Advancing Data Governance in the G7
Two years ago last month, Japan’s former prime minister Shinzo Abe gave a speech at Davos aimed at starting a global conversation about data governance. With more than 2.5 quintillion bytes of new data created every day, Abe noted, the global economy was increasingly driven by data, yet there were few globally accepted rules on the collection, processing, and sharing of data. In the two years since Abe’s speech, there has been a patchwork of efforts to advance rules and principles in this area, but there is still a long way to go toward creating a coherent global approach. As host of the Group of Seven (G7) in 2021, the United Kingdom has a chance to take the global conversation on data governance a few practical steps forward this year. Abe used Japan’s 2019 presidency of the Group of Twenty (G20) to put his concept of “data free flow with trust” (DFFT) on the global agenda. G20 leaders endorsed the somewhat elusive phrase in their communiqué at the Osaka summit. Abe was less successful in his goal of establishing an “Osaka Track” to carry work on DFFT forward. He did win endorsement of an “Osaka Declaration on Digital Economy” to advance work on electronic commerce rules in the World Trade Organization (WTO), but three G20 members—India, Indonesia, and South Africa—opted out, and the document made only a vague reference to broader data governance issues. A Divided WorldProgress toward a global consensus on data governance has been slow because of philosophical and regulatory differences among key economic blocs. The European Union has been most forceful in pushing its preferred approach, which starts with an emphasis on an individual’s right to privacy and to control of his or her own personal data. These rights were enshrined in EU law through the General Data Protection Regulation (GDPR), which came into force in May 2018. GDPR holds businesses—whether European or otherwise—to a high standard of security and transparency in handling the personal data of EU citizens and has become a de facto global standard. By contrast, the United States lacks federal data privacy legislation or a unified approach to data governance. Washington has taken a mainly hands-off approach, allowing the private sector to largely shape norms in this area. But with consumer privacy concerns rising and no federal response emerging, state legislatures, led by California, began to adopt their own legislative variations on GDPR and other existing models. Despite increasing consensus in the U.S. Congress that federal data privacy legislation is necessary, no bill has garnered broad support yet. However, there could be movement under the Biden administration, driven by both Vice President Kamala Harris’ interest in the issue and rising China-related national security concerns. China’s approach to data governance represents a third global model that has some of the formal trappings of the EU approach but is very different in practice. Data in China are considered a strategic asset of the state and have been subject to tightening regulatory controls. Under a draft Personal Information Privacy Law formally modeled on GDPR and issued for public comment in October of 2020, Chinese citizens will in theory enjoy strict data privacy protections, including high barriers to the collection of personal data. However, the Chinese government holds legal authority to access nearly any data on the basis of national security. The draft privacy law also contains extraterritorial provisions that would apply to foreign entities processing or analyzing data on Chinese citizens. Beyond different approaches to privacy, there is an array of other data-related issues on which global consensus remains elusive. One critical debate is over the rules governing transfer of data across borders. Many countries have imposed data localization requirements, which mandate that data be stored or processed locally. The United States, Japan, and other advanced countries have argued against data localization and advocated for essentially free flow of data across borders, stressing the financial, health, and other benefits of cross-border flows. In addition to these debates, there are significant differences over the national security dimensions of data governance and the appropriate role of government intervention in the digital economy. Clarifying “Trust”The Japanese concept of DFFT could be useful as a lodestar to guide international discussions on convergence toward a global approach to data governance. However, this will likely require greater definition of the “T” in DFFT: trust. At a public event at CSIS in December 2020, Director General of the Economics Bureau of Japan’s Ministry of Foreign Affairs Noriyuki Shikata acknowledged that trust is a broad concept subject to different interpretations, but said the term allowed room for international discussions among relevant stakeholders to develop common rules addressing different dimensions of trust. However, the term’s ambiguity could undermine DFFT’s success, since different actors—citizens, businesses, and government, both within and among countries—have at least some degree of mistrust of each other, and policies to establish greater trust across these groups could impede the benefits of free flows of data. One area in which the debate about trust is playing out is government access to individuals’ personal data held by private companies. The now infamous “Schrems 2.0” decision by the European Court of Justice in the summer of 2019, which invalidated the U.S.-EU Privacy Shield, was the result of an Austrian citizen’s taking issue with U.S. intelligence agencies’ authority to access his personal data; this, he argued, was a breach of his right to privacy through the Charter of Fundamental Rights of the European Union. The court’s ruling had wide-sweeping ramifications: the over 5,000 U.S. companies that relied on the U.S.