A Roadmap for Cross-Border Data Flows: Future-Proofing Readiness and Cooperation in the New Data Economy - WHITE PAPER JUNE 2020 - Weforum
←
→
Page content transcription
If your browser does not render page correctly, please read the page content below
A Roadmap for Cross-
Border Data Flows:
Future-Proofing Readiness
and Cooperation in the
New Data Economy
WHITE PAPER
JUNE 2020
A Roadmap for Cross-Border Data Flows 1
Contents
3 Preface
4 A note from the Steering Committee co-chairs
5 Executive summary
7 Introduction
9 A Roadmap for Cross-border Data Flows
11 Part A: Establishing the building blocks of trust
12 1. Allow data to flow by default
19 2. Establish a level of data protection
24 3. Prioritize cybersecurity
27 Part B: Incentivizing cooperation between nations
28 4. Hardwire accountability between nations
32 5. P
rioritize connectivity, technical interoperability, data portability and data provenance
37 Part C: Future-proofing international data sharing policies
38 6. Future-proof the policy environment
41 Conclusion: Operationalizing the Roadmap
43 Appendix
46 Contributors
47 Acknowledgements
48 Endnotes
© 2020 World Economic Forum. All rights
reserved. No part of this publication may
be reproduced or transmitted in any form
or by any means, including photocopying
and recording, or by any information
storage and retrieval system.
2 A Roadmap for Cross-Border Data Flows
Preface
Anne Josephine Flanagan,
Project Lead, Data Policy,
World Economic Forum, USA
The World Economic Forum partnered with the Bahrain’s interest in this project stems from
Bahrain Economic Development Board and a its recent success in launching national policy
Steering Committee-led project community of frameworks to facilitate the flow of data across its
organizations from around the world to co-design borders, including the Personal Data Protection law,
the Roadmap for Cross-Border Data Flows, the Cloud Computing Services to Foreign Parties
with the aim of identifying best-practice policies law, the removal of legacy localization requirements,
that both promote innovation in data-intensive and the expansion of connectivity infrastructure.
technologies and enable data collaboration at the Bahrain is continuously exploring best-in-class
regional and international levels. policies on data flows in order to benefit from deep
cooperation in the international data economy.
Creating effective policy on cross-border data
flows is a priority for any nation that critically The Project Steering Committee provided a set
depends on its interactions with the rest of the of global multistakeholder perspectives over the
world through the free flow of capital, goods, course of the project. This report reflects their
Nada AlSaeed,
Senior Manager, Bahrain knowledge and people. Now more than ever, extensive input, gathered at workshops around
Economic Development Board cross-border data flows are key predicates for the world, including at the Annual Meeting of the
(and World Economic Forum countries and regions that wish to compete in the World Economic Forum in 2020, the Sustainable
Fellow), Bahrain
Fourth Industrial Revolution and thrive in the post- Development Impact Summit 2019 and the Summit
COVID-19 era. on the Middle East and North Africa in 2019.
Despite this reality, we are witnessing a We believe that the findings from this work are
proliferation of policies around the world that applicable to both emerging market economies and
restrict the movement of data across borders, highly developed market economies, and that there
which is posing a serious threat to the global are lessons to be learned from each. The World
digital economy, and to the ability of nations Economic Forum is in discussions with parties
to maximize the economic and social benefits around the world that seek to adapt the Roadmap
of data-reliant technologies such as artificial for their own context. We anticipate that the
intelligence (AI) and blockchain. Roadmap will serve as a beneficial, collaborative,
inclusive and safe tool to facilitate cross-border data
We hope that countries wishing to engage in flows given the increased importance of the data
Sheila Warren, cross-border data sharing can feel confident economy for global economic recovery and growth,
Head, Blockchain, Digital in using the Roadmap as a guide for designing as well as technological and societal development.
Assets, and Data Policy, and
Member of the Executive
robust respective domestic policies that retain
Committee, World Economic a fine balance between the benefits and risks of
Forum, USA data flows.
A Roadmap for Cross-Border Data Flows 3
A note from the
Steering Committee
co-chairs
Everyone needs data to succeed in today’s contracts and trade secret protection laws.
world economy. Countries that impose local data storage and
retention requirements to secure better access for
Countries can attract inbound cross-border themselves can expect multinational businesses to
transfers of data and information technologies only stay away and other countries to retaliate. Similarly,
if people, businesses and governments abroad countries that regulate data processing too rigidly
trust them. To earn a reputation as a safe data and with specific restrictions on cross-border data
transfer destination, countries must provide for transfers provoke reciprocal restrictions by other
secure telecommunications infrastructure, respect countries, resulting in reduced access to global
Lothar Determann, individual privacy and confidentiality, exercise self- data and technology, pressures for compromises
Partner, Baker McKenzie
(Project Steering
restraint regarding forced data access, and enact in bilateral trade negotiations, and accumulating
Committee Chair) laws that also benefit people and organizations complexities. Cross-border data transfers require
outside their borders, including data privacy, give and take.
security, contracts and trade secret protection
laws. Moreover, governments must be transparent, Since the outbreak of COVID-19, governments
share data, and encourage their people and around the world have started to realize and admit
businesses to share data across borders if they that restrictions on cross-border data flows not only
want to participate in cross-border knowledge inhibit scientific and economic progress but actually
transfers. Open information societies thrive best in cost lives.
the world economy.
