#ISC2Congress: Global Factors Driving Data Privacy Regulation (Part 2)

[ This article was originally published here ]

By Andrea Little Limbago, Chief Social Scientist, Virtru

Limbago presented during the Governance, Risk and Compliance track at the 2019 (ISC)2 Security Congress in Orlando. The session, Global Factors Driving Data Privacy Regulation, explained data localization, how it is progressing and what that means for organizations. In two parts, Limbago recounts the information covered in her session.

Limbago-2In the previous post, we discussed the growing influence of digital authoritarianism, which has now contributed to nine consecutive years of a decline in internet freedoms across the globe. We’ll now turn to two other competing global influences that are further shaping data protection – data localization and free flows of secure data. Absent a federal data protection regulation on global engagement, security and privacy in the United States, we will continue to be influenced by these external forces.

Data Localization

Data localization – data storage within sovereign borders – is a core contributor to a fractured global internet and has been on the rise for the last decade. While not all data localization is equal, authoritarian governments leverage data localization for greater information control within their borders.  

Increasingly, many of the new data localization policies (e.g., new laws in Vietnam and Thailand) fall under broader cybersecurity legislation that also involves elements of censorship, especially with regard to controlling anti-government rhetoric. Russia’s new sovereign internet law that came into effect in early November, as well as China’s Great Firewall reflect extreme versions of data localization and digital sovereignty, and are inspiring similar approaches in Iran and Venezuela

The Push for Secure and Open Data Transfers

While data localization reflects protectionist measures to isolate data, preferential trade agreements reflect the opposite movement in favor of secure and open digital trade. For instance, the Comprehensive and Progressive Agreement for Trans-Pacific Partnership (CPTPP) and the USMCA prohibit restrictions on cross-border data flows for business purposes. 

International forums are additional venues where countries are advocating for secure and open data flows. The Asian Pacific Economic Forum (APEC) has outlined a privacy rules system with a set of principles and guidelines for its member-states, with an emphasis on collection and rules limitations and security safeguards. At this year’s G20 Summit, Japanese Prime Minister Shinzo Abe prioritized ‘data free flow with trust’ as essential to the global economy as well as individual privacy rights.

The Necessity for an American Data Protection Framework

These external forces continue to shape data protection in the United States and highlight the need for American engagement and framework that grants individual rights to control and access data, including security safeguards to counter the growing threats, while reaping the benefits of a digital economy. 

The United States currently has a patchwork of sector-specific regulations, while various U.S. states are implementing their own data protection legislation in response to the threats and shifting American public opinion in favor of data protection and privacy regulations. This makes US federal data privacy legislation increasingly likely within the decade, if not within the next few years. If done well, a U.S. federal privacy framework could play a pivotal role in providing global leadership focused on protecting individual data rights and privacy, enhancing security, and prompting greater innovation. 

Given the unmatched impact and size of American companies as well as the American economy, an American data protection framework could counter the spread of digital authoritarianism. The United States has both the opportunity and the responsibility to be this countering force, renewing its role as a defender of freedom while enacting a legislative framework that puts individual digital rights and privacy at its foundation.