Data Free Flow with Trust – and How That Trust Should be Built

With the world economy going digital, it has become conventional wisdom to regard data as the new oil. More importantly, cross-border data flows are the lifeblood of this new economy as they strengthen supply-chain resilience, promote innovation and facilitate trade and investment. It is estimated that 65 percent of global GDP will be enabled by cross-border data flows by the end of 2022. 

Given the increasing importance of data and cross-border data transfers, the world has yet to establish any international architecture to coordinate the data policies of individual countries and the cross-border flows of data. Although major economies in the world have recognized the need to build trust so as to unleash the potential of the free flow of data, what “trust” means remains debatable. 

Data and the meaning of “trust” 

Speaking at the World Economic Forum Annual Meeting in Davos, Switzerland, in 2019, Abe Shinzo, then Japan’s prime minister, proposed the concept of Data Free Flow with Trust (DFFT) as a basic principle for rulemaking in the coordination and facilitation of cross-border data transfers. The concept posits that ensuring trust in terms of privacy, security, and intellectual property rights is a prerequisite for free flow of data across border. With a global data governance regime built upon DFFT, Abe believed that the world would be able to “put our personal data and data embodying intellectual property, national security intelligence, and so on, under careful protection” and at the same time “enable the free flow of medical, industrial, traffic and other most useful, non-personal, anonymous data to see no borders.” 

In its position as president of the G20 in 2019, Japan successfully won the support of other members of the grouping, including the United States and China, and wrote the DFFT concept into G20 Osaka Leaders’ Declaration. The importance of DFFT has been acknowledged by G20 members every year since then. Indonesia, this year’s G20 chair, has set DFFT as one of its major priorities in promoting digitalization. Even India, a country which initially rejected DFFT in 2019, has shifted its position to embrace DFFT. In March 2022, it signed a joint statement with the European Union (EU), Australia, Comoros, Japan, Mauritius, New Zealand, South Korea, Singapore and Sri Lanka on privacy and the protection of personal data, which expressed support for the concept. In 2021, meanwhile, G7 leaders endorsed a roadmap for cooperation on DFFT. In May 2022, a G7 Digital Ministerial Declaration made further commitments to promoting DFFT. In addition, DFFT has been operationalized through digital trade pacts such as the US-Japan Digital Trade Agreement and the Japan-UK Economic Partnership Agreement. 

Based on different governance principles underpinning their respective data policies, major economies can be categorized into three groups. These should be analyzed to understand the major concerns that countries have over data and shed critical light on how to build “trust”.

Market-oriented players

The first group includes market-oriented countries. They emphasize the market logic of data and data flows. In other words, to unleash fully data’s economic potential is the main idea underpinning their data governance strategy. The US is a typical example of this group. It has adopted one of the most laissez-faire and minimalist approaches in the world to regulate data. In the US, data is treated as a tradeable commodity and data-flows are regarded as “core inputs” such as iron and coal. The production and use of data, therefore, is treated as a fundamental component of economic activity, parallel to the production and use of services and goods. 

This liberal perspective is manifested in US domestic governance. The federal government has not issued any comprehensive federal data privacy law. With a minimalist approach, the federal government has only released data privacy and security regulations concerning certain sectors including financial services, healthcare, telecommunications and education, and sensitive areas such as health and financial information. The federal government has not established any principal data protection authority. The Federal Trade Commission (FTC) who has jurisdiction over most commercial entities and their data. With a mission to safeguard the “economic life of every American”, the FTC is empowered to issue and enforce federal privacy regulations and to take enforcement action to protect consumers against unfair or deceptive trade practices. 

The market-oriented understanding of data is more evident in the US’s international activities. The country has advocated for removing barriers in cross-border data flows. For instance, while renegotiating the North American Free Trade Agreement (NAFTA), the Washington sought to prohibit its partners, Canada and Mexico, from imposing measures that would restrict cross-border data flows and require the use or installation of local computing facilities. 

Human-rights-oriented players

The second group of countries are human-rights-oriented. Although they recognize the economic value of data, they prioritize ensuing data privacy and security over other data-related economic activities. More importantly, they adopt a human-rights-based approach to data governance. The member states of the EU are the key countries in this group. The EU Charter of Fundamental Rights clearly states that “everyone has the right to the protection of personal data concerning him or her.” This principled approach is reflected in the national constitution of almost every EU member. 

