A Introduction

The history of privacy is deeply intertwined with the history of technology. A wealth of scholarly literature tracks and demonstrates how privacy as a normative concept has evolved in light of new information and communication technologies since the early modern period, when face-to-face interactions were challenged by urbanization and the rise of mass communication.Footnote ¹ In the beginning of the nineteenth century, a combination of societal changes, institutional developments, and technological advancements gave birth to a series of new threats to privacy. At the time, innovative technologies – such as telegraph communications and portable cameras – were among the key drivers (interacting with other factors, such as increased literacy rates) that led to growing concerns about privacy protection. These developments also set the stage for Samuel Warren and Louis Brandeis’s highly influential 1890 article The Right to Privacy,Footnote ² which was written, in large part, in response to the combined negative effects of the rise of the ‘yellow press’ and the adaptation of ‘instantaneous photography’ as privacy-invading practices and technologies.Footnote ³ Similarly, advancements in information and communication technologies in the twentieth century, combined with other developments, such as the rise of the welfare state, challenged existing notions of information privacy and led to renegotiations of the boundaries between the private and public spheres.

Later in the twentieth century, the development, adaptation, and use of innovative technologies that enabled increased collection and use of personal information were also among the key drivers that led to the birth of modern information privacy law in the early 1970s. Starting in the United States and then extending to Europe, the increased use of computers for information processing and storage by government agencies was an important factor that led to the first generation of modern information privacy and data protection laws.Footnote ⁴ Anchored in a set of fair information practices,Footnote ⁵ many of these laws were expanded, adjusted, and supplemented over the following decades in light of evolving technologies and changing institutional practices, which – together with other factors – resulted in an ever-growing cascade of privacy concerns. In the 1990s, for instance, the widespread adoption of Internet technology as a global information and communication medium and the rise of the database industry led to a wave of legislative and regulatory interventions aimed at dealing with emerging privacy problems. More recent and more ambitious information privacy reforms, such as the revision of the influential OECD Privacy Guidelines at the international level,Footnote ⁶ the General Data Protection Regulation (GDPR) in the EU,Footnote ⁷ the proposed Consumer Privacy Bill of Rights Act,Footnote ⁸ or the California Consumer Privacy ActFootnote ⁹ in the United States seek to update existing or introduce new information privacy norms for the digital age – again driven, in part, by new technologies and applications such as cloud computing, big data, and artificial intelligence, among others.

Reflecting across centuries and geographies, one common thread emerges: advancements in information and communication technologies have largely been perceived as threats to privacy and have often led policymakers to seek, and citizens and consumers to demand, additional privacy safeguards in the legal and regulatory arenas. This perspective on technology as a challenge to existing notions of and safeguards for information privacy is also reflective of the mindset of contemporary law and policymaking. Whether considering the implications of big data technologies, sensor networks and the Internet of Things (IoT), facial recognition technology, always-on wearable technologies with voice and video interfaces, virtual and augmented reality, or artificial intelligence (AI), information privacy and data protection challenges have surfaced among the most pressing concerns in recent policy reports and regulatory analyses.Footnote ¹⁰

But over the decades, the development and adoption of new technologies across varying socio-economic contexts has periodically culminated in critical inflection points that offered individuals and society opportunities to re-examine and advance the notion of privacy itself.Footnote ¹¹ Arguably, the current wave of privacy-invasive technologies marks another such inflection point. The scale and pace of society’s digital transformation suggest that what is unfolding are not just gradual technological changes, but rather seismic shifts in the information ecosystem that call for a deeper rethinking of privacy.Footnote ¹² The magnitude of this historical moment is reflected in an array of trends: the rise of data colonialismFootnote ¹³ and surveillance capitalism,Footnote ¹⁴ increased privacy-awareness post Facebook’s Cambridge Analytica scandal,Footnote ¹⁵ AI’s ability to amplify privacy risks,Footnote ¹⁶ and many more.

Some current developments already indicate or suggest shifts and innovations within privacy and data protection regimes in response to the latest changes in the socio-technological environment. For example, basic ideas of how privacy should be defined have already begun to change. At a fundamental level, for instance, some scholars propose to (re-)conceptualize privacy as trust.Footnote ¹⁷ At a more granular level, scholars have argued for a movement away from understanding privacy as attached to the individual towards a notion of group privacy.Footnote ¹⁸ In the context of genomics, for example, this idea is particularly important – the exposure of one individual’s DNA data directly impacts the privacy rights of that individual’s entire extended family. Similarly, privacy risks are no longer generated only by exposure of private data; rather, they can also be triggered by inferences made through analytics.Footnote ¹⁹ Thus, privacy advocates have called for regulation that protects individuals in not only the inputs but also outputs of data processing.Footnote ²⁰

As legal and regulatory frameworks gradually adapt to these and other facets of privacy, data-holding entities also face the challenge of figuring out the precise contours of their responsibilities to the individuals whose data they collect and process. The development of new accountability frameworks, for instance in the context of data-processing algorithms, as well as novel mechanisms to delineate the responsibilities of these entities, such as the idea of information fiduciaries,Footnote ²¹ also signal a potential paradigm shift in the ways information privacy and data protection are approached.

This chapter is interested in one specific cross-cutting dimension of what might be labelled as the rethinking privacy discourse. It asks whether and how the interplay between technology and privacy law – both systems that govern information flows – can be reimagined and organized in mutually productive ways. The chapter proceeds in four steps: (i) explaining some of the dynamics that motivate a rethinking of privacy in the modern moment; (ii) developing a historical understanding of the dominant patterns connecting the evolutions of law and technology; (iii) examining a potential way to reimagine the dynamic between these elements moving forward; and (iv) sketching elements of a pathway towards ‘re-coding’ privacy law.

B The Modern Moment in Technology

The culmination of multiple factors at the intersection among digital technologies, market paradigms, social norms, professional practices, and traditional privacy laws has prompted the urgency of the need to rethink privacy and data protection in the current moment. Among the most important drivers behind the intensified debates about the future of digital privacy as broadly defined are increasingly visible shifts in traditional power structures, more specifically towards governments with unprecedented surveillance capabilities as well as large technology companies that amass digital tracking technologies and large pools of data to develop the corresponding analytical capability to shape people’s lives.Footnote ²²

From a historical perspective, it is worth remembering that it was also power shifts that triggered the emergence of the modern information privacy and data protection laws in the 1970s, when the adoption of new technologies in the form of mainframe computers created an imbalance in power between different branches of government.Footnote ²³ Somewhat similarly, contemporary power struggles among governments, technology companies, and citizens/users might mark another milestone with the potential to affect the political economy of privacy in the longer term. In the United States, the significance of these changes are reflected in a backlash: a variety of developments, ranging from increased activity among lawmakers and regulatorsFootnote ²⁴ to critique by leaders of tech companies themselves,Footnote ²⁵ suggest that the ‘data-industrial complex’ (understood traditionally as the symbiosis between the technology companies of Silicon Valley and the US government) has eroded in the aftermath of the Snowden revelations and in light of the Facebook/Cambridge Analytica scandal, which have demonstrated how profound the effects of such power shifts can be. The ensuing flurry of proposals for privacy legislation at the local, state, and national levels can be understood as attempts to course-correct and address some of the previously less visible power shifts between public and private actors.Footnote ²⁶

Different manifestations and perceptions of such power shifts also fuel international and regional debates that point out the urgent need to address the privacy crisis of the digital age. This crisis has inspired the enactment of the GDPR in Europe and similar legislative efforts in other parts of the world,Footnote ²⁷ as well as intensified global debates about ‘data sovereignty’, which can be understood as an immune system response triggered by the power shifts associated with the unprecedented surveillance capabilities of foreign governments and technology companies.Footnote ²⁸

In addition to tectonic power shifts, technology-induced changes also motivate the need to rethink privacy from within the field. A series of conceptual and definitional questions are illustrative in this respect. For example, is ‘personally identifiable information’ in a big data environment still a meaningful classification to trigger privacy laws?Footnote ²⁹ What about the traditional privacy-protecting techniques, such as anonymization? In a world where volumes of ostensibly innocuous data are available on most individuals, composition effects make re-identification of individuals and reconstruction of databases possible, and even likely, in many cases.Footnote ³⁰ How should privacy harms be defined when traditional legal standards do not easily apply to the new types of cumulative, often long-term, and immaterial effects of privacy invasions?Footnote ³¹ These examples are indicative of the need to revisit some of the conventional terms and concepts privacy laws have long relied upon now that they are challenged by technological advances and the socio-economic practices they enable.

