The modern, digital world has made the world smaller and faster, with information and data transferred within an instant, ignoring any and all physical borders. While this digital highway is an essential pillar for our Internet age, it is also not without its problems. One such area of concern rests with data protection and privacy enforcement laws. International data transfers are the lifeblood of the digital economy. Yet, to date, there are few, if any, binding international-or global-treaties dealing with data privacy. As a result, many technology and financial companies whose global footprints permeate through various international jurisdictions are left in uncertain territory, halting international expansion and stymying economic progress. The consequences for inaction on an international data privacy framework are stark – not only are hundreds of billions of trade dollars at risk, but also it increases the risk of a digital cold war. Thus, the question is not why nations should reach international agreements on data privacy, but rather how such agreements can be made – particularly how agreements can be made between China and the West (i.e. United States and European Union).
Reaching an agreement between China and the West is challenging because these nations have fundamentally different conceptions of data privacy. The Chinese government adopts a control model where its “data protection” regime is “more concerned with what information gets into the country than with what information leaves it.” This is why the Chinese government established its “Golden Shield” initiative, a nationwide digital surveillance network to monitor Internet access. In contrast, the EU adopts a rights model where “[d]ata protection is a fundamental right anchored in interests of dignity, personality, and self-determination.” Finally, the US adopts a market model where “[p]ersonal information is another commodity in the market,” and the “focus of information privacy law . . . is policing fairness in exchanges of personal data.” However, despite these differences, it is still possible to work together to craft an international data privacy framework, as seen with the Safe Harbor and Privacy Shield agreements between the US and the EU.
One such approach is a discretionary enforcement mechanism, such as the one established in the Safe Harbor agreement. The Safe Harbor principles allowed for selection, application and enforcement where US companies only needed to “apply Safe Harbor Principles to the personal data of Europeans” while retaining the discretion as to whether to also apply these standards to US citizens as well. With China, a similar agreement could be reached, where Chinese companies can apply stricter data protection provisions for Western citizens while also having the discretion as to whether to apply these provisions for its own citizens. This approach allows China to harness the economic benefits of international trade while also maintaining control over its own citizens, making it more amendable to cooperate with the West.
Another approach is with a domestic enforcement mechanism, such as the one established in the Privacy Shield agreement, which “deputize[d] US institutions, officials, and private parties to enforce the interests of EU citizens and to do so accompanied by EU oversight.” A similar approach can be applied to China, where an agreement would deputize Chinese institutions to enforce Western interests with some Western oversight. This approach prevents the encroachment of Chinese national sovereignty while also giving certain assurances to Western nations, thus benefitting both sides.
A third approach lies with negotiating trade deals, namely tying data protection standards to pre-requisite conditions for trade agreements. Because of the importance of cross-border data flows to the international economy, the EU sometimes extends “the reach of its data privacy standards in parallel with international trade agreement negotiations.” In fact, the EU used this exact approach to negotiate the safe harbor provision with the US – threatening to withhold up to $120 billion unless the US agreed to more comprehensive data protection standards. Since, China’s reliance on foreign investment “tends to marginalize any suggestion that China would implement policies designed to antagonize the very source of its technological development,” this gives the US and the EU additional bargaining chips to negotiate stronger data protection standards. While aggressive, this approach certainly creates strong financial incentives to induce cooperation.
A fourth approach is with customary international law (CIL). CIL refers to “international obligations deriving from custom, as opposed to obligations arising from written international treaties.” Custom begins with acts that become a “settled practice” and with time, that practice gives rise to the belief that it had become obligatory. Just as national and international laws influence one another, so too can custom. Western legal customs for enforcing data privacy laws can influence Chinese legal customs, such that the two become increasingly similar. This is not as outlandish as it initially appears, since China’s legal system already “identifies closely with the system of continental law operating in France [and] Germany.” While this is the least coercive approach, it may also take the longest time to adequately develop.
Despite some critics’ concern that the digital divide over data privacy issues may lead to a new type of cold war, the incentive structures may be more aligned than previously thought. With the rise of the digital economy, cooperation is not just mutually beneficial, it is essential. The safe harbor and privacy shield agreements between the US and the EU demonstrate that it is entirely possible to cooperate and reach agreements on data privacy laws, despite having fundamental disagreements over the value of data privacy itself. The Internet was designed to bring the world closer, and hopefully, the future path of data privacy law is one that bridges cultural and legal gaps – one of concession, collaboration and cooperation.
* James Wang is an Associate Editor on the Michigan Technology Law Review.