Global Data Law

Datafication, Power, and Publics in India's National Digital Health Ecosystem

Photo of EEG reading

While evident for a long time, the COVID-19 pandemic starkly illustrated the need to strengthen India’s public healthcare system. But since 2017, the solution to India’s public health woes takes the shape of the National Digital Health Ecosystem (NDHE) – a digital system for the generation, use, and ‘frictionless’ circulation of health data across healthcare actors through the use of artefacts such as health IDs, electronic health records, data standards, and federated computing architectures. These artefacts are not neutral technological systems. Rather, together with social practices, they constitute a “data infrastructure”. Seeing the NDHE as a data infrastructure allows us to visibilise the regulatory effects of the NDHE, i.e., the ways in which the NDHE creates “communities of the affected” whose access to public health is now mediated by affordances granted by the NDHE. This, in turn, shapes law and regulation of the NDHE, where legal frameworks for (health) data protection are not weakened by accident, but weakened by design. At the same time, the regulatory effects of the NDHE can and should be regulated by law, by channeling law’s commitment to the creation of healthy public spheres to ensure the vitality of a democracy. Accordingly, this paper makes three contributions – one, it provides a brief overview of the political economy and the regulatory effects of the NDHE; two, it analyses the ways in which the regulatory effects of the NDHE shape legal frameworks for health data to disempower individuals and communities who are the generators of this data; and three, it outlines research and policy suggestions for how the law can intervene in limiting the exclusionary data-politics of the NDHE.

This paper originated in the seminar Global Data Law II: Ordering and Power. It will be published by the National Law School of India University’s Socio-Legal Review, Vol 20, Issue 1 (2024).

Zoning Data Flows

This article explores how China is developing a unique location-based data outbound deregulation regime to mitigate the negative effects of its initial security-driven regulations. A major move is repurposing free trade zones with data outbound negative lists. Using an infrastructural-thinking framework, this article examines the evolution of data outbound regulation in China, recent initiatives in the country's free trade zones, and the dynamics between local and central governments. China's data outbound practices are enabled and constrained by its global information and telecommunication (ICT) infrastructural connectivity and domestic distribution. Free trade zones become appealing deregulation testing grounds due to their overlap with critical ICT hub locations and their role as sites for policy experimentation. The ongoing pilot projects, through the interplay of law and infrastructure, present promising potential to channel China's data outbound activities into specific areas, thereby increasing their visibility, making them more amenable to regulation, and fostering both local and national economies.

Published in Tsinghua China Law Review Vol. 16 No. 2 (2024), pp. 191-223. This paper draws insights from Guarini Global Law & Tech’s Global Data Law Project and Institute for International Law and Justice’s Infrastructure as Regulation Project.

Confronting Data Inequality

Control over data conveys significant social, economic, and political power. Unequal control over data—a pervasive form of digital inequality—is a problem for economic development, human agency, and collective self-determination that needs to be addressed. This Article takes steps in this direction by analyzing the extent to which law facilitates unequal control over data and by suggesting ways in which legal interventions could lead to more equal control over data. We use the term "data inequality" to capture unequal control over data-not only in terms of having or not having data, but also in terms of having or not having the ''power to datafy" (i.e., deciding what becomes or does not become data). We argue that data inequality is a function of unequal control over the infrastructures that generate, shape, process, store, transfer, and use data. Existing law often regulates data as an object to be transferred, protected, shared, and exploited and is not always attuned to the salience of infrastructural control over data. While there are no easy solutions to the variegated causes and consequences of data inequality, we suggest that retaining flexibility to experiment with different approaches; reclaiming infrastructural control; systematically demanding enhanced transparency; pooling data and bargaining power; and developing differentiated and conditional access to data mechanisms may help in confronting data inequality more effectively going forward.

Published in Columbia Journal of Transnational Law, Volume 60, Issue 3 (2022), pp. 829-956. The paper was initially written as a background paper for the World Development Report 2021: Data for Better Lives. It draws on ideas developed in Guarini Global Law & Tech’s Global Data Law project.

