Global Data Governance

Part Two: Evolving Government Data Collection Practices

UPDATED: Sept. 15, 2021
PUBLISHED: June 26, 2020

In Part I of FP Analytics' Data Governance Power Map, we detailed global issues concerning private-sector collection and use of personal data, catalogued emerging regulatory responses and data privacy laws, and broke down critical comprehensive data privacy legislation and global regulatory trends. However, data governance as it pertains to governments themselves is quite distinct. In Part II of this series, we explore evolving government data collection practices, cataloguing key regulations that expand government data collection authority and illustrating how a multi-billion-dollar private surveillance industry is enhancing the sophistication of governments’ data collection across both the developed and developing world. Further, we explore how artificial intelligence (AI) is making government data collection more efficient and ubiquitous, and how the onset of COVID-19 is accelerating the adoption of AI and other digital technologies that facilitate data collection. The increased digitization of society and collection of sensitive personal data by governments and private companies amid the pandemic is exacerbating existing cybersecurity challenges and elevating the urgency of developing international norms for cyberspace.

Executive Summary

Data governance has long been the domain of corporate and organizational strategy, lending a competitive advantage to those able to optimize their data collection, organization, transfer, and discovery practices. With the increasing digitalization of organizations and economies, data governance—and clear establishment of data collection standards, storage, transfer and use protocols—is becoming an increasingly pressing and global issue.

While intellectual property and proprietary data have long been governed through strict legal frameworks, relatively scant protections have existed for user data and personal information. This lax regulatory environment for consumer data in particular has enabled the rise and dominance of global tech companies from Facebook and Google to Baidu and Tencent and has spurred a wave of privacy-focused regulation around the world.

In FP Analytics’ Global Data Governance Power Map series, we examine the emerging laws, regulations, and technologies that are both enabling greater data collection and impacting cross-border data flows. By cataloging the data localization laws, comprehensive national data regulations, government data collection, monitoring and surveillance technologies, and cybersecurity norms and standards shaping the global data governance landscape, we identify and analyze the wide-ranging impacts for individuals, companies, governments, multilaterals, and non-profits.

Emerging data regulations are fundamentally altering how organizations of all types operate internationally. Major data privacy frameworks developed by first movers are serving as templates for other national frameworks under development, many of which are being tweaked to suit prevailing governments’ domestic agendas. For example, the recent passage of the EU’s General Data Protection Regulation (GDPR) and China’s Cybersecurity Law—two of the most comprehensive packages of data privacy regulations—has already had cascading impacts on businesses and organizations in these markets and on their trading partners. In 2017, U.S. firms cited data localization policies as their number-one impediment to digital trade, and these types of protectionist measures are rapidly proliferating worldwide. And that is just the beginning.

Simultaneously, many national governments are crafting exemptions to their data privacy laws, empowering them to expand monitoring capabilities and build up massive data collection infrastructure. New digital technologies, such as artificial intelligence (AI), biometric monitoring and facial-recognition software, are making data collection increasingly efficient. The onset of the COVID-19 pandemic accelerated the adoption of these technologies as governments began rapidly deploying surveillance technology to enforce quarantines and track the spread of the coronavirus. This mass accumulation of sensitive data can have transformative impacts on societies but poses new cybersecurity and privacy risks as regulation struggles to match the pace of technological advancement.

FP Analytics’ Data Governance Power Map series breaks down key emerging trends in global data governance by:

  • Pinpointing emerging global data governance trends;
  • Cataloguing specific data localization and data privacy laws by country;
  • Mapping encryption policies around the world;
  • Charting the global sales of data collection and surveillance technology; and
  • Exploring cybersecurity and privacy risks and the implications for businesses and individuals.

FP Analytics provides the most comprehensive assessment and mapping of data localization and privacy laws to date, as well as one of the most complete assessments and mappings of government data collection and regulation trends around the world. It is a powerful tool for businesses and others seeking to understand how evolving global governance regimes are shaping our digital world.

Introduction

Unlike the increasingly restrictive data privacy laws applied to private consumer-facing companies, such as Alphabet (Google) and Baidu, governments largely benefit from a range of exceptions. At least 39 countries also have laws that allow governments notably more access to citizens’ and private companies’ data than private-sector actors can obtain. These expansive and increasing data collection capabilities carry wide-ranging implications for economic growth and social innovation in the digital age—from more efficient public works and smarter cities to breakthroughs in medicine and beyond. However, increased government access to data is also enabling widespread monitoring and surveillance capability—presenting myriad risks for privacy and civil liberties, with some tools being used for a range of political purposes, including the repression of minorities, silencing of opposition movements, and quelling of political dissent. While the harnessing and utilization of big data will undoubtedly drive future economic and social development, Part II of our Data Governance series focuses on the latter—issues that are exceptionally pressing given mounting concerns around privacy, policing, cybersecurity, and governments’ consolidation of power around the world.

Part 1

The Scope and Impacts of Government Data Collection

National governments are rapidly expanding their data collection capabilities, driven by a range of security concerns and policy objectives. Whether a national government sees international terrorism, domestic extremism, popular uprisings, or foreign powers as its primary threat (or threats), nearly all governments in the world are increasing their efforts to collect and access data by monitoring private citizens, gaining permission to use data collected by corporations, or gathering intelligence on foreign governments. The efforts are producing an integrated digital infrastructure enabling mass surveillance within and across borders.

Key Takeaways

  • The Issue

    Government data collection and monitoring capabilities are rapidly increasing beyond the scope of existing data privacy regulations. Government data collection laws differ throughout the world but generally allow governments to bypass data privacy laws, ultimately resulting in increased global data collection and expansion of monitoring infrastructure.

  • The Reaction

    To boost their data collection capacity, many governments are moving to limit or bypass encryption by establishing their legal authority to access encrypted data or end the practice completely. The weakening of encryption often occurs upon request of law enforcement and national security agencies, but it increasingly conflicts with governments’ cybersecurity objectives, putting companies’ and individuals’ sensitive data at risk.

  • What’s at Stake

    Since governments often include certain exclusions and exemptions in their own data privacy laws, companies and citizens are often unaware of the scope of data that is collected as well as how it is accessed and used within a country, carrying implications for other nations’ national security, companies’ competitiveness, and civil liberties.

