| News | Interview | “The law alone cannot explain how data protection actually works in different countries.”

“The law alone cannot explain how data protection actually works in different countries.”

In this interview, Professor Kai von Lewinski reveals exciting results from the "Vectors of Data Disclosure" project, a comparative study on the use of personal data.

Personenbezogene Daten und Datenschutz
© stock.adobe.com / Sergey

Most people are familiar with the term “personal data”. This includes, for example, names, addresses, location data and IP addresses. This data is worth protecting, which is perfectly clear to people in the EU. But what do people in other parts of the world think about their data and how do they handle it? Lawyer Kai von Lewinski and his colleagues from the University of Passau have been conducting interdisciplinary research on this topic in a bidt research project lasting several years. This combines perspectives from law, cultural studies and business informatics and has now been successfully completed.

Mr von Lewinski, in which countries are people particularly willing to disclose their data?

Kai von Lewinski: The willingness to disclose personal data depends on the cultural character and legal framework of a country. Individuals also decide whether to disclose personal data in specific situations. For example, do I click on “Accept all” on the cookie banner or do I go to the trouble of rejecting optional cookies?

In the project, we were interested in why data protection is viewed so differently in different regions of the world. One interesting finding is that people in Asia and Africa have a different understanding of “their data”. There, it’s not just about the data of the individual, but also about the data of their own community. Within a group, for example the extended family or a village community, there is less of an understanding of exclusive individual data. But the group wants to protect its data from “the outside”. In Africa and Asia, data protection is understood more collectively than in the individualistic West.

In Europe, we take the protection of personal data very seriously. In other parts of the world, there is a certain lack of understanding for this European fixation on data protection.

Prof. Dr. Kai von Lewinski To the profile

Which countries did you analyse?

von Lewinski: We couldn’t analyse all 200 countries, so we made a representative selection. The EU, our home jurisdiction, and Switzerland. America and China as important players, Ghana as an African country and representative of the global South, Brazil as an “emerging market” for the South American region. In addition, Japan as an Asian country with a different political system to China. Initially, Russia was also included. However, due to the known events, we were unable to conduct representative surveys there.

How do you compare data protection laws in different countries?

von Lewinski: By means of a functional comparison of laws. This means that we not only analysed data protection law as it is written in other countries. A comparison of the terms “data protection”, “privacy”, “data protection” etc. would not have helped us either. Instead, we asked: What is the functional equivalent of data protection as we know it in Europe?

This equivalence is not only found in the legislation of the individual countries. Some of these are quite similar, as there are many emulators of the European GDPR, which is known as the “Brussels effect”. Rather, we need to look at extra-legal vectors in comparison, which we can draw from the empirical approaches of cultural studies and business informatics.

In the project, you used the concepts of “Law in the Books” and “Law in Action”. These deal with the practical application of laws and their actual implementation in society. Does data protection law not apply as it is written?

von Lewinski: Laws apply, of course, but all over the world there is a discrepancy between the written law and its actual application. Law in the Books refers to the formal law, i.e. rights, obligations and penalties for citizens and institutions. Law in action refers to how it is applied in the real world: how law enforcement agencies enforce laws, how judges make judgements and, above all, how citizens or businesses obey or circumvent the law in their daily lives. The written law “lives” in a certain culture that needs to be looked at closely.

Three quite different disciplines worked together on the bidt project. Why was that important?

von Lewinski : We lawyers, i.e. Prof essor Moritz Hennemann, myself and the legal research team, took the data protection laws of the federal states as our starting point. For our project, however, it was clear that the law alone cannot explain how data protection is actually handled in different countries. There must be cultural vectors that determine, shape and are in turn shaped by this handling. The perspective of cultural studies, in the person of Professor Daniela Wawra and her team, was therefore essential. In addition, Professor Thomas Widjaja and his team brought a behavioural economics perspective to the research project. Economics can explain to us, for example, how people make decisions. In particular, they provided insights into individual perceptions of regulation and, building on this, categorisation, which formed the basis for our further approach. This specific interdisciplinary constellation is something special in the German research area and was decisive for the success of the project.

