Professional Documents
Culture Documents
A Roadmao For Cross-Border Data Flows
A Roadmao For Cross-Border Data Flows
WHITE PAPER
JUNE 2020
3 Preface
5 Executive summary
7 Introduction
24 3. Prioritize cybersecurity
32 5. P
rioritize connectivity, technical interoperability, data portability and data provenance
43 Appendix
46 Contributors
47 Acknowledgements
48 Endnotes
Despite this reality, we are witnessing a We believe that the findings from this work are
proliferation of policies around the world that applicable to both emerging market economies and
restrict the movement of data across borders, highly developed market economies, and that there
which is posing a serious threat to the global are lessons to be learned from each. The World
digital economy, and to the ability of nations Economic Forum is in discussions with parties
to maximize the economic and social benefits around the world that seek to adapt the Roadmap
of data-reliant technologies such as artificial for their own context. We anticipate that the
intelligence (AI) and blockchain. Roadmap will serve as a beneficial, collaborative,
inclusive and safe tool to facilitate cross-border data
We hope that countries wishing to engage in flows given the increased importance of the data
Sheila Warren, cross-border data sharing can feel confident economy for global economic recovery and growth,
Head, Blockchain, Digital in using the Roadmap as a guide for designing as well as technological and societal development.
Assets, and Data Policy, and
Member of the Executive
robust respective domestic policies that retain
Committee, World Economic a fine balance between the benefits and risks of
Forum, USA data flows.
Everyone needs data to succeed in today’s contracts and trade secret protection laws.
world economy. Countries that impose local data storage and
retention requirements to secure better access for
Countries can attract inbound cross-border themselves can expect multinational businesses to
transfers of data and information technologies only stay away and other countries to retaliate. Similarly,
if people, businesses and governments abroad countries that regulate data processing too rigidly
trust them. To earn a reputation as a safe data and with specific restrictions on cross-border data
transfer destination, countries must provide for transfers provoke reciprocal restrictions by other
secure telecommunications infrastructure, respect countries, resulting in reduced access to global
Lothar Determann, individual privacy and confidentiality, exercise self- data and technology, pressures for compromises
Partner, Baker McKenzie
(Project Steering
restraint regarding forced data access, and enact in bilateral trade negotiations, and accumulating
Committee Chair) laws that also benefit people and organizations complexities. Cross-border data transfers require
outside their borders, including data privacy, give and take.
security, contracts and trade secret protection
laws. Moreover, governments must be transparent, Since the outbreak of COVID-19, governments
share data, and encourage their people and around the world have started to realize and admit
businesses to share data across borders if they that restrictions on cross-border data flows not only
want to participate in cross-border knowledge inhibit scientific and economic progress but actually
transfers. Open information societies thrive best in cost lives.
the world economy.
As co-chairs, we thank our fellow Steering
Conversely, people, businesses and governments Committee members, the larger project community
hesitate to transfer data to countries that maintain and the staff at the World Economic Forum
weak data security infrastructure, laws and for their contributions to this white paper on
defences; excessively spy and seize data; fail to cross-border data transfers. We hope that law-
Leanne Kemp, enforce or comply with laws protecting privacy, and policy-makers find the data, insights and
Chief Executive Officer, confidentiality and contracts; cover up data recommendations helpful and we look forward to
Everledger (Project Steering
Committee Co-Chair)
security breaches and risks; suppress media receiving feedback and the continued debate on
reporting; or fail to offer foreign businesses and this important topic.
citizens due process and recourse to privacy,
The challenge
The technologies of the Fourth Industrial border data flows policy has come into its own as
Revolution, including artificial intelligence (AI), a policy lever for ambitious governments seeking
the internet of things (IoT) and blockchain, economic recovery.
are exceptionally reliant on accessing and
processing data. To realize the potential of such Despite these benefits, laws and policies that act
data-intensive technologies, or to fully harness as barriers to this type of international data sharing
the power and efficiency of cloud computing are on the rise,1 threatening to undo this progress,
solutions for start-ups and SMEs, data needs slowing technological innovation and limiting
to be able to move seamlessly across country positive societal impact. While some of this friction
borders. The ability to move, store and process is based on perception, such as the myth that
data across borders is foundational to the data is better protected by restricting it to within
modern international data economy, and as new one country, or a perception that such policies
global growth relies increasingly on digital growth maximize value for local populations, some of it is
in the post COVID-19 era, progressive cross- deliberate and misguidedly protectionist.
The opportunity
Certain regulatory differences across countries economies of scale, particularly at regional level,
cannot be eradicated; they are necessary and and allows governments to create a friendly policy
appropriate because sovereign nations have environment for indigenous and international
different values and strategic priorities. However, investment. Investment breeds opportunity, and
in order to create trust between nations when those countries with a burgeoning technology
it comes to allowing companies within them to sector can start to maximize these companies’
participate fully in the international data economy, opportunities on a global scale, enabling them
there is a clear need for interoperable policy to develop cutting-edge technologies with global
frameworks that can streamline requirements impact as well as experiencing potential knock-on
across borders and create mechanisms to reduce economic and societal benefits.
regulatory overload. Doing so capitalizes on
Cross-border Building trust between nations requires both an that are empowered to take action to open the
data flows policy assurance that countries are like-minded in how gates and allow data to flow relatively seamlessly
is a foundational they approach supporting their data economy and across their borders.
prerequisite to the implementation of a series of backstops that
a functioning reduce risk. Our proposed solution is a practical In the Roadmap, our project community of globally
international data Roadmap for governments of country-level diverse industry experts proposes what best-
economy and thus policy building blocks that, when combined, are in-class data flows policy looks like. For some
requires action fro designed to harness the benefits and minimize the countries, very little will be needed in the way of
the highest levels risks of cross-border data sharing. upgrading as they have inspired the core principles
of power by their own actions, whereas for others the
Cross-border data flows policy is a foundational Roadmap may represent a full suite starting point.
prerequisite to a functioning international data In order to cater for varying degrees of ambition, we
economy and thus requires action from the highest first crystallize the most essential building blocks,
levels of power. In addition, as we look at all types and then offer scope for the most ambitious and
of data in the economy, not just personal data or advanced economies to future-proof their policy-
proprietary information, it is ultimately governments making in this area.
