By Alexandra Hathaway Tillman
Think about how your digital footprint has grown since the pandemic began.
Have you used a restaurant delivery app?
Signed up for delivery groceries?
Done a little more online shopping than usual?
The internet has undoubtedly brought us greater convenience, but at a potentially dangerous cost that many do not fully understand. Each click of the “buy” button sends your data to a new place on the internet. And each new place your data is stored increases the chances of your data being leaked or exposed.[1]
In the US, several data privacy laws regulate specific sectors rather than a single, overarching data protection law.[2] The US argument for these weaker policies typically centers around the First Amendment and freedom of speech. The “code” of the internet, at its core, is inherently American[3]—open and First Amendment-centric—and any act to regulate the internet is seen as an attack on free speech, one of the many reasons US policymakers are hesitant to create an all-encompassing data privacy act.[4]
The White House released a report in June 2018 on “How China’s Economic Aggression Threatens the Technologies and Intellectual Property of the United States and the World”, but little has been done policy-wise to strengthen US data protection laws and regulations.[5]
The European Union (EU) has taken a broader approach, with data protection laws that cover all sectors in a comprehensive rather than piecemeal manner. In the EU, Data protection laws were enacted as early as 1995, with its strongest legislation, the General Data Protection Regulation (GDPR) coming into effect in 2018. The GDPR made data protection a fundamental right that requires strong protections in all member states.[6]
China started small, passing legislation that protected user data in specific sectors as the US had done.[7] But in recent years, China has amped up its policymaking in this area, and has quickly developed broad, EU-style data privacy policies.[8]
But these laws differ greatly from the EU in what and how they protect users’ data.[9] These new laws allow individuals to take legal action against a company or organization that fails to protect their data, but not against the government when it fails to do so.[10] They also require “data sovereignty” or “data localization” in which any company wanting to do business in China must store its data in China.[11] This requirement comes with huge risks since China is known for its heavy surveillance and data collection; companies could very well find their data misused and leaked by the government.[12]
In other words, China’s policies force data to be stored within its borders, and will protect individuals in China from data intrusions by other private individuals and companies—but never from leaks or misuse by the government.
Certainly, the world is in need of strong data privacy laws in the digital age, but the Chinese model is not the answer. Its policies heavily limit not just the freedom of the internet, but who can be held responsible when data leaks and breaches occur.
If the US does not quickly bolster its data privacy policies, it will not only lose influence in the global conversation on data protection, but risk allowing an authoritarian regime (or a surveillance state?) to set the standard for where and how data is protected worldwide.
To keep the internet as open as it was created, the US must develop a strong data protection policy that covers all markets and sectors. Picking and choosing which sectors need data privacy, with a breach in hindsight,[13] is not enough.
As the US falls behind in data privacy policy, it gives countries like China the opportunity to lead. In the midst of a pandemic, we are sharing information online more than ever. Whose policies do we want controlling the future of the internet and our privacy?
[1] See Have I Been Pwned? http://haveibeenpwned.com (showing the number of recorded websites and accounts that have been the subject of data breaches.
[2] Emmanuel Pernot-Leplay, Data Privacy Law in China: Comparison with the EU and U.S. Approaches (Updated on Sept. 27 2020), https://pernot-leplay.com/data-privacy-law-china-comparison-europe-usa/#12_Chinas_Belated_Building_of_its_Legal_Framework.
[3] Lawrence Lessig, Code Version 2.0 33 (2006).
[4] Eugene Volokh, Freedom Of Speech, Information Privacy, and the Troubling Implications of a Right to Stop People from Speaking about You, 52 Stan. L. Rev., 1, 2 (2000)(stating that broader information privacy rules are not easily defensible under existing free speech law.)
[5] White House Office of Trade and Manufacturing Policy, How China’s Economic Aggression Threatens the Technologies and Intellectual Property of the United States and the World (June 2018).
[6] Emmanuel Pernot-Leplay, Data Privacy Law in China: Comparison with the EU and U.S. Approaches (Updated on Sept. 27 2020), https://pernot-leplay.com/data-privacy-law-china-comparison-europe-usa/#12_Chinas_Belated_Building_of_its_Legal_Framework.
[7] Huizhong Wu, In land of big data, China sets individual privacy rights, Reuters, May 26, 2020. https://www.reuters.com/article/us-china-parliament-lawmaking-privacy/in-land-of-big-data-china-sets-individual-privacy-rights-idUSKBN2320EF
[8] Id.
[9] Samm Sacks, New China Data Privacy Standard Looks More Far-Reaching than GDPR, CSIS, Jan. 29, 2018, https://www.csis.org/analysis/new-china-data-privacy-standard-looks-more-far-reaching-gdpr.
[10] Emmanuel Pernot-Leplay, Data Privacy Law in China: Comparison with the EU and U.S. Approaches (Updated on Sept. 27 2020), https://pernot-leplay.com/data-privacy-law-china-comparison-europe-usa/#12_Chinas_Belated_Building_of_its_Legal_Framework.
[11] White House Office of Trade and Manufacturing Policy, How China’s Economic Aggression Threatens the Technologies and Intellectual Property of the United States and the World (June 2018).
[12] Emmanuel Pernot-Leplay, Data Privacy Law in China: Comparison with the EU and U.S. Approaches (Updated on Sept. 27 2020), https://pernot-leplay.com/data-privacy-law-china-comparison-europe-usa/#12_Chinas_Belated_Building_of_its_Legal_Framework.
[13] Lydia Beyoud and Daniel R. Stoller, Equifax Target of Data-Breach Bill Allowing Consumer Lawsuits, Bloomberg Law, Aug. 15, 2019, https://news.bloomberglaw.com/banking-law/porter-taking-aim-at-equifax-with-new-data-security-proposal.
Image Source: https://p1.pxfuel.com/preview/613/409/272/data-protection-security-important-information.jpg