Testimony of Denise E. Zheng
Vice President, Policy, Business Roundtable
July 31, 2018
Chairman Wicker, Ranking Member Schatz, Members of the Subcommittee, thank you for the opportunity to testify on behalf of Business Roundtable regarding international policies related to the internet and digital platforms – more broadly referred to as “information and communications technology” (ICT) – and their impact on competitiveness, investment, and innovation.
Business Roundtable is an association of chief executive officers (CEOs) of the world’s largest multinational companies. Collectively, our member companies employ more than 16 million people across all sectors of the economy. It is a commonly held misperception that ICT policies only affect the technology industry. The reality is that few companies can compete and succeed today without making extensive and effective use of data and digital platforms.
Recently there has been a rapid increase in the number of complex, conflicting, and uncoordinated ICT public policies from governments around the world. This trend undermines global digital innovation and trade by creating policy and regulatory fragmentation, business uncertainty, overwhelming compliance costs, and other unintended consequences.
Trends in Global ICT Policy
Governments have a responsibility to develop ICT policies that provide for national security, protect public safety, and ensure individual privacy. But too often, countries are defining security, privacy, and safety in an overly broad manner, resulting in a wide array of laws and regulations that erect barriers to an interoperable and open global internet. In some cases, nations impose ICT policies for the stated purpose of cybersecurity and privacy, even though the policies are designed primarily to keep U.S. companies out and protect local industries. In other cases, the global patchwork of various cybersecurity and privacy requirements creates a compliance nightmare that is cumbersome and costly for large companies and impossible for small companies and startups.
The European Union (EU) and China are currently the most active players in developing and implementing ICT policies. But India, Russia, South Korea, and other Asian and Latin American countries are ramping up efforts to develop and enforce a wide range of cybersecurity, privacy, and data localization policies. Already at least 34 different countries have data localization requirements, while approximately 120 countries have data privacy laws and many more countries are considering legislation in this area.
The following sections highlight a selection of ICT policies that have a significant impact on Business Roundtable members and other U.S.-based companies.
China has the most aggressive data localization laws. China’s Cybersecurity Law that went into effect in June 2017 requires all “important information” and “personal information” to be stored in China. Under this regime, “network operators” are prohibited from transferring covered data outside of China without undergoing a government-mandated security assessment. As currently defined, the law could cover any entity that owns or operates a computer network and applies to a vast and ambiguous assortment of different types of data. China is not the only country with data localization requirements: India, Russia, Nigeria, and South Korea all have enacted laws that prohibit the transfer of a range of business and consumer data outside of their respective jurisdictions. In some cases, these laws mandate physical servers be installed in-country as a condition of doing business.
This growing number of localization requirements is already proving costly for many industry sectors, including health, retail, finance, insurance, energy, manufacturing, and technology. These mandates are making it increasingly difficult for U.S. companies to do business in key markets such as Asia and Latin America.
Cybersecurity regulations are expanding globally. For example, China, which has some of the most heavy-handed regulations, requires companies in industries deemed to be “critical” to demonstrate that their technology systems are “secure and controllable.” Such companies must undergo inspections and assessments of company networks and are mandated to disclose computer program source code to the Chinese government for review. The European Council recently proposed a new cybersecurity regulation (the EU Cybersecurity Act) that would create a security certification regime for ICT products and services. If the law takes a mandatory, rather than voluntary, approach, it could have the effect of dictating how American firms design, develop, manufacture, and deliver ICT products and services.
The financial services sector, in particular, faces an expanding number of international cybersecurity regulations, with more than 40 different international cybersecurity policies already in place, ranging from risk assessments to penetration testing to incident reporting. In this environment, companies must reconcile competing and redundant cybersecurity regulations that divert significant resources from truly effective cybersecurity measures toward time-consuming compliance activity, such as certifications and questionnaires.
In May 2018, the EU’s General Data Protection Regulation (GDPR) went into effect and established the most expansive privacy regime in the world. The GDPR covers nearly all types of personal data and affects business-to-consumer as well as business-to-business firms. The GDPR has an extraterritorial application meaning that its scope covers any company, regardless of whether it is based in the EU or not, that meets the law’s threshold requirements for processing personal data of individuals in the EU.
This means that some companies, such as those that cannot justify spending the resources necessary to demonstrate compliance with the GDPR, are forced to take steps to block EU-based users from using their products and services, including from visiting their websites, to avoid facing steep fines of up to 20 million euros or 4 percent of annual revenue, whichever is higher. The GDPR limits transfers of personal data outside of the EU unless certain adequacy standards are met; it also requires companies to notify EU and national regulators of security breaches of personal data within 72 hours of the incident.
The EU is actively promoting the adoption of the GDPR as a model for privacy regulations in other countries. In addition, Brazil and other Latin American countries are proposing or have enacted laws that adopt many aspects of the GDPR.
The risk of domestic regulatory fragmentation within the United States for privacy is also high. In addition to several existing sector-specific federal and state privacy regulations, California recently passed a consumer privacy bill that applies broadly across many sectors. Numerous other data privacy legislative proposals are pending in state legislatures that, if passed, would further increase the complexity of privacy regulations across the United States. That is why Business Roundtable is working to develop privacy principles that strengthen protections for consumers but also preserve innovation in the digital economy.