The Breakdown
Global Government Data Collection Laws and Surveillance
Governments are seeking exemptions to domestic data privacy laws, and many are seeking to weaken or bypass encryption – one of the primary means of safeguarding sensitive data.
  • GRAPHIC 1: Global Government Data Collection Laws
  • GRAPHIC 2: Map of Global Encryption Policies

The range of legal and regulatory measures pertaining to data access, protection, and transfer within the country and beyond its borders creates the contours of a country’s data governance regime. For individuals and organizations to protect their data and effectively navigate the global data governance landscape, understanding the measures governing both private company and government data collection is critical. Governments’ collection of citizens’ data is certainly nothing new, but technological developments over the last few decades have dramatically increased the scope and scale of this collection. Growing reservoirs of data are strengthening governments’ ability to make more informed, efficient, and strategic decisions across the board. However, the extent of data collection remains largely unknown and inaccessible to the public, and the proliferation of novel technologies enabling governments to collect an array of data raises questions regarding which applications are, in fact, in the public’s interest. Notably, mass-scale data collection is enabling the development of widespread surveillance technology and the corresponding investment of foundational infrastructure to operate the technology by governments throughout the world. Many governments now deploy highly effective surveillance infrastructure, with attempts to access private company data growing, through either formal requests or legal pressure. Increasingly, national governments are establishing the legal authority that exempts their government data collection practices from general data privacy laws.

In the first half of 2020 alone, the U.S., along with other governments around the world, made 103,822 requests for user data from Google—an increase of over 20 percent from the first half of 2019. Over the same time period, Facebook had a total of 173,592 requests to access user data, and Twitter had 12,657, both representing the largest increases in requests between reporting periods since the data started being tracked. These increases mirror the overall trend of governments pushing to increase access to data held by private companies. Such access is enabled by legislation, notably China’s Cybersecurity Law. Early drafts of the law would have required companies to disclose source code for Chinese government review. However, after protests from the U.S. and other nations, this language was removed. The final version of the law contains modified, vague language granting the Chinese government the authority to access data held within its borders that it considers ‘relevant to national security.’ Further, the UK’s Investigatory Powers Act includes measures that weaken and circumvent the data protection practice of encryption, with other governments also pursuing means to access private company data held inside and outside their borders. If the country a company operates in weakens encryption standards through legislation, then operating within that country’s borders also puts the company’s data at heightened risk from outside attacks. When a government weakens encryption, companies that are conducting sensitive research, or holding valuable intellectual property, cannot guarantee that their data is secure from foreign governments while operating overseas. It also limits everyone’s ability to communicate privately.

Technological advancements, such as real-time location tracking, voice analysis, and facial recognition, significantly enhance governments’ capacity to monitor the communications of entire groups, companies, and nations on a mass scale, posing new challenges for operating within certain countries and given data governance regimes. Reforms to government data collection laws over the past two decades are granting increased government access to data, and they often circumvent new or existing privacy legislation. This trend is occurring in democratic countries with relatively strong checks and balances, as well as non-democratic and authoritarian systems, thus increasing risks of doing business and potentially having a corrosive impact on civil liberties in both. The proliferation of data localization laws chronicled in Part I of this series has contributed to these concerns over government access to private citizens’ data—particularly in autocratic states where free speech is routinely limited. Critics worry that restrictions on data flows will grant government officials access to massive datasets on their citizens, which can be combed through to target dissidents and religious or ethnic minorities. The correlated rise between governments’ drive and enhanced ability to access citizens’ data, and the increasing regulation of data flows, Internet speech, and big tech companies is amplifying both privacy and human rights concerns.

Graphic 1

Global Government Data Collection Laws

Government data collection is regulated by different laws than those for private companies. Seven major components found in government data collection laws are catalogued for thirty-eight of the world’s largest economies below.

DIG DEEPER: Explore FP Analytics’ Global Data Governance policy database that provides a comprehensive regional and country-level breakdown of global data governance practices in 138 countries worldwide.

Argentina

  • Intelligence services operate surveillance programs to protect national security
  • Data subjects have the right to court review surveillance measures taken by intelligence services
  • There are public cases of national intelligence services violating surveillance laws
  • Intelligence services can compel companies to provide access to data
  • Companies can challenge orders to provide personal data to law enforcement authorities

Australia

  • Intelligence services operate surveillance programs to protect national security
  • Data subjects have the right to court review surveillance measures taken by intelligence services
  • There are public cases of national intelligence services violating surveillance laws
  • Intelligence services can compel companies to provide access to data
  • Companies can challenge orders to provide personal data to law enforcement authorities

Austria

  • Data subjects have the right to court review surveillance measures taken by intelligence services
  • Intelligence services can compel companies to provide access to data
  • Companies can challenge orders to provide personal data to law enforcement authorities

Brazil

  • Intelligence services operate surveillance programs to protect national security
  • Data subjects have the right to court review surveillance measures taken by intelligence services
  • Intelligence services can compel companies to provide access to data
  • There are public cases of national intelligence services violating surveillance laws
  • Companies can challenge orders to provide personal data to law enforcement authorities

Canada

  • Intelligence services operate surveillance programs to protect national security
  • Intelligence services can compel companies to provide access to data
  • Companies can challenge orders to provide personal data to law enforcement authorities

Chile

  • Intelligence services can compel companies to provide access to data
  • Companies can challenge orders to provide personal data to law enforcement authorities

China

  • Intelligence services operate surveillance programs to protect national security
  • Intelligence services are authorized to conduct surveillance for economic purposes
  • Intelligence services can compel companies to provide access to data

Colombia

  • Intelligence services operate surveillance programs to protect national security
  • There are public cases of national intelligence services violating surveillance laws
  • Intelligence services can compel companies to provide access to data
  • Companies can challenge orders to provide personal data to law enforcement authorities

Czech Republic

  • Intelligence services operate surveillance programs to protect national security
  • Intelligence services are authorized to conduct surveillance for economic purposes
  • Data subjects are notified of surveillance by intelligence services
  • Intelligence services can compel companies to provide access to data

Denmark

  • Intelligence services operate surveillance programs to protect national security
  • Data subjects have the right to court review surveillance measures taken by intelligence services
  • Companies can challenge orders to provide personal data to law enforcement authorities
  • Intelligence services can compel companies to provide access to data

Finland

  • Intelligence services operate surveillance programs to protect national security
  • Data subjects are notified of surveillance by intelligence services
  • Data subjects have the right to court review surveillance measures taken by intelligence services
  • Intelligence services can compel companies to provide access to data
  • Companies can challenge orders to provide personal data to law enforcement authorities

France

  • Intelligence services operate surveillance programs to protect national security
  • Intelligence services are authorized to conduct surveillance for economic purposes
  • Data subjects have the right to court review surveillance measures taken by intelligence services
  • Intelligence services can compel companies to provide access to data
  • There are public cases of national intelligence services violating surveillance laws
  • Companies can challenge orders to provide personal data to law enforcement authorities

Germany

  • Intelligence services operate surveillance programs to protect national security
  • Intelligence services are authorized to conduct surveillance for economic purposes
  • Data subjects are notified of surveillance by intelligence services
  • Data subjects have the right to court review surveillance measures taken by intelligence services
  • There are public cases of national intelligence services violating surveillance laws
  • Intelligence services can compel companies to provide access to data

Hungary

  • Intelligence services operate surveillance programs to protect national security
  • There are public cases of national intelligence services violating surveillance laws
  • Intelligence services can compel companies to provide access to data
  • Companies can challenge orders to provide personal data to law enforcement authorities

