Global Data Governance
Part One: Emerging Data Governance Practices
UPDATED: Sept. 15, 2021
In FP Analytics’ Power Map, 5G Explained, we detailed the complex physical infrastructure necessary to create 5G networks and broke down the issues surrounding the control of that infrastructure, setting of international standards, bandwidth ownership, and security. In Part I of this series, we examine the emerging regulatory challenges surrounding governance of the data and information that flow through not only 5G networks, but digital infrastructure globally. While 5G networks will be vast, they represent only a fraction of the interconnected computer networks that the entirety of the Internet comprises. As the Internet serves as the circulatory system allowing data to flow to connected users globally, data represents the lifeblood of this system. How it is allowed to move throughout this system has immense consequences for governments, companies, and individuals and has catalyzed governments to regulate data flows at micro and macro levels. Emerging global data governance practices are already impacting the competitive landscape for companies around the world and helping determine how individual users and organizations interact with the rapidly digitizing global economy.
Executive Summary
Data governance has long been the domain of corporate and organizational strategy, lending a competitive advantage to those able to optimize their data collection, organization, transfer, and discovery practices. With the increasing digitalization of organizations and economies, data governance—and clear establishment of data collection standards, storage, transfer and use protocols—is becoming an increasingly pressing and global issue.
While intellectual property and proprietary data have long been governed through strict legal frameworks, relatively scant protections have existed for user data and personal information. This lax regulatory environment for consumer data in particular has enabled the rise and dominance of global tech companies from Facebook and Google to Baidu and Tencent and has spurred a wave of privacy-focused regulation around the world. In FP Analytics’ Global Data Governance Power Map series, we examine the emerging laws, regulations, and technologies that are both enabling greater data collection and impacting cross-border data flows. By cataloging the data localization laws, comprehensive national data regulations, government data collection, monitoring and surveillance technologies, and cybersecurity norms and standards shaping the global data governance landscape, we identify and analyze the wide-ranging impacts for individuals, companies, governments, multilaterals, and non-profits. Emerging data regulations are fundamentally altering how organizations of all types operate internationally. Major data privacy frameworks developed by first movers are serving as templates for other national frameworks under development, many of which are being tweaked to suit prevailing governments’ domestic agendas. For example, the recent passage of the EU’s General Data Protection Regulation (GDPR) and China’s Cybersecurity Law—two of the most comprehensive packages of data privacy regulations—has already had cascading impacts on businesses and organizations in these markets and on their trading partners. In 2017, U.S. firms cited data localization policies as their number-one impediment to digital trade, and these types of protectionist measures are rapidly proliferating worldwide. And that is just the beginning. 
Simultaneously, many national governments are crafting exemptions to their data privacy laws, empowering them to expand monitoring capabilities and build up massive data collection infrastructure. New digital technologies, such as artificial intelligence (AI), biometric monitoring and facial-recognition software, are making data collection increasingly efficient. The onset of the COVID-19 pandemic accelerated the adoption of these technologies as governments began rapidly deploying surveillance technology to enforce quarantines and track the spread of the coronavirus. This mass accumulation of sensitive data can have transformative impacts on societies but pose new cybersecurity and privacy risks as regulation struggles to match the pace of technological advancement. FP Analytics’ Data Governance Power Map series breaks down key emerging trends in global data governance by:
FP Analytics provides the most comprehensive assessment and mapping of data localization and privacy laws to date, as well as one of the most complete assessments and mappings of government data collection and regulation trends around the world. It is a powerful tool for businesses and others seeking to understand how evolving global governance regimes are shaping our digital world.
Introduction
