Article

We need a global framework for data protection law

Apr 8, 2022

The rise of Big Data and AI is happening fast and everywhere. Meanwhile, legislation is not only cumbersome but also limited to single jurisdictions. This becomes especially clear on the topic of Data Protection Law. As the engines of AI run on data, often personal data, regulating data thereby means regulating access to AI. But unlike, e.g., the TRIPS agreement for IP law, there is no international framework for Data Protection Law. There is momentum in this direction, displayed by meetings between the G7 Data Protection Officers or bodies like the Global Privacy Assembly. However, the road to an international framework is still long.

The following contributes to the question of how such an international framework for Data Protection Law should be approached. First, one should compare the existing Data Protection Laws and establish a common denominator (1). Second, one should establish principles based on the philosophical foundations of privacy (2). Third, one must test whether these considerations align with an economic analysis (3). To demonstrate this approach’s feasibility, the following develops, by way of example, a legal framework for tracking cookie policies linking the Californian CCPA and the European GDPR.

1. When comparing different jurisdictions, most of them provide Data Subjects with sovereignty over their Personal Data. What differs are the definitions of personal data and the scope of application of the respective law. California’s CCPA and the EU’s GDPR similarly define personal data as information relating to an identifiable natural person. However, the CCPA only applies to businesses of a certain size or processing activity. The GDPR applies to all acts of data processing and only exempts purely personal activity. Therefore, when a subject is browsing an online store for Christmas decorations which saves their preferences and links them to their device for personalized advertisement, the store is processing personal data under each regulation.

2. Philosophically, Data Protection is an essential safeguard of individual freedom in a society. If others knew everything one was doing, individuals would discontinue behaviors that do not conform to the social norm. Not every data point has the potential to socially harm the subject and hence influence their behavior when becoming public. This shows that the perspective of the subject is decisive. As only the subject can determine how influential a particular data point is to their behavior, all Personal Data needs to be protected equally. Further, for the subject, it does not make a difference whether the company is processing a lot of data or only the subject’s data. The subject’s individual freedom is at stake equally. Therefore, an approach like the CCPA’s that only applies to specific processors is too narrow. Whenever data is processed commercially, Privacy Law needs to apply. As privacy protects the subject’s individual freedom, the subject’s freedom to give away their data must also be regarded. Most subjects would not care if an online store knew which Christmas decoration they preferred. However, giving away data is only a free decision if sufficient information is provided. Hence, under GDPR and CCPA, the processor needs to state which data is processed, by whom, and for what purpose. Therefore, when an online store tracks the subject’s Christmas decoration preferences, it should only be done with the subject’s informed consent, with no regard to how much other data the online store processes or how large the store is.

3. Economically, companies have an interest in using data for Big Data and Machine Learning applications. In doing so, they generally increase economic welfare. Social welfare is increased if all costs are priced in and no external costs (like CO2 emissions in old industries) are incurred. Disregarding privacy can be classified as an external cost that results in immaterial damage to the subject. This damage is hard to calculate, especially as subjects often lack interest in their own data. This is why informed consent is so valuable. The remaining question is whether this consent has to be given actively (opt-in). An opt-in approach like the GDPR’s results in subjects facing an information overload when confronted with all the processing information on each website they visit. Alternatively, legal provisions can allow the processing (i.e., tracking) whenever the risks for the subject are generally low (opt-out). Opt-out models increase the usability of websites and therefore, prima facie, decrease the transaction costs of consenting. However, to reduce transaction costs, subjects must trust that the processor is only processing data of generally low sensitivity. This would not be the case when looking at a website that, e.g., reveals information about sexual orientation. Therefore, an online store selling Christmas decorations needs to inform users about tracking and provide a possibility to opt out.

In conclusion, a framework for Cookie Policies should include (1) a definition of personal data as data that can identify an individual, (2) a scope of application governing every commercial use, and (3) a requirement of the subject’s informed consent, which can be substituted by opt-out consent in areas where the potential influence on the subjects’ decisions is low.

This shows that an approach that builds on the foundation of comparative law and relies on philosophical and economic deliberations should be used to draft a framework of global privacy law. This could also be of value for the ongoing discussion of a federal US framework for Data Privacy Law. Doing such an in-depth analysis of every provision of international Data Protection laws is a research task that is still outstanding.