Briefing Paper
Interoperability of Data Governance Regimes: Challenges for Digital Trade Policy
Bacchus J, Borchert I, Morita-Jaeger M, Ruiz Diaz J (2024) Interoperability of Data Governance Regimes: Challenges for Digital Trade Policy, CITP Briefing Paper 12
Published 8 April 2024
Minako Morita-Jaeger, Ingo Borchert, James Bacchus and Javier Ruiz
Key Points
- The global digital economy is growing fast but risks fragmentation along geopolitical lines. This is reflected in diverse approaches to digital governance, particularly around data.
- Bilateral and plurilateral trade or digital agreements have become major policy tools to address the problem of digital regulatory fragmentation. However, the plethora of such arrangements creates a “digital noodle bowl” of different types of rules with different signatories at the international level.
- Most digital trade transactions are associated with cross-border data flows. Therefore, a widely accepted solution on interoperable data flows would constitute the bedrock on which any other agreements about digital trade could rest. However, safe and trusted cross-border exchange of data presupposes the interoperability of data governance regimes.
- Many areas in digital trade require some form of coordination on data flows, ranging from narrowly defined business data in specific domains or industries to cross-cutting, consumer-facing new digital services. Approaches to interoperability that focus solely on the legal aspect of data transfers will neither be effective nor satisfactory.
- We propose and discuss five principal components that would render national data governance regimes truly interoperable: (i) robust legal mechanisms, (ii) rules and safeguards for handling data, (iii) a set of rights for data subjects, (iv) mechanisms for oversight and accountability, and (v) enforcement and redress.
- We highlight the need for more international cooperation and the need for a more inclusive approach towards policy formulation to achieve and sustain such interoperable data governance regimes.
Acknowledgements
The authors wish to thank Michael Gasiorek, Phoebe Li, and Maria Savona for very helpful comments on an earlier draft. All views expressed in this paper are those of the authors, not the institutions they are affiliated with.
Introduction
In this Briefing Paper, we focus on understanding what the interoperability of data governance regimes could mean in the context of digital trade and the main challenges it faces. Interoperability is defined as the ability of two or more systems to work together. Conventionally applied at a technical level, interoperability refers to the use of common data formats and protocols that enable information technology systems to communicate with each other (the ‘Extensible Markup Language’ XML is an example). Analogously, but at a different level, we refer to interoperability of data governance regimes as a set of legal foundations, data handling rules, consumer rights, oversight institutions, and enforcement mechanisms that jointly enable the safe and trustworthy exchange of data flows across jurisdictions.
Digital trade and digital divides
Developments in digital trade are happening faster than regulatory and institutional mechanisms can be developed to ensure that it is beneficial to society. Innovation and technical change are at least one step ahead of policy and underpin the global expansion of exports of digitally delivered services, which reached USD 3.8 trillion in 2022, an almost fourfold increase since 2005, far outstripping growth in goods exports (Figure 1).
Figure 1: Global exports of digitally delivered services (indexed)
Source: WTO (2023), “Global Trade Outlook and Statistics”, Chart 12.
This growth has unfolded despite ongoing concerns about regulatory fragmentation splitting the global internet and putting a brake on prosperity. National policymakers and international negotiators are working hard to come up with governance frameworks for digital trade, driven by a desire for economic growth, while ensuring that this kind of digital trade is beneficial to societies and enjoys citizens’ support. The main issue under consideration is the cross-border flow of data, which is intrinsically linked to agreements on trade, artificial intelligence, and transfers of cutting-edge digital technology. Yet, the current and future growth of digital trade is jeopardised by growing geopolitical rifts and, in their wake, a patchwork of international agreements that reflect rather different approaches.
There are dozens of digital trade agreements between countries or economic blocs that include commitments aimed at facilitating the digital delivery of services. One major example is the Comprehensive and Progressive Agreement for Trans-Pacific Partnership (CPTPP) that the UK is in the process of joining.1 These agreements may bring some benefits to those involved but do not solve the aforementioned fundamental problems. Overlapping trade agreements that create ever-larger groups of “like-minded countries” could deepen geopolitical fragmentation and threaten global prosperity. Low- and middle-income countries are forced to choose between becoming rule-takers or being excluded from new technical developments that can enable economic growth, better governance, and social innovations. Global interdependence is not unique to digital trade, most notably in relation to the environment, but internet services often flow across several jurisdictions and challenge traditional bilateral trade approaches.
