Our first Data Policy Network event of 2021 focused on data sovereignty. This is a broad term; we use it to refer to the range of measures governments use to manage cross-border data flows and to enable access to data stored outside of their jurisdiction.
We no longer live in a world where data flows freely. ECIPE research found that the number of policy measures restricting cross-border data transfers grew from nearly zero in 1960 to around 90 in 2017. The measures vary based on factors including the type of data in question, the purposes for which the data can be used and the recipient. For example, India requires data relating to payments to be stored locally, the US can block data transfers considered sensitive on national security grounds and the EU imposes strict conditions, set out in Chapter 5 (Articles 44 – 50) of the GDPR, on data transfers to third countries.
Restrictions or conditions on the free flow of data can aim to protect individuals. The European Court of Justice ruling in the Schrems II case can be seen as an attempt to protect European data subjects from having their data used in ways that they may not be aware of and cannot challenge – namely as a part of US government surveillance.
However, measures to restrict transfers can have a negative impact on businesses and, in turn, on the individuals those businesses serve. TheCityUK’s recent report on transfer restrictions in the context of the financial services industry concluded that data localisation (one type of transfer restriction) can undermine data protection, hamper regulatory oversight and impose costs on businesses.
These effects arise because a global business may seek to centralise data, drawing data from different jurisdictions together (either into an ‘on premises’ data centre, a cloud service or a hybrid system). Centralising data can make it easier to manage, govern and secure. It can also facilitate analytics and reporting.
To explore the trade-offs between these approaches, our panel of speakers considered the legal instruments underpinning data transfer restrictions, the policy objectives which may be driving lawmakers and the technical options for businesses seeking to achieve some of the benefits of a centralised view on data they hold, without falling foul of the rules.
Tamara Quinn, a data protection partner at law firm Osborne Clarke, set out the current legal and regulatory state of play. She noted that the restrictions fall on a spectrum, with (in theory) fully free flows of data at one end and tight restrictions at the other. In reality, measures cluster somewhere in the middle. The restrictions are built on different conceptual foundations: for example, some allow transfers where the data subject has consented, while others focus on the level of protection offered by the data recipient, either through contract or by virtue of the legal context in which the recipient will process the data.
Tamara reflected that the cumulative effect of the regulations in Europe, combined with recent European Court of Justice decisions, such as Schrems II, could be interpreted as a departure from the core principle of risk-based data protection. Refocusing on the approach in Convention 108, which marked its 40th anniversary this year, would empower organisations to assess and mitigate risks with regard to the “likely impact of the intended processing”.
Our second speaker considered the policy objectives. Darrell West, Vice President and Director of Governance Studies at The Brookings Institution, framed data sovereignty in terms of mistrust between countries. He placed data sovereignty in the context of the broader push towards protectionism and, more specifically, described mistrust of data transfers as riding on the coattails of the techlash, which encompasses popular concerns about technology and how it is used.
Speaking to us from Washington, D.C. on President Biden’s inauguration day, Darrell was optimistic that better governance arrangements at a global level may partly assuage these concerns. He pointed to the debate over free trade agreements versus protectionism in the economic sphere, which gave rise to globally recognised systems for regulating trade and managing disputes (the WTO was a good example). President Biden may herald a US return to multilateralism, providing opportunities to build global consensus.
Finally, Nigel Smart, Professor in the Computer Security and Industrial Cryptography group at the KU Leuven, reflected on whether technology can play a role. From a technical perspective, we often place boundaries around data. The same tools and thinking can be applied whether these boundaries are around an organisation or a country.
Privacy-enhancing technologies (PETs) like federated learning can address some of the concerns that drive data sovereignty, while allowing organisations to realise the benefits of data sharing. For example, a federated learning model could enable a retailer to centralise insights on transactions taking place throughout its global network without needing to move personal data across borders. The model can be ‘pushed’ out to each locally held dataset and return only the insights gleaned from that dataset to the centre, usually in the form of updated ‘weightings’ for the central model.
But this comes back to the problem of what the data sovereignty measure aims to protect. Imagine a national government keen to prevent the foreign retailer in our example above from using personalised pricing, on the basis that this exposed citizens to discrimination risk. A federated learning model could still allow the retailer to achieve their personalised pricing objective, even though no personal data had been transferred.
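The retailer scenario above as an added Python example (not from the event or its speakers): federated averaging over three regional datasets, showing that only weights and a row count leave each region, yet the central model still learns the pricing relationship. The region names, the single-feature linear model (loyalty score to spend) and the data are constructed assumptions.

```python
import random

def make_region(seed, n, w_true=2.0, b_true=5.0):
    """Constructed local dataset of (loyalty_score, spend) rows; it never leaves the region."""
    rng = random.Random(seed)
    rows = []
    for _ in range(n):
        x = rng.uniform(0, 1)
        rows.append((x, w_true * x + b_true + rng.gauss(0, 0.05)))
    return rows

def local_update(weights, rows, lr=0.5, epochs=5):
    """Runs inside the region: trains on local rows, returns only weights and a row count."""
    w, b = weights
    for _ in range(epochs):
        gw = gb = 0.0
        for x, y in rows:
            err = (w * x + b) - y
            gw += err * x
            gb += err
        w -= lr * gw / len(rows)
        b -= lr * gb / len(rows)
    return (w, b), len(rows)

def federated_average(updates):
    """Runs at the centre: combines regional weights, weighted by each region's row count."""
    total = sum(n for _, n in updates)
    w = sum(wb[0] * n for wb, n in updates) / total
    b = sum(wb[1] * n for wb, n in updates) / total
    return (w, b)

def train(regions, rounds=200):
    weights = (0.0, 0.0)
    for _ in range(rounds):
        # The model is 'pushed' out; each region returns updated weightings only.
        updates = [local_update(weights, rows) for rows in regions.values()]
        weights = federated_average(updates)
    return weights

# Hypothetical regions with constructed data.
REGIONS = {"IN": make_region(1, 200), "EU": make_region(2, 300), "US": make_region(3, 100)}

if __name__ == "__main__":
    w, b = train(REGIONS)
    print(f"central model: spend = {w:.2f} * loyalty + {b:.2f}")
```

The centre ends up with a model usable for per-customer pricing although no row was transferred, which is why a measure aimed at that outcome has to address the model and its use, not only the movement of records.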
Balancing policy objectives, complying with the letter and the spirit of the law, and using data to drive decisions quickly starts to resemble a game of three-dimensional chess. Navigating it requires progress on two fronts. First, more clarity from policymakers on the objectives driving data sovereignty initiatives. Clarity on the objectives and how data relates to them could open up space for technological innovation. Second, using a risk-based approach to balance protecting individuals with reaping the benefits from using data. Organisations have a suite of tools at their disposal to manage risk; lawmakers can complement these by integrating privacy standards into treaties or trade deals. Progress on both could provide real protection for individuals while enabling a range of other policy objectives.