By Ayushi Modi
Analysing the effects that the growth of a global economy has on personal data and how the introduction of data protection laws has evolved from the phenomenon of globalisation.
“The world is a very small place”. Globalisation has brought the world closer than it ever was. Distance is no more the limiting factor that hinder the advancements that the countries can aim to reach. The global economy is built with relations and trade between countries around the world. Thus, communication has increased on a personal and commercial level. However, this level of globalisation could not have been achieved until communication did not take place across the globe. With the growth in the means of communication, personal data was shared between countries and remained accessible across the globe. Protection of personal data has now become inevitable. This research paper aims at analysing the need of the hour to protect personal data resulting from a globalised world. Also highlighting the existing scenario on data protection, the paper puts forth the argument of the importance of a global framework to instigate adaptability and compliance while analysing how the companies are starting to adopt policies for the protection of personal data in a global economy.
Key Words: Globalisation; Data Protection; Privacy; GDPR; Global Framework
Technology and the Internet have adapted into a major part of our everyday lives. We transact, browse, and share news through it daily. What was coupled with good intentions of advancing trade, commerce, and communication while making the world global in its truest sense, now serves as a platform for theft and immoral access of data which is inevitably shared on such platforms. The era of globalisation has brought the world together but has also provoked the existence of crimes that may not transpire in the same place. One of the biggest scandals that led to the concept of privacy and data protection was “The Cambridge Analytica Scandal”. “The firm in 2016 during the US Elections was accused of having access of the data of over 50 million Facebook users without their consent, to analyse and lay predictions based on such data, which led to a trial in the year 2018.” A platform like Facebook was amongst the firsts to attain a global reach. People from across the world share their personal details on such platforms and was accessible to anyone. Data breaches of a company with the access to an abundant amount of personal data led to questions and defined the need for privacy. It highlighted the gaps which laws need to protect from companies hoarding the personal data of its users and using unconsented personal information, without any accountability.
What is Globalisation?
Globalisation is the merging of cultures and resources of territories. It is an experienced phenomenon of the world becoming closer. Initially, the countries divulged in communication for the trading of necessities they had in abundance, in exchange for things they were in scarce of. This led to a massive expansion and growth of trade and commerce by countries communicating and facilitating their products across the world. However, globalisation is not stagnant, it evolved further. “Digital Globalisation” which was facilitated by the Internet and technology, depicts the constant flow of information and data over an electronic or digitalised platform, operated and accessed by the entire world, is what is dominant in today’s world. Such phenomenon is much more inclusive and a bigger idea than globalisation in its ambit of trade and growing infrastructure, ever was.
The Growing Need for Data Protection in a Globalised World
With there being a growth in trade and commerce around the world, import and export of products skyrocketed, enhancing the global economy of the world. With this increase in trade, communications across countries increased piloting to the transfer of personal data across territories. A small example in the context would be a basic order placed from a city in India for makeup from a company situated and operating from the US. This general order placed for personal consumption entitles us to share our name, address, phone number, and credit card or bank details to such company situated in the US. And there is a transmission of personal data – one of several million transfers taking place throughout the day.
International Trade was reserved to be undertaken only by the larger corporations of the developed countries of the world with such disposable resources. International transactions required a certain amount of standing in the market and capital to avoid going under. Today, living in a more digitalised form of globalisation,there have been opportunities presented to developing countries, to small companies and start-ups, and to billions of individuals who can start from any place on the globe and connect to markets that may be physically beyond their reach. A major volume of trade across the globe is now conducted via international e-commerce websites. Small and midsize enterprises all around the world have turned their business into exports and build a market for themselves while also cutting extra office and shop costs by joining such e-commerce platforms. In this increasingly digital era of globalisation, companies manage their international operations in a much effective and efficient manner using a computerised framework over various digital platforms and using such tools to keep their teams connected in real-time, virtually. While living in a pandemic, companies have seized this moment for modifying their organisational structures to accommodate online meetings, virtual transactions of business, virtual presentations and trainings. Educational institutions have also been forced to go digital. Students transact with their teachers and attend classes virtually over platforms such as Zoom or MS teams. Such platforms have thus been given the access to the personal data of not only employees but even students who may be minors. A recent news of a massive data breach where the logins and personal details of over 5 lakhs zoom users were sold on the dark web for less than one pence each surfaced.Data being generated more than ever is also shared more than ever and at the same time is being breached at an alarming rate.
