It's getting harder to move data abroad. Here's why it matters and what we can do

Between emails, messages, sensors, machines, platforms, purchase transactions and so on, we are generating data at a furious pace. In 2018, 2.5 quintillion bytes of data was created every day.

Data-driven business models are accelerating, becoming critical to everything from manufacturing to services, some of which involve cross-border exchange. According to McKinsey, the cross-border bandwidth in use grew 148 times between 2005-2017, a proxy for the surge of information on the move.

Data flows also enable scientific advances, such as through the aggregation of anonymized health datasets for research, or to gather accurate data to benchmark progress on the United Nations Sustainable Development Goals (SDGs). Integrated technology – for instance, 5G and mesh networks or facial recognition and DNA barcoding of fish – helps translate biological and socio-economic knowledge sources in the environment into data that can be used for conservation action or law enforcement against illegal fishing, as just two examples.

As data use and movement rises, governments and citizens have taken interest. The Organisation for Economic Cooperation and Development (OECD) documents an increase in the cumulative number of data regulations, from around 50 worldwide in the early 2000s to just under 250 in 2019. The overall level of data restrictiveness as measured by the European Centre for International Political Economic (ECIPE)’s Data Restrictiveness Index has doubled in the past decade.

Restrictions on the movement of data abroad are on the rise, though the specific nature varies. Governments typically impose restrictions on data movement to achieve security, privacy, financial system management, law enforcement or intellectual property protection objectives. These are important and legitimate concerns in the digital economy.

But it’s not always clear how and to what extent data restriction regimes contribute to policy aims. Sometimes, they may even adversely affect the very data they seek to protect. For instance, a regulation on local data storage enforced on the grounds of increasing cybersecurity could do the opposite by creating multiple and sometimes insecure access points.

Conversations on data flows are also taking place alongside important debates on digital taxation, competition and fierce rivalry in the technology space – though wires can get crossed on what’s the best policy tool for specific challenges. A shift towards a world with limited data flows could slow or change the evolution of current business models and social opportunities.

To avoid that scenario, during its G20 presidency in 2019, Japan spearheaded the Osaka Declaration on the Digital Economy, where leaders of 45 economies affirmed the importance of international talks on data governance. Going forward, the Osaka Track will work to build consensus on best practices for allowing data to flow abroad, while not compromising other policy goals.

A newly released World Economic Forum paper highlights a few steps countries could take at home to collaborate on this cross-border challenge:

International collaboration on data can take various forms, and some trade rules are already relevant. For example, the World Trade Organization (WTO) General Agreement on Trade in Services (GATS) applies to services trade that can be digitally delivered, but countries’ commitments and the scope of applicability vary.

Several countries have negotiated free trade agreements with specific rules marrying data flow pledges and data localization bans, with an emphasis on personal information protection. The rules come with exceptions for other over-riding policies.

Since the exceptions are quite wide-ranging, future trade deals may need to add regulatory cooperation to mitigate the need to use exceptions in the first place. In other words, if a policymaker has confidence an objective will be achieved even as it moves abroad, there is less reason to restrict.

For example, trade policy could encourage countries to use international standards as benchmarks for domestic approaches, such as the International Standards Organization (ISO)/International Electrotechnical Commission (IEC) 27000 set of cyber and information security standards. On privacy, regional groups such as the OECD and the Asia-Pacific Cooperation Forum (APEC) have set guidelines, though domestic implementation still results in a lot of divergence.

Data transfer mechanisms can bridge this divergence. Existing examples include the EU-US Privacy Shield or the APEC Cross-Border Privacy Rules. These systems have advantages and limitations. Not least, more thinking is needed on how to adapt them for developing countries with less advanced data governance structures, as well as to facilitate small business compliance. ASEAN economies are working on a data transfer mechanism to include certifications for data compliance across the region.

Determining the appropriate balance between permitting data to cross borders with other policy goals is not easy. However, it’s high time stakeholders engage in dialogue on the subject. We may not need to reinvent the wheel – existing tools and frameworks have laid the groundwork. Regulatory innovation and multi-stakeholder collaboration can help determine a workable path forward to keep the internet open.