Cross-border data flows underpin every aspect of our lives. From business—cloud services and customer relationship management—to distance learning, medical, scientific and clinical research, telemedicine, the fight against crime online, the processing and transfer of personal and non-personal data are integral to many of these exchanges, making data a key pillar of our economies and society at large. Data is a crucial infrastructure – both statistical data and sectoral data – to foster the Sustainable Development Goals.
At the Internet Governance Forum (IGF), which took place in Addis Ababa from 28 November to 2 December 2022, the International Chamber of Commerce organized a workshop on building trust in cross-border data flows and the issues that arise when personal and sensitive data are exchanged. The discussion yielded some interesting takeaways on how to share personal data while respecting rights, such as data protection and privacy, and on how the balancing of this highly complex challenge is manifesting across different policy contexts and geographic regions.
This blog captures key takeaways from a conversation at the IGF between Timea Suto, Global Digital Policy Lead at the International Chamber of Commerce (ICC), and Carolina Rossini, Director of Research and Partnerships at the Datasphere Initiative, and offers ways forward.
The recording of the IGF workshop can be accessed here.
What is the role of international data flows in the economy and society?
Carolina: From health, mobility, and trade to AI and technological developments and humanitarian aid, data affects all sectors of the economy and society. By allowing it to flow freely, both public and private actors are able to provide better services. Cross-border data flows raise various concerns, however, presenting overlapping technical (e.g. quality, replicability, and interoperability), security (e.g. breaches), economic (e.g. various interpretations of “data value”), and human rights challenges (e.g. privacy and consequences of Equality, Freedom of Expression and Assembly).
Additionally, with an increasing number of manifestations of different actors and communities via the publication of sets of values and principles, collectors and users of data, especially personal data, have to recognize and navigate such needs. Yet, we do believe that the value of data is maximized when it is flowing and used with trust and in a rights-respecting way across borders and sectors.
Why do we need to build trust in international data flows?
Timea: Growing mistrust in data and data flows is seriously impacting global trade and everyday business operations across all sectors.
Estimates show the consequences of this mistrust can cost European economies alone an average of 4% in export reduction or up to 1.3 trillion euros in market value loss annually. The same scenario applies to all data-reliant economies. This is an increasingly pressing issue as governments all over the world are looking to rebuild following the Covid-19 pandemic and supply chain and geopolitical crises.
However, trust in international data flows is being eroded over concerns that government demands to access data may conflict with universal human rights and freedoms, including privacy rights, or cause concerns and conflicts with domestic laws when such access transcends borders. These increased concerns and reduced trust have led to uncertainty that may discourage individuals’, businesses’, and even governments’ participation in a global economy, negatively impacting inclusive and resilient economic growth, in particular when they are used as a rationale for compelled data localization measures.
What are the challenges?
Carolina: One of the fundamental challenges to address when building trust to enable the free flow of data is the diversity of cultures, even within a country, and legal contexts.
Different communities approach data governance from diverse perspectives and against different historical backgrounds that temper their trust, which adds to the complexity of the issue and contributes to a currently fragmented setting.
The lack of common definitions and vocabulary – which not only impacts the legal realm but also the technical – in addition to the multiplicity of stakeholders involved only adds to the complexity. The challenge is, therefore, how to build agreement and bring people together to find some form of common ground or, at least, clear paths for interoperability at the various layers of this challenge. Inclusion is a fundamental element in these discussions to support trust in outcomes, and needs to be transversal to all policies, frameworks and solutions developed.
Timea: Addressing the trust deficit also requires robust and comprehensive privacy regulations, with firm commitments to protecting the rights and freedoms of individuals.
Government access to personal data is necessary to protect public safety and national security, but access without safeguards inevitably leads to abuse, violations of individuals’ fundamental rights, and a loss of trust in data flows.
The extent and means by which a government can compel access to private organizations’ data on behalf of the public interest are governed by domestic regulatory frameworks. Legal barriers to data transfers can arise from differences in laws governing government access and discrepancies in safeguards when data transcends borders. At the same time, companies that receive government requests for data they hold must decide (a) whether the demand is lawful; (b) whether any cross-border demand presents a conflict of law between jurisdictions in which they operate; (c) how much data they are compelled to disclose; and (d) what information about their responses to these demands may be disclosed to customers and the public. These concerns also significantly contribute to the public sector’s reluctance to deploy digital technologies broadly, fearing that this would potentially expose their public sector data to third-party governments that may demand access.
How can we build this trust?
Timea: High-level principles and safeguards for government access to personal data held by the private sector are an essential first step in addressing cross-border data flows with trust, providing a much-needed foundation that can lead to more scalable measures and global dialogues.
These principles must be based on international human rights law, which may demand protections that some countries do not currently have in place.
In addition, cooperation is needed between governments and stakeholders, including business and multilateral organizations, to advocate for interoperable policy frameworks that would facilitate cross-border data flows, enabling data to be exchanged and used in a trusted manner, thereby aiming for high privacy standards.
Carolina: Collective action is now more needed than ever before. In order for collective action to effectively help build trust and unlock the value of data for all, bridging silos and fostering dialogue is key. Dialogues should bring to the table stakeholders from all groups (from civil society and academia to policymakers, technicians, and the private sector) to find common objectives and have a more nuanced conversation around data.
Another tool that we are exploring at the Datasphere Initiative to build trust and experiment with new ways to share data is sandboxes (both regulatory and operational). We are also embarking on a project with core organizations in the field, such as the Ostrom Workshop and Aapti Institute, to bridge vocabularies. Bringing together all types of stakeholders to participate in these safe experimental spaces could be another way to build trust and engage all actors to facilitate cross-border data flows.
Can you share some other examples of initiatives seeking to foster trust and build principles?
Timea: On 14 December 2022, ministers responsible for the digital economy of OECD countries adopted a ground-breaking Declaration on Government Access to Personal Data Held by Private Sector Entities. This is the result of two years of multilateral and multistakeholder discussions in the OECD Committee on Digital Economy Policy, which for the first time brought together privacy, national security, and law enforcement officials. On behalf of our network of over 45 million companies worldwide, the International Chamber of Commerce has actively contributed global business evidence to this process, in particular through our White Paper on Trusted Government Access to Personal Data Held by the Private Sector.
The adoption of this Declaration is but the first step. It has the potential to set impactful and practical basic international standards and norms for trusted government access to personal data held by the private sector. This will provide a solid foundation for further development of the free flow of trusted data among OECD countries and beyond. This is where we will be focusing much of our work going forward and we would love to hear more from other organizations in the Datasphere Network.
How can we kick work into action?
Carolina: We should start by opening up more conversations about data and how to responsibly unlock its value for all, identifying what that value is and what its relevance is for different actors. These conversations should not only happen at the highly technical and policy levels but with all actors involved. For example, civil society is also working on relevant principles and rights-respecting frameworks such as “Necessary and Proportionate Principles” or “13 Principles”, to give just one example. Many other initiatives are out there, not only at a policy level but also using technology to support trustworthy mechanisms for the exchange of data. To this end, learning spaces and training in more innovative solutions are fundamental.