A Seat at the Table: The Risks of Complacent Data Privacy Governance

On October 17, 2022, US Secretary of State Tony Blinken during a talk at the Hoover Institution emphasized that, in the process of setting international norms and practices, “if you are not at the table, you are on the menu.” 

His statement highlights the fact that Beijing is actively positioning itself to influence the global data privacy standards of the 21st century, with ambitious international engagement and domestic policy making. Indeed, in the absence of sound rules, the world is witnessing an ominous tide of privacy governance that neglects human rights, limited government, and consumer welfare. As such, Blinken’s words highlight the need for the US to position itself as a competitor and standard-setter in the field of privacy. However, Western (US and EU) approaches are divisive and incomplete, and should be altered to ensure that the West can provide an optimal model that genuinely preserves citizens’ privacy.

Confronting The Beijing Effect

Western responses to data privacy issues have been largely passive and reactive. The EU’s General Data Protection Regulation (GDPR) was the first to go into effect (on May 25, 2018) and is seen as the gold standard in privacy regulation. One month after GDPR implementation, the US introduced its first state-specific, comprehensive data privacy regulation called the California Consumer Privacy Act (CCPA). Current privacy regulations, however, prioritize governments and firms over consumers. Consequently, these laws not only reinforce the typical American bottom-up approach to governance, but also prevent a united Western front in the data privacy landscape. This sets a bad example for other countries looking to improve their own policies.

The US’s reticence to take affirmative steps to forward individual privacy at home and abroad is something Beijing profitably exploits. Beijing’s economic weight means that many of its domestic regulations will affect foreign actors who need to do business in, or with, China. China’s ability to project data governance norms also stems from its physical exports, particularly in information infrastructure. Influential tech companies like Huawei, for example, are building digital infrastructure around the world, often dominating smaller markets and directly extending the reach of Beijing’s data regulations. Additionally, Hikvision, a major Chinese company, currently exports cameras to over 33,000 cities around the world, with the city of London installing more Hikvision cameras than Beijing, as of December 2021. 

The Chinese Communist Party (CCP) is more than happy to profitably exploit the global demand for surveillance equipment and subsequent lack of consensus on privacy rights. Scholars call this proliferation of norms the Beijing Effect, where Chinese regulatory practices are spread through business engagement. As Nikkei Asia notes, “[t]he world has been flooded with Chinese surveillance equipment, often under the guise of COVID-19 prevention.” 

In response to China’s efforts in marketing the tools of techno-authoritarianism, the US and EU have kneecapped China’s tech industry through methods such as export restrictions targeting Chinese Artificial Intelligence (AI) hardware and chipmaking tools. However, it is not enough to merely punish in the name of human rights, without taking proactive measures to set better privacy standards at home. 

The Need For A United Western Voice

Sajai Singh notes that, “being the first, the GDPR has… provided guidance and the way forward to nations across the world.” Singh is correct, in that the GDPR has served as a wake-up call for many countries, most notably the US, and has created what many people perceive as “strict data privacy legislation [which] is the norm today.” Now, however, any new law on top of the GDPR is simply seen as unsurprising, if not impractical. 

The GDPR does nothing to address potential abuses from data collection and third party sales of personal information. Admittedly, it is a good first step in bringing attention to issues of data security and creating a uniform law enabling consistency among all EU members. However, as de La Lama says, “the GDPR isn’t the end game, but really just the start.” Overall, the regulation is broad and still leaves consumers vulnerable to decisions made by firms. Data minimization, for instance, is enforced but not specified: firms determine the minimum amount of data necessary for operational purposes, potentially resulting in information asymmetry. 

The EU has a safety bubble created by the widely cited Brussels Effect. Its market forces are usually sufficient in compelling companies and countries to voluntarily adapt to the EU’s standards. US influence is similar, albeit more direct. It is capable of introducing a overarching data privacy scheme, and its ability to spread policymaking standards and regulatory norms would allow it to influence global standards with relative ease. Washington has also learned from the flaws in the EU’s GDPR, putting it in a position of corrective action. US data privacy policies, however, continue to prioritize the state and private firm rather than the consumer, exacerbating privacy concerns. For instance, these policies leave governments exempt from compliance. As a result, the US government was permitted to file almost 70,000 data requests from Apple, Facebook, and Twitter during Q1 of 2020. Observing recently established US data norms, other countries are beginning to mirror this social media (SM) surveilling behavior.

Turkey, for instance, just announced that it would be fining Meta $18.63 million for breaking its newly implemented competition law that requires social media companies to share user data with authorities. The influence of all three entities — the EU, US, and China — is visible in Turkey’s decision. Its method of determining fines based on company income, collecting data from SM companies for political gain, and penalizing companies for not removing “disinformation” evokes GDPR, CCPA, and PIPL sentiments. 

As Sinan Ulgen states, the Turkish law poses “onerous requirements,” and companies are wary of “what [it] would mean for their norms of data privacy and confidentiality, and… of setting a precedent that can be used in other jurisdictions.” Turkey’s announcement foreshadows a grim future for data privacy that will persist unless the US inspires better global standards.

If the US government does decide to regulate the rapidly growing big data sector that has now evolved to encompass Fast and Actionable Data, it must do so transparently and in accordance with a proactive stance on individual dignity — in other words, EU values. It is vital that the US alter its perspective to view data privacy as a fundamental human right. Failing to do so will result in more countries adopting a suboptimal China-US synthesis. 

It’s time to dump the “good Europe, bad America” privacy narrative that the US government itself appears to embrace in justifying its approach to commodifying citizens’ private data. American state-specific, sector-dependent policies have proven to be a tool of corporatism, empowering governments and companies over individuals. Absent meaningful reforms to data privacy, the US risks standing idly by as governments around the world craft their own standards, at times inspired by doctrines antithetical to fundamental human rights values. In an increasingly globalized economy, regulations in foreign jurisdictions can and will affect American citizens and firms. Therefore, it is in Washington’s interest to have a seat at the table, prioritizing its own model privacy doctrine.