'Agile governance' could redesign policy on data protection. Here's why that matters

Agile governance will be key to driving technology regulation. Image: Scott Graham/Unsplash

Nicholas Davis
Professor of Practice, Thunderbird School of Global Management and Visiting Professor in Cybersecurity, UCL Department of Science, Technology, Engineering and Public Policy
Mark Esposito
Chief Learning Officer, Nexus FrontierTech, Professor at Hult International Business School
Landry Signé
Senior Fellow, Global Economy and Development Program, Brookings Institution
  • Technology regulation is evolving rapidly but remains fragmented across national and regional divides.
  • Agile governance can potentially address the issue by creating a nimbler and more adaptive approach to regulation.
  • But we need to overcome the constraints that agile governance faces in real-world settings to embrace this form of policymaking.

Although technology regulation is evolving rapidly in today's world, such regulation remains greatly fragmented across national and regional divides. Agile governance can potentially solve this fragmentation by promoting nimbler, more fluid, and more adaptive approaches to regulation.

Whether it is privacy, cyber security, cyber warfare, national security, or prohibited content, every hot-button issue in technology governance today seems to be of global concern, yet resides in the hands of nationally-focused lawmakers relying on outdated policies that continue to reinforce the fragmentation of technology regulation.

Take data protection, for example. The EU's General Data Protection Regulation (GDPR), which was first proposed in 2012 and came into effect in 2018, is essentially an international privacy law for data protection. Any organization that processes any personal data from any EU citizen is covered.

Beyond its extraterritorial impact, it has inspired similar efforts to update and improve data protection in other jurisdictions, such as in Japan, Chile, Egypt, and the state of California in the United States.

‘Patchwork’ of data regulation

This flurry of GDPR-inspired activity raised hopes that data protection would become more consistent over time. Indeed, there are established mechanisms for precisely this. For more than 20 years, the European Commission has conferred "adequacy" rulings on national regimes that meet its strict data protection standards, allowing personal data to flow unimpeded across borders. However, only a handful of countries and territories have received the European Commission's "adequacy" decision, including Japan and the United Kingdom.

There is no systematic and all-inclusive privacy law regulating all private parties in other countries. In the US, for example, there is a patchwork of state and federal laws, most of them focused on specific industries, such as the Health Insurance Portability and Accountability Act (HIPAA) in healthcare and the Gramm-Leach-Bliley Act (GLBA) for entities in the financial sector.

Meanwhile, China's data protection laws focus on strong government control, public order, and national security. These laws include its 2017 Cybersecurity Law, its 2021 Data Security Law, and the upcoming Personal Information Protection Law. They include broad requirements on data localization and have an extraterritorial effect.


Asia has seen perhaps the greatest transformation in the area of data privacy in the last decade. Before 2020, only six countries had comprehensive data privacy laws. Between 2010 and 2020, 20 jurisdictions enacted new data privacy laws, and seven undertook amendments. Five of these have extraterritorial provisions, and while they all share similar data protection elements, all differ from one another and other regions in important ways.

Furthermore, even if GDPR compliance is equivalent to "gold-plating" your firm's system, a global firm will still need to check that its systems fit the idiosyncratic data protection requirements across 20 markets in Asia alone.

Regulatory fragmentation is about more than just costs to firms, however. It also matters because greater complexity and diversity across jurisdictions means that consumers are less likely to be well-protected. Moreover, and less often discussed, fragmentation impedes governments' implementation and enforcement. By contrast, a consistent approach makes inter-agency cooperation and information sharing far easier to achieve.


The concept of agile governance is one solution to this fragmentation. Just this past December, Canada, Denmark, Italy, Japan, Singapore, the United Arab Emirates and the UK signed the first "Agile Nations" agreement to incorporate the principles of agile governance into their regulatory environment.

Agile governance promotes nimbler, more fluid and more adaptive approaches to governance. It draws inspiration from agile software development, embodied by the principles of The Agile Manifesto.

Agile governance does not prioritize regulatory design or implementation speed, as too much speed can threaten the inclusiveness of policy processes or outcomes.

Instead, the idea of agile governance suggests that more proactive, inclusive and iterative approaches to policy design can create rigorous systems that are more effective and representative than traditional processes, even within compressed time periods.

Data policy should be outcome driven

One central idea of agile governance is that policymaking should be outcome driven and evidence-based while recognizing that contexts and needs change throughout a policy project.

This approach requires ongoing collaboration between a wide range of stakeholders to ensure that knowledge flows into policies effectively and inclusively, which then enjoy greater legitimacy.

Agile governance also recognizes that the architectures and rules that guide our behaviour – particularly in the world of technology – extend far beyond the incentives, regulations and laws created in the public sector.

Business models, corporate policies, software, product design, and technological infrastructure can all influence user behavior and outcomes for citizens more so than public policy. As a result, new models of collaborative governance across sectors are required to meet the challenges and opportunities of the 21st century.


The World Economic Forum has identified eight approaches and more than 100 examples of agile governance worldwide. Many governments are trialling policy labs, sandboxes and crowdsourcing efforts.

Other examples include novel forms of industry-led self-regulation, the concept of super regulators, setting shared ethical principles, new approaches to standards creation and enforcement, and the creation of collaborative governance ecosystems across jurisdictions.

Agile governance puts pressure on governments to innovate in engaging with a broader range of stakeholders. Most public sector institutions and agencies will require an investment in the skills and resources related to cross-sector collaboration and in approaches to knowledge management, systems thinking and design thinking.

Three constraints to agile governance

However, there are three increasingly important constraints to agile governance, the first of which is limited policy space. The legal, economic, and technological implications of living in a globalized world mean that not all policy options are fully available to sovereign states.

The second constraint is stakeholder engagement. In addition to privileging their interests, stakeholders often possess very divergent views about what policies are possible and how to weigh different trade-offs – but engaging them is costly.


Finally, the third constraint is trade-offs. All policy options come with trade-offs, which are very difficult to assess ahead of time and can be challenging to measure after the event.

Agile governance can help solve the growing fragmentation of technology regulation. However, we cannot reap the benefits of this new mode of governance and policymaking unless we continue to overcome the constraints that agile governance faces in real-world settings.

License and Republishing

World Economic Forum articles may be republished in accordance with the Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International Public License, and in accordance with our Terms of Use.

The views expressed in this article are those of the author alone and not the World Economic Forum.