While cross-border data sharing, i.e. the nations can expect to derive increased economic
movement of information across international and social value. Furthermore, in a world
borders, has long been necessary from the disrupted by the COVID-19 crisis, the data
perspective of trade,2 internet-based services and economy has risen in terms of its importance for
e-commerce – more recently cloud computing, new economic growth.
Fourth Industrial Revolution technologies such as
artificial intelligence (AI) and the internet of things Despite such benefits, data localization
(IoT) – rely on access to high-quality data that requirements, e.g. laws, standards or policies
often resides in more than one territory. which mandate that data be stored within a
geographical territory, are on the rise globally,
Through the development and deployment of threatening to deter this progress – sometimes
these data-reliant technologies and solutions, intentionally but often unintentionally.
Post COVID-19
economic growth
Fourth Industrial
Revolution
Technologies
Cloud Computing
For companies, When unjustified, data localization requirements was stark: Start by ensuring your own house is in
an absence of can prove highly problematic. As well as driving up order, otherwise creating trust becomes almost
data localization the cost of cloud computing, upon which SMEs impossible. Without country-level preparedness,
requirements is are highly reliant, it becomes difficult to achieve international participation proves challenging in this
akin to having access to high-quality data at scale, upon which space, and secondly, governments can influence
visa-free travel for technological development relies – and from there, but not fully control the international environment.
their data problems quickly amplify. We see associated
economic consequences when companies need Consequently, this white paper does not represent
to create and maintain multiple data centres in a one-size-fits-all approach to cross-border data
different jurisdictions, at great cost in both monetary sharing, nor does it advocate how countries are
and environmental terms. Furthermore, companies to implement the recommendations outlined in the
relying upon such services may find they avoid various building blocks that we will discuss, but it
certain markets altogether due to the increased does try to identify the policies that countries ought
cost of doing business there. This then has further to consider implementing domestically in order to
knock-on effects for the attractiveness of regions facilitate full participation in the international data
when it comes to investment of capital and economy. As sovereign nations, countries have
retention of talent, with data localization restrictions both their own diplomatic relationships and their
acting as digital walls between countries. own domestic policy considerations to take into
account, and the Roadmap is therefore designed to
For some economies, a deliberate approach to provide a holistic look at what stakeholders believe
restricting the international movement of data can works when it comes to cross-border data flows.
be the result of a mistaken belief that localized data
reduces risk. From a business perspective, the We assume that all countries and users of
opposite can hold true: Regulatory certainty this Roadmap wish to have competitive open
breeds business commitment in product and economies, that they want to exist in a globally
service markets. competitive region, and they aim to attract both
local and foreign investments. We assume also that
For companies, an absence of data localization the countries and users of this Roadmap want to
requirements is akin to having visa-free travel for support their technology sector where access to
their data. One still needs a passport (which is data is a key driver, whether it be in AI, blockchain
represented by the trust mechanisms discussed or IoT applications such as smart cities, etc. We
below), but travel is pre-authorized. Removing also assume that no country wants to compel its
barriers to data flows is speedier, cheaper and more industrial players to share data across borders
efficient than the contrary, and it is hugely beneficial if they do not wish to do so and that this choice
in growing international business regardless of size. is best left in the hands of the holders of such
proprietary data.
How can we dismantle arbitrary barriers to cross-
border data sharing by implementing backstops Countries wishing to follow the Roadmap are
that provide assurance of appropriate safeguards to advised to conduct a country-level review of
governments without undermining global economic the current legal and regulatory provisions that
growth? What does a practical approach look like? may complement or obstruct the Roadmap. By
How can countries ensure they have appropriate definition, progress along the Roadmap indicates
policy frameworks in place to maximize benefit and progress, with a full suite round-up representing
minimize risk? forward-leaning cross-border data flows policy in
the Fourth Industrial Revolution.
The World Economic Forum has convened a
multistakeholder group of businesses, civil society Finally, while this Roadmap is designed to examine
actors, academics and governments globally who the issue in the context of the international and
were consulted on what makes cross-border data regional levels, there are learnings here for data-
policy fit for purpose and future-proof. The answer sharing policies at country level.
Policy recommendations
Data localization
Data localization Data localization requirements are broadly defined records by authorities. In practice, it can,
requirements as any laws, standards or policies that require for example, make it illegal to transfer company
have the effect an entity to store data on media that is physically or employee records across borders or limit
of restricting the present in a specific geographical territory: This can an institution’s ability to outsource certain
cross-border flow include the infrastructure and services that support functions offshore.
of data the hosting of data, e.g. servers. Data localization
requirements have the effect of restricting the cross- Because data localization requirements can also
border flow of data. They may be either deliberate emerge as a result of indirect policy measures,
or unintended, explicit or implicit. such as requiring or limiting government
procurement to locally established entities only,
Such requirements can often be found in data and or tax incentives that favour domestic industries
cybersecurity laws, but, in some instances, they over foreign products and services,3 they can
may be invisible. By way of example, there may be sometimes be difficult to identify at first. The result
a clause in a sector-specific law which mandates is that, even when it is technically legal to do so,
that a specific type of data be stored in a specific the transfer of data across borders becomes
geographic location, such as a clause within a law impractical and costly, making data localization an
governing financial services mandating access to inevitable outcome.
We are Some data localization requirements exist as a the region as a whole) and, sometimes more
suddenly legacy of older laws written for the pre-internet insidiously, leading to a potential copycat effect
witnessing an age and are intended to cover the storage in other nations. The result is an increasingly
increase in of physical records in a physical territory, fragmented deglobalized international data
intentional data but they are interpreted as applying also to economy that favours larger nations (which
localization, electronic records. But not all data localization naturally have relatively greater amounts of data
spurred on by requirements are legacy-based in nature. We are within their borders than smaller nations) and risks
the increasing suddenly witnessing an increase in intentional slowing down economic progress for smaller and
importance data localization, spurred on by the increasing emerging nations.
of data for importance of data for technological innovation and
technological general economic growth. Some countries that In reality, nations of all size can benefit their
innovation wish to partake in, or in some cases dominate, the economies by partaking in cross-border data
new global data economy are adopting increasingly sharing because it is not a zero-sum game. Unlike
aggressive measures designed to ensure that commodities, data is not a finite resource. Data
either they, or their indigenous businesses, have begets data,4 i.e. insights can continuously be
access to vast quantities of data. Aggressive derived through combining and analysing quality
deliberate data localization practices of this nature datasets in greater quantities. This concept
can have unintended consequences, including is particularly important for data analytics and
raising the price of entry for foreign investment, machine learning, and a key driver as to why data
disadvantaging neighbouring countries (and thus localization policies often backfire.