As co-chairs, we thank our fellow Steering
Conversely, people, businesses and governments Committee members, the larger project community
hesitate to transfer data to countries that maintain and the staff at the World Economic Forum
weak data security infrastructure, laws and for their contributions to this white paper on
defences; excessively spy and seize data; fail to cross-border data transfers. We hope that law-
Leanne Kemp, enforce or comply with laws protecting privacy, and policy-makers find the data, insights and
Chief Executive Officer, confidentiality and contracts; cover up data recommendations helpful and we look forward to
Everledger (Project Steering
Committee Co-Chair)
security breaches and risks; suppress media receiving feedback and the continued debate on
reporting; or fail to offer foreign businesses and this important topic.
citizens due process and recourse to privacy,
4 A Roadmap for Cross-Border Data Flows
Executive summary
The challenge
The technologies of the Fourth Industrial border data flows policy has come into its own as
Revolution, including artificial intelligence (AI), a policy lever for ambitious governments seeking
the internet of things (IoT) and blockchain, economic recovery.
are exceptionally reliant on accessing and
processing data. To realize the potential of such Despite these benefits, laws and policies that act
data-intensive technologies, or to fully harness as barriers to this type of international data sharing
the power and efficiency of cloud computing are on the rise,1 threatening to undo this progress,
solutions for start-ups and SMEs, data needs slowing technological innovation and limiting
to be able to move seamlessly across country positive societal impact. While some of this friction
borders. The ability to move, store and process is based on perception, such as the myth that
data across borders is foundational to the data is better protected by restricting it to within
modern international data economy, and as new one country, or a perception that such policies
global growth relies increasingly on digital growth maximize value for local populations, some of it is
in the post COVID-19 era, progressive cross- deliberate and misguidedly protectionist.
The opportunity
Certain regulatory differences across countries economies of scale, particularly at regional level,
cannot be eradicated; they are necessary and and allows governments to create a friendly policy
appropriate because sovereign nations have environment for indigenous and international
different values and strategic priorities. However, investment. Investment breeds opportunity, and
in order to create trust between nations when those countries with a burgeoning technology
it comes to allowing companies within them to sector can start to maximize these companies’
participate fully in the international data economy, opportunities on a global scale, enabling them
there is a clear need for interoperable policy to develop cutting-edge technologies with global
frameworks that can streamline requirements impact as well as experiencing potential knock-on
across borders and create mechanisms to reduce economic and societal benefits.
regulatory overload. Doing so capitalizes on
A Roadmap for Cross-Border Data Flows 5
The solution
Cross-border Building trust between nations requires both an that are empowered to take action to open the
data flows policy assurance that countries are like-minded in how gates and allow data to flow relatively seamlessly
is a foundational they approach supporting their data economy and across their borders.
prerequisite to the implementation of a series of backstops that
a functioning reduce risk. Our proposed solution is a practical In the Roadmap, our project community of globally
international data Roadmap for governments of country-level diverse industry experts proposes what best-
economy and thus policy building blocks that, when combined, are in-class data flows policy looks like. For some
requires action fro designed to harness the benefits and minimize the countries, very little will be needed in the way of
the highest levels risks of cross-border data sharing. upgrading as they have inspired the core principles
of power by their own actions, whereas for others the
Cross-border data flows policy is a foundational Roadmap may represent a full suite starting point.
prerequisite to a functioning international data In order to cater for varying degrees of ambition, we
economy and thus requires action from the highest first crystallize the most essential building blocks,
levels of power. In addition, as we look at all types and then offer scope for the most ambitious and
of data in the economy, not just personal data or advanced economies to future-proof their policy-
proprietary information, it is ultimately governments making in this area.
6 A Roadmap for Cross-Border Data Flows
Introduction
The importance of cross-border data sharing
While cross-border data sharing, i.e. the nations can expect to derive increased economic
movement of information across international and social value. Furthermore, in a world
borders, has long been necessary from the disrupted by the COVID-19 crisis, the data
perspective of trade,2 internet-based services and economy has risen in terms of its importance for
e-commerce – more recently cloud computing, new economic growth.
Fourth Industrial Revolution technologies such as
artificial intelligence (AI) and the internet of things Despite such benefits, data localization
(IoT) – rely on access to high-quality data that requirements, e.g. laws, standards or policies
often resides in more than one territory. which mandate that data be stored within a
geographical territory, are on the rise globally,
Through the development and deployment of threatening to deter this progress – sometimes
these data-reliant technologies and solutions, intentionally but often unintentionally.
FIGURE 1 The increasing importance of cross-border data flows over time
Post COVID-19
economic growth
Fourth Industrial
Revolution
Technologies
Cloud Computing
Trade & Commerce
1990 2000 2010 2020 +
A Roadmap for Cross-Border Data Flows 7
The problems of unjustified
data localization requirements
For companies, When unjustified, data localization requirements was stark: Start by ensuring your own house is in
an absence of can prove highly problematic. As well as driving up order, otherwise creating trust becomes almost
data localization the cost of cloud computing, upon which SMEs impossible. Without country-level preparedness,
requirements is are highly reliant, it becomes difficult to achieve international participation proves challenging in this
akin to having access to high-quality data at scale, upon which space, and secondly, governments can influence
visa-free travel for technological development relies – and from there, but not fully control the international environment.
their data problems quickly amplify. We see associated
economic consequences when companies need Consequently, this white paper does not represent
to create and maintain multiple data centres in a one-size-fits-all approach to cross-border data
different jurisdictions, at great cost in both monetary sharing, nor does it advocate how countries are
and environmental terms. Furthermore, companies to implement the recommendations outlined in the
relying upon such services may find they avoid various building blocks that we will discuss, but it
certain markets altogether due to the increased does try to identify the policies that countries ought
cost of doing business there. This then has further to consider implementing domestically in order to
knock-on effects for the attractiveness of regions facilitate full participation in the international data
when it comes to investment of capital and economy. As sovereign nations, countries have
retention of talent, with data localization restrictions both their own diplomatic relationships and their
acting as digital walls between countries. own domestic policy considerations to take into
account, and the Roadmap is therefore designed to
For some economies, a deliberate approach to provide a holistic look at what stakeholders believe
restricting the international movement of data can works when it comes to cross-border data flows.