Finally, in an increasingly digitally connected environment, privacy has become a complex right that requires re-evaluating the trade-offs inherent to the idea of ‘privacy’. Privacy is, of course, not an absolute right; there are limits, barriers, and frequently values that are in tension with each other. Although a concept deeply shaped by technology, it is also directly linked to shifting social norms and normative expectations.Footnote ³² In the age of big data, the balancing act of navigating trade-offs between normative values becomes increasingly important and difficult. For example, the right to be forgotten, by prioritizing privacy interests, necessarily reduces freedom of expression and commercial interests in the data market.Footnote ³³ The real challenge of privacy has now become figuring out how to balance trade-offs in a scalable manner – whether that requires developing decision trees or balancing tests – that is not merely a post hoc rationalization for a particular outcome. As the design and processes of modern technology become more sophisticated, and as big societal challenges, such as climate change or public health, increasingly rely on the collection and analysis of large amounts of data, these trade-offs will only become more pervasive and more difficult.Footnote ³⁴

Taken together, the modern era of digital technology has arguably pushed the need to rethink ‘privacy’ to become something more fundamental – a need to re-examine and potentially renegotiate the very concepts and values that society cares about in privacy. Both in terms of problem description and possible pathways forward, this may require, for example, reaching outside the frame of privacy and data protection law altogether to other areas of law and policy writ large. The interplay between technology and society and law is extraordinarily nuanced, and there are a wide variety of levellers and instruments available to help shape the societal effects of technologies in the human context.Footnote ³⁵ More narrowly, and simplifying for the purposes of this chapter, it might be helpful to examine some archetypical response patterns from when law has responded to technology-induced information privacy concerns in the past.

C Historical Patterns of Interaction between Law and Technology

In considering the fundamentally defensive stance that privacy law has taken historically with regard to technology, it is important to note that law in the broader context of information and communication technology has often transcended its familiar role as a constraint on behaviour acting through the imposition of sanctions.Footnote ³⁶ In areas, such as intellectual property and antitrust, law has sought to engage with technology in a more nuanced way by enabling or in some cases levelling desired innovative or disruptive activity.Footnote ³⁷ With this understanding of law as a functionally differentiated response system, and acknowledging that legal responses to technological innovation should not be understood as a simple stimulus-response mechanism, it is possible to identify a series of historical response patterns that characterize the evolution of privacy and data protection law vis-à-vis technological change. At a general level, three analytically distinct, but in practice often overlapping, response modes can be identified.Footnote ³⁸

1. 1. When dealing with innovative technologies, the legal system – including privacy and data protection law – by default often seeks to apply the old rules to the (new) problem resulting from new technology and its uses (subsumption). One illustration of this default response mode is US courts’ application of privacy torts, for instance, to address complaints about improper collection, use, or disclosure of data by digital businesses, such as Google and Facebook, because these analyses largely rely on tort conceptions of privacy advanced in the late nineteenth century.Footnote ³⁹

2. 2. Where subsumption is considered insufficient due to the novelty of the issues raised by a new technology, the legal system might resort instead to innovation within its own system. One version of this response mode is to ‘upgrade’ existing (privacy) norms gradually, typically by setting new precedent or by adjusting and complementing current norms (gradual innovation). Proposals to introduce a tort for the misuse of personal information by data traders,Footnote ⁴⁰ to provide legal recognition of data harms by extending developments from other areas of the law, such as torts and contracts,Footnote ⁴¹ to enact a Consumer Privacy Bill of Rights Act,Footnote ⁴² and to expand consumers’ rights to access their data records within reasonable timeframes,Footnote ⁴³ are all examples of gradual legal innovations that leave core elements of the current regulatory approach unchanged.

3. 3. A more radical, paradigm-shifting approach is deeper-layered law reform where not only are individual norms updated, but also entire approaches or instruments are changed. In addition to the proposals already mentioned in the introduction, examples in this category include efforts to reimagine privacy regimes based on models that emerged in the field of environmental law,Footnote ⁴⁴ to reformulate the current crisis as data pollution and develop social instruments that address the external harms associated with the collection and misuse of personal data,Footnote ⁴⁵ to create an alternative dispute resolution scheme, such as a ‘cyber court’ system to deal with large-scale privacy threats in the digital age,Footnote ⁴⁶ or to introduce a ‘Digital Millennium Privacy Act’ that would provide immunity for those companies willing to subscribe to a set of information fiduciary duties,Footnote ⁴⁷ to name just a few illustrations.

Perhaps the most interesting, and arguably the most promising, approach to reprogramming information privacy and data protection law in a more fundamental sense stems from such a paradigm-shifting approach: to embrace the multi-faceted, functional role of law and reframe technology, as broadly defined, no longer (only) as a threat to privacy, but as part of the solution space.

Precursors of such a potential shift date back to the 1970s, when researchers under the header of ‘Privacy-Enhancing Technologies’ (PETs) started to develop technical mechanisms in response to privacy challenges associated with new information and communication technologies.Footnote ⁴⁸ Originally focused on identity protection and technical means to minimize data collection and processing without losing a system’s functionality, the scope of PETs and similar instruments have broadened over time to include encryption tools, privacy-preserving analysis techniques, data management tools, and other techniques that cover the entire lifecycle of personal data. Starting in the 1990s, PETs, one instrument in a toolbox of many more, were put into a larger context by the introduction of privacy by design, a ‘systematic approach to designing any technology that embeds privacy into [both] the underlying specification or architecture’Footnote ⁴⁹ and, one might add, business practices. Although still a somewhat amorphous and evolving concept that seeks to integrate legal and technical perspectives, privacy by design can be understood as an important movement that promotes a holistic approach to managing the privacy challenges that result from a wide range of emerging technologies across their life cycles and within their contexts of application. The concept has been endorsed by privacy regulators from across the globeFootnote ⁵⁰ and adopted on both sides of the Atlantic, with the GDPR among the most prominent recent examples.Footnote ⁵¹ In addition to research efforts and scholarly contributions that deepen, advance, and critically examine the privacy by design concept, a range of implementation guidelines and methodologies have been issued by regulatory authorities, standards organizations, and other sources to help operationalize typically abstract privacy-by-design-requirements.Footnote ⁵² Despite all the progress made, careful examinations of the approach have highlighted both conceptual questionsFootnote ⁵³ and implementation challenges,Footnote ⁵⁴ including economic obstacles, interoperability barriers, and usability and design issues.Footnote ⁵⁵ Conversely, additional work is also required to close privacy law’s ‘design gap’, at least in practice.Footnote ⁵⁶

D Reimagining the Relationship of Law and Technology

This relatively recent ‘discovery’ of technology as an approach to address the very privacy challenges it (co-)creates in the law has potential. The more technical dimensions to regulating information privacy have been the focus of intense study by computer scientists and resulted in a rich theoretical literature and numerous practical tools for protecting privacy. Yet, in the past such discussion has by and large occurred in a space separate from the sphere of legal norms, regulations, policies, ethics codes, and best practices. In addition to the larger shifts mentioned earlier in this chapter, a number of specific trends make it now more important as well as urgent to foster knowledge sharing and integration between the two spheres and to embrace technological approaches to support legal privacy across a number of different functions.

