Cross-border data flows for a brighter future

As privacy regulators from around the world descend on Brussels this week for the 40th International Conference of Data Protection and Privacy Commissioners (ICDPPC), the GSMA is preparing to host a discussion on cross-border data flows.

Barriers to data flows could stifle opportunities for mobile operators to roll out new services that enable IoT and connected cars or to leverage the efficiencies of the cloud, ultimately disadvantaging consumers. Data flow restrictions could also mean a lost opportunity for the local data-driven economy to grow.

Against this backdrop, two discernible policy trends are vying for dominance: ‘pro-flow’ policies that recognise the importance of data flows for society and for the economy and therefore aim to facilitate data flows while protecting consumers’ data and privacy rights; and ‘no-flow’ policies (sometimes referred to as data localisation or data sovereignty requirements) that aim to restrict movement of data on various grounds, ranging from national security to data privacy to protecting the local economy.

Recent developments such as the agreement between Japan and the EU to allow data to flow freely between their markets on the basis that consumers are adequately protected, or the increasing reference to data flows in trade negotiations, highlight the importance of data flows to economies of all sizes. However, this stands in stark contrast to a growing number of countries that force companies to keep a copy of the data in-country (increasing the costs of producing physical and digital goods and services in that market) or even prohibit companies from moving data at all.

To this end, it is crucial that data protection authorities (DPAs) attending their global gathering this year get to grips with this issue, and that they do so now, when the world stands at a crossroads. As bodies whose opinion must be sought on data privacy-related legislative proposals in many countries, their opinions really matter, but it goes further than that: without DPAs to validate the equivalence of laws, to check accredited certification bodies and to investigate and enforce on each other’s behalf when things go wrong, any data flow system would lack credibility. If data is to flow, then individuals must be protected, and if individuals are to be protected, DPAs must continue to build on their cooperation arrangements.

In its recent report, Cross-Border Data Flows: Realising Benefits and Removing Barriers, the GSMA argues that each of the concerns proffered by would-be localisers can be satisfactorily addressed without resorting to data localisation:

  1. While national security concerns around having access to relevant data for serious investigations are valid, the mere fact of the data being held abroad should not, in itself, prevent justified access. Local entities can still be held accountable and new models for international cooperation on gathering electronic evidence are beginning to emerge. If anything, collating data on a central, cost-effective, efficient platform should make the job of data retrieval for government access requests easier, not harder.
  2. Data privacy concerns, in the GSMA’s view, should never be held out as an excuse to impose localisation restrictions when there is a whole range of tried and tested mechanisms for protecting individuals whose data is transferred abroad.
  3. Finally, imposing localisation in order to protect or promote local industry is short-sighted. A data-connected market will face some external competition, but also has the potential to grow and for its home-grown innovators to compete in foreign markets.

In a second recent report, Regional Privacy Frameworks and Cross-Border Data Flows: How ASEAN and APEC Can Protect Data and Drive Innovation, the GSMA explores the role of regional privacy frameworks in driving towards a common high standard of data privacy that will facilitate the flow of data. These frameworks not only have the effect of driving further alignment of data privacy laws and cooperation between enforcement authorities within a region, but also between regions. While the GSMA report focuses on the interoperability between the APEC framework and the more recent ASEAN arrangements, the lessons from Asia are relevant for regions everywhere.

The ICDPPC official side event, ‘Privacy Perspectives from the Asia Pacific: Moving Toward Interoperability’, will take place on Thursday, 25th of October at 14:30 at the Radisson RED Brussels and will be hosted by the GSMA in partnership with law firm Crowell & Moring International. The session will provide an opportunity for government and industry stakeholders to discuss best practices for facilitating global data flows, the path forward for policy in the Asia Pacific region, and how APEC, ASEAN and EU officials can lead the way in facilitating global interoperability. Registration for the ICDPPC is not necessary to attend this event.