-EU Privacy Shield are now individually tasked with assessing the sufficiency of data privacy laws in the destination country before exporting personal data, an expensive new burden. Schrems 2.0 prompted work by the Organisation for Economic Co-operation and Development (OECD) to develop high-level principles for trusted government access to personal data held by the private sector. A Plethora of PrinciplesThe OECD has become an important player in advancing broader global principles and standards on data governance. The Paris-based organization representing 37 mainly advanced countries is launching a two-year horizontal project on data governance in 2021 and 2022, clearing the way for an organization-wide, interdisciplinary approach. As explained by Andrew Wyckoff, the OECD’s director for science, technology and innovation, at the December CSIS event, the project is designed around four modules: access, control, and sharing of data; cross-border data flows; the impact of data on business models, market dynamics, and market structure; and data measurement and classification. Progress in all of these areas is important to establishing international consensus on data governance. Beyond the OECD, there is a plethora of other efforts around the world to define principles, rules, and norms of data governance. Following the Osaka summit, G20 ministers responsible for the digital economy met and outlined a broad agenda for potential joint work on data governance (though new commitments were few). Meanwhile, industry groups have formed a Global Data Alliance to develop high standards of data responsibility and instill trust in the digital economy. Think-tank scholars have also gotten into the game, including two colleagues from CSIS who in 2019 put forward a set of principles to advance global consensus on data governance. Data rulemaking has also become a central element of global and regional trade negotiations. The WTO’s negotiations on trade-related aspects of electronic commerce were launched at Davos in 2019, with 86 members (including China) now participating. The group plans to make a concerted push to reach agreement on data flows ahead of the 12th WTO Ministerial Conference due to be held later this year, although expectations for early progress in a group of this size and diversity are low. Digital rules have also been embedded in a series of plurilateral and bilateral trade agreements, including the Trans-Pacific Partnership (TPP), the U.S.-Mexico-Canada Agreement, and the U.S.-Japan Digital Trade Agreement. And the Asia-Pacific Economic Cooperation (APEC) forum has been working for a number of years to develop digital norms in the region, including through its Cross-Border Privacy Rules (CBPR), an opt-in alternative for both companies and countries that bridges gaps between regulatory systems. The G7 in 2021As host of the G7 in 2021, the United Kingdom has an opportunity to pull some of these disparate strands of work on data governance together and move closer to global consensus. The G7 has worked for nearly 50 years to coordinate economic policies among the world’s largest market economies. Digital issues have been formally on the G7 agenda since the 2016 Ise-Shima summit. Despite concerns about its representativeness in today’s changed global economy, the G7 still has an important role to play in advancing global economic norms. The United Kingdom has identified digital governance as an important element of the 2021 G7 agenda, both as a standalone topic and in informing policy responses to other challenges such as Covid-19. While acknowledging that the pandemic and the economic disruption related to it will be priorities for the United Kingdom’s host year, Heulwen Philpot, deputy director for G7/20 policy in the Cabinet Office, stressed at the December CSIS event the importance of getting something tangible done on digital issues. She noted that the United Kingdom will convene a meeting of G7 digital and technology ministers in the spring and a broader “future tech forum” later in the year. The G7 presidency is the first opportunity for “Global Britain” to prove its leadership credentials since its withdrawal from the European Union, and data governance is one area where London can steer progress on an important, if complex, issue. A Way ForwardBased on our findings from a series of CSIS expert roundtables last fall, we offer three modest recommendations to the UK G7 hosts for taking the conversation on data governance forward in 2021. First, seek small but tangible progress. Nothing breeds cynicism like a G7 communiqué full of lofty goals and vague “action plans” unlikely to be fulfilled. The G7 host can gain more credibility by laying down some “bricks in the road” toward a long-term goal that most agree is desirable. Agreement on all aspects of data governance will not be possible at one meeting, but incremental progress can be built upon by future G7 hosts and in other international forums. The G7 would do a useful service in 2021 if it were simply to shed light on dimensions of the data story that are not well understood: among other things, by cataloguing different types of data (the flight data produced by an airplane, for example, are very different from data on an individual’s shopping habits); defining key terms such as “access,” “control,” and “trust”; and mapping out the different data regimes in G7 countries and beyond, showing where they align and where there are conflicts or gaps. Second, work toward a set of G7 data governance principles. As noted earlier, there is much good work underway around the world that can be drawn on for this purpose—in the OECD, among industry groups and think tanks, in trade agreements, and so on. Distilling these into a shortlist of core principles on issues such as privacy, security, and data flows would be useful in setting a common baseline for policy, in shaping global rules and norms, and—importantly—in allowing for greater interoperability among different data regimes in member countries. If agreement cannot be reached in one year, G7 leaders could task relevant ministers to work out agreed principles for endorsement by leaders in Germany’s G7 host year in 2022. Third, use the G7’s influence to shape broader global work on data governance. This starts by pulling G7 outreach countries such as Australia, South Korea, and India into the group’s work on principles. Deepening partnerships with the private sector and other nongovernmental actors is also critical. Once they reach a common approach, G7 countries can then use their still-formidable influence as the world’s seven largest advanced market economies to drive debate publicly and via other forums such as the G20 and WTO. As noted in previous writings by the CSIS Economics Program, data governance represents the missing “fifth pillar” of the global economic order, after the three Bretton Woods institutions and the energy-related arrangements of the 1970s (including the G7 itself). Data of all kinds are too important an element of the twenty-first century global economy not to have a system of broadly agreed rules and norms underlying them. Former prime minister Abe planted a useful seed two years ago with his concept of “data free flow with trust.” As this year’s G7 host, the United Kingdom has a chance to lay a few solid bricks in the road toward that worthwhile objective. Matthew P. Goodman is senior vice president and directs the Economics Program at the Center for Strategic and International Studies (CSIS). Pearl Risberg is research associate with the Economics Program.
This piece is made possible through the generous support of the Ministry of Foreign Affairs, Japan. |