Data Is Deglobalizing

Many governments have started to question the merits of the unrestricted approach favored by the United States. Some, such as China and Russia, restrict the transfer of most types of data. For example, China’s Cybersecurity Law, in effect since last year, requires personal information and other important data to be stored within China.

While China’s approach remains controversial even in China, other governments too are imposing various barriers to cross-border data flows. The most prominent of these is the European Union General Data Protection Regulation (GDPR), which took effect May 25, 2018. Aimed at strengthening EU residents’ ability to protect their personal information, GDPR permits data transfers only to countries deemed as providing adequate data protection. Exceptions are permitted under certain conditions, such as in the context of binding and enforceable corporate rules.

In India, where the number of digital payments is growing by more than 30% annually, the central bank has ruled that digital payment enablers must ensure that all payment data is stored only on servers within India. Further, inspired by GPDR, a government task force submitted a draft of a broader personal data protection bill. While proposing that a copy of most types of personal data be kept on servers within India, the bill leaves it up to the government to decide which data cannot be transferred out of India at all. The draft bill has generated much debate, including some concern from global technology giants as well as Nasscom, India’s IT industry body.

What Policy Makers Should Consider

Instead of either extreme—data islands or unfettered data globalization—policy makers should aim for more nuanced solutions. These solutions lie at the intersection of technology development by companies and policy formulation by governments.

First, policy makers need to adopt a risk-based approach. The flows of extremely sensitive data may need to be strictly controlled. Such data would include most types of personal information including gender, sexual orientation, health record, political orientation, and the like, in which specific bits of data are or can be connected to personal identifying information. For such data, the risks of cross-border sharing far exceed any likely benefits. At the other extreme, cross-border flows of certain types of private or public data, such as well production for a global oil producer or anonymous aggregated statistics, may be better left unfettered. For such data, the benefits of cross-border sharing far exceed any likely risks.

Second, a federated ecosystem model may be viable in those cases in which, though the data is highly sensitive, the benefits of data sharing are strong. The Beacon Project, spearheaded by the Global Alliance for Genomics and Health, illustrates how a federated model could work: Data sets remain protected within national boundaries, but depending on the level of access granted to an organization, they can be queried individually or in aggregate through the Beacon Network. The World Economic Forum is spearheading Breaking Barriers for Health Data, a project that deploys federated database queries for transferring and processing health care data.

Third, in some contexts, a multinational company may be permitted to aggregate global data in a secure manner with the condition that a mirror image of the data pertaining to a country’s residents be stored locally. India’s finance ministry has proposed this approach to the central bank. The ministry’s argument is that, unlike strict data localization, a mirroring approach would achieve both goals better—enabling the central bank to access payment data while also enabling Indians to benefit from integration with the global fintech sector.

Fourth, largely unfettered data flows should be part of regional trade agreements. The Comprehensive and Progressive Agreement for Trans-Pacific Partnership (the former Trans-Pacific Partnership minus the United States) includes explicit and binding language for cross-border data flows. The ongoing NAFTA negotiations also include provisions for the free flow of data. The European Union too is working on new provisions to be incorporated into all future trade pacts, aimed at striking a balance between the right to data protection and free digital trade.

Fifth, in contexts in which digital trade agreements do not exist and are unlikely in the foreseeable future, develop nonbinding norms and principles, leaving implementation to national governments. Global accounting standards have evolved through such a process. International Financial Reporting Standards (IFRS), a principle-based standard, are followed by over 100 countries. In contrast, the United States follows Generally Accepted Accounting Principles (GAAP), a rule-based standard. Slowly but steadily, the two sets of standards are converging. A similar bottom-up approach could play a role in the governance of cross-border data flows.

The Asia-Pacific Economic Cooperation (APEC) region, comprising 27 countries, including the United States, illustrates the potential for a bottom-up approach. APEC developed the Cross-Border Privacy Rules system, a principle-based framework for greater privacy protection as well as greater data flows.

Finally, as blockchain technology becomes more widely implemented, it could underpin some types of cross-border data flows. Blockchain ensures security, is tamper-proof, and enables the tracking of every transaction. Companies are rapidly adopting blockchain technology for the storage and sharing of global supply chain data. For example, some have started developing blockchain-based registries of every certified diamond in the world, enabling the complete tracing of a stone’s movement from the mine to the consumer. Because blockchain relies on a distributed ledger system that is immutable and permanent, regulations to protect personal data will become essential when developing such solutions.

As every business becomes a data business, the future of globalization rests increasingly on cross-border flows of data rather than goods. Given the large and growing benefits of digital globalization, this is a welcome development. Yet valid concerns about risks to individual privacy and national security cannot be dismissed. Instead of an all-or-nothing approach, more nuanced solutions are likely to be the optimal ones.

TAKEAWAYS

Several governments have begun to question the unrestricted cross-border flow of data, but too many regulations could create data islands, trapping consumers on safe islands but cutting them off from the benefits of tighter links to the global digital economy such as access to digital goods and services. Policy makers should aim for more nuanced solutions to avoid the extremes of unfettered data or data islands.

• Policy makers should adopt a risk-based approach that controls the flow of extremely sensitive data, such as most types of personal information. For this data, the risks of cross-border sharing far exceed any likely benefits.
• For data that is highly sensitive but the benefits of sharing are strong, policy makers could create a federated model in which data sets remain protected within national boundaries but could be queried depending on the level of access granted to an organization.
• Policy makers should make largely unfettered data flows part of regional trade agreements. For contexts in which digital trade agreements don’t exist and aren’t likely in the foreseeable future, policy makers should develop nonbinding norms and principles and leave implementation to national governments.
• As blockchain becomes more widely implemented, policy makers should see where that technology replaces the need for cross-border data flow restrictions.

Authors’ note: The views and opinions expressed in this article are those of the authors alone and not those of the World Economic Forum or the University of Maryland at College Park.

Adapted from content posted on hbr.org, August 30, 2018 (product #H04IRY).