Increasingly, government regulation is impacting the global flow of data, with varying, interconnected factors and incentives driving this proliferation of regulation. Specifically, governments are debating what information qualifies as personal data, and how private and public entities can collect, utilize, transfer, and monetize this data. The myriad measures implemented to date reflect a delicate balance of political, economic, and social factors, influenced by government officials, private companies, and citizens. Regulators around the world face the challenge of balancing nuanced and fraught issues of access and privacy, support for economic development, and establishing a functional, cross-border framework for the international transfer and collection of compounding volumes of data. Additionally, multiple parties must ensure data security across governmental, commercial, and personal realms. Varying efforts to craft regulations that optimize for national interests and constituencies are producing an increasingly complex mix of global Internet and data regulations expressing differing visions for how digital infrastructure should ultimately function, how big data is managed, and by whom. In this Power Map series, we break down the most comprehensive and impactful of these regulations and explain what they mean for businesses and citizens in our increasingly digital world.
Part 1: The Digital Economy and Drivers Behind Increasing Regulation
The massive volume of data flowing through global digital networks fueled the rise of many of the world’s largest companies, including global behemoths such as Alphabet and Tencent. It spawned multinational social media companies, such as Facebook and WeChat, allowing individuals to generate, access, and spread information at unprecedented rates. But new regulations are threatening to break up the party. 
The data collection practices upon which these companies’ business models are predicated are coming under increasing scrutiny from governments concerned about domestic and foreign companies’ collection and handling of their citizens’ data. This concern, coupled with some governments’ desire to expand their own digital economies and tax bases, is accelerating the global proliferation of data-related laws—from privacy, to data security, to data localization—as these government officials and regulators attempt to assert authority and capture value.
Key Takeaways
The Breakdown
The Rise of the Digital Economy and the Economic Drivers of Regulation
User data is, by far, the most valuable commodity in the global economy.
The global digital economy encompasses the vast physical infrastructure enabling the Internet, the full range of Internet-connected user devices, and the immense amount of data flowing through them. The rapid growth of each of these components has collectively generated tremendous economic activity. Over the past 15 years, the global digital economy has grown two and a half times faster than global GDP. One key driver behind this robust growth is the exponential volume of data being generated, processed, and monetized. Every second, there are 2.7 million emails sent, 71,966 Google searches executed, 8,342 Tweets, and a total of 289,351 gigabytes (GB) of new user data generated. For context, 1 GB of data is equal to 677,963 pages of text, meaning that every second the equivalent of a 196.2 billion-page book of new data is generated. 5G technology will connect billions more devices to the Internet through the enabling of the Internet of Things (IoT), and the combination of this vast expansion of Internet-connected devices and more of the world coming online in the next decade will exponentially increase the amount of data being generated. Currently, roughly 60 percent of the global population is online, with estimates showing that nearly 90 percent of the world’s population will come online by 2030 as Internet access is expanded throughout the developing world. This growing reservoir of data will fuel the world’s emerging and incumbent technology companies, with the ability to collect and monetize this data a matter of survival for some and a determinant of future growth for all. Among the digital giants, U.S. companies hold a dominant position, which has been gained largely through first-mover advantage, but Chinese companies are rapidly catching up. Led by Google, Amazon, and Facebook, 19 of the world’s twenty largest Internet companies are either American or Chinese. 
The five largest tech companies by market cap (Google, Amazon, Facebook, Alibaba, and Tencent) had a combined market value of nearly $3.5 trillion at the end of 2020, and held dominant market positions. In 2020, Google accounted for 91 percent of the Internet search market, Facebook accounted for 69 percent of the global social media market, and Amazon was responsible for 33 percent of the world’s cloud infrastructure services market. These companies leveraged first-mover advantage by reinforcing network effects—the more users in the network, the more valuable the network is for all users—accumulating a competitive data edge early on, and turning their data edge into integrated services offerings that increase the cost to users if they switch to a competitor’s platform. Chinese companies have been able to replicate this success with domestic Internet and tech companies—such as Alibaba, Baidu, and JD.com—through a combination of limiting outside competition on the Internet, state funding, and the controversial joint-venture policy, which critics say has enabled Chinese firms to coopt outsiders’ technology. Critically, maintaining these advantages relies heavily on these companies’ ability to collect users’ data across international borders, with minimal if any restrictions, and integrate it into algorithms or sell it to advertisers. The proprietary algorithms used to monetize companies’ collected data are already governed through strict legal protections. However, the broader value of these companies is derived from their ability to generate, freely access, and smoothly transfer vast amounts of user-generated data with minimal legal restrictions. This access to data enabled the meteoric rise of companies such as Facebook and Google, among others, which rely on being able to collect troves of global data to enable services such as Google Maps. The race to develop artificial intelligence applications is amplifying this demand. 