The trends of today’s global communication make it extremely easy to interact with people around the world sharing intimate details for the world to see and also help to maintain relations with loved ones who may not be physically together. Such global platforms are made for easy access to anyone and everyone for enhanced communication. Private online communications can be tapped into and be misappropriated from anywhere while having no accountability.
“According to IDC, close to 5 billion consumers interact with data daily and this number is likely to rise to 6 billion by 2025, accounting for nearly 75 percent of the world’s population and each connected person will have at least one data interaction every 18 seconds. IDC predicts that the global volume of data will grow from 33 zettabytes in 2018 to 175 zettabytes in 2025 and 49 percent of the world’s data will be stored in public cloud environments” . The need for the protection of such an abundant amount of data stems from the need to have privacy from online activities of misuse, theft, or leak.
Data Protection is the Force Behind Our Right to Privacy
The term Personal Data has been vaguely defined under Article 4 of the GDPR (General Data Protection Regulations) as “any information which is related to an identified or identifiable natural person. Data can include any information which describes a person’s attributes which may be physical, cultural, mental, genetic, social, or any other personally expressive information that is specific and unique to one certain person.” It also includes other personal attributes of a person’s daily life such as telephone numbers, bank account numbers, address, and any such other information.
It is said that information once shared over technology or the internet remains there forever. This makes it easier for anyone to misuse such data and misappropriate it for the purposes it was not intended for. ‘Right to Privacy’ develops from having the freedom to choose how your information is collected and how it is used. Informational Privacy is instigated from technological innovations making such information available for people around the world to access and manipulate.
Data protection is to be understood as a legal directive to encounter the challenges that emerge from information and communication technologies by curtailing the negative impact of such technologies on individuals by safeguarding such information.It aims at providing the means through rights and obligations, for the protection of the right to privacy and provide an individual the control over his data and ensure accountability for the misuse of such data.
Regulations around the World
With the debate of privacy gaining momentum, countries have started introducing and adopting data protection laws. The pandemic saw major operations of educational institutions, health care, and other organisations and business to go online, growing the need for regulation.
“As of January 2018, over 100 countries around the world have enacted comprehensive data protection legislation, and around 40 countries are in the process of enacting such laws. Other countries may have privacy laws applying to certain areas, for example for children or financial records, but do not have a comprehensive law on data protection.” The year 2018 also saw the advancement and introduction of one of the foremost laws for the addressing of personal data in the EU and its member states. GDPR is considered to be the framework for the international compliance of data protection and the protection of personal data.
In the year 2020, countries like Canada (“Digital Charter Implementation Act, 2020”), China (“Personal Data Protection Law”), India (“The Personal Data Protection Bill, 2019”), California (“California Consumer Privacy Act”), Brazil (“Lei Geral de Proteção de Dados Pessoais, LGPD”) and Thailand (“Personal Data Protection Act”) saw major advancements in the area of data protection by the introduction of their data protection bills and acts.
The EU was amongst the first nations to completely introduce a holistic framework for itself and its member states, by the introduction of the “General Data Protection Regulation (GDPR)”. It was introduced after extensive rounds of consultations, to replace the Data Protection Directive 95/26/EC prevalent in the union till the spring of 2018. GDPR provided a massive and the strictest framework for the protection of personal data in all its forms. It provided for the levy of fines and penalties for the non-compliance across the nation. As discussed earlier, globalisation has bought the world closer and provided for various opportunities for trade and business across countries. It is thus possible that the access to personal data collected, may not be limited to just one territory or in the territory it was collected. “GDPR is thus applicable to all its member states and any company that markets its goods or services to EU regardless of its location making it globally applicable.”GDPR has the framework to set a global standard for compliance laws regarding data protection. It has raised the global standard for legislation, ensuring that the framework is adaptable to a fast-paced globalised world.
