Background
The global digital economy depends on cross-border data transfers to deliver crucial social and economic benefits to individuals, businesses and governments.
When data is allowed to flow freely across national borders it enables organisations to operate, to innovate and to access solutions and support anywhere in the world. Enabling cross-border data transfers can help organisations adopt data-driven digital transformation strategies that ultimately benefit individuals and society. Policies that inhibit the free flow of data through unjustified restrictions or local data storage requirements can have an adverse impact on consumers, businesses and the economy in general[1].
Cross-border transfers of personal data are currently regulated by a number of international, regional and national instruments and laws intended to protect individuals’ privacy, the local economy or national security.
While many of these instruments and laws adopt common privacy principles, they do not create an interoperable regulatory framework that reflects the realities, challenges and potential of a globally connected world. Emerging frameworks such as the APEC Cross-Border Privacy Rules and the EU’s Binding Corporate Rules allow organisations to transfer personal data generally under certain conditions. These frameworks contain accountability mechanisms and are based on internationally accepted data protection principles.
However, their successful adoption is undermined when governments implement ‘data localisation’ (also known as ‘data sovereignty’) rules that impose local storage requirements or use of local technology[2]. Such localisation requirements can be found in a variety of sector- and subject-specific rules, including those for financial service providers, the public sector or professional confidentiality, and are sometimes imposed by countries in the belief that supervisory authorities can more easily scrutinise data that is stored locally[3].
[1] International Chamber of Commerce Report: Trade in the Digital Economy — A primer on global data flows for policymakers (September 2016); ECIPE White Paper: The Cost of Data Localisation — Friendly Fire on Economic Recovery (2014)
[2] Emory Law Journal: Anupam Chander and Uyen Le, Data Nationalism (2015); and Hague Institute for Global Justice: Jonah Force Hill, The Growth of Data Localization Post-Snowden — Analysis and Recommendations for U.S. Policymakers and Business Leaders (2014)
[3] European Commission Paper: Building a European Data Economy Communication, p5
Debate
How can industry, legislators, regulators and civil society engage effectively to develop policy that supports cross-border data flows?
How can data protection safeguards adequately address the legitimate concerns of governments that seek to impose localisation requirements?
Industry Position
Cross-border transfers of data play an important role in innovation, competition and economic and social development. Governments can facilitate cross-border data flows in a way that is consistent with consumer privacy and local laws by supporting industry best practices and frameworks for the movement of data and by working to make these frameworks interoperable. Governments can also ensure that these frameworks have strong accountability mechanisms, and that the authorities can play a role in overseeing/monitoring their implementation. Governments should only impose measures that restrict cross-border data flows if they are absolutely necessary to achieve a legitimate public policy objective. The application of these measures should be proportionate and not arbitrary or discriminatory against foreign suppliers or services.
Mobile Network Operators welcome frameworks such as the APEC Cross-Border Privacy Rules or the EU’s Binding Corporate Rules which allow accountable organisations to transfer data globally, provided they meet certain criteria. Such mechanisms are based on commonly recognised data privacy principles and require organisations to adopt a comprehensive approach towards data privacy. This encourages more effective protection for individuals than formalistic administrative requirements while helping to realise potential social and economic benefits. Such frameworks should be made interoperable across countries and regions to the greatest extent possible in order to seek convergence between different approaches to privacy while promoting appropriate standards of data protection and to allow accountable companies to build scalable and consistent data privacy programmes.
Requirements for companies to use local data storage or technology create unnecessary duplication and cost, and there is little evidence that such policies produce tangible benefits for local economies or improved privacy protections for individuals.
To the extent that governments need to scrutinise data for official purposes, Mobile Network Operators would encourage them to achieve this through existing lawful means and appropriate intergovernmental mechanisms that do not restrict the flow of data.
The GSMA and its members believe that cross-border data flows can be managed in ways that safeguard the personal data and privacy of individuals and remain committed to working with stakeholders to ensure that restrictions to cross-border data transfers are only implemented if they are necessary to achieve a legitimate public policy objective.
Resources
United Nations Conference on Trade and Development (UNCTAD) Report: Data Protection Regulations and International Data Flows — Implications for Trade and Development (2016)
White Paper: Christopher Kuner, Reality and Illusion in EU Data Transfer Regulation Post Schrems (2016)
International Chamber of Commerce Report: Trade in the Digital Economy — A primer on global data flows for policymakers (2016)
Business and Industry Advisory Committee to the OECD Report: The Flow of Data Across Borders — A BIAC Trade Committee Policy Perspective (2016)