Penn Undergraduate Law Journal
  • Home
  • About
    • Mission
    • Masthead
    • Faculty Advisory Board
    • Partner Journals
    • Sponsors
  • Submissions
  • Full Issues
  • The Roundtable
    • Pre-Law Corner
  • Events
  • Contact
    • Contact
    • Apply
    • FAQs
  • Home
  • About
    • Mission
    • Masthead
    • Faculty Advisory Board
    • Partner Journals
    • Sponsors
  • Submissions
  • Full Issues
  • The Roundtable
    • Pre-Law Corner
  • Events
  • Contact
    • Contact
    • Apply
    • FAQs

The Roundtable


Welcome to the Roundtable, a forum for incisive commentary and analysis
on cases and developments in law and the legal system.


INTERESTED IN wRITING FOR tHE rOUNDTABLE?

In the global cyber world of technology policy exists a global legislature

12/12/2020

0 Comments

 
Picture
By Joseph Squillaro
​

Joseph M. Squillaro is a member of the Class of 2022 at the University of Pennsylvania studying Philosophy, Politics and Economics (PPE) with a concentration in cyber policy and internet law.

In the past few years when visiting various websites, how many times have you encountered a salient prompt asking for you to accept “cookie” permissions or select which types of data the website is able to retain? I know I personally have seen more than I can count. Yet prior to 2018, you likely would not have seen any such prompt and that was because it simply was not required, at least not in the European Union. That all changed, however, when on May 25th 2018, the European Parliament implemented a sweeping set of cyber reforms collectively known as the European Union General Data Protection Regulation (GDPR). The GDPR revolutionized the ways in which tech companies can collect and store your data. From that day forward, companies were required to ask your permission to save information to their servers in the form of the aforementioned cookies. This included details such as your navigation history for personalizing results or your IP address to provide location specific content, among many other examples [1]. This policy, on balance, is a great boon for the liberty for all users of technology: to have control on who stores your data and what kind of information they collect. But a large number of users of technology, including myself, do not reside in the European Union, nor are a citizen of any EU country, yet the prompt and intention of the GDPR still applies. Why is this?
A Global NetworkTo answer this question, it is important to keep in mind the way the internet works. The internet, simply put, is a collection of files connected together that exist on servers around the world, likely including redundancy servers located in another part of the world. This means your data is decentralized and is difficult to pin down exactly “where” your information is located and hence, which jurisdiction it falls under [2]. But what can be held accountable are the tech companies themselves by holding them to a set of standards if they wish to continue to operate within a jurisdiction. This is precisely how the GDPR makes its way to you, for example an American, even though you are very far removed from any European country. For the company to operate in such a large and important market as the EU, take US-based Twitter for example, they implement the stringent standards of the GDPR as it is inefficient to tailor data collection strategies to different markets. More significantly, they can’t discern your location in the first place without consent. As a result of the GDPR, every user of that company’s service receives that prompt and gets to opt in or out. In essence, the EU legislated tech policy for the whole world, without other nations’ input, due to the global and indeterminate nature of digital data and the internet [3]. Obviously there have been exceptions to this, where some companies have gone out of their way to exclude millions of users just to avoid GDPR compliance.However, this issue requires a different perspective than what this article entails and will perhaps be discussed at length in a future post. Regardless, it is this type of policy-making phenomenon, in the scope of cyber policy, that I like to refer to as the “global legislature.”
