Data – the gold of the digital world, the oil of industry 4.0, and the basis for the business model of Google and Facebook. Data is irreplaceable for the business world of today’s modern times. With the adoption of GDPR, the European government has found data to be particularly worthy of protection and has focused on drawing in the attention of consumers to the importance of data protection … But is personal information treated just as sensitively beyond European borders, as it is in Germany? Where are the differences? We take a look at the understanding and importance of data protection in other countries, and show what this means for the population, amongst other things.

USA – Sector-specific data protection laws

In contrast to the general data protection regulation in Europe, data protection in the United States is regulated on a sector-specific basis. Companies in the USA are generally obliged to ensure the security of personal data and are subject to a reporting obligation in the event of data leaks. However, in the USA it is regulated in such a way that companies determine their own level of data protection. But where do these different approaches of handling data come from?

The protection of personal data in Europe is laid down in the Basic Law as a fundamental right to informational self-determination. In the United States, on the other hand, data protection is part of consumer protection law and is thus more part of economic life. Supervision under data protection law is in the hands of the Federal Trade Commission  – the issue of data protection is thus viewed from an economic perspective, and is seen less as a personal right.

The USA PATRIOT Act was passed after the terrorist attacks of September 11, 2001, and caused a stir beyond the country’s borders. Security authorities such as the NSA were allowed to access data stored on local servers without a court order in suspicious cases. Internet providers and cloud providers could also be obliged to release personal data. Under certain conditions, investigative authorities were also allowed to oblige companies to surrender data without even informing the persons concerned by means of a so-called National Security Letter.

With Edward Snowden’s revelations in 2013, the American population has become much more vigilant with regard to state surveillance. In June 2015, the then President Barack Obama signed the USA Freedom Act, which again restricted the powers of the investigating authorities.

The Cambridge Analytica scandal followed in 2016. The analysis company had gained unnoticed access to the data of 87 million Facebook users and fed Donald Trump’s presidential election campaign with it. Shortly after the announcement, the state of California drafted a strict law to protect user data, which is to come into force in January 2020. The so-called California Consumer Privacy Act is intended to enable consumers to find out which data is collected and used by which companies and how, and to demand that it be deleted if necessary. There is currently no nationwide law – but the USA has already taken big step towards the European standards of the GDPR.

China – total surveillance?

Since 2015, the coverage using surveillance cameras in the capital Beijing reached 100 percent, many of the devices work with facial recognition software. The citizens of the People’s Republic are monitored all around, 24/7.

In addition, a system is currently being set up to evaluate the behavior of the people in China. The social credit system’s purpose is to record and analyze not only payment morale but also criminal records, shopping habits and even political party loyalty. Kind of sounds like a bizarre socially critical science fiction series? However, a social credit system of this kind has been a reality in the coastal town of Rongcheng since 2014. The approximately 670,000 inhabitants have to show their score regularly to the authorities. If the number of points is not correct, a promotion at work or applying for a loan from the bank could be negatively affected. In Europe, such a social credit system would be illegal, as it would violate the principles of data protection and thus also the Basic Law.

In September 2019, the Chinese App Zao attracted international attention. Using artificial intelligence, the software enabled users to transfer their own faces to those of Hollywood stars in film scenes. When excerpts from Leonardo DiCaprio’s most famous films suddenly appeared on the Internet in which the face of a Zao user was deceptively realistically adapted to that of a Hollywood actor, the app went viral. However, concerns quickly arose regarding the terms of use. The users of the app ceded “completely free, irrevocable, perpetual, transferable and re-licensable rights” to the developers of the app. According to Zao, the controversial passages have been removed, but there is still concern that cybercriminals could use the generated content to outwit facial recognition software that, for example, gives access to bank accounts. The danger of false reports, which could be generated by deep fakes, is also growing as the technology develops.

Also Ant Financial, the subsidiary of the Alibaba trading platform, angered several Chinese citizens. With “Sesame Credit” Ant Financial introduced a service that checks the creditworthiness of users by evaluating their online activities. After users discovered that they had been included in the system by default without their consent, Alibaba apologized due to growing public pressure.

China is increasingly becoming a digital surveillance state. But the People’s Republic also has some laws on cybersecurity: On June 1, 2017, the Cybersecurity Law came into force. Among other things, the aim was network security and the strengthening of data protection. In 2018, the Chinese People’s Congress announced that a general data protection law was planned. The Cybersecurity Law and parts of the e-commerce law from 2018 are intended to provide a framework for the planned law on the protection of personal data. While the new law was being drafted, the Cyberspace Administration of China (CAC), the highest administrative Internet regulator, issued the Data Protection Regulatory Guideline in June 2019. It lays down rules for the collection and processing of customer data. The Guideline forms the foundation for the future orientation of nationally applicable law.

GDPR creates transparency

“With GDPR, not only is the confidence of users towards companies increasing, but also the confidence of the companies towards each other is as well. The processing of customer data is now uniformly regulated and offers more transparency in this area,” says Hornetsecurity’s CISO (Chief Information Security Officer) Olaf Petry about the law. “Data protection laws such as the DSGVO ensure uniform handling of sensitive information across borders.”

In addition to the advantages that the GDPR offers to companies and private individuals in Europe, countries outside the EU can also benefit from it. The GDPR is already a key model for further draft legislation.