Which Countries are Smart About Privacy in Tech?

The smart money is on the prediction that the more sophisticated regulatory frameworks around the world will tend to balance technology growth and privacy protection if they are to retain their political legitimacy in an environment where consumer rights and economic competitiveness have attained nearly equal status in policy debates around the world.

Skilled regulators have already begun to justify new reforms on the basis of privacy measures stimulating considerable technology progress.

Consequently, the growing concerns of consumers about the abuse of their personal data and the misuse of targeting algorithms to interfere with their decision-making autonomy are spurring some of the most fascinating work in the platform architecture design space today. A broad range of blockchain applications, for instance, is now anchored to the premise of facilitating greater user control over their own data, and provisioning of this data to service providers based solely on the wishes of the data owners.

Savvy governments have recognised this development and have begun developing regulatory frameworks that focus on rewarding creative privacy management rather than stymieing novel business models and technologies on the basis of misguided precautionary principles. Others are just starting to align with the times.

Consider, for instance, Costa Rica’s Executive Decree # JP-40008. Enacted in December 2016 to amend extant provisions on privacy, the subsidiary legislation considerably transformed what had, in the beginning, been a wholesale “precautionary approach” regime into an innovation-compatible system of rules specifically designed to facilitate investment, business, and technology development in the data-rich arts and sciences. How exactly does decree JP-40008 achieve these goals?

Firstly, it retires the provision in Executive Decree # 37544-JP, an annex to primary Law # 8968, which had introduced a highly restrictive requirement for the “registration” of databases, registers, and other data repositories with the main data ombudsman in the country, the PRODHAB. Instead, it calls for the vetting of the security protocols employed to safeguard such data repositories against malicious breaches or inadvertent disclosures of personal data.

Furthermore, regulated financial institutions in the Central American country are exempt from the requirement of database registration with PRODHAB. The dynamics of inter-party certification in the financial industry, whereby such security and privacy certification is very often a prerequisite for interoperability (PCI DSS being an obvious example), already deliver a higher standard of personal data protection in a more efficient and decentralised manner than can be achieved by most purely government-managed regimes.

The amendments also take into account the reality of cross-border data movements within federated entities by focusing on systematic compliance and downplaying overplayed concerns around jurisdictional fragmentation. The mere act of data crossing a border does not necessarily invoke jurisdictional issues if the technology platform observes uniform standards that may be higher than domestic requirements. The ability to investigate claims of abuse in electronic systems is rarely hindered, in practice, by such jurisdictional fragmentation, yet policymaking on “data sovereignty” and “data domiciliary” considerations frequently operates on unscientific notions that suggest that physical borders are determinate.

Costa Rica’s focus on ensuring that the country’s Data Protection Law evolves to reflect the growing appreciation of its technocrats for “embedded regulation” vindicates the hope that fast-paced technology progress can be aligned with pro-privacy regulatory regimes.

Embedded regulations seek to strengthen industry standards and promote cross-network accountability among industry actors in a relatively more decentralised fashion. Thus, whereas in the previous regime, “written individual consent” was required, the amendments now enable the use of digital assent, bringing the process more closely in line with the fast-growing trend of “e-signature management as a service”. The pace of innovation in the e-signature management space is such that the cost of complying with “individual consent” shall continue to drop dramatically without sacrificing the quality of compliance.

The experience of Singapore is also instructive in clarifying this “embedment” notion of weaving of regulations into the fabric of a country’s technology enterprise culture.

In Singapore, the Personal Data Protection Commission (PDPC) sees itself as a “capacity building” institution mandated to bear a significant portion of the costs and capacity burden of transitioning business, particularly small and upstart businesses, from complacency and ineptitude to readiness and vigilance. PDPC strives to transform enterprises of varying levels of sophistication into data-savvy operators equipped with the latest tools for complying with the law, whilst contributing at the same time to the tiny entrepot’s declared vision of becoming the world’s “data hub”.

Singapore’s government has invested in a significant range of compliance tools for seamless compliance tracking and reporting so that small businesses seeking to create disruptive technologies would not be distracted from that state-sanctioned mission.

This does not mean, however, as it might seem at first, that consumer needs and rights have been deprioritised. On the contrary, the country is convinced that improved privacy protection is a technical-investment public good that must be addressed as a baseline for its technology industry to leverage for leadership.

The government of Singapore, in the context of dynamic privacy protection, refers to the “embedded regulations” notion used above as “data protection by design”. This language has become popular in recent years within stringent regimes, but the assumption in such regimes has usually been that businesses are responsible for rebuilding critical infrastructure in order to comply. The Singaporean government, on the other hand, takes the view that this is best achieved through the cultivation of an “ecosystem of trust”, and that the key role of the public sector is not primarily that of a police service enforcing aloof laws on a suspicious crowd of businesses, but that of an investor safeguarding a key resource: trust.

The Singaporean government’s posture on this matter is summed up in this quote from the country’s data ombudsman:

“The key challenge lies in enabling the use and disclosure of data to support the progress of technology and innovation, whilst protecting personally identifiable information, to allay privacy concerns.”[1]

By highlighting the considerable reputational and business-disruption challenges that businesses confront when data is mishandled, Singapore’s privacy regulators have succeeded in driving consensus on a baseline of “data hygiene and ethics” that fosters collective action. Such action, when backed by public investments, contributes to advancing the state’s preferred motif of an “ecosystem of trust” beyond rhetoric into substantive interventions in critical data governance areas such as dispute resolution, advance notification of disclosure, profile reviews, and aggregation.

Whilst many countries focus on writing laws that merely heighten the risk barriers for legitimate enterprises but do nothing in facilitating the identification and penalisation of rogue operators, Singapore prefers a broad principles-based regime coupled with an active, co-investing, regulator that is respected by consumers for operating a transparent and highly communicative process, and trusted by businesses for a pro-innovation mindset that welcomes joint exploration of how to advance risk-fraught emerging disciplines such as big data, supervised machine learning on live diagnostic data, and behaviour profiling.

It is too early to conclusively judge whether or not role modelling in the international community will be sophisticated enough for the experiences of the likes of Singapore and, even, Costa Rica to become yardsticks of emulation. But with the heating up of competition in the machine learning space, it is very likely that international data treaties among like-minded countries shall in due course begin to drive the formation of “smart country leagues” akin to “free trade areas”. Data treaties should, in places like East Africa, prevent unnecessary replication of infrastructure whilst at the same time addressing concerns about “sovereign” data control. Should this happen, the world is likely to witness some short-term schism in the trajectory of data innovation, a veritable new digital divide between countries in pro-innovation “data leagues”, and those locked out due to incompatible privacy and data protection regimes.

In the long term, however, the sense that only the rapid advancement of above-board technology, developed in the open, can safeguard consumers and citizens from powerful, malicious actors who do not give a toss about privacy is likely to prompt an overall race to the top.

[1] Leong Keng Thai, quoted on the website of the Info-communications Media Development Authority in an article titled “Balancing Innovation & Personal Data Protection”, posted on 3 November 2017.
