Recent global crises in intelligence, health, and the military have influenced the evolution of data regulation locally and globally.
This article results from reflection on the workshop “Managing Shocks: Connecting Regional and Global Responses Past and Present,” which took place at Oxford Martin School earlier this year.
With approximately 5.4 billion active internet users worldwide as of April 2024, the volume of data produced and processed daily is beyond imagination. Around 42 million WhatsApp messages are shared every minute, 1.4 million video or voice calls are made, and 180 million emails are sent, generating over 1.1 trillion megabytes of data daily. This volume grows exponentially, increasing by 23 per cent annually. Just as oil fueled the industrial age, data now powers increasingly digital economies. The market for big data, valued at $160.3 billion in 2022, is expected to reach $400 billion by the end of 2030, driven by artificial intelligence (AI), machine learning, and data analytics advancements. The recent Microsoft outage serves as a disturbing reminder of society’s dependence on—and the vulnerability of—digital infrastructure.
Data is not only the lifeblood of the digital economy but also a key resource for shaping political decisions and tackling global challenges. Over the past decade, global crises, or “shocks,” have surfaced in diverse settings, prompting a range of policy and normative responses. But how do these shocks across different regions and policy fields shape the perception, discussion, and regulation of data privacy and security? An examination of recent significant crises—shocks—in intelligence, health, and military sectors demonstrates that (a) these crises may play a crucial role in advancing data regulation and (b) responses have occurred predominantly at the national and regional levels. This highlights how regional responses can often be more agile and effective in addressing crises and have the potential to drive systemic changes for development on a global scale.
Edward Snowden and the GDPR
The Edward Snowden revelations in 2013, which unveiled extensive global and regional surveillance practices by the U.S. National Security Agency (NSA) and its Five Eyes partners (Australia, Canada, New Zealand, and the United Kingdom), challenged existing perceptions of privacy and the legal frameworks meant to protect individuals’ data. The Snowden revelations shed light on several key insights about data privacy and had a substantial impact on data regulation.
The situation highlighted inadequacies and gaps in (inter)national personal data protection laws, revealing that many countries were not equipped to protect their citizens’ data from foreign surveillance. It underscored the significance of reliable encryption practices and the agency of private tech companies in safeguarding data. On a social level, it contributed to the erosion of trust toward big tech and government access to data, even among allies. Increased public awareness and debate around surveillance, privacy, and the balance between national security and individual rights spurred a wider public discourse on the right to privacy in the digital age and the need for transparency and accountability in government surveillance practices.
In response, there was a significant push for enhanced data protection measures at both the national and international levels. The UN Human Rights Council intensified discussions about the right to privacy in the digital age, appointing the first Special Rapporteur on the Right to Privacy in 2015 and urging states and corporate online businesses to respect and protect the right to privacy online.
While multilateral normative initiatives lagged, hampered by eroding trust, national and regional responses, prompted by emerging security risks, were swifter and easier to consolidate. For instance, the European Union expedited the adoption of the General Data Protection Regulation (GDPR), which entered into force in 2016, establishing new standards for data protection and privacy. In many ways, the GDPR represents a successful example of regional normative mobilization that reflects specific values. It has served as a blueprint and inspiration for regulating data privacy worldwide, including in Brazil, Japan, India, Chile, South Africa, and even China.
COVID-19: A “Digital” Pandemic
The COVID-19 pandemic introduced unprecedented challenges to global and regional data regulation as work, education, court hearings, and medical appointments moved online. Among other conundrums, the COVID-19 created a dilemma between the necessity for timely, accurate health data to combat the virus and the protection of individual privacy by data protection laws. On the one hand, transparent and timely access to research data and models was critical in informing public health strategies and the development and testing of vaccines, as well as in designing, monitoring, and assessing the impact of socioeconomic policies implemented in response to the pandemic. On the other hand, many governments resorted to mandatory digital contact tracing apps to track the virus’s spread, raising significant privacy concerns and underscoring the need for robust data protection measures to safeguard personal information. The varied responses, ranging from decentralized, privacy-preserving models in Europe to more centralized systems in parts of Asia, illustrated various approaches to striking a balance between public health needs and privacy rights.
