Between emails, messages, sensors, machines, platforms, purchase transactions and so on, we are generating data at a furious pace. In 2018, 2.5 quintillion bytes of data was created every day.
Data-driven business models are accelerating, becoming critical to everything from manufacturing to services, some of which involve cross-border exchange. According to McKinsey, the cross-border bandwidth in use grew 148 times between 2005-2017, a proxy for the surge of information on the move.
Data flows also enable scientific advances, such as through the aggregation of anonymized health datasets for research, or to gather accurate data to benchmark progress on the United Nations Sustainable Development Goals (SDGs). Integrated technology – for instance, 5G and mesh networks or facial recognition and DNA barcoding of fish – helps translate biological and socio-economic knowledge sources in the environment into data that can be used for conservation action or law enforcement against illegal fishing, as just two examples.
Have you read?
As data use and movement rises, governments and citizens have taken interest. The Organisation for Economic Cooperation and Development (OECD) documents an increase in the cumulative number of data regulations, from around 50 worldwide in the early 2000s to just under 250 in 2019. The overall level of data restrictiveness as measured by the European Centre for International Political Economic (ECIPE)’s Data Restrictiveness Index has doubled in the past decade.
Restrictions on the movement of data abroad are on the rise, though the specific nature varies. Governments typically impose restrictions on data movement to achieve security, privacy, financial system management, law enforcement or intellectual property protection objectives. These are important and legitimate concerns in the digital economy.
But it’s not always clear how and to what extent data restriction regimes contribute to policy aims. Sometimes, they may even adversely affect the very data they seek to protect. For instance, a regulation on local data storage enforced on the grounds of increasing cybersecurity could do the opposite by creating multiple and sometimes insecure access points.
Conversations on data flows are also taking place alongside important debates on digital taxation, competition and fierce rivalry in the technology space – though wires can get crossed on what’s the best policy tool for specific challenges. A shift towards a world with limited data flows could slow or change the evolution of current business models and social opportunities.
To avoid that scenario, during its G20 presidency in 2019, Japan spearheaded the Osaka Declaration on the Digital Economy, where leaders of 45 economies affirmed the importance of international talks on data governance. Going forward, the Osaka Track will work to build consensus on best practices for allowing data to flow abroad, while not compromising other policy goals.
A newly released World Economic Forum paper highlights a few steps countries could take at home to collaborate on this cross-border challenge:
- Conduct a technical analysis of a restrictive regulation to check whether it’s necessary and proportionate to the goal.
- Estimate the economic costs of compliance, and whether it’s feasible for small and medium enterprises to bear the burden of such costs of doing business.
- Be transparent. Clearly communicate about data regimes through publicly available information, advance notice of changes and clarifications on sanctions and enforcement mechanisms.
- Aim for intergovernmental collaboration on related regulatory issues such as consumer protection, privacy, cyber-security, etc.
- Put in place data transfer mechanisms – tools companies can use to comply with domestic rules even as data is transferred abroad and prevents overly restrictive approaches
International collaboration on data can take various forms, and some trade rules are already relevant. For example, the World Trade Organization (WTO) General Agreement on Trade in Services (GATS) applies to services trade that can be digitally delivered, but countries’ commitments and the scope of applicability vary.
Several countries have negotiated free trade agreements with specific rules marrying data flow pledges and data localization bans, with an emphasis on personal information protection. The rules come with exceptions for other over-riding policies.
Since the exceptions are quite wide-ranging, future trade deals may need to add regulatory cooperation to mitigate the need to use exceptions in the first place. In other words, if a policymaker has confidence an objective will be achieved even as it moves abroad, there is less reason to restrict.
For example, trade policy could encourage countries to use international standards as benchmarks for domestic approaches, such as the International Standards Organization (ISO)/International Electrotechnical Commission (IEC) 27000 set of cyber and information security standards. On privacy, regional groups such as the OECD and the Asia-Pacific Cooperation Forum (APEC) have set guidelines, though domestic implementation still results in a lot of divergence.
Data transfer mechanisms can bridge this divergence. Existing examples include the EU-US Privacy Shield or the APEC Cross-Border Privacy Rules. These systems have advantages and limitations. Not least, more thinking is needed on how to adapt them for developing countries with less advanced data governance structures, as well as to facilitate small business compliance. ASEAN economies are working on a data transfer mechanism to include certifications for data compliance across the region.
What is the World Economic Forum doing on cybersecurity
The World Economic Forum's Centre for Cybersecurity is leading the global response to address systemic cybersecurity challenges and improve digital trust. We are an independent and impartial global platform committed to fostering international dialogues and collaboration on cybersecurity in the public and private sectors. We bridge the gap between cybersecurity experts and decision makers at the highest levels to reinforce the importance of cybersecurity as a key strategic priority.
Our community has three key priorities:
Strengthening Global Cooperation - to increase global cooperation between public and private stakeholders to foster a collective response to cybercrime and address key security challenges posed by barriers to cooperation.
Understanding Future Networks and Technology - to identify cybersecurity challenges and opportunities posed by new technologies, and accelerate forward-looking solutions.
Building Cyber Resilience - to develop and amplify scalable solutions to accelerate the adoption of best practices and increase cyber resilience.
Initiatives include building a partnership to address the global cyber enforcement gap through improving the efficiency and effectiveness of public-private collaboration in cybercrime investigations; equipping business decision makers and cybersecurity leaders with the tools necessary to govern cyber risks, protect business assets and investments from the impact of cyber-attacks; and enhancing cyber resilience across key industry sectors such as electricity, aviation and oil & gas. We also promote mission aligned initiatives championed by our partner organizations.
The Forum is also a signatory of the Paris Call for Trust and Security in Cyberspace which aims to ensure digital peace and security which encourages signatories to protect individuals and infrastructure, to protect intellectual property, to cooperate in defense, and refrain from doing harm.
For more information, please contact us.
Determining the appropriate balance between permitting data to cross borders with other policy goals is not easy. However, it’s high time stakeholders engage in dialogue on the subject. We may not need to reinvent the wheel – existing tools and frameworks have laid the groundwork. Regulatory innovation and multi-stakeholder collaboration can help determine a workable path forward to keep the internet open.