What digital trade, therefore, really needs is a set of multilateral rules and enhanced digital governance. The World Trade Organization (WTO) is taking steps in that direction. Recently 86 members concluded the Joint Initiative on Services Domestic Regulation, and talks on e-commerce—as digital trade is called in that forum—are underway. There hasn’t been a breakthrough yet, though, and one reason might be that—in line with GATT/WTO tradition—talks follow the “single undertaking” logic, meaning that nothing is agreed until everything is agreed. For something as complex as digital trade, that might just about be too much.
A more flexible, ‘variable geometry’ approach could be a more promising alternative compared to a single undertaking approach.2 The idea is for multilateral talks to adopt a modular, topics-based approach that resembles the structure of the Digital Economy Partnership Agreement (DEPA), signed in 2020 between Chile, New Zealand and Singapore. Digital Economy Agreements (DEAs) are the new kid on the trade block; one of the latest is the UK-Singapore DEA signed last year. DEAs are different from more traditional trade agreements. Instead of an emphasis on hard commitments and enforcement, DEAs aim at fostering soft policy alignment across a menu of optional modules. This modular design allows for faster advancement in areas of agreement without being held back by more thorny issues.
Whereas this approach could offer the flexibility for different groups of WTO members to negotiate, and sign up to, sets of commitments on issues such as the treatment of digital products or digital identities, a principal consensus is needed on foundational issues such as the definition of digital trade and the interoperability of data flows, as these cross-cutting aspects affect almost any kind of digital trade.
Data governance is going to be the linchpin for WTO rules on digital trade for two key reasons. First, one cannot build a house from the rooftop. Most digital trade transactions are associated with cross-border data flows, thus a multilateral solution on interoperable data flows will constitute the bedrock on which topics-based modules could sit. It would be a consensus in principle on qualified data free flow, subject to exceptions to be defined at a later stage. We highlight the extent of current differences in data governance approaches that a ‘consensus in principle’ would have to bridge (Section 2) and what governance interoperability means at different levels (Section 3). We then propose a core set of common elements for data interoperability to work in practice (Section 4). We argue that for these core elements of data interoperability to work, institutional cooperation and a more inclusive multi-stakeholder approach will be salient (Section 5).
Second, the recent proliferation of agreements affecting digital trade has led to the emergence of a maze of digital trade provisions that has been called a “digital noodle bowl” (Figure 2). Very few agreements are open to potential new members in the same way as DEPA is by design. Hence, a consensus on interoperable data flows will prevent further regulatory splintering into ever more digital realms, especially when cross-border data flows are the foundation of much of digital trade. That is also why, in today’s digital economies, data governance rules can be seen as representing one form of digital trade policymaking.
Figure 2: Proliferation of digital trade agreements
Source: Stephanie Honey, “The long road to a seamless global digital economy”, Hinrich Foundation, 30 May 2023, Figure 1.
We start our analysis of routes towards interoperability by showing that the proliferation of digital trade agreements, and resultant different data rules, reflect a diverse set of national data governance regimes. We then set out principles and common elements required for data governance regimes to become more interoperable.
Diversity in domestic data governance
Whereas many digital trade agreements at least notionally aim at facilitating the free flow of data among their signatories, the emerging cobweb of agreements with digital provisions (Figure 2) raises the spectre of multiple, overlapping, and potentially conflicting international data governance regimes. At the same time, it is important to recognise that there are significant data governance divides already at the domestic level. This observation holds even across countries that are signatories to the same international agreement. This is because data governance reflects a country’s political stance, its approach to markets and technology, business interests, institutional capacities, societal values, and consumer preferences.
Domestic data governance regimes have typically been categorised as belonging to one of three ‘digital realms’: the American type that takes the market-driven approach, the European type that takes a human rights-based approach, and the Chinese type that follows a state-driven approach.3 These approaches would then inform the principal preoccupations, respectively, over economic growth, privacy, and population surveillance.