Along with the landmark judgement of Justice K.S Puttaswami & another Vs. Union of India, the Aadhaar Scheme sparked the debate of Privacy in India where in the Supreme court recognised the Right to Informational Privacy. The government and companies have commonly invaded the data of consumers but the Aadhaar made a mandatory stipulation to share personal information and biometrics to the government for their welfare schemes. “Following which a bunch of petitions were filed in the court, alleging the Aadhaar enrollment scheme was an invitation of leak of personal data.” Even though the Aadhar scheme was a voluntary creation, it quickly involved itself in the daily lives of the residents and became an official document of identity.
India has yet not enacted a specific legislation to personal data. The only laws covering the enforceability of the Right to Privacy is under the Information Technology Act 2000 and the Rules provided there under. “India has also constituted a committee to propose a draft for a new legislation on data protection following which the government introduced the Personal Data protection Bill (2019) which was expected to be introduced in the year of 2020.”  The bill introduced the possibility of a “Data Protection Authority of India” which would be responsible for ensuring the protection of personal data. While the bill does not provide a bullet proof framework, it does provide an outline that would be followed for the cross boarder transmission of data and an idea on the legality of compliances that would come to be followed. It categories the a framework for “Sensitive Personal Data” such as sexual identity, health records, passwords and biometric information. “Even with these protections, however, the right of the government reserves the right to share information internally and the ability of private corporations to access that information and use it to connect individual users to the data that those companies may have already collected, operates without a statutory framework for the protection of personal data.”
The bill has yet to come into force and restructure as per the growing concerns of security in the digital age by India is on the path for filling the gap and provide a legislation for the protection of personal data and thus privacy.
Some of the largest social media companies in the world, including Facebook, are based in the United States, where there is no federal data privacy regulation. Individual states have their own data privacy statutes, and there are certain types of data for which the federal government does require protection (e.g., healthcare data, financial data, children’s data, student data, and consumer information). A much awaited and responsive law prevalent in the US is the California Consumer Privacy Act (CCPA) which went into force in the year of 2018. The regime of the law covers the residents of California and “such companies that have personal data of at least 50,000 people or that collect more than half of their revenues from the sale of personal data.” CCPA is considered to be the path of development for privacy laws in the country as significant as that of US. A major difference of CCPA is that it does not need there to be a legal basis for the collection of personal data. “Moreover, the CCPA focuses on transparency obligations and on provisions that limit selling of personal information, requiring a “Do Not Sell My Personal Information” link to be included by businesses on their homepage.”
In the year of 2020, CCPA underwent significant changes inspired by the GDPR regime. The state also introduced a framework for a new law called “California Privacy Rights Act (CPRA)” to go into effect in the year of 2023. It reserves a major category and legislation for “Sensitive personal data” and is said to revolutionise the structure of privacy laws across the globe.
China, in the month of October of 2020 unveiled its personal data protection law for the public. The legislation would apply to residents of China, irrespective of their identity and on the entities which regulate personal data for the purpose of provision of products and/or services to the public or for analysing or assessing the behavior of the public in China and other prescribed circumstances.
As the hub of the largest consumer goods and companies, the introduction of privacy laws by China was welcomed all around the world to hold accountability for threats, hacks, and data leak. Overall, the trend in China has been a domestic focus on improving and preserving native internet use rather than following other globalised trends. While the law is not stringent on its imposition of fines, it is a considerable change in the legislation considering the population and the thus the availability of personal data, especially in a pandemic.
The legislation provides for mandatory security scrutiny of the key information infrastructure operators and entities that handle a substantial amount of personal information. “If overseas organisations or individuals are found to have damaged Chinese citizens’ rights to private data or involved in personal data activities that harm national security and public interests, they will be put into a blacklist by the Cyberspace Administration of China.”
Cross Border Data Transfer in a Global Economy
Globalisation cannot be achieved without the presence of communication between territories. Digital Globalisation entails the constant transfer of data in one form or another between countries. Absence of enabling provisions for data export through a privacy shield mechanism that facilitates compliance for cross-border data transfer can create roadblocks for data export. In order to recognise the inevitable need to ensure cross border communication, GDPR was introduced to cover this growing gap in the global world. Under the GDPR legislation there has been provided the need and procedure for the transfer of such data to third countries or International Organisations. While GDPR applies to the EU and its member states, it provides for exceptions for situations by ensuring compliance even from such organisations receptive of personal data outside the EU.
