The world needs a new approach to enabling data flows to move across borders in a global digital economy, according to the UN Conference on Trade and Development (UNCTAD). The trouble is, the direction of travel appears to be in the opposite direction as a separate study from Salesforce suggests.
In the words of António Guterres, Secretary-General United Nations:
It is more important than ever to embark on a new path for digital and data governance. The current fragmented data landscape risks us failing to capture value that could accrue from digital technologies and it may create more space for substantial harms related to privacy breaches, cyberattacks and other risks…A holistic global policy approach has to reflect the multiple and interlinked dimensions of data and balance different interests and needs in a way that supports inclusive and sustainable development with the full involvement of countries trailing behind in digital readiness.
But in UNCTAD’s Digital Economy Report 2021 - Cross-border data flows and development: For whom the data flows, the main conclusion is rather different:
Existing institutional frameworks at the international level are not fit for purpose to address the specific characteristics and needs of global data governance. For it to be effective, a new global institutional framework is most likely needed, with the appropriate mix of multilateral, multi-stakeholder and multidisciplinary engagement.
Why it matters
There are good reasons for global governance of data and getting cross-border data flows moving, the report argues, citing enabling global data-sharing and development of public goods that could help address major global development challenges, such as poverty, health, hunger and climate change.
There’s also a need to avoid further fragmentation of the Internet infrastructure and the digital space through technical co-ordination. This becomes particularly important as 5G and Internet of Things are rolled out, as well as meeting the crisis demands for data sharing to cope with the COVID pandemic:
Without a coherent underlying global governance framework to create trust, this increases the chance of a backlash in terms of data-sharing. It would also amplify already existing concerns over the lack of transparency in the data value chain, and over the unequal distribution of benefits from data.
But what is happening in practice is an uptick in national regulations on cross-border data flows and data sovereignty that increases compliance costs and does not encourage or facilitate international trust.
Breaking down the top-line findings, the Agency pulls out a number of key points.
Data flows are hard to measure, but growing fast.
UNCTAD notes that two countries dominate the data-driven digital economy, the US and China:
Together, they account for half the world’s hyperscale data centres, the highest rates of 5G adoption in the world, 94 per cent of all funding of AI start-ups in the past five years, 70 per cent of the world’s top AI researchers, and almost 90 per cent of the market capitalization.
This has led to the creation of another data/digital divide at a time when a more unified approach is needed:
In this new configuration, developing countries may find themselves in subordinate positions, with data and their associated value capture being concentrated in a few global digital corporations and other multinational enterprises that control the data. They risk becoming mere providers of raw data to global digital platforms, while having to pay for the digital intelligence obtained from their data.
There is no common understanding what data flows are and what they can empower.
UNCTAD argues that it cross-border data flows cannot be approached with the same mindset as cross-border trade:
There are significant difficulties in reconciling the notion of national sovereignty traditionally associated with country territories and the borderless nature, globality and openness of the digital space in which data flow. Digital sovereignty is often associated with the need to store data within national borders, but the link between the geographic storage of data and development is not evident. Assigning territoriality to cross-border data flows is also a challenge. Data can be better understood as shared, rather than as traded or exchanged.
There are diverging approaches to governing data and cross-border data flows.
UNCTAD isolates three main governance approaches that have particular influence:
The approach of the United States focuses on control of the data by the private sector. The Chinese model emphasizes control of data by the Government, while the European Union favours control of data by individuals on the basis of fundamental rights and values. The current context is one of tensions among these areas, particularly between the United States and China.
From a tech sector perspective, a new white paper from Salesforce, the second edition of its Cross-Border Data Flows Index (CBDFI) comes to similar conclusions. The Index, prepared by Access Partnership, is a quantitative measure of G20 economies’ approach to cross border data flows.
It examines the impact of regulations and provisions governing cross border flows across eight key dimensions - data localisation requirements; explicit provisions allowing for international or extraterritorial transfers of personal data; specific mechanisms by which personal data is allowed to be transferred, subject to conditions; presence of a data classification framework which enables cross-border data flows; consent requirements for the cross-border collection, storage, and dissemination of personal data; GDPR participation; participation in the APEC Cross-Border Privacy Rules; and whether a government has offered indications of being favourably or unfavourably positioned on supporting cross-border data flows.
First published in 2019, the updated Index comes to the grim conclusion that data regulations among G20 economies are becoming more restrictive with data sovereignty concerns on the rise. That all leads to more complexity and compliance demands, which in turn means extra costs for business and less trust and transparency between economies:
Recent policies and regulations in G20 economies risk undermining cross-border flows, ranging from highly restrictive data localisation mandates to policy statements about placing limits on the movement of data. At the same time, among G20 economies, the divergence in the requirements for cross-border transfers of personal data appears to be increasing, even as digital consumption has skyrocketed through the pandemic.
In terms of global rankings, Japan tops the Index for the second time, followed by the UK which is praised for its “open and forward-looking approach in enabling cross-border flows of data and also protection of personal data”. Given that Brexit Britain is now openly looking to move away from full alignment with GDPR and risks losing its data adequacy deal with the EU in the process, the third edition of the Index will make for some interesting reason.
The EU itself, architect of GDPR, is criticised for a growing emphasis on digital sovereignty, which the Index report argues leads to business uncertainty. Meanwhile at the bottom end of the scale are countries like India, China and Russia, all of which have in place or are threatening strict regulations on data transfer.
What to do?
For its part, the Salesforce report makes a number of recommendations, including:
- Promote convergence and interoperability in privacy laws, via governments basing them on international standards, such as the OECD Privacy Principles and APEC Privacy Framework.
- Expand bilateral and multilateral agreements with clear rules on how to provide access to information needed for supervision or law enforcement can enhance trust and confidence among countries.
- Make trusted data sharing frameworks the default by including robust data protection provisions, cybersecurity and data classification frameworks.
- Encourage innovation through forward-looking policies and regulations that can adapt to concerns fuelling data sovereignty.
- Enable government policies directed at helping digitise public and private sector, subject to having settings that enable free flow of data in their jurisdiction.
Stéphanie Finck, VP of Government Affairs, EMEA at Salesforce says:
The pandemic has accelerated the digitisation of the economy, underscoring the importance of data flows to economic recovery and growth. This report highlights that as our customers shift to the cloud - whether governments or businesses - they need predictable rules to enable the free flow of data. This has never been more important in an all-digital, work-from-anywhere world.
The UN report would, inevitably, rather that everyone hands the problem over to it, in the form of a new institutional body dedicated to the issue, arguing:
For global debates on the governance of data and cross-border data flows to be fully inclusive, they should ideally take place under the auspices of the United Nations, the most inclusive international forum in terms of country representation.
Any international framework for governing cross-border data flows needs to complement and be coherent with national policies for making the data-driven digital economy work for development. It will need to be flexible, so that countries with different levels of readiness and capacities to benefit from data have the necessary policy space when designing and implementing their development strategies in the data-driven digital economy.
And it concludes with a warning:
At the same time, national policies or strategies for development in this context are likely to fail if they do not keep the global perspective in mind.
There’s certainly a problem here that needs tackling. Whether the solution to that lies in the shape of another United Nations agency is far from certain, but someone is going to have to take a stronger lead here. Both reports are well worth a read for a good perspective on the issues at stake, although be warned, the UNCTAD version is a lengthy tome to plow through.