India

  • Intelligence services operate surveillance programs to protect national security
  • Data subjects have the right to court review surveillance measures taken by intelligence services
  • Companies can challenge orders to provide personal data to law enforcement authorities
  • Intelligence services can compel companies to provide access to data
  • There are public cases of national intelligence services violating surveillance laws

Indonesia

  • Intelligence services operate surveillance programs to protect national security
  • Intelligence services are authorized to conduct surveillance for economic purposes
  • Data subjects have the right to court review surveillance measures taken by intelligence services
  • Intelligence services can compel companies to provide access to data

Ireland

  • Intelligence services operate surveillance programs to protect national security
  • Data subjects have the right to court review surveillance measures taken by intelligence services
  • Intelligence services can compel companies to provide access to data
  • There are public cases of national intelligence services violating surveillance laws

Israel

  • Intelligence services operate surveillance programs to protect national security
  • Data subjects have the right to court review surveillance measures taken by intelligence services
  • Companies can challenge orders to provide personal data to law enforcement authorities
  • Intelligence services can compel companies to provide access to data

Italy

  • Intelligence services operate surveillance programs to protect national security
  • Intelligence services are authorized to conduct surveillance for economic purposes
  • Intelligence services can compel companies to provide access to data

Japan

  • Intelligence services can compel companies to provide access to data
  • Companies can challenge orders to provide personal data to law enforcement authorities

Luxembourg

  • Intelligence services are authorized to conduct surveillance for economic purposes
  • There are public cases of national intelligence services violating surveillance laws
  • Intelligence services can compel companies to provide access to data
  • Companies can challenge orders to provide personal data to law enforcement authorities

Malaysia

  • Intelligence services can compel companies to provide access to data
  • Companies can challenge orders to provide personal data to law enforcement authorities

Mexico

  • Intelligence services operate surveillance programs to protect national security
  • Intelligence services are authorized to conduct surveillance for economic purposes
  • Data subjects have the right to court review surveillance measures taken by intelligence services
  • There are public cases of national intelligence services violating surveillance laws
  • Intelligence services can compel companies to provide access to data
  • Companies can challenge orders to provide personal data to law enforcement authorities

Norway

  • Intelligence services operate surveillance programs to protect national security
  • Data subjects have the right to court review surveillance measures taken by intelligence services
  • Intelligence services can compel companies to provide access to data
  • There are public cases of national intelligence services violating surveillance laws
  • Companies can challenge orders to provide personal data to law enforcement authorities

Paraguay

  • Intelligence services operate surveillance programs to protect national security
  • Intelligence services can compel companies to provide access to data

Peru

  • Intelligence services operate surveillance programs to protect national security
  • There are public cases of national intelligence services violating surveillance laws
  • Intelligence services can compel companies to provide access to data

Portugal

  • Data subjects are notified of surveillance by intelligence services
  • Data subjects have the right to court review surveillance measures taken by intelligence services
  • Companies can challenge orders to provide personal data to law enforcement authorities
  • Intelligence services can compel companies to provide access to data
  • There are public cases of national intelligence services violating surveillance laws

Russia

  • Companies can challenge orders to provide personal data to law enforcement authorities
  • Intelligence services are authorized to conduct surveillance for economic purposes
  • Data subjects have the right to court review surveillance measures taken by intelligence services
  • There are public cases of national intelligence services violating surveillance laws
  • Intelligence services can compel companies to provide access to data

Singapore

  • Intelligence services operate surveillance programs to protect national security
  • Intelligence services can compel companies to provide access to data

South Africa

  • Intelligence services operate surveillance programs to protect national security
  • Data subjects have the right to court review surveillance measures taken by intelligence services
  • There are public cases of national intelligence services violating surveillance laws
  • Intelligence services can compel companies to provide access to data
  • Companies can challenge orders to provide personal data to law enforcement authorities

South Korea

  • Intelligence services operate surveillance programs to protect national security
  • Intelligence services are authorized to conduct surveillance for economic purposes
  • Data subjects are notified of surveillance by intelligence services
  • Intelligence services can compel companies to provide access to data
  • There are public cases of national intelligence services violating surveillance laws

Spain

  • Intelligence services operate surveillance programs to protect national security
  • Intelligence services are authorized to conduct surveillance for economic purposes
  • There are public cases of national intelligence services violating surveillance laws
  • Companies can challenge orders to provide personal data to law enforcement authorities
  • Intelligence services can compel companies to provide access to data

Taiwan

  • Intelligence services can compel companies to provide access to data
  • Companies can challenge orders to provide personal data to law enforcement authorities

Thailand

  • Intelligence services operate surveillance programs to protect national security
  • Intelligence services are authorized to conduct surveillance for economic purposes
  • Data subjects have the right to court review surveillance measures taken by intelligence services
  • Intelligence services can compel companies to provide access to data
  • Companies can challenge orders to provide personal data to law enforcement authorities

Turkey

  • Intelligence services operate surveillance programs to protect national security
  • Data subjects have the right to court review surveillance measures taken by intelligence services
  • Companies can challenge orders to provide personal data to law enforcement authorities
  • Intelligence services can compel companies to provide access to data

United Kingdom

  • Intelligence services operate surveillance programs to protect national security
  • Data subjects have the right to court review surveillance measures taken by intelligence services
  • Intelligence services can compel companies to provide access to data
  • There are public cases of national intelligence services violating surveillance laws

United States

  • Intelligence services operate surveillance programs to protect national security
  • Data subjects have the right to court review surveillance measures taken by intelligence services
  • Companies can challenge orders to provide personal data to law enforcement authorities
  • Intelligence services can compel companies to provide access to data
  • There are public cases of national intelligence services violating surveillance laws

Vietnam

  • Intelligence services operate surveillance programs to protect national security
  • Intelligence services are authorized to conduct surveillance for economic purposes
  • Intelligence services can compel companies to provide access to data

SOURCE: Baker McKenzie – Global Surveillance Law Comparison

Increasing Government Access to Data Through Weakening and Bypassing Encryption

A wave of legislation to bypass encryption could radically enhance governments’ access to user data. Defined simply, encryption is a commonly used method of encoding communications (or information or data) so that only the intended recipient can read or understand them. Encryption can be used to secure data stored on devices, to send data between devices (known as “end-to-end encryption”), or to store data remotely. It is essential to securing banking and e-commerce transactions and to preventing unauthorized access to companies’ proprietary data and intellectual property. For most businesses and individuals, the use of encryption is the cheapest and easiest means of securing data and is commonly used for personal data storage and on messaging applications such as WhatsApp. However, government concerns over malevolent and criminal activity may diminish or dismantle these key protections. Several national governments are establishing legal workarounds with potentially harmful, unintended consequences.

