Data Privacy Protection, Consumer Consensus, and International Regulations


I. International Internet Privacy Concerns

Global tech consumers are concerned about the collection and utilization of private data by Big Tech.[1] These concerns in no small part arise from recent instances of consumer data privacy breaches, including the Cambridge Analytica hack,[2] the Equifax breach,[3] YouTube’s violation of the Children’s Online Privacy Act (“COPPA”),[4] etc. Consequently, governments have solidified such concerns into law, particularly in the EU’s General Data Protection Regulation (GDPR),[5] and the California Consumer Privacy Act (CCPA).[6]

The GDPR and CCPA both seek to: (1) provide civil remedies for consumers against tech companies violating the acts; (2) oblige companies to provide an accessible description of the manner in which they collect and use consumers’ data; (3) give consumers means to withdraw consent to having their data collected by companies; (4) grant consumers the ability to stop companies from selling their data to third parties; and (5) impose hefty fines against companies breaching these regulations.[7] With increasing international concern over data privacy,[8] and eighty percent of Big Tech’s most valuable firms residing in Europe and Silicon Valley, California,[9] Big Tech should implement large-scale private governance to protect consumer data and insulate itself from liability.

II. Private Governance Models

One prominent private governance model is “Transnational New Governance.”[10] In this model, independent businesses modify a State’s traditional regulatory role, incorporating private actors’ expertise, unifying industry standards, and functioning similarly to “hard law.”[11] Over time, these norms evolve from voluntary regulations to compulsory standards.[12] An example is fair trade certification and coffee. Hard law does not mandate fair trade certification; however, industry practices and consumer consensus supporting fair trade certified coffee dominate the coffee market.[13] Presently, fair trade certification in the coffee industry is effectively mandatory, even without State regulation.[14]

Another private governance model comes from private regulatory organizations like the International Organization for Standardization (ISO). The ISO is a private “independent, non-governmental international organization,” which “develop[s] voluntary, consensus-based, market relevant . . . standards.”[15] ISO members range from private-sector representatives to independent government actors, though none are government delegates.[16] Members purchase and implement ISO standards, certifying desirable product quality to consumers.[17] An example of ISO standard implementation is the International Standard Serial Number’s (ISSN) prevalence in media. With the industry adoption of ISO standard 3297 came a wave of publication serialization to efficiently categorize and identify magazines, books, academic articles, etc.[18] Presently, the ISSN system, stemming from market demand, is the most comprehensive reference source in the world for serialized publications.[19]

III. Big Tech’s Best Option

Whereas consumer consensus induced the coffee industry and media into private governance, Big Tech is facing pressure on an additional front. Consumer pressure for an open tech infrastructure providing consumer data autonomy is solidifying itself into legislation like the GDPR and CCPA. To mitigate expanding legal recourse against large firms and the precipitous constraining of the industry’s business practices, Big Tech should, either through industry adoption or international standardization organizations, adopt its own consumer protection policies. However, if Big Tech chooses to create consumer data protection policies independently, it risks being continually constrained by legislation until it implements these policies uniformly. Therefore, Big Tech’s best option lies in the ISO. The ISO’s recent publication of standard 27701 addresses consumer data privacy concerns and provides Big Tech a means to mitigate the State regulation of consumer data privacy protection expediently.[20] Consequently, large tech firms should purchase, adopt, and comply with the standards set forth by the ISO if they desire to prevent imminent global legislation from stifling their businesses.

  1. U. N. Conference on Trade and Development, Data Privacy: New Global Survey Reveals Growing Internet Anxiety (April 16, 2018), [hereinafter Data Privacy Survey].

  2. Nicholas Confessore, Cambridge Analytica and Facebook: The Scandal and the Fallout So Far, N.Y. Times (April 4, 2018).

  3. Federal Trade Commission, Equifax Data Breach Settlement (Jan. 2020).

  4. Mark Bergen, YouTube Plans to End Targeted Ads on Videos Aimed at Kids, Bloomberg (Aug. 20, 2019, 1:19 PM MDT).

  5. Commission Regulation 2016/679, 2016 O.J. (EU) [hereinafter GDPR].

  6. California Consumer Privacy Act of 2018, CAL. CIV. CODE §1798.180 (2018) [hereinafter CCPA].

  7. GDPR, supra note 5; CCPA, supra note 6.

  8. Data Privacy Survey, supra note 1.

  9. Editorial, Why Big Tech Should Fear Europe, The Economist, March 23, 2019.

  10. Kenneth W. Abbott & Duncan Snidal, Strengthening International Regulation Through Transnational New Governance: Overcoming the Orchestration Deficit, 42 Vand. J. Transnat’l L. 501, 508-510 (2009).

  11. Id.

  12. Id.

  13. Margaret Levi & April Linton, Fair Trade: A Cup at a Time?, 31 Pol. & Soc’y 407, 414 (2003).

  14. Id.

  15. Int’l Org. for Standardization [ISO], (last visited Feb. 28, 2020).

  16. Int’l Org. for Standardization [ISO], ISO Membership Manual 6 (2015).

  17. Int’l Org. for Standardization [ISO], (last visited Feb. 28, 2020).

  18. Int’l Org. for Standardization [ISO], ISO 3297:2017 (last visited Feb. 28, 2019) [hereinafter ISO Standard 3297:2017].

  19. International Standard Serial Number – International Centre, (last visited Feb. 28, 2020).

  20. ISO Standard 3297:2017, supra note 18.