Yet, data governance regimes are more multifaceted than these simple sketches. Looking beyond the pure privacy protection aspect reveals a great deal of heterogeneity along several dimensions. For instance, the Global Data Governance Mapping Project has developed an index that appraises the complex concept of data governance from six dimensions: strategic, regulatory, responsible, structural, participatory and international.
‘Regulatory’ refers to governments’ legal regime around data uses (e.g. personal data protection laws or right of data portability), ‘Responsible’ refers to governments’ legal regime to protect ethical, trust, and human rights of data use and re-use (e.g. data charter, responsive AI initiatives, and guidelines for non-governmental data sharing), and ‘International’ refers to the extent to which governments join international efforts to establish shared governance rules (e.g. the Council of Europe’s Convention 108+, or binding trade agreements on cross-border data flows). The project uses these criteria to rank countries on a multivariate index that reflects the quality of data governance along those criteria.
Their analysis shows that pronounced data governance divides exist among members that are involved in plurilateral and bilateral trade agreements with high-standard digital trade provisions (e.g. UK-Singapore, DEPA, DEA, US-Mexico-Canada Agreement, or CPTPP). For instance, CPTPP prohibits restrictions on cross-border business data transfers, including personal information, with certain exceptions, on the basis that the related data regimes are interoperable. However, the index reveals that individual member countries take rather different approaches in data governance as it relates to ‘regulatory’, ‘responsible’ and ‘international’ dimensions4, respectively (Figure 3).
A similar policy stance across the 11 CPTPP signatories would result in evenly shaped circles for each policy dimension; yet what we see is rather the opposite: irregularly shaped lines that reflect differing policy stances, most visible perhaps in the ‘responsibility’ dimension (red line) where very low index values for Chile or Singapore contrast with high values for the UK and New Zealand. Whereas Singapore is a leader in promoting digital trade agreements at the international level, the country takes a market-driven approach and is not active in promoting data governance at the domestic level. The UK’s index, by contrast, reflects (for the time being) the legacy of the EU’s digital regulatory regime.
Figure 3: Divergent data governance across CPTPP members
Source: Global Data Governance Mapping Project (2021 index data); authors’ representation.
In general, the level of data governance of emerging economies within the CPTPP, especially Malaysia and Vietnam, is much weaker compared to that of its developed economies (Australia, Canada, Japan or New Zealand). However, pronounced differences are discernible even across the wealthier CPTPP members, including those that have high-level digital provisions under their bilateral Free Trade Agreements (FTAs) with the UK (Australia, Canada, Japan, New Zealand, and Singapore).5
Assuming that data governance regimes are particularly salient for services trade, the stakes are also different across CPTPP members. The UK is a prolific services trader and scores high on the Data Hub’s regulatory index (Figure 4). Within CPTPP, however, it will be joined by a diverse set of economies, some of which will have equally ambitious data governance regimes although their stake in services trade is much lower (Australia, New Zealand and Mexico), whereas others are also relatively engaged in services trade but exhibit appreciably lower regulatory index scores (Canada and Malaysia).
The Data Governance Hub’s detailed data implies that international agreements would have to do some (very) heavy lifting to achieve interoperability, even amongst members of agreements as advanced as CPTPP or DEPA. The World Economic Forum (WEF) has discussed various mechanisms for enabling cross-border data flows, as part of discussions on enabling proposals made at the G20 and G7 for “data free flow with trust.”6 These mechanisms include trade agreements, mutual recognition, or even common international privacy frameworks, such as Convention 108+ at the Council of Europe. The WEF concludes that none of those approaches are likely to deal with the fragmentation of digital spheres that we discussed above.
Figure 4: Regulatory dimension of data governance and trade in services, CPTPP members
Source: Global Data Governance Mapping Project (2021 index data); authors’ representation. Singapore omitted from this figure as its share of services trade in GDP is 120%, rendering other data points
The Organisation for Economic Co-operation and Development (OECD) has also tried to advance common approaches towards the interoperability of privacy and data protection regimes “to work together at multiple levels through policy and practical arrangements and thereby bridge any differences in approaches.” Yet despite efforts at mapping possible approaches, even defining interoperability of data governance regimes remains an open problem. For example, for the EU, interoperability means that other jurisdictions must have “adequate”—i.e. “essentially equivalent”—privacy protections enshrined in their legal systems and practices. Meanwhile, some countries in the Asia-Pacific region are prepared to share personal data purely based on voluntary certifications and private undertakings by companies if there is no domestic law. These two approaches are presented in digital trade agreements such as the CPTPP7 as essentially equivalent, thus solving the problem of interoperability, but this view is contested.8
Against this backdrop, and to break this complex problem into manageable pieces, we now turn to dissect precisely what the idea of data interoperability would entail. In so doing, we distinguish between legal and technical dimensions and show the way forward towards comprehensive interoperability at the international level.
