Addressing Cross-Border Spillovers in Data Policy: The Need for a Global Approach

FEBRUARY 3, 2021

by Michael Pisa, Pam Dixon and Benno Ndulu

This is a joint blog post by the authors Michael Pisa (Center for Global Development) Pam Dixon (World Privacy Forum) and Benno Ndulu (Professor, Oxford University). This post is also published at the Center for Global Development, along with additional information about the Center for Global Development’s  Governing Data for Development Working Group.

Global debates about data governance standards have primarily reflected the priorities and needs of rich countries, with less wealthy countries left in the role of “standards takers.” More needs to be done to ensure that digital governance policies pursued by the world’s largest economies do not create unintended consequences that make it harder for other countries to support a strong domestic digital economy and participate in the global digital economy.

The COVID-19 pandemic has altered our lives in myriad ways, including by increasing our reliance on online platforms, digital tools, and data (e.g., telehealth, online learning, and the growing use of high-frequency data to monitor the spread of disease and the effectiveness of policy responses). Although countries set off from different starting points and are digitalizing at different speeds, virtually all accelerated on their path towards greater digital dependence last year.

As societies have become more reliant on data and digital tools, they have also become more attentive to the associated risks. 2020 merely continued the trend of mounting concerns over the disruptions that occur when digital space is poorly governed, including through the misuse of personal data, surveillance, algorithmic bias, economic concentration, and the rapid spread of misinformation.

How GDPR became the model

Governments worldwide are still in the early stages of deciding how they want to govern digital spaces. For many of them, establishing data privacy and protection laws is a first step in developing a broader approach to digital governance. The adoption of such laws has sped up dramatically in recent years, catalyzed by growing concerns about online harms, surveillance, and the passage of the European Union’s General Data Protection Regulation (GDPR) in 2016, which provided a more rigorous model for protecting the privacy of individual data, including much greater fines for non-compliance, than had previously existed.

The GDPR’s global influence is impossible to overstate. Of the more than sixty countries that enacted new data privacy laws last decade—most of which are in Africa, Asia, and Latin America—almost all modelled their approach on the GDPR and its predecessor, the EU Data Protection Directive. The widespread adoption of the GDPR model reflects both growing awareness of the risks of data misuse and a desire by countries to achieve compliance with the Regulation’s adequacy framework, which requires the European Commission to determine whether non-EU countries “provide a level of protection for personal data which is comparable to those of EU law” as the basis for transferring data.

Figure 1. Recent adoption of data privacy laws driven by low- and lower-middle income countries

Map showing the countries that have passed data privacy laws since 2010, mostly low and middle income countries. It also shows the countries that have pending legislation

Note: Data from Greenleaf’s Global Tables of Data Privacy Laws and Bills (6th Ed January 2019) and Greenleaf and Cottier’s 2020 Ends a Decade of 62 New Data Privacy Laws. Additional research conducted by World Privacy Forum (2020).

Having governments take data privacy risks seriously and develop frameworks to address them is welcome. But there are concerns that the GDPR model is a poor fit for many countries because of its breadth and complexity. Our research suggests that the gap between data protection “laws on the books” and effective implementation remains wide in many countries, resulting in regulatory uncertainty that can hinder useful data innovation by both the public and private sector.

The GDPR’s extraterritorial compliance and adequacy framework also raises a risk of creating a two-track digital economy, since resource-constrained governments may find it more difficult to receive an adequacy decision from the European Commission, increasing the cost for domestic firms that seek to access the EU digital market (for example, a recent report estimates that UK firms would face an aggregate cost between $1.4-2.2 billion if the UK does not receive an adequacy decision following Brexit).

How the data governance landscape will change in 2021

It is important to address these issues now, as 2021 is poised to be a momentous year for data governance reform. Consider the following events that may take place:

