How personally identifiable data is used is becoming one of the biggest divisions between the USA, EU and China. The three global economic power houses are each pushing their own agenda when it comes to user data. Ever since DARPA developed ARPANet in the 1960s the USA has set the rules and norms for the Internet globally. Recently, social norms coupled with old fashioned geopolitics are changing the way the internet is governed, with China and the EU setting out their visions. Who controls a user’s data is a key differentiator, with each of the big power blocks developing their own rules and norms.
Up to now we have been used to many “free” services, think about how useful Gmail, Whatsapp and Bing are. All services that we have become used to consuming without paying cash. But of course, these massive companies aren’t charities, users pay by giving their data. Their hugely successful business models are based on exploiting that user data. With so many benefits in terms of jobs and cash flowing into the American economy from these behemoths the American government is motivated to facilitate an unregulated market in user data.
In China the state seeks to avoid social instability. Hence the long development of the Great Firewall and since 2014 the concept of a social credit score (see “Planning Outline for the Construction of a Social Credit System“). The Great Firewall has successfully kept out the American giants like Amazon and Google and seen the rise of national champions like Alibaba and Baidu. Keeping most internet activity in the hands of Chinese companies makes it much easier to gain control over user data. One way the state will use user data is in social credit scores (like Sesame Credit). By 2020 it will be mandatory for all individuals and companies in China to participate in a social credit score system. This update of the baojia system of the ancient Chinese dynasties drives the Chinese government to legislate to protect state control over user data.
Europe has take a completely different approach. Perhaps driven by memories of totalitarian regimes or bitter about not having created its own internet giants, EU grants control over user data to the individual. The General Data Protection Regulation (GDPR) builds upon the 1995 Data protection directive and is regarded as a gold standard for privacy all over the world. By putting in place a system of regulators & penalties across the world’s largest economy, the EU is driving standards for companies handling user data of EU residents. These standards are also being adopted by other countries like South Africa, Israel and New Zealand in an example of the Brussels effect.
Each economic giant has its own agenda and that is now playing out in the laws and regulations corporations have to follow to do business in that territory. One very interesting development is how the remaining ~ 150 sovereign states will legislate. How many countries will choose to favour the corporations versus the state versus the users? Will countries chose according to their own philosophies and perhaps develop a 4th or 5th model or cleave to the state that best protects them?
In summary there are three possible controllers for user data today; Corporations, the State or the Individual. Each backed by a powerful actor, the USA, China or the EU. Each with strengths and weaknesses. For the foreseeable future these three models will co-exist business doing business globally have to navigate three very different systems, or run the risk of legal action.
Note Originally published on 5th of March 2018. Updated on 9th April 2018 to emphasis control of personal data not ownership of personal data.