The Digital Markets Act (DMA): A Procompetitive Recalibration of Data Relations?

Since its publication in December 2020, the European Commission’s regulatory proposal for a Digital Markets Act (DMA) continues to be the subject of sustained political and academic interest, particularly in the United States and Europe. Part of the “European strategy for data”, the DMA is designed to address “the most salient incidences of unfair practices and weak contestability” in the digital economy, responding to concerns about the data-derived dominance of U.S. technology companies operating in Europe. This paper aims to provide the first comprehensive legal analysis of the DMA’s recalibration of data relations in the European Union. Through an analysis of the data-specific obligations imposed on gatekeepers under the DMA and their interaction with existing laws and jurisprudence, this paper finds that the proposed access rights and limitations on the collection, combination and use of data give rise to significant ambiguities and could make “Big Tech” the winners of an act originally designed to tackle their dominance. This paper also finds that the DMA may recalibrate data relations in favor of Chinese tech companies wishing to strengthen their position in the EU against their U.S. competitors. Nevertheless, this paper will show that the adoption of the DMA will be a positive first step in the direction of recalibrating data relations in a way that – once teased out by future enforcement and caselaw – could allow for a more active contestation of digital markets, and a freer flow of data.

This paper originated in the Global Data Law course. It was published by the Illinois Journal of Law, Technology and Policy, Volume 2022, Issue 1 (pp. 101-154).

Governing Data Markets in China: From Competition Litigation and Government Regulation to Legislative Ordering

Data, the most valuable commodity of our age, fuels today’s digital economy. Who owns these data and the rights associated therewith is now an inescapable question and a central concern. Under the current societal backdrop of powerful internet platforms able to wield the increasingly important economic role of data for their own advantage, current legislative frameworks have failed to keep pace with technological progress.

There is of yet no comprehensive nor global legal framework of data property rights. In the People’s Republic of China (“PRC”), as in many other jurisdictions, domestic data ownership law remains unsettled. In this uncertain legal milieu, Chinese platform companies wage intense legal battles with each other and, in rare cases, with their service suppliers over control of user data. Paradoxically, China’s digital economy has boomed without the clear specification of data ownership. How has China managed the massive growth of its data markets and inter-company data disputes without any legal determinations as to who owns data?

This Article finds that the basic rules of Chinese data markets have developed through litigation between private companies under the precepts of anti-unfair competition law, by government mediation in high-profile cases between market-making entities, and by-means-of government regulation using existing and new legal and policy frameworks, including anti-monopoly law and other data-specific government policies on antitrust and cybersecurity. In addition, the Chinese central and local governments have enacted general legislation on key data issues and are refining their policy efforts via experimental pilot projects in various locales to further develop data markets.

The case studies in this Article reveal the present condition and the limitations of a legal regime in which the reality of data monetization precedes the legal issues of “ownership,” and illustrate the efforts taken by the Chinese government thus far. However, in its analysis of the Shenzhen legislative experiment, this Article offers a cautionary perspective on those reform efforts in the absence of a new comprehensive legal framework, by spotlighting the controversy within the Chinese academic and legal communities over issues of how ownership rights granted prematurely can introduce new challenges to the emerging questions of competition, innovation, knowledge, transparency, accountability, privacy, and the broader public interest.

Incremental development and experimentation, in the form of judicial rulings by the Chinese courts and state regulatory guidance as well as legislative actions that influence the evolution of existing law based on established principles of antitrust enforcement, IP regimes, and contracts, is a promising path to allay the concerns of premature legislation on data property rights—as any new legislation that upholds the status quo could run the risk of stifling both market innovation and competition.

Published in the George Mason International Law Journal, Vol. 13, Issue 1, pp. 1-27 (2022). The paper originated in Guarini Global Law & Tech’s Global Data Law course.