Limited regulation of these companies to date has enabled them to capture the majority of revenue associated with data flows across borders. However, countries are increasingly developing measures to regulate data flows and e-commerce transactions to exert greater control over data generated within, and passing across, their national borders. In fact, data localization laws are becoming a standard mechanism for countries to exert control over the foreign collection of their citizens’ data and capture a share of the value. These laws and associated regulations place restrictions on how data can be stored within, and transferred outside of, a country. Their aims vary, from restricting foreign companies’ and governments’ access to sensitive user data, to boosting foreign and domestic investment in server infrastructure, to, in limited cases, handicapping or completely inhibiting foreign companies’ ability to operate within a country’s borders. To date, roughly 75 percent of all data localization measures in place are meant to ensure data privacy and security when data is transferred outside of a country. These measures focus on restricting data transfers to countries that are deemed to have inadequate data privacy frameworks. However, roughly 25 percent of existing data localization measures include more extensive restrictions that aim to exert influence over data flows through physical data storage infrastructure. Countries that are intent on boosting their domestic economy (and tax base) through increased foreign investments in server infrastructure, or developing their domestic data storage industry, use data localization laws to mandate that data collected in a country be stored on a server within that country. This strategy is currently being pursued in Indonesia and Vietnam, for example. 
In a more extreme case, China has combined data localization laws with tight restrictions on foreign companies’ operations, beginning as early as 1996, to protect and foster the rise of its own multinational digital giants, such as Tencent and Alibaba, which use data to drive services from artificial intelligence to e-commerce. China’s development and increasing protection of its digital giants through regulation have provided a roadmap for other countries to emulate. In contrast, the U.S. and its digital giants have greatly benefited from the ability to collect data internationally through open data borders and have generally been at the forefront of opposition to emerging data localization laws.
The modern digital economy constantly generates massive amounts of personal data.
Internet of Things (IoT): 26.6B connected devices; 400 zettabytes of data generated per year
Mobile Phones: 7.2B mobile phones; 23 billion texts sent per day
Mobile Apps: 3M unique apps; 205 billion annual app downloads
Internet Access: 4.4B Internet connections (57.3% of population); 5 billion Internet searches per day
Digital Platforms: 294B emails sent per day; 500 million tweets per day; 65 billion WhatsApp messages per day
Finance Data: 111B credit card transactions per year (U.S.); 189 countries with financial transaction databases
The largest U.S. and Chinese tech companies collect and store extensive personal data.
The largest cloud service, social media, and search engine companies dominate the global competition.
Cloud Service Providers Market Share
2020 Sales in USD Billions (estimated) | Market Share Percentage
Amazon Web Services: $41.28B | 32%
Microsoft Azure: $25.8B | 20%
Google Cloud: $11.61B | 9%
Alibaba Cloud: $7.74B | 6%
IBM Cloud: $6.45B | 5%
Salesforce: $3.87B | 3%
Oracle Cloud: $2.58B | 2%
Tencent Cloud: $2.58B | 2%
Other: $27.09B | 21%
SOURCES: Amazon Web Service 2019 Earnings, IBM Cloud 2019 Earnings, Microsoft Azure 2019 Earnings, Google Cloud 2019 Earnings, Oracle Cloud 2019 Earnings, Salesforce Cloud 2019 Earnings, Alibaba Cloud 2019 Earnings, Tencent Cloud 2019 Earnings
Social Media Platform Market Share
2019 Sales in USD Billions | Market Share Percentage
$70.7B | 67%
YouTube: $15.1B | 14%
$14B | 13%
$3.46B | 3%
$1.14B | 1%
$1.1B | 1%
SOURCES: Facebook 2019 Earnings, YouTube 2019 Earnings, Instagram 2019 Earnings, Twitter 2019 Earnings, Pinterest 2019 Earnings, WeChat 2019 Earnings
Search Engine Market Share
2019 Sales in USD Billions | Market Share Percentage
$134.8B | 81%
Baidu: $15.43B | 9%
Bing: $7.63B | 5%
Yahoo!: $5.17B | 3%
Yandex: $2.83B | 2%
SOURCES: Google 2019 Earnings, Baidu 2019 Earnings, Bing 2019 Earnings, Yahoo! 2019 Earnings, Yandex 2019 Earnings
Government Regulation and the Increasing Demand for Data Privacy and Security
The unequal gains from the rise of the digital economy represent a key economic driver behind increasingly restrictive global data governance regimes and the proliferation of data localization laws worldwide. However, the push for data regulation has also been energized by growing social and political concerns over data privacy and data security. Government regulation in these realms is in response to citizens’ demands for data privacy and protection, the increasing frequency and severity of cyberattacks, and concern over foreign governments’ access to citizens’ data. 
