Some studies suggest that data flows yield large economy-wide gains as measured by GDP, productivity, and other metrics. And yet, countries around the world have proposed policies and laws that would limit flows of data and/or require local data storage, degrading and sometimes impeding altogether services that depend on data flows to operate. If these policies are so harmful for economic and societal progress, then why do countries continue to impose them?
Policymakers cite a variety of reasons for data localization, from concerns about foreign governments’ or malicious non-state actors’ ability to access their citizens’ personal data; to economic and commercial motivations; to a broader desire for digital sovereignty. Underlying many of these motivations is a “trust gap”: governments’ lack of trust that in a world of free data flows, their citizens’ privacy will be respected, national security will be protected, and economic gains will be commensurate with the value of the data.
There are strong arguments as to why data localization is ineffective for achieving these goals—indeed, CIPL will set out some of them in a series of forthcoming papers. But equally, proponents of free data flows undermine their own case if they do not acknowledge that some circumstances demand pragmatic solutions that diverge from the just “Free and Open” ideal.
There is a pressing need to chart a pragmatic path between data localization and full data flow liberalization, to address specific concerns while enabling continued enjoyment of the broad benefits of data flows. These will be solutions tailored to respond to specific public policy concerns through a combination of new multilateral arrangements, oversight, accountability, data governance, and technologies such as encryption and privacy-enhancing technologies (the focus of another, ongoing CIPL project).
With respect to technological solutions, “sovereign cloud” offerings from several cloud service providers and TikTok’s Project Texas and Project Clover are examples in progress that we are tracking closely. At the same time, such solutions are not suited for all cases and must not detract from efforts to advance “Data Free Flow with Trust” (DFFT)—including the multilateral and multistakeholder diplomatic effort under that name introduced by Japan at the 2019 G20 Summit.
We all – governments, global businesses, experts – must support and advance digital and data diplomacy efforts. Additional notable and promising initiatives include:
- government-to-government multilateral trust-building efforts, such as the Global Cross-Border Privacy Rules Forum and the OECD Declaration on Government Access to Personal Data Held by Private Sector Entities. Bilateral efforts, like the US-EU Trans-Atlantic Data Privacy Framework, will also remain important.
- evolving existing data transfer mechanisms and fostering greater interoperability and mutual recognition between various data transfer mechanisms globally, such as Binding Corporate Rules (BCR) and Standard Contractual Clauses.
- building bridges between the EU GDPR certifications and Global Cross-Border Privacy Rules.
- revisiting and streamlining national rules on cross-border data flows to achieve a more sustainable multilateral approach to data transfers and data more generally – what we might call a “New Deal for Data.”
Responding to specific concerns in a tailored manner today can complement and facilitate progress toward free flow over the longer term. It is the erosion of trust, above all, that imperils access to the data flow-based services upon which we all depend. To address this trust deficit, we must renew our focus on free data flows with trust, with creativity, pragmatism, and the continued, open-minded dialogue of all stakeholders. CIPL looks forward to being on the frontiers of the new data and digital diplomacy.