• Opinion
  • November 22, 2018
  • 8 minutes
  • 2

GDPR is not enough: the world urgently needs a global data governance regime

Opinion: Competing national rules will impede the global flow of data

This opinion piece was written by Jia Hao Chan, a research analyst in the Institute of South Asian Studies at the National University of Singapore. It appears in our digital government newsfeed.

Last month, at the 40th International Conference of Data Protection and Privacy Commissioners in Brussels, Apple chief executive Tim Cook called on US regulators to start making their own digital privacy laws at the federal level. Cook called the European Union’s General Data Protection Regulation (GDPR), implemented earlier this year, “transformative work”.

The development of data protection rules has been an important step in government’s response to the rise of big data. But national rules aren’t comprehensive enough to deal with complex transnational issues, and they can even threaten global cooperation and transfers of data. The world urgently needs a global regime for data governance.

Cook’s call comes in response to what he termed a “data-industrial complex” that has dominated trade in digital data, ignoring the privacy of individuals and the interests of society at large. The term is a parallel to President Dwight D. Eisenhower’s 1961 warning about a “military-industrial complex”: an informal alliance between the military and defence manufacturers, shaping public policy in pursuit of their mutual interests.

Fast forward to today’s data-driven economy. Cook is essentially calling out a similar ecosystem, comprised of data collectors, purchasers, brokers and assemblers. They consolidate fragments of individual data to serve more complex functions of digital companies such as user experience, product design and consumer surveillance. Cook, by contrast, envisions national governments minimising customer data collection and making users owners of their own data.

Today, the environment for data collection, usage and migration has evolved into a highly complex one

His concerns have some merit. While the big data software market is estimated to make up 0.3% of the entire global digital economy, already 83% percent of firms worldwide surveyed by Accenture claim to be pursuing big data projects to secure competitive advantage.

The build-up of this complex has been significant. Just five years ago, according to Forbes, firms like Google, Amazon and Microsoft earned less than 1% of their total revenue from big data. Today, the environment for data collection, usage and migration has evolved into a highly complex one, with actors colluding for reasons beyond mere profit motives.

Data exchanges between governments and technological companies, for example in the case of the recent Five Eye Pact calling for transnational firms to allow their governments backdoor access to encrypted information, are expected to rise. Transnational technology giants are also themselves contributing to this “data fluidity”. Amazon’s Snowball, Google’s Transfer Alliance and IBM’s Cloud Mass Data Migration are a few prominent examples of data-migration appliances, built for storing and physically transporting petabytes of data in order to reduce risks of downtime.

But these developments have not seen data becoming more transparent and secure. Over 7.1 billion identities have been exposed in data breaches worldwide since 2010. Facebook’s huge data breach in September 2018 was joined by one at Google last month. The company now plans to shut down its Google+ social network after exposing hundreds of thousands of users’ private data.

Many national data protection regimes are falling short

But Cook’s call for a GDPR-equivalent in the US may not be the answer. In fact, it could further fuel a nationalist turn in data protection — which will not yield the kind of transnational data governance regime the world needs.

The European GDPR is often mistaken as an exemplar of liberal data protection. But in some respects it stands in the way of the free and open flow of data. As a result of treating personal data protection as a fundamental right in the EU, the European Commission only allows data flows between the EU and countries that conform to specific mechanisms spelled out in its EU data protection legislation. Less than 15 countries have so far been recognised by the Commission as having the adequate level of data protection.

Some international groupings, like the APEC Cross Border Privacy Rules (CBPR), bring countries and transnational companies together to develop effective privacy protections without creating barriers to information flows.

But many national data protection regimes are falling short in the task of moving beyond protection and management towards policies for exchanging data under such protections. For instance, China’s Cybersecurity Law requires personal information of Chinese citizens and other important data collected by “key information infrastructure operators” to be kept within its borders.

If it is not, China’s Law on Protection of Consumer Rights and Interests give regulators permission to de-register local businesses. In Russia, similarly, the outflow of personal data requires consent from the data subject, unless the receiving jurisdiction has been deemed by local authorities as having adequate protection.

In this environment of data protectionism, a US data protection regime might further aggravate the situation

In this environment of data protectionism, a US data protection regime might further aggravate the situation. As the US government continues to look at ways on establishing new export controls on emerging technologies such as artificial intelligence and surveillance, it comes no surprise that data — the ‘raw material’ of these technologies — may be treated with a similarly tough stance.

That kind of conservative and assertive data regime may be exactly what Cook hopes for, given his doubts about the ethics of trading data. But before he and other prominent figures back such conservation, they must realise that other countries won’t necessarily fall in line with strengthened US rules. On the contrary, it could mean more proliferating national protections, obstructing the free flow of data.

As cross-border data flows are expected to quadruple by 2025, there needs to be a fresh push for the building of a global data governance regime. Tech leaders at this year’s International Joint Conference on Artificial Intelligence issued a call to “create a future with strong international norms, regulations and laws” on data management and usage. Tim Cook — and, more importantly, governments worldwide — should heed that call. — Jia Hao Chan

(Picture credit: Pixabay)


Leave a Reply

to leave a comment.
Master the skills you need for the public service.

Discover inspiring resources, tools and policies.