While a simplification, these major drivers provide a framework for breaking down nuanced national, transnational, and local data regulations of varying scope, which may include conflicting elements as each government or regulatory body wrestles with balancing the intended and unintended consequences of regulation. Regulatory agencies, many of which are governed by politicians—not technocrats—are determining what data can be collected, where it can be stored, whether or how it can be transmitted, and how it can be secured, not to mention who is liable for the content. As governments and citizens around the world become increasingly aware of the scope of user data that big tech companies collect, data privacy laws are becoming increasingly stringent, and governments are increasingly pushing to rein in the power of large tech companies through regulatory action. Though laws were on the books in the U.S. and Europe as far back as the 1970s, they did not effectively govern the scope of data collection activities at the heart of today’s big tech companies’ operations. The recent and ongoing regulatory push illustrates governments’ attempts to catch up, as many are racing to update existing privacy laws by placing explicit limits on companies’ collection of user data and enforcing comprehensive data security and data transfer practices. The EU led the push to modernize data privacy laws, enacting the first comprehensive data privacy regulation, the Data Protection Directive, in 1995. In 2018, the EU’s release of the General Data Protection Regulation (GDPR) modernized the framework for data privacy regulation built on enforcing citizens’ civil liberties, individual freedoms, and rights in the digital realm, and it by far represents the most comprehensive legislation to date. 
Specifically, the GDPR requires that companies obtain consent to collect user data, honor requests to delete user data, enforce tighter cybersecurity practices, and comply with restrictions on the international transfer of users’ data outside of the EU. GDPR implementation rocked the digital world, increasing compliance costs and generating fines of €275 million ($330 million) as of January of 2021. It continues to alter how companies operate, not only in Europe but around the world. As countries such as Brazil and India draft similar comprehensive data privacy laws, the disruptive impact on digital commerce—and these major markets—is set to increase. While other countries are adopting laws similar to the GDPR, the EU has continued to actively push for stronger data regulation measures domestically and among its trade partners. In December of 2020, the European Commission released drafts for the Digital Services Act (DSA) and the Digital Markets Act (DMA), representing a major overhaul of existing EU Internet regulation. These acts aim to put limits on mixing commercially obtained data with personally collected data—a practice that allows tech companies to create more comprehensive data profiles; collecting business competitors’ data; and refusing access to data collected on users and businesses. The EU aims to finalize the DSA and DMA in the first half of 2022, but a number of EU states, including France, Germany, and the Netherlands, have voiced concerns that the regulations are not strict enough. The Court of Justice of the European Union (CJEU) struck down the EU-U.S. Privacy Shield, effectively ending free data flows between the U.S. and the EU, until the two sides reach a new agreement. The UK’s decision to leave the EU has generated further disputes over data protection standards. 
In February 2021, the Commission presented a draft adequacy decision that would allow EU-UK data flows to continue uninterrupted, but as of July 2021, this adequacy decision has yet to be approved by the European Parliament. Similar to the EU-U.S. Privacy Shield, the decision could be challenged before the CJEU. If adopted, the Commission’s adequacy decision would contain a “sunset clause” of four years, which could lead to diverging standards on data privacy becoming a source of tension between the EU and the UK. Failure to meet EU data protection adequacy could cost UK firms between $1.35 billion and $2.16 billion, according to economists’ projections. These regulations are part of an emerging trend in which governments seek to rein in large tech companies’ power. In the U.S., ten states are suing Google in an antitrust lawsuit, alleging that it has monopolized digital advertising. China has also moved toward tighter regulation on large tech companies, unveiling legislation drafts that include proposals to block companies from using consumer data to set discriminatory prices, or sell products at prices below cost to gain market share. These moves are indicative of a coming comprehensive regulatory push, illustrating governments’ will to establish stricter data governance regimes. Spurred by the threat that incendiary speech and misinformation on social media platforms pose to democratic discourse, governments have also started to take aim at regulating digital content. Existing regulations in the EU and the United States shield social media companies from liability for content on their platforms, but in recent years, some countries have passed laws that introduce so-called intermediary liability for social media companies. 