A Global Legislature, Yes. But A Global Enforcer?Elementary-level civics has taught us that in most democracies, the legislatures create policy, but it is up to another system (the Executive branch in the U.S.) to enforce it. This means that if the enforcer chooses not to implement a policy, it is as if the policy does not have any weight. A similar dilemma exists with the scenario created by the GDPR and other similar cyber laws like it. While the company doing business itself in the EU may face punishment if they violate the GDPR due to the EU’s enforcement mechanism, the company likely will not face punishment in other jurisdictions like the U.S. because it is not policy there [4]. This means the sense of protection given to non-EU users is a false one and would not hold up in a U.S. court of law if Twitter, to use our last example, is found in violation of a GDPR-centric data collection limitation. So what does this mean for non-EU users like myself who use such services? It means we are not protected within the modern ideal of digital privacy unless your home country has passed similar GDPR-like laws that can be enforced and thus be used to hold companies that violate such trust accountable. The intention of the GDPR applies, but not its actual legal protective execution [5]. In short, the enforcers must be on the same page as the legislatures, even if it is a global one.
A (Data)Path ForwardAll hope is not lost for having confidence in the protection of our data, however. In the U.S. at least, laws are being formed to provide similarly stringent data protections. Ratified shortly after the GDPR, California enacted the California Consumer Privacy Act (CCPA) which sets forth a set of data rules that fit within more of a U.S.-based legal system but still provides much of the aforementioned protections [6]. While this again is not at the federal level, and hence will not affect (through enforcement) all Americans like those here in Philadelphia, it is a step in the right direction and perhaps a blueprint for federal policy to be mandated by Congress in the future. This would then be taken up by various federal enforcement agencies in the same way the EU does for its own citizens.
The new era of data privacy legislation occurring around the world is exciting not only for cyber policy analysts like myself, but also for everyday users of services like Twitter who can soon feel more at ease and more in control of their digital footprint. As technology and digital services become ever more prevalent in our lives, it is time for us users to press our local legislatures, rather than just relying on the intentions of the “global legislature,” to strength our digital rights. So the next time you come across a GDPR compliance prompt on a website asking for your permission to use your data, thank the global legislature for setting the groundwork and precedent for protecting your information. However, recognize that more must be done closer to home to feel central to making decisions on your digital footprint within the very decentralized nature of our digital future.
Bibliography
[1] Kamleitner, Bernadette. “Your Data Is My Data: A Framework for Addressing Interdependent Privacy Infringements.” American Marketing Association, 2019, https://journals.sagepub.com/doi/10.1177/0743915619858924. Accessed 5 12 2020.
[2] Niemela, Leo. “What Percentage of Your Software Vulnerabilities Have GDPR Implications?” HackerOne, 16 1 2018, https://www.hackerone.com/sites/default/files/2018-01/GDPR%20Implications-ebook.pdf. Accessed 5 12 2020.
[3] Schmitt, Judy, and Florian Stahl. “How the Proposed EU Data Protection Regulation Is Creating a Ripple Effect Worldwide.” IAPP Privacy, https://iapp.org/media/presentations/A12_EU_DP_Regulation_PPT.pdf. Accessed 5 12 2020.
[4] Fox, Chris. “Google hit with £44m GDPR fine over ads.” BBC, BBC, 21 1 2019, https://www.bbc.com/news/technology-46944696. Accessed 5 12 2020.
[5] Eickmeier, Frank. “What does the ePrivacy Regulation mean for the online industry?” ePrivacy, ePrivacy, 14 2 2018, https://www.eprivacy.eu/en/news/news-detail/article/what-does-the-eprivacy-regulation-mean-for-the-online-industry/. Accessed 5 12 2020.
[6] Lapowsky, Issie. “California Unanimously Passes Historic Privacy Bill.” WIRED, Wired, 28 6 2018, https://www.wired.com/story/california-unanimously-passes-historic-privacy-bill/. Accessed 5 12 2020.

The opinions and views expressed in this publication are the opinions of the designated authors and do not reflect the opinions or views of the Penn Undergraduate Law Journal, our staff, or our clients.


0 Comments

Your comment will be posted after it is approved.


Leave a Reply.