  • The US passes a comprehensive data protection law (prognosis: uncertain but increasingly likely)While achieving bipartisan support for a data protection law may seem unlikely to casual observers, there is growing belief among US privacy experts that sufficient support for an agreement exists, boosted by lobbying from US tech firms eager to swap the risk of dealing with 50 different state-level data privacy laws with a single federal one. Such legislation is long overdue and would have a profound effect on global debates on data policy: where the US bill mirrors elements of the GDPR, it would further cement those practices internationally; where it diverges, it would lead to renewed debate in other countries on the appropriate path forward.
  • India passes a comprehensive data protection law (prognosis: likely) Although passage of an Indian data protection law would have less of an immediate global impact than a US one, India’s approach will include a number of innovative measures that could serve as a model for other countries going forward, much like the country’s Aadhaar identity ecosystem has. Innovations in India’s draft privacy bill include criminalizing the reidentification of personal data, invoking the concept of fiduciary duty as a basis for data processing, and broadening definitions of personal and sensitive personal data. The law could be controversial to the extent it includes data localization requirements currently in the draft bill, which require firms to store and process certain types of data only in India.
  • The US and EU resolve data sharing tensions stemming from Schrems II (prognosis: near certain) Schrems II, the decision by the Court of Justice of the European Union in July 2020 to declare “the European Commission’s Privacy Shield Decision invalid on account of invasive US surveillance programmes,” has clouded transatlantic data sharing in uncertainty, putting continued cross-border data flows at risk. Resolving this uncertainty is a high priority for policymakers in both jurisdictions and a solution could be part of a broader package of agreements that seek to strengthen economic ties. But convergence on US and EU approaches to governing the digital economy may be complicated by recent proposals put forward by the EU that point to a more activist regulatory vision, including the proposed Digital Markets Act and Digital Services Act.
  • Multilateral initiatives support greater harmonization of global data standards (prognosis: uncertain) Any agreement reached on transatlantic data flows could serve as a basis for negotiations on global (or near-global) standards for cross-border data sharing, building on incomplete efforts like the G20’s Data Free Flow with Trust initiative. The challenge will be finding the right forum to carry this effort forward, given the incompatibility of the tightly controlled model of digital governance favored by China and Russia with the more open model favored by the US and EU. While the G7 may be better positioned to do this than the G20, given China and Russia’s membership in the latter, the narrowness of the group’s membership raises questions on whether the body can reach agreements that work well for non-members. This has given rise to calls for new multilateral initiatives that would convene a broader group of like-minded countries to work towards digital governance standards (see, for example, calls for a digital stability board and a T-12 Alliance). International organizations focused on specific aspects of digital governance like the Global Privacy Assembly and the OECD (with its focus on artificial intelligence regulation) will also continue to play an important role.
  • The World Bank reforms its approach to data governance (prognosis: certain) Alongside its work on the World Development Report 2021: Data for Better Lives (expected to be published in March 2021), the World Bank is conducting an internal policy review of its data governance policies that considers both how the Bank manages data internally and the data policies that it will encourage its client countries to pursue. The decisions that flow from this review will provide a basis for the technical support that the Bank provides to countries for digital policy reforms and influence smaller development organizations that look to the Bank’s policies as a guide for their own approaches.

Together these events have the potential to reshape the global data policy landscape. And while only a handful of countries will decide their outcome, the decisions they reach will largely determine the set of regulatory options available to policymakers globally.

Accounting for regulatory spillovers in data governance

The concept of cross-border spillovers (or externalities) is commonly used to examine how actions and events in one country can produce intended or unintended consequences in others. In sectors like health and finance where such spillovers can be significant and fast-moving (e.g., financial crises and viral pandemics), national governments have collaborated to create global institutions (like the Financial Stability Board and World Health Organization) to mitigate their risk, including by promoting the harmonization of standards across different jurisdictions and monitoring the buildup of systemic vulnerabilities.

It is well-established that regulatory policies enacted in one country can have adverse effects on others, whether or not they implement the same reforms. A 2018 World Bank study of G20 financial regulatory reforms suggested that financial reforms undertaken by G20 countries had “unintended economic and social spillover costs for individual emerging markets and developing economies (EMDEs).” Similarly, CGD’s Task Force on Making Basel III Work for Emerging Markets and Developing Economies highlighted how Basel III capital standards may have made it more difficult for EMDEs to access loans from advanced economies.

Data policy experts have long debated how different approaches for determining the legality of cross-border data transfers affect economic and security outcomes. But the field as a whole has not grappled with how regulatory actions taken in one country (or not taken, as in the US approach to governing digital platforms) can lead to broader spillovers in others—and how to best manage this.

Supporting a more global approach

At the moment, countries are struggling to translate de facto global standards on data privacy and protection into local contexts, creating a risk that their citizens’ data may not be adequately protected and a hurdle for the development of their domestic digital economies.

While there is broad agreement on the principles put forward in the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data and Convention 108+, guidance on how to implement these principles effectively and in a manner flexible enough for them to be tailored to the priorities and capacities of different governments is lacking. Developing such practical guidance would be enormously valuable for governments seeking greater clarity on how to best implement these principles. At the moment, however, the institutional arrangements needed to support coordination between government officials working on data policy at the global and regional levels remain underdeveloped.

To address this gap, we intend to hold a series of events in 2021 to bring together policymakers and experts working on data policy in both “standard-making” and “standard-taking” countries to discuss whether existing approaches for implementing data privacy principles match the needs and priorities of resource-constrained governments and, if not, what the consequences are and what should be done to address them. We will also explore ways to amplify voices from low and lower-middle income countries in discussions on data governance standards at the global level.