Efforts to end encryption have been steadily mounting over time. In 1993, Colombia banned mobile communications encryption, and in 2011, Pakistan prohibited all Internet service providers and mobile phone companies from allowing users to send encrypted information. Twenty-five countries have already enacted measures that weaken encryption standards. China, Russia, and Australia have all effectively banned encryption by mandating government backdoors to encrypted communications, while Pakistan has banned encryption outright.4 In 2016, Russia passed the Yarovaya Law, an anti-terrorism measure mandating that Internet firms provide backdoor access to encrypted communications for the FSB (the Russian intelligence agency and successor to the KGB). In 2019, China passed a similar encryption law (the Cryptography Law of the People’s Republic of China), which places further restrictions on encryption in addition to the mandated government access to encrypted data that already existed under the Cybersecurity Law. This trend is also reflected in Western countries, with measures in the UK’s 2016 Investigatory Powers Act and Australia’s 2018 Assistance and Access Act already in place to weaken encryption standards by mandating government backdoors. The U.S. is seeking to enact similar legislation with the EARN IT Act of 2020, which was under debate in Congress as of June 2020.

While defense interests are largely advancing these measures in the interest of national security, weakening or dismantling the ability to encrypt messages and stored data carries broad implications for businesses, organizations, and individuals by potentially exposing sensitive data to bad actors, thus enabling surveillance or infringement of civil liberties. It also raises cybersecurity concerns. Apple has repeatedly clashed with the U.S. government over requests to install backdoors into its iPhones to facilitate federal investigations, warning that technology cannot differentiate between governments and hackers and that such backdoors will invite cyberattacks. In China, government encryption regulation has had a mixed impact. The 2019 encryption law restricted encryption on critical information infrastructure while also liberalizing commercial encryption and the sale of foreign encryption technology in China. However, the Chinese government’s extensive restrictions on website encryption enacted in 2020 left sensitive websites created by the People’s Liberation Army (PLA), government ministries, hospitals, and airlines vulnerable to cyberattacks. Despite these cybersecurity concerns, exceptions allowing governments to bypass encryption remain the norm. As the map below shows, there are currently no countries that support the general right to encryption without any additional restrictions or ways for governments to access encrypted data.

Graphic 2

Map of Global Encryption Policies

Encryption Levels

  • General right to encryption
  • Mandatory minimum or maximum encryption strength
  • Licensing/registration requirements
  • Import/export controls
  • Obligations on providers to assist authorities
  • Obligations on individuals to assist authorities
  • Other restrictions
SOURCE: Global Partners Digital – World Map of Encryption Policies

DIG DEEPER: Explore FP Analytics’ Global Data Governance policy database that provides a comprehensive regional and country-level breakdown of global data governance practices in 138 countries worldwide.

Part 2

The Role of the Private Sector in Government Data Collection and Surveillance

Governments’ exceptions to data privacy laws are further enabled by a well-established, but relatively unknown, surveillance industry in the U.S., the UK, France, Germany, and Israel that is exporting data collection technology, which can be used to enable surveillance in the rest of the world. Sophisticated data collection software and equipment developed by private companies and sold to governments (foreign and domestic) is enabling officials to circumvent data privacy laws that apply to companies and other groups. The utilization of these services is effectively allowing governments unregulated access to data beyond what private companies are permitted to collect.

Key Takeaways

  • The Issue

    Global mass surveillance infrastructure is enabled by an opaque multi-billion-dollar surveillance industry that supplies surveillance technology platforms to governments around the world. Eighty-seven percent of the industry’s companies are based in OECD countries. While there is a market globally, the technology is predominantly sold to governments in the developing world, with the Middle East and Africa being the largest importing regions.

  • The Reaction

    The private surveillance industry can sidestep data privacy regulations by selling underlying surveillance technologies directly to governments. By not operating the technology and merely selling the tools, these companies are not subjected to the data privacy laws that apply to companies such as Google and Baidu. This industry is largely self-regulated, with minimal restrictions such as those imposed by sanctions or trade controls.

  • What’s at Stake

    The unregulated sale of data collection technologies to governments of developing countries has been used to strengthen existing autocratic regimes in Africa, the Middle East, and Southeast Asia, while simultaneously boosting data collection capabilities elsewhere around the world. Notably, this industry is a key contributor to the rapid improvement in data collection capabilities throughout the developing world.

The Breakdown
The Private Surveillance Industry Drives the Global Increase in Government Data Access
The multibillion-dollar private surveillance industry is playing a major role in the global build-up of governments’ data collection and monitoring capabilities.
  • GRAPHIC 3: Types of Surveillance Technology
  • GRAPHIC 4: Number of Monitoring and Surveillance Companies Created Each Year
  • GRAPHIC 5: Global Monitoring and Surveillance Technology Sales

In the 1970s, more developed nations generally held an edge in their data collection and surveillance capabilities, due to their increased technological capabilities. However, in the decades since then, this gap has been rapidly shrinking. Today, most nations possess similar data collection and monitoring capabilities, thanks to a multi-billion-dollar private industry that sells data collection and surveillance technology to governments all around the world. These technologies are developed in a handful of developed countries—predominantly the U.S., the UK, France, Germany, and Israel (and, more recently, China and Japan)—and exported to the developing world, with the Middle East and Africa being the largest importing regions, as noted above. Throughout the Cold War, these industries developed and sold prevailing data collection technology, such as wiretaps and audio-monitoring equipment, but are now harnessing location and Internet monitoring, biometric tracking, and other sophisticated data analysis tools. The industry remains largely opaque, but some key events have given new insight into the industry.

In December of 2010, as the Arab Spring swept across North Africa and the Middle East, the public became aware of the data collection and surveillance infrastructure being used by regimes within the region. Governments across the region were using a wide array of sophisticated data collection tools to monitor their populations, including Internet- and phone-monitoring technologies—many of which were developed and manufactured by private European and U.S. firms. In some cases, governments repurposed the technology they had purchased. This was the case with McAfee software, which is sold as an Internet security platform in the U.S. but was used for mass Internet censorship in the United Arab Emirates. These platforms have been connected to incidents of human rights abuses and political oppression, including individuals having their personal communications read to them while being tortured in Bahrain and opposition activists’ communications infiltrated and monitored in Ecuador. Such incidents are not limited to a few developing countries. In 2013, the whistleblower Edward Snowden leaked documents detailing the extent of surveillance activities of the U.S. and allies, revealing the widespread use of this type of data collection infrastructure for mass surveillance.

Graphic 3

Types of Monitoring and Surveillance Technology

The private surveillance industry is responsible for manufacturing and selling a range of data collection and monitoring technologies that are in use around us every day.

Types of Surveillance Technology
Audio Surveillance

Can range from simple uses such as recording and transmitting audio, to more sophisticated techniques such as comparing voice samples to identify speakers. For example, militaries worldwide have deployed acoustic vector systems developed by Microflown Technologies that can pinpoint the sound of a gunshot or a drone, or pick out and record one specific conversation in a crowd.