First, technological advances enable sophisticated attacks that were unforeseen at the time when many of the still-applicable legal standards for privacy protection were drafted. Computer scientists now need to develop approaches that are robust not only against new modes of attack, but also against unknown future attacks, in order to address challenges posed by next-generation privacy threats.Footnote ⁵⁷ For example, database reconstruction attacks have already demonstrated that large collections of data such as the United States Census – although ostensibly confidential – are now vulnerable to discovery of a particular individual’s personal, private characteristics, so new means of protection for these datasets are required.Footnote ⁵⁸ Similarly, the omnipresence of predictive analytics makes it difficult for individuals to understand and control the usage of their own data, rendering traditional regulatory control paradigms increasingly ineffective against developments in technology.Footnote ⁵⁹

Furthermore, patchworks of privacy laws, the lack of interoperability among them, and different interpretations of their requirements can all result in wide variations in the treatment and protection of data across contexts and geographies, depending on the jurisdictions, industry sectors, actors, and categories of information involved. More robust frameworks for evaluating privacy threats that are based on integrated legal and scientific standards for privacy protection are required to provide more comprehensive, consistent, and robust information privacy protection, thereby furthering the end goals of the law.

Finally, traditional legal approaches for protecting privacy while transferring data, making data-release decisions, or drafting data-sharing agreements, among other activities, are time-intensive and not readily scalable to big data contexts at a time when some of the biggest global challenges urgently require more, not less, privacy-respecting data sharing. Technological approaches need to be designed with compliance with legal standards and practices in mind in order to help automate data-sharing decisions and ensure consistent privacy protection at a massive scale.Footnote ⁶⁰ For example, personalization of the conventional means of ensuring privacy, such as disclosure mandates, could help incorporate more granular legal norms and requirements into an individual’s privacy in a scalable fashion.Footnote ⁶¹

These reasons already indicate that the need for enhanced interoperability between technological and legal approaches to privacy is not limited to the mechanical level of individual privacy-preserving techniques and tools and goes beyond efforts to require companies to protect privacy by embedding it into the design of technologies and business practices. Rather, the scale of the challenge of reimagining the relationship between technology and privacy – as well as the potential benefits of increased levels of interoperability between the two – becomes visible when considering the variety of interrelated functional perspectives that such an approach situated at the law/technology interface would open up when dealing with the privacy challenges of the digital age. The following questions can be raised in this context.

1. 1. How can technological and legal perspectives be integrated more closely to enable more robust problem descriptions and analyses? Approaches like privacy by design signal a departure from binary notations of privacy and ad hoc balancing tests of competing interests toward more holistic and rigorous privacy risk assessment models that rely both on modeling approaches from information security and an understanding of privacy informed by recent theoretical advances across different disciplines. Technical research, for example, may better quantify the privacy risks associated with more traditional privacy-protection techniques like anonymizationFootnote ⁶² and thus help establish a legal framework that articulates which privacy risks should be considered ‘unacceptable’. Similarly, using both computational and sociological measures could establish a more empirical evidence base about consumers’ attitudes and expectations towards privacy.Footnote ⁶³ A growing body of interdisciplinary research demonstrates the theoretical and practical promise of such modern privacy analyses that are based in holistic analytical frameworks incorporating recent research from fields ranging from computer science and statistics to law and the social sciences.Footnote ⁶⁴ Indeed, such frameworks are increasingly recognized by expert recommendations and standards.Footnote ⁶⁵

2. 2. How can legal and technological tools be combined in order to enable more effective, scalable, and accountable solutions to privacy problems, including the need for trustworthy data sharing? A wealth of research and practical examples show how emerging technical privacy solutions, including sophisticated tools for data storage, access control, analysis, and release, can act in concert with legal, organizational, and other safeguards to better manage privacy risks across the different stages of the lifecycle of data.Footnote ⁶⁶ Consider, for instance, the important role encryption plays in securing access to and storage of data,Footnote ⁶⁷ the technological development of a personal data store that enables individuals to exercise fine-grained control over where information about them is stored and how it is accessed,Footnote ⁶⁸ the movement in AI towards transparent and explainable automated decision-making that makes technology more accountable,Footnote ⁶⁹ or the development of technical ways to implement the right to be forgotten by deleting an individual’s records from machine learning models efficiently.Footnote ⁷⁰ Formal mathematical guarantees of privacy can also reliably lower privacy risks. Differential privacy is one such example of a mathematical framework that manages the privacy challenges associated with the statistical analysis of information maintained in databases.Footnote ⁷¹ Secure multiparty computation, to add another example, is a methodology that enables parties to carry out a joint computation over their data in such a way that no single entity needs to hand a dataset to any other explicitly.Footnote ⁷² While some of these technologies are still in development, others have been tested out in practice and are already recommended as best practices in selected fields of application. Real world examples include the implementation of differential privacy in the United States Census,Footnote ⁷³ as well as the use of security multiparty computation to investigate pay gaps,Footnote ⁷⁴ or maintain data on student outcomes in higher education.Footnote ⁷⁵

3. 3. How can enhanced levels of interoperability between technological and legal approaches to privacy enable better matching of solutions to problems? The Harvard University Privacy Tools Project, for example, is a multidisciplinary effort to develop technical tools to address specific, identified policy needs.Footnote ⁷⁶ Among other contributions, the project demonstrates, for certain categories of use cases, including data sharing in research contexts, how interdisciplinary approaches can guide actors to engage in more robust privacy risk assessments and then select the best solution from a set of integrated privacy tools, such as tiered access models, that combine both legal and technical approaches to privacy protection.Footnote ⁷⁷ As another example, the LINDDUN approach, developed at Leuven University, creates a taxonomy of mitigation strategies to address privacy threats in a given high-level system and identifies effective, targeted PETs by creating data flow diagrams, mapping privacy threats, and performing risk analyses on these privacy threats.Footnote ⁷⁸

4. 4. How can a closer integration of technical and legal concepts and applications aimed at protecting privacy make it easier to demonstrate compliance and ‘measure progress’ over time? Again, differential privacy is a key example of using a highly technical conception of ‘privacy’ to give the vague legal words used to define privacy in statutes and regulations more precision, which in turn increases the accuracy of assessment of compliance in individual cases and over time.Footnote ⁷⁹ More generally, legal standards could adopt more technically robust descriptions of an intended privacy goal rather than simply endorsing traditional approaches like de-identification. This would provide a clearer basis for demonstrating whether new classes of emerging privacy technologies are sufficient to fulfil the requirements of these standards. These examples indicate how policymakers and technologists could seek to employ a hybrid of legal and technical reasoning to demonstrate a privacy solution’s compliance with legal standards for privacy protection.Footnote ⁸⁰

Taken together, the integration of legal and technical approaches across different functional areas can help pave the way for a more strategic and systematic way to conceptualize and orchestrate the contemporary interplay between law and technology in the field of information privacy and data protection. The process of re-imagination through enhanced interoperability – here illustrated along four functional areas with the open-ended possibility of adding others – builds heavily upon the concept of privacy by design and is informed by related approaches such as privacy impact assessments. However, as already mentioned, this process is less focused on embedding privacy requirements into the design and architecture of individual technological systems and business practices. Rather, it is more broadly interested in finding ways to overcome the traditional interaction patterns between technology and law in order to offer new system-level opportunities to develop notions and manifestations of privacy that might only emerge after combining different substantive and methodological ‘lenses’. At a moment of rethinking privacy, such an exercise might inform the evolutionary path of privacy and data protection laws at both the conceptual and implementation levels by challenging their underlying assumptions, definitions, protection requirements, compliance mechanisms, and so on.

E Towards Recording Privacy Law

Over time, enhanced interoperability between technological and legal approaches to privacy might ultimately culminate in a deeper-layered recoding of privacy law that transcends the traditional response patternsFootnote ⁸¹ discussed earlier in this chapter by leveraging the synergies between perspectives and instruments from both domains in order to cope with the complex privacy-relevant challenges of our future. The path towards such an outcome, however, is long and faces many obstacles given the economic, geopolitical, and other forces at play that were described earlier in this chapter.

