Today is Data Protection Day. Originally launched by the Council of Europe (CoE) in connection with their Convention 108, it is always a useful reminder that spreading good standards of data protection and enabling data to flow between countries are compatible aims. In fact, precisely because the parties to Convention 108 all agree to play by the same basic rules, the convention can, and does, explicitly prohibit countries from restricting the flow of data between them.
This is just as well, because data, and the effective use of data, is bringing countless benefits to individuals and society, from better products and smarter cities to improved health and disaster response systems. In this increasingly global world, the ability to move data across borders is essential for the digital economy to continue to flourish, enabling innovation and efficiencies.
The challenge is that policymakers sometimes forget that agreeing on data protection standards and unlocking data flows are compatible aims. All too often we see localisation measures creeping in that mandate the use of local suppliers or require data to be kept on local servers. Not only can this have a damaging effect on innovation, it can also mean different degrees of protection for individuals.
Against this backdrop, it is easy to be pessimistic about the prospects for digital to fulfil its potential, but, as the following developments show, there are also good grounds for optimism:
- Europe’s General Data Protection Regulation (GDPR), which goes live in less than 17 weeks, has been inspiring some non-EU countries to align their laws to the GDPR either to increase their chances of being deemed by the EU to have an ‘adequate level of protection’ or simply because they like what they see.
- Convention 108 is expanding its reach, with countries that are not CoE members (such as Mauritius, Senegal, Tunisia and Uruguay) joining and many more invited to join.
- APEC Cross Border Privacy Rules, a system allowing accountable organisations to transfer data based on common principles, is gaining traction. South Korea has recently joined and others are lining up, with non-APEC countries even expressing an interest.
- ASEAN passed its own Personal Data Protection Framework in 2016 and now, under Singapore’s leadership, is looking seriously at solutions for cross-border data flows.
- EU Trade Language: a deadlock within the European Commission has been broken, paving the way for language on cross-border data flows to be added to important trade agreements.
- EU Free Flow of Data proposal seeks to remove ‘localisation measures’ that impeded movement of data within the EU.
What unites these stories is a shared aspiration to strive for alignment of data protection standards so that data can flow and the potential economic and societal benefits of data can be realised. They all move (however glacially) towards a world where large numbers of like-minded countries allow data to circulate relatively freely based on similar standards and cooperation/enforcement. It is these countries that will gain most from the digital revolution.
The GSMA shares in this aspiration. Initiatives such as the GSMA Mobile Privacy Principles, the Privacy Design Guidelines for Mobile Application Development and the IoT Security Guidelines all aim to foster a common high standard across the mobile ecosystem. In its Position on Cross-Border Data Flows and advocacy efforts, the GSMA encourages the development of regional solutions based on the accountability of organisations and is pushing for such mechanisms to become interoperable (it can only be a matter of time before the EU, APEC and ASEAN systems become fully interoperable). The GSMA and its members are also pushing for localisation measures to be used only when absolutely necessary.
The world is getting smaller and faster, with more data being harnessed to deliver greater benefits for economies and for people. It is time for industry, citizens and policymakers to work together and focus on the positives.