    Categories

    All
    Akshita Tiwary
    Alana Bess
    Alana Mattei
    Albert Manfredi
    Alexander Saeedy
    Alexandra Aaron
    Alexandra Kanan
    Alice Giannini
    Alicia Augustin
    Alicia Kysar
    Ally Kalishman
    Ally Margolis
    Alya Abbassian
    Anika Prakash
    Anna Schwartz
    Ashley Kim
    Astha Pandey
    Audrey Pan
    Benjamin Ng'aru
    Brónach Rafferty
    Bryce Klehm
    Cary Holley
    Christina Gunzenhauser
    Christine Mitchell
    Christopher Brown
    Clarissa Alvarez
    Cole Borlee
    Connor Gallagher
    Dan Spinelli
    Dan Zhang
    David Katz
    Davis Berlind
    Derek Willie
    Dhilan Lavu
    Edgar Palomino
    Edna Simbi
    Ella Sohn
    Emma Davies
    Esther Lee
    Evelyn Bond
    Filzah Belal
    Frank Geng
    Gabriel Maliha
    Georgia Ray
    Graham Reynolds
    Habib Olapade
    Hailie Goldsmith
    Haley Son
    Harshit Rai
    Henry Lininger
    Hetal Doshi
    Iris Zhang
    Irtaza Ali
    Isabela Baghdady
    Ishita Chakrabarty
    Jack Burgess
    Jessica "Lulu" Lipman
    Joe Anderson
    Jonathan Lahdo
    Jonathan Stahl
    Joseph Squillaro
    Justin Yang
    Kaitlyn Rentala
    Kanishka Bhukya
    Katie Kaufman
    Kelly Liang
    Keshav Sharma
    Ketaki Gujar
    Lauren Pak
    Lavi Ben Dor
    Libby Rozbruch
    Lindsey Li
    Luis Bravo
    Lyndsey Reeve
    Madeline Decker
    Maja Cvjetanovic
    Maliha Farrooz
    Marco DiLeonardo
    Margaret Lu
    Matthew Caulfield
    Michael Keshmiri
    Mina Nur Basmaci
    Muskan Mumtaz
    Natalie Peelish
    Natasha Darlington
    Natasha Kang
    Nayeon Kim
    Nicholas Parsons
    Nicholas Williams
    Nicole Greenstein
    Nihal Sahu
    Omar Khoury
    Owen Voutsinas Klose
    Owen Voutsinas-Klose
    Pheby Liu
    Rachel Bina
    Rachel Gu
    Rachel Pomerantz
    Rebecca Heilweil
    Regina Salmons
    Sajan Srivastava
    Sandeep Suresh
    Sanjay Dureseti
    Sarah Simon
    Saranya Das Sharma
    Saranya Sharma
    Sasha Bryski
    Saxon Bryant
    Sean Foley
    Sebastian Bates
    Serena Camici
    Shahana Banerjee
    Shannon Alvino
    Shiven Sharma
    Siddarth Sethi
    Sneha Parthasarathy
    Sneha Sharma
    Sophie Lovering
    Steven Jacobson
    Suaida Firoze
    Suprateek Neogi
    Takane Shoji
    Tanner Bowen
    Taryn MacKinney
    Thomas Cribbins
    Todd Costa
    Tyler Larkworthy
    Vatsal Patel
    Vikram Balasubramanian
    Vishwajeet Deshmukh
    Wajeeha Ahmad
    Yeonhwa Lee

    Archives

    March 2023
    January 2023
    December 2022
    November 2022
    September 2022
    June 2022
    March 2022
    February 2022
    January 2022
    December 2021
    November 2021
    May 2021
    April 2021
    March 2021
    February 2021
    January 2021
    December 2020
    November 2020
    October 2020
    July 2020
    June 2020
    May 2020
    April 2020
    March 2020
    February 2020
    December 2019
    November 2019
    October 2019
    September 2019
    August 2019
    July 2019
    May 2019
    April 2019
    March 2019
    January 2019
    December 2018
    November 2018
    October 2018
    September 2018
    August 2018
    July 2018
    June 2018
    May 2018
    April 2018
    March 2018
    February 2018
    December 2017
    November 2017
    October 2017
    August 2017
    July 2017
    May 2017
    April 2017
    March 2017
    February 2017
    January 2017
    December 2016
    November 2016
    October 2016
    September 2016
    August 2016
    July 2016
    June 2016
    April 2016
    March 2016
    February 2016
    December 2015
    November 2015
    October 2015
    September 2015
    August 2015
    July 2015
    June 2015
    May 2015
    April 2015
    March 2015
    February 2015
    November 2014
    October 2014
    August 2014
    July 2014
    June 2014
    May 2014
    April 2014
    March 2014
    December 2013
    November 2013
    October 2013
    September 2013

Picture
Picture
​