As Data Flows Across Boundaries, a Patchwork of Laws Stifles Innovation 

COMMENTARY

The EU-U.S. adequacy decision implemented last month is the latest example of the difficulty of setting up, implementing and enforcing a global data standard to support current and future innovation.

The European Commission concluded that existing U.S. data privacy standards were sufficient to allow personal data to flow safely from the EU to U.S. companies under the EU-U.S. Data Privacy Framework. While the framework aims to provide an adequate level of protection for personal data flowing between the continents, we’re not out of the woods yet. 

The 137-page document is set to frame the processing of personal data and the free movement of such data after the Court of Justice of the European Union in July 2020 invalidated the previous adequacy decision on the EU-U.S. Privacy Shield.

But history could repeat itself. A court could determine this decision also does not adequately protect the privacy of EU citizens’ data when transferred to the United States.

Multinational businesses need to align with the EU’s General Data Protection Regulation, which is one of the strictest data protection laws in the world, but they also need to take into account the U.S. regulation, which does not have a single federal data protection law. Instead, some states have no regulation, while the California Consumer Protection Act mirrors GDPR’s stringent nature, and others fall somewhere in between. 

Here’s an example of how counterproductive non-federal (and non-global) data regulation can be. On New Year’s Day, Montana’s total ban on TikTok goes into effect, but it’s the only state so far to make such a sweeping move. The legislation was signed following discussions about protecting U.S. residents from data gathering through TikTok, creating a very disjointed approach to regulation. 

No one knows how the law can be enforced and what will happen to a user’s mobile when crossing from Wyoming to Montana while scrolling through TikTok. Will the Apple app store block the app while flying from Toronto, Canada, to Seattle, Washington, just as the plane goes over the Treasure State?

This type of one-off legislation demonstrates the difficulties and challenges of implementing regulations across states and countries.

The complexities of crossing boundaries become amplified an ocean away. It took 28 years for the Data Protection Directive, the EU’s predecessor to GDPR, to establish the first phase of a data transaction deal across the Atlantic. Today innovation moves much faster and no such rules or regulations are in place for the new developments happening by the hour.

AI is the perfect current example, and we can’t wait another 28 years for that. There are more than 100,000 AI tools currently.

As more tools emerge and become part of day-to-day life, an agreed-upon ethical framework and regulation are of paramount importance. In May, OpenAI CEO Sam Altman suggested that the U.S. should consider a combination of licensing and testing requirements to develop and release AI models above a threshold of capabilities.

We know there is a need for global regulation, but we also understand the challenges in setting, agreeing and implementing such regulation. There are a number of reasons countries (and states) run into roadblocks when trying to reach agreement on regulation, such as perspective, ethical standpoint, cultural difference, the complexity of the market or changes in governance.

It’s up to organizations, startups, conglomerates and AI pioneers to self-regulate and build the data ethics that will govern every new emerging technology.

We have the responsibility to protect the privacy of users by developing and implementing strong data protection practices, collaborating across industries to share information and best practices, and even developing a common standard for data protection.

This is not a substitute for promoting cross-regional regulation by lobbying governments to adopt strong data ethics laws and working with regulators to develop and enforce global data ethics standards. The EU-U.S. adequacy decision is another step in the long journey of global data regulation, but we need to run together.

More work must be done to achieve a global data regulation that protects not only our data but also our need and thirst for amazing innovation to come.

Rony Shalit is responsible for overseeing global compliance with Bright Data’s products and growing and shaping Bright Data’s ethical approach to web data collection and proxy usage that sets the standard for the industry. Bright Data is the world’s leading web data platform. He can be reached on LinkedIn.