Video Surveillance

When combined with artificial intelligence technology, cameras can employ facial recognition and can be used to track citizens in real time. In Nairobi, a Huawei smart city system deploys 1,800 HD cameras and 200 HD traffic surveillance systems.

Phone Monitoring

Phone monitoring can be used to listen in on conversations in real time, as well as track the location of the caller. Phone monitoring technology developed by the Israeli company the NSO Group was infamously used by the Saudi government to monitor the recordings of slain journalist Jamal Khashoggi.

Location Monitoring

Location can be monitored through cellphone and Bluetooth signals and from GPS devices. Location monitoring is being used extensively by governments during the COVID-19 pandemic. The location data sent from cellphones is currently in use for contact-tracing apps, enforcing quarantines, data analytics to track people’s movement patterns, and hot-spot mapping, which uses location data to send public health warnings to people in areas with higher risks of infection.

Internet Monitoring

Gathers information from ISPs. Internet monitoring is popular for both governments and private-sector actors. For example, the company Veriato makes Internet monitoring equipment that can be used to track employees’ online activity within large companies.

Monitoring Center, Forensics & Analysis
Monitoring Center

Combines surveillance technologies into one integrated suite. For example, in 2014, Colombia launched its “Platform for Unified Monitoring and Analysis,” a monitoring center that allows authorities to monitor both telecommunications and IP traffic in one place, enabling them to actively monitor a total of 20,000 means of telecommunications.

Forensics & Analysis

Can extract and visualize device data when attached to an external device. This technology is usually sold in software packages that allow large data sets to be analyzed for patterns and relationships. In 2018, the FBI used forensic analysis of log data from servers and other networking tools to determine that an Apple engineer, Xiaolang Zhang, was stealing trade secrets. The data forensics and analysis software enabled the FBI to build a case, and Xiaolang Zhang was convicted of theft.

Intrusion

Remotely installed on devices to extract data or control functions, the most common form of intrusion technology is commercial spyware. NSO’s Pegasus, for example, allows an operator to surreptitiously activate a target’s phone camera and microphone, turning the device into a ready-to-deploy monitoring and recording device.

Biometrics

Identifies individuals based on physiological or behavioral characteristics. The most common use of biometric software is facial recognition. For example, CLEAR uses iris and fingerprint data to identify airline passengers, allowing them to pass through airport security checkpoints.

Counter-surveillance

Technology to detect and counter surveillance measures. This can come in the form of installable software or services that physically sweep locations to monitor for bugs. For example, the company TSCM America conducts comprehensive sweeps of C-suite meeting rooms and government offices to detect potential telecommunications bugging, cellular-based bugging, concealed video cameras, or audio devices.

Equipment

Vehicles in which surveillance technology can be installed, usually used to closely monitor specific surveillance targets and not general populations. Since 2001, drones have been one of the preferred forms of government surveillance equipment. The U.S. government uses drone surveillance to enforce the U.S.-Mexico border, but as of 2018 drones had led to only 0.5 percent of border apprehensions, at a cost of $32,000 per arrest.

SOURCE: Privacy International – The Global Surveillance Industry

Graphic 4

Number of Monitoring and Surveillance Companies Created Each Year

Since the late 1970s, there has been uneven, yet significant, growth in the number of private surveillance companies created each year.

SOURCE: Privacy International – The Global Surveillance Industry

How Loose Regulation and Lack of Transparency Benefit the Global Surveillance Industry

The full extent to which national governments and the private surveillance industry collaborate is impossible to quantify, given governments’ lack of disclosure. However, data on the sales and exports of data collection and surveillance technology provides some insight. Most recent data show a total of 528 different companies currently in operation across 47 different countries. There are public records of 2,136 individual surveillance equipment sales by these companies to 130 importing countries. The region with the highest number of known imports was North Africa and the Middle East, with 152, but other countries outside of those regions also had significant imports, with the largest being Mexico (a total of twenty-eight recorded sales). These companies are overwhelmingly based in developed economies, with 87 percent based in Organization for Economic Co-operation and Development (OECD) states. Of the 528 companies, 75 percent have their headquarters within North Atlantic Treaty Organization (NATO) states. Conversely, the countries importing the largest volume of technologies are all in the developing world. Overall, government data collection capability is outpacing privacy legislation, to which most governments have crafted exemptions, and is empowering states across all regimes to build up massive data collection infrastructure.

This growth in data collection and surveillance capabilities is going largely unregulated, with the private surveillance industry largely avoiding regulation and public disclosure by transacting directly with governments. To date, a handful of EU states have attempted to rein in this industry through sanctions, trade controls, and legal amendments. In 2012, for example, the EU embargoed the transfer of surveillance technologies as part of “restrictive measures” against Syria and Iran. In October of 2020, German authorities raided the offices of FinFisher, a German surveillance tech company, after the company’s software was found on devices owned by journalists and dissidents in Bahrain and Turkey—countries to which Germany restricted exports of surveillance tools. The following month, the EU passed a new regulation requiring member state governments to publicly disclose the sale and buyers of surveillance and dual-use technologies (technologies that have military applications). In response to reports on China’s expansive domestic surveillance system, the U.S. implemented restrictions on trade of dual-use technologies, including surveillance tech, between China and the U.S. In 2020, the U.S. Department of State issued voluntary guidelines for U.S. surveillance technology companies on the human rights implications of their exports. Internationally, the most significant effort to restrict the export of surveillance technology is the Wassenaar Agreement, which includes 42 signatories and coordinates export controls on arms and dual-use technologies. In 2013, the agreement was updated to include digital surveillance tools. While these regulatory efforts are slowly gaining traction, they have not significantly slowed the spread of data collection and surveillance equipment throughout the developing world.

Graphic 5

Global Monitoring and Surveillance Technology Sales

Data collection and monitoring technology has predominantly originated from the U.S., the EU, and Israel and has been sold to governments across North Africa and the Middle East. Some of the largest exporters and importers of these technologies are below.*

*Data compiled from publicly available reports on sales as of 2016–2017. Total quantity of sales remains unknown as most information on this industry is not made public.

Chart panels: Imports (number of purchases) and Exports (sales in billions of dollars).

