As countries worldwide adopt data governance frameworks and cybersecurity laws, we see rules that are aimed at preventing cyber-espionage and guarding data. This has also caused chaos and confusion in the foreign business community. Companies are scrambling to understand how these rules will affect their daily business operations and their intellectual property. One part of the law that has particularly riled foreign tech companies in China centres around “data localisation” or “data sovereignty”. Even in Turkey, the Parliament has approved a personal data protection law, causing vast aberrations in the method and compliance regime governing data. After the law was imposed, the e-money operator PayPal withdrew from Turkey, citing “incompatible regulatory requirements” due to data localisation. Therefore, this article aims to look into the need for data protection regulations, cross-border data transfer and the various questions revolving around the rise of data havens.
So, why is data regulation needed?
Data regulation is directly related to trading in goods and services in the digital economy. Insufficient protection can create an adverse market effect by reducing consumer confidence and, from a business perspective, restricting business. Therefore, the challenge is to ensure that laws consider the global nature and scope of their application and foster compatibility with other legal data governance frameworks. This will facilitate international trade and enhance reliance on the Internet. However, the question remains: what kind of regulation do we require for this?
Diversity in data regulations around the world
The underlying privacy principles are interpreted differently in different jurisdictions. Social and cultural norms highlight this difference. In fact, according to this research, some protect privacy as a fundamental right, while others base the protection of individual privacy in other constitutional doctrines or in tort. Therefore, we must understand the differences in the interpretation of privacy principles globally and how they affect individuals, businesses and international trade.
All users who use Google, Facebook and WhatsApp enter into contracts with these companies under American law, with a dispute resolution clause that requires them to arbitrate disputes with these companies in California. Most users do not even know they are giving up their rights under the local or national regulatory bodies when they agree to use them. Once the new law is enacted, these companies will have to change the terms of their user agreements and spend a significant amount ensuring compliance. However, let us presume that some foreign data companies decide that the Indian market’s value does not justify the cost of complying with Indian law (and the penalties that follow), especially provisions like data localisation. Isn’t it still possible to use their services? This aspect also leads us to think about the use of services provided by “data havens”.
Perception Vs. Reality
Several studies have also tried to estimate the potential impact of data protection requirements that place an unreasonable burden on businesses or disrupt cross-border data transfers. For example, the proposed economy-wide data localisation requirements would negatively impact GDP in several countries where such conditions have been considered. For many countries considering forced data localisation laws, local companies would be required to pay 30-60% more for their computing needs than if they could go outside the country’s borders. If services trade and cross-border data flows are seriously disrupted between the EU and US, the negative impact on EU GDP could reach -0.8%. However, the data localisation policy has also facilitated the domestic IT ecosystem in China. There, the transaction cost economics of cross-border data flows is a critical aspect to solve.
It’s easy for users to take for granted that data collected online can flow between borders, in part because there are so many different types of data that companies can manage and move. For example, when users input their phone number on a foreign social media app, that data might be stored on the company’s servers overseas. Therefore, from the perspective of an international business, regardless of where it is located, the question is “Where should data be hosted?” The easy answer is: wherever the business wants. However, regulation considers both the business perspective on data governance and security and the social perspective.
From a business perspective, it makes sense for data collected worldwide to be “centralised” in one location. Businesses have to make arrangements with cloud service providers in the country or build their own data centres, and either way there is a cost involved. Data-driven organisations and companies engaged in cross-border data transactions transport data from one point to another, often using multiple data transit nodes scattered throughout the world to relay the information in the process. The Internet automatically locates and funnels data through the closest available data node, switching directions and transferring data packets in seconds. These data nodes are located in different countries and are shared by Internet users all over the world. Because the origin and destination points are scattered across every corner of the globe, one single piece of legislation cannot account for all the necessary measures that need to be in place to enforce the protection and privacy of transferred data. However, having disjointed or overlapping legislation, especially when dealing with an issue with drastic international repercussions, further exacerbates the already difficult problem of figuring out how to deal with the novel challenges of handling data and emerging digital technologies.
Therefore, most businesses choose the centralised system for ease of doing business and to avoid regulatory requirements and compliance costs. Many researchers point out that regulation contains monopolisation and improves healthy competition. However, this increase in regulation is also giving rise to data havens. The countries with a lenient data-regulatory framework are perceived to be more business-friendly and, therefore, likely to benefit.
Moreover, in the past decade, we have also seen the rise of data havens alongside the adoption of data protection regimes. To put this into perspective, a data haven, like a tax haven, is a physical location that offers extra protection and refuge for unregulated data. Data havens are locations with legal environments that are friendly to the concept of a computer network freely holding data and even protecting its content and associated information. Tor’s onion space, HavenCo and Freenet (decentralised) are three modern-day virtual data models. In 1978, the Data Protection Committee of Britain studied the issue and presented an analysis expressing concerns that different privacy standards in other countries would lead to personal data being transferred to countries with weaker regulation of data. Today, we see this to be more accurate than ever.
Is the context more political?
We have seen that international businesses favour lenient data regulation and a centralised system of data governance. However, national governments worldwide do not share the view held by companies that data should live and move wherever they want. Yet the motivations behind these disagreements vary by country, and other regions have taken different approaches to square private and corporate attitudes on data. For example, the EU has made it clear it believes data belongs to the individual, not to the companies that collect it. Therefore, it’s the government’s responsibility to protect it, in the name of ensuring privacy. And one way to do that is by keeping it inside Europe’s borders. However, it also recognises that the free transfer of data is critical for free and fair trade. It has worked out agreements on how commercial and personal data originating in one region can be protected when it moves to another.
The Cyberpeace Dialogue on “Data Havens Vs. Data Regulation” aims to understand the thought process or ideology behind the data regulation/protection regime globally. The objective of the dialogue is to give a clear picture of this issue. There will hopefully be better coordinated international regulatory policies developed to address certain essential aspects of cross-border data transfer, regulatory frameworks and data havens. Such coordination is necessary to prevent an uncontrolled regulatory race to the bottom, while at the same time preserving the benefits of privacy-centric applications. As a result of the dialogue, we will better understand how to enhance international compatibility in the protection of data and privacy, especially concerning international business and trade.
By Sanjana Rathi
For more information, please visit: https://twitter.com/diplomacy_cyber