As a precondition of any progress, such a strategy requires significant investments in interdisciplinary education, research, and collaboration.Footnote ⁸² Despite all the advancements made in recent years, there is much yet to be uncovered: development of novel systems of governance requires not only interdisciplinary mutual understandings but also deep inquiry into the most effective roles for law and legal governance in such a dynamic, fast-changing system. Programs designed to stimulate such collaboration and interdisciplinary learning have already started being developed at universities.Footnote ⁸³ Furthermore, technology positions in government, such as the Chief Technologist position at the Federal Trade Commission and the President’s Council of Advisors on Science and Technology, to name two examples from the United States, recognize the need for experts in computer science who can inform privacy regulation and serve as models of cross-disciplinary communication and knowledge-sharing in policy circles.Footnote ⁸⁴ Similarly, it is becoming increasingly important for technologists to understand legal and policy approaches to privacy protection, so that they can implement measures that advance the specific goals of such standards. Doing so will also likely require policymakers to develop mechanisms and resources for communicating their shared understanding of the interface between law and technology with privacy practitioners. Regulatory systems and institutions will also need to support additional research on policy reasoning, accountable systems, and computable policies for automating compliance with legal requirements and enforcement of privacy policies.Footnote ⁸⁵

Reimagining the relationship between technology and privacy law in the digital age can be seen as a key component of a larger effort aimed at addressing the current digital privacy crisis holistically. Under contemporary conditions of complexity and uncertainty, the ‘solution space’ for the multifaceted privacy challenges of our time needs to do more than treat the symptoms of discrete privacy ills. It needs to combine approaches, strategies, and instruments that span all available modes of regulation in the digital space, including technology, markets, social norms and professional practices, and the law. If pursued diligently and collaboratively, and expanding upon concepts, such as privacy by design or privacy impact assessments, as written into modern privacy frameworks like the GDPR, such a turn toward coordinated privacy governance could result in a future-oriented privacy framework that spans a broad set of norms, control mechanisms, and actorsFootnote ⁸⁶ – ‘a system of information privacy protection that is much larger, more complex and varied, and likely more effective, than individual information privacy rights’.Footnote ⁸⁷ Through such nuanced intervention, the legal system (understood as more than merely a body of constraining laws) can more proactively play the leading role in directing and coordinating the various elements and actors in the blended governance regime, and – above all – in ensuring the transparency, accountability, and legitimacy that allow democratic governance to flourish.Footnote ⁸⁸

A Introduction

Commercial use of personal and other data facilitates digital trade and generates economic growth at unprecedented levels. A dramatic shift in the composition of the top twenty companies by market capitalisation speaks vividly to this point. While, in 2009, 35 per cent of those companies were from the oil and gas sector, in 2018 – just nine years later – 56 per cent of those companies were from the technology and consumer services sectors.Footnote ¹ Meanwhile, the share of oil and gas companies, a pillar among traditional industries, declined to just 7 per cent. The share of digitally deliverable services in global services exports more than doubled in the last thirteen years: it increased from USD 1.2 trillion in 2005 to USD 2.9 trillion in 2018.Footnote ²

Data also constitutes a crucial resource for the development, continuous refinement and application of artificial intelligence (AI). The availability of data and its free flow across borders are often viewed as pre-requisites for the development and flourishing of AI technology.Footnote ³ However, in the context of AI, it is not the data itself, but the knowledge and insights obtained with the help of AI algorithms from that data (in other words, the ‘fruits’ of the data) that constitute the main added value. Learning, or ‘digital intelligence’, in the words of UNCTAD, is crucial for the market of big data. One of the upshots of this is that without the necessary infrastructure and technologies, data concerning individual persons or even aggregated data cannot by itself generate value. It is the ‘learning’, and not raw data itself, that constitutes a valuable economic resource and can be used in targeted online advertising, the operation of electronic commerce platforms, the digitisation of traditional goods into rentable services and the renting out of cloud services.Footnote ⁴ For example, personalisation, which is an important component in the production, marketing and distribution of online services, uses AI systems to transform individuals’ online behaviour, preferences, likes, moods and opinions (all of which constitute personal data, at least in the European Union) into commercially valuable insights.Footnote ⁵ Focusing solely on data in the context of regulatory conversations on AI – both in domestic and international trade contexts – may be misguided.

AI development is at the top of the domestic and international policy agendas in many countries around the world. Just in the last couple of years, more than thirty countries and several international and regional stakeholders, including the European Union (EU), G20 and Nordic-Baltic Region adopted AI policy documentsFootnote ⁶ revealing their ambitions to compete for dominance in AI. Digital trade provisions, including rules governing cross-border data flows, access to proprietary algorithms and technology transfers and access to open government data, have taken centre stage in bilateral, regional and international trade negotiations.Footnote ⁷

Different levels of advancement in digital technologies in general, and in AI specifically, as well as the concentration of data in the hands of a few countries, make international negotiations on digital trade challenging. To illustrate the point, according to the 2019 UNCTAD Digital Economy Report, China and the United States account for 90 per cent of the market capitalisation value of the worlds’ seventy largest digital platform companies and ‘are set to reap the largest economic gains from AI’.Footnote ⁸ In contrast, the EU accounts for only 3.6 per cent of this market capitalisation.Footnote ⁹ The report further demonstrates that China, the United States and Japan together account for 78 per cent of all AI patent filings in the world.Footnote ¹⁰ Data – one of the key components of data analytics – is highly concentrated in Asia Pacific and the United States: 70 per cent of all traffic between 2017 and 2022 is expected to be attributed to these two regions.Footnote ¹¹ Representing 87 per cent of the B2B e-commerce, the United States is the market leader in global e-commerce, while China is the leader in B2C e-commerce followed by the United States.Footnote ¹² As a result, economic value derived from data is captured by countries where companies having control over storage and processing of data reside.Footnote ¹³

The high concentration of control over AI technologies, digital platforms and data in specific parts of the world raise concerns about ‘digital sovereignty’ related to control, access and rights of the data and appropriation of the value generated by the monetisation of the data.Footnote ¹⁴ This issue is not limited to the dynamics of negotiations between developed and developing countries. For example, the new European Commission’s Digital Strategy is strongly anchored in the principles of digital sovereignty and shaping technology in a way respecting European values.Footnote ¹⁵ Public policy interests implicated by international data governance and data flows, indispensable for the global governance of AI, stretch far beyond issues of economic growth and development. They also involve a broader set of national and regional priorities, such as national security, fundamental rights protection (such as the rights to privacy and to protection of personal data) and cultural values, to name just a few. Differences in the relative weight accorded to each such priority when contrasted with the economic and political gains from cross-border data flows have resulted in a diversity of domestic rules governing cross-border flows of information, especially when it relates to personal data, and a diversity of approaches to govern the use of AI in both private and public law contexts.

Against this backdrop, this chapter’s aim is twofold. First, it provides an overview of the state of the art in international trade agreements and negotiations on issues related to AI, in particular, the governance of cross-border data flows. In doing so it juxtaposes the EU and the US approaches and demonstrates that the key public policy interests behind the dynamics of digital trade negotiations on the EU’s side are privacy and data protection. Second, building on the divergent EU and US approaches to governing cross-border data flows, and the EU policy priorities in this respect in international trade negotiations, this chapter argues that the set of EU public policy objectives weighted against the benefits of digital trade in international trade negotiations, especially with a view to AI, should be broader than just privacy and data protection. It also argues that an individual rights approach has limitations in governing data flows in the context of AI and should be expanded to factor in a clearer understanding of who wins and who loses from unrestricted cross-border data flows in an age of data-driven services and services production.

The chapter proceeds as follows. The next section maps out the recent developments on digital trade on the international trade law landscape. The third section discusses, from an EU perspective, the limits of data protection in regulating AI domestically and as a catch-all public policy interest counterbalancing international trade commitments on cross-border data flows. The fourth section contains a brief conclusion.