SOURCE: Privacy International – The Global Surveillance Industry
Part 3

Future Data Governance Challenges: Emerging Technologies, COVID-19, and Cybersecurity

As data collection technologies continue to evolve, artificial intelligence (AI) technologies are making data collection and processing exponentially more effective while enabling the collection of new types of data through facial recognition software, geo-locating applications and sensors, and predictive algorithms. These technologies are revolutionizing the way, and the degree to which, governments and private companies can access data. The onset of the COVID-19 pandemic pushed more people than ever online and spurred a global movement for governments to begin collecting sensitive health data to mitigate the pandemic. The massive increase in online activity accelerated several existing trends, including the adoption of AI technologies, more devices connecting to the Internet-of-Things (IoT), and the proliferation of cyberattacks. Driven by both new technological abilities and the imperative of stopping the pandemic, the collection of sensitive, personal data by governments and private companies has outpaced the implementation of regulatory and security safeguards. The increasing effectiveness of data collection, and the amount of sensitive data that has now become accessible, are creating new vulnerabilities as foreign governments and non-state actors can breach and misuse this data for malign and criminal purposes. National governments have begun to take steps to address these concerns through regulatory actions, launching national cyber strategies, integrating cybersecurity into existing regulation, and participating in international cybersecurity agreements. Private-sector firms and civil society organizations have also proposed norms and frameworks for responsible behavior in cyberspace, but there are wide-ranging disagreements among the relevant governments and organizations as to which rules to adopt. 
Despite these efforts, regulation on both cybersecurity and new technologies is still in its infancy, and governments’ decisions on how to regulate these emerging challenges will be critical in determining the future of international data governance.

Key Takeaways

  • The Issue

    Artificial intelligence (AI) technology is making global surveillance technologies significantly more effective. Chinese and U.S. companies lead the world in exporting global AI surveillance technology, including facial recognition, predictive policing, and sensors enabling 24/7 monitoring of digital and physical infrastructure as public spaces, which are currently in use across seventy-five countries.

  • The Reaction

    The COVID-19 pandemic has accelerated the digitization of societies, bringing more devices and individuals online and increasing cybervulnerabilities. Widespread lockdowns and the transition to remote working pushed more people and devices online, particularly within developed economies. The increase in online presence has correlated with more prevalent cyberattacks, motivating governments to accelerate cybersecurity regulation initiatives.

  • What’s at Stake

    The use of digital and AI technologies to help tackle COVID-19 expanded national governments’ access to sensitive biometric and location data as private citizens adopted new technologies such as contact-tracing applications. The forced transition of individuals and companies to a virtual environment is creating a critical need for governments to enforce regulatory oversight and implement robust safeguards to limit access to sensitive data and mitigate cybersecurity risks.

The Breakdown
AI’s Role in Augmenting Global Government Data Collection
AI’s Role in Augmenting New Technologies and Global Government Data Collection
Artificial intelligence and the spread of COVID-19 are accelerating government data collection capabilities, making them both more effective and widespread.
  • GRAPHIC 6: Global Sales of AI Surveillance Technology
  • GRAPHIC 7: Industry Leaders in Global AI Surveillance Technology Sales
  • GRAPHIC 8: Increase in Internet Activity and Cyberattacks During COVID-19
  • GRAPHIC 9: International Initiatives on Cybersecurity Governance

The private surveillance industry has largely contributed to the spread of sophisticated data collection technology, and the recent application of AI-driven technology to data collection technologies is making them significantly more efficient and effective. These powerful technologies are currently being adopted across industry and government, from stock exchanges to smart energy metering. However, a growing number of states are deploying advanced AI data collection tools to boost surveillance efforts and to monitor, track, and surveil citizens to accomplish a range of policy and political objectives. The COVID-19 pandemic led to a surge in the adoption of AI across both the public and private sector as governments leveraged AI technology to fight the pandemic and businesses shifted much of their product and service offerings online.

Even before the onset of COVID-19, AI was used for a wide range of data collection, monitoring, and analysis activities, and three main types of comprehensive data collection and surveillance systems are quickly proliferating around the world: “smart city” platforms, facial recognition, and predictive policing. “Smart city” platforms are among the most common. In addition to improving resource allocation, reducing traffic congestion, and boosting energy efficiency, these systems are also drastically increasing surveillance capabilities in urban spaces. Facial recognition systems use an interconnected web of cameras and sensors to actively monitor activity across cities and compile citizens’ images into a database, thus enabling officials to use it to identify and locate citizens through facial images. Smart policing systems use predictive algorithms to calculate where crime is most likely to occur and then concentrate a greater number of law enforcement officers in those areas. At least 75 countries have been documented using one or more of these AI systems, with 56 countries deploying “smart city” platforms, 64 countries using facial recognition, and 52 countries using predictive policing.

Like technologies supplied through the private surveillance industry, AI-driven monitoring technology is primarily produced in a handful of countries and then exported to the rest of the world. China is the world’s largest supplier of AI data collection and surveillance technology. AI-monitoring technology linked to Chinese companies is in at least 63 countries worldwide, with Huawei alone responsible for providing AI-based surveillance technology to at least fifty countries. The next largest non-Chinese supplier of AI surveillance technology is Japan’s NEC Corporation, whose technology is present in 14 countries. France, Germany, Japan, and the United States are major exporters of AI technology in this sector as well. U.S.-based companies are the second-largest providers. AI data collection and surveillance technology developed in the U.S. is present in 32 countries. While it offers some resource and public benefits, the rapid proliferation of this technology and its use in citizen surveillance and monitoring is also enabling ethnic and racial profiling, including the well-documented utilization of AI-surveillance technology by Chinese authorities to profile and track the ethnic minority Uighurs in Xinjiang. These powerful tools are also imperfect; they have misidentified individuals with serious ramifications. The risks of these technologies’ misuse have come to the fore in the wake of George Floyd’s murder and amplified concerns over racial profiling in policing, with technology giants such as IBM raising the alarm and calling on the U.S. Congress for a national dialogue on the responsible use of technology in policing. On June 10, 2020, Amazon put a one-year pause on the sale of facial recognition software to police departments, stating that it hoped the moratorium would give Congress enough time to put in place appropriate rules. A year later, Amazon extended this indefinitely.
However, as of July of 2021, Congress has yet to pass any legislation on the use of facial recognition by police.

As the adoption of AI-enabled surveillance and monitoring technologies spreads, some governments are seeking to limit the use of these tools. In April 2021, the EU unveiled a proposal for a comprehensive set of rules governing the use of AI. The proposed regulations would ban AI technologies deemed to carry an “unacceptable risk,” such as systems that manipulate the behavior of minors in a dangerous manner. “High risk” AI technologies, including in the transport sector, border control, and certain law enforcement applications such as biometric identification systems, would be strictly regulated. This framework seeks to set global standards for the ethical use of AI, similar to those established for data collection and transfer in the GDPR. If successfully adopted and enforced, it could inspire other governments to adopt similar AI-governance frameworks or integrate AI-provisions into their existing data governance legislation.

Graphic 6

Global Sales of AI Surveillance Technology

AI data collection and monitoring technology is currently in use in seventy-five countries. The type of technology in use and its country of origin are mapped below.

Type of Technology

  • Smart City
  • Facial Recognition
  • Predictive Policing
Country of Origin

  • Chinese Technology
  • U.S. Technology
  • Japanese Technology
SOURCE: Carnegie Endowment – AI Global Surveillance Index

Graphic 7

Industry Leaders in Global AI Surveillance Technology Sales

Huawei leads in AI surveillance technology sales, but both the U.S. and China are home to three leading AI surveillance companies.