Data localization practices are often rooted in a specific territory, but that does not take into
a desire to protect the personal data of private account the guarantee that they will otherwise
citizens, but data localization laws cannot comply with data protection law. Moreover, easier
effectively address privacy concerns. Doing so or mandated government access to personal data
relies on robust country-level data protection when stored in a specific territory may ultimately
legislation and controlling access to data, impede privacy interests. In many cases, such
regardless of where it is stored. For example, a measures are simply misguided, but in extreme
company may be compliant with a data localization cases, data localization laws can actually become
requirement and store personal data only within anti-privacy laws.
Improving cybersecurity
Risk detection, The cybersecurity world offers lessons on why robust security controls, rather than geographic
assessment data localization and residency restrictions can be locality requirements. In addition, distributed and
and response harmful and costly: Data security issues can arise duplicated data on multiple systems leads to
to cyberthreats from storing all data in one geographical territory, variation in local security measures, lower local
require robust which is contrary to the diversification approach investment in security and leaves data more
security controls, most commonly mandated in the cybersecurity vulnerable to breaches. Similar to concerns
rather than industry and often adopted by multinational regarding data protection, data localization
geographic locality companies to ensure robust security across a requirements in the name of cybersecurity are often
requirements geographically dispersed network. Risk detection, misguided policies.
assessment and response to cyberthreats require
Cybersecurity concerns are distinct from national countries have enacted broad data localization
security concerns. Countries deploying isolated or laws so far and international treaties such as the
outdated technology are less able to protect their Trans-Pacific Partnership Agreement (TPPA) and
national security against foreign military and criminal the EU Free Flow of Non-Personal Data Regulation5
threats and may instead benefit from the use of expressly prohibit member countries from
cloud services (which are often more affordable when enacting data localization laws or local data centre
not made to measure and specifically localized). requirements except where justified. International
cooperation between intelligence and police forces –
Most countries consider selective record retention, for example, via INTERPOL and regional cooperation
secrecy and anti-treason laws sufficient to protect arrangements – render even justified cases of data
national security interests. That is why very few localization less useful than previous instances.
Countries can support their local data economy down local progress in relative terms. Secondly,
through inter alia, offering education, carefully local industry suffers when other countries
packaged deregulation, transparent tax codes and retaliate with their own data localization laws or
strong intellectual property protections. other free-trade restrictions. Thirdly, the lack of
access to international markets makes the territory
Introducing data localization requirements in order to unattractive to foreign investment due to these
create a market for local data centres or the use of inherent limitations.
locally made technology is not an effective long-term
strategy for boosting domestic industries because it In the same way that countries which allow their
limits the growth of the domestic data economy. economies to trade with partners experience
greater economic opportunity, so, too, do countries
First, local data centre facilities often prove costly and that allow their economies to participate fully in the
end up not being globally competitive, which slows international data economy.
Protecting the sovereignty Protecting the nation’s Protecting digital assets Upholding national laws
of the government and economic wealth and from theft or damage and protecting the nation
the democratic system freedom against internal security
threats
For the purpose of securing government access the sovereignty of nations to protect their national
to data, it is usually sufficient for governments to security interests, there are occasions where
require companies to guarantee remote access to countries will prefer to insist on localizing data.
data (wherever it is stored). There are exceptions However, a de minimis approach is recommended
to this in the case of hypersensitive data, such as here to avoid unintentionally localizing data that
information pertaining to military or defence data. is not itself sensitive but which sits alongside
Along similar lines, information that, if accessed by sensitive data that does need to be localized. Any
the wrong pair of hands, could take out a national requirements should be non-discriminatory, non-
energy grid is data that is beyond the comfort arbitrary and should not be disguised restrictions
zone of most governments. In line with respecting on trade.
The Comprehensive and Progressive Agreement (a) is not applied in a manner that would constitute
for Trans-Pacific Partnership identifies permissible a means of arbitrary or unjustifiable discrimination
exceptions for cross-border data flow restrictions or a disguised restriction on trade, and
in Article 14.11.3 and 14.13.3. Participating
members can adopt or maintain data localization (b) does not impose restrictions on transfers of
measures to achieve a legitimate public policy information greater than are required to achieve
objective, provided that the measure: the objective.
A. Isolation is costly
In fact, most businesses incur extra costs in corruption and compliance deficits associated with
complying with data localization requirements, both establishing local presences. Consequently, local
businesses from abroad and local SMEs that would companies and consumers lose access to cloud
like to use cloud service providers as back-end computing capabilities and other advanced foreign
infrastructure, such as software as a service (SaaS). information technologies, pay higher prices and
Those higher fixed costs are ultimately passed on become uncompetitive in global markets.
to SMEs, which often have neither the expertise
nor the budget to afford their own state-of-the-art Local labour markets may suffer from withdrawals
mechanisms to store and protect data, making use or reduced job offers from multinationals. Therefore,
of the cloud an accessible and effective solution. local consumers and economies lose out – in the
While foreign businesses look to where their form of higher-cost and lower-quality services, as
return on investment will be greater, indigenous well as lost job opportunities – as a result of the
businesses also become incentivized to locate impact of localization requirements on both local
elsewhere to avoid additional costs, local taxation, businesses and multinationals.
local government access to data, and risks of
The overwhelming majority of commercial activities individuals to sidestep infrastructure challenges, and
we engage in are virtual, which means they access services directly and affordably. This pace
are facilitated by data travelling over fibre-optic of progress could be quickly unwound were they to
networks across the globe every day. Cloud introduce arbitrary data localization requirements.
services and particularly SaaS offerings allow
businesses of all sizes to access customized Supply chains are another example. Highly
enterprise software at relatively low prices. If distributed and specialized in nature, these are in
you prevent data from being hosted outside of many ways the litmus test for market economics:
your country, most of these services and the Supply chain nodes that are no longer relevant
technologies that drive them become inaccessible. quickly die, so we can expect supply chains to
Data localization can make it impossible for small reasonably reflect real demand for goods and
businesses to get up and running, and it will be services, at least over time.
impossible for them to scale if they cannot benefit
from the economies cloud services provide. Supply chains are so finely balanced and
sophisticated that doing business usually involves
Access to e-commerce, which inherently relies interacting with many niche players, many of
on the flow of data, has helped many developing whom will be distributed globally – and, practically
economies, including countries in Africa, to grow speaking, that requires data to move. Even simply
at great pace, as access to mobile methods of buying goods and services from different places
payment, access, education and business enables around the globe requires the movement of data.
