Solving the Missing Puzzle in Data Governance
By Sarthak Luthra, 7 June 2019
‘Isms’ are self-contained hypothesis generators. For example, could we really understand what Data Protectionism is without an understanding of what data protection means?
Tackling the 21st-century era of protectionism is gaining importance, and policymakers globally are attempting to strike a fine balance between regulation and technology. While some are allowing technology to evolve ahead of regulation, others are creating a protectionist perception by imposing restrictions on cross-border data flows.
In the former league, countries such as Japan, Singapore and the Philippines have shown acceptance of promoting cross-border data flows. However, in the ASEAN region, which is seeing exponential growth in the e-commerce sector and in unicorns, countries such as Vietnam and Indonesia are widely noted for their data localization requirements. Beyond ASEAN, India is also looking at imposing data localization requirements across different policies in the making – the Data Protection Bill and the E-commerce Law.
It is evident that governments across the globe are concerned about data stored overseas, over which they have less oversight and limited means of enforcing access. The missing puzzle in this data governance school of thought is that not all data is sensitive. Some personal information related to national security must be protected, but some categories of personal, non-personal and anonymous data can be used extensively across varied sectors, including medical records in healthcare for cross-border healthcare services (medical tourism) and real-time data sharing in cross-border manufacturing and production processes, among others.
As part of global efforts, the G20 summit scheduled to be hosted in Osaka, Japan, on 28–29 June 2019 can be a stepping stone to fill the missing puzzle. Abe’s proposal to create a Data Free Flow with Trust is one such regime that bundles data flows with trade. For example, if Vietnam removes its blanket data localization requirements, SMEs and entrepreneurs operating in the rest of the world are more likely to trade with Vietnam and expand in the country without worrying about storing their data in Vietnam or opening mini-data centres, which come with their own opex and capex. Relatedly, companies already operating subsidiaries in a data protectionist country will not be able to transfer data from their overseas subsidiaries, the long-term implications of which could be not only a trade war but a data war, i.e., paying a tax on transferring the data from an overseas subsidiary.
Amidst the trade war between China and the U.S., factories and manufacturing firms looking to shift their bases to other countries, including Indonesia and Vietnam, could experience premature obstacles if a strong data protectionist regime prevails. Protecting personal data and security are key components of any data protection regime, but regulations that go beyond that could throw the baby out with the bathwater.
So far, regulatory developments have been reactive, whereas technology developments are relatively more proactive in nature. To address this gap, one of the fundamental elements that needs attention is the implementation of a regulation and its timeline. Not to mention, the concept of trust needs to be defined clearly when it comes to data flows.
The recently published paper on Principles and Policies for “Data Free Flow With Trust” by ITIF effectively elaborates some of the key Call to Action items:
- Rather than tell firms where they can store or process data, policymakers should hold firms accountable for managing data they collect, regardless of where they store or process it.
- Countries should revise the inefficient processes and outdated legal agreements that govern law enforcement requests for access to data stored in another country’s jurisdiction.
- Countries should develop the legal and administrative frameworks (with respective checks and balances) that allow Internet service providers to block data flows that involve the illegal distribution and use of unlicensed content.
- Countries should support and not undermine encryption’s role in securing data flows and digital technologies.
A shared approach that ensures data is protected irrespective of its location, helps people and companies maximize the socio-economic benefits, promotes innovation, and avoids prescriptive regulation should be the foundation for rethinking how to integrate into a global digital value chain.