B Cross-Border Digital Trade and Artificial Intelligence

The immense potential of data to generate economic value has given rise to a so-called ‘digital trade discourse’, which, on the one hand, views the freedom of cross-border data flows as one of the pre-requisites of international digital trade and AI-driven innovation and, on the other hand, predicts that restrictions on data flows will hamper economic growth and undermine innovation.Footnote ¹⁶ This discourse is advanced not only by the United States, which has a strong competitive advantage in digital technologies, and the big tech companies, which invest millions of dollars in lobbying activities on digital trade, but also by the EU.Footnote ¹⁷

Policy debates in international trade negotiations on digital trade, relevant in the AI context, revolve around the liberalisation of cross-border data flows in order to enable accumulation of large data sets to train AI systems and restrictions on those data flows in the public interest. The following subsections provide an overview of recent developments in this area.

Countries have not yet achieved a multilateral consensus on the design and scope of digital trade provisions, which have so far only appeared in bilateral and regional trade agreements and have somewhat overshadowed the multilateral efforts of the WTO in this area.Footnote ¹⁸ Although proposals on electronic commerce in the WTO increasingly focus on barriers to digital trade and ‘digital protectionism’,Footnote ¹⁹ the WTO has not yet made any tangible progress on this issue.Footnote ²⁰ The discussions continue, however. In early 2019, seventy-six WTO members, including Canada, China, the EU, and the United States, started a new round of negotiations on electronic commerce at the WTO in order to create rules governing e-commerce and cross-border data flows.Footnote ²¹ It remains to be seen how these negotiations will play out. Despite a seemingly firm consensus on the use of the terms ‘digital trade’ and ‘digital protectionism’ – the axes around which the discourses governing international negotiations revolve – the value structures underlying these discourses diverge,Footnote ²² as the US and the EU examples below will illustrate. The next section on international trade law governance of cross-border data flows then explicates how trade provisions on cross-border data flows, advanced by the US and the EU, mirror this divergence.

In the spirit of its ‘digital agenda’, the United States has been a pioneer in including provisions on free cross-border data flows in international trade agreements.Footnote ²³ The United States has managed successfully to advance broad and binding horizontal obligations enabling unrestricted data flows in the digital trade (or electronic commerce) chapters of its recent trade agreements. The Comprehensive and Progressive Agreement on Trans-Pacific Partnership (CPTPP), (where the US led digital trade discussions before its withdrawal from the TPP agreementFootnote ²⁴), the United States–Mexico–Canada Agreement (USMCA) and the Digital Trade Agreement with Japan examples are of trade agreements to contain a binding provision requiring each party to allow (or not to restrict) the cross-border transfer of information by electronic means, including personal information, when this activity is for the conduct of the business of a covered person.Footnote ²⁵ The US proposal for the ongoing e-commerce talks at the WTO replicates this ‘gold standard’ provisions on digital trade.Footnote ²⁶ All of the earlier mentioned free trade agreements (FTAs) also contain an exception which allows the parties to adopt or maintain measures inconsistent with this obligation to achieve a legitimate public policy objective, provided that the measure (i) is not applied in a manner which would constitute a means of arbitrary or unjustifiable discrimination or a disguised restriction on trade; and (ii) does not impose restrictions on transfers of information greater than are required (necessary – in the USMCA and US–Japan Digital Trade Agreement) to achieve the objective.Footnote ²⁷

The exception closely resembles the general exception under Article XIV(c)(ii) of the General Agreement on Trade in Services (GATS),Footnote ²⁸ a threshold which has been particularly hard to meet in the past.Footnote ²⁹ Similar to the general exception clause, the FTA text requires that a measure prima facie inconsistent with the data flow obligation should be subject to a two-level assessment. First, it should pass the so-called ‘necessity test’, where the necessity of the contested measure is assessed, based on an objective standard of ‘necessity’ by trade adjudicators. Second, its application should not amount to arbitrary or unjustifiable discrimination or a disguised restriction on trade (pursuant to the chapeau of the general exception provision). Under WTO case law, the ‘necessity test’ requires that a WTO law–inconsistent measure be the least trade restrictive of all reasonably available alternatives allowing to achieve the same level of protection of a public interest, raised by the claimant in a dispute.Footnote ³⁰ In short, just like the GATS general exception, the FTA exception sets a high threshold for justifying a domestic measure inconsistent with relevant trade disciplines. An important difference of the earlier quoted FTA exception from the GATS general exception, however, is that it does not specify the public policy objectives that may be invoked to justify a restriction on the free cross-border data flows. In this sense, the exception is more ‘future-proof’, as it can rest on any public policy interest that may be implicated by the cross-border data flow obligation in the future, such as cybersecurity or even technological sovereignty (not mentioned in Article XIV GATS exception), provided of course that the measure passes the two-level assessment of the exception.

In addition, the digital trade (electronic commerce) chapters of the earlier mentioned agreements contain an article on the protection of personal information (the term used to refer to personal data in the United States), which contains a mixture of binding and aspirational provisions on the protection of privacy by the parties to the agreements.Footnote ³¹

The EU largely shares the ‘digital trade’ discourse on the benefits of cross-border data flows for global economic growth with the United States and, in principle, supports the idea of regulating cross-border data flows in international trade agreements.Footnote ³² Largely but not completely, because there is one important point on which the EU approach diverges very significantly from that of the United States: namely, with regard to the protection of the rights to privacy and personal data. It is for this reason that the EU has until recently been cautious in including provisions on cross-border data flows in its trade agreements.Footnote ³³ Understanding the EU’s domestic framework on the protection of personal data and, in particular, its approach to transfers of personal data outside the European Economic Area (EEA), is essential for explaining its trade policy in the domain of cross-border data flows. Therefore, before delving into the EU’s proposed provisions on the latter topic, let us first briefly discuss the EU’s domestic regime for transfers of personal data outside the EEA.

The rights to privacy and the protection of personal data are protected as binding fundamental rights in the EU.Footnote ³⁴ From an EU data protection law perspective, personal data is distinct from other types of information because of its inextricable link to the data source: individuals. One of the pillars of this protection, as the CJEU has ruled,Footnote ³⁵ is the restriction on transfers of personal data outside the EEA in order to ensure that the level of protection guaranteed in the EU by the General Data Protection Regulation (GDPR)Footnote ³⁶ is not undermined or circumvented as personal data crosses EEA borders.Footnote ³⁷ As a consequence of the broad definition of ‘personal data’, EU restrictions on transfers of personal data apply to a broad range of data that can be essential for developing, fine tuning and application of AI systems. Furthermore, the restrictions also apply to mixed data sets, in which personal and non-personal data are ‘inextricably linked’ – which, as mentioned earlier, fall under the scope of the GDPR.Footnote ³⁸ The restrictions do not apply to non-personal data, including non-personal data in mixed data sets, under the condition that those can be separated from personal data. At the same time, the distinction between personal and non-personal data is not set in stone. If, due to technological developments, this anonymised data can be reidentified, it will become ‘personal’ and the GDPR restrictions will again apply.Footnote ³⁹ Some scholars argue that these restrictions limit the cross-border aggregation of data and thus stifle the development of AI.Footnote ⁴⁰

The GDPR’s restrictions on transfers of personal data apply when personal data is transferred or is accessed from outside the EEA, including when this is done for training AI systems, and in the phase of fine-tuning or cross-border application of already existing AI systems located outside the EEA to individuals located in the EEA.Footnote ⁴¹ This is because feeding an EEA individual’s data to the non-EEA AI system will most likely constitute a transfer of personal data.