SOURCE: Carnegie Endowment – AI Global Surveillance Index

The COVID-19 Pandemic Accelerated the Adoption of Digital Technologies and Increased Governments’ and Companies’ Exposure to Cyberattacks

The ongoing COVID-19 pandemic has fueled the ongoing digitization of society and the global economy and accelerated the adoption of digital technologies such as AI, contact-tracing applications and the IoT. Throughout the pandemic, global internet traffic and the number of internet users spiked—average global internet traffic increased by 55 percent in 2020—and governments became increasingly reliant on digital technologies for public health data collection and surveillance measures. The pandemic highlighted how new data collection technologies can be leveraged in the public’s interest, while raising concerns over privacy and the potential for technologies developed during the pandemic to be used for monitoring and data collection beyond its end. Countries such as France, Canada, and the UK used AI and machine learning-based technologies to screen for COVID-19 symptoms, analyze how the coronavirus spreads, and discover new treatments. Both national governments and private companies developed contact-tracing applications that collect GPS data from smartphones, and some medical institutions began using new devices that used AI and Wi-Fi to remotely monitor COVID-19 patients’ vitals. Some governments, such as Russia, Poland, and China, used AI-driven facial recognition software to enforce quarantines, and Amazon began using AI systems to enforce social-distancing and identify potentially ill workers. Due to the public health emergency, many of these technologies were adopted at a faster pace and without public input, regulatory oversight, or implementation of legal safeguards, such as sunset clauses or data-anonymization measures.

Within a few months of the outbreak of COVID-19, dozens of countries had implemented some form of increased surveillance measures, with the most common measures being state access to cellphone data, or downloadable contact-tracing apps. While some countries committed to ceasing surveillance measures after the pandemic, anonymizing the data they collect, or writing explicit sunset clauses into COVID-19 legislation expanding data collection, many implemented extensive surveillance measures without any safeguards in place. Additionally, many governments outsourced varying degrees of their COVID-19 response to the private sector. For example, Apple and Google partnered with national governments and developed contact-tracing technology currently being released in 38 countries. Governments have also partnered with private companies to use AI to manage public health data during their COVID-19 vaccine rollouts. The UK partnered with a private AI company to monitor vaccine side effects among its population, and in the U.S., several cities are using technology from an Israeli firm to analyze social media and news posts, among other data, to gauge public attitudes toward vaccines. This raises additional privacy and cybersecurity concerns, as these private companies now collect and hold citizens’ sensitive health information, which under other circumstances users would likely be more reticent to share.

The rapid digitization of society and the accelerated adoption of digital technologies and data collection without necessary safeguards during the pandemic increased governments’, private firms’, and individuals’ exposure to cyberattacks. Attacks on organizations involved in the COVID-19 supply chain—from hospitals to pharmaceutical companies—doubled from 2019 to 2020. Many of the apps developed to track COVID-19 and collect public health data were launched without proper cybersecurity protocols. A June 2020 study found that out of the contact tracing apps deployed across 17 different countries, only one was fully encrypted and sufficiently protected from cyberattacks. When governments began vaccine rollouts in December 2020, cyberattacks on healthcare apps increased by over 50 percent. The pandemic also increased the number of interconnected devices, expanding the IoT and granting hackers more targets, which led to a 56 percent year-over-year increase in malware attacks targeting IoT devices in 2020. Drivers behind the increase in cyberattacks during the pandemic range from financial gain for cybercriminals to nation states using cyberattacks for espionage and intellectual property theft. For example, Chinese, Russian, and Iranian state-sponsored hackers repeatedly attacked universities and companies conducting COVID-19 vaccine research in attempts to steal proprietary information.

In response to the threat posed by cyberattacks, governments have enacted legislation to bolster cybersecurity and limit cybercrime. As of April 2020, 154 countries have either enacted specific cybercrime laws or included cybercrime provisions in existing criminal codes, and nearly 80 countries have developed an overarching national cybersecurity strategy. These new laws and strategies have been underpinned by a surge of global spending in cybersecurity, by both governments and private firms, with global cybersecurity spending set to exceed $150 billion in 2021. However, existing cybersecurity laws vary widely in scope and enforceability, and nearly two-thirds of private companies report not properly managing cybersecurity risks throughout the pandemic. As country-level regulations and increased spending on cybersecurity have been insufficient to deter cyberattacks, international organizations, private-sector firms, and civil society organizations are now coordinating to develop international norms and principles to govern cyberspace. To date, the only binding international treaty on behavior in cyberspace is the Convention on Cybercrime of the Council of Europe, also known as the Budapest Convention, which currently has 66 signatories. There are still no comprehensive, binding rules for state and non-state behavior in cyberspace accepted by all relevant stakeholders. Existing approaches and initiatives are highly fragmented and often do not include major governments or companies that shape the cybersecurity landscape. As governments and tech companies continue to collect more sensitive data through AI-enabled monitoring tools, the need for internationally accepted cyber norms will only become more pressing. Future development of regulation on new technologies and cybersecurity is likely to have a profound impact on international data governance, interacting with and affecting existing rules for data privacy, transfer, storage, and encryption.

Graphic 8: Increase in Internet Activity and Cyberattacks During COVID-19

[Graphic with two panels: Global Internet Traffic (SOURCE: TeleGeography Global Internet Map); Global IoT Malware Attacks 2019-2020 (SOURCE: SonicWall)]

Graphic 9

International Initiatives on Cybersecurity Governance

Public

Convention on Cybercrime of the Council of Europe (Budapest Convention)

The Budapest Convention, agreed to in 2001 and ratified by 66 countries including the US and most of Europe, is the only binding international treaty on cybercrime. It seeks to harmonize domestic criminal policy on cybercrime, strengthen domestic legal powers to prosecute those crimes, and foster international cooperation toward that end.

Public

United Nations Group of Governmental Experts on Advancing Responsible State Behaviour in Cyberspace in the Context of International Security

The GGE, now in its sixth iteration, was first convened in 2004, with a mandate to study cyber matters and advise the UN Secretary General. The consensus reports produced between 2010 and 2015 made landmark progress by recognizing that international law applies to state behavior in cyberspace and by recognizing 11 norms for responsible state behavior. The most recent GGE (2019-2021) went a step further in its final consensus report by recognizing international humanitarian law and its application in cyberspace. Membership in the GGE has been limited to between 15 and 25 member states.

Public

United Nations Open-Ended Working Group on Developments in the Field of ICTs in the Context of International Security (OEWG)

The OEWG was created following a 2018 UN resolution sponsored by Russia, China, Iran, North Korea, and several other countries. In addition to aligning with the work and norms of the 2019–2021 GGEs, it calls for the protection of medical and electoral processes from cyberattacks. Whereas membership in the GGEs has been limited, the OEWG was opened to all UN member states participating in the cybersecurity dialogues for the first time. The OEWG’s mandate was renewed through 2025.

