Much remains to be done in privacy to achieve a safer and more secure digital environment that builds trust. 76% of users find it difficult to know what happens to their data and how it is used. This figure is strikingly high considering the advances in data protection and privacy that have been made in recent years. This shows us that data protection in a hyper-connected world cannot be guaranteed by national or regional regulations alone. The solution for moving towards a framework that guarantees the effective protection of people’s privacy in the digital world lies in convergence, i.e. in the harmonization of principles and rights between jurisdictions in different latitudes.
Data protection regulatory frameworks proliferate
Proposals to establish regulatory frameworks that guarantee user privacy in the digital environment have multiplied exponentially. The year 2018 marked a turning point with the entry into force of the General Data Protection Regulation (GDPR) in the European Union and with the export of this model to other jurisdictions around the planet. Not for nothing was this norm baptized as “the gold standard” that served as inspiration in countries such as Brazil or Chile. California also approved in 2018 the Consumer Privacy Act (CCPA) becoming one of the most comprehensive regulations in this area in the United States. These regulatory developments in different continents have improved the levels of digital trust and, in general, users view laws aimed at protecting privacy very positively.
A horizontal, flexible, and technologically neutral regulatory framework
However, the development of cutting-edge technologies, such as Artificial Intelligence or the Internet of Things, which are powered by data in order to function, is challenging the effectiveness of the rules adopted so far. So is their ability to make the territorial borders of States liquid and, with them, the door is opening to an increasing exchange of data between countries, by citizens, companies and government entities. All data is now transported, traded and subject to regulation.
Regulatory frameworks related to advanced technologies and data governance must have common foundations to generate regulatory coherence and simplification, while promoting innovation and privacy protection. The proliferation of ad hoc proposals generates a regulatory jigsaw puzzle where multiple, sometimes contradictory, regulations overlap and make compliance extremely difficult. For this reason, regulation must be horizontal, technologically neutral, capable of evolving in line with technological developments and with a risk-based approach. This will make it possible to precisely avoid this proliferation of sector-specific laws where different obligations apply, as is the case with the GDPR and ePrivacy in the European Union. The principle that should prevail is “same services, same rules, same rights, same protection”.
Regulations must be flexible to promote privacy and innovation in a perfect balance between the two. This is very important at a time when Europe wants to lead the way in creating a European model for the exchange and re-use of personal and non-personal data across sectors. As far as personal data is concerned, the future Data Act will not succeed and a healthy and sustainable data economy will not be created if companies remain subject to rigid and obsolete privacy rules, such as the ePrivacy Directive, which penalizes players in the electronic communications sector vis-à-vis large technology platforms.
Collaboration and convergence: a global issue
Openness to collaboration and the broadening of jurisdictional horizons are essential to achieve a more homogeneous privacy and data protection framework. We cannot forget that the right to privacy is an internationally recognized human right and must therefore be guaranteed worldwide. If data know no borders, the convergence of the regulatory frameworks governing them must also include this global aspiration.
This issue is particularly relevant to ensure a cross-border flow of data that sustains and promotes digital commerce, with the guarantee of compliance with privacy regulations while respecting the rights of users. In this direction, most of the national constitutions of Latin American countries have explicitly enshrined privacy as a fundamental right, however, there is still a long way to go to fully adapt the respective national legislations.
Therefore, it is important for the European Commission to update, based on the GDPR and the jurisdiction of the Court of Justice of the European Union, the small number of Adequacy Decisions that recognize an adequate level of protection in certain countries (e.g. Argentina, Uruguay, Canada…). In addition, the Commission needs to focus on developing further adequacy decisions in countries that in recent years have endowed themselves with new data protection laws and institutional structures (independent National Data Protection Agencies) to ensure that these countries also guarantee an adequate level of protection. Latin America and Africa are geographical areas that the Commission should explore with attention, considering their dynamism in data protection in recent years.
The development of interoperable regulatory frameworks across jurisdictions is essential to ensure the development of a globalized digital world.
Atlantic submarine cables currently carry 55% more data than transpacific routes, much of it personal. Considering the remarkable size of the data flow between the United States and the European Union, the two regions must also cooperate to ensure that data transfer respects democratic values and principles. The U.S.-EU Trade and Technology Council (TTC) includes a specific group on data governance, although discussion of data protection has been avoided. Instead, in the margins of the official talks, this issue is being addressed as it is of vital importance to protect the privacy of individuals and bring regulatory certainty in the cross-border flow of data.
2022 may be a watershed year to move towards a convergence of policy and regulatory frameworks. We have before us an opportunity that we cannot afford to miss. The renewed momentum for international cooperation and the opening of spaces for reflection and collaboration represent a unique opportunity to look to the future and include effective privacy and data protection in the debate and in action. A data flow model that guarantees privacy and data protection and is innovative in the economic sphere is key to reaping the benefits of the digital ecosystem and mitigating potential risks.
Telefónica’s commitment
The duty of States is to protect, and the duty of companies is to respect and promote privacy, following the guiding principles of Human Rights and the United Nations. Telefónica consolidates this commitment in the Global Privacy Policy and in the Human Rights Policy, extending it to all the countries where it operates.
For the second consecutive year, the company continues to be the world’s leading telecommunications operator in Ranking Digital Rights, an index that evaluates the transparency and commitment of technology and communications companies in terms of governance, privacy and freedom of expression.
In addition, since 2020, we have developed Privacy and Security Centers (Transparency Centers) in all the countries in which we offer services. In this way, we have established a channel for information, consultation, rights management, and privacy preferences in a simple, digital and accessible way for our customers and any other stakeholders. The Centers mark a milestone in a more transparent and trustworthy relationship between users and companies. An example of the latter is the Transparency Center in Spain, which makes available to customers access to the data they generate during the use of our products and services.
These ideas must converge to achieve a more uniform, coherent, and standardized privacy and data protection framework. We need the commitment and collaboration of the entire privacy community, from private operators, the public sector, civil society, policy makers and supervisors. In this way, it will be possible to face the technological and business complexity we are facing, providing certainty and viable, agile and flexible solutions that can adapt to these dynamics, always bearing in mind the guarantee and protection of this fundamental right to data protection.