Earlier this year, India banned scores of Chinese-owned mobile apps, including TikTok, as the government cited complaints about breaches of user data privacy,  specifically alleging that these mobile apps were “stealing and surreptitiously transmitting users’ data in an unauthorized manner to servers outside India.” At the same time, other countries have indicated their own misgivings with this app and others owned by China, citing similar data security concerns. In the United States, two months after India announced its widespread ban, President Trump signed  twin Executive Orders that essentially banned both TikTok and WeChat, another Chinese-owned app. The orders alleged that both apps had the capacity to automatically capture and transmit “vast swaths” of “personal and proprietary information” about US users and visiting Chinese nationals to the Chinese Communist Party.

Despite the recency of these developments, these user data privacy concerns are not new. In 2018, the world faced an uncomfortable realization when Facebook CEO Mark Zuckerberg revealed, while testifying before the United States House of Representatives, the staggering amount of data that Facebook had not only collected from 87 million of its users, but had subsequently shared with third party Cambridge Analytica, a political consulting firm accused of using the data given it by Facebook to influence American voters. This scandal highlighted the potential consequences that could result from exploitation of online users’ data and made painfully obvious the lack of a comprehensive global standard for protecting and securing such information. In light of these concerns, it is critical to develop a comprehensive global standard specifically for ensuring online data privacy.

During the thirty-ninth United Nations Human Rights Council (UNHRC) session, the UNHRC reaffirmed that the right to privacy is a fundamental human right recognized in both the Universal Declaration of Human Rights and the International Covenant on Civil and Political Rights, among other regional and international instruments. The UNHRC further urged, in its report entitled “The Right to Privacy in a Digital Age,” that the right to online data privacy is a logical subset of this broader, fundamental right. The report stated that the “right to privacy is not limited to private, secluded spaces, such as the home of a person, but extends to public spaces and information that is publicly available.” The collection and use of user data inevitably raises privacy concerns, even when those users have opted to make the information collected public. Exploitation of mass user data can be used for nefarious means. When public data can be compiled and analyzed without limitation, a number of divisive practices – including government surveillance, targeted manipulation of human behavior, and user discrimination by advertisers – can become commonplace.

We live in a plugged-in world. Currently, estimates place the percentage of the world’s population that is online every single day to be over 50%. Research further predicts that over 90% of the world’s population aged 6 and above will likely be online by 2030. At the same time, the continuing advancement of technology and artificial intelligence means that tools for aggregating and analyzing user data are only going to become more sophisticated.

As we see from the growing number of countries concerned with TikTok and user data privacy as well as the patchwork efforts to secure that data, it is not enough to leave it to individual countries to address the growing possibility of personal data exploitation. If we truly consider user data privacy to be an international human right, it would be irresponsible to leave it up to States to address data privacy breaches as they see fit because standards will inevitably vary across States. Data privacy regulations cannot be left subject to each State’s respective lobbying powers to mold the privacy baseline.

As the Universal Rights Group has discussed, the creation of a common standard for protecting data privacy can serve as a baseline for States to work off. It can encourage both the development and “convergence of [State] data privacy regulations.” A common global standard can also bring relevant stakeholders together to collaborate so as to ensure robust protection of data privacy worldwide. Furthermore, an international standard could level “privacy protections offered by States” and provide for “uniform protection” for people in all countries.

The European Union’s General Data Protection Regulation (GDPR) can serve as an example as to what a global standard could look like. The GDPR protects the data privacy of EU users, regardless of the location of the company collecting the data or the data processing site. But even then, companies still fail to comply with regulations because many do not know precisely where user data is located. A global standard can start to address this “lost data” issue since companies will need infrastructure to reach a baseline level of data privacy if they wish to operate globally.

Like the tragedy of the commons dilemma in fighting climate change (where it is not enough for one or even a few countries to curb carbon emissions – every country needs to contribute in order for the effort to have an impact), protection of user data privacy faces a similar difficulty. Here, consumer data privacy is the scarce resource, and companies and States are politically and economically incentivized to exploit user data. In order to ensure that every individual’s data is protected, we must reach a critical mass of States signed on to protecting user data in their countries.

As indicated in the widespread use of TikTok, technology companies often span across borders. In order to ensure an adequate framework for protecting online user data privacy, the world needs a concerted global effort. Certainly, the creation of a more comprehensive international standard for cybersecurity and protection of user data is not the golden bullet to solve all data privacy concerns, but it opens dialogue for finding a solution.

---

Amy Zhan is a 2L at the Georgetown University Law Center, where she is a Staff Editor for the Georgetown Journal of International Law. She graduated from Harvard University in 2017, with a degree in Government and Economics. Prior to law school, Amy spent two years working as an internal consultant for Fidelity Investments in Boston. As a law student, she was a research assistant for Professors Gregory Klass and Kevin Tobia.