be the result of a mistaken belief that localized data
reduces risk. From a business perspective, the We assume that all countries and users of
opposite can hold true: Regulatory certainty this Roadmap wish to have competitive open
breeds business commitment in product and economies, that they want to exist in a globally
service markets. competitive region, and they aim to attract both
local and foreign investments. We assume also that
For companies, an absence of data localization the countries and users of this Roadmap want to
requirements is akin to having visa-free travel for support their technology sector where access to
their data. One still needs a passport (which is data is a key driver, whether it be in AI, blockchain
represented by the trust mechanisms discussed or IoT applications such as smart cities, etc. We
below), but travel is pre-authorized. Removing also assume that no country wants to compel its
barriers to data flows is speedier, cheaper and more industrial players to share data across borders
efficient than the contrary, and it is hugely beneficial if they do not wish to do so and that this choice
in growing international business regardless of size. is best left in the hands of the holders of such
proprietary data.
How can we dismantle arbitrary barriers to cross-
border data sharing by implementing backstops Countries wishing to follow the Roadmap are
that provide assurance of appropriate safeguards to advised to conduct a country-level review of
governments without undermining global economic the current legal and regulatory provisions that
growth? What does a practical approach look like? may complement or obstruct the Roadmap. By
How can countries ensure they have appropriate definition, progress along the Roadmap indicates
policy frameworks in place to maximize benefit and progress, with a full suite round-up representing
minimize risk? forward-leaning cross-border data flows policy in
the Fourth Industrial Revolution.
The World Economic Forum has convened a
multistakeholder group of businesses, civil society Finally, while this Roadmap is designed to examine
actors, academics and governments globally who the issue in the context of the international and
were consulted on what makes cross-border data regional levels, there are learnings here for data-
policy fit for purpose and future-proof. The answer sharing policies at country level.
8 A Roadmap for Cross-Border Data Flows
A Roadmap for
Cross-Border
Data Flows
A Roadmap for Cross-Border Data Flows 9A Roadmap for Cross-Border Data Flows 10 A Roadmap for Cross-Border Data Flows
A Part A:
Establishing the
building blocks
of trust
A Roadmap for Cross-Border Data Flows 111 Allow data to
flow by default
Policy recommendations
– Given the overriding disadvantages for respective local consumers,
industries, technological development and job markets, both national
laws and negotiated cross-border data sharing agreements between
governments should prohibit data localization requirements.
– Narrow specified exceptions may be allowed in order to achieve a
legitimate national security or public policy objective, provided that the
measures are: (1) non-discriminatory; (2) not arbitrary; and (3) do not
amount to a restriction on trade.
– The absence or removal of data localization requirements should not
impede national authorities’ access to data for law enforcement and
regulatory compliance purposes.
Data localization
Data localization Data localization requirements are broadly defined records by authorities. In practice, it can,
requirements as any laws, standards or policies that require for example, make it illegal to transfer company
have the effect an entity to store data on media that is physically or employee records across borders or limit
of restricting the present in a specific geographical territory: This can an institution’s ability to outsource certain
cross-border flow include the infrastructure and services that support functions offshore.
of data the hosting of data, e.g. servers. Data localization
requirements have the effect of restricting the cross- Because data localization requirements can also
border flow of data. They may be either deliberate emerge as a result of indirect policy measures,
or unintended, explicit or implicit. such as requiring or limiting government
procurement to locally established entities only,
Such requirements can often be found in data and or tax incentives that favour domestic industries
cybersecurity laws, but, in some instances, they over foreign products and services,3 they can
may be invisible. By way of example, there may be sometimes be difficult to identify at first. The result
a clause in a sector-specific law which mandates is that, even when it is technically legal to do so,
that a specific type of data be stored in a specific the transfer of data across borders becomes
geographic location, such as a clause within a law impractical and costly, making data localization an
governing financial services mandating access to inevitable outcome.
12 A Roadmap for Cross-Border Data FlowsThe new data localization
We are Some data localization requirements exist as a the region as a whole) and, sometimes more
suddenly legacy of older laws written for the pre-internet insidiously, leading to a potential copycat effect
witnessing an age and are intended to cover the storage in other nations. The result is an increasingly
increase in of physical records in a physical territory, fragmented deglobalized international data
intentional data but they are interpreted as applying also to economy that favours larger nations (which
localization, electronic records. But not all data localization naturally have relatively greater amounts of data
spurred on by requirements are legacy-based in nature. We are within their borders than smaller nations) and risks
the increasing suddenly witnessing an increase in intentional slowing down economic progress for smaller and
importance data localization, spurred on by the increasing emerging nations.
of data for importance of data for technological innovation and
technological general economic growth. Some countries that In reality, nations of all size can benefit their
innovation wish to partake in, or in some cases dominate, the economies by partaking in cross-border data
new global data economy are adopting increasingly sharing because it is not a zero-sum game. Unlike
aggressive measures designed to ensure that commodities, data is not a finite resource. Data
either they, or their indigenous businesses, have begets data,4 i.e. insights can continuously be
access to vast quantities of data. Aggressive derived through combining and analysing quality
deliberate data localization practices of this nature datasets in greater quantities. This concept
can have unintended consequences, including is particularly important for data analytics and
raising the price of entry for foreign investment, machine learning, and a key driver as to why data
disadvantaging neighbouring countries (and thus localization policies often backfire.
Debunking myths about data localization
For governments, international data movement
raises legitimate concerns, particularly about
security and access:
Protecting privacy of citizens’ personal data
Data localization practices are often rooted in a specific territory, but that does not take into
a desire to protect the personal data of private account the guarantee that they will otherwise
citizens, but data localization laws cannot comply with data protection law. Moreover, easier
effectively address privacy concerns. Doing so or mandated government access to personal data
relies on robust country-level data protection when stored in a specific territory may ultimately
legislation and controlling access to data, impede privacy interests. In many cases, such
regardless of where it is stored. For example, a measures are simply misguided, but in extreme
company may be compliant with a data localization cases, data localization laws can actually become
requirement and store personal data only within anti-privacy laws.