In which countries do written data protection law and its application differ particularly strongly?

von Lewinski: In Brazil, for example. Our research shows that people there tend to trust the written law less. There is a relatively large discrepancy between the law in the books and the law in action. On the one hand, there is an attempt to move closer to the European legal framework and, on the other, a completely different cultural setting of systematic, bureaucratically sceptical non-compliance. Nevertheless, the rules are reliable. Everyone knows that it works differently to the way it is laid down in the law, but people can cope with it. Trust in data protection practice is significantly higher than trust in data protection laws. We saw a similar situation in Africa.

This is of course a somewhat disturbing finding for us lawyers. It all works and people are not dissatisfied. But that doesn't have much to do with the written law.

Prof. Dr. Kai von Lewinski To the profile

All the countries analysed have data protection concepts. What are the most significant differences?

von Lewinski : The GDPR here in Europe works according to the principle of prohibition. The law states that personal data processing is generally prohibited. In other countries, particularly in the USA and Japan, the processing of personal data is not generally prohibited, but individual types of processing are regulated.

This is interesting because two economic giants, the EU and the USA, are wrestling with each other across the Atlantic. The Europeans’ instrument is pressure through regulation, and of course this does not only affect the USA: legal systems such as Ghana or Brazil are adapting to EU regulations because they do not want to jeopardise economic relations. This means that legislators there simply use the GDPR as a template. Our research showed that the practice works differently – despite the clearly text-like regulations – and that data protection can also feel very different for people in these countries.

The European digital market is heavily dominated by American companies. Some key EU regulations should therefore be read in this way: How do we tame the Americans?

Prof. Dr. Kai von Lewinski To the profile

Which project results surprised you?

von Lewinski: Overall, data protection is viewed positively. I would not have expected that, especially in the USA, a very entrepreneurial society. As part of the project, we surveyed consumers and compliance experts. It is possible that entrepreneurs would answer differently because data protection plays a different role in their activities.

It is interesting that people consider data protection to be important on the one hand, but do not always act accordingly in specific cases. In economics, this is called the privacy paradox and can be explained as follows: The tangible violation of privacy is not particularly great when I click on a cookie banner. Actively protecting your own data, on the other hand, is inconvenient. This “convenience” has been confirmed in our studies to the extent that substantive regulation that is perceived as stricter generally leads to individuals being more willing to disclose their data.

People are relatively willing to share personal information, although they also consider data protection to be important.

Prof. Dr. Kai von Lewinski To the profile

Are there any recommendations for action for public players that you can derive from your research?

von Lewinski : If you only compare what is written in different national legal codes, you cannot understand how data protection actually works in the respective country. The law in action is an essential factor that is difficult to grasp. This important realisation can be applied specifically to the activities of data protection authorities: European authorities are often helpless against US companies; the greatest European data protection laws are of no use if they cannot be effectively enforced. In contrast, the much more selective regulations in the USA are also enforced – the spectacular sums of punitive damages make it into our headlines from time to time.

Are you satisfied with the current EU law on artificial intelligence?

von Lewinski: Not really. AI technology needs to be regulated, that’s clear. But with this early regulation, we are taking away a lot of innovation potential in Europe. The consequence will be that we will live with AI-trained models that do not function according to our cultural parameters. Because they were developed elsewhere, but are of course still used here.

What advice do you have for private individuals when it comes to disclosing personal data online?

von Lewinski: The Internet feels the same all over the world. Just as when we travel to other countries, some things seem very familiar. When travelling, however, we are aware that both the formal and informal rules are sometimes very different from those at home. So we move more cautiously. We start by observing how things work in this country. The same applies to the Internet and the issue of data disclosure. Websites and online providers operate against the backdrop of their national legislation and cultural context. You shouldn’t forget that when browsing.

Thank you very much for the interview!

The interview was conducted by Miriam Rummel.