The anatomy of interoperability of data governance
The need for coordination on cross-border data flows arises in a variety of areas of digital trade, which we describe in the first subsection. The remaining two subsections then argue that effective interoperability encompasses the technical and the governance level, respectively. Against that backdrop, we elaborate on the five principal elements of interoperability in the next section.
A. Realms of digital trade that require coordination
Interoperability has typically been easier to achieve at a narrow, technical level compared to cross-cutting services that involve citizens and consumers. As such it is useful to distinguish the interoperability of data governance along the following five different types of cross-border economic activities, which we set out from specific to cross-cutting areas.
Business data in specific domains and industries
Interoperability of data governance has advanced more within specific domains and industries than in the generic clauses found in digital trade agreements. These data frameworks can be quite technical, covering data structures and naming conventions. There are many interoperability frameworks designed to allow for exchanges within a defined area, as in the EU Code that enables the operation of the European energy single market. Trade agreements could support more interoperability of energy data and other critical and industrial systems, also helping with the climate crisis. Much of this data is exchanged in a business-to-business (B2B) context and will not contain personal information. Some of this data may even be available as open data.
Trade facilitation
In a similar vein, it could be possible to advance on the digitisation of traditional trade processes. Paperless trading ought to be the foundation for digital trade and there are many efforts to enable the interoperability of trading platforms, contracts, legal entity identifiers, electronic signatures, deliveries, customs, etc. Most digital trade agreements include commitments or modules on some of these aspects, which do not tend to generate great controversy.
Digital trade facilitation is linked to a wider effort at the UN and in policy spaces such as the G20 to create higher levels of technical operability around the concepts of Digital Public Goods (DPG) and Digital Public Infrastructure (DPI). India is the main proponent, presenting these as an alternative to proprietary (Western) tech platforms. DPI includes identity and payment systems, but also integrated e-commerce frameworks, such as the Open Network for Digital Commerce (ONDC). These technical governance infrastructures are not an alternative to data governance and require legal regimes commensurate to the increased complexity and privacy risks.
E-commerce (digitally ordered goods)
The OECD’s taxonomy of digital trade defines traditional e-commerce as the trade of digitally ordered goods. Ancillary processes such as billing require cross-border transfers of personal and financial information, which need trustworthy privacy protections for consumers. Platforms, banks, couriers and other intermediaries will have a critical role to ensure this information is not abused, including to unfairly advance their own positions. Agreements on these ad hoc transfers of personal information required to order and deliver goods could advance without the need to agree on a comprehensive data governance regime, as required in the delivery of purely digital services, which by contrast can involve more extensive data collection.
Applications involving consumers and citizens
For digitally delivered services – again using the OECD’s terminology – that are directly used by individual consumers and citizens, interoperability of privacy and data protection becomes more salient than technical standards. One approach could be to build interoperability of data regulations for specific service sectors included in market access commitments. For example, cross-border delivery of health services requires common technical standards and formats for data exchange but also a trustworthy regime for the protection of very sensitive information. The US Department of Health and Human Services has estimated that, prior to the creation of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), privacy concerns led 586,000 Americans to delay seeking cancer treatment – leading to $1.6 billion in lost wages a year, in addition to the lives lost. Meanwhile, over 2 million people in the US delayed seeking mental health treatment, and over 1 million avoided treatments for sexually transmitted infections.
Privacy concerns, which are evident in the change in behaviour even for Americans, take on a whole new dimension in an international context. However, the sectoral approach has limitations. In the case of health data, the absence of general privacy laws means that once that medical information has been taken to a new context, sector-specific protections vanish. For example, despite the introduction of medical privacy laws in the US, it is still legal for US marketing companies to sell lists of persons suffering from “ailments, illnesses and medical conditions”, including 1.8 million “clinical depression sufferers”. US marketing companies skirt around medical data protections by removing and later reattaching personal identifiers, or using novel health-related analytics, sometimes under the label of wellbeing. This may make many Europeans recoil in horror at the prospect of their health information being sent to the US.
