Q&A: Data-Protection Expert Emmanuel Pernot-Leplay

‘Each of These Laws Bears High Stakes for Global Economics, Politics and Our Daily Lives’

By Charles McDermid

Emmanuel Pernot-Leplay is making a career in the space where global privacy laws collide.

The 32-year-old from Paris graduated from law schools in France and China before earning a Ph.D. in comparative data-protection law at Shanghai Jiao Tong University, focusing on the U.S., China and the European Union. 

For the last two years, Pernot-Leplay has worked as a consultant at Deloitte Cyber Risk in Paris, advising clients on data-privacy compliance. This month, he starts a new position as a postdoctoral researcher in technology law at Tilburg University in the Netherlands.

“I first studied theories on the diffusion of laws and the movement of policies across jurisdictions to build the framework I use for comparing laws globally,” he said this week. 

“I apply it to data-protection law because it’s one of the few fields where legal scholars get to work in close connection with the most advanced and dynamic technological developments, and where each of these laws bears high stakes for global economics, politics and our daily lives.”

As Pernot-Leplay puts it, growing public pressure for better protection of personal data and the rapid inception of legal frameworks across the world have created a terra incognita for researchers in comparative law. 

Data-protection is approached very differently in the U.S., E.U. and China, he told Digital Privacy News, and it is increasingly important to understand the rationales behind those differences and their consequences.

In broad strokes, how does China’s legal framework for data-protection compare to the U.S.?

We often think of data-protection in China only through the angle of surveillance. This important question is well documented and discussed, but we tend to overlook the parallel increase of consumer privacy.

China improves its legal framework on consumer privacy at a very fast pace. While the U.S. started to regulate data-protection in the 1970s, the first significant Chinese rules on the matter appeared after 2010. 

Yet, in that short time span, the use of personal data in China has moved from being essentially unregulated to transplanting rules from the highly protective E.U. law.

A new data-protection law is on China’s legislative agenda and could be passed in 2021. It’s expected to be a comprehensive law that would regulate data-protection for the whole country, in the European Union manner, instead of having multiple sector-specific laws, in the U.S. manner. 

As a consequence, the old argument saying that more data-protection requirements for U.S. companies would give an unfair advantage to underregulated Chinese companies becomes increasingly difficult to hold.

Are there any laws in China that would block, “sunset” or dismantle the biosurveillance measures introduced to fight COVID-19 once the pandemic has passed?

Chinese laws on data-protection, such as the Cybersecurity Law, are relatively new and often vaguely worded.

Guidelines published in 2018 are more precise and offer more protection to individuals — sometimes more than in the U.S. — but they are not binding. 

The main problem in China is about enforcement of those rules: The country lacks a dedicated data-privacy authority that would have all powers to enforce the law — and penalties provided by law are too weak to be deterrent.

Can you speak a bit about China’s Cybersecurity Law and what, if any, legislation in it is comparable to the U.S.?

China’s Cybersecurity Law is broad and concerns cybersecurity issues beyond personal data. Data-privacy is only a chapter of the law, about 10 articles. 

The law is often vaguely worded and requires the publication of “specifications” (nonbinding guidelines) to give more meaning to its articles. Some of them, such as those on cross-border data transfers, are still at the drafting stage. 

Despite that, the law is still an improvement because data-privacy requirements are somewhat more comprehensive than in previous laws.

Moreover, its accompanying guidelines require even stronger data-protection, sometimes going in the GDPR (E.U.’s General Data Protection Regulation) direction.

In the U.S., data-privacy is sometimes regulated in a law, data-security in another law, and those are usually sector-specific.

As a result, data-protection provisions are scattered in many legal instruments, which is difficult to read and to update.

There are talks about enacting a federal law that would be the U.S. nationwide data-protection law, but that was before the pandemic.

What should the U.S. government learn from the debate in Asia, especially China, over public health versus data-privacy? 

In China, there is a strong data-protection dichotomy: while consumer privacy improves, surveillance of citizens strengthens. 

On the one hand, privacy protections rapidly increase in China, but on the other hand, the state has never collected more personal data from its citizens — and government access to that data remains less regulated than for companies. 

The pandemic is exacerbating this: The government has collected massive amounts of data, but people are now very aware of it, very worried about the data leaks that already happen — and, therefore, demand higher data-protection.

This dichotomy is strong in China but exists in the U.S. and the E.U. as well. 

Because the needs for privacy and surveillance-security both have legitimate grounds, the fundamental question is the balance between them and the risk taken for the future. 

The U.S. can look at those risks already materializing in Asia: collected data has leaked, and certain authorities are expanding health-tracking apps to go beyond their initial purpose.

We see that while using personal data responsively to improve public health should be possible, in real life there are still gaps, such as data-security and data-deletion, which could create future problems.

You wrote in April that the “U.S. data-protection law landscape is moving fast.” Do you still agree? 

It was moving fast following data-privacy scandals — like Equifax, Uber, Facebook-Cambridge Analytica — and the enactment of GDPR in Europe.

Many new state laws improving privacy were passed, the most famous being the CCPA (California Consumer Privacy Act). 

Much hope and attention was put on the Washington Privacy Act, which featured elements from the CCPA and even GDPR, but it failed to pass in March. Shortly after, the pandemic broke out in the U.S., which slowed any other legislative progress. 

Talks about a federal data privacy law also paused, although proposals were on the table.

However, interestingly, data-protection became an even more sensitive topic due to that pandemic and the weaponization of personal data against it.

Because of this, Republicans in the Senate proposed the COVID-19 Consumer Data Protection Act in May, and Democrats responded with the Public Health Emergency Privacy Act the same month, showing that the debates remain very much alive.

How will that U.S. landscape be shaped by the coronavirus pandemic, and also by laws in Asia, the E.U. and elsewhere? 

The COVID-19 pandemic will foster a data-protection dichotomy: individuals are more aware than ever about the risks of personal data processing, while authorities will want to have the option to tap into that data to make better decisions, whether about public health or other concerns. 

This antagonism, and the balance between both interests, will certainly shape future data-protection laws. The solutions will probably be different in the U.S., the E.U. and across Asia, further fragmenting the digital landscape.

What role or responsibility does the U.S. have in shaping global policy on data protection? 

As a tech pioneer and home of Silicon Valley, the U.S. has the potential to shape data-protection rules globally. Yet, this role is currently assumed by the E.U. 

Because the E.U. has a strong domestic market and high legal requirements, companies looking to enter the E.U. market will make the effort to comply with E.U. law.

Then, companies may find it convenient to apply those high E.U. requirements to their global operations — even outside of the E.U. — in order to be compliant elsewhere as well and to avoid fragmenting their compliance strategies, for economic and technical reasons.

This phenomenon is called the “Brussels Effect” by Prof. Anu Bradford of Columbia Law School and isn’t limited to data-protection.

How would you rate Washington’s progress on data-privacy legislation at this stage, especially in regard to Beijing?  

Countries looking to improve their data-protection legal framework will look at the E.U. model, because the U.S. framework is seen as complicated and providing low protection. 

China initially followed the U.S. way, but now wants to strengthen its framework and shows signs of E.U. influence in its new rules.

Today, the U.S. does not have a coherent model to propose against the E.U.’s.

To do that, it would need to enact a nationwide data-protection law that would clearly show the U.S. direction on data-protection.

Charles McDermid is a writer based in Asia.
