THE HEADLINES ABOUT the trade wars being touched off by President Trump’s new tariffs may telegraph plenty of bombast and shots fired, but the most consequential war being waged today is a quieter sort of conflict: It’s the new Cold War over data protection. While the Facebook/Cambridge Analytica crisis currently burns as the latest, hottest flare-up in this simmering conflict, tensions may increase even more on May 25, 2018, when the European Union’s General Data Protection Regulation comes into effect.
The Cold War I grew up with pitted Western capitalist democracies, led by the United States, against Communist dictatorships, led by the Soviet Union, in a contest for world domination. Two worldviews competed against each other on a global stage. The contest was ultimately won not on the battlefield, not by armies, but by the sheer productive capacity of the West. Capitalism triumphed by providing TVs and cars and political freedoms to an expanding middle class, while communism foundered on its inability to offer any such prizes. The society that offered the most to its citizens ultimately won the day.
Combatants in the new Cold War are fighting over the currency of the modern age: personal information. The battles are over who controls data. Vying against each other are those societies that believe that individuals have an absolute right to control their personal data—to exercise the same kind of dominion over data that they do over their bodies or their personal property—and those that believe that personal data is a good to be traded on the open market and thus subject to the same market forces at play elsewhere. May the most innovative, efficient company win.
The EU stands firmly for the interests of the individual. The regulatory language of the GDPR cogently expresses its view, harmonizing data protection rules throughout the EU and requiring that any company, anywhere, must respect the data rights of EU citizens, or face stiff penalties. Europeans must provide positive consent for the ways their data is used, and they have the right to access and erase that data, as well as the “right to be forgotten.” In the opposite corner sits the United States and the giant US corporations that trade in personal data for profit, and whose practices have expanded largely unchecked. One ideology puts the control of personal data in the hands of the individual, the other cedes that control to the corporation. (A third approach is state control of data, which is emerging as China’s social credit system, though that remains as yet an internal policy.) But these differing views about data protection cannot jostle for dominance for much longer. As trade grows increasingly global, it’s becoming clear that personal data crosses borders far too easily for contrasting models to co-exist.
Now, weeks before the GDPR goes into effect, the evidence is mounting that the EU’s approach will dominate. One good measure of this dominance is the speed with which countries around the world are recognizing the supremacy of the EU data protection standard by adopting models that align closely with the GDPR. The number of countries that have attained official EU recognition of the “adequacy” of their standards grow steadily; South Korea and Japan will join the list soon. For their part, EU leaders are clear in their intent. “We want to set the global standard,” Věra Jourová, the European commissioner for justice, told POLITICO last year. “Privacy is a high priority for us.” And so it must also be for those who wish to trade with this powerful economic bloc.
Even in the United States, there are signs of movement toward embracing higher standards for data protection. The United States offers a program, called Privacy Shield, that enables American companies to certify that their data protection practices meet EU standards (though this program is questioned by privacy purists in the EU). And some of the most trusted US corporations go to great lengths to respect the data rights of people in other countries (see the recent Microsoft case before the Supreme Court). Likewise, individual states establish GDPR-like laws for their citizens (see New York’s recent cybersecurity regulation). The sheer volume of companies that are willingly modifying their data protection practices, at great cost, to become “GDPR compliant” should be evidence enough that there is appetite in the US business community for the certainty of a unified data protection regime.
Despite the growing power of the EU position, however, several powerful forces sustain the position of those who would trade freely in personal data. First, many of America’s corporate powers are not eager to see systemic change. The economic power of America’s data giants—Facebook, Google, Amazon—is built on individuals freely exchanging their data for “free” services. As noted by the New York Times, “any attempt to curb the use of consumer data would put the business model of the ad-supported internet at risk.”Second, lawmakers at the national level are too embroiled in partisan warfare to pass any sort of general data protection regulation. There simply isn’t enough popular pressure to force a wholesale revision of US policy.
And yet all that may be about to change. The Facebook/Cambridge Analytica case seems to have prompted a level of scrutiny around Facebook’s data protection practices that may transcend the “scandal of the week” news cycle. Whether this scandal fizzles out in a flurry of #DeleteFacebook hashtags or leads to serious legal challenges and widespread public calls for reform is yet to be seen, but it is clarifying the battle lines that will be drawn with the coming enforcement of GDPR. As a student of history, I wonder whether these events will be more like the Cuban Missile Crisis, a brief and dramatic flare-up of hostilities that recedes into business as usual, or something akin to the collapse of the Berlin Wall. Either way, I believe we’re at a pivotal moment in history—a moment when the regime that offers its citizens the most control over their personal data will win the day.
Will the spring of 2018 be remembered as the time when the right to privacy was enshrined as a fundamental human right? Or will we see the status quo maintained, despite months and years of fines and litigation and political pressure? This student of history will be watching closely as the Data Protection Cold War plays out.
Read more at WIRED.