For the UK, the Centre for Inclusive Trade Policy recently conducted a consultation exercise with the general public on the subject of privacy and data-sharing. It explored public views on the complex trade-off involved when lowering barriers to cross-border data flows enables the transfer abroad of a critical mass of health records that could lead to potential breakthroughs in health research. Public views were divided, with objections to data flows being based on attitudes towards risk in relation to data privacy. Interestingly, support for freer cross-border data flows increased (from 49% to 67%) when prospects for medical advancement were higher. We argue, later on, that one lesson from this consultation exercise is that a more inclusive stance in formulating data governance regimes is feasible and worthwhile.
New data-driven cross-cutting digital services
The ambitions of certain areas of digital trade go further than trade facilitation or even enabling cross-border provision of services such as health. Seamless delivery of cross-border fully digital services such as cloud computing, social media, or generative AI can cut across many sectors, and the associated complex data flows can include non-monetary exchanges that are harder to regulate domestically, let alone to connect internationally. Indeed, online behavioural advertising and the provision of free services form the nexus at the heart of the modern internet economy. Hence, outcomes that further consumer trust and are satisfactory for all stakeholders involved will depend on generally applicable privacy regulations, such as the General Data Protection Regulation (GDPR), as opposed to sector- or service-specific solutions. The generality of any such approach, though, renders international cooperation most difficult because of entrenched geopolitical conflicts.
B. Technical interoperability
As we discussed above, Bacchus has proposed to break up the bundling of digital trade areas to advance where it is possible to agree.9 Yet applying this approach to data governance is challenging because data and information flows are foundational to every aspect of digital trade. One approach would be to find some minimum technical and legal dimensions for the interoperability of data governance regimes to work. In a way, this is how the internet operates but, as we explain below, this approach may not work for data.
The main conceptual model used in discussions of internet technology and policy is based on layers that build on each other, from basic infrastructure to value-added consumer services. As we move higher up in the layers model we shift from big telecoms and engineering firms to web services and public-facing brands. The key principle is that each layer abstracts from the traffic in layers higher up and is agnostic about the contents being transmitted.
The Internet Protocol (IP) provides the technical basis for most data flows, and it is supported by thousands of technical standards. Besides technical interoperability, internet data transfers also rely on a layer of commercial interoperability, but the contracts for wholesale internet interconnection have become standardised in practice without the intervention of a global body.
Maintaining technical interoperability and a global internet infrastructure is a prerequisite for digital trade, but it would be difficult to create a minimum common approach or a basic “layer” for data governance in digital trade beyond what is already in place.
The primary focus of “interoperability” within internet policy is to ensure that technical innovations at the firm level are not abused or harm the open internet. In addition to divergent national standards, large internet companies can end up setting different rules and building their own infrastructure, straining the common architecture and governance of the internet. The use of incompatible technical systems is also a risk to competition in the digital sector, if it is used to lock customers in and competitors out.10
The flip side of interoperability is the risk of stifling innovation towards higher standards. There is a constant push to make the modern interactive internet faster and more private, which makes it harder for technical systems to remain compatible. We can see this tension in the state-of-the-art technical protocols for privacy in instant messaging software, such as WhatsApp or Signal. The developers have made a very strong case for creating a brand-new technology rather than trying to retrofit privacy to existing internet standards such as email. They argue that this is impossible because of the need for interoperability, although this view is not universal.
Extending the minimum technical interoperability approach to data governance risks anchoring everyone to the lowest common denominator that can be agreed between all the parties, dragging down higher standards of consumer and privacy protections. Nuanced discussions of technical interoperability see it as “a foundational element of more complex policies aimed at nurturing healthy and just digital ecosystems”.
C. Data and internet governance
Outside the auspices of trade policy discussions, governments, businesses and civil society have spent the past twenty years arguing over the jurisdiction that should apply when information travels across the globe, and what common rules should remain. Data governance is a key element, together with rules on access to information.
