Between emails, messages, sensors, machines, platforms, purchase transactions and so on, we are generating data at a furious pace. In 2018, 2.5 quintillion bytes of data was created every day.

Data-driven business models are accelerating, becoming critical to everything from manufacturing to services, some of which involve cross-border exchange. According to McKinsey, the cross-border bandwidth in use grew 148 times between 2005-2017, a proxy for the surge of information on the move.

Data flows also enable scientific advances, such as through the aggregation of anonymized health datasets for research, or to gather accurate data to benchmark progress on the United Nations Sustainable Development Goals (SDGs). Integrated technology – for instance, 5G and mesh networks or facial recognition and DNA barcoding of fish – helps translate biological and socio-economic knowledge sources in the environment into data that can be used for conservation action or law enforcement against illegal fishing, as just two examples.

As data use and movement rises, governments and citizens have taken interest. The Organisation for Economic Cooperation and Development (OECD) documents an increase in the cumulative number of data regulations, from around 50 worldwide in the early 2000s to just under 250 in 2019. The overall level of data restrictiveness as measured by the European Centre for International Political Economic (ECIPE)’s Data Restrictiveness Index has doubled in the past decade.

Cumulative number of restrictions on cross-border data flows (1960-2017)
Restrictions on cross-border data have steadily increased from 1960-2017.
Image: ECIPE

Restrictions on the movement of data abroad are on the rise, though the specific nature varies. Governments typically impose restrictions on data movement to achieve security, privacy, financial system management, law enforcement or intellectual property protection objectives. These are important and legitimate concerns in the digital economy.

But it’s not always clear how and to what extent data restriction regimes contribute to policy aims. Sometimes, they may even adversely affect the very data they seek to protect. For instance, a regulation on local data storage enforced on the grounds of increasing cybersecurity could do the opposite by creating multiple and sometimes insecure access points.

Conversations on data flows are also taking place alongside important debates on digital taxation, competition and fierce rivalry in the technology space – though wires can get crossed on what’s the best policy tool for specific challenges. A shift towards a world with limited data flows could slow or change the evolution of current business models and social opportunities.

To avoid that scenario, during its G20 presidency in 2019, Japan spearheaded the Osaka Declaration on the Digital Economy, where leaders of 45 economies affirmed the importance of international talks on data governance. Going forward, the Osaka Track will work to build consensus on best practices for allowing data to flow abroad, while not compromising other policy goals.

A newly released World Economic Forum paper highlights a few steps countries could take at home to collaborate on this cross-border challenge:

  • Conduct a technical analysis of a restrictive regulation to check whether it’s necessary and proportionate to the goal.
  • Estimate the economic costs of compliance, and whether it’s feasible for small and medium enterprises to bear the burden of such costs of doing business.
  • Be transparent. Clearly communicate about data regimes through publicly available information, advance notice of changes and clarifications on sanctions and enforcement mechanisms.
  • Aim for intergovernmental collaboration on related regulatory issues such as consumer protection, privacy, cyber-security, etc.
  • Put in place data transfer mechanisms – tools companies can use to comply with domestic rules even as data is transferred abroad and prevents overly restrictive approaches

International collaboration on data can take various forms, and some trade rules are already relevant. For example, the World Trade Organization (WTO) General Agreement on Trade in Services (GATS) applies to services trade that can be digitally delivered, but countries’ commitments and the scope of applicability vary.

Several countries have negotiated free trade agreements with specific rules marrying data flow pledges and data localization bans, with an emphasis on personal information protection. The rules come with exceptions for other over-riding policies.

Since the exceptions are quite wide-ranging, future trade deals may need to add regulatory cooperation to mitigate the need to use exceptions in the first place. In other words, if a policymaker has confidence an objective will be achieved even as it moves abroad, there is less reason to restrict.

For example, trade policy could encourage countries to use international standards as benchmarks for domestic approaches, such as the International Standards Organization (ISO)/International Electrotechnical Commission (IEC) 27000 set of cyber and information security standards. On privacy, regional groups such as the OECD and the Asia-Pacific Cooperation Forum (APEC) have set guidelines, though domestic implementation still results in a lot of divergence.

Data transfer mechanisms can bridge this divergence. Existing examples include the EU-US Privacy Shield or the APEC Cross-Border Privacy Rules. These systems have advantages and limitations. Not least, more thinking is needed on how to adapt them for developing countries with less advanced data governance structures, as well as to facilitate small business compliance. ASEAN economies are working on a data transfer mechanism to include certifications for data compliance across the region.

What is the World Economic Forum doing on cybersecurity

The World Economic Forum Platform for Shaping the Future of Cybersecurity and Digital Trust aims to spearhead global cooperation and collective responses to growing cyber challenges, ultimately to harness and safeguard the full benefits of the Fourth Industrial Revolution. The platform seeks to deliver impact through facilitating the creation of security-by-design and security-by-default solutions across industry sectors, developing policy frameworks where needed; encouraging broader cooperative arrangements and shaping global governance; building communities to successfully tackle cyber challenges across the public and private sectors; and impacting agenda setting, to elevate some of the most pressing issues.

Platform activities focus on three main challenges:

Strengthening Global Cooperation for Digital Trust and Security - to increase global cooperation between the public and private sectors in addressing key challenges to security and trust posed by a digital landscape currently lacking effective cooperation at legal and policy levels, effective market incentives, and cooperation between stakeholders at the operational level across the ecosystem.Securing Future Digital Networks and Technology - to identify cybersecurity challenges and opportunities posed by new technologies and accelerate solutions and incentives to ensure digital trust in the Fourth Industrial Revolution.Building Skills and Capabilities for the Digital Future - to coordinate and promote initiatives to address the global deficit in professional skills, effective leadership and adequate capabilities in the cyber domain.

The platform is working on a number of ongoing activities to meet these challenges. Current initiatives include our successful work with a range of public- and private-sector partners to develop a clear and coherent cybersecurity vision for the electricity industry in the form of Board Principles for managing cyber risk in the electricity ecosystem and a complete framework, created in collaboration with the Forum’s investment community, enabling investors to assess the security preparedness of target companies, contributing to raising internal cybersecurity awareness.

For more information, please contact info@c4c-weforum.org.

Determining the appropriate balance between permitting data to cross borders with other policy goals is not easy. However, it’s high time stakeholders engage in dialogue on the subject. We may not need to reinvent the wheel – existing tools and frameworks have laid the groundwork. Regulatory innovation and multi-stakeholder collaboration can help determine a workable path forward to keep the internet open.