Improving cybersecurity
Risk detection, The cybersecurity world offers lessons on why robust security controls, rather than geographic
assessment data localization and residency restrictions can be locality requirements. In addition, distributed and
and response harmful and costly: Data security issues can arise duplicated data on multiple systems leads to
to cyberthreats from storing all data in one geographical territory, variation in local security measures, lower local
require robust which is contrary to the diversification approach investment in security and leaves data more
security controls, most commonly mandated in the cybersecurity vulnerable to breaches. Similar to concerns
rather than industry and often adopted by multinational regarding data protection, data localization
geographic locality companies to ensure robust security across a requirements in the name of cybersecurity are often
requirements geographically dispersed network. Risk detection, misguided policies.
assessment and response to cyberthreats require
A Roadmap for Cross-Border Data Flows 13Securing data availability for national security and law enforcement
Cybersecurity concerns are distinct from national countries have enacted broad data localization
security concerns. Countries deploying isolated or laws so far and international treaties such as the
outdated technology are less able to protect their Trans-Pacific Partnership Agreement (TPPA) and
national security against foreign military and criminal the EU Free Flow of Non-Personal Data Regulation5
threats and may instead benefit from the use of expressly prohibit member countries from
cloud services (which are often more affordable when enacting data localization laws or local data centre
not made to measure and specifically localized). requirements except where justified. International
cooperation between intelligence and police forces –
Most countries consider selective record retention, for example, via INTERPOL and regional cooperation
secrecy and anti-treason laws sufficient to protect arrangements – render even justified cases of data
national security interests. That is why very few localization less useful than previous instances.
Case study: Cross-border data restrictions and anti-money laundering
Data localization and residency restrictions can
severely compromise the ability to detect and
monitor fraud, money laundering and terrorism
financing activities. By limiting the flow of
data across borders, the process of detecting
suspicious activities becomes more complex.
“A criminal rejected in one country can open a
mobile money account and make transactions
in another country.”6
Protecting domestic industries by compelling use of local data centres
Countries can support their local data economy down local progress in relative terms. Secondly,
through inter alia, offering education, carefully local industry suffers when other countries
packaged deregulation, transparent tax codes and retaliate with their own data localization laws or
strong intellectual property protections. other free-trade restrictions. Thirdly, the lack of
access to international markets makes the territory
Introducing data localization requirements in order to unattractive to foreign investment due to these
create a market for local data centres or the use of inherent limitations.
locally made technology is not an effective long-term
strategy for boosting domestic industries because it In the same way that countries which allow their
limits the growth of the domestic data economy. economies to trade with partners experience
greater economic opportunity, so, too, do countries
First, local data centre facilities often prove costly and that allow their economies to participate fully in the
end up not being globally competitive, which slows international data economy.
14 A Roadmap for Cross-Border Data FlowsAre data localization requirements
ever justified?
As mentioned above, every country has the right
to secure the infrastructures and assets vital to its
national security, governance and public safety. As
such, there are legitimate reasons why a country
may wish to restrict or scrutinize data entering or
leaving its borders.
FIGURE 2 Government concerns that prompt data localization requirements
Political security Economic security Cybersecurity Domestic security
Protecting the sovereignty Protecting the nation’s Protecting digital assets Upholding national laws
of the government and economic wealth and from theft or damage and protecting the nation
the democratic system freedom against internal security
threats
Essential infrastructure Environmental Energy and natural
security resources security
Protecting access to critical
infrastructure such as Preventing environmental Protecting access to
transport hubs, network problems such as water energy resources for
communications, banking scarcity, food shortages energy consumption
infrastructure, etc. or climate change
For the purpose of securing government access the sovereignty of nations to protect their national
to data, it is usually sufficient for governments to security interests, there are occasions where
require companies to guarantee remote access to countries will prefer to insist on localizing data.
data (wherever it is stored). There are exceptions However, a de minimis approach is recommended
to this in the case of hypersensitive data, such as here to avoid unintentionally localizing data that
information pertaining to military or defence data. is not itself sensitive but which sits alongside
Along similar lines, information that, if accessed by sensitive data that does need to be localized. Any
the wrong pair of hands, could take out a national requirements should be non-discriminatory, non-
energy grid is data that is beyond the comfort arbitrary and should not be disguised restrictions
zone of most governments. In line with respecting on trade.
Case study: Comprehensive and Progressive Agreement for Trans-Pacific Partnership
The Comprehensive and Progressive Agreement (a) is not applied in a manner that would constitute
for Trans-Pacific Partnership identifies permissible a means of arbitrary or unjustifiable discrimination
exceptions for cross-border data flow restrictions or a disguised restriction on trade, and
in Article 14.11.3 and 14.13.3. Participating
members can adopt or maintain data localization (b) does not impose restrictions on transfers of
measures to achieve a legitimate public policy information greater than are required to achieve
objective, provided that the measure: the objective.
A Roadmap for Cross-Border Data Flows 15How does overreaching data localization really
affect supply chains, the workforce, economic
growth and global society?