If you want to buy high-quality industrial ball One might think that something as small as a
bearings from Germany for machinery on your micro-sized part of a smartphone may not matter
factory floor, you must contract with a German much, but in fact industry is hyperspecialized – and
supplier. Your German supplier will have sales that’s a good thing. Performance improves in all
representatives and engineers who can recommend of the products and services affected by it, but it
which ball bearings will work best for you. You also requires commerce to move, and commerce
will keep their contact information in your vendor can’t move without data moving, too. Every action
management system – a system that is almost we take online is tracked and recorded. You can’t
certainly electronic and probably located in your create an ordering document, make a shipment,
vendor’s cloud. Your vendor’s cloud is powered by record a payment or issue a receipt without data
infrastructure providers who pass that data back – business, shipping, financial and often personal
and forth in their data centres and across borders to data moves around the e-commerce circulatory
ensure performance and prevent service interruption system continuously.
or failure. These data centres may be located
outside your country and even outside the country
where your vendor does business.
C. It stifles talent
More than 200 countries around the world have between two entities or more (i.e. what is known
enacted data laws of some description,7 with as cross-border data transfers), but the reverse is
many similarities and some significant differences not true, e.g. countries may restrict the contractual
between them. use of cross-border data transfer mechanisms and
yet not have any explicit data residency rules. Data
According to data residency and data retention laws, transfer restrictions and data residency requirements
companies must keep data for certain minimum are conceptually different. Under data residency
time periods and on national territory to ensure that laws, companies must process data primarily in a
government authorities can compel access. particular territory, but they can also transfer copies
of the data abroad. According to cross-border
Data processing regulations with cross-border data data transfer restrictions, companies must not
transfer restrictions originated in Europe in the 1970s transfer data to another country except in cases
and have been adopted by more and more countries where they can assure adequate safeguards for the
around the world. These include both broad-brush transferred data abroad; if companies can meet the
data residency requirements as well as narrower requirements for an exception, they are not required
data retention and residency laws pertaining to to keep a local copy of the data.
communications metadata only.8
Examples of data transfer mechanisms include
Countries that require data residency usually also binding corporate rules (BCRs) or standard
restrict the use of legal instruments that allow for contractual clauses that are discussed below in the
the contractual movement of data across borders “Data protection and privacy” section.
Focusing on access
Ultimately, policy Ultimately, policy that is in favour of cross-border One possible solution to staving off data localization
that is in favour of data access is usually pro-innovation, pro-economic in the data-centre space is the data jurisdiction
cross-border data growth and, frankly, pro-people. Governments law that Bahrain has introduced – where foreign
access is usually will righty have concerns about backstops and governments maintain their jurisdiction over
pro-innovation, safeguards to doing so, which are the subject of data stored in Bahrain-based data centres. This
pro-economic discussion throughout this white paper. By ensuring innovative solution to cloud computing manages
growth and, frankly, that data flow is the default state, governments to create a level of comfort for governments as the
pro-people can concentrate their energy on identifying those data is not technically stored in Bahrain for legal
very high-risk scenarios where they do consider it purposes, even if it physically is. If we consider that
appropriate to localize data. cyberspace is everywhere and nowhere, then what
ultimately matters is access to the data.
Policy recommendations
This Roadmap is designed to cover the principles use might be streamlined to extract a fit-for-purpose
behind the movement of all types of data as it version of the cross-border flow of personal data.
flows across borders. However, personal data or
personally identifiable information is a subset of Mobile phones, fitness trackers, connected cars,
data that is already highly controlled in its cross- medical devices, industrial machines, toys and
border movement. In fact, a significant amount of other IoT devices already generate vast amounts
data qualifies as “personal data” under EU data of data and information. The total amount of
protection laws and as “personal information” stored data worldwide is expected to reach 175
under newer data privacy laws in the US, including zettabytes by 2025.9 Unsurprisingly, the number
the California Consumer Privacy Act. As a result, of corresponding data laws has exploded in
restrictions on cross-border transfers of personal exponential terms in recent years, as seen in the
data affect most data transfers in practice. Below following graph.
we discuss how the various methods currently in
250
200
150
100
50
0
1972
1974
1978
1979
1981
1983
1985
1988
1990
1992
1994
1995
1996
1997
1998
1999
2000
2001
2002
2003
2004
2005
2006
2007
2008
2010
2011
2012
2013
2014
2015
2016
2017
2018
2019
Forseen
Modifications Count of data regulation
Source: OECD
Data protection and privacy laws governing the countries have full or draft legislation to secure the
Fair and
lawful
processing
Purpose
Accountability specification
Sensitivity Quality
Under these data protection and privacy laws, Asymmetry can act as a soft barrier when both
organizations usually face restrictions and obligations Country A and Country B have robust data
regarding the collection, use and transfer of protection legislation in place, yet significant
data relating to natural persons (personal data). differences exist in terms of how those laws are
Data protection and privacy laws do not apply to implemented and complied with. Compliance
aggregated information, irreversibly de-identified data comes with associated cost, and so to minimize
or data that does not relate to individuals. costs the company may choose not to do business
in Country B, opting instead to stay local or else
The core principles of data protection and privacy expand its business into territories whose regimes
as illustrated in Figure 5 above tend to remain are more similar to Country A’s. The result is that
fairly consistent from jurisdiction to jurisdiction, Country B loses out.
though some differences do appear. When
these differences are significant, a country’s data Finally, but by no means exhaustively, because
protection law can end up acting as both a hard of the relative importance placed on compliance
and soft barrier to the cross-border flow of data. when it comes to protecting personal data in a
dataset (due to regulatory obligations and other
Consider a company resident in Country A that is penalties, on top of the importance of protecting
interested in doing business in Country B. We can private individuals), the entire dataset will often be
assume that doing business will require some sort treated as personal data, even if it contains only a
of cross-border transfer of personal data, such as small amount of personal data. Larger companies
customer purchasing information. can often design data stacks so that personal data
can be stored separately from other kinds of data,
Asymmetry of approach to data protection but SMEs will usually lack the resources to do so
between these countries will act as a hard barrier and may effectively end up treating all data equally
to business in the case where Country A has a in line with the highest standard of compliance
robust level of data protection legislation and required, e.g. as if it is personal data. Thus, laws
Country B has a lighter or non-existent level that are intended to apply only to personal data
of protection. Because Country A cannot be can, in practice, have the effect of applying to all
certain that its citizens’ data would be adequately kinds of data.
protected in Country B, it may restrict the
movement of personal data by the company to
Country B.
