The world is awash in data, yet policymakers are just beginning to develop a system of rules to govern that data. Many Asian nations are transitioning to a data-driven economy built on large, often multinational data sets from individuals, machines, satellites, firms, and governments. Much of this data is personal data, and some of it is in the public domain or obtained by government agencies. However, few nations have organised a public discussion about the use and governance of public and personal data, especially as it flows across borders.
Data is disruptive. While the use of data can improve our quality and standard of living, in recent years, we’ve seen that cross-border data flows can bring down governments, alter the trajectories of firms, international organisations, and treaties, and create other unanticipated spillovers. Given the potential for both positive and negative spillovers, policymakers around the world recognise they must develop some interoperable system of rules to govern and if necessary, restrict certain types of data flows such as disinformation or malware.
Much of the data flowing across borders is personal data- data about or created by an individual. But in most countries, that same individual has little control over how their data is used. Moreover, the firms that are building these data sets don’t have to let people know what data they have collected, whether it is accurate, and if they will sell this data.
Not surprisingly, many people are concerned by this situation and have demanded that policymakers provide them with both greater control and transparency as to how data is utilised. The European Union General Data Protection Regulation is an example of how governments might regulate such use and grant their citizens greater control over how their personal data is used. While many Asian countries have or are debating such laws, these laws are not interoperable, creating a patchwork of rules that could impede the cross-border data flows that underpin much of trade today.
Meanwhile, many developing countries are not ready for this new age. Although developing countries are rich in data, many developing country officials don’t yet see data as a resource. Without greater understanding of the economic and political use of data, these officials may hoard data or fail to advocate for their citizens’ interest. Their citizens may miss an opportunity to use their data as leverage for development funding or economic diversification.
In the belief that cross-border data flows are just like cross-border exchange of goods, policymakers have turned to trade agreements to govern these flows between nations. Asian countries will be among the first with binding rules to govern these flows. On January 1, the Comprehensive and Progressive Trans-Pacific Partnership (CPTPP) went into effect. Its signatories agreed that they would not restrict the free flow of data unless necessary to achieve important domestic public policy goals such as protecting public morals or national security. On February 1, EU-Japan will go into effect. This agreement will also make the free flow of data a default, while also giving their citizens greater control over how companies and governments use personal data. Nations such as Mexico, Canada, and South Korea are increasingly attracted to this approach because it builds trust among internet users, governments and companies.
But even the EU-Japan model with its strong personal data protection is inadequate to meet the challenges of governing cross-border data flows. First, these agreements use retrofitted language governing e-commerce. But many data driven services are not directly affiliated with a transaction (such as a Facebook post, a tweet, or a free meditation app). Hence, many cross-border data flows are not really “traded”, where one exchanges a good or service for money. Secondly, under trade agreement rules, policymakers must rely on exceptions to protect their citizens from possible data harms such as disinformation or malware. But data breaches and disinformation occur on an almost daily basis. Hence, they should not be governed by exceptions. Finally, these rules do not distinguish among the sources of data or address how individuals should be protected if their data is misused or if data causes societal harm.
In sum, while data may flow across borders, it is not always traded, and its misuse can lead to significant upheaval if not regulated properly. If we want to move towards a data driven economy, we must begin with a broader international debate over how data can be used and how it should be regulated as it travels across borders. In short, we need to think differently at the global level about how to govern data.