Turning to the intersection of the GDPR with international trade law, only one FTA to which the EU is a party includes a binding provision on cross-border data flows. The 2019 Economic Partnership Agreement with Japan (Japan–EU EPA), where such a provision was initially proposed by Japan, merely includes a review clause allowing the parties to revisit the issue in three years’ time after the agreement’s entry into force.Footnote ⁴² The EU and Japan have agreed to use a mutual adequacy decision following the route for cross-border transfers of personal data laid down in the GDPR.Footnote ⁴³ This was due to the inability of EU institutions to reach a common position on the breadth of the data flows provision and exceptions from it for the protection of privacy and personal data, following a strong push back from academics and civil society to an attempt of including such provisions in the – currently stalled – plurilateral Trade in Services Agreement (TiSA) and the Transatlantic Trade and Investment Partnership (TTIP) between the EU and the US.Footnote ⁴⁴

In 2018, the European Commission reached a political agreement on the EU position on cross-border data flows. This position was expressed in the model clauses, which, in particular, include a model provision on cross-border data flows (Article A) and an exception for the protection of privacy and personal data (Article B).Footnote ⁴⁵ The EU has included these model clauses in its proposals for digital trade chapters in the currently negotiated trade agreements with Australia, Indonesia, New Zealand and Tunisia,Footnote ⁴⁶ as well as into the EU proposal for the WTO rules on electronic commerce,Footnote ⁴⁷ which are intended to co-exist with the general exception for privacy and data protection modelled after Article XIV(c)(ii) GATS included in the same agreements.Footnote ⁴⁸ The 2021 EU-UK Trade and Cooperation Agreement (TCA), however, contains provisions different and, arguably, awarding less regulatory autonomy to protect privacy and personal data, than those in the above-mentioned model clauses.Footnote ⁴⁹ It is unclear whether the TCA provisions are merely outliers or represent the new model approach of the EU. Given that the above-mentioned model clauses have not been amended following the TCA and still represent the EU position in multiple ongoing trade negotiations, including those at the WTO, this chapter assumes that they still represent the EU mainstream approach and, therefore, the discussion below focuses solely on these clauses.

Model Article A provides for an exhaustive list of prohibited restrictions on cross-border data flows. Model Article B on the protection of personal data and privacy states that the protection of personal data and privacy is a fundamental right and includes an exception from the provision on cross-border data flows. The model clauses, on their face, safeguard the EU’s broad regulatory autonomy, much more so than the general exception for privacy and data protection in existing trade agreements. This is made manifest in five different ways. First, as compared to the US model provision on cross-border data flows, the prohibition of restrictions on cross-border data flows in Article A is formulated more narrowly, in that it specifically names the types of restrictions that are outlawed by this provision. Second, the provisions of Article B(1) assert that the normative rationale for the protection of personal data and privacy is the protection of fundamental rights. This rationale – as opposed to economic reasons for protecting privacy and personal data – signals a higher level of protection and, therefore, arguably requires a broader autonomy to regulate vis-à-vis international trade commitments.Footnote ⁵⁰ This provision is likely to be interpreted as a part of the digital trade exception for privacy and data protection in Article B(2) of the proposal. Third, the proposed exception for privacy and the protection of personal data establishes a significantly more lenient threshold – ‘it deems appropriate’ – than the ‘necessity test’ of the general exception under the GATS. Drawing the parallel with the threshold in the GATS national security exception – ‘it considers necessary’Footnote ⁵¹ – one can argue that the proposed exception affords an almost unlimited autonomy to adopt measures inconsistent with Article B(2) to protection of privacy and personal data.Footnote ⁵² Fourth, the exception in Article B(2) explicitly recognises the adoption and application of rules for cross-border transfers of personal data – the gist of the EU’s framework for transfers of personal data – as one of the measures that a party may deem appropriate to protect personal data and privacy, in spite of its international trade commitments. Fifth and finally, the provision of Article B(2) protects the safeguards afforded by a party for personal data and privacy from being affected by any other provision of the trade agreement.

At the same time, despite these apparent strengths of the EU proposal in view of privacy and data protection, Article B suffers from at least four clear weaknesses. First, declaring that the protection of privacy and personal data are fundamental rights is EU-centric and does not leave the EU’s trading partners any autonomy to choose another level of protection of these public policy interests they might see fit for their own legal and cultural tradition. Given that, as things stand now at least, the fundamental rights protection of privacy and personal data is, essentially, a European phenomenon, EU trading partners may be reluctant to commit to this level of protection in a trade agreement. Second, the exception for privacy and data protection in Article B(2) of the EU’s proposal is designed for digital trade chapters and fails to clarify its relationship with the general exception for data protection, which remains intact – at least in available draft trade agreements – in which the EU has included the proposed model clauses.Footnote ⁵³ Third, modelling an exception for privacy and data protection after the national security exception essentially creates an almost unconditional escape valve from virtually any trade commitment, as long as there is at least a remote nexus to the protection of privacy and personal data. Although this may seem justified at first glance given that privacy and data protection are fundamental rights in the EU, it creates a precedent for using this wide margin for a variety of public policy interests (other than national security), which may undermine the global rules-based trading system. Fourth, and most relevant in the context of this chapter’s discussion, the public policy interests that can justify violation of Article A under Article B(2) are limited to the protection of privacy and personal data. Although this underscores the relative importance of the rights to data protection and privacy as opposed to the goal of digital trade liberalisation on the values scale, the limitation of the exception to these particular rights may have negative effects. Given that the threshold for important public policy interests, such as public morals, safety, human, animal or plant life, in the general exception clause is narrower than the threshold in model Article B(2), the regulatory autonomy to protect personal data and privacy ends up being much broader than the protection of other rights that are also recognised under the EU Charter of Fundamental Rights.Footnote ⁵⁴ This elevates privacy and the protection of personal data above other rights that are equally protectedFootnote ⁵⁵ and may even create an incentive to – artificially – frame other public policy interests, especially those not mentioned in the GATS general exception, as protection of privacy and personal data. In the context of AI, this could steer domestic AI regulation in the EU deeper into the realm of data protection as opposed to creating a separate regulatory framework – an issue currently discussed in the EU institutions.Footnote ⁵⁶ Public policy interests, such as industrial policy,Footnote ⁵⁷ cybersecurityFootnote ⁵⁸ and digital sovereignty,Footnote ⁵⁹ are cited as public policy interests that may require restricting digital trade in general or data flows in particular. The first is especially relevant for developing countries, for which free data flows essentially mean ‘one-way flows’, as these countries’ data flows are constrained by the limited availability of digital technologies and of the skills necessary to produce digital intelligence from data.Footnote ⁶⁰ This issue, as already mentioned, has gained prominence in the European Commission’s 2020 digital strategy. In its European Strategy for Data, the European Commission stated:

Turning to cybersecurity interests, they may require restrictions on data flows, data localisation or restrictions on import of certain information technology products.Footnote ⁶² These interests are relevant for both developing and developed countries. The blurring boundary between public and private spheres in the surveillance context – where governments increasingly rely on private actors for access to data for surveillance purposes – explains why cross-border data flows may raise sovereignty concerns as well.Footnote ⁶³

To sum up, although the regulation of cross-border data flows, especially in the context of AI, implicates a variety of public policy interests, the EU trade policy on this topic has solely focused on one of them – namely privacy and the protection of personal data. This, arguably, has something to do with the institutional dynamics between EU institutions. However, it may not be sustainable either in the EU or in a multilateral context, such as with regard to the electronic commerce negotiations at the WTO. According to UNCTAD, the early meetings of the group on data flows at the WTO have, so far, mainly reflected the views of proponents of the free flow of data.Footnote ⁶⁴ However, for these negotiations to result in concrete WTO legal norms, members will have to reach a consensus on how to balance the economic gains of free data flows with multiple competing interests, which include not only the protection of privacy and personal data – the main point of contention for the EU – but also other fundamental rights, as well as industrial policy, cybersecurity and economic development interests of other countries involved in the negotiations.Footnote ⁶⁵

In contrast to the position taken both by the United States and the EU that data flows should be free (unless their restriction can be justified by an exception), when it comes to the protection of the source code, or algorithms expressed in that source code incorporating the learning derived from processing of data – the position is the exact opposite. As explained in the introduction, learning, or digital intelligence, is where the real economic value of personal and other data lies. Thus, while data and data flows are viewed as ‘free’, the value obtained from data are up for grabs by whomever possesses the infrastructure and resources necessary to process that data. At this juncture, these entities are concentrated in the United States and China. Two recent US-led FTAs, namely the USMCA and the US–Japan Digital Trade Agreement (DTA), contain specific provisions on the protection of source code and algorithms.Footnote ⁶⁶ The EU’s proposal for the WTO negotiations on e-commerce also contains a prohibition on access to and forced transfer of the source code of software owned by a natural or juridical person of other members.Footnote ⁶⁷ Similar provisions are included in the EU proposals for digital trade chapters of currently negotiated FTAs, such as with Mexico,Footnote ⁶⁸ AustraliaFootnote ⁶⁹ and New Zealand.Footnote ⁷⁰

C The Limits of Personal Data Protection in the Context of Trade Law Policy on Cross-Border Data Flows in AI Context

The earlier discussion demonstrates that the only public policy interests that are fully accounted for in the exception from a proposed provision on the free cross-border flow of data in draft EU trade agreements are privacy and the protection of personal data. In the context of AI, this mirrors the currently prevailing approach in the EU to regulate AI through the governance structure of the GDPR. This section focuses on two limitations of this approach. First, this approach is based on a distinction between personal and non-personal data, because only data that qualifies as personal falls under the EU data protection framework. The distinction is increasingly hard to make, especially in the context of AI. Second, EU privacy and personal data protection takes us to an individual rights framework that does not account for the value produced from data and the impact of applying the learning derived from AI to larger societal groups or populations.

