Privacy Plus+

Privacy, Technology and Perspective

Sovereignty and the Need for Consensus Around “Data Privacy.” This week,

Whatever happened to the inter-connected world?  Only fifteen or twenty years ago, national borders seemed so passé. International cooperation was all the rage, propelling the world toward greater harmony through sharing comparative advantages. At the same time, conference attendees debated the true allegiances of multinational corporations and traded assurances like Thomas Friedman’s “no two countries which both have McDonald’s have ever gone to war.” And (of course) the ever-smoother, ever-growing, cross-border flow of personal data was a key feature of the age.

That was then, however. But for whatever reasons — Facebook’s algorithms? US intelligence surveillance? Autocratic data-hoovering? Brexit? Tax/bureaucratic havens? Putin’s unforgivable invasion of Ukraine? — this is now. Now, data is increasingly siloed within its source countries, per local, sovereign requirements. Top-level, generally impersonal insights can still be shared internationally, but until the Free World sorts out how Max Schrems, multinational companies, Meta, and the NSA can all live in it together, moving personal data across borders will be a pain.

For a thought-provoking explanation of this trend toward “the end of borderless data,” see the following article:

What’s coming?  As this trend toward “bordered data” develops, we see a new, two-headed paradigm emerging, roughly divided between autocratic countries and free ones.

For autocracies who insist on access to all of their citizens’ personal data, we expect further data localization rules that restrict cross-border data transfer. Foreign or multinational businesses will likely continue to scale back their operations from those jurisdictions or withdraw altogether. Eventually, business operations in autocratic jurisdictions will become too expensive economically, politically, and socially.

For the Free World, we anticipate that compliance requirements across jurisdictions will continue to become increasingly complicated.  Thus, businesses will likely face increasing friction and costs driven by the divergent requirements across jurisdictions. In our view, such requirements are flawed from their foundation, becoming ever-more costly to manage.

What’s the “flaw” in their foundation?  In our view, there are two.

The first lies in trying to anticipate, manage, and control every imaginable issue, here and yet to come, in too much detail. The GDPR, the CCPA, their continuing updates, new Acts, and new regulations are remarkable in their reach and effort. Still, almost all are “too much” – not because they miss things or overreach into trivia, but because their level of detail and specificity is just too big a lift for too many businesses which handle too-sensitive personal data.

The second lies in relying too much on “notice and consent.” Requiring too much detail in disclosures is a real issue, but the real trouble comes from imagining that “notice and consent” will ever work in the first place – much less be enough – to govern data privacy.

“Notice and consent” sounds good, is well-intended, honors the individual, and works fairly well in some settings. But where it works – in securities markets, for example — it works because a dedicated, highly trained, well-compensated priesthood of analysts divines the meanings of regular disclosures and shares them with knowledgeable investment advisors, all under the eye of the SEC and other enforcers.

That paradigm doesn’t work in a world where nobody has the time, attention span, or incentive to read detailed disclosure notices for themselves. Like the regulations with which they struggle to comply, many privacy notices struggle to predict and provide for every issue or contingency and are true marvels of effort and genius.  But they don’t work, and can’t work, as the following article explains all too well:

A hopeful note:  We see this long season of frustration continuing for a long time as people throughout the Free World struggle to reach a consensus on what we want data privacy to mean and how we want it to be managed.

However, we have some ideas on how it can and should be resolved.  We’ll share some of those ideas next week.

Hosch & Morris, PLLC is a boutique law firm dedicated to data privacy and protection, cybersecurity, the Internet and technology. Open the Future℠.