Lorand Laskai is a research associate at the Council on Foreign Relations. You can follow him @lorandlaskai.
2018 was the year of data protection legislation. The year began with a patchwork of laws and standards governing data protection and user privacy around the world. It ended with a comprehensive data protection framework in Europe, another data protection regime developing in China, and growing momentum for a federal law to protect users’ privacy in the United States. The big story was Europe’s General Data Protection Regulation (GDPR), but equally noteworthy was how GDPR energized efforts to protect users' data elsewhere in the world.
Here is a summary of the important developments in data protection last year:
The European Union
After six years of deliberation and preparation, Europe’s General Data Protection Regulation (GDPR) went into force on "GDPR Day," May 25, 2018. GDPR overhauls and harmonizes the European Union’s data protection framework, putting in place the world’s strongest data protection regime. Broadly speaking, the legislation requires companies to ask for user consent when they collect data and allows users to amend or delete data once collected.
As “GDPR Day” approached, companies raced to comply with the law, flooding users’ inboxes with updated privacy policies and pleas for users to consent to remain on their mailing lists. Compliance with GDPR, however, has turned out to be more of a process than an endpoint, as lawyers, regulators, and watchdog groups debate how to interpret GDPR’s various provisions. Much of the confusion originates from the fact that GDPR is organized around “principles” rather than clearly defined requirements. Despite the uncertainty, European regulators are backing the law with steep fines for companies found in violation. In October, the Irish data protection commissioner opened an investigation into Facebook for a data breach affecting 50 million users. In December, regulators in Germany announced an investigation into Mobike, a Chinese bike-sharing app that has expanded its presence in European cities.
GDPR marks a clear revolution in data protection. As such, it has produced a heated debate over what the law means for the future of data-intensive technologies in Europe. Some have argued that requirements within GDPR spell the end of big data analytics in Europe while others believe the law will allow big data to flourish on a larger scale. Similar debates are raging about GDPR’s impact on blockchain and artificial intelligence. Seven months after GDPR went into effect, the jury remains out on many of these issues—in large part, because European courts and regulators have not provided clear guidance on how various principles within GDPR should be interpreted. However, what has become clear since GDPR went into effect is that the privacy framework disproportionately benefits large tech companies like Facebook and Google, which have the resources to comply with the law, at the expense of European startups.
The United States
Across the Atlantic, GDPR has reinforced growing support for a federal data protection law. The debate over data protection and privacy in the United States has traditionally been split between proponents of a laissez-faire approach to data protection and privacy and those who favor regulating big tech. At first, the Trump administration’s response to GDPR fell squarely within the laissez-faire camp. In July, Commerce Secretary Wilbur Ross complained that Europe’s data protection framework might constitute a trade barrier. By mid-summer, however, the administration had changed its tune, endorsing the idea of legislation to protect consumer privacy online. In July, the White House said it was formulating a blueprint for a consumer online privacy law in consultation with major tech companies.
Behind the administration’s U-turn is a series of data breaches that have called into question the ability of big tech to self-regulate. In March, Facebook disclosed that Cambridge Analytica had gained access to the data of tens of millions of Facebook users without their consent. The scandal also shone a spotlight on the Federal Trade Commission’s role in protecting users. Critics argue that the FTC has been too cautious in disciplining tech giants. Others argue that without reform, the watchdog agency is ill-equipped to protect digital privacy. In September, executives from Google and Facebook called for Congress to pass an EU-style privacy law.
Not content to wait for federal action, several states have begun to enact their own data privacy rules. In July, California’s state legislature passed the California Consumer Privacy Act, which many have likened to an “American GDPR.” Though less expansive than GDPR, the California privacy law is likely to powerfully shape how tech companies collect and use personal data when it goes into effect in 2020.
China
In China, officials and regulators have greeted GDPR as an opportunity to further develop China’s incipient regulatory regime for personal information security. In May, the country’s first comprehensive privacy standard, the Personal Information Security Specification, went into effect. The standard, which is loosely based on GDPR, is intended to provide user protections without being overly cumbersome to businesses. Although the standard is non-binding, authorities have cited it when investigating privacy violations, creating an incentive for compliance.
To a certain degree, China has pinned its ambitions of becoming a ‘cyber superpower’ on developing standards and regulation that it can export abroad. With data privacy, Chinese officials have decided that China can chart a course between GDPR and the current laissez-faire approach of the United States, creating a regulatory framework that offers GDPR-style protections while not hindering commercial applications of big data and AI.
The Chinese government is also responding to a groundswell of anger among internet users who are fed up with the lax handling of user data, which has created numerous opportunities for identity theft and fraud. In March, Baidu founder Robin Li courted controversy after suggesting that Chinese users do not care about online privacy. The remarks provoked a backlash online, highlighting popular discontent with Baidu’s data collection practices, which many have argued are excessive. A similar user backlash led government regulators to censure Alibaba-affiliated Ant Financial in January for automatically enrolling users in Sesame Credit, a credit rating system that many have likened to an episode of Black Mirror.