2023 could be a monumental year for facilitating DFFT as more and more countries are moving away from the concept of blanket data localisation
Large quantities of data, almost 2.5 quintillion bytes, are being generated and shared daily. These data flows fuel the Internet by enabling constant access to services and fostering innovation. Yet harmonisation on regulating cross-border data flows and facilitating data free flow with trust (DFFT) is still in the works. The absence of well-defined global data governance frameworks limits economic growth, amplifies data privacy risks and restricts governments’ data access for law enforcement. In a notable move to address a significant part of the issue, Organisation for Economic Co-operation and Development (OECD) member countries and the European Union signed the Declaration on Government Access to Personal Data Held by Private Sector Entities on 14 December 2022. This declaration is the first inter-governmental document to facilitate government access to personal data held by private companies for law enforcement purposes while safeguarding privacy.
Japan’s former Prime Minister Shinzo Abe introduced DFFT at the World Economic Forum annual summit in 2019. DFFT encourages countries to devise harmonised approaches to foster openness and trust in data flows. It has a mutually reinforcing impact on regulatory cooperation and trade policy while addressing domestic policy preferences. Seeking inspiration from DFFT, the Osaka Track under Japan’s G20 Presidency in 2019 was launched to promote cross-border data flows with discussions on trade- and rules-related aspects at the World Trade Organisation (WTO).
Different domestic policy preferences for data flow accompanied by a prevailing lack of trust in trading partners have fragmented global approaches to DFFT and led to a substantial increase in proposals supporting data localisation.
But international harmonisation and convergence on data protection and oversight mechanisms remain significant barriers to implementing DFFT. Countries have opposing viewpoints and frameworks on data flows, typically shifting between values of individual privacy, national security and economic well-being. Different domestic policy preferences for data flow accompanied by a prevailing lack of trust in trading partners have fragmented global approaches to DFFT and led to a substantial increase in proposals supporting data localisation.
At present, DFFT is being explored and implemented in e-commerce negotiations at WTO or bilateral/regional FTAs in a limited manner. The trust deficit in data flows becomes especially precarious when data access needs to be facilitated between private enterprises and governments based in different countries for criminal proceedings and national security investigations. For instance, the United States (US) enters into bilateral agreements with countries that meet certain procedural and substantive requirements to support the investigation of serious crimes by enabling access to evidence from US service providers under the Clarifying Lawful Overseas Use of Data Act, 2018. The countries requesting data need to demonstrate commitment to protecting citizens against government surveillance and their support for the free flow of data across borders. The European Commission has also mandated adequacy requirements for international data transfers. Such standards are vital, particularly, in the post-Snowden revelations world where governments demand unfettered access to data from private enterprises and possess capabilities to analyse it with emerging technologies like Artificial Intelligence (AI). Nonetheless, these standards and processes make the task of requesting access to criminal evidence long and arduous for Law Enforcement Agencies. The OECD Declaration aims to address these issues and promote data flows for law enforcement.
The trust deficit in data flows becomes especially precarious when data access needs to be facilitated between private enterprises and governments based in different countries for criminal proceedings and national security investigations.
The Declaration on Government Access to Personal Data Held by Private Sector Entities is the first principle-based intergovernmental privacy agreement signed by 38 member countries and the EU in December 2022. Mathias Cormann, OECD Secretary-General at the launch emphasised the document’s priorities to uphold common standards and safeguards, “It (the declaration) will help to enable flows of data between rule-of-law democracies, with the safeguards needed for individuals’ trust in the digital economy and mutual trust among governments regarding the personal data of their citizens”. The principles outlined in the document apply when government agencies take legal action within their territories and have legal frameworks that mandate private enterprises based out of the country to share data. Notably, direct access to data, where governments act extraterritorially is excluded.
The document is an outcome of over 18 meetings convened by the Committee on Digital Economy Policy (CDEP) at OECD. While CDEP's journey in determining common principles began in December 2020, the OECD has been working on facilitating trans-border data flows since 1978. OECD’s Governing the Protection of Privacy and Transborder Flows of Personal Data, 1980 were updated in 2013 to echo the OECD’s mandate of facilitating the free flow of information. The recently signed declaration, in part, addresses the exemption to OECD member countries relating to “national sovereignty, national security and public policy (“ordre public”)” provided in the earlier document. The declaration has laid down seven principles to facilitate access to personal data while ensuring transparency, compliance with legal standards and legitimate aims, and provision of oversight and redressal mechanisms. The document aims to limit data misuse by ensuring compliance with legal standards of proportionality, necessity and reasonableness from governments. For instance, collecting private data by governments to suppress dissent or discriminatory policies against religious, ethnic or gender minorities is expressly proscribed.
The principles outlined in the document apply when government agencies take legal action within their territories and have legal frameworks that mandate private enterprises based out of the country to share data.
2023 could be a monumental year for facilitating DFFT, especially for priority sectors. India's G20 presidency has brought focus to leveraging Data for Development to advance Social Development Goals and within Japan's G7 presidency commitment to DFFT has been re-emphasised. Moreover, India's recent iteration of the Digital Personal Data Protection Bill 2022 has permitted cross-border data transfers to certain notified countries, taking a departure from its hardline push for data localisation. While the OECD Declaration is a non-binding agreement, it signifies a dedicated commitment to promoting DFFT. It has stressed the need for countries to develop national legal frameworks that offer “sufficient guarantees against the risk of misuse and abuse” and define “purposes, conditions, limitations and safeguards” for infusing trust in cross-border data flows. The declaration demonstrates merit in limiting the regulatory scope to ensure consistency and regulatory cooperation on cross-border data flows. Moving forward, countries must refrain from taking extreme positions in support of data localisation or cross-border data flows and instead, identify other priority sectors like law enforcement where DFFT is crucial and outline collaborative principles to facilitate it.
The views expressed above belong to the author(s). ORF research and analyses now available on Telegram! Click here to access our curated content — blogs, longforms and interviews.