The data age and the need for more global legal frameworks

The digital age is an age of digital data . Cross-border data flows are increasingly penetrating and transforming all areas of societies worldwide. The potential of this transformation is immense. At the same time, however, the new data-centric age also entails risks. These risks are often related to a problematic handling of digital data or even its misuse. If the enormous potential is to be exploited and the risks minimized, an adequate legal framework - especially at the international level - is needed, which ensures a human-centered handling of digital data. This includes the collection, storage, transport and processing of digital data.

Why is a global framework for the protection of personal data desirable?

To establish such a framework, a focus on developing a global framework for the protection of personal data is reasonable for several reasons. Due to the massive increase of networked systems and new ways of processing very large amounts of data, personal data in the digital age is exposed to far greater risks than ever before. This not only involves significant risks for the protection of privacy and other human rights. Many of today's urgent challenges of the digital age are also closely related to a problematic handling of personal data. These challenges include political disinformation campaigns, state mass surveillance or the dominant market position of digital platforms and their handling of user data. A global regime for the protection of personal data not only addresses risks. It also holds the potential to strengthen trustworthy digital innovations, generate economic growth and reduce the legal fragmentation of the digital space.
​​​​​

A window of opportunity for a global data protection regime

Furthermore, the European General Data Protection Regulation (GDPR) has opened a window of opportunity for a global data protection framework in the digital age. In the course of our session, all experts emphasized that data protection is not only the subject of intense and lively debates in Asia, Latin America and the USA. In many countries, either legal frameworks similar to the GDPR have been created since 2018 (e.g. Brazil) or existing legal frameworks have been at least adapted in the light of the GDPR (e.g. Japan, India, South Korea). Despite a varying pace, a beginning process of legal harmonization of data protection frameworks can be observed worldwide in response to the GDPR. Even in the USA, almost 20 federal states are currently working on new data protection regulations and the state of California - the home of the globally dominant tech companies - has only recently implemented a data protection law that is very similar to the GDPR. Natalie Pang pointed out that a "GDPR effect" could even be observed in China.
 

Challenges for a global data protection regime

Although the current situation seems to be promising, the discussion also revealed challenges for a global data protection regime. For example, there are now more than 140 legal frameworks for the protection of personal data as well as a large number of guidelines from international organizations. However, these frameworks have varying levels of protection, different sanction mechanisms and focus on different priorities in the field of data protection (data localization, trust, data security, innovation). Even though data protection is increasingly becoming a global concern thanks to the GDPR, the specific implementation of data protection at national/regional level could not be separated from its distinct political-social cultural context.

This results not only in a tension that a global framework for the protection of personal data has to address. It also raises the question of which international institutions can integrate divergent perspectives as well as the expertise of different stakeholder groups. Beyond that, institutions or forums in which such a norm-setting process is discussed must be capable of developing a global framework in a timely and impactful manner. In this context, Axel Voss introduced the idea that global data protection could be debated more intensively in the G7 and G20 in a first step. In the course of debates in these forums, however, it is important to integrate also the expertise and networks of multi-stakeholder forums - such as the IGF. Within the G7 and the G20, Europe can promote a norm-setting process as a normative power in the digital age and bring its experience and expertise from two years of GDPR to bear.

These experiences include the insight that a legal framework can only be as effective as the institutions that monitor compliance with it and enforce it through sanctions. Consequently, there is a need not only for a debate about a legal framework, but also for its institutional implementation. In the light of these tasks and challenges, one final conclusion needs to be stressed: A global framework for the protection of personal data is important, but will require a strong and broad-based political will.