ITI’s Rob McGruer takes stock of the latest data privacy developments and sets out what’s needed to push forward with a truly global approach.
January 28th marks Data Privacy Day, an annual event recognized around the world to raise awareness for privacy and data protection, and to remind us all that privacy policymaking and regulation are ongoing exercises, in constant need of tweaks, adjustments, and the occasional full-scale revamp. The date reflects the Council of Europe’s signing of the first legally binding international data protection agreement, ‘Convention 108’ in 1981.
While some privacy agreements and rules date back decades; it is only in recent years that the global regulatory landscape has really taken off. In the past year alone, the sheer volume and complexity of privacy frameworks and enforcement actions around the world has massively accelerated.
ITI has been at the forefront of these developments, helping lawmakers around the world construct clear, flexible policies and laws that promote both high privacy standards for individuals and enable the benefits of cutting-edge data innovation for society. Privacy only works when it goes together with end-to-end security of systems, processes and people. ITI members provide much of the global infrastructure and new privacy tech innovations that help keep our data secure — from the development of zero trust cybersecurity architecture, to innovative privacy enhancing tech solutions, to everyday consumer tools such as multi-factor authentication.
Much of our work is about enabling different actors in the tech ecosystem to use data in a responsible and secure way, so that people can access and use the services they need with confidence and trust. This means maintaining a dual focus, on privacy and data innovation, and approaching laws and regulations in a way that balances different considerations to maximize public policy outcomes — for individuals, society, and the economy. With that in mind, here are some of the big questions for global privacy in 2023:
Keeping up the momentum on global data flows
2022 ended with a flurry of positive announcements, marking a gear change in progress towards a more robust global system for cross-border data transfers.
Following a ‘two-and-a-half-years-and-counting’ gap since the invalidation of Privacy Shield, the EU-U.S. Data Privacy Framework has now received the European Commission’s seal of approval and, once fully adopted, will provide a clear set of rules giving consumers and businesses confidence to unlock greater value from the transatlantic relationship.
The recent OECD Declaration on Government Access to Personal Data shows that there is more common ground than difference among leading economies when it comes to balancing privacy rights with legitimate law enforcement and national security requirements. The agreed principles demonstrate that shared values can overcome national legal differences, and that there is space for likeminded countries to unite behind and work towards a global framework for data flows.
The Cross-Border Privacy Rules Forum is gathering steam as a valid, accountability-based international certification system for data transfers. Based on an earlier APEC effort, the CBPRs provide a more flexible multilateral avenue than the EU’s GDPR-based country-by-country data adequacy decisions, and 2023 will be an important year for the Forum to establish legitimacy beyond its existing country membership.
Consistency on legislation and enforcement
Another big development has been the continuing expansion of privacy legislation around the world, and an acceleration in accompanying enforcement activity.
Europe’s GDPR remains the go-to legislative blueprint for many countries establishing new privacy laws, and it has framed the global debate, bringing a common language and lens to all continents. However, as the GDPR approaches its five-year enforcement anniversary, there are legitimate questions about how it is being applied across the EU. Different national data protection authorities are reaching different conclusions on the interpretation of core GDPR concepts, such as the legal bases for data processing that underpin many of the services we rely on today. This lack of regulatory stability risks dampening business confidence and the ability of companies to operate and innovate confidently within a clear set of rules.
Countries around the world looking to draw on the GDPR for national legislation should recall that it is a risk-based framework, and that rules and obligations need to be crafted and assigned with as much specificity as possible, but also with sufficient flexibility to allow for technological change. Clearcut privacy rules and consistent interpretation are all the more important as new spheres of digital market and content regulation begin to emerge around the world.
The missing puzzle piece
Momentum for a comprehensive U.S. federal privacy framework seems to grow each year – before hitting familiar hurdles and stumbling just before the finish line. Legislation that includes effective, consistent data privacy rights for all Americans is long overdue, and ITI will continue to work with Congress to accelerate progress - privacy reform is one of the top issues in ITI’s recently released 2023 Tech Policy Roadmap for U.S. Competitiveness and Growth.
As more U.S. states introduce their own flavors of privacy laws this year, and some key state enforcement provisions begin to bite, this inconsistency is likely to weigh on consumers and businesses. Perhaps more importantly, the lack of a unified federal law is making it much harder for the U.S. to credibly reassert global leadership in this space, and across digital regulation more broadly. But the debate is active and alive, and bipartisan leaders in Congress, as well as President Biden, are dedicated to seeing a national privacy standard signed into law
So, we do not underestimate the challenge ahead. Privacy is not a fixed, finite, or objective issue. It means different things to different people in different contexts. But a common understanding is emerging that in the digital world we need to work towards systems and processes that allow responsible data practices that both respect balanced privacy rights and contribute towards data innovation and maximizing progress. Pragmatic global data agreements need to be struck between countries that share democratic values and trust each other (essential equivalence need not mean absolute equivalence). Rules and regulations need watertight definitions and consistent application. And the U.S. needs to be at the front and center of these developments.