Private

Digital Geneva Convention

The Digital Geneva Convention was proposed by Microsoft in 2017 and seeks to establish legally binding international rules to govern state behavior in cyberspace. It calls on governments to refrain from attacks on critical infrastructure, institutions essential to the global economy (such as financial institutions), and journalists and electoral processes. It also calls on states not to engage in intellectual property theft; not to establish backdoors in commercial technology; and to limit the development, sale, and use of cyberweapons.

Private

Charter of Trust

The Charter of Trust was launched by the German industrial company Siemens at the 2018 Munich Security Conference. It includes 17 companies, mostly from the technology and industrial sectors, and eight partner organizations, including universities, think tanks, and government agencies. It has developed 10 principles to strengthen cybersecurity in the digital supply chain, foster cooperation between governments and industry, introduce cybersecurity education in schools, and develop new multilateral regulatory frameworks for cyberspace.

Private

Cybersecurity Tech Accord

The Cybersecurity Tech Accord was founded in 2018 and now includes more than 150 global technology companies. Its members are committed to four principles: protecting users from cyberattacks, opposing and not participating in government-sponsored cyberattacks, supporting capacity-building to defend against cyberattacks, and cooperating with like-minded organizations and initiatives. Among the signatories are several leading Internet and tech companies, 85 percent of which are from North America and Europe. However, Alphabet, Amazon, and Apple, as well as the Chinese companies Alibaba, Tencent, and Baidu, have not signed the accord.

NGO/Civil Society

Carnegie Endowment for International Peace, International Cybersecurity Norms Project

Housed within the Carnegie Endowment’s Cyber Policy Initiative, this Washington, D.C.-based think tank program studies and develops international norms for cyberspace. It provides a detailed timeline of international cybersecurity norms, in partnership with the UN. The project has proposed norms to protect financial data from cyberattacks and provides frequent analysis of efforts by multilateral organizations to develop rules for cyberspace.

NGO/Civil Society

CyberPeace Institute

The CyberPeace Institute is a non-governmental organization focused on supporting vulnerable populations on the Internet and advocating on behalf of civilian victims of cyberattacks. Founded in 2019 and located in Geneva, the CyberPeace Institute is primarily funded by Microsoft, MasterCard, and the Hewlett Foundation and coordinates with a large network of partner organizations. It has advocated for governments to refrain from cyberattacks on the healthcare sector and for preventing the spread of mis- and disinformation that creates opportunities for cybercriminals, among other issues.

Multistakeholder

Paris Call for Trust and Security in Cyberspace

The Paris Call was launched by French president Emmanuel Macron in 2018. It is one of the largest cross-sector initiatives on cybersecurity and has gained support from nearly 80 countries, more than 700 companies, and nearly 400 civil society organizations. The Paris Call advances nine principles. It calls on supporters to refrain from cyberattacks on individuals and critical infrastructure, on the core Internet infrastructure, on electoral processes, and on intellectual property; and to limit the proliferation of malware, strengthen cybersecurity features in products, support cybersecurity education, not engage in counter-hacking, and develop international cyber norms. Notably, the U.S., Chinese, and Russian governments as well as Amazon, Apple, and most of the large Chinese tech companies are not among the supporters of the Paris Call.

Multistakeholder

Global Commission on the Stability of Cyberspace (GCSC)

The Global Commission on the Stability of Cyberspace is an organization dedicated to developing policy recommendations and norms for a secure and stable cyberspace. It consists of 26 expert commissioners and is funded by several government ministries and agencies (mostly from Europe and Asia), multilateral and regional organizations, tech companies, research institutions, and civil society organizations. It has proposed a set of eight cyberspace norms, including norms to protect the core infrastructure of the Internet, to protect electoral infrastructure, not to tamper with products, not to weaponize public ICT infrastructure as botnets, to publicly disclose and mitigate cyber vulnerabilities, to implement cyber hygiene regulations, and to limit offensive cyber operations by non-state actors.

Multistakeholder

Global Cyber Alliance (GCA)

The Global Cyber Alliance is a non-profit organization dedicated to reducing cyber risk. It was created by the Manhattan District Attorney’s Office, the City of London Police, and the Center for Internet Security in New York and is supported by a wide range of tech companies and other private-sector firms, national and local governments and government agencies, multilateral organizations, and civil society organizations. The GCA has developed cybersecurity toolkits for small businesses, elections, journalists, financial institutions, and non-profit organizations. It also has developed several cybersecurity software tools, including an email security tool that has been implemented by government organizations in the U.S., the UK, the EU, Australia, and New Zealand.

Looking Ahead

Both governments and private companies are rapidly expanding their data collection capabilities, unleashing potential for transformative public benefits and more concerning impacts on civil liberties. In Part I of our series, Emerging Data Governance Practices, we chronicled how private-sector data collection methods have faced recent public backlash, resulting in the widespread adoption of data privacy laws and data localization measures. The proliferation of regulations is restricting companies’ and organizations’ access to user data (and increasing operational costs), creating new challenges for large tech companies, already facing widespread government backlash. However, governments are not imposing similar limits on themselves, often moving to expand their legal authority to collect data and monitor citizens’ activities through legislation aimed at limiting or ending encryption. These efforts are being further enabled by the private surveillance industry and new developments in AI technology, creating significant risks as increasing amounts of sensitive data are exposed to cyberattacks. The rapid digitization of society and expansion of AI during the COVID-19 pandemic accelerated the adoption of new data-collection technology, but regulation and oversight have been lacking. As more emerging technologies such as machine learning and quantum computing are developed, the pace and volume of data collection will further accelerate, prompting new security challenges and highlighting more regulatory gaps. Together, these forces are shaping data governance regimes globally, carrying immense implications for accessing, monetizing, and analyzing data in the digital age.

Many monitoring technologies have transformational potential for society, but the lack of government accountability to date and the limited ability of the public, the private sector, or research institutions to access this data remain controversial. This underscores the need for multi-stakeholder engagement on, and development of, legal frameworks ensuring greater transparency and accountability. Open-government data legislation, such as the U.S.’s Open Government Data Act, which gives the public access to “non-sensitive” government data, is one effort that could help ensure that data is used responsibly and for public benefit. Such legislation allows private companies, research institutions, and other organizations or individuals to benefit from government data on matters such as weather, traffic, the census, and national budgets. At the same time, governments, private-sector firms, and civil society organizations must collaborate to develop rules and establish norms on ethical data collection and usage and must press state and non-state actors to engage in responsible behavior in cyberspace. Existing efforts by each of these groups present an important starting point, but in order to be effective, coordination and enforcement must improve. As the digitization of the global economy continues, it will require continual efforts by all stakeholders to ensure that its full potential is realized.

Written by Christian Perez. Edited by Allison Carlson. Copyedited by David Johnstone. Design by Andrew Baughman and Jon Benedict. Development by Andrew Baughman. Art direction by Lori Kelley. Graphics by Remie Geoffroi for Foreign Policy.


References