A. Isolation is costly
In fact, most businesses incur extra costs in corruption and compliance deficits associated with
complying with data localization requirements, both establishing local presences. Consequently, local
businesses from abroad and local SMEs that would companies and consumers lose access to cloud
like to use cloud service providers as back-end computing capabilities and other advanced foreign
infrastructure, such as software as a service (SaaS). information technologies, pay higher prices and
Those higher fixed costs are ultimately passed on become uncompetitive in global markets.
to SMEs, which often have neither the expertise
nor the budget to afford their own state-of-the-art Local labour markets may suffer from withdrawals
mechanisms to store and protect data, making use or reduced job offers from multinationals. Therefore,
of the cloud an accessible and effective solution. local consumers and economies lose out – in the
While foreign businesses look to where their form of higher-cost and lower-quality services, as
return on investment will be greater, indigenous well as lost job opportunities – as a result of the
businesses also become incentivized to locate impact of localization requirements on both local
elsewhere to avoid additional costs, local taxation, businesses and multinationals.
local government access to data, and risks of
B. It confines e-commerce and supply chains
The overwhelming majority of commercial activities individuals to sidestep infrastructure challenges, and
we engage in are virtual, which means they access services directly and affordably. This pace
are facilitated by data travelling over fibre-optic of progress could be quickly unwound were they to
networks across the globe every day. Cloud introduce arbitrary data localization requirements.
services and particularly SaaS offerings allow
businesses of all sizes to access customized Supply chains are another example. Highly
enterprise software at relatively low prices. If distributed and specialized in nature, these are in
you prevent data from being hosted outside of many ways the litmus test for market economics:
your country, most of these services and the Supply chain nodes that are no longer relevant
technologies that drive them become inaccessible. quickly die, so we can expect supply chains to
Data localization can make it impossible for small reasonably reflect real demand for goods and
businesses to get up and running, and it will be services, at least over time.
impossible for them to scale if they cannot benefit
from the economies cloud services provide. Supply chains are so finely balanced and
sophisticated that doing business usually involves
Access to e-commerce, which inherently relies interacting with many niche players, many of
on the flow of data, has helped many developing whom will be distributed globally – and, practically
economies, including countries in Africa, to grow speaking, that requires data to move. Even simply
at great pace, as access to mobile methods of buying goods and services from different places
payment, access, education and business enables around the globe requires the movement of data.
16 A Roadmap for Cross-Border Data FlowsTrade and e-commerce realities
If you want to buy high-quality industrial ball One might think that something as small as a
bearings from Germany for machinery on your micro-sized part of a smartphone may not matter
factory floor, you must contract with a German much, but in fact industry is hyperspecialized – and
supplier. Your German supplier will have sales that’s a good thing. Performance improves in all
representatives and engineers who can recommend of the products and services affected by it, but it
which ball bearings will work best for you. You also requires commerce to move, and commerce
will keep their contact information in your vendor can’t move without data moving, too. Every action
management system – a system that is almost we take online is tracked and recorded. You can’t
certainly electronic and probably located in your create an ordering document, make a shipment,
vendor’s cloud. Your vendor’s cloud is powered by record a payment or issue a receipt without data
infrastructure providers who pass that data back – business, shipping, financial and often personal
and forth in their data centres and across borders to data moves around the e-commerce circulatory
ensure performance and prevent service interruption system continuously.
or failure. These data centres may be located
outside your country and even outside the country
where your vendor does business.
C. It stifles talent
In this hyperconnected, increasingly specialized – to their teammates, managers, your customers,
world we live in, talent matters, is hard to find and is vendors and many others. If employee personal
unique. The flight of graduates out of countries that data can’t be hosted on cloud servers outside
offer few opportunities internally due to localized their country of residence, how will you gain the
measures, usually never to return, has a long-term local talent you need? Moreover, how will the local
impact on the development of a country’s expertise talent be available for opportunities if the market is
and economy. closed to outside vendors? The impact on the local
workforce will be profound.
At the international level, if you want to develop
software in the US or the EU for use in the Middle It is not seriously questioned any more whether
East, you need experts on your development remote workers are a critical segment of the
team who understand the regional languages and workforce, and to work remotely, data must
cultures. You may want to increase your investment travel – financial data, business data, design
in local talent in the region to do so, and hire them data, health data, etc. It is all coursing along the
directly or through a third party, but in any case, you information superhighway. Data localization greatly
will have to onboard them, train them and work with disadvantages the remote worker, foreclosing
them locally (and often virtually). opportunities for professional and economic growth.
This will require you to transfer their personal data
and your proprietary data in and out of the country
A Roadmap for Cross-Border Data Flows 17How countries instil data localization requirements
More than 200 countries around the world have between two entities or more (i.e. what is known
enacted data laws of some description,7 with as cross-border data transfers), but the reverse is
many similarities and some significant differences not true, e.g. countries may restrict the contractual
between them. use of cross-border data transfer mechanisms and
yet not have any explicit data residency rules. Data
According to data residency and data retention laws, transfer restrictions and data residency requirements
companies must keep data for certain minimum are conceptually different. Under data residency
time periods and on national territory to ensure that laws, companies must process data primarily in a
government authorities can compel access. particular territory, but they can also transfer copies
of the data abroad. According to cross-border
Data processing regulations with cross-border data data transfer restrictions, companies must not
transfer restrictions originated in Europe in the 1970s transfer data to another country except in cases
and have been adopted by more and more countries where they can assure adequate safeguards for the
around the world. These include both broad-brush transferred data abroad; if companies can meet the
data residency requirements as well as narrower requirements for an exception, they are not required
data retention and residency laws pertaining to to keep a local copy of the data.
communications metadata only.8
Examples of data transfer mechanisms include
Countries that require data residency usually also binding corporate rules (BCRs) or standard
restrict the use of legal instruments that allow for contractual clauses that are discussed below in the
the contractual movement of data across borders “Data protection and privacy” section.
Focusing on access
Ultimately, policy Ultimately, policy that is in favour of cross-border One possible solution to staving off data localization
that is in favour of data access is usually pro-innovation, pro-economic in the data-centre space is the data jurisdiction
cross-border data growth and, frankly, pro-people. Governments law that Bahrain has introduced – where foreign
access is usually will righty have concerns about backstops and governments maintain their jurisdiction over
pro-innovation, safeguards to doing so, which are the subject of data stored in Bahrain-based data centres. This
pro-economic discussion throughout this white paper. By ensuring innovative solution to cloud computing manages
growth and, frankly, that data flow is the default state, governments to create a level of comfort for governments as the
pro-people can concentrate their energy on identifying those data is not technically stored in Bahrain for legal
very high-risk scenarios where they do consider it purposes, even if it physically is. If we consider that
appropriate to localize data. cyberspace is everywhere and nowhere, then what
ultimately matters is access to the data.