Even if GDPR is one of the most influential and strongest frameworks which creates a benchmark for legislations all over the world, it is not yet applied globally, in every aspect. As discussed earlier every country recognises a different need for the legislation around data protection which results in no uniformity and mazes of compliance for an organisation that may have its operations around the world. Cross-border data flows are crucial for companies’ everyday operations. Such movement of data makes operations much more efficient and possess the ability to control the fate of the company. Globally functional organisations may need to document their data in one place. Since cross border transfer of data is inevitable, different legislations in different countries may result in a barrier to trade and opportunities at the same time increasing compliance costs. Different legislations will never be able to facilitate a smooth transfer of data.
“Cross-border data flows have also been a driving force behind the emergence of so-called global value chains (GVCs) in which businesses’ operations are fragmented across borders to increase efficiency, lower costs, and speed up production.” And such cross-border information flowing digitally in every transaction, it is the need of the hour for data protection to be in a global framework, now more than ever, to suffice the confidence of the public in their government and the companies they interact with and which may have access to such data. Laws need to be strengthened and modified according to the growing globalisation to ensure that privacy is accounted for.
Adoption of Data Privacy as a Corporate Social Responsibility
The education around the topic of privacy is growing tremendously. Companies that are given access to our personal data are now made to share a framework on their privacy policies. Adopting a sound data management system provides the company with a competitive advantage and consumer reliance in a competitive market. With the growing need to protect privacy, in the times of global communication, a company has benefits along with a responsibility to adopt and comply with a framework to protect, store and manage personal data, responsibly. With the growing levels of globalisation and conversations taking place, companies have adopted privacy policies, and have changed them over time to reflect their commitment to the protection of personal data. For example, in 2004 Facebook gained popularity because of its data privacy credentials, with a privacy statement fitting on a single page – today it is significantly longer. Recently with the launch of the I-phone 12 by Apple, “they launched a campaign stressing the importance of privacy in a digital world and their commitment towards the same.” A company in a global operation today deals with multiples volumes of personal data ranging from employee data to the personal data of the consumer. They cannot afford to mishandle and leak such data, or they risk public boycott.
Even with companies now starting to recognise the need for privacy, countries need to adapt the activity of protection of personal data as a viable Corporate Social Responsibility.This will not only provide benefits to the company but also will instigate a value in their system for protecting personal data by the framework of the law. This would make a global compliance easier and make companies more receptive to a global framework for the protection of personal data.
Conclusion-A Global Framework is the need of the hour
Even with the introduction of privacy laws across the globe, we are far from keeping up with the pace of the trend of Globalisation. Data and information sharing are being shared at a fast pace and on a large scale. Thus there is an extensive rift in the growing global economy which can lead to massive downfalls of major companies if they do not employ an appropriate and tailor-made framework that suits their organisation depending on the volumes of personal data that the company deals with.
To regulate such an arena, regulators need to factor in attributes to make such a framework as efficient and effective as possible which can be applied globally. There is a need for a global framework to be introduced to facilitate accountability for misuse of data across the world. To achieve the stage of enabling a global framework, countries need to instigate the corporations to follow the process of protection of personal data by the recognition of the importance of such implantation for easy adaption of a global framework. Such a framework on a global scale would ensure homogeneity in policies and uniformity in compliance for keeping privacy intact. The framework would need to be flexible, capable of identifying the key risk factors which the policies should regulate, provide security while governing data and their identities. A global framework should be adaptable to all countries, thus reducing compliance confusions.
Such global framework can be adopted through a combination of all of the various legislations which are being introduced by countries all around the world. A global framework in the form of a convention applicable as an international law will not only evade the issues prevalent through out the world but can also educate about such adoption to the countries which do not have any such regulation in place. Adoption of such regulations from the basis of legislations such as GDPR and other privacy laws will lend a very strong foundation to the structure of such implementation for around the globe compliances made easier.
 Nicholas Confessore, “Cambridge Analytica and Facebook: The Scandal and the Fallout So Far”, The New York Times (2018)<https://www.nytimes.com/2018/04/04/us/politics/cambridge-analytica-scandal-fallout.html> accessed 23 November 2020.
 Sebastian Reiche, ‘Digital Globalization: The New Era and its Implications’ (IESE Business School, 17 March 2016) <https://blog.iese.edu/expatriatus/2016/03/17/digital-globalization-the-new-era-and-its-implications/> assessed 20November 2020.
