The Data Rights Control Shift

I discovered today that China is preparing a rather sweeping new data privacy law. I conjecture this may be part of a turning point in the global power shift of personal data from existing as a property asset under the control of organizations to existing under the principal authority of people, individually and as coordinated populations.

Here’s my reasoning.

I learned about this new Chinese law today from a Wall Street Journal podcast outlining a few key provisions and providing some analysis (podcast embedded here: https://www.wsj.com/articles/china-set-to-pass-one-of-the-worlds-strictest-data-privacy-laws-11629201927).

But what really caught my eye was the inclusion of rules akin to the California Consumer Privacy Act and EU GDPR style individual personal data controls. This jdsupra article does a good job summarizing those provisions of the new law: https://www.jdsupra.com/legalnews/china-s-gdpr-is-coming-are-you-ready-9091000/

The new Chinese law provides the basic set of personal data control rights, including the right to delete or correct the data, and perhaps most interestingly, also the right to access and copy the data.

Here is the relevant part of the jdsupra article on the data access section of the law:

“Data subject is also entitled to access and copy his/her personal information from a personal information controller under Article 45 of the PIPL. Where the data subject requests to access or copy his/her personal information, such information shall be provided in a timely manner. Such right is quite similar to the “right to access” under the GDPR and the CCPA….”

These data control rights are particularly relevant to work I’m doing now with consumer rights groups, industry, and other key players on an open technical protocol for consumers to exercise these types of legal rights to their personal data. This work on the open standard seemed especially timely in view of this new Chinese law. Not necessarily because the standard could be adopted in China per se, but more so because China adopting such a law may be what causes these personal data controls to become a world-wide basic right. Global enforceable rights supported and reflected by open interoperable technical standards could set the conditions for major evolutions.

These types of rights are not new, having first been introduced into laws such as the Privacy Act of 1974 (pertaining to the US Federal government data systems) the Fair Information Practices Act (pertaining to Massachusetts state government data systems), HIPAA (pertaining to patient records held by hospitals and other such covered entities), and a messy, irregular, gap-filled patchwork of other laws.

The advent of GDPR in the EU and the California Consumer Privacy Act were perhaps harbingers of a broader recent shift, the need and logic of which has become ever clearer in the aftermath of cascading revelations in recent years about personal data abuses across the economy and society. Crucially, this newer set of laws applies broadly to organizations across the private sector, and not only to healthcare, or financial records, or government databases, etc.

People of the future may look back on CCPA and GDPR as harbingers rather than the key turning point because as of today, in the United States and across the world, for most individuals these personal data controls remain impractical to use at best and totally unenforceable at worst.

This got me thinking further about the potential impacts of China now providing for these personal data controls as valid, explicit, and enforceable legal rights pertaining to individuals. Could China become the tide-turning example (or comparison?) that finally catalyzes the balance of US state capitols to at last adopt a common legal framework for personal data protection and control? Could this represent the beginning of a new global consensus enshrining these rights as a common expected foundation across states and regions?

Having a consistent international legal framework providing blackletter legal rights is necessary, but generally insufficient to bring about a global personal data power shift. However, one of these specific personal data rights, if available in a standard way at global scale, may provide the bridge needed for a transition to a new deal on data.

Certainly, all of the personal data control rights are important and proper, however, the right to access and possess a copy of one’s own personal data has a uniquely profound potential when it becomes common practice at large population scale. When individuals gain possession and control of copies of their personal data from all of the businesses, networks, and other systems where it is currently fractured then this new class of holistic individual data stores may become even more valuable and powerful than any of the current systems in which various parts of our data currently exist. Much has already been written about the fundamental value propositions and social good to be had if only people could participate in a “data trust” or have a “personal data vault” or be members of a “data union” and so on. I’m speculating that the convergence of emerging global legal and technical standards around a core set of key personal data control rights, particularly data access, may be the bridge needed to support such new models and modes.

Of course, there are still important missing pieces, such as widely available, simple and secure systems where people can easily collect, store, manage, and use all the personal data accessed from companies subject to these new laws. Nonetheless, a common legal infrastructure ensuring people have the right to gain access and collect their own data from wherever it currently resides is an initial foundation needed for individuals to make effective use of the many facets of their own data in a holistic manner and a big step toward gaining some parity with other entities in the new data economy.

This power shift will also be of significant and strategic benefit to businesses and other organizations that rely upon accurate and current personal data. When people themselves have the means and mechanisms for collecting and managing all the different types of data about them from the many different places it currently exists, that corpus of information will be more complete than any of the current options. Critically, situating the locus of control over such personal data with individuals will provide a stable, lawful, and long term means to legitimately access or gain insights from the data based upon actual agreement with the people who the data is about. The current practices by which organizations collect and use personal data are, by in large, seriously flawed and uncertain because as a society we have not yet evolved the terms of a new social compact with respect to exercising principal authority over such information. Moreover, once systems and processes form to provide a way for individuals at population scale to store and manage their personal data, new options for coordinated or collective actions, even large group negotiations, can happen. The new deal on data that can be anchored upon this type of power shift is needed for the economy and society to successfully complete the current transition to a digital, networked basis.

While the political, economic, cultural, and other differences are significant in the context of China, it is very good to see this set of personal data rights gaining traction as a common international norm. I think this global trend tends to further increase the immediate practical value and longer-term potential for being able to exercise these rights in a standard, interoperable manner. The advent of a more standard global legal and technical foundation for the exercise of personal data control rights can provide the predictable foundation upon which transformatively new business models and social constructs may emerge.

Connecting the dots back to my initial conjecture, it is such new business models and social contructs, fueled by individual data stores, that can be the means for a global power shift of personal data from existing as a property asset under the control of organizations to existing under the principal authority of people, individually and as coordinated populations.

Addenda on the New Chinese Privacy Law

A few hours after I posted the above, Reuters broke the story that China has indeed enacted the final version of this measure into binding law (see: https://www.reuters.com/world/china/china-passes-new-personal-data-privacy-law-take-effect-nov-1-2021-08-20). The best translation I’ve found thus far has been published by Stanford as part of a crowd-sourced legal translation effort (here: https://digichina.stanford.edu/news/translation-personal-information-protection-law-peoples-republic-china-draft-second-review).