[INTERVIEW] International trends in data protection and privacy regulations: 3 questions to Fabian DELCROS

Fabian Delcros has an extensive experience practicing and teaching data protection and trade negotiations. He teaches a class on “International Data Regulation : Case Studies And Negotiations” at the Sciences Po’s Masters in Public Policy and in European Affairs as well at the Paris School for International Affairs. During his carrier, Fabian was successively legal officer for the EU Commission in WTO disputes, EU negotiator in Geneva for WTO negotiations, head of the EU Delegation trade services in Brazil, General Electric EU Director for EU Government Affairs; international trade policy consultant for large multinationals and now is responsible for negotiating on international Data Protection issues with the European Commission. Fabian graduated from Sciences Po in 1992 and holds an LLM in international Trade Law from Georgetown University.

Interview by Can Şimşek

How would you describe the current trends in data protection and privacy regulations around the world?

There is a clear global trend towards increasing convergence in the area of data protection, as we see more and more countries around the world adopting privacy laws with similar features. As the OECD noted in a recent interesting report, data regulations in many countries around the world are indeed converging towards adopting similar data protection frameworks which share many ‘commonalities’.  This is a global trend. Today more than 120 countries have privacy laws in place. Recently, for example, India, Indonesia, Brazil, Argentina, Thailand, Kenya, Egypt, Tunisia, Morocco or Chile took initiatives to strengthen their data protections regime, following the path opened by Japan and Korea some time ago.

And it is not surprising that we are converging towards similar standards as we are all confronted with similar challenges. Suffice to remind the Cambridge Analytica scandal, the Snowden or more recently the Pegasus revelations… These unfortunate events make us all realise how much there is at stake also for the society as a whole, including for a functioning democracy and the integrity of the electoral process. To address these challenges in a global digital borderless world, citizens from all over the world want to benefit from similar rights and make sure that their personal data are protected according to similar principles, including when they are transferred abroad.

You are talking about “global convergence” although there is no federal data protection law in the US. Aren’t the EU and the US diverging on their approaches to data protection  and privacy anymore?

In the past, privacy and data protection have often been presented as a point of dispute in the transatlantic relationship. Over the last couple of years, and it seems to me with increasing speed, we see a lot of movement in the area of privacy also on the US side.

Compared to only a few years ago, the question in the US is no longer “why” one should regulate privacy but rather “how”. And that’s first and foremost because there is a strong demand for privacy – and for robust privacy rules – also in the US. As shown by opinion polls, this demand increased throughout the pandemic as everyone is relying, more and more, on digital tools in their daily life.

So far, this evolution has not yet led to a general, cross-sectoral privacy legislation at Federal level (although there are several privacy bills before the Congress), but things are clearly moving at State level. (This includes the adoption of privacy laws in California, Colorado, Connecticut and Virginia, while more legislation is expected to be passed in States like Florida, Ohio or New York…).

It is important to recall that, in Europe, one of the main drivers for the adoption of the GDPR was at the time  the fragmentation of privacy rules within the single market and the need thus to establish a uniform data protection law for the EU, not the least to ensure a level playing field for business. 

Talking about business, note that the same Silicon Valley companies, who, a few years ago, fought against the adoption of the GDPR, are now spending millions to convince the world that they are compliant with this legislation… In fact, Silicon Valley increasingly uses data protection as a ‘selling point’, also in an effort to distinguish itself from its Chinese competitors. 

Another factor that contributes to putting data protection at the top of the US political agenda is that, in Washington, policy makers are increasingly vocal in stressing the importance (notably for national security) of privacy protections against excessive government surveillance and massive data collection by certain countries. Last year, after raising national security / data protection concerns, Pdt. Trump took an executive order against TikTok or ordered the sale of Grindr by the Chinese owner… And the Biden Administration is following the same trend: Pdt. Binden recently adopted an executive order imposing sanctions against Chinese technology companies involved in surveillance of persons…and, in his first foreign affairs speech, Secretary Blinken insisted that technologies must “protect your privacy, make the world safer and healthier, and make democracies more resilient”. 

Intrusive surveillance by States is a global issue which is also being fueled by the developments in digital technologies. What can democracies do to tackle this problem? 

It is indeed a global issue where there is a governance problem, as there is no such thing as international global standards to guarantee trusted governmental access to personal data. Effective safeguards against disproportionate government access to personal data are a key element of differentiation between like-minded democracies, on the one hand, and countries with techno-authoritarian regimes engaged in abusive surveillance practices on the other hand.  

Take, for example, China, who adopted an ambitious data protection law … which, contrary to other modern data protection regimes (including the GDPR), does not foresee any rules to frame its surveillance arsenal… Also note that while this law shares some similarities with the GDPR and other privacy laws around the world, it should be recalled that for us in Europe, as well as for democracies in general, data protection is first of all a human right that emerged as part of a broader struggle for liberty and democracy. In particular, it involves that individuals can effectively exercise their rights (including against government surveillance) before an independent supervisory authority and independent courts.

Fight against disproportionate access of foreign public authorities to citizen’s data is a global problem that requires first that like-minded democracies with similar values, work together on identifying common safeguards so as to adopt common responses. And there are more and more voices, including from prominent US business leaders, who stress this problem also in the context of Artificial intelligence (see the report from former Google CEO Eric Schmidt where he insists that ‘We must work with fellow democracies and the private sector to build privacy-protecting standards into AI technologies and advance democratic norms to guide AI uses so that democracies can responsibly use AI tools for national security purposes.’).

Addressing this issue is a priority for the EU: in its 19 February Communication “A European Strategy for Data”, the Commission reiterated its determination to combat these abuses by working with like-minded partners. And this is also “an urgent priority requiring further international collaboration” for the OECD who recently has put in place a drafting group to work on identifying common democratic guarantees against foreign state’s surveillance / disproportionate access to personal data. This work is a promising avenue for global governance of privacy, if the OECD comes up with effective principles, it could indeed provide a concrete contribution to the upcoming Pdt. Biden’s summit for democracies.