 James Manyika and others, ‘Digital globalization: The new era of global flows’ (McKinsey Global Institute, 24 February 2016) <https://www.mckinsey.com/business-functions/mckinsey-digital/our-insights/digital-globalization-the-new-era-of-global-flows#>accessed 21 November 2020.
Monit Khanna, ‘Zoom Data Breach: Over 5 Lakh Zoom Login Data Being Sold On Dark Web For Less Than Rupee’ India Times (4 May 2020) <https://www.indiatimes.com/technology/news/zoom-data-breach-over-5-lakh-zoom-user-login-data-is-being-sold-on-dark-web-512407.html#:~:text=Zoom%20was%20soon%20made%20aware,implementing%20additional%20technology%20solutions%20to> accessed 22 November 2020.
Pence is a UK currency which converts to 1 GBX= 0.99 Rupee.
David Reinsel and others, ‘The Digitization of the World From Edge to Core” (International Data Cooperation, 2018) <https://resources.moredirect.com/white-papers/idc-report-the-digitization-of-the-world-from-edge-to-core> accessed 25 November 2020.
 Article 4 of General Data Protection Regulations, 2018. <https://gdpr-info.eu/issues/personal-data/#:~:text=GDPR%20Personal%20Data&text=The%20term%20is%20defined%20in,identified%20or%20identifiable%20natural%20person.&text=For%20example%2C%20the%20telephone%2C%20credit,address%20are%20all%20personal%20data> accessed 20 November 2020.
 ‘What is Personal Information Under Privacy Laws’(TermsFeed, 15 August 2020) < https://www.termsfeed.com/blog/personal-information-privacy-laws/> accessed 26 November 2020. The definition under GDPR is not exhaustive. Various other laws define personal information in different ways.
Misuse of data often occurs when data is used in a different aspect than it was initially collected for. “Purposeful Limitation” is required to be added in governance to ensure that data is only used for the purpose for which it was intended and nothing else to avoid misuse and mishandling of data.
Privacy International, ‘A Guide for Policy Engagement on Data Protection- The keys to Data Protection’ (August 2018) 18 <https://privacyinternational.org/sites/default/files/2018-09/Data%20Protection%20COMPLETE.pdf> accessed 25 November 2020.
 Bill C-11,An Act to enact the Consumer Privacy Protection Act and the Personal Information and Data Protection Tribunal Act and to make consequential and related amendments to other Acts, 2d Sess, 43rd Parl, 2020 <https://parl.ca/DocumentViewer/en/43-2/bill/C-11/first-reading> accessed 20 November 2020.
 Gil Zhang and Kate Yin, ‘A look at China’s draft of Personal Data Protection Bill’ (IAPP, 26 October 2020) <https://iapp.org/news/a/a-look-at-chinas-draft-of-personal-data-protection-law/#:~:text=China%20unveiled%20its%20draft%20of,21%2C%202020.&text=The%20draft%20PDPL%20also%20specifically,retention%2C%20data%20accuracy%20and%20accountability> accessed 20 November 2020.
 The Personal Data Protection Bill, 2019 <http://22.214.171.124/BillsTexts/LSBillTexts/Asintroduced/373_2019_LS_Eng.pdf> accessed 20 November 2020.
 California Consumer Privacy Act of 2018 <http://leginfo.legislature.ca.gov/faces/codes_displayText.xhtml?division=3.&part=4.&lawCode=CIV&title=1.81.5> accessed 20 November 2020.
 Hunton Andrews Kurth LLP, ‘BREAKING: Brazilian Data Protection Law in Effect’ (Privacy & Information Security Law Blog, 18 September 2020) <https://www.huntonprivacyblog.com/2020/09/18/breaking-brazilian-data-protection-law-in-effect/> accessed 20 November 2020.
 Personal Data Protection Act BE 2562 (2019) <https://thainetizen.org/wp-content/uploads/2019/11/thailand-personal-data-protection-act-2019-en.pdf> accessed 20 November 2020.
 Juliana De Groot, ‘What is the General Data Protection Regulation? Understanding & Complying with GDPR Requirements in 2019’ (Data Insider Digital Guardian’s Blog, 30 September 2020) <https://digitalguardian.com/blog/what-gdpr-general-data-protection-regulation-understanding-and-complying-gdpr-data-protection> Accessed 22 November 2020.