Most prominently, under Germany’s 2017 Network Enforcement Act, social media companies can face fines of up to 50 million Euros ($60 million) if they fail to take down certain illegal content, such as criminal online hate speech, in a timely manner. In the U.S., there are bipartisan calls for an overhaul or revocation of Section 230 of the 1996 Communications Decency Act, which shields Internet companies from intermediary liability. Under the DSA, digital platforms would remain protected from liability for user content, but growing backlash against such protections in Europe and the U.S. signals that further regulation could be created in the near future. Despite the complexity of emerging regulations and multiple drivers behind them, characteristics of data governance regimes are emerging around the world, with each nation’s specific regulations reflecting the unique mix of economic, political, and social variables exerting the greatest influence on governing officials. Collectively, the clear global trend is toward increased regulation and protectionism.
Part 2: Data Localization and Its Commercial Implications
Data localization laws encompass the full range of restrictions a country places on foreign collection, storage, and transfer of its citizens’ data. Government regimes are taking different approaches to data localization; for example, Russia has the most restrictive data localization measures in place, and the U.S. is the strongest advocate for open borders with respect to data transfer. The methods that countries use to enforce and enact data localization regulations substantially impact how international companies can operate within their borders, with consequences for commercial activity both domestically and internationally.
Key Takeaways
The Breakdown
Understanding Data Localization and Its Impact on Business
Data localization restrictions are set to re-shape global digital commerce, and their impact is already being felt.
Data localization laws stand to have the most significant commercial impact on how businesses operate internationally and can determine whether a company is able to operate in a foreign country at all. They can be included in comprehensive national regulations or international agreements, or they can stand alone as single pieces of legislation. As noted above, the three major forms of data localization restrictions that countries impose include: conditional restrictions, local copy requirements, and local data storage mandates. Conditional restrictions lay out a set of rules that a company must follow to transfer data outside the country in which it was collected. The GDPR encapsulates this form of data localization, which mandates that data may only be transferred outside the EU to designated safe countries, or if there is a legally binding contract in place guaranteeing that certain conditions are met. In the GDPR, “safe” countries are defined by the levels of the data privacy and protection they provide, with transfers to countries deemed to have inadequate data protection regulations allowed only in exceptional circumstances. The establishment of this standard has been the key catalyst in the recent proliferation of data privacy, data protection, and data localization laws. Of the 91 countries with one or more data localization laws in place, 62 have enacted or updated their data localization laws within the last five years. Fifty-one countries have data regulations that put in place similar data protection standards to the GDPR, with data localization clauses allowing data transfer only to other countries with similar standards in place. This has had a domino effect—the more countries that use a similar standard to the GDPR for data transfers, the more countries are forced to adopt similar data protection standards. 
This effect explains, in part, both the quickening pace of adoption of data privacy and data localization laws and why this trend is likely to continue accelerating. The other forms of data localization regulations currently in place include local copy requirements and local only storage mandates. Local copy regulations allow data to be stored outside of a country only if there is a copy of the same data held on a server inside the country. Local only regulations—the most restrictive form of data localization—require that data be stored on a server within the country. Both of these types of regulatory practices grant governments access to all data collected but increase costs for foreign companies as they need to double the amount of data they store, build new servers, or rent server space locally. The increase in cost is a major objection raised against data localization regulations, primarily by the U.S. government and U.S.-based companies. In 2017, U.S. firms cited data localization policies as their number-one impediment to digital trade, with cost increases being a major contributing factor. For example, the U.S. government estimates the average cost of setting up a data center in Brazil, a country without extensive server infrastructure already in place, to be $60.9 million. The cost of renting one rack of server space in Thailand, where there is already a large domestic server industry, is $1,510 per month. Both countries are crucial markets for U.S. firms with data localization regulations currently in place. A 2016 study found that firms’ inability to operate internationally due to data localization–driven cost increases would result in a GDP decline of 0.1 to 0.3 percent in the U.S., 0.1 percent in Brazil, 0.55 percent in China, 0.48 percent in the EU, and 0.58 percent in South Korea. Despite this, more countries, and most major economies, continue to adopt data localization laws. 