In an application of the 1950 European Convention on Human Rights and to signal its firm stance on data privacy and security, the EU issued the General Data Protection Regulation (GDPR), the toughest privacy and security law in the world, which was implemented in 2018. With GDPR, its proponents argue that the EU has successfully integrated human rights into business practices. Under the law, cross-border data transfers are enabled only when receiving countries satisfy certain requirements. For instance, a receiving country needs to offer an adequate level of protection as determined by a European Commission decision. Unlike market-oriented countries which prefer using trade agreements or international organizations to facilitate cross-border data flows, the EU relies on the extraterritorial reach of the GDPR to make other countries align their practices with theirs.

In past years, China has made tremendous progress in shaping its data governance framework. In 2016, China enacted the Cybersecurity Law (CSL), the first national-level law to address data privacy protection. Building on the CSL, the Data Security Law (DSL) and the Personal Information Protection Law (PIPL) came into effect at the end of 2021. DSL pays great attention to data collected and stored in China based on their potential impact on national security. The PIPL, meanwhile, reiterates the role of national cyberspace authorities in regulating cross-border data transfers – security assessments and certification by national cyberspace authorities and other designated institutions. With the CSL, DSL and PIPL, China aims to fight against any data hegemony, particularly if claimed by the US, and is intent on safeguarding its cyber sovereignty. 

India takes a similar stance. To fight against “data colonialism” – when big techs use digital infrastructure to spy on users, process their data and thus violate the data ownership rights of citizens, India puts even more restrictions on cross-border data transfers. The government of India has been actively advocating for safeguarding data sovereignty, that data generated locally, especially critical and sensitive information, should be stored locally. For example, all data related to payment systems must only be stored on servers in India. The proposed National E-Commerce Policy and Personal Data Protection Bills are expected to introduce more requirements for data localization. As the only country which has proposed a protection law for all kinds of data, not only personal data but also non-personal data, the Indian government hopes to maintain sovereignty over all the data that Indians generate. Although the Indian government has faced intense lobbying by tech giants to ease its data rules, Delhi has reaffirmed its approach of imposing data localization requirements, promising not to compromise India’s data sovereignty. 

A global data governance framework? 

In mapping the three groups of countries on a spectrum of levels of restriction on cross-border data transfers, market-oriented countries and national-security- and sovereignty-oriented countries sit on the two opposite extremes. Market-oriented countries prefer no restrictions, while national-security- and sovereignty-oriented countries set up many hurdles for cross-border data transfers. Sitting in the middle are the human-rights-oriented countries. To enable the free flow of data, as promoted in DFFT, it is necessary to build trust among the countries of all three categories. Trust has to be built first and foremost to allay all the major concerns about data. Only when those concerns can be properly addressed and key interests are protected will there be genuine free flow of data. 

But building a global data governance architecture that bridges the divisions among the three groups will not be easy. For market-oriented countries, “trust” means removing all the barriers impeding the free flow of data. Furthermore, following and respecting the logic of market, these countries believe that governments should leave cross-border data governance to the private sector. This is the thinking behind the Cross-Border Privacy Rules (CBPR) proposed by the US within the Asia-Pacific Economic Cooperation (APEC) forum. The CPBR framework would be backed by governments but would rely on self-assessment by organizations. 

For both human-rights-oriented countries and national-security- and sovereignty-oriented countries, governments should play a significant role in data governance. They also agree that there should be some requirements that need to be fulfilled before the data is allowed to cross borders. The two groups can find common ground. Based on such a consensus, the EU, India and eight other countries signed the March 2022 joint declaration noted earlier that calls for international cooperation on data protection and cross-border data transfers. But it is not yet clear to what extent such assertions of intentions to cooperate can be translated into concrete action. 

Coordinating regulatory frameworks between the market-oriented group and the countries focused mainly on human rights and on national security and sovereignty will be more difficult. In criticizing China as a model of “digital authoritarianism”, the US  is trying to ban Chinese companies such as TikTok, WeChat, ZTE and Huawei from the US market. Given the increasing geopolitical tensions and that countries are unlikely to compromise on national security and sovereignty, it will be very difficult for China and the US to formulate a cooperative framework on data in the foreseeable future. What is more, the continuing tug-of-war between the EU and the US on transatlantic data transfers despite a preliminary agreement, probably indicates that until market-oriented countries change their perspectives on data and data governance, cooperation on data transfers between them and human-rights-oriented countries may not be sustainable or even possible.

Although major economies have agreed on the concept of DFFT, namely that trust is an enabler for cross-border data transfers, this does not mean that the future of global cooperation on cross-border data transfers is promising. “Trust” means different things for different countries because their major concerns over data vary. A worldwide data governance architecture will take a long time to build.