Many governments are currently rethinking their policies regarding cross-border data flows. Although cross-border data flows grew 45x between 2005 and 2014, according to a McKinsey analysis, events since 2014 have pushed the pendulum to swing away from unconstrained data globalization.
Some policy makers are concerned about individual privacy rights, consumer rights regarding the ownership of data, domestic law enforcement, and cybersecurity. Others are driven by the desire to control or censor online media. Still others hope to create market barriers for global companies — a form of digital protectionism.
Our view is that too much regulation will create, in effect, data islands, which will in turn prevent citizens and consumers trapped on those islands from enjoying the many benefits of tighter links to the global digital economy. These include access to digital goods and services, being part of global supply chains, accelerating and partaking in the fruits of innovation, and helping citizens access information, entertainment, and connectivity on a worldwide basis.
Data Is Deglobalizing
Many governments have started to question the merits of the kind of the unrestricted approach favored by the Unites States. Some, such as China and Russia, restrict the transfer of most types of data. For example, China’s Cybersecurity Law, in effect since last year, requires personal information and other important data to be stored locally within China.
While China’s approach remains controversial even within China, other governments too are imposing various types of barriers to cross-border data flows. The most prominent of these is the EU’s General Data Protection Regulation (GDPR) which took effect on May 25, 2018. Aimed at strengthening EU residents’ ability to protect their personal information, GDPR permits data transfers only to countries deemed as providing adequate data protection. Exceptions are permitted under certain conditions, such as in the context of binding and enforceable corporate rules.
In India, where the number of digital payments is growing over 30% annually, the central bank has ruled that digital payment enablers must ensure that all payments data be stored only on servers within India. Further, inspired by GPDR, a government task force recently submitted the draft of a broader Personal Data Protection Bill. While proposing that a copy of most types of personal data be kept on servers within India, the bill leaves it up to the government to decide which data cannot be transferred out of India at all. The draft bill has generated much debate, including some concern from global technology giants as well as Nasscom, India’s IT industry body.
What Policy Makers Should Consider
Instead of either extreme — data islands or unfettered data globalization — policy makers should aim for more-nuanced solutions. These solutions lie at the intersection of technology development by companies and policy formulation by governments.
First, policy makers need to adopt a risk-based approach. The flows of extremely sensitive data may need to be controlled strictly. Such data would include most types of personal information including gender, sexual orientation, health record, political orientation, and the like, where specific bits of data are or can be connected to personal identifying information. For such data, the risks of cross-border sharing far exceed any likely benefits. At the other extreme, cross-border flows of certain types of private or public data, such as well production for a global oil producer or anonymous aggregated statistics, may be better left unfettered. For such data, the benefits of cross-border sharing far exceed any likely risks.
Second, a “federated” ecosystem model may be viable in those cases where, though the data is highly sensitive, the benefits of data sharing are strong. The Beacon Project, spearheaded by the Global Alliance for Genomics and Health, illustrates how a federated model could work: Data sets remain protected within national boundaries, but depending on the level of access granted to an organization, they can be queried individually or in aggregate through the Beacon Network. The World Economic Forum is spearheading Breaking Barriers for Health Data, a project that deploys federated database queries for the transferring and processing of health care data.
Third, in some contexts, a multinational company may be permitted to aggregate global data in a secure manner with the condition that a mirror image of the data pertaining to a country’s residents be stored locally. India’s finance ministry has proposed such an approach to the central bank. The ministry’s argument is that, unlike strict data localization, a mirroring approach would achieve both goals better — enabling the central bank access to payments data while also enabling Indians to benefit from integration with the global fintech sector.
Fourth, make largely unfettered data flows part of regional trade agreements. The CPTPP (the former TPP minus the U.S.) includes explicit and binding language for cross-border data flows. The ongoing NAFTA negotiations also include provisions for the free flow of data. The EU too is working on new provisions to be incorporated into all future trade pacts, aimed at striking a balance between the right to data protection and free digital trade.
Fifth, in contexts where digital trade agreements do not exist and are unlikely in the foreseeable future, develop nonbinding norms and principles, leaving implementation to national governments. Global accounting standards have evolved through such a process. International Financial Reporting Standards (IFRS), developed through a principles-based approach, are followed by over 100 countries. In contrast, the U.S. follows Generally Accepted Accounting Principles (GAAP), developed through a rules-based approach. Slowly but steadily, the two sets of standards are converging. A similar bottom-up approach could play a role in the governance of cross-border data flows.
The Asia-Pacific Economic Cooperation (APEC) region, comprising 27 countries including the United States, illustrates the potential for a bottom-up approach. APEC has recently developed the Cross-Border Privacy Rules system, a principles-based framework, aimed at ensuring greater privacy protection as well as greater data flows than might be the case in the absence of a framework.
Last but not least, as blockchain technology becomes more widely implemented, it could underpin some types of cross-border data flows. Blockchain assures security, is tamper-proof, and enables the tracking of every transaction. Companies are rapidly adopting blockchain technology for the storage and sharing of global supply chain data. For example, some have started developing blockchain-based registries of every certified diamond in the world, thereby enabling the complete tracing of the movement of a stone from the mine to the consumer. Because blockchain relies on a distributed ledger system that is immutable and permanent, regulations to protect personal data will become essential when developing such solutions.
As every business becomes a data business, the future of globalization rests increasingly on cross-border flows of data rather than goods. Given the large and growing benefits of digital globalization, this is a welcome development. Yet valid concerns about risks to individual privacy and national security cannot be dismissed. Instead of an all-or-nothing approach, more-nuanced solutions are likely to be the optimal ones.
You can find the original posting here at the Harvard Business Review
Copyright © 2018 Harvard Business Review. All Rights Reserved.