Case study: Bahrain’s data jurisdiction law
According to the Legislative Decree No. 56 of To facilitate cross-border cooperation between
2018 in Respect of Providing Cloud Computing authorities, the law allows foreign public authorities
Services to Foreign Parties, data of government to issue binding orders to provide access and
and business entities stored in data centres in disclosure of the data, or requests to preserve or
Bahrain is subject to the exclusive jurisdiction of maintain the integrity of the data, as per the laws
the foreign state in which the entity is domiciled, relevant to the foreign state.
constituted or established.
18 A Roadmap for Cross-Border Data Flows2 Establish a level
of data protection
Policy recommendations
– Participating governments should be required to have national legal
frameworks in place that protect the data of individuals, e.g. a data
protection law.
– Cross-border transfers of personal data should generally be permitted
under national laws.
– A clear cooperation mechanism between national authorities needs to
be established to enhance trust and allow for regulatory compliance
across borders.
– Compatibility or policy interoperability between data protection and
privacy laws is encouraged to ensure certainty and security.
– Governments should investigate the possibility of reaching explicit
agreement on the adequacy of other countries’ data protection and
privacy regimes where the respective legal systems offer substantially
similar privacy protections so as to create a common space for the
movement of personal data.
– Lawmakers should encourage and enable secure data sharing and
focus legislation and law enforcement on abuses such as cybercrime,
fraud and harmful discrimination.
– If lawmakers enact broadly applicable privacy laws to define baselines,
they should be technologically neutral so as to remain future-proof.
A Roadmap for Cross-Border Data Flows 19Data protection and privacy:
Why it matters for cross-border data sharing
This Roadmap is designed to cover the principles use might be streamlined to extract a fit-for-purpose
behind the movement of all types of data as it version of the cross-border flow of personal data.
flows across borders. However, personal data or
personally identifiable information is a subset of Mobile phones, fitness trackers, connected cars,
data that is already highly controlled in its cross- medical devices, industrial machines, toys and
border movement. In fact, a significant amount of other IoT devices already generate vast amounts
data qualifies as “personal data” under EU data of data and information. The total amount of
protection laws and as “personal information” stored data worldwide is expected to reach 175
under newer data privacy laws in the US, including zettabytes by 2025.9 Unsurprisingly, the number
the California Consumer Privacy Act. As a result, of corresponding data laws has exploded in
restrictions on cross-border transfers of personal exponential terms in recent years, as seen in the
data affect most data transfers in practice. Below following graph.
we discuss how the various methods currently in
FIGURE 3 A growing number of data regulations
Cumulative number of data regulations
250
200
150
100
50
0
1972
1974
1978
1979
1981
1983
1985
1988
1990
1992
1994
1995
1996
1997
1998
1999
2000
2001
2002
2003
2004
2005
2006
2007
2008
2010
2011
2012
2013
2014
2015
2016
2017
2018
2019
Forseen
Modifications Count of data regulation
Source: OECD
Data protection and privacy laws governing the countries have full or draft legislation to secure the
28% collection and processing of personal data and
personally identifiable information vary from country
protection of data and privacy. The 28% of countries
that do not have data protection and privacy
of countries do not to country, from the highly sophisticated, such as the legislation in place face the risk of missing out on the
have data protection
EU’s General Data Protection Regulation (GDPR),10 benefits of cross-border data flows, digital trade and
and privacy legislation
in place to some emerging market jurisdictions that lack investments in emerging technologies.
any explicit data protection laws. Almost 72% of
20 A Roadmap for Cross-Border Data FlowsData Protection and Privacy at the Cross-Border Level
FIGURE 4 Core principles of data protection and privacy
Core principles of data protection and privacy
Fair and
lawful
processing
Purpose
Accountability specification
Security and Minimality
confidence Core
principles
Sensitivity Quality
Data subject Openness or
participation transparency
Under these data protection and privacy laws, Asymmetry can act as a soft barrier when both
organizations usually face restrictions and obligations Country A and Country B have robust data
regarding the collection, use and transfer of protection legislation in place, yet significant
data relating to natural persons (personal data). differences exist in terms of how those laws are
Data protection and privacy laws do not apply to implemented and complied with. Compliance
aggregated information, irreversibly de-identified data comes with associated cost, and so to minimize
or data that does not relate to individuals. costs the company may choose not to do business
in Country B, opting instead to stay local or else
The core principles of data protection and privacy expand its business into territories whose regimes
as illustrated in Figure 5 above tend to remain are more similar to Country A’s. The result is that
fairly consistent from jurisdiction to jurisdiction, Country B loses out.
though some differences do appear. When
these differences are significant, a country’s data Finally, but by no means exhaustively, because
protection law can end up acting as both a hard of the relative importance placed on compliance
and soft barrier to the cross-border flow of data. when it comes to protecting personal data in a
dataset (due to regulatory obligations and other
Consider a company resident in Country A that is penalties, on top of the importance of protecting
interested in doing business in Country B. We can private individuals), the entire dataset will often be
assume that doing business will require some sort treated as personal data, even if it contains only a
of cross-border transfer of personal data, such as small amount of personal data. Larger companies
customer purchasing information. can often design data stacks so that personal data
can be stored separately from other kinds of data,
Asymmetry of approach to data protection but SMEs will usually lack the resources to do so
between these countries will act as a hard barrier and may effectively end up treating all data equally
to business in the case where Country A has a in line with the highest standard of compliance
robust level of data protection legislation and required, e.g. as if it is personal data. Thus, laws
Country B has a lighter or non-existent level that are intended to apply only to personal data
of protection. Because Country A cannot be can, in practice, have the effect of applying to all
certain that its citizens’ data would be adequately kinds of data.
protected in Country B, it may restrict the
movement of personal data by the company to
Country B.