D Conclusion

The analysis in this chapter of recent developments in the governance of cross-border data flows in international trade law showed that the main public policy interests discussed in the context of EU trade policy on this issue are the protection of the fundamental rights to privacy and personal data. This chapter argued that other policy objectives, such as cybersecurity and digital sovereignty – which have recently become one of the anchors of EU’s internal AI policy – should also be considered. The chapter has also shown that the individual rights–centred data protection framework has limits in governing AI both in domestic and international trade policy.

A Introduction

Pantha rhei (‘everything flows’) turns out to be a very fitting metaphor for how terabytes of digital data rush through the network of networks. Attributed to the philosopher Heraclitus panta rhei connotes that change is the fundamental essence of the universe.Footnote ¹ Data flows are the undercurrent of digital globalization that transforms our societies. How data flows will likely underpin digital services in a not so distant future is vividly described in Anupam Chander’s contribution (Chapter 5) in this volume. Data’s liquidity tends to undermine outdated regulatory formations and erode the paradigms that used to underpin a society’s conventional right to self-governance.Footnote ² Everything is in flux.

Human rights do however remain valid currency in how we approach planetary-scale computation and accompanying data flows. As we enter ‘the age of digital interdependence’, a UN expert panel urges ‘new forms of digital cooperation to ensure that digital technologies are built on a foundation of respect for human rights and provide meaningful opportunity for all people and nations’.Footnote ³ Today’s system of human rights protection, however, is highly dependent on domestic legal institutions, which unravel faster than the reconstruction of fitting transnational governance institutions. The transnational protection of data privacy is a case in point, which required legal reforms in order not to fall into the cracks between different domestic legal systems. Furthermore, the transnational provision of artificial intelligence (AI) is going to have a bearing on the conditions of human freedom prompting calls for a human rights–based approach to AI governance.Footnote ⁴

Through the contribution in this volume it emerges that international trade law has successfully co-opted cross-border data flows as a desirable baseline for digital trade. This raises the question how the inclusion of the free flow of data in international trade law would affect the prospects for the transnational protection of human rights. As a stand-alone commitment, the free flow of data namely lacks any normative underpinning and only through the interplay with domestic legal frameworks do human rights become recognized.

In my contribution I argue that the inclusion of cross-border data flows as a new trade law discipline would be opportunistic in light of the morality to protect human rights online. International trade law, which has been criticized for the ‘economization of human rights’,Footnote ⁵ would subtly reinforce the transformative power of data flows leaving human rights enforcement to domestic institutions which in themselves have been found inferior to deal with the issues at hand. In other words, the opportunity structures offered by international trade law will not advance the construction of a global information civilization that is founded on the respect for human rights. Rather, multilevel economic governance should provide for constitutional pluralism and sufficient margin for experimentation with novel strategies to give effect to human rights in the online context.Footnote ⁶ I conclude with a plaidoyer for a new quid pro quo in digital trade in which the liberalization of cross-border data flows recognizes better the enhanced need for human rights accountability. This contribution intersects human rights law with international economic law, liberally borrowing from transnational legal theory and Internet governance literature. It advances its arguments through a combination of doctrinal and critical legal research with a certain predisposition to European legal thinking.

This chapter proceeds as follows: after the backdrop has been set, the following section takes a critical look at the construction of the data flow metaphor as a policy concept inside international trade law. The subsequent section explores how the respect for human rights ties in with national constitutionalism that becomes increasingly challenged by the transnational dynamic of digital era transactions. The last section turns to international trade law and why its ambitions to govern cross-border data flows will likely not advance efforts to generate respect for human rights. In the conclusion, the different arguments are linked together to advocate for a re-balancing act that recognizes human rights inside international trade law.

B Data Flow as a Policy Metaphor

Data is the building block of today’s digital economy. As a virtual unit data can represent any type of digital infrastructure, platform, or system, that undergird an infinite range of virtual goods, services, transactions and expressions. Digital supply and value chains are ultimately representations of data which are assembled to perform varying functionalities.Footnote ⁷ Besides data is exponentially generated from any human and machine activity, which in turn are a key input for machine learning and algorithmic decision-making. Everything that can be expressed in data is inherently liquid because it can be de-assembled, moved across space and re-assembled again.

In social theory ‘flow’, ‘fluidity’ or ‘liquidity’ are used as a metaphor to connote how circulation and velocity forge a new kind of information or network society.Footnote ⁸ According to Castells, contemporary society is constructed around flows: ‘flows of capital, flows of information, flows of technology, flows of organizational interaction, flows of images, sounds, and symbols. Flows are not just one element of the social organization: they are the expression of processes dominating our economic, political, and symbolic life’.Footnote ⁹ Sociologist Deborah Lupton, by contrast, criticizes that writers on digital technologies rely on liquid concepts when discussing the circulation of digital data.Footnote ¹⁰ For Lupton, ‘[t]he apparent liquidity of data, its tendency to flow freely, can also constitute its threatening aspect, its potential to create chaos and loss of control’.Footnote ¹¹ Lupton nevertheless resolves that such conceptions can help making sense of the phenomenon. It must be conceded that the recourse to the data flow metaphor should not divert from analyzing actors, the epistemology and affordances of concrete sociotechnical systems.Footnote ¹² Globalization researchers, however, consistently use the cross-border movement or flows of persons, capital, goods and services as a conceptual lens, which is currently complemented by data flows. It is precisely the circulation of data which underpins the processes that lead to the reconfiguration of the spatial organization of social relations and transactions that characterize globalization.Footnote ¹³ A 2016 report by the McKinsey Global Institute proclaimed that globalization had entered ‘a new era defined by data flows’.Footnote ¹⁴

A powerful coalition of international and intergovernmental organizations, including the G7 and the G20, the Organisation for Economic Cooperation and Development (OECD) and the World Economic Forum (WEF), among others, have intensified their work on promoting cross-border data flows as an international economic policy principle. For instance, following the initiative of Japan’s government on ‘Data Free Flow with Trust’, the 2019 G20 Osaka Leaders’ Declaration states:

While the statement correctly reflects the unabated tension between cross-border data flows and domestic legal frameworks, it falls short of identifying common strategies that would mitigate this tension and thereby forging trust in legitimate cross-border data flows. The endorsement of ‘Data Free Flow with Trust’ perfectly encapsulates the influential narrative of innovation, growth and development associated with cross-border data flow while leaving the intricacies of protecting human rights and societal values to domestic institutions that are themselves increasingly contested in an interdependent world. From the perspective of domestic public policy, the cross-border flow of data more fittingly compares to a maelstrom that potentially erodes constitutionally guaranteed rights and societal values.