If adopted, India’s Personal Data Protection Act, which is currently being debated in the Indian Parliament, will include both local copy and local only data localization restrictions—a move that will fundamentally alter India’s digital economy. As recently highlighted in Foreign Policy, eagerness to act before this law is adopted is likely a large driver behind Facebook’s recent $5.7 billion investment, the largest in its history, in the Indian cellular Internet service firm Jio Platforms. While as of this writing India’s Data Protection Act is still being finalized, many other major economies, such as the EU, Brazil, China, and Russia, have already enacted comprehensive data localization regulations, with varying degrees of stringency, which threaten to further fragment, if not completely inhibit, companies’ ability to operate internationally.
Data localization will have a broad impact on different tech sectors in the future.
Internet communication services
Impact: Internet service providers will need to individually craft data policies for each country in which they wish to operate. In other cases, laws may forbid a company from operating in the country at all.
Case Study from Russia: In 2016, Russia blocked web access to LinkedIn, citing breach of Russian law requiring websites to store personal data of Russian citizens on servers in Russia.
Cloud-based data processing
Impact: Cloud-based data processing will need to be done in-country, and companies will need to buy or rent server space in countries with strict data localization laws, such as Vietnam and Thailand. These costs are likely to be untenable for smaller operators, inhibiting them from being able to enter these countries.
Case Study from Vietnam: In a country such as Vietnam, where natural disasters are frequent, the risk of losing critical data is amplified by multinationals storing it within the country’s borders. The World Bank estimates that 60 percent of Vietnam’s total land area and 71 percent of its population are at risk of cyclones and floods.
E-commerce
Impact: Data localization will likely add costs to conducting e-commerce, as countries operating in multiple markets with data localization laws will need to store customer data, including financial transaction records, in those respective countries.
Case Study from Turkey: Turkey’s data localization laws requiring all suppliers of electronic payment services to maintain all information systems within Turkey led PayPal to suspend operations within Turkey in 2016.
Internet of Things (IoT)
Impact: Applying data localization to the IoT will necessitate the creation of new data centers and create an increased number of potential breach sites containing sensitive information. The IoT relies heavily on data being transferred seamlessly, usually in real time, and data localization measures threaten to prevent certain IoT innovations from being able to function.
Case Study from South Korea: South Korea restricts the export of location-based data. This policy could potentially prevent autonomous vehicles, which would incorporate traffic updates and navigation, from functioning.
SOURCE: United States International Trade Commission: Global Digital Trade Report 2017; FP Analytics.
Graphic 5: Global Data Localization Laws and Their Stringency
Data localization laws are becoming increasingly common around the world, despite U.S. objections. Globally, 74 countries have a form of conditional restrictions on the transfer of data, and 18 countries have more stringent local only, or local copy, data localization laws covering different types of personal data. In most cases, data localization laws do not cover all types of data, and restrictions on the transfer of data may differ, depending on the type of data. 
For example, local only data localization restrictions are used more frequently to cover financial information and health information than to cover other types of data (such as Internet search results). With the exception of Pakistan, all of the data localization restrictions mapped out below are embedded into wider data privacy protection laws, which are covered in detail in the next section.
Map legend: Conditional restrictions on data transfers; Local copy restrictions on one or more types of personal data; Local only restrictions on one or more types of personal data; No data localization laws
SOURCE: DLA Piper: Global Data Protection Laws of the World Full Handbook.
DIG DEEPER: Explore FP Analytics’ Global Data Governance policy database that provides a comprehensive regional and country-level breakdown of global data governance practices in 138 countries worldwide.
Part 3: Beyond Data Localization: Other Influential Data Regulations and Emerging Data Governance Practices
In addition to data localization, varying economic, political, and social factors are driving governments to craft other data governance measures. Due to each country’s unique regulatory environment, data governance practices can differ significantly globally. However, common frameworks, particularly for data privacy laws, are emerging. As with GDPR, to date, a few influential countries with significant market power are leading the way by enacting comprehensive data regulation laws.
Key Takeaways
The Breakdown