A Roadmap for Cross-Border Data Flows 21FIGURE 5 Data protection and privacy legislation worldwide
Legislation Draft legislation No legislation No data
Source: UNCTAD
Cross-border data transfers
Contractual Data privacy concerns in respect of the cross- collaboration and thus transfers of personal
commitments border movement of data can be addressed by data. Partial restrictions may be helpful to ensure
usually require mandating contractual commitments by foreign sufficient levels of data protection abroad, using one
parties to adhere data importers. Contractual commitments usually or more mechanisms:
to core principles require parties to adhere to core principles of
of various various international data protection and privacy – More and more countries require companies
international data laws. In this way we can see how existing laws can to provide notice or seek informed consent
protection and act as a form of unofficial standardization for cross- from data subjects before their personal
privacy laws border data transfer agreements. data may be transferred abroad. Companies
administer the notice and consent process,
National lawmakers can allow cross-border which adds costs to cross-border trade. While
transfers of personal data, hold data-transferring the approach is flexible and leaves the decision
companies responsible for any consequences to individuals, it places a considerable onus on
caused, and apply and enforce national laws individuals to understand the data value chain
against foreign companies and public-sector and is not optimal in cases where potentially
entities. The United States has taken this approach harmful processes are consented to but poorly
and successfully enforced its laws against understood.
companies around the world based on their nexus
to US markets and jurisdiction. Other countries find – The EU allows data transfers on the basis of
it more difficult to enforce their laws across borders consent only in specific circumstances11 and
if they cannot rely on cooperation from other generally requires that a data importer outside
countries, and the foreign companies involved have the European Economic Area (EEA) be located
less of a nexus to their jurisdiction. in a jurisdiction that the EU has declared
“adequate”, adopts industry codes of conduct,
If a country is concerned that it cannot enforce its implements binding corporate rules approved
data protection or privacy laws against companies by a data protection authority in the EU or
abroad, and does not trust another country’s accepts standard contractual clauses (SCCs)
practices, it can prohibit or restrict cross-border promulgated by the EU. Many multinationals
transfers of personal data. A complete prohibition view adopting the complex and rigid SCCs as
would result in economic isolation because the least burdensome option, even though the
international trade requires communication, SCCs cover only limited data transfer scenarios
22 A Roadmap for Cross-Border Data Flowsand require pass-through to onward transferees, should reflect on their needs and requirements
which multiplies costs and burdens. SCCs before using the expertise and experience of others.
work less well for cross-border data sharing at Every country should aim for a minimum level of
scale, and are not ideal for modern-day cross- data and privacy protection12 at a domestic level
border data sharing use cases such as machine that can then be operationalized in an international
learning; however, in current use they are an relationship for cross-border data transfers.
important instrument for SMEs that lack the
resources to build tailor-made legal solutions for Fundamental to ensuring that two different nations
the cross-border transfer of data. with two different data protection laws can act
harmoniously is ensuring that, at a principle level,
– The member states of the Asia-Pacific there is a degree of commonality. Once this
Economic Cooperation (APEC) agreed on a commonality is either recognized or achieved,
privacy framework in 2004 and cross-border companies will find it easier to comply with both
privacy rules (CBPR) in 2011. As of February regimes when constructing private-level cross-
2020, eight jurisdictions have implemented border data transfer mechanisms such as standard
these rules (Australia, Canada, Japan, Mexico, contractual clauses. However, there are inherent
South Korea, Singapore, Taiwan and the difficulties with this approach, because it requires
United States). Only 23 businesses are listed case-by-case analysis and bilateral arrangements;
as participants so far, because none of the as the number of countries participating in the
member states demands cross-border transfers process increases, countries should seek to
of personal data on participation. achieve adequacy between them when it comes to
a minimum standard of data protection and privacy.
– Other countries have followed the EU approach, In this way, private data transfer mechanisms
with country whitelists and requirements to may still be required at an operational level,
execute protective contracts. The whitelisting but businesses can effectively treat the two or
approach provides countries with opportunities more countries involved as effectively a singular
Personal for privacy law harmonization and bilateral trade jurisdiction for the purposes of data protection and
data transfer negotiations. Companies can manage contract privacy. Thus, adequacy is a passport that allows
minimization requirements better if they are generally stated, personal data to travel across relevant borders.
and prohibitive e.g. not overly prescriptive, but if every country Mutual recognition of agreed international principles
regulation requires its own contract clauses for cross- as a way of defining minimum standards for data
writ large is border transfers at the same level of complexity sharing is therefore more practical for the most
counterproductive and word count of the EU SCCs, then ambitious nations.13
to pursuing the multinationals would have to review and execute
many opportunities millions of pages of contract terms, resulting Although there is no uniformly agreed-upon model
of data-driven in an undue burden on international trade. A for data protection, many countries have been
innovation, which more efficient alternative to country whitelists adopting European-style concepts in their data
is why policy- is mutual recognition of OECD countries processing legislation, including, recently, Brazil and
makers should or signatories to the Council of Europe’s India (a draft bill is pending at the time of writing).
focus on specific Convention 108 principles. This places the onus Despite the significant differences, many of those
privacy harms and on countries to opt in to such an approach. models also share communalities in terms of core
craft legislation data protection principles. These can provide
that balances – Compatibility or policy interoperability between a place to start to achieve harmonization and
privacy and data protection and privacy laws ensures interoperability and reduce friction over cross-
other interests certainty and security in EU-US Privacy Shield border data flows.
