On Data Privacy, Building Trust Means Asking the Right Questions

WASHINGTON—A representative of German industry aptly observed in a recent meeting on Capitol Hill that data has assumed the importance of oil in today’s economy. Data packets flow through global networks and are reassembled in computers around the world to give commands to machinery, store information, analyze patterns, and glean insights that create value.

Digital data are the new raw materials making our economies and societies hum. But unlike oil, the information contained in data packets and on computers sometimes includes human communications, personal identifiers, and intellectual property. How we treat data is therefore more sensitive than if it were merely used to efficiently operate electric grids, remotely adjust robotic assembly lines, or track shipments. Reaching international agreement on novel legal questions presented by cyberspace will take time and patience, but there is little public understanding of the parameters of debate, in part because the technical specifics and terminology used are confusing.

Cyberspace is a term that focuses on the entire system of globally networked electronics and electromagnetic transmission mechanisms, primarily the Internet. The term digital draws attention to electronic devices themselves and the data they hold in the form of ones and zeroes. A non-networked computer is not part of cyberspace but is still a digital device, although by design ever more electronic devices are “plugged in” to cyberspace via the Internet as a default setting. Clarifying the catch-all terms Internet, digital, and cyberspace as distinct phenomena would help speed important debates on legal principles.

Questions of digital privacy, international data transfers, and extraterritorial access to data are high on the U.S.-EU agenda. The Judicial Redress Act passed recently by Congress is critical to ongoing negotiations over the EU-U.S. Privacy Shield agreement. The Microsoft Ireland warrant case and discussions over a U.S.-UK data deal address questions of when law enforcement has extraterritorial access to data-as-evidence through due process. Meanwhile, public debate rages in the United States over the recent Apple v. FBI case and if Apple should be required to provide technical assistance through court order in helping the FBI unlock the iPhone of one of the killers in the December San Bernardino terrorist attack. Whether it is technically possible to do so without also breaking security for iPhones around the world is a heated point of debate. Concern about how various governments around the world might use intrusive capabilities without adequate protections for citizens has many people concerned.

Building a workable international legal framework for cyberspace that promotes economic efficiency while protecting civil liberties, privacy, public safety, and national security is one of the most difficult challenges of our time.

A key variable in the equation is trust. How do you create trust between companies and security services of one state with citizens of another state? What legal protections, judicial mechanisms, and engineering solutions are necessary, and do they unduly hamper law enforcement in protecting citizens from violence, exploitation, and theft? Do they make it too difficult to do business or accidentally create perverse incentive structures? What role should data encryption play? Building general consensus between the United States and European Union on answers to these questions is important in advancing the global debate on cyberspace governance, and a more robust dialogue on general principles is necessary between governments and among citizens.

The core legal questions surrounding extraterritorial access to data primarily concern jurisdiction, liability, and control. What state or entity should have jurisdiction over data created by people on specific territory but that is immediately shipped across the planet at the speed of light for storage or analysis? How do we cooperate across borders when a crime is committed or an attack perpetrated via the Internet with a data trail of evidence traversing servers and computers in 40 different countries? In what situations are companies, individuals, and governments liable for damages to citizens of other countries, whether through negligence or malice? How much information should computer-robotics and information management companies such as Google, Microsoft, or Baidu be required to share with governments, and under what circumstances? How can legal access to data through due process move quickly enough across international borders so law enforcement can do its job effectively?

Law ultimately derives from norms, and debating norms as a society requires a common knowledge base. This means it is our duty as citizens to educate ourselves about the new realities presented by modern cyberspace, taking time to struggle with new material and learn the parameters of debate. Misperceptions, conceptual and linguistic confusion, and caricatured views of highly complex, novel situations are a challenge to reestablishing trust in our saturated media landscape, enabling simplistic political messaging to capture the attention of an understandably angry and frustrated public. Discussing the depth of these challenges and asking the right questions together can help speed the process of creating cyberspace norms and rebuilding trust.