The pandemic became a catalyst for the quick national and regional emergency policies that, while sometimes effective, have raised questions regarding their compliance with existing human rights laws. Some of these digital solutions and data-gathering tools may have detrimental and irreversible impacts on data governance in the post-pandemic world, with some countries retaining those systems for future emergency preparedness.
On a regional level, the Organization for Economic Cooperation and Development’s adoption of the Principles and Guidelines for Access to Research Data from Public Funding in 2021 aimed to provide “a global framework” under which many of the data-sharing issues can be addressed. The call for global data-sharing agreements, justified on the basis of “solidarity,” led to some emergency data-sharing agreements but raised serious concerns about the disproportionate distribution of the fruits of this data-sharing. In the end, the management and accumulation of data during the pandemic relied on national and regional solutions, with highly heterogeneous national approaches to data collection and sharing emerging as a swift response to the global health crisis. There were no immediate universal systems or standards for the dissemination of coronavirus research data, including associated code and software and global data-sharing, raising questions about benefits for all.
Military Conflicts
Recent conflicts have demonstrated significant risks to the rights to privacy and data protection in contemporary warfare. They illustrate that in the digitally transformed landscape of armed conflict, data is both a critical asset and a target. Data is vulnerable during armed conflicts for various reasons, primarily because many national data protection regimes allow necessary and proportionate exceptions to privacy norms for national security, defense, public safety, and crime prevention. An armed conflict almost always falls under the national security exception and gives freedom to national governments to adopt exceptional measures on the collection, processing, and storage of data. Meanwhile, as Russell Buchan and Asaf Lubin rightfully note, international humanitarian law barely offers any special rules for the lawful processing, analysis, dissemination, and retention of personal information during armed conflicts. In Gaza, the use of intricate surveillance technologies, drones, and other intelligence-gathering tools by Israeli forces raises serious concerns as they collect vast amounts of data on civilians, combatants, and infrastructure with limited transparency. Humanitarian organizations working in Gaza face challenges in securing sensitive data about affected populations to avoid further endangering them.
The Ukraine conflict brought issues of data governance to the forefront in multiple ways: cyberattacks, misinformation campaigns, data security, and the weaponization of data became central to the conflict, teaching many countries about the complexities of interdependency, which can be both beneficial and detrimental. In Ukraine, businesses and governments have had to adapt quickly to ensure the security and integrity of their data amid the ongoing conflict. Shortly after the invasion, Ukraine swiftly enacted new laws to allow the migration of Ukrainian data to foreign servers. This enabled companies such as Cisco and Google to safeguard Ukraine’s data from Russian cyber operations while ensuring that kinetic operations against cyber infrastructure did not result in data loss. At the same time, the comprehensive sanctions on Russia in the tech sector, which led more than 1,000 companies, including Google, Amazon, and Microsoft, to quickly cease their operations and services, illustrated to many countries the importance of autonomy in digital and cloud infrastructure and debunked the myth of geopolitical neutrality of global tech. In Russia, it triggered a reactionary response, strengthening the data sovereignty narrative by developing more restrictions on cross-border data flows in July 2022 and restructuring control over the digital infrastructure.
***
International shocks are inevitable, often triggering shifts of different magnitudes in the digital landscape, including in data governance. In the absence of a robust global data governance framework, national and regional institutions take the lead in responding to and managing these crises. Approaches may differ, driven by unique national interests and values, and are tested over time. For instance, the GDPR has become a de facto global standard, as major tech companies opted to comply with its rules worldwide. The recently adopted EU AI act, locking certain values in, may similarly influence other governments and companies as they navigate the challenges of regulating machine learning.
More agile and adaptable, national and regional data governance frameworks offer the quickest response to the complexities of crises. In the context of the global-regional nexus, these localized solutions have the potential to drive systemic changes, foster effectiveness, and enhance the legitimacy of global data governance efforts.
– Liliya Khasanova is a visiting scholar with the Russia and Eurasia program at the Fletcher School of Law and Diplomacy. Her research interests include national perspectives on the international law of cyberspace, global data governance, and the impact of ICTs on the international legal order. Published courtesy of Lawfare.