Even though detailed personal data protection laws diverge substantially across the globe, there remains greater consensus at the core of most national laws and international regimes on a certain set of personal data protection principles. This blog post discusses the possibility of putting in place a framework built on certain core principles of personal data protection jurisprudence globally.
The impact of Artificial Intelligence (AI) on Personal Data
It is not uncommon to see that any aspect of our lives becomes complex when AI is involved, especially aspects of our private life. One very important aspect of our private being is maintaining privacy. While physical privacy is something that is under our control, digital data privacy is out of our control because once the data is fed online, the possibilities may be endless. The data may be stored forever, deleted or processed with or without actual consent (this consent may not even be constructive or actual). The issue becomes more perplexing still with highly intelligent but non-conscious algorithms like AI needing more and more data for better predictions; the sharing of personal data across borders because Multinational Companies (MNCs) and other Corporate Houses are involved; and the lack of a proper legal framework to protect and enforce rights. The irony of ‘how to protect data’ is something that affects almost every internet user, and most of the time, the internet user is not even aware.
Corporate Houses; Contract Stories; and Data Protection Laws
On one hand, there are companies which function in different parts of the world with their headquarters in one country, and maybe their holding company and their affiliates in two different parts of the world. Practically speaking, these holding companies are subject to the laws of the place where they are incorporated, while the subsidiaries are regulated by their own place of incorporation (unless they are foreign companies under their own foreign charter of incorporation). Also, the position might be different in each particular service, deliverables, and/or other kinds of contracts, where the contractual terms will govern. In this scenario, namely in contracts, the parties to the contract will also make sure that the personal data of the stakeholders, including their own employees in certain cases, is protected in order to avoid the hefty penalties under certain governing laws.
On the other hand, there are data owners like consumers or, say, internet users whose data is raked into AIs. In the absence of a legal framework that in real terms protects the user comprehensively (which can again be questionable), there is obviously an inefficiency in dealing with the dynamic personal data protection needs of the technical environment.
Will Triggering Global Collaboration help?
As a world community, we have a common global goal of ensuring that our human rights are protected. Time and again, at various platforms, international human rights law has accepted that a right to privacy exists and should be protected, though the scope of the right remains a tantalising question. Legal theorist Wesley Hohfeld argues that privacy, to be a right, would have to be possessed either in rem (against the world) or in personam (against individuals), as a contract. In the absence of a correlated obligation under law to observe it, there will actually be no right of privacy, because then it will not be a claim right. Undoubtedly, much of the legal authority has come to favour privacy as a right in rem, rather than in personam.
In this context, the issue of personal data protection cannot be seen from a domestic or local perspective, because the idea itself will be flawed if there is no collaboration internationally to protect this right. There is a need to i) study the concept of AI and its current development in terms of trade and commerce activities, social interactions and the like; and ii) identify the gaps in legal frameworks globally by studying the various personal data protection regimes of different countries/blocs of countries, to see if any efforts have been made (if at all) to protect data. This means evaluating whether different countries/blocs of countries have comprehensive and updated personal data protection laws and, if there are no laws, why that is so. It also means looking into the various international treaties on personal data protection in order to understand initiatives (even similar initiatives) already in place, given the two relevant principles of international law, namely, monism and dualism. Further, by looking at these aspects, it may be possible to determine whether a regulation with certain core principles of a global personal data protection framework will be a better mechanism to govern efficiently as well as effectively.
Some Global Efforts that may be worthwhile but not enough yet
In this piece, the researcher puts forth her findings from the analysis of the ‘personal data protection’ framework in selected jurisdictions, where empirical research was conducted to contemplate and deliberate, along with expert opinion (of limited sample size), on whether a balanced, flexible and internationally compatible data protection regulation with a better outreach will be an effective choice. In the findings, it was observed that the answer to the above question, by the sample of experts, was a unanimous yes, and it was also seen in all the data protection regimes analysed under the study that there were certain core principles in common. These include the principles of transparency, collection and use limitation with purpose specification, data minimisation, confidentiality and security, data quality, access and rectification, and accountability. Overall, more than 60 jurisdictions around the world have enacted or at least proposed postmodern privacy and data protection laws following the introduction of the European Union (EU)’s General Data Protection Regulation (GDPR). These countries include developed ones like Australia, Singapore, and Japan and even emerging ones like India, Indonesia, or Thailand.