 Krishnadas Rajagopal, ‘The lowdown on the right to privacy’ The Hindu (29 July 2017) <https://www.thehindu.com/news/national/the-lowdown-on-the-right-to-privacy/article19386366.ece> Accessed 20th November 2020.
 Talwar Thakore & Associates, ‘Data Protected – India’ (Linklaters, March 2020) <https://www.linklaters.com/en/insights/data-protected/data-protected—india> accessed 22 November 2020.
 John Butz, ‘Data security in a Global Economy’ (2020) 17 (2) Northwestern Journal of Technology and Intellectual Property 3 <https://scholarlycommons.law.northwestern.edu/cgi/viewcontent.cgi?article=1332&context=njtip> Accessed 22 November 2020.
 Maria Korolov, ‘California Consumer Privacy Act (CCPA): What you need to know to be compliant’ (CSO India, 7 July 2020) <https://www.csoonline.com/article/3292578/california-consumer-privacy-act-what-you-need-to-know-to-be-compliant.html> Accessed 22 November 2020.
 ‘Comparing privacy laws: GDPR v. CCPA’ Data Guidance, 5 <https://fpf.org/wp-content/uploads/2018/11/GDPR_CCPA_Comparison-Guide.pdf> accessed 23 November 2020.
Gil Zhang and Kate Yin, ‘A look at China’s draft of Personal Data Protection Bill’ (See n 13).
 Cao Siqi and Chen Qingqing Source, ‘China unveils first law on personal data protection’ Global Times (13 October 2020) <https://www.globaltimes.cn/content/1203363.shtml> accessed 22 November 2020.
Arya Tripathy, ‘Cross-Border Data Transfer – India’s Attempt At Data Localization’(PSA Legal Counsellors, 17 February 2020) <https://www.psalegal.com/cross-border-data-transfer-indias-attempt-at-data-localization/> accessed 20 November 2020.
Lydia F de la Torre, ‘What are the requirements for ‘cross-border data transfers’ under EU Data Protection Law?’ (Golden Data, 15 March 2019) <https://medium.com/golden-data/what-are-the-requirements-for-cross-border-data-transfers-under-eu-data-protection-law-e59bfce908f0> accessed 23 November 2020.
Magnus Rentzhog and others, ‘No Transfer, No Trade: The Importance of Cross Boarder Data Transfers for Companies based in Sweden’ (National Board of Trade, 2014) 1st edn, 11 <https://unctad.org/system/files/non-official-document/dtl_ict4d2016c01_Kommerskollegium_en.pdf> accessed 23 November 2020.
 ‘Data privacy and the link to corporate social responsibility’ (ICASS, 12 February 2020) < https://myicaas.com/business/data-privacy-and-the-link-to-corporate-social-responsibility/> accessed 24 November 2020.
Ashley Bill, ‘Corporate Social Responsibility and Data Privacy – the future?’ (IM&G Blog, 25 June 2020) <https://community.microfocus.com/t5/Information-Management-and/Corporate-Social-Responsibility-and-Data-Privacy-the-future/ba-p/2807982> accessed 23 November 2020.
Andrew Griffin, ‘Apple launches new privacy campaign amid iPhone 12 launch and tensions with Facebook’ The Independent (3 September 2020) <https://www.independent.co.uk/life-style/gadgets-and-tech/news/apple-iphone-12-release-date-privacy-ad-facebook-security-campaign-a9703246.html> accessed 23 November 2020.
Emily Tan, ‘Seven out of 10 customers would boycott a brand that mishandled their data’ (PR Weekly, 9 February 2018) <https://www.prweek.com/article/1456805/seven-10-customers-boycott-brand-mishandled-data> accessed 26 November 2020.
 Micro Focus, ‘A Global Framework for Privacy Protection and Value Creation’ (August 2019) <https://www.microfocus.com/media/flash-point-paper/a-global-framework-for-privacy-protection-and-value-creation-fpp.pdf> Accessed 23 November 2020.
About the Author
Ayushi Modi is pursuing LLM in Corporate from O. P. Jindal Global University. She is also an in-house researcher with The Digital Future – Privacy Team.