This is the fourth and final piece in our series focused on nationalism and its threat to digital identity. If you missed it, read the first three parts (1,2,3), now for the full story.
This series was initiated after the E.U. announced it had revoked the Privacy Shield, a transatlantic agreement that enabled the legal transfer of data between itself and the United States (U.S.). Since that ruling, we have also seen the Swiss Data Protection Authority conclude the EU-U.S. Swiss Privacy Shield was no longer a valid method of transferring personal data between the two countries.
This news, and subsequent follow-up, sparked our OWI team to take a step and ask ourselves if there was a broader trend around the rise of nationalism, both political and economical, and its role in disrupting international data sharing agreements. For digital identity enthusiasts like ourselves, we acknowledge that international cooperation and data sharing are essential pillars in furthering inclusive digital identity infrastructures and preventing bad actors from causing undue harm.
This series intends to capture what the roles and positions of the major economies — the E.U., China, and the U.S. — are in the data economy, and illustrate why the current trend towards centralization is counterintuitive to more effective digital identity strategies. In this finale, we will look at how the U.S.’s inability to lead the international community towards a unilateral digital economy infrastructure — by prioritizing companies’ free will over individual rights over its people — indirectly stifles the possibility for interoperable and secure digital identities.
This retrenchment from the national community has forced countries to implement new mandates or remove existing agreements targeted at U.S. technology companies operating abroad. We believe the rise of nationalistic policies is hurting cooperative approaches to interoperable and inclusive digital identity frameworks. To that end, we will conclude with alternative methods forward and offer some examples of companies pursuing digital identity systems that do not necessitate centralized authorities.
The Influence of CCPA
At the time of writing, October 1st, 2020, the U.S. does not have a central federal level privacy law. Data privacy is instead under the purview of several industry-specific laws (e.g., HIPAA, U.S. Privacy Act, Children’s Online Privacy Protection Act (COPPA), etc.) and championed by several privacy-forward states, most notably California with the California Consumer Data Privacy Act (CCPA), in addition to Maine and Nevada.
California’s economic size, political influence, and role as the de facto technology hub of the U.S. have made CCPA a global conversation topic. And it serves as the closest example of what we could expect a federal mandate to reflect. CCPA’s scope and territorial reach are more limited than the GDPR. Additionally, the extent of the Act is restricted to two main categories.
The first applies to for-profit businesses operating in California. A business must collect California citizens’ data and determine the purpose and means of their personal data, meaning that they slice and dice it for commercial purposes. Additionally, the law has specific qualifications for these businesses. They must:
- Have at least $25 million in annual gross revenue
- Buy/sell or received the personal information of at least 50,000 California consumers, households or devices annually
- 50 percent of your annual revenue comes from selling California consumers’ personal data
This data privacy law continues to be contested by several big tech companies in the United States, contending that they are selling access to data instead of selling data.
The second category encompasses entities that control or are controlled by an entity that meets the first set of criteria or shares common branding with the parent entity. This makes the CCPA targeted as companies are in the personal data business.
Users as End-Products
The lack of a federally-administered data privacy law or of any unified governance over the private-sector’s collection and use of personal data has allowed companies to act at their discretion. This freedom to optimize the user’s experience while maintaining a free business model has made the user the end-product. However, these same business practices are not being received well in countries abroad, creating mounting geopolitical tensions that manifest themselves in events such as the revoking of the Privacy Shield.
Countries abroad recognize that their citizens’ personal privacy is being infringed upon for a foreign entity’s monetary benefit. Moreover, countries have legislation maintaining that personal data privacy is an individual human right (e.g., GDPR), and U.S. companies are not abiding by that principle. It would be the equivalent of parents not teaching their children any concept of right and wrong, and during a playdate, the friend’s parents having to ask the poorly-acting child to leave their home before they can learn not to smash their face with spaghetti.
The U.S. should acknowledge its failure to implement legislation that prioritizes individuals’ rights over company profits; doing so would promote free trade in the digital economy. It is important to note that data privacy issues are not the only issue eroding global cooperation. Not only is the U.S. ineffectively governing private sector companies, but it is also actively reducing the number of formal partnership agreements with allies and trade partners. Over the last several years, the United States has pulled away from several high-profile international agreements, including but not limited to the Paris Accords, JCPOA, Open Skies agreement, the U.N. Human Rights Council, and the Trans-Pacific Partnership. The reluctance for furthering international partnerships is forcing other countries to implement legislation, particularly around data privacy, that keeps U.S. companies accountable.
Moreover, the retrenchment from global cooperation around technology and data interoperability is closing the window on a possible future where governments successfully coordinate a standardized approach to digital identity.
The Path Forward
There are 1.1 billion people in the world without access to a digital identity – and even more people lack a mechanism to transfer or port their digital footprint with themselves outside of their native country. This lack of basic identification and interoperability systems perpetuate ongoing barriers for individuals to access goods and services. Digital identity experts, such as the UNDP, argue that the key to solving these issues is ongoing international cooperation and dedicating resources to establish standards for individuals to receive a universally recognized digital identifier. In addition to the lack of U.S. federal standards and frameworks, the rise of nationalism reduces the likelihood of these initiatives gaining meaningful traction.
Thankfully, there are potential paths forward. There are members of the digital identity community who are working tirelessly to promote alternative systems. Of the initiatives underway, a decentralized identity is a popular option that does not require participation from authoritative sources to maintain digital identities for individuals (e.g., Sovrin, DIF, SecureKey, W3C). These systems commonly leverage distributed ledger technology to distribute identity data for users to readily access their sovereignty and leisure. And on the government front, there is still hope. We encourage members of the digital identity, big data, technology, and data privacy communities to keep raising awareness of these issues and garner the attention of more government officials worldwide to the consequences being inflicted on billions of people. Global problems can only be solved together.