Potential Expropriation Claims Against Data Sharing Requirements

This paper explores potential expropriation claims against data sharing requirements. It finds that in formulating a viable claim of expropriation against mandatory data disclosures, the nature of the disclosure requirement matters. If the disclosure is likely to substantially affect the investor’s ability to benefit from the investment, it is likely to be considered an expropriation. As most data-driven businesses derive an economic benefit from their data through revenue and profit, it is likely an expropriation will be found where follow-on disclosure of data collected through a mandatory data disclosure regime to third parties substantially disrupts the investor from deriving revenue and profit from that data.

This paper was published as a commentary in the New York University Journal of International Law & Politics, Vol 54, Number 1 (Fall 2021), p. 249. The paper originated in the Global Data Law course.

The Evolution of European Data Law

This new chapter for the 3rd edition of Paul Craig and Gráinne de Búrca’s Evolution of EU Law conceptualizes European data law as an area of EU law that gravitates around but transcends data protection law. It traces the origins of the EU’s data protection law to national and international antecedents, stresses the significance of recognizing data protection and privacy in the EU’s Charter of Fundamental Rights, and explores the gradual institutionalization of data protection law through exceptionally independent data protection authorities, firmly embedded data protection officers, and emergent structures for supranational coordination. It then contrasts the EU law on personal data with the EU law on non-personal data and scrutinizes two other domains of European data law that intersect in complicated ways with data protection law: data ownership laws and access to data laws. European data protection law has been globally diffused through extraterritorial application, conditionalities for transfers of personal data, international agreements, and the “Brussels Effect” but whether the EU will retain its role as global data regulator is far from certain. As the European Commission is executing its data strategy, it needs to move beyond simplistic understandings of data as a resource, recognize the salience of data infrastructures, and confront the reality that data is more than a regulatory object.

The chapter draws on ideas from Guarini Global Law & Tech’s Global Data Law project.

Transparency as a First Step to Regulating Data Brokers

Over the past few years a number of legislative bodies have turned their focus to ‘data brokers.’ Data brokers hold huge amounts of data, both personally identifiable and otherwise, but attempts at data regulation have failed to bring them sufficiently out of the shadows. A few recent regulations, however, aim to increase transparency in this secretive industry. While transparency alone will not fully address concerns surrounding the data brokerage industry without additional actionable consumer rights, it is an important and necessary first step.

These bills present a new course for legislatures interested in protecting consumer privacy. The primary effect of these measures is to heighten transparency. The data brokerage industry lacks transparency because these companies do not have direct relationships with the consumers whose data they buy, package, analyze, and resell, and there is no opportunity for the consumer to opt out, correct, or even know of the data that is being sold. For companies regulated by the Fair Credit Reporting Act, such as traditional credit bureaus, customers have the right to request their personal data and request corrections if anything is wrong. But most collectors of data are not covered by the FCRA, and in those instances consumers often agree to click-wrapped Terms of Service provisions that include buried provisions allowing the collecting company to resell their data. Customers are left unaware that they have signed up to have their data sold, and with no assurances that that data is accurate.

Concerns with data brokers center on brokers’ relative opacity and the lack of public scrutiny over their activities. They control data from consumers with which they have no relationship, and in turn, consumers do not know which data brokers may have their data, or what they are doing with it. Standard Terms of Service contracts allow the original data collector to sell collected data to third parties, and allow those buyers to sell the data in turn, which creates a rapid cascade in which consumers, agreeing to the terms of service of one company, have allowed their personal data to proliferate to numerous companies of whose existence they may not even be aware. Proposed legislation would increase consumers’ access to information about how their data is being used, shining a light on the data brokerage industry and enabling consumers to limit the unfettered sharing of their data.

This paper was published by the NYU Journal of Legislation & Public Policy. Dillon took the first iteration of the Global Data Law course and worked subsequently as a Student Research Assistant in the Global Data Law project.