Source: UNCTAD
Contractual Data privacy concerns in respect of the cross- collaboration and thus transfers of personal
commitments border movement of data can be addressed by data. Partial restrictions may be helpful to ensure
usually require mandating contractual commitments by foreign sufficient levels of data protection abroad, using one
parties to adhere data importers. Contractual commitments usually or more mechanisms:
to core principles require parties to adhere to core principles of
of various various international data protection and privacy – More and more countries require companies
international data laws. In this way we can see how existing laws can to provide notice or seek informed consent
protection and act as a form of unofficial standardization for cross- from data subjects before their personal
privacy laws border data transfer agreements. data may be transferred abroad. Companies
administer the notice and consent process,
National lawmakers can allow cross-border which adds costs to cross-border trade. While
transfers of personal data, hold data-transferring the approach is flexible and leaves the decision
companies responsible for any consequences to individuals, it places a considerable onus on
caused, and apply and enforce national laws individuals to understand the data value chain
against foreign companies and public-sector and is not optimal in cases where potentially
entities. The United States has taken this approach harmful processes are consented to but poorly
and successfully enforced its laws against understood.
companies around the world based on their nexus
to US markets and jurisdiction. Other countries find – The EU allows data transfers on the basis of
it more difficult to enforce their laws across borders consent only in specific circumstances11 and
if they cannot rely on cooperation from other generally requires that a data importer outside
countries, and the foreign companies involved have the European Economic Area (EEA) be located
less of a nexus to their jurisdiction. in a jurisdiction that the EU has declared
“adequate”, adopts industry codes of conduct,
If a country is concerned that it cannot enforce its implements binding corporate rules approved
data protection or privacy laws against companies by a data protection authority in the EU or
abroad, and does not trust another country’s accepts standard contractual clauses (SCCs)
practices, it can prohibit or restrict cross-border promulgated by the EU. Many multinationals
transfers of personal data. A complete prohibition view adopting the complex and rigid SCCs as
would result in economic isolation because the least burdensome option, even though the
international trade requires communication, SCCs cover only limited data transfer scenarios
Policy recommendations
The security of data when it moves across borders ePrivacy Directive,14 there are stringent penalties
is of fundamental concern to both companies and placed on electronic communications service
governments, both in terms of risk mitigation and providers who snoop on data in transmission on
security of proprietary data and intellectual property their networks. The analogy to trade of physical
(IP). The absence of, or the risk of the absence of, goods is also relevant here: Goods are shipped to
security measures further undermines trust and prevent unauthorized access but inspected at the
produces friction for cross-border data sharing. port of entry to satisfy local law requirements. They
are also labelled to generally describe their content.
Having a civilian Appropriate data protection technologies exist, So too could metadata be tagged to provide
cybersecurity e.g. data encryption and data masking. However, information about data content without necessarily
agency is key to the main challenge is when and how to use these making it available for review.
encourage trusted measures to create trust within data sharing
relationships agreements at a national level. The project If the metadata is tagged with appropriate content
around the community recommended that cross-border notices and securely transmitted using protocols,
world with other data sharing agreements between governments governments could reliably permit data transfer,
cybersecurity mandate a minimum threshold for cybersecurity, while keeping the payload confidential, and
agencies, whose just as already happens for the trade of goods and preserve the rights to inspection.
role is solely to services. Physical goods are assessed by common
protect networks, product specifications. e.g. origin and weight. To create a trustworthy environment for cross-
not to attack them Likewise, minimum thresholds for security can be border data flows by being a trustworthy
agreed between governments to enable the free international player, countries should consider
flow of data. measures at the national level such as enacting
national legislation to require data security
The project community further suggested that breach notification for all types of data; ensuring
cross-border data sharing agreements should compensation for data subjects or businesses for
contain an anti-snooping clause, i.e. a clause that actual harm caused by data security breaches; and
forbids governments and connectivity providers requiring manufacturers of IT products to make
from viewing the data being transmitted across secure products by promoting and supporting
borders, except in certain prescribed instances. investment in good security standards and
It is a well-established principle that connectivity third-party validation. Local laws should protect
providers should not access content data in organizations against cybercriminals and national
transmission (even though they technically have state espionage, and governments should consider
access to it, system controls can be designed to auditing organizations and enforce laws to reduce
make this access more difficult). Under the EU’s security breaches and promote trust.
Policy recommendations
Hardwiring accountability
Governments are inherently incentivized to This is less of an issue when it comes to recourse
implement policies that reduce national risk. Such for theft or the mishandling of proprietary data as
risks may include companies or persons hiding the private international legal space is well built out
data offshore or on a foreign cloud service, for (with some exceptions). Public international law is
the purposes of e.g. tax evasion or evading law also well established when it comes to governments
enforcement. In order to increase trust between sharing information with each other. The complexity
governments, cooperation and accountability arises when these worlds merge, which is the case
mechanisms must be built into any and all data when dealing with big data or data on the scale that
sharing agreements. is useful for machine learning, AI development and
other advanced use cases such as industrial IoT.
Concerns arise on the part of both governments
and the private sector when lines of private legal Private stakeholders who share and trade datasets
recourse break down across international borders. with each other across borders may do so in the
Innovation that progresses without sufficient this technology, providing a baseline for designing
consideration for governance and user systems that preserve the rights of its users. The
protection can lead to undesirable outcomes underlying aim is to bring greater accountability to
for individuals, companies and societies. For the systems that power our societies.
example, blockchain technology, a pillar of the
Fourth Industrial Revolution, can not only unlock The Presidio Principles16 establish guidance on the
radical improvements across the public and following rights:
private sectors, but also enable new business
Transparency and accessibility – the right to
and governance models that enhance security,
information about the system.
accountability and transparency for people
worldwide. Carefully regulated, blockchain can Privacy and security – the right to data
benefit the widest number of people in the fairest protection.
way. However, fractured blockchain systems,
with a hyper focus on efficiency rather than Agency and interoperability – the right for
transparency, risk losing the trust they can create. individuals to own and manage their data.
The World Economic Forum recently released a Accountability and governance – the right for
series of principles to help safeguard the promise of system users to understand available recourse.