C Human Rights Do Not Flow Easily across Borders

Adopted over seventy years ago, the Universal Declaration of Human Rights (UDHR) protects a canon of universal and indivisible human rights the interpretation of which evolves with the time.Footnote ¹⁶ Already twice the UN Human Rights Council has affirmed that human rights must be protected offline and online regardless of frontiers.Footnote ¹⁷ International human rights law is addressed to states which are bound to respect and uphold the obligations in their domestic legal system. Whereas international human rights law can take different levels of commitment from non-binding to binding, its enforcement overwhelmingly takes place at the domestic level.Footnote ¹⁸ ‘The multilevel human rights constitution’, as Ernst-Ulrich Petersmann explains, ‘remains embedded into national constitutionalism as protected by national and regional courts’.Footnote ¹⁹ Human rights thus wield universal protection from their geopolitically fragmentated implementation by states. This construction has largely been workable in an offline and static world where different jurisdictions could coexist by the intuitive demarcations of territoriality. In the age of digital interdependence, however, interferences with human rights frequently take a transnational dynamic. According to Julie Cohen, domestic protections for human rights that are built on outdated regulatory formations have begun to fail comprehensively.Footnote ²⁰ Different trends, such as the intermediation of human transactions by digital platforms, and strategies that would outsmart national legal frameworks have been held responsible for the sad state of affairs.Footnote ²¹ From the outset the Internet-mediated sphere has attracted much libertarianism and utopism,Footnote ²² but in hindsight too little concern about the impeding policy and regulatory challenges online.

D International Trade Law Laying Claim to Free Data Flows

The flow of data crucially undergirds the organization of international production, trade and investments into global value chains (GVC).Footnote ⁴² Activating international trade law for cross-border digital trade issues can be seen as ‘forum shopping in global governance’,Footnote ⁴³ where trade venues are traditionally more conducive to economic interests than for that matter the multi-stakeholder Internet governance fora.Footnote ⁴⁴ What is more, since trade rules on e-commerce could not advance under the auspices of the World Trade Organization (WTO), a number of countries have turned to preferential trade agreements instead, be they bilateral, regional or plurilateral.Footnote ⁴⁵

The United States has been the key force behind efforts to proliferate its digital trade agenda through international trade law, albeit with a mixed record.Footnote ⁴⁶ On the one hand, a new generation of mega-regional trade agreements that were negotiated between the United States and like-minded countries incorporate a new set of digital trade rules that introduce horizontal provisions on the free flow of data, such as the Comprehensive and Progressive Agreement for Trans-Pacific Partnership (CPTPP)Footnote ⁴⁷ and the United States–Mexico–Canada Agreement (USMCA).Footnote ⁴⁸ On the other hand, the liberalization of the cross-border flow of data has been controversial in negotiations for the EU–US Transatlantic Trade and Investment Partnership (TTIP) and for a multilateral Trade in Services Agreement (TiSA), which both stalled in 2017 over uncertainties over the stance of the incoming US administration under President Trump.

Repeated efforts to multilateralize digital trade rules through the WTO have not so far yielded tangible outcomes.Footnote ⁴⁹ Initiated in 1998, the WTO Work Programme on Electronic Commerce has stalled until in early 2019 seventy-six WTO members agreed to launch negotiations on trade-related aspects of electronic commerce.Footnote ⁵⁰ The resurrection of the e-commerce negotiations, however, takes place during a rather dire crisis of the multilateral forum of the WTO that has left its Appellate Body as a part of the dispute settlement system incapacitated.Footnote ⁵¹ The very capacity to adjudicate disputes, however, has oftentimes been referred to as the ‘jewel in the crown’ of the WTO that made it the centre of the rule-based international trading system. The timing of the negotiations seems to support Jane Kelsey’s argument that e-commerce has turned into a ‘proxy battleground for the future of the WTO’.Footnote ⁵²

Absent a broad international consensus in key areas of public interest regulation, already the General Agreement on Trade in Services (GATS)Footnote ⁵³ curtails a member’s regulatory autonomy by subjecting public interest regulation to certain trade-conforming conditions.Footnote ⁵⁴ The GATS preamble explicitly recognizes the right of a member state to regulate in order to pursue its national policy objectives.Footnote ⁵⁵ This right to regulate is however confined as follows: a member may adopt a measure that is from the outset not inconsistent with its GATS commitments or, in case of a GATS inconsistent measure, to justify the measure under one of the general exceptions.Footnote ⁵⁶ Even though the deregulation of services is not the objective of the GATS,Footnote ⁵⁷ a member’s behind-the-border regulations that aim to afford a high level of protection of human rights run the risk to be deemed protectionist under international trade rules. The EU’s regulatory framework on personal data protection makes for a well-researched example. We have concluded elsewhere that ‘unreservedly committing to free cross-border data flows likely collides with [the EU’s] approach of affording a high level of protection of personal data as is called for by Article 8 of the Charter and as implemented by the GDPR’.Footnote ⁵⁸

With eminent cross-border trade in AI, individual and societal implications can be critically larger and more pervasive.Footnote ⁵⁹ The circulation of AI raises the stakes for human rights–based governance given that the technology can be deployed fairly location-independent.Footnote ⁶⁰ Not only data and machine learning code can be moved across today’s digital ecosystem but the predictive outcomes of an AI system can be applied at a distance.Footnote ⁶¹ Societies have diverse set-ups of rights, freedoms and indeed also ethics. Take facial recognition systems, for example, which are the state policy in China but have prompted calls for strict regulation in Western democracies.Footnote ⁶² Chander rightly notes in this volume that transnational transplants of AI might prove problematic if they do not correspond to the social and legal contexts of the society it interacts with.

The prospect that the first binding framework for the international governance of AI might be international trade law can be frightening unless WTO members retain sufficient margin for experimentation with novel strategies to give effect to human rights in the cross-border context. Susan Aaronson points at the disconnection between efforts to promote the free flow of data and efforts to promote digital human rights at national and international levels.Footnote ⁶³ As trade agreements have gone beyond import tariffs and quotas into regulatory rules and harmonization, Kelsey has criticized that new e-commerce rules impose ‘significant constraints on the regulatory authority of governments, irrespective of their levels of development, and includes matters that belong more to Internet governance, than to trade’.Footnote ⁶⁴

E Conclusion

Everything is in flux. Cross-border data flows are pervasive and a defining characteristic of the age of digital interdependence. So far, our global information civilization is not founded on a shared commitment to protect human rights regardless of jurisdiction, citizenship and location of data. Engendering respect for human rights remains for the foreseeable future a paramount function of domestic legal institutions which must be reactive to respond to the challenges of cross-border data flows.Footnote ⁶⁵ We are also beginning to grasp that the challenges for the multi-level governance of human rights are not just about overlapping claims of authority and the transnational export of rules but go to the core of the conditions of human freedom and the democratic constitution of societies.Footnote ⁶⁶

International trade law is laying claim to the governance of cross-border digital trade and the liberalization of cross-border flow of data. From the domestic protection of data privacy and how data privacy rules may conflict with international trade law, we can draw lessons for the emerging multi-level governance of AI. With respect to AI governance, the EU’s fundamental rights approach holds unique value in an international context where the other major players, like the United States and China, move ahead without paying much attention to these underlying human values. It will be important to critically assess the impact of the WTO e-commerce negotiations on the human rights–based governance of AI before the ‘free trade leviathan’Footnote ⁶⁷ further restricts the policy choices not only of individual states but also of the EU itself.Footnote ⁶⁸

Where international trade rules prevail, they should provide for constitutional pluralism and a sufficient margin for domestic experimentation with novel strategies to give effect to human rights in the online context.Footnote ⁶⁹ This should not be construed as an argument in favour of a uniform interpretation or even a mandate for the positive harmonization of (digital) human rights through international (trade) law.Footnote ⁷⁰ Yet, trade law should not move ahead in setting the rules for cross-border trade in the era of big data and AI without recognizing the members’ responsibility to take appropriate measures that would ensure that artificial intelligence and overall data governance are fully accountable to domestic human rights frameworks. Identifying strategies and approaches that effectively ground individual interests and societal values in transnational algorithmic systems ought to strike a balance between the rule of law and innovation policy that crucially undergird a robust information civilization.