The shift of these discussions to the realm of trade does not immediately solve the entrenched conflicts between the promise of the internet to connect humanity by bringing universal access to information on the one hand and the priorities of governments and powerful private actors on the other hand, e.g. as between the aforementioned three ‘digital realms’ of China, the US, and the EU.
The potential for rules and policies over data to influence trade adds a new layer of complexity to existing discussions framed under the prisms of human rights, national security, economic development or broader geopolitical debates. For example, data flow disputes between the EU and the US are often seen as a conflict between the European notion of privacy as a fundamental human right, and the US view that any restrictions on information, even personal information, are more akin to censorship. From a trade perspective, the question may be whether the EU is unfairly making life harder for US companies, or the US is unfairly undercutting EU companies through its laissez-faire approach to privacy. The original conflict remains unresolved, and not surprisingly the diverse approaches have real practical impacts. For instance, the ChatGPT service from OpenAI was banned in Italy for several weeks in April 2023 due to data protection concerns. Although the service was reinstated after the company implemented some changes, formal privacy complaints have been launched by EU privacy advocates.
Common elements of interoperability
We suggest that effective interoperability that covers both the technical and the governance aspects of coordination needs to encompass a set of five principal elements. A programme to build interoperability of data regimes will need to delve deep into the details and not reduce interoperability to a single scale. Rather, we argue that interoperability will entail a consensus on legal mechanisms, data handling rules, a set of rights, oversight provisions, and enforcement mechanisms.
A. Legal mechanisms
Data governance regimes create legal mechanisms to enable cross-border data transfers, which can include top-down legal interoperability, as in the case of EU adequacy, safeguards like contracts, certification regimes such as the APEC Cross-Border Privacy Rules (CBPR) system, or simply consent. These mechanisms could be the same nominally, e.g. consent or a legal mandate, but work differently in practice. For example, the EU’s high standards for unequivocal informed consent may not match the concept of consent in other countries. Consent is widely perceived as the bedrock of privacy and in many jurisdictions is the preferred basis for data transfers. Therefore, international agreement on what constitutes consent and whether it should be used with safeguards is a vital part of interoperability. Contracts are another area where interoperability can advance. One example is the Ibero-American Data Protection Network’s guidance on model contract clauses for use across countries with different data regimes.
B. Data handling rules
Principles for handling data include ensuring security, proportionality of the data used to the needs, limitations on data reuse, and accuracy, amongst others. These generally follow the OECD Guidelines from the 1980s, centred on the concept of fairness, but there have been many advancements since then, particularly around the GDPR. These principles will interact with, but not substitute, the legal mechanisms outlined in the previous paragraph. For example, whether data is transferred using a certification, a private contract or an adequacy decision, the organisations involved must ensure that there are security measures in place to prevent any abuses.
C. Rights of data subjects
This aspect refers to a rights regime for people affected by their data being transferred abroad. At a minimum, the basic right is to know what organisations know about a person, the right of access or habeas data in some jurisdictions. Additional rights to correct and erase data are also common. These data rights do not normally include economic rights for individuals over the exploitation of their data, although this issue – and the corresponding nascent debates over the value of data – generates a lot of interest. Some novel rights, such as data portability, are less common and even if the right exists domestically at both ends of the data transfer, its cross-border application may be difficult in practice. The right to demand the deletion of one’s own data under some circumstances (also known as the right to be forgotten) is controversial, particularly in the US, where it is perceived as enabling censorship.
These data rights are conceptualised differently in each jurisdiction. In the EU, data rights emanate from data protection itself being a right under the EU Charter of Fundamental Rights, linked to privacy as a fundamental human right; therefore, they apply to people outside the EU if their data is processed there. In contrast, the US Privacy Act creates rights – only over Federal government use of data – for US persons only. The US state of California creates consumer rights in cases similar to GDPR, but over commercial data only. Such divergent approaches are not necessarily a block to interoperability, but many countries, including the EU, will require a minimum framework of human rights and the rule of law to enable data transfers, which may limit the options for interoperability.