Key Regulations and Emerging Data Governance Practices

Comprehensive data privacy regulations in the EU and China are establishing new norms for global data governance.
Data privacy laws have undergone numerous transformations globally since the first national-level data privacy law, Bundesdatenschutzgesetz (BDSG), was enacted in Germany in 1970. The rapid advancement of digital technologies in the Internet age and growing consumer awareness, particularly over the past two decades, are putting increasing pressure on countries to update their privacy laws. Currently, 160 countries have a law or laws that reference data privacy, and 102 countries and territories have specific laws dedicated primarily to data privacy.

In an early effort to harmonize the increasingly fractured regulatory landscape, international data privacy standardization frameworks emerged. The international framework currently covering the greatest share of global economic activity is the Asia-Pacific Economic Cooperation’s Cross-Border Privacy Rules (referred to as the APEC Privacy Framework), which was established in 2011. Twenty-one countries have opted into these data privacy standards, including the U.S., Mexico, Canada, Japan, South Korea, Singapore, and Australia, as well as twenty-three multinational corporations, including Apple, HP, IBM, and Merck. However, this international framework is not legally enforceable as it is not backed by a specific government jurisdiction.

Until 2016, it appeared that the APEC Privacy Framework, and similar international data privacy agreements, would foster harmonization of international data governance going forward. However, in 2016, the APEC Privacy Framework and the global data regulatory landscape were upended with the passing of the EU’s GDPR and China’s Cybersecurity Law. Both laws introduced key changes to how data privacy is regulated and were consequentially enacted in two of the world’s largest economic blocs and most globally influential countries.
Driven by concerns over civil liberties and foreign companies’ data collection activities, the GDPR introduced an expansive definition of how personal data applies broadly to any business offering services to EU citizens, set higher compliance standards, and is enforceable directly through fines. China’s Cybersecurity Law used the GDPR principles as a base but built on the GDPR standards by setting significantly stricter limits on data transfers outside of the country, placing export restrictions on data deemed essential to the public interest and granting the government broad access to data collected within its borders. Critically, China’s Cybersecurity Law adapted the GDPR principles to suit its own national interests, effectively creating its own data governance framework and further dividing digital commerce instead of harmonizing it under GDPR standards.

The GDPR initially received some criticism from businesses due to increased compliance costs and the risk of fines, with small businesses in particular struggling to meet new requirements. The GDPR also impacted small businesses with little brand recognition, which lacked the established consumer trust necessary for data collection consent. The end result has been that, in practice, many small businesses in the EU have simply opted not to comply with the GDPR—fewer than half of businesses (44 percent) report compliance with key measures in 2019—leaving them vulnerable to being fined.

The passage of the GDPR and China’s Cybersecurity Law marked the beginning of a new trend in data governance—the implementation of comprehensive national-level data privacy regulations that carry cascading impacts for the global digital economy. The U.S. government and private sector are vocal critics of this trend, broadly preferring the APEC Privacy Framework, as it is more flexible and favorable to business, is less costly, and allows companies to expand internationally with greater ease.
However, comprehensive national frameworks are shaping global digital commerce, with the volume of goods and services traded under the EU’s GDPR standard ($8.1 trillion) and China’s Cybersecurity Law ($2.5 trillion), dwarfing the volume traded under the APEC Privacy Framework ($1.2 trillion). Additionally, India and Brazil, two of the world’s top-five countries in terms of Internet users, have both adopted or drafted comprehensive national-level data privacy regulations similar to the GDPR. Overall, thirty-five countries, besides the EU countries and China, have updated or adopted more comprehensive data privacy laws since 2016, generally using the GDPR as a minimum standard from which to construct a unique national data privacy framework. This demonstrates a clear trend toward national-level regulation and stricter data privacy standards enforceable through fines. While there remains a debate on the long-run impact of compliance and which companies it will hit hardest, the GDPR has undeniably impacted EU tech startups, as the overall venture funding for EU tech firms decreased by €12.5 million per month per member state, between May 2018 and April 2019. Additionally, advertisers have been hit particularly hard by the GDPR. Advertising vendors, particularly smaller companies, lost between 18 and 31 percent market reach in the EU, between April and July 2018. If the trend toward more comprehensive data governance regulations modeled after the GDPR standards continues, these impacts are likely to be replicated around the world. As countries adopt similar standards, the ability to fully understand diverse regulatory environments, and to take proactive measures as legislation is adopted, will provide a competitive advantage for businesses with the capacity and resources to comply. 
Graphic 6: Breakdown of Major Existing Data Governance Regulations

While there are hundreds of data governance laws and regulations globally, a handful of comprehensive laws in the EU, China, Brazil, and India are shaping the emerging data governance frameworks globally. Understanding these regulations, and their impact, will be critical to the future of e-commerce due to the size and importance of their markets. (China’s is the world’s largest e-commerce market with $2.3 trillion in sales in 2020, the EU is third, and India is seventh.) Understanding these data privacy regulations provides insight into what provisions future comprehensive data regulations in smaller regional markets are likely to contain. The key data localization and privacy provisions of each regulation are broken down below. Additional cyber and national security provisions will be covered in Part II of this series.

Breakdown of Major Existing Data Governance Regulations

Four major data privacy regulations in the EU, China, India, and Brazil are reshaping global data governance. Their key provisions are broken down below.

Major Regulations

EU: GDPR (Passed: 2016, In effect since 2018)

Snapshot: Establishes a comprehensive data privacy framework for EU citizens.

Background: Europe has a long history of data privacy laws dating back to 1970, with varying versions of data privacy regulation enacted across its member states. Adopted in April 2016, and enforceable since May 2018, the GDPR is an attempt to harmonize the EU’s Member States’ data collection and data transfer practices.
The GDPR increases privacy around individuals’ personally identifying data, makes data laws enforceable through fines, harmonizes data laws across Member States, and makes national data laws enforceable on international firms. To date, €284 million in fines have been levied, with the largest fine being €50 million against Google for having an insufficient legal basis for processing data.

Data Localization Elements

Personal data can be transferred to another country only when an “adequate level of protection,” defined as a country with comparable data privacy laws, is provided. Countries and jurisdictions that are currently considered to have an adequate level of protection are Andorra, Argentina, Canada (only commercial organizations), the Faroe Islands, Guernsey, Israel, the Isle of Man, Jersey, New Zealand, Switzerland, Uruguay, and Japan. For data transfers outside of these countries, data protections must be guaranteed through a legally binding contractual clause.

Data Privacy Elements
China: Cyber Security Law (Passed: 2016, In effect since 2017)

Snapshot: Significantly restricts foreign companies’ ability to operate in China through strict data localization laws and increases government oversight of the private sector.

Background: China’s Cyber Security Law, passed in 2016 and enacted in June 2017, is broad, sweeping legislation that dictates how national companies must approach security and privacy. Critically, it reforms data management and Internet-usage regulations in China, enhancing the government’s jurisdictional control over content on the Internet and data collected by private companies. In addition to the Cyber Security Law, the Chinese government also introduced a draft Data Security Law and a draft Personal Information Protection Law (PIPL) in 2020. These laws differ in scope from the Cyber Security Law, but if passed, they would create new data security requirements and binding obligations on personal data protection for organizations and further restrict cross-border data transfer. The PIPL is a comprehensive personal data protection law, modeled on the EU’s GDPR. Like the GDPR, under the draft PIPL, data processors could process personal data without consent in certain cases, such as when needed to fulfill a contract or perform a legal duty, or when responding to a public health emergency. The PIPL’s jurisdiction would extend outside of China and would require large data processors to store personal data within China.

Data Localization Elements
Brazil: Lei Geral de Proteção de Dados (General Data Protection Act, or LGPD) (Passed: 2018; In effect: 2020)

Snapshot: Modeled after the GDPR, it establishes a data privacy framework similar to the EU’s in Brazil.

Background: Inspired by the GDPR, the Brazilian General Data Protection Act is a comprehensive data governance regulation establishing rules on collecting, handling, storing, and sharing of personal data managed by any organization operating in Brazil or handling Brazilians’ data. The bill differs from the GDPR most significantly in its enforcement mechanisms, having significantly lower maximum fines of €11 million (R$50 million) or 2 percent of annual global revenue and no time requirements for data breach reporting, and places less stringent legal requirements on data processors, thus allowing them additional justifications for collecting and processing individuals’ data (such as to protect an individual’s credit score).

Data Localization Elements
India: Personal Data Protection Bill (Draft) (Drafted: August 2018, Pending)

Snapshot: Includes stricter local copy data localization provisions than the GDPR, but less restrictive than China’s, and requires written consent for data collection and transfer for sensitive data.

Background: The bill is currently up for consideration in the Indian parliament and is still being analyzed by a joint parliamentary committee. The bill represents India’s first comprehensive approach to regulating data privacy and security. If passed, the bill will significantly alter the global digital economy by enforcing data localization standards on the world’s second-largest IT market—India has the second-largest number of citizens online in the world, with 560 million, compared to China’s 854 million. While the bill is modeled after the GDPR to an extent, provisions on data localization, users’ consent for businesses to collect data, and government access to users’ data go significantly further.

Data Localization Elements
Graphic 7: GDPR Fines to Date

To date, the EU has levied 714 fines related to GDPR infractions; their distribution is broken down below.
Largest Fines by Company (USD)