The general principle of accountability should mean for fair and reciprocal access to legal action in the
that an agency or organization will be responsible case of commercial disputes.
under local equivalent law for the acts and practices
of a recipient of personal information that is the When it comes to other sensitive data, such as
subject of a cross-border transfer. That is, where data that could undermine public or national
an agency or organization incorporated in Country security, as outlined in the data localization
A transfers information to a recipient in Country B, chapter of this white paper, sovereign
if the acts or practices of that recipient in Country governments may rightly have an interest in
B in respect of the personal information from restricting the movement of that data beyond
Country A would have amounted to an interference a certain jurisdiction. However, as also stated
with the privacy of an individual if undertaken in above, it should only do so when, on balance,
Country A, they should constitute an interference the risk of allowing that data to move is greater
with the privacy of that individual for the purposes than the risks associated with preventing that
of Country A’s laws. Further, the acts or practices data from moving. Moreover, a number of
of the recipient in Country B should be taken to alternative arrangements already exist that help
be the acts or practices of the relevant agency or nations mitigate some of the national security
organization for the purposes of country A’s law. risks associated with cross-border data flows,
such as INTERPOL, Europol, CEPOL and other
In theory, when it comes to the movement of regional cooperation arrangements. Many
proprietary data, the rights and obligations between countries choose to enter bilateral and multilateral
commercial actors are usually detailed in private agreements to solve the operational challenges of
commercial contracts, rendering the regulatory cross-border law enforcement. Such agreements
lift less necessary than for personal information. are designed to facilitate law enforcement access
However, it goes without saying that countries to data across borders and define mechanisms
should adopt policies at the local level which allow for coordinated action.
The UK and the US signed a Bilateral Data There are, however, limitations to this
Access Agreement to allow law enforcement agreement. Law enforcement agencies will not
agencies to gain access to digital evidence be able to request data related to residents of
held by technology service providers located the other country (i.e. UK authorities may not
in these countries. Under the new agreement, request data related to US residents). Moreover,
law enforcement agencies can bypass the agreement does not require data-hosting
the pre-existing Mutual Legal Assistance service providers to turn over decrypted data to
Treaties (MLAT) process, whereby agencies law enforcement agencies.18
need to submit requests through the central
government of the other country; instead, those
agencies can request information directly from
the data-holding service provider.
Companies could be compelled to seek a specific purpose, which is specified at the time of the
derogation for the cross-border transfer of certain application. However, assuming other safeguards are
non-personal datasets that have been deemed to in place, such as a minimum level of cybersecurity
be highly sensitive by certifying that security and and tightly adhered to access controls, adhering
access rights be adhered to, and ensuring that to the conditions of such a derogation should be
this data is processed offshore or in the cloud for a relatively straightforward.
– Governments should appoint respective – National authorities should provide each other
authorities to cooperate with each other with the relevant data and information necessary
to support the free flow of data by the to take the appropriate actions with respect
private sector across borders. This includes to investigation proceedings. Data sharing
cooperation between data protection should be undertaken on a case-by-case basis
authorities, competition authorities and law between the authorities, and it should cover only
enforcement authorities. The authority taking on information that is relevant to an investigation
this role should ensure that the policy developed or proceeding.
through this interaction is consistent with other
national policies, and that there is guidance for – National authorities may choose to impose
private-sector players on how cross-border data conditions restricting the further dissemination
protection policy interacts with other industry- and use of the data shared with foreign
specific policy. Otherwise, compliance becomes counterparts, or exchange confidential data
a more burdensome task for businesses. using confidentiality waivers.
– Governments should review legislation and – National authorities should support each other
regulations that restrict the ability of domestic on a voluntary basis by providing investigative
organizations or individuals to cooperate with assistance as appropriate.
foreign authorities in investigations and law
enforcement matters.
Policy recommendations
For those countries and regions with advanced For 5G builds specifically, encouraging private
ambitions, very high-speed connectivity, 5G and network investment, including new market entrants,
high-performance computing (HPC) offer additional is vital given the relative expense of such a network.
areas of optional harmonization to pave the way Indeed, wealthier nations have responded to the
for the real-time processing of cross-border data challenge by doing exactly that. Again, economies
at scale for advanced use cases such as machine of scale matter here: A network provider will likely
learning or AI development. 5G networks, which find a region to be a more attractive deployment
have perhaps their strongest use case in industrial prospect than a nation on its own. The ability
IoT, can be local in nature, but used cross-border to share data across borders and network
to improve outcomes (due to access to more data), infrastructure roll-out at scale go hand in hand.
Technical interoperability
Fully maximizing At the network layer, technical interoperability cases, this data is either unstructured or structured
the value derived is already an area of international policy in idiosyncratic ways that make it difficult to use
from combining harmonization. However, the same cannot yet be cross-functionally with other databases. It lacks
datasets, whether said at the application layer. a common form or expression, making it hard to
using basic use horizontally across varying industries such as
algorithms or AI, Technical interoperability for data is defined as the healthcare, epidemiology, agriculture and supply
usually requires ability to share data between different systems and chain management as well as the data-intensive
the information to to enable those systems to make use of the data. use cases of the Fourth Industrial Revolution such
be harmonized, Fully maximizing the value derived from combining as AI and IoT.
standardized datasets, whether using basic algorithms or AI,
and stored usually requires the information to be harmonized, Governments can nudge behaviour here by
in structured standardized and stored in structured databases. incentivizing companies in their respective
databases jurisdictions to adopt similar approaches to
Historically, data has been collected and held by technical standards for data, without necessarily
a multitude of organizations at the local, national prescribing specific standards, so as to remain
and multinational level across the globe. In many future-proof.