The UK Government is currently passing legislation to remove references to the EU-inherited right to data protection from the UK GDPR and replace these instead with the more general right to privacy under the European Convention of Human Rights, which is not part of the EU. At face value, this should not impact the interoperability of the UK and EU’s data regimes, but this change will have practical consequences, particularly for personal information that is already public. Going back to our example of US data marketeers, in that country there is a huge industry based on the collection and reselling of personal information that is publicly available, such as educational or court records.11 In principle, trading on publicly accessible personal data is currently restricted in the UK. There is a more limited market for such data in the UK as GDPR and other privacy laws make this more difficult. The proposed changes could bring the UK closer to the US in that particular aspect of data subjects’ rights.
Some trade agreements include human rights requirements, but these clauses are generally created with the purpose of limiting the exploitation of people – including workers – in the countries of origin of goods. This is different from data flows in digital trade, where the objective is to protect the human right to privacy of people in the country receiving the service. Governments that operate under a human rights framework have a duty to protect people under their jurisdiction; hence the EU’s reluctance to allow consent for routine data transfers to countries without protections or safeguards.
D. Oversight and accountability
Data regimes can entail administrative requirements for reporting, documentation, or procedures for risk management such as impact assessments, which can be considered ‘onerous’ on private businesses. The GDPR is notoriously prescriptive on such elements down to minute instructions. Yet some administrative requirements mean that consumer protections are substantially better. This trade-off between resource costs and effectiveness poses a challenge for interoperability, as these high requirements could be difficult to fulfil in countries with fewer resources, potentially becoming discriminatory trade measures subject to exception regimes. Conversely, a jurisdiction with the same general regime but much lower compliance costs – or fines – could undercut data processors elsewhere.
E. Enforcement and redress
Both aspects are central to any data governance regime if things go wrong, as inevitably they might sooner or later. Some form of supervision or enforcement body is found in most countries that have data regulation laws. The EU puts great emphasis on the independence of these entities from the executive branch to avoid potential abuses of power. Many are public bodies, but some regimes rely on private companies.
Enforcement and effective redress, linked to data rights, are central to ensuring consumer trust. There are diverse mechanisms for redress, ranging from complaints to a regulator leading to specific changes, to financial compensation via private litigation or even class action. The EU GDPR has had a huge impact because the fines of up to 4% of global turnover create a perceived risk.
Conclusions
Currently, most discussions of data governance interoperability focus on legal mechanisms for the transfers of personal data, and perhaps some safeguards. Yet the full life cycle of data continues once that data has been transferred. To be sustainable and to ensure consumer trust, governance regimes for cross-border data flows must also include technically, legally, and institutionally solid mechanisms for the cross-border enjoyment of data rights, enforcement, and redress options. This will require both more international cooperation and a more inclusive approach towards formulating governance regimes.
A. The need for institutional cooperation
Fostering more and deeper cooperation between data protection authorities is a key plank for improving the interoperability of data governance. Most data protection regimes rely on a regulatory body, with a lot of variation on what this may look like. In some countries, this agency must be a public body independent from the government, so it can hold any governmental or executive agency to account if needed. Other approaches, e.g. the CBPR, are instead centred on private certification companies and private litigation. In this case, there may not be incentives, or indeed ability, to enforce prevailing rules against public or private infringement. Proposals to create new types of institutions to act as data intermediaries, ranging from data trusts to data sharing pools, could improve data governance domestically but often miss the implications for cross-border cooperation.
The G7 has started the process of creating a new institutional agreement for partnership (IAP) spurred by proposals from the World Economic Forum. This new body, likely hosted by the OECD, could improve the state of cooperation, but it should go beyond a narrow focus on overcoming regulatory fragmentation to promote higher standards. The partnership framework should also be extended to non-OECD countries to mitigate a widening digital gap between developed and developing economies.
In addition to these supra-national approaches, the diverse set of national bodies and agencies involved in data governance should have the legal remit and the incentives to cooperate with corresponding agencies abroad to give effect to interoperability. This includes other bodies beyond data protection. The UK’s Digital Regulation Cooperation Forum (DRCF) is a step in the right direction, but it lacks statutory footing and resources. The technical and financial capacity to regulate and cooperate internationally is even more limited in developing countries. Hence, capacity building and assistance should be part of any initiative that attempts to widen data governance interoperability beyond the traditional three digital realms of the US, EU, and China.