However, since privacy laws emanate from diverse cultures, they differ considerably across the globe. It cannot be denied, though, that there has been a very progressive approach, with legitimate efforts around the globe to work towards better harmonisation of data protection regimes. These developments, like the adoption by some countries of provisions similar to those of the EU’s GDPR, were brought about in order to encourage global alliances and investment. However, there are still significant endeavours to be achieved in this regard. Also, in some nation states which hold a globally influential position, the data protection regime is still stuck in process because of a variety of different issues.
The scope of the aforementioned research was limited to analysis of the different data protection frameworks of the United States of America, the United Kingdom, the European Union, Oceania and the Asia Pacific Region (only some specific emerging and developed economies in terms of their Gross Domestic Product). The best way to move forward in the quest to find a comprehensive solution could, in this case, be to leverage the common principles under different data protection laws. This, in turn, may be conducive to forming a basis to bring in consensus between countries/blocs of countries where such initiatives are in place (or in the pipeline) for better enforcement of the right to data privacy in the use of AI, instead of just hovering around the problem.
The starting point in this regard could be to bring to the table the consensus between countries/blocs of countries where a personal data protection regime as such is already in place or at least the initiatives have been brought about. Once this starting point is achieved, there can be an emphasis on the key areas where deliberations may be necessary. These may include, amongst others, i) the important policy areas for regional and global groups playing a role in some way in personal data protection, ii) sidestepping fragmentation and duplication in the international and regional approaches to data protection, and iii) focussing on one uniting initiative, or a smaller number of initiatives, which are internationally well-suited and compatible, by regional and global organisations. Where feasible, this may also include developing mechanisms for recognizing and bringing compatibility between the different frameworks in place, so that similarities in their underlying principles can be leveraged accordingly.
The international community no longer feels the need to justify the existence of international law but merely critiques its content. Even though plenty of attempts have been made to encourage global harmonization in data privacy laws, there is no sole settled model for a global data protection regime. Examples of such attempts are the ones led by The Organization for Economic Cooperation and Development (OECD) Data Protection, Privacy Framework and Toolkit For Protecting Digital Consumers, the Asia-Pacific Economic Cooperation (APEC) Privacy Framework (2015), or the European Union (EU) Data Protection Framework. But none of the initiatives has won complete global support. Even the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (ETS No. 108), which was open for accession by States which are not member States of the Council of Europe, did not receive much support from the non-member States of the Council of Europe.
The efforts in this regard have mostly remained national and, at other times, regional. There is no single agreed model for a universal data protection framework at this stage, although there are some guides on how to deal with privacy-related issues and the lack of a data protection regime worldwide. In such a scenario, compatibility shall be the stated objective of many global and regional data protection initiatives.
In “Data Protection Regulations and International Data Flows: Implications for Trade and Development”, a study conducted by the United Nations details that there is a need to reinstate mutual trust among stakeholders of nation-states for any international treaty on stronger personal data protection. It asserts that “when mutual interests are strong enough, and political considerations are not impending, it is not difficult to reach an agreement between States on personal data protection”. Of course, protection of data privacy is still not commensurate with the current and proposed advances of AI. The laws worldwide lack remedies beyond borders most of the time. However, the digitalised and connected modern life, and the transnational nature of the internet, have led to more of a consensus. This has also led to mindfulness of the privacy of personal data worldwide. “The critical moment is not far off, with more globally recognised grounds for personal data protection and more commonly accepted standards, to define and remedy privacy violations under international law”. Therefore, it can be asserted that efforts on data protection laws differ across the globe, since nation states have shown an increasing willingness to treat concepts of personal data protection with varying degrees of seriousness. Even so, a shared ground on the principles of protection of data exists at the core of almost all of the laws, rules and regimes nationally and internationally, which may act as a preliminary idea to work towards attaining global compatibility.
