To prevent the United States from monitoring EU citizens, Europe and the United States compete on data sovereignty

 To prevent the United States from monitoring EU citizens, Europe and the United States compete on data sovereignty

21 Financial app Huang Wanyi reports from Guangzhou

The European and American privacy shield, which has been in effect for four years, was officially ruled invalid by the European Court of justice on July 16. The European Court of justice held that the agreement allows the United States to conduct large-scale monitoring of the personal data of EU citizens, which does not meet the EUs requirements for privacy protection.

How to balance data sovereignty and data sharing?

European and American privacy shield is a set of mechanism about personal data circulation between the EU and the United States, which makes relevant provisions for enterprises to transfer EU user data to the United States. Many American technology companies, including Amazon, Microsoft and Facebook, are members of the European and American privacy shield.

Liu Yushu, director of macro research department of Chongyang Institute of financial research, Renmin University of China, said in an interview with the 21st century economic report: this judgment will bring challenges to the Internet giants in the United States. For example, these enterprises will be forced to stop storing the data and information of EU residents on the servers in the United States.

In fact, the products of science and technology Internet companies have penetrated almost every corner of the global village, holding massive user data. For these multinational companies, the contradiction between data sovereignty and data sharing cannot be avoided if user data can be transmitted freely between different countries and regions.

According to Liu Yushu, data sovereignty and the asset attribute of global free flow of data are not contradictory. Liu Yushu said: the ambiguity of the property rights boundary of digital assets is the key to hinder the cross-border flow of data. When the property rights are not clear, the sovereignty attribute will be more emphasized. At present, there is no unified global understanding of data right confirmation, classification of data assets, personal privacy right, property right and so on

At present, the definition of data sovereignty refers to the independence of a country in the management and utilization of its own data, that is, the data collected by a country is subject to its own laws. Different from the traditional concept of state sovereignty, data sovereignty comes from virtual Internet space. As network data can be transmitted in real time around the world, with the increasingly prominent problems of network security and information security, how to ensure the control of data by a countrys sovereignty has become a practical problem.

Many countries require local storage of user data

Storing user data locally is the main method adopted by various countries. Including China, Russia, Canada, India and other countries have different degrees of provisions for enterprises to set up local data centers, requiring them to store user personal data in their own territory.

Taking Chinas network security law as an example, Article 30 stipulates that the personal information and important data collected and generated by the operators of key information infrastructure in China shall be stored in China. If it is really necessary to provide it abroad due to business needs, safety assessment shall be conducted.

Russia amended the information law in July 2014, requiring all information communication networks and operators to store personal data in Russia. British Columbia and Nova Scotia require that all public sector data be stored locally.

Although the European Union, which has signed the European and American privacy shield with the United States, has not made any requirements on the location of personal data storage, it has made strict provisions on the data transmission between the EU and non EU regions in the EU standard contract terms (SCCs).

It is not popular for enterprises to set up independent data centers to store local user data in every place. On the issue of data sovereignty, India is easy to know and difficult to do.

Tiktok, standing in the forefront of the international storm, has been banned in India by the government on the grounds of privacy risks. Previously, tiktok said its Indian user data was stored in third-party data centers in Singapore and the United States. In order to allay the Indian governments concerns, byte hop said in July 2019 that it would invest $100 million to build a data center in India to store Indian user data locally.

Although international technology giants have targeted at India, due to the high cost of electricity and weak infrastructure in India, technology companies, including Google and Facebook, have failed to store Indian user data in India.

Cross border data flow conflicts

Due to the different provisions of privacy protection laws in different countries, the degree of administrative intervention in the control of personal data is also different, which is another puzzle for data with global transmission characteristics.

Until there is no international unified agreement on cross-border data circulation, it is the only choice for multinational enterprises to respect each others data sovereignty and legally carry out business activities in accordance with the relevant laws of the host country, Liu said

Wang Xinrui, a partner of Beijing Anli law firm, said in an interview with 21st century economic report: there are conflicts in cross-border data flow among countries. In particular, many countries have requirements for localized data storage in different fields. Faced with the differences in data protection legislation among countries, a small number of large multinational companies will comply with the highest standards such as gdpr all over the world, while most of them will comply with the laws of the countries or regions where they operate.

Take the European Union and the United States for example. Although the two economies have close economic and trade exchanges, they have obvious differences in privacy protection attitudes. In May 2018, the EU formally implemented the general data protection regulation (gdpr), which has been widely regarded as the most stringent data protection law by the international community. In terms of attitude towards personal data, the EU puts individual rights in the first place, stipulates that EU residents have absolute control over personal data, and takes a strict attitude towards cross-border data export.

Europe has a strong tradition of privacy protection, and privacy and personal information protection have been placed at the height of the constitution, Wang said. It is generally acknowledged that the highest protection standard of the EU is the unified legislation, while the legislation of the United States is relatively more flexible and decentralized, and the rules are scattered in various legislations in specific fields. From the perspective of enterprises, if the European and American privacy shield fails and requires us enterprises to implement gdpr, it will actually bring some new obstacles to the whole data flow, which will certainly bring some compliance problems to American companies in the European Union, but it may also have adverse effects on the development of European digital economy It expresses concern.

In contrast, the U.S. law on the clarification of overseas legitimate use of data (also known as the cloud act) passed in 2018 allows us federal law enforcement agencies to force technology companies located in the United States to provide required data stored on servers, whether the data is stored in the United States or abroad.

As Europes mobile Internet market is almost occupied by American technology companies such as Facebook and Amazon, the digital hegemony of the United States has seriously threatened the data security of Europe. In 2013, Snowden, a former CIA employee, exposed the prism gate plan in the United States. The US government wiretapped European leaders by tapping data from platforms such as Microsoft and Google, which ignited distrust in privacy protection between Europe and the United States.

Liu Yushu said in this analysis: this is the continuation of US hegemony in other fields in the past in the digital age. In the digital age, the United States also wants to follow the pattern of World Police in the past, requiring other countries to transfer part of their digital sovereignty to maintain their long arm jurisdiction. However, the world pattern in the digital era is undergoing dramatic changes.

(author: Huang Wanyi, editor: Cao Jinliang)

Source: responsible editor of 21st century economic report: Wang Fengzhi_ NT2541