Global Privacy Goal Complicated by Multiple Players

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By Bryce Baschuk

May 13 — Too many institutional cooks may spoil the globally harmonized privacy broth.

Nevertheless, international data privacy policymakers told Bloomberg BNA that ceding power to some centralized forum isn't the answer. The multifaceted nature of the Internet and global data flows mean that there will always be a crowded privacy kitchen.

Multinationals would likely welcome a harmonized set of global privacy standards to ease their compliance burden, but only if the standards weren't too burdensome to begin with. And that may be the rub.

There are at least a half-dozen major international organizations collectively researching privacy and security in the online space in the hope of establishing a harmonized international framework. Each of the groups have issued proposals with crosscutting themes that seek to aid governments in crafting their national privacy laws, set up privacy management programs and notify individuals when their data are breached.

The international community hasn't settled on an overarching framework to protect privacy rights in the digital age and policymakers say that's okay.

“This particular issue is studied and debated in more forums than you can possibly believe,” Daniel A. Sepulveda, deputy assistant secretary of state and U.S. coordinator for international communications and information policy, said.

Defining and implementing the right to privacy “is unbelievably complex,” he said. “The degree to which people value privacy and how they define their relationship with their digital information, their personal identity and its relationship to the collector—whether its a government or a private entity—differs from culture to culture; from market to market,” Sepulveda said.

Right now, nobody has a global answer, he said.

Human Rights Issue

Following the revelations of Edward Snowden, a former employee of a National Security Agency contractor, that the U.S. was engaged in mass surveillance programs (121 PRA, 6/24/13), U.S. officials repeatedly stated that the matter should be regarded as a human rights issue and addressed accordingly.

That human rights approach taken by the U.S. was more akin to what one would expect from European officials.

The United Nations took up the task in 2014 with the General Assembly adopting Resolution 69/166 and the High Commissioner for Human Rights publishing a report on the right to privacy in the digital age.

“This is complex work and I think it's okay if it's discussed in the U.N. Human Rights Council,” Raul Echeberria, the vice president of global engagement at the Internet Society, said.

“But I think that we have built a system around the intergovernmental forum and we need to continue having this discussion through the Internet governance mechanisms,” he said.

(Click image to enlarge.)

Global Privacy Goal

Multifaceted Approach

In addition to the work of the U.N., several other major international organizations have pursued binding and non-binding accords with international privacy safeguards and legislative guidelines.

Since 2004, the Asia-Pacific Economic Cooperation has maintained a privacy framework aimed at helping Asia-Pacific nations ensure information privacy protection and the free flow of data (233 PRA, 12/6/04). Also in 2004, the Council of Europe signed a treaty regarding the protection of individuals in the automatic processing of personal data and cross-border data flows (180 PRA, 9/17/04).

In 2012, the Organization of American States developed a set of 12 basic principals that seek to prevent harm from the wrongful and unnecessary collection or use of personal data and information. That same year, the International Conference of Data Protection and Privacy Commissioners adopted a resolution on the future of privacy (217 PRA, 11/9/12) .

Additionally, in 2013, the Organization for Economic Co-operation and Development published a set of guidelines for the protection of privacy and cross-border flows of personal data (178 PRA, 9/13/13). In the same year, the International Telecommunications Union held a stakeholder consultation to review its legislative framework on privacy and data protection. In addition, the U.N. Conference on Trade and Development (UNCTAD) investigated the implications of data protection policies on international data flows.

More recently, the Inter-Parliamentary Union in 2015 adopted a resolution to address democracy in the digital era and the threat to privacy and individual freedoms.

Greater Collaboration

Oleg Logvinov, chairman of the Institute of Electrical and Electronics Engineers' Internet Initiative, said that “there are many organizations focused on this area but what we're seeing more and more is collaboration among those organizations.”

“It is a multifaceted subject and it requires a multifaceted experience,” Logvinov said. “I think this is an environment where collaboration among multiple organizations can enhance the outcome by bringing a variety of experiences.”

“I wouldn't say it's better—it's reality,” he said. “We have different constituencies, different stakeholders, different geographies and people have different ways of doing things that they are accustomed to.”

“The positive effect of having a multitude of organizations coming from different perspectives is that it is a cross-pollination of different expertise that actually enriches the process,” Logvinov said.

EU-U.S. Privacy Spat

Despite various international initiatives, the world's major economies continue to struggle with the best way to ensure their citizens' personal data are protected from international surveillance.

The most recent and noteworthy example was the EU-U.S. Privacy Shield negotiations. The Privacy Shield—a proposed data protection framework for the personal data of EU citizens that is transferred to the U.S.—is intended as a replacement for the U.S.-EU Safe Harbor framework that had been relied on by over 4,400 U.S. companies and thousands of EU companies, but was invalidated by the European Court of Justice in October 2015 because it didn't offer sufficient privacy protections (194 PRA, 194, 10/7/15).

After months of tense negotiations the parties developed the Privacy Shield, which seeks to align U.S. privacy policies with those mandated by the EU Data Protection Directive (95/46/EC)(22 PRA, 2/3/16).

Sepulveda said that “the primary purpose of the Privacy Shield is to ensure that whenever American actors or American collectors are involved in the collection of European data that it is done in accordance with European law and European values—and the reverse is also true.”

“I don't know if there is utility in excluding local, regional and other conversations on the subject,” he said. “In part because you learn a lot more about what people's sensitivities are and what the interactions are going to be.”

Uneven Approach Remains

UNCTAD's Deputy Secretary-General Joakim Reiter, believes that the regulatory approaches to privacy and data security across countries remain “uneven.”

A recent UNCTAD report found that many developing countries still lack even the most basic legal frameworks to secure the protection of their citizens' online data privacy.

As of 2015, only about half of all countries had approved any form of data protection and privacy legislation, and many of those countries had not adequately ensured the full implementation of such policies, the report said.

“Trust is the basic currency of the Internet,” Reiter said. “As such, we need to promote data protection and privacy measures to tap the potential of the digital economy.”

To contact the reporter on this story: Bryce Baschuk in Geneva at

To contact the editor responsible for this story: Donald G. Aplin at