
Could Euro Zone’s GDPR serve as a Multilateral Regulatory Framework on Cross-border Data Flows?

Sergio Martinez



Abstract

In a rapidly evolving world with increasing disruptive technologies, multiple stakeholders across nations, industries and sectors are confronting growing societal demands for ethics and regulatory frameworks on cross-border data flows (CBDFs). What does this mean, and how should they get started? These and many more are pressing questions facing policy-makers in multilateral forums that aim to address the recent quantifiable impacts of digital trade—a trade dimension comprising the global exchange of emerging technologies, e.g., data flows and e-commerce, in the late twentieth and early twenty-first centuries. While trade agreements and regional regulatory frameworks have sought to dictate principles, norms and rules for several concerns around CBDFs, institutional efforts to set up an inclusive, multilateral framework are still lacking in the policy arena. With this motivation, the present paper illustrates the case of the Euro Zone’s General Data Protection Regulation (GDPR) as the most comprehensive legal instrument to date that might guide initial policy discussions around the much-needed multilateral regulatory and ethical framework on CBDFs.


Context

The late twentieth and early twenty-first centuries have brought new opportunities in the way of doing business and rethinking the role of public policies and international law instruments in technological affairs. For the most part, these opportunities have emerged from rapid advances in disruptive technologies that have altered living and working standards and innovation channels of production, among other social and economic dynamics in societies. In 2013, the McKinsey Global Institute identified twenty-five disruptive technologies that shared four key features transforming the future of work and doing business: (a) rapidly-advancing technologies; (b) broad potential scope of impact; (c) significant economic value; and (d) potentially-disruptive economic impact.1

The emergence of disruptive technologies during recent decades has opened the path for the global digital era that is increasingly shaping the future of work and systemic transitions in the world’s economy. According to the McKinsey Global Institute (MGI, 2016) report, Digital globalization: The new era of global flows, “some 900 million people have international connections on social media, and 360 million take part in cross-border e-commerce.”2 MGI’s further analysis revealed that cross-border data flows (CBDFs) accounted for USD 2.8 trillion in 2014 alone, which represented about 36 percent of global flows of all types, valued at USD 7.8 trillion over the same year.3 This trend outlines the significance of the economic impact driven by digital trade, e.g., e-commerce and data flows, which along with all types of flows increased world GDP by 10.1 percent.4

With an exponential amount of data and information generated in the digital space during recent years, citizens and consumers of digital platform services have grown more concerned about data privacy and consumer protection. Over the last three years alone, an IBM Marketing Cloud study found that 90 percent of all data online has been created since 2016, with 2.5 quintillion bytes of data being created every day.5 The significant size of data flows managed by digital platforms has led customers across the globe to express concerns about their data privacy. In the U.S., the TRUSTe/National Cyber Security Alliance (NCSA, 2016) reported that “… 60 percent of Americans are more concerned about not knowing how personal information collected online is used than losing principal income…”6 In the Philippines, Viber conducted a customer survey on data privacy and found that 55.3 percent of individuals said they would stop using an app that shares their data with third parties without their knowledge.7

In response to consumer protection and data privacy concerns around disruptive technologies, the United Nations Conference on Trade and Development (UNCTAD, 2016) has acknowledged the institutional need to establish more compatible legal frameworks at national, regional and multilateral levels.8 While some countries grouped by regional or trade blocs have attempted to develop their CBDFs regulations on a unilateral or bilateral basis, the remaining gaps in universal CBDFs definitions, legally-binding rules and cross-country enforcement mechanisms together make the case for a multilateral CBDFs framework. In this regard, UNCTAD (2016) identified three categories of gaps existing in the coverage of data protection laws: (a) absence of country-level data protection legislation—nearly 30 percent of countries with no laws in place; (b) current legislation with broad gaps and exemptions; and (c) allowances for business to exclude certain services or practices from coverage.9

Regulatory Framework on CBDFs

Although multilateral rules governing CBDFs in a universal and comprehensive manner are still missing in the policy arena, regional and international organizations have developed regulatory frameworks addressing data privacy and consumer protection, among other related concerns around CBDFs. The Global System for Mobile Communications Association (GSMA, 2018) identified six mainstream data privacy frameworks that have recently been established on a regional or international basis: (a) OECD Privacy Framework, (b) Convention 108, (c) Madrid Resolution, (d) APEC Privacy Framework, (e) ASEAN Framework on Personal Data Protection, and (f) EU GDPR.10 On the other hand, privacy has been treated under the rules of trade agreements. In this regard, Aaditya Mattoo and Joshua Meltzer (2018) pointed out privacy treatments across three representative trade agreements: (a) the WTO rules contained in the General Agreement on Trade in Services (GATS); (b) the Korea-US FTA, with its Chapter 15 covering Electronic Commerce; and (c) the Comprehensive and Progressive Agreement for Trans-Pacific Partnership—CPTPP, outlining provisions on data flows and e-commerce in its chapter 14.11 Mattoo and Meltzer (2018), furthermore, stressed the relevance of four additional privacy and data flows instruments derived from international regulatory cooperation: (a) the OECD Privacy Guidelines; (b) the Council of Europe Data Protection Convention and Additional Protocol; (c) the Asia Pacific Economic Cooperation (APEC); and (d) the E.U.-U.S. Privacy Shield.12

