The Geo-Politics of Personal Data
Over the last forty years, a strong and principled argument that privacy is a fundamental human right deserving special protection in an age of high technology has confronted more pragmatic considerations from a variety of interests. The messy twists and turns of this international struggle have produced a sort of consensus on what it means for an organization to process personal data responsibly. But it is an uneasy consensus, hedged by exemptions and qualifications, and regularly shaken by monumental shifts in the processing powers of technology, and by game changers like the 9/11 attacks.
This conflict is now being played out again with respect to a new Draft Regulation on privacy protection from the European Union. We have heard that this Regulation is too burdensome, that it will block innovation, that it will cost jobs, trade, and investment, that it will kill the online advertising industry, that it will unreasonably extend the reach of European law beyond European borders and exacerbate the transatlantic divide between a more protectionist and regulatory Europe and a more open and innovative United States.
These views are simplistic and misleading. The same fears were expressed twenty years ago when the first set of European privacy rules were proposed. The Internet developed and flourished since that time, and within that framework of national and international privacy law. Privacy protection did not constrain innovation then, and it will not do so today.
Information Privacy and the Geopolitics of Personal Data
Personal data protection, or information privacy law, is all about giving individuals more control over the information that relates to them. It gives certain rights to individuals and also imposes important obligations on organizations. The early laws, introduced mostly in Europe in the 1970s, reflected the technology of the time, and were framed in order to regulate the mainframe “database” and the more discrete, and less networked, systems of records that characterized the early computing era. “Big Brother” was the fear.
As use of the Internet and other digital communication technologies have proliferated, the accessibility of information has grown exponentially, fueling individual empowerment and democratic participation. At the same time, the Internet makes it much easier for organizations to capture, process, and disseminate information about individuals. A wide variety of entities can now observe online behavior by monitoring the network, by tapping into the vast quantity of data collected about individual Internet usage, or by installing spyware directly on individual computers. For as long as individuals have been using the Internet to communicate, shop, apply for services, and network, there has been significant anxiety about the capture and processing of personal information.
However, the processing of personally related information online is not just about privacy. It is also fundamental to the very business models through which the Yahoos, Googles, and Facebooks of the world actually make money. Advertising is the lifeblood of the Internet economy. To the extent that companies can discover more detailed and extensive information about personal preferences and behaviors, they will make more money. Privacy laws constrain that ability. Rules about notification, informed consent, access and correction of personal data and so on, are not just an important constraint on the ability of an organization to monitor consumers, they also have profound economic consequences.
Privacy has, therefore, risen in importance as an economic and political issue. It is increasingly discussed at the highest diplomatic levels. The “geopolitics” of personal data processing far exceeds the scale of the issue since it first gained prominence in the 1960s and 1970s.
The International Privacy Rules
Various agreements from international organizations have been crucial in the spread of privacy protection rules. Some, such as the 1981 Guidelines from the Organization for Economic Cooperation and Development, or the 1981 Convention 108 from the Council of Europe have acted more as models or exemplars for national legislation. Others are more coercive. Most notably, the European Union’s 1995 Data Protection Directive (95/46/EC) mandated all countries of the EU to translate its provisions into national legislation. It also had an extra-territorial effect, imposing an obligation on data controllers to restrict flows of personal data outside Europe to countries with “adequate levels of protection.”