proportionally programme and Executive Agreements under the
US Cloud Act, such as the UK-US agreement, Personal data collection, usage and cross-border
whereby mutual standards are respected sharing will increase – in fact, must increase – to
regarding the processing of personal data. better research and cure diseases; treat patients
with personalized, precision medicine; develop
Lawmakers should encourage and enable secure AI; enable autonomous cars to recognize and
data sharing, and focus legislation and law protect people; support global communications;
enforcement on abuses such as cybercrime, fraud create reliable blockchains; ensure the effective
and harmful discrimination. If lawmakers enact fight against financial crime, modern slavery and
broadly applicable privacy laws to define baselines, corruption; enable firms to manage vendor/supplier
they should be technologically neutral so as to risk; safeguard against cyberthreats; and protect
remain future-proof. national and international security. Personal data
transfer minimization and prohibitive regulation writ
Each country must find the right balance for its large is counterproductive to pursuing the many
people’s privacy and data needs. The legal, cultural opportunities of data-driven innovation, which is
and societal differences between nations and why policy-makers should focus on specific privacy
regions mean that wholesale adoption of privacy harms and craft legislation that balances privacy
requirements in one country/region may not work and other interests proportionally.
for another in the same way. Therefore, countries
A Roadmap for Cross-Border Data Flows 233 Prioritize
cybersecurity
Policy recommendations
– Governments should endorse the concept of cybersecurity as a
fundamental condition of doing business in an economy.
– Governments should enact robust data security legislation to position
themselves as trustworthy data transfer destinations, including data
security requirements on public- and private-sector organizations and
data security breach notification requirements.
– Governments should create, support and respect robust data security
infrastructures and refrain from demanding data access without due
process or technology back-door systems.
– Cross-border data sharing agreements between governments should
in turn mandate data security measures.
– Cross-border data sharing agreements should contain an anti-
snooping clause, i.e. a clause that forbids governments and
connectivity providers from viewing the data being transmitted across
borders, except in certain prescribed instances.
– A clear cooperation mechanism between authorities needs to be
established to enhance trust.
24 A Roadmap for Cross-Border Data FlowsWhat governments can do
The security of data when it moves across borders ePrivacy Directive,14 there are stringent penalties
is of fundamental concern to both companies and placed on electronic communications service
governments, both in terms of risk mitigation and providers who snoop on data in transmission on
security of proprietary data and intellectual property their networks. The analogy to trade of physical
(IP). The absence of, or the risk of the absence of, goods is also relevant here: Goods are shipped to
security measures further undermines trust and prevent unauthorized access but inspected at the
produces friction for cross-border data sharing. port of entry to satisfy local law requirements. They
are also labelled to generally describe their content.
Having a civilian Appropriate data protection technologies exist, So too could metadata be tagged to provide
cybersecurity e.g. data encryption and data masking. However, information about data content without necessarily
agency is key to the main challenge is when and how to use these making it available for review.
encourage trusted measures to create trust within data sharing
relationships agreements at a national level. The project If the metadata is tagged with appropriate content
around the community recommended that cross-border notices and securely transmitted using protocols,
world with other data sharing agreements between governments governments could reliably permit data transfer,
cybersecurity mandate a minimum threshold for cybersecurity, while keeping the payload confidential, and
agencies, whose just as already happens for the trade of goods and preserve the rights to inspection.
role is solely to services. Physical goods are assessed by common
protect networks, product specifications. e.g. origin and weight. To create a trustworthy environment for cross-
not to attack them Likewise, minimum thresholds for security can be border data flows by being a trustworthy
agreed between governments to enable the free international player, countries should consider
flow of data. measures at the national level such as enacting
national legislation to require data security
The project community further suggested that breach notification for all types of data; ensuring
cross-border data sharing agreements should compensation for data subjects or businesses for
contain an anti-snooping clause, i.e. a clause that actual harm caused by data security breaches; and
forbids governments and connectivity providers requiring manufacturers of IT products to make
from viewing the data being transmitted across secure products by promoting and supporting
borders, except in certain prescribed instances. investment in good security standards and
It is a well-established principle that connectivity third-party validation. Local laws should protect
providers should not access content data in organizations against cybercriminals and national
transmission (even though they technically have state espionage, and governments should consider
access to it, system controls can be designed to auditing organizations and enforce laws to reduce
make this access more difficult). Under the EU’s security breaches and promote trust.
Establishing a sophisticated governmental
approach to cybersecurity
Having a civilian cybersecurity agency is key to government when it comes to cybersecurity. It is
encourage trusted relationships around the world a foundation in the cybersecurity framework of a
with other cybersecurity agencies, whose role is country, showing that the government has identified
solely to protect networks, not to attack them.15 cybersecurity as a priority, and explicating how it is
In establishing its national cybersecurity agency, a intending to protect itself and its citizens. It maps
government needs to consider the responsibilities the different relationships at national level between
of that agency. The role of the cybersecurity agency the different entities dealing with cybersecurity.
can vary greatly, and if at first it will be mainly to react
to attacks, gradually it should seek to define effective When it comes to increasing a country’s
methodologies, inform the private sector about cybersecurity posture, it is absolutely vital to define
current threats and have a more proactive role. a framework for critical services by mapping
the functions that are critical for the country to
The second step is to define a cybersecurity function. These vary between countries, but usually
strategy and, in that strategy, define how and cover essential services such as the financial
where the cybersecurity agency should be set up. sector, energy, water treatment, the military and
In the absence of any agency, a white paper by telecommunications. For each of these sectors,
government can build goodwill and lay a foundation it is then important to define the thresholds at
for appetite. Such a high-level document, signed which companies would be considered critical to
off by the government, shows the intention of that that sector. Defining these thresholds allows the
A Roadmap for Cross-Border Data Flows 25You can also read