Apparently, there is a very urgent and pressing need to put in place a framework that regulates the use of data in AI in order to protect pivotal data privacy rights: an international regulatory norm which is balanced, flexible, and internationally compatible, to regulate the right to protect personal data as something fundamental. This regulatory norm, instead of various multiple or duplicate provisions at national and regional levels, will have compatible and complementary provisions at a global level. Therefore, in order to attain data privacy as a basic right and to allow innovation and facilitate globalised trade by mitigating violation of this basic right, it is crucial to continue the dialogue between national, regional as well as global multi-stakeholders.
Nevertheless, this is not something that can be achieved immediately. The nation-states will require their own time to look into this issue and come to the table to take it up. A timeline can, though, be drawn up in this regard to include these core principles of the data protection regimes globally in the data protection laws of all the other nation-states. For those member states who do not adhere to these principles, or who lack the capacity to put in place mechanisms in this regard, it will be the responsibility of the able international community to provide the requisite support and to impose peer pressure by persuading them to align or develop data protection laws to comply with these principles.
At the outset, international organizations of universal presence can provide the platform for such dialogue. A regulation, for instance, in this regard can be made applicable to all the member states of the United Nations, given the fact that the protection of natural persons in relation to privacy is a universally recognised right under the Universal Declaration of Human Rights (UDHR). Also, considering the fact that the sovereign agnostic right of states is to be protected, a draft in this regard can be proposed for consideration at the United Nations (UN), where the UN High Level Panel on Digital Cooperation may take the lead.
 Article 12 of the Universal Declaration of Human Rights UDHR – (1948); Article 17(1) of the ICCPR; Article 11, ACHR; Article 8(2) of the European Convention of Human Rights. Also see, Office of the U.N. High Commissioner for Human Rights, The Right to Privacy in the Digital Age, U.N. Doc. A/HRC/27/37 (30 June 2014), para. 23; U.N. Human Rights Committee, General Comment No. 16 (Article 17 ICCPR), 8 Apr. 1988, para 3.
 The Right to Privacy, Harvard Law Review, available at http://faculty.uml.edu/sgallagher/Brandeisprivacy.htm;
 Some relevant illustrations in this regard are as follows, Australia’s data privacy regime undergoing an overhaul with significant reforms expected to come out in 2023, https://www.aph.gov.au/Parliamentary_Business/Bills_Legislation/bd/bd2223a/23bd030;
Japan’s Protection of Personal Information (APPI) Act of April, 2022 brings in extraterritorial applicability on personal data being collected outside Japan when the processing involves goods and services offered in Japan, https://www.ppc.go.jp/en/legal/;
In Indonesia, the House of Representatives, in September, 2022, approved the Personal Data Protection Bill; this was enacted as Law No. 27 of 2022 on Personal Data Protection (the PDP Law) in October, 2022.
India’s Ministry of Electronics and Information Technology proposed a new draft bill, titled “the Digital Personal Data Protection Bill 2022 (DPDP)”, https://www.meity.gov.in/writereaddata/files/The%20Digital%20Personal%20Data%20Potection%20Bill%2C%202022_0.pdf;
A five-year long process started by the judgement of the Supreme Court in Justice Puttaswamy (Retd.) and Anr. v Union of India and Ors. (2017) 10 SCC 1, the Data Protection Bill in India is now on its 4th version.
Sharmin N. Chougule
Sharmin N. Chougule is a Doctoral Researcher in Civil Law and Constitutional Legality at the International School of Advanced Studies, University of Camerino, Italy. She currently researches the novel issues of Internet of Things and Distributed Ledger Technology in Smart Contracts, comprehending the convergence of technology and law. She brings enriching experience as an in-house Contracts Counsel with Integreon, in its legal support to Nike, Inc., United States, and with Publicis Groupe, India Country Office.
Sharmin is a Corporate Compliance Officer under the Institute of Company Secretaries of India. Previously, she worked in the Legal and Compliance Department at Acuité Ratings & Research Limited, a credit rating agency registered with the Reserve Bank of India and Securities Exchange Board of India. She holds an LL.M. degree in International Laws (with Distinction) from the Indian Law Society (ILS) Law College, University of Pune, India. She also holds an LL.B. and BCom. degree (Economics Merit Scholar) from the University of Mumbai, India.