnadzor, the Russian regulator, sued LinkedIn for non-compliance, and won its case twice, first in a lower court in August and then again, on 10 November 2016, in a Moscow city court. At this point access was blocked. Roskomnadzor made it clear compliance would require moving Russian users’ data onto Russian soil and by amending its user agreement that states that the company collects not only personal data of its users but also personal metadata (IP-addresses and cookie files) of its website’s visitors. In the US cookies are not considered to be personal data; however, the Russian approach is consistent with UK Law and EU regulation.
The new Chinese initiative
China has enacted a new Cyber Security Law which commenced on 1 June 2017. This is a sea change because any European model of personal data protection law has, to date, not been recognisable in China. China has not previously passed any meaningful comprehensive data protection legislation that regulated the collection, control and processing of personal information. On 1 June this changed but while China’s Cyber Security Act does give a nod to protection of an individual’s rights it has State interest and sovereignty at its epicentre. The new law impacts on what it terms “network operators” who, when handling personal information, must abide by regulations that chime with GDPR namely (in broad terms) that:
-The collection and use of personal information must be lawful, proper and necessary.
-That the purpose, method, and scope of collection and use is transparent and consensual.
-That they do not disclose, alter, or destroy without appropriate consent.
-That they report data breaches and put in to effect remedial steps.
-That they process a subject request for deletion (akin to the right to be forgotten) or correction.
The definition of “network operators” is widely drawn and would cover even the domestic user with more than a single computer (or indeed device) with access to a printer. Almost everyone is caught and those deemed “critical information infrastructure operators” (CIIOs) are forced to physically store within China (ie within its geographical borders) personal information and important data which was produced within China.
In short this Chinese data must be physically kept on servers within China, thus chiming with the law in Russia. The State may also conduct what are termed “security risk assessments” to trawl through all their data. The new law allows State intrusion and is aimed at keeping “critical” Chinese data in China.
Data Sovereignty at its highest. The definition of CIIOs may be so broad as to ensure the State can exert influence where it sees fit and will apply to non-Chinese operators as well as those in China as no distinction is made between internal or external networks. In theory and likely practice the State will ensure personal information it regards as important remains on servers within China; any attempt to transfer such information will be subject to the “genuine business need” test after an intrusive State assessment.
The United States’ position
In the United States, the right of an individual in relation to data could be said to have been diminished by the repeal of regulations requiring internet service providers to do more to protect customers' privacy than websites like Alphabet's Google or Facebook.
The initiative, founded during the Obama administration, had sought to restrict the ability of internet providers to use information such as location, financial information, information in relation to health and web browsing history for advertising and marketing purposes.
The rules made it unlawful to use such information without obtaining appropriate consent. The decision of the senate to vote down these provisions was based on the assertion that it would lead to a different set of regulations for internet providers and websites.
The sale of personal information collected by retailers is huge business in the US.The Challenges for Businesses and Other entities The really significant issue is how, and is it even possible, to mesh these different approaches. Whilst, certainly in the case of Russia and China, the centre of data protection and management, is the State, that is not the case in Europe and seemingly, the United States. In Europe, the individual is key. In the United States, corporations appear to have scored a major victory.
Where does that leave the possibility of a consistent approach to data protection and management across the world? The potential problems seem to be many. A global entity doing business in each of the jurisdictions discussed above will be faced with regimes and policies which are seemingly at odds with each other.
How will, for example, an entity free to sell data in the US deal with the need to obtain active and demonstrable consent to such a course in Europe? The requirement in Russia or China to ensure that data is subjected to scrutiny by the State will impact on the rights of the subject if they are European.
The General Data Protection Regulation (‘GDPR’) – the EU’s data protection rules that come into force in May 2018 - envisages only allowing data transfers to jurisdictions that have “adequate “ measures to ensure consistency of approach. The ability to sell personal data for advertising purposes does not sit well with the cornerstone of the sanctity of an individual’s personal data.
How will it be dealt with if an entity in Europe has dealings in Russia and has to subject itself to state scrutiny of personal data. Will the relevant Supervisory Authority allow that entity to trade in that jurisdiction without sanction? The global economy is here to stay, but the lack of a unified philosophical approach to data protection and regulation could be a serious hindrance to its development.