B. The need for more inclusive trade policy
Currently, existing FTAs or digital economy agreements tend to focus heavily on free data flow without sufficient consideration of personal data protection and privacy, apart from the EU’s FTAs since the EU prefers to deal with data privacy issues outside of trade negotiations. For example, recent trade agreements led by Asian-Pacific countries require signatories to commit to free cross-border data flows of the WTO type (GATT Article XX and GATS XIV definition of legitimate public policy objective clauses) that limit signatories’ ability to adopt exceptional measures.12 While these agreements notionally affirm the importance of personal information protection, the only requirement is for signatories to adopt or maintain a legal framework of personal information protection, or to take into account principles and guidelines of relevant international bodies such as the OECD. Signatories are encouraged to promote interoperability through recognising regulatory outcomes either unilaterally or by mutual arrangements. Against the backdrop of core elements that we argue are needed for effective and equitable interoperability – including a rights regime, accountability, and redress – the aspirational language in many trade agreements is unlikely to deliver on the much-heralded “data free flow with trust.”
Yet, trade agreements could be potent devices for mitigating conflicts (or gaps) between national laws and international commitments, thereby potentially promoting free cross-border data flow. However, most national processes of trade policy formulation are not sufficiently inclusive to do justice to the complexity of data governance regimes. The lack of inclusivity prevails both within and across government.
Regarding the former aspect, many regulatory bodies or institutions involved in data governance, including national data protection authorities, are not ordinarily involved in trade negotiations. As a result, the legal and technical implementation of trade agreements in relation to domestic regulatory arrangements and enforcement becomes unclear. Regarding wider participation outside of government, private sector stakeholders are typically more capable of articulating their interests compared to non-business stakeholders. Therefore, the design and implementation of core elements that underpin effective interoperability would benefit from a multi-stakeholder approach to policymaking, in particular insofar as the rights of data subjects, oversight, and redress mechanisms are concerned.
Footnotes
- The UK concluded negotiations to join the CPTPP on 31 March 2023 and signed the Protocol of Accession on 16 July 2023.
- See Bacchus, James (2021), “The Digital Decide – How to Agree on WTO Rules for Digital Trade”, Special Report for the Centre for International Governance Innovation (CIGI).
- See Anu Bradford (2023), “Digital Empires – The Global Battle to Regulate Technology” Oxford University Press, ISBN: 9780197649268.
- In the construction of its index, the Global Data Governance Mapping Project distinguishes six dimensions, of which ‘Regulatory’ refers to governments’ legal regime around data uses (e.g. personal data protection laws or right of data portability), ‘Responsible’ refers to governments’ legal regime to protect ethical, trust, and human rights of data use and re-use (e.g. data charter, responsive AI initiatives, and guidelines for non-governmental data sharing), and ‘International’ refers to the extent to which governments join international efforts to establish shared governance rules (e.g. Convention 108+ or binding trade agreements on cross-border data flows).
- Other organisations that have carried out extensive work on data governance include the Govlab and the UK-based Ada Lovelace Institute.
- See also Minako Morita Jaeger, “Can trade policy enable ‘Data Free Flow with Trust?’”, CITP Blog, published 11 December 2023.
- CPTPP’s Article 14.8 includes a footnote explaining that members may comply with the obligation to enact legal privacy protections through a variety of measures “such as a comprehensive privacy, personal information or personal data protection laws, sector-specific laws covering privacy, or laws that provide for the enforcement of voluntary undertakings by enterprises relating to privacy.”
- For instance, by Greenleaf, Graham (2018), “Asia-Pacific Free Trade Deals Clash with GDPR and Convention 108i”, 156 Privacy Laws & Business International Report 22-24.
- See Bacchus, James (2021), “The Digital Decide – How to Agree on WTO Rules for Digital Trade”, Special Report for the Centre for International Governance Innovation (CIGI).
- See e.g. Riley, Chris (2020), “Unpacking interoperability in competition”, Journal of Cyber Policy 5:1, pp. 94-106, DOI: 10.1080/23738871.2020.1740754.
- See the Federal Trade Commission’s report on data brokers.
- Bartels, Lorand (2015), “The Chapeau of the General Exceptions in the WTO GATT and GATS Agreements: A Reconstruction”, American Journal of International Law 109, pp. 95-125.