The Three Axis of Data Regulation

Attitudes toward data are a cultural phenomenon, shaped by social, corporate and government narratives

By Xische Editorial, August 23, 2018

Source: Zia Liu/Shutterstock

In this year of upheaval over data privacy, the lack of global data protection standards is harming the international community. From Europe to China, humanity is more connected than ever thanks to the internet’s reach. Yet, protocols for how data should be used and shared evade us. Given each country’s specific legal structures and practices, disunity will remain a challenge; however, the interconnected nature of modern technology means global standards are crucial.

While the debate over data protection is as old as the internet itself, it has taken on a sense of urgency following revelations this year that an obscure analytics company called Cambridge Analytica siphoned data from millions of Facebook users to sway the United States presidential election. The scandal underlines how little users understand about their data as well as the challenges governments face in regulating the industry. Moreover, there is a great divide in how users manage their data depending on where they live. A German Facebook user, for example, has a widely different approach to the platform than an American. In one of the world’s largest markets, Chinese users operate on entirely different platforms due to strict state control.

These differences are detrimental to the creation of better platforms and services. Before unpacking the exact way in which this issue could be addressed, let’s survey those three different understandings of data protection: the US approach, the Chinese approach, and the European approach.

Caution and user protection: Europe

As one of the most powerful economies in Europe, Germany’s approach to data is a bellwether for the continent as a whole. While lawmakers understand the need for big data and fast internet infrastructure to stay competitive in the global marketplace, few can agree on how to balance data privacy concerns with rapid expansion.

Given Germany’s sordid history with invasive government snooping into citizens’ private lives (e.g., the East German security force, the Stasi), the country now has strict data protection protocols. Speaking with Politico magazine, the digital affairs spokesman for Chancellor Angela Merkel’s Christian Democratic Union said, “There’s no other country where it’s more difficult [for companies] to work with data. Artificial intelligence, for example, won’t work without massively analyzing data. And at some point, we have to tell people this.”

Germany’s cautious approach to data protection is echoed in the European Union’s General Data Protection Regulation (GDPR), which was passed in 2016 but came into effect this year. The legislation is the most far-reaching set of rules for how technology companies can collect and share personal user data. The new rules are still being defined in practice, but what is clear is that companies collecting data on European users are required to have explicit consent. Additionally, users are empowered to request the information that companies have collected on them. It is a fundamental reorganization of how the internet operates, and its effects are already being felt beyond EU borders.

Powerless users: United States

As home to the technology companies that have created the modern internet, one would assume US data protection standards to be among the highest in the world. The opposite is true. The United States does not have a comprehensive set of laws to regulate the collection and use of personal data. According to the Council on Foreign Relations, US lawmakers have actually enacted “overlapping and contradictory protections” concerning data.

The Cambridge Analytica scandal jolted the US public from its apathetic approach to data protection. Subsequent congressional sessions with Facebook CEO Mark Zuckerberg have ignited debate about how to regulate technology companies and establish safeguards for data protection. The exact complexion of the regulation is unclear, but new laws are almost certainly in the pipeline. The primary question is how lawmakers will balance data protection while allowing technology companies to continue growing.

The three axis of data regulation (source: Xische Strategy Practice)

The state has the final say: China

China’s approach to data protection is fundamentally different from that of Europe and the United States, despite sharing similar characteristics. In Europe, lawmakers use the power of government to safeguard data protections. The economic calculations for technology companies are, at best, a secondary concern. In the United States, on the other hand, lawmakers are looking to strike a balance between the needs of users and the requirements of the market.

China borrows from both approaches. The state’s primary concern is absolute control over all platforms and information. User privacy is a non-issue, as the government will block any platform that does not grant it unfettered access to user information. While such measures might sound draconian to Western ears, China is actually in the process of adopting GDPR-style laws to protect user data. As long as the state maintains control, users should have strict data protection.

Taken as a whole, these approaches to data define three points of an axis on data use. The EU outlined the “citizen” axis, the US embraced the “corporate” axis and China has entrenched the “government” axis. Using these guideposts as a map to create their data policies, emerging market countries that neither have historical precedents nor have signed on to one of these entrenched approaches can create laws and attitudes on data that strike a balance. Achieving such a balance based on each country’s needs will spur innovation while establishing an equal playing field for companies and users alike. If smaller, emerging countries are able to find the perfect balance, this may be the foundation for international norms on data privacy.