Key to any interoperable technical framework is the Depending on the use case for sharing data, the
joining and merging of data from different systems, ecosystem could benefit from either syntactic or
without losing meaning. The expectations are that semantic interoperability. While the real world looks
data interconnectivity and interoperability should like a syntactic system of dispersed nodes and
be smooth and seamless when different systems multiple use cases, in reality most cross-border
deliver data to those who need it in the form they data sharing takes place in specific use cases
need it in. and for specific purposes. Semantic models can
therefore provide key insights as to what technical
Interoperability can mean different things to different interoperability for a specific use case might look
systems. Many National Statistical Offices (NSOs)19 like. In addition, AI solutions exist to manage
are adopting open data20 policies. When they semantic interoperability and governments should
publish statistical data openly, it is vital to identify be open to facilitating the same.
the needs of different consumers. For example, an
analyst may use the datasets in a machine-readable Open Data Watch’s Data Value Chain illustrates
format to test a hypotheses and make predictions; the importance of recognizing where in the
a developer community may need to access the data life cycle a use case sits so as to optimize
data through an API, and build dashboards, maps interoperability appropriately; the point on the value
and visualization tools; policy-makers may want to chain at which the user sits will give clues as to the
access the information through a web search or type of interoperability solution required by them.
human-readable reports. Each of these use cases
requires different levels of interoperability. As per the model, data increases in value as
it moves through the value chain, and can be
Looking at the challenge from a broader perspective, continuously recycled. In order to maximize such
there are two main types of interoperability: value, both technical interoperability within the
system and a level of standardization of the data
1. Syntactic interoperability requires multiple are required. While this type of model is ideally
systems to communicate and exchange data suited to a data flows arrangement for specific use
regardless of the different programming languages. cases, it demonstrates why interoperability is key to
amplifying the value of data in a cross-border data
2. Semantic interoperability requires a discrete flows scenario.
system to understand and enable the meaningful
use of shared data or resources by individuals,
organizations and public services.
Feedback
API interoperability
Application Programming Interfaces (APIs) offer Integrating legacy system APIs or converting legacy
a sophisticated way to make data resources APIs into the new Open API framework standards
accessible over the web to various applications is costly: Some organizations need to manage
and users. When APIs behave predictably, they multiple API versions or customize services to
reduce errors and handle users’ requests securely specific applications. An alternative approach to
and repetitively. The OpenAPI Specification has improve API interoperability is to create an API
emerged as the standard format for defining the “middle layer” or “API mashups”. These services
contract between client applications and services draw data from multiple APIs (legacy systems or
exposed via APIs, making it easier to orchestrate multiple services) and repackage them as a new
applications as collections of loosely coupled API endpoint for clients. Such API aggregations
services, each of which supports self-contained improve the integration experience.
business functions).23
Data portability
Data portability, which is the ability to port data relating to, for example, bundling, make it difficult
from one system to another, is an issue that is to leave the current system. Vendor lock-in can
top of mind for SaaS customers who may wish to block the movement of data both domestically and
switch services but can be impeded from doing internationally and furthermore acts as a barrier to
so by back-door data localization restrictions entry for new market entrants. There are further
such as vendor lock-in. Lock-in can occur when implications for the construction of data lakes
pricing models penalize or disproportionately that try to centralize data from different sources.
price the removal of data from a system, when Governments can encourage data portability by
the physical network infrastructure is not fast both disincentivizing vendor lock-in practices and
enough to allow for a real-time switchover to a supporting interoperability standards.
new system, or when unfair contractual clauses
Data provenance
Data provenance identifies the origin of the data Blockchain has the capability to document the
processor and data owner, and documents a origin and complete historical record of any type
record of the history of the data since collection. of data in an immutable or tamper-evident record.
Establishing and maintaining provenance protects Every instance of data changing hands or going
the authenticity of data. through any type of operation is traceable.
Another example of establishing provenance is in The majority of data publishers are secondary data
the personal health data space, with this type of producers. As a result, in some cases the journey
data often residing in an electronic health record of a single data point from its origin to its final
(EHR) system. There is minimal risk in assigning destination is unclear to the end user, and therefore
provenance based on an individual initiating a provenance cannot be easily established. To resolve
connection to their personal data files, in order this issue, the metadata should provide a machine-
to import data from a password-protected health readable map that makes this information available
institution. Once provenance is established and traceable across platforms and data producers.
with EHR data, it is efficient to assume that for When data providers apply semantic web
any additional data uploaded by that individual, technologies to publish the data, this drastically
provenance is therefore effectively already improves the ability to derive insights from the data,
established. This approach, using direct or indirect integrate the decentralized data and easily relay the
data owner validation, could also be applied to large information over the web.
established institutions sharing proprietary data.
For many decades, the diamond industry has By sharing provenance data securely, transparency
operated along opaque supply chains, with data becomes like a two-way street. Information
commonly lost, manipulated, suppressed or flows securely upstream, carrying insights about
destroyed. More recently, mining companies, the origin and characteristics of the diamond or
manufacturers and retailers have taken steps to gemstone. Eventually, the customer at the head of
become more transparent about the provenance the chain can make their valuable purchase on the
of their diamonds and jewellery, in response to basis of increased knowledge and a more thorough
customer demand for ethically and sustainably understanding of the value of the piece.
sourced stones.
Information is also sent back down the chain
Blockchain has emerged as a secure technology to help all stakeholders make better decisions.
for flowing data in an interoperable way. Major The overall impact is higher clarity in a complex
stakeholders such as the Gemological Institute supply chain, which results in closer adherence
of America (GIA) and the jeweller Chow Tai Fook to the aims of the United Nations’ Sustainable
now register the details of their diamonds on the Development Goals (SDGs), whether it be gender
Everledger platform. By combining blockchain equality, decent work and economic growth, or
technology with AI, IoT and nanotechnology, responsible consumption and production.
Everledger creates a digital twin of every diamond,
enabling traceability in a secure, unalterable and
private platform.
While checks In summary, governments should ensure that they to ensure they can compete fully in the Fourth
and balances understand the interoperability space and why Industrial Revolution. Given that network investment
are necessary it matters to ensure that data sharing is nudged is expensive, forward-leaning policies such as
to maintain towards international interoperability, without capitalizing on the economies of scale offered
data integrity, specifically mandating the introduction of any one by regions rather than individual companies can
provenance technical interoperability standard. In this manner, strongly encourage private capital investment in
cannot always be the policy environment can remain supportive to connectivity infrastructure such as 5G.24
easily established technical interoperability without prescribing it with
any specification, thus leaving the window open for Furthermore, governments should be cognisant of
flexibility among private-sector actors. the risk of inaccurate data crossing borders. While
checks and balances are necessary to maintain
In addition to data management interoperability, data integrity, provenance cannot always be easily
backbone infrastructure connectivity (e.g. highspeed established. Policy-makers should take a balanced
broadband or 5G wireless infrastructure) allows approach to minimize the risk of data integrity
for a foundation of data flows activity domestically. concerns, without restricting the movement of data
Lack of connectivity means that countries cannot across borders. Meanwhile, companies can use
be ready to participate fully in the data economy reliability and/or validation studies when data is
in the first instance, so countries would be wise exchanged between entities. These types of studies
to prioritize backbone telecommunications are highly common in scientific research and will likely
infrastructure as well as international connectivity become more common in the data sharing space.