Despite the extensive bulk of regional and international instruments and trade rules including provisions on privacy, data flows and customer protection, almost all of these lack legally-binding conditions, as pointed out by several authors and institutions. For instance, the Congressional Research Service (CRS, 2019) emphasized that up-to-date best practice guidelines or principles related to privacy and CBDFs are not legally binding on a multilateral basis.13 Adding this legal constraint to the institutional gaps in data protection laws reported by UNCTAD (2016) supports the case that CBDFs should be regulated multilaterally. The question facing policy-makers around the world, though, is where to start.

The General Data Protection Regulation (GDPR)

The General Data Protection Regulation—or GDPR—is the EU regulation on natural persons’ privacy, data protection and CBDFs approved by the European Parliament on April 27, 2016, and later enforced on May 25, 2018.14 The GDPR replaces the Data Protection Directive 95/46/EC and, according to an educational website, it was designed with three specific objectives: (a) harmonize data privacy laws across Europe; (b) protect and empower all EU citizens’ data privacy; and (c) reshape the way organizations across the region approach data privacy.15 In less than a year since its enforcement, the GDPR has proven to redirect data management procedures across sectors and, to some extent, to redefine the roles of key leaders in businesses. The European Commission (EC) conducted an implementation performance study in early 2019 and found increasing outcomes in rules’ compliance, enforcement and awareness in the EU region.16 In terms of compliance, the number of complaints from individuals to Data Protection Authorities (DPAs) increased up to 95,180 from May 2018 to January 2019. Individuals have mostly complained about telemarketing, promotional e-mails and video surveillance/CCTV. Furthermore, the GDPR has led to significant enforcement outcomes. Among these, DPAs have been able to start some 255 investigations, out of which 200 have been on the basis of individual complaints. Enforcement of the rules has also materialized in the imposition of fines, e.g., EUR 50 million imposed by France on Google for lack of consent on Ads, and in the adoption of mandated national laws in the EU Member States—23 member states have adopted the required national regulation while five are still pending to do so. Lastly, awareness of the GDPR’s rules has received higher attention in the media in relative terms.17

Application

Is the GDPR a sound instrument to model multilateral regulatory frameworks on CBDFs? There has been a candid debate on whether the GDPR could be a plausible instrument to shape a multilateral approach governing free movement of data, consumer protection and data privacy. Aaditya Mattoo and Joshua Meltzer (2018), among other authors, have presented cases against CBDFs multilateral framework proposals based on the GDPR model.18 On the other hand, authors such as Consumers International (2019) have recently stated that they are in favor of CBDFs.19 Whereas the positions against the GDPR primarily focus on the instrument’s potentially adverse economic impacts from a doing-business point of view, e.g., possible reductions in export data transfer services from developing countries to developed countries, those in favor of the GDPR highlight its balance in managing economic benefits from CBDFs, data privacy and customer protection regulations for both companies and customers, ultimately benefiting the latter to a larger extent.

On the basis of the debate around the GDPR, I would argue that the GDPR could be a stepping stone in building solid foundations for a multilateral framework on CBDFs, data privacy and consumer protection. The points supporting my position in favor of the GDPR lie in two key broad elements contained in its legal body: (a) precise rules on personal data collection, transfer, processing and storage; and (b) legally-binding conditions.

GDPR’s Precise Rules on Data Management

According to PrivacyPolicies.com, the GDPR contains at least six categories of articles stating precise rules on how firms collect, transfer, process and store data from their customers while granting EU citizens certain rights and protections concerning their personal information.20 These six categories and their corresponding articles are as follows:

Rights of Individuals:

  • Art. 6 – Lawfulness of processing

  • Art. 15 – Right of access by the data subject

  • Recital 59 – Procedures for the exercise of the rights of the data subjects

  • Art. 16 – Right to rectification

  • Art. 18 – Right to restriction of processing

  • Art. 20 – Right to data portability

  • Art. 21 – Right to object


Rights to Be Informed:

  • Recital 58 – The principle of transparency


Right to Erasure (“Right to be Forgotten”):

  • Art. 17 – Right to erasure (‘right to be forgotten’)


Data Protection Officer:

  • Recital 97 – Data protection officer


Obligations for Data Processors:

  • Art. 28 – Processor


Data Protection Impact Assessment:

  • Recital 85 – Notification obligation of breaches to the supervisory authority


GDPR’s Legally-Binding Conditions

The GDPR contains two key articles setting out the legally-binding conditions by which the rules and stipulations of its legal body govern the parties subject to it. These articles are as follows:

  • Art. 28 – Processor

  • Art. 47 – Binding corporate rules

Conclusions

In sum, the GDPR’s specific rules on data management and its legally-binding conditions set out solid foundations that may guide cornerstone principles and enforcement mechanisms on CBDFs, data privacy and consumer protection on a multilateral basis. From granting individuals rights on data processing consent, access to information, and erasure to dictating obligations for data processors, such as the appointment of Data Protection Officers and the implementation of data protection impact assessments, the GDPR aims at empowering citizens’ data privacy while harmonizing and organizing cross-country CBDFs management. While the GDPR has been disregarded as a sound model for multilateral regulatory frameworks on CBDFs, it has demonstrated consistent, positive outcomes in terms of compliance, enforcement and awareness across countries in the EU region, building the supporting case for a global approach to CBDFs.

1 McKinsey Global Institute, Disruptive Technologies: Advances that Will Transform Life, Business, and the Global Economy, 2013, p. 4, https://www.mckinsey.com/~/media/McKinsey/Business%20Functions/McKinsey%20Digital/Our%20Insights/Disruptive%20technologies/MGI_Disruptive_technologies_Full_report_May2013.ashx

2 McKinsey Global Institute, Digital Globalization: The New Era of Global Flows, 2016, https://www.mckinsey.com/business-functions/digital-mckinsey/our-insights/digital-globalization-the-new-era-of-global-flows?reload

3 Ibid.

4 Ibid.

5 IBM Marketing Cloud, 10 Key Marketing Trends for 2017 and Ideas for Exceeding Customer Expectations, 2017, https://public.dhe.ibm.com/common/ssi/ecm/wr/en/wrl12345usen/watson-customer-engagement-watson-marketing-wr-other-papers-and-reports-wrl12345usen-20170719.pdf

6 Truste/National Cyber Security Alliance, U.S. Consumer Privacy Index 2016, 2016, https://www.trustarc.com/resources/privacy-research/ncsa-consumer-privacy-index-us/

7 Justin Diaz, Viber Survey Highlights Key Consumer Data Privacy Concerns, 2018, https://www.androidheadlines.com/2018/06/viber-survey-highlights-key-consumer-data-privacy-concerns.html

8 United Nations Conference on Trade and Development, Data Protection Regulations and International Data Flows: Implications for Trade and Development, 2016, p. iii, https://unctad.org/en/PublicationsLibrary/dtlstict2016d1_en.pdf

9 Ibid., pp. 8-10.

10 Global Systems for Mobile Communications Association, Regional Privacy Frameworks and Cross-Border Data Flows: How ASEAN and APEC Can Protect Data and Drive Innovation, 2018, pp. 12-16, https://www.gsma.com/publicpolicy/wp-content/uploads/2018/09/GSMA-Regional-Privacy-Frameworks-and-Cross-Border-Data-Flows_Full-Report_Sept-2018.pdf

11 Aaditya Mattoo and Joshua Meltzer, International Data Flows and Privacy: The Conflict and Its Resolution, 2018, pp. 16-21, http://documents.worldbank.org/curated/en/751621525705087132/pdf/WPS8431.pdf

12 Ibid., pp. 21-24.

13 Congressional Research Service, Data Flows, Online Privacy, and Trade Policy, 2019, p. 6, https://crsreports.congress.gov/product/pdf/R/R45584

14 European Union Law, Regulation (EU) 2016/679 of the European Parliament and of the Council, 2016, https://eur-lex.europa.eu/eli/reg/2016/679/oj

15 EU-GDPR, The EU General Data Protection Regulation (GDPR), https://eugdpr.org/

16 European Commission, GDPR in Numbers, 2019, https://ec.europa.eu/commission/sites/beta-political/files/190125_gdpr_infographics_v4.pdf

17 Ibid.

18 Aaditya Mattoo and Joshua Meltzer, International Data Flows and Privacy: the Conflict and Its Resolution, 2018, https://academic.oup.com/jiel/article/21/4/769/5227421

19 Consumers International, GDPR: Will It Be the Global Standard for Data Protection, 2019, https://www.consumersinternational.org/news-resources/blog/posts/gdpr-will-it-be-the-global-standard-for-data-protection

20 Privacy Policies, 6 Key Articles of the GDPR, 2019, https://www.privacypolicies.com/blog/gdpr-key-articles/; EU-GDPR, GDPR Key Changes, https://eugdpr.org/the-regulation/