Government Access to Data
The growth of digital communications over the past two decades has created new challenges as well as opportunities for law enforcement. For instance, several countries have sought to restrict the use of encryption or imposed data localization mandates to facilitate law enforcement’s access to data for investigative purposes or government surveillance.
Both China and Russia mandate companies decrypt and localize data for law enforcement and surveillance. In 2016, Russia passed a law that explicitly required internet service providers to provide backdoor access to encrypted data and store all consumer communications for six months. France, the United Kingdom, Brazil, India, and other countries have also enacted laws that regulate the use of encryption in digital communications.
Not only do these laws erode security and privacy on the internet, they also have a significant impact on the interoperability of digital platforms across borders and undermine consumer trust in technology.
Consequences of Uncoordinated International ICT Policies
The current state of global ICT policy is complex, chaotic, and fragmented and could undermine growth and innovation in the digital economy and emerging technologies.
Fragmentation and Legal Uncertainty
As CEOs that run the largest American companies, Business Roundtable members operate in many jurisdictions and serve customers around the globe. The international regulatory environment for ICT policy is forcing companies across all sectors to reconcile overlapping, duplicative, and sometimes conflicting requirements. The legal uncertainty that results from policy and regulatory fragmentation undermines investment, growth, and job creation. Ambiguous requirements and inconsistent enforcement in some countries increases the risk of doing business and can lead companies to reject, defer, or reconsider investments.
The GDPR alone is estimated to cost Fortune 500 companies a combined $7.8 billion to comply, or about $16 million per firm. Another survey found that large organizations of 25,000 or more employees each are budgeting an average of $30 million to comply with the GDPR. Much of the cost is related to “check the box” exercises that demand significant investment from companies regardless of their risk profile. Some companies have decided to discontinue offering products and services in the EU because compliance costs are so high that they can no longer justify being in the market. It is not unusual for those surfing the web in the EU to come across websites from vendors that have nothing more than a note saying that due to GDPR requirements, the site cannot be accessed.
Data localization requirements can impose significant compliance burdens that raise the cost of hosting data by 30 to 60 percent for companies that are covered by such requirements. A study done by the European Centre for International Political Economy estimates that enacted or proposed data localization mandates in China could cost up to 1.1 percent of its GDP and the cost of data localization requirements in the EU could cost nearly 0.4 percent of its GDP.
A fragmented international ICT policy landscape will likely have the most significant and adverse impact on startups and small- and medium-size companies with limited resources to navigate ambiguous requirements and opaque reviews in countries like China or excessive paperwork associated with complying with EU policies. These compliance costs will make it more difficult for such promising and innovative companies to thrive and expand.
Emerging technologies such as artificial intelligence and blockchain are also hindered by regulatory uncertainty and are the next likely targets for policy and regulatory fragmentation. The data minimization, automated decision-making, and “right to erasure” provisions of the GDPR can create barriers to the commercial development of important emerging technologies which improve and innovate new products and services for consumers. I will give you two specific examples of this: First, the GDPR imposes restrictions at every stage that a company collects, processes, uses, and retains personal data, and the impact of these restrictions on the development of machine learning tools is uncertain. Some companies may decline to integrate machine learning into their business to avoid such hurdles. Second, companies using blockchain and distributed ledger systems, technologies rooted in the notion that information should not be unilaterally amended or deleted from networks, will face difficulty in responding to data subject requests, authorized by the GDPR, to amend and delete their own data.
Congress has an important role in creating and fostering a global policy environment for an open, interoperable, and global internet and to promote the continued economic growth of the digital economy. To that end, Business Roundtable recommends the following actions:
- Establish Alliances with Like-Minded Countries to Counter Protectionist ICT Policies. The U.S. government should build alliances with like-minded countries to counter technology restrictions, protectionist cybersecurity and data localization requirements, and requirements for businesses to transfer technology and intellectual property as a condition to accessing foreign markets.
- Lead in Development of International Norms, Best Practices, and Standards for ICT. The U.S. government and U.S. companies should lead in developing norms, best practices, and standards for the internet and digital platforms. Areas of focus include cybersecurity, privacy, and cross-border data flows. At the same time, emerging technologies such as artificial intelligence, autonomous vehicles, blockchain, internet of things, and robotics require serious attention, because rules do not yet exist.
- Seek to Align or Harmonize Requirements to Avoid Global Fragmentation. In the face of an already fragmented environment, the U.S. government should play a leadership role to align or harmonize where possible existing ICT policies, regulations, and standards globally, and maintain that same approach for emerging technologies to avoid costly fragmentation. The United States cannot afford to be missing from important international forums on ICT issues, as China and other countries are actively seeking to rewrite the rules of the internet and digital economy that are fundamentally at odds with open markets and democratic values.
- Protect Transatlantic Cross-Border Flows. Congress should act to protect the EU-U.S. Privacy Shield by making the Privacy Shield Ombudsperson a permanent position of the U.S. Department of State. It should also act swiftly to confirm the nominees for the Privacy and Civil Liberties Oversight Board, which plays a critical role in fulfilling the requirements of the EU-U.S. Privacy Shield.
Mr. Chairman, Ranking Member Schatz and Members of the Subcommittee, thank you for the opportunity to present Business Roundtable’s views on information and communications technology and their impact on competitiveness, investment, and innovation. The global policy environment around ICT represents a serious concern to leaders of these American companies that drive economic growth and job creation in the United States and across the world.