Policy recommendations
– Leaving the door open to future models ensures that policy in this
space remains future-proof and robust.
Sometimes the Technological solutions exist that allow data insights levels when it comes to data sharing. But what
algorithm itself to flow between entities/countries without the data would happen if and when a government decides
can travel, rather leaving the local server. Local data is tagged or to restrict the movement of the hash, the algorithm
than the data referenced and the reference can then be shared. or the insight (IP) from the data rather than the
The reference may be completely random or may data itself? Such a scenario would undermine
contain minimal information about the original data data sharing policies at the cross-border level,
and may therefore be considered to be less sensitive potentially acting as a back door to backward-
or be classified as a lower-risk piece of data. The leaning protectionist policies and more importantly
data reference can be used by the country of origin would reduce the value of the insights that may be
and, if necessary, it can be used to make a request gleaned from a critical mass of data.
to the data repository in the receiving country. Each
of those requests can then be authorized by the The solution would seem obvious:
local country. Innovations such as this are especially Intergovernmental agreements for data should not
useful for machine learning on sensitive data. only cover the movement and protection of data,
Indeed, sometimes the algorithm itself can travel, they should also recognize and protect the free
rather than the data, and in doing so the algorithm movement and protection of proprietary algorithms,
learns by moving from dataset to dataset, while their distributed nature and value.
the data itself remains on site wherever it is stored.
The result is that it is the insights from the data, the Below, we explore how these models work and why
metadata or the IP that move. it is in our view necessary for governments to offer
affirmative cohesive policy frameworks that consider
Techniques such as the above open the door to a such models.
myriad of new options and can increase comfort
The solution to enabling broad data sharing policies through access to data in another jurisdiction. An
lies in part in understanding who the true data obvious situation where this might be crucial is in
rights holders are – whether they be governments, the analysis and investigation of genetic markers for
businesses, institutions or individuals – and rare disease or pools of biodiversity genomic data
their needs for data to move across any and all across entire biomes such as the Amazon Basin
borders in a way that protects those rights and to mine for novel protein and biological molecules
interests. This becomes ever more complex when with high value to society and the economy. Such
it comes to trawling datasets for machine learning an approach increases the intelligence of end-user
purposes, effectively creating a distributed data applications both at the edge and system-wide.
lake. It is usually the case that more data leads
to better learning outcomes, provided that data Considering the real scaling potential of federated
is accurate and somewhat useful to begin with. data learning, a systems-view approach is needed
Even if a country finds that it has “enough” data to consider how to best manage federated learning
within its own borders to achieve meaningful at an international level, including attributing
learnings by algorithms and is thus not highly rights appropriately. This approach enables the
incentivized to develop proactive cross-border application of machine learning to a data pool
data sharing policies, it is still often the case that that can exist in many locations simultaneously,
the relevant insights from analysing the data lake, including across borders, while also protecting
or the algorithm that is developing and refining on against privacy breaches.
the basis of those learnings, would be improved
Data trusts
A data trust is a system or entity that manages the system-wide architecture would address privacy
rules of the game in a created data ecosystem, protection, transparency and end-to-end traceability
particularly the contributed data on behalf of as well as the data supplier’s ability to exercise
the data suppliers. Trust ownership rights can rights. Of course, underlying all of this is the fact
be exchanged for data contributions by the that such a framework must be allowed to happen
data supplier. Compensation to data suppliers legally, whether explicitly mandated or not.
can accrue because interested parties such as
governments and businesses want the insights An alternative model to an international data trust
derived from the data inputs. Depending on the is a series of national data trusts that reside in
scenario, they may pay for access and use.25 Data different jurisdictions. Under this model, multiple
trusts are often enabled by federated learning trusts may be hosted within sovereign borders,
techniques, as above, as well as by private when required by local regulations or other key
computing architectures. Data trusts may exist requirements (which, as argued earlier, should
somewhere or in many places, usually determined be discouraged in general and applied only in
by where the data suppliers (inputs) are located. the narrowest justifiable circumstances, such as
for national security concerns) and federated as
Data trusts do not need to be international in part of a single system. This type of solution can
nature. However, to enable countries that wish to enable “learning sovereignty” with fair and equitable
capitalize upon innovations and research learnings value attribution for data suppliers while at the
from data trust models that require access to data same time enabling important societal benefits
in different jurisdictions, it is essential that such and commercial innovation opportunities that
activity does not inadvertently become illegal. otherwise would not be possible in current settings
Currently, international legal norms on cross-border without data sharing. Federating data between
data trusts are simply not explicitly accounted for in independent data trusts can provide access to
many instances, putting their legality in question. data that would otherwise be isolated. In many
cases, this data might not be available at all, as
Should governments wish to explicitly authorize inter-entity trust is required to readily access many
or encourage the use of an international data trust types of private or sensitive data.
framework, governance rules and a fit-for-purpose
Hashing, Hashing, data trust models and federated learning While the specificities of recognizing any one model
data trusts all offer innovative options for unlocking siloed data, are at a sovereign government’s discretion, it is
and federated which is ultimately a key aim of cross-border data recommended that the existence of such models
learning models flows policy. By creating space for such innovative, be considered as a reality when constructing
all offer innovative new or alternative models (including other and data flows policy so as to avoid any unintended
solutions for future models for unlocking data or data learnings consequences and potentially choke sectors of
unlocking siloed or even algorithms across borders), governments the economy. To give the example of AI, machine
data, which is can ensure that their digital borders remain open learning could be severely curtailed by the
ultimately a key for business and that both their international and prevention of algorithms or findings travelling across
aim of cross-border national policies remain future-proof in respect of borders should that ever be a policy position.
data flows policy the data economy.
Empowering governments to adopt robust but relevant analysis needed to both build trust with
safeguarded cross-border data sharing policies is of their counterparts in the digital economy space and
critical importance to ensure that economies do not facilitate their own domestic data economy.
get left behind in the Fourth Industrial Revolution.
The Roadmap deliberately does not prescribe the
Building trust between governments is ultimately implementation of these measures at a country
There is no
a matter that rests with sovereign nations. level, as such measures are highly context-specific
one-size-fits-all
Nevertