The recent revelation that Zhenhua Data, a Chinese firm based in Shenzhen, harvested the personal information of some 2.4 million global citizens has caused understandable consternation and brought the dangers of big data analytics back into sharp focus again.
I say “again” because the Facebook – Cambridge Analytica incident previously exposed how the personal data of up to 87 million Facebook users could be collected after just 270,000 people used a Facebook app titled “Your Digital Life” that then gave the app access to the users’ friends’ wider network. That meant only a fraction had consented to that access and the app breached Facebook’s own terms of service when it passed the data to Cambridge Analytica. Cambridge Analytica then used that data for what it termed psychographic analysis, despite the majority of data subjects neither consenting nor being aware of that use of their data.
In the case of Zhenhua Data, the data was acquired without any apparent attempt to obtain any consents at all. The ensuing public concern flowed not just from the scale of the constructed database and the sophistication of collection methods but also from the purpose behind it. Whilst a significant proportion of the information was from open public sources, such as social media, that proportion was put to ends that were never expressly consented to and, for many, never envisaged.
It does not follow that those who use social media or open source platforms wish their information to be made public or, as demonstrated by Cambridge Analytica, used as intelligence or influence tools by unknown parties in unknown locations. Agglomerated data, where vast amounts of personal information are amassed, can be put to all manner of nefarious uses such as disinformation campaigns, the exertion of political influence, bribery and propaganda.
The question that should spring to mind is ‘how can this still happen?’ In an age where the value of personal data is so recognised as to be described as the new oil, and where laws have been enacted to protect our valuable information, how can any organisation take and use personal data in a cavalier, unregulated fashion?
The General Data Protection Regulations 2018 (GDPR) purport to safeguard the personal information of Europeans (this currently includes the UK) and are extra-territorial in that they can apply equally to non-EU organisations, such as those in China, by virtue of targeting criteria. A key targeting criterion is where the processing of personal information in question is related to monitoring the data subjects’ behaviour in the EU. On any view, monitoring seems to be precisely what took place here. And yet where are the signs of active enforcement?
The impotence of our regulators when it comes to global enforcement is certainly one huge problem. The other, which is often overlooked, is the divergence of culture and philosophy between nation states and their attitude toward data and who should ultimately control it. Geo-politics and differing views as to data sovereignty mean that there is a global tug of war that makes international enforcement of data protection a figment of the imagination. If nations cannot even agree on data sovereignty and who ultimately owns personal data, then they cannot agree on who is to be protected.
So what is data sovereignty? Data sovereignty and data security should not be confused. They may sound similar and there may be overlap, but they are not interchangeable concepts. The principle of data sovereignty is that information which has been converted and stored in binary digital form is subject to the laws of the country in which it is located. This, in effect, is the nation state exerting ownership and national macro regulation over information it regards as its property. There may still be micro regulation applied by individuals and/or organisations in order to secure or protect the data, but data sovereignty is governmental: it regulates who may access or control the data.
The approach to the security of data is one of the most significant issues facing governments, corporate entities and individuals. Such has been the understandable fanfare around the implementation (back on 25 May 2018) of the GDPR in all EU Member States, that many are acutely aware and fearful of the current regulatory landscape and fines that will follow non-compliance. What far fewer appreciate is that it had wider cultural ramifications. We are witnessing the start of a philosophical divergence in the treatment of information protection across the globe.
The GDPR was the first attempt at a unified, homogenised law across Europe and beyond to govern the collection, control and processing of personal data. But law is rarely without politics, and politics can be geographically sensitive.
Significantly, the GDPR emphasises the individual citizen and the sanctity of an individual’s personal data. This runs root and branch through the GDPR; from the need to show an individual has given active and demonstrable consent through to the embedded rights of the data subject (individual) to ensure that organisations only keep data for the purposes specified in the GDPR and that a data subject has a ‘right to be forgotten.’
The GDPR sought to ensure that there was a sea change in the way that worldwide entities caught by its provisions, whether inside or outside Europe, treated the personal data of European data subjects. They were to become mere custodians of someone else’s valuable property (namely that individual’s data) and were to be required to deal with that personal data in a way that was consistent with handling someone else’s possession of significant value.
There are individual rights of redress built into the GDPR and evidence can be required to show that dealings in personal data have been conducted appropriately. In Europe then, the rights of the individual in relation to their data have been recognised as paramount. The UK has similarly adhered to this edict of individual empowerment and one might have hoped for uniformity on the regulation and philosophical treatment of information around the globe. Or perhaps not. Significant cyber security legislative initiatives have occurred in China, Russia and the United States. The result is a divergence in philosophy and a rejection of the European model of individual data protection values. In the cases of China and Russia, the role of the state in data protection and management has been placed at the epicentre of regulation. Data sovereignty or data of the state are the guiding, dominant policies at play.
On 1 September 2015, the Russian Federation passed a law which required personal data relating to Russian citizens to be stored on servers physically located within the country. For Russia, such information belonged to Mother Russia and it would remain within its national borders. Companies including Viber and eBay complied, and moved relevant personal data to Russian servers. Google reportedly also complied. Facebook, Twitter and LinkedIn decided not to comply with the new requirements. Roskomnadzor, the Russian regulator, sued LinkedIn for non-compliance, and won its case twice, first in a lower court in August and then again, on 10 November 2016, in a Moscow city court. At this point access was blocked.
Roskomnadzor made it clear that compliance would require moving Russian users’ data onto Russian soil and amending its user agreement, which states that the company collects not only personal data of its users but also personal metadata (IP addresses and cookie files) of its website’s visitors. In Russia, then, nation state regulation – data sovereignty – trumps individual data rights. The GDPR, its notions and philosophies of individual protection have no place in Russia.
China’s new Cyber Security Law commenced on 1 June 2017. It should be noted that prior to 1 June 2017, any European model of personal data protection law had not been recognisable in China. Indeed, China had not previously passed any meaningful comprehensive data protection legislation that regulated the collection, control and processing of personal information. On 1 June 2017 that changed, but whilst China’s Cyber Security Law does give a nod to the protection of an individual’s rights, it has state interest and sovereignty at its heart. In addition, recent updates that purport to introduce standards that better reflect the GDPR European model are voluntary and, in essence, a code of practice that need not be practised.
The Chinese Cyber Security Law impacts on what it terms ‘network operators’ who, when handling personal information, must abide by regulations that seemingly chime with the GDPR, namely (in broad terms) that:
- the collection and use of personal information must be lawful, proper and necessary
- the purpose, method, and scope of collection and use is transparent and consensual
- they do not disclose, alter, or destroy personal data without appropriate consent
- they report data breaches and effect remedial steps
- they deal with requests for deletion (akin to the right to be forgotten) or correction.
But this nod to the protection of the individual is secondary to the interests and sovereignty of the state. The definition of ‘network operators’ in the Cyber Security Law is so widely drawn that it would cover even the domestic user with more than a single computer (or indeed a device such as a phone) with access to a printer. In short, almost everyone is caught and those deemed ‘critical information infrastructure operators’ (CIIOs) are forced to physically store within China (i.e. within its geographical borders) personal information and important data which was produced within China.
In short, this Chinese data must be physically kept on servers within China, thus chiming with the law in Russia. The state may also conduct what are termed ‘security risk assessments’ to trawl through all their data.
The Cyber Security Law allows extensive state intrusion and is aimed at keeping ‘critical’ Chinese data in China. This is nation state data sovereignty at its highest. The definition of CIIOs may be so broad as to ensure China can exert influence wherever it sees fit and it applies to non-Chinese operators as well as those in China, as no distinction is made between internal or external networks. In practice, the state will have to ensure personal information it regards as important remains on servers within China: any attempt to transfer will then be subject to the ‘genuine business need’ test after an intrusive state assessment.
In the US, the right of an individual in relation to data could be said to have been diminished by the repeal of regulations requiring internet service providers to do more to protect customers’ privacy than websites like Google or Facebook. The initiative, founded during the Obama administration, had sought to restrict the ability of internet providers to use information such as location, financial information, information in relation to health and web browsing history for advertising and marketing purposes. The rules made it unlawful to use such information without obtaining appropriate consent. The decision of the Senate to vote down these provisions was based on the assertion that it would lead to a different set of regulations for internet providers and websites. The sale of personal information collected by retailers is huge business in the US, and corporates, not individuals, are paramount. In the US, a principle of corporate data sovereignty appears to be at play.
The really significant issue is how one can ever align these different approaches to data sovereignty. Whilst, certainly in the case of Russia and China, the centre of data protection and management is the state, that is not the case in Europe and, seemingly, the United States. In Europe the individual is paramount. In the United States, corporations appear to have scored a major victory. So where does that leave the possibility of a consistent approach to data protection and management across the world? In tatters.
A global entity doing business in each of the jurisdictions discussed above will be faced with regimes and policies which are at odds with each other. How will, for example, an entity free to sell data in the US deal with the need to obtain active and demonstrable consent to such a course of action in Europe? The requirement in Russia or China to ensure that data is subjected to scrutiny by the state will impact on the rights of the subject if they are European. The GDPR envisages only allowing data transfers to jurisdictions that have ‘adequate’ measures to ensure consistency of approach. The ability to sell personal data for advertising purposes in the US does not sit well with the cornerstone of the sanctity of an individual’s personal data.
It is plain that even where laws exist to protect an individual, the misuse of their personal information will continue unabated and, in many instances, the perpetrator will go unpunished. Moreover, the lack of a unified philosophical approach to data protection and regulation will be a serious hindrance to its development and to effective international enforcement. So long as nation states decree that your information is their sovereign property, and data philosophies diverge as to the weight to be given to individual rights, there can be no uniformity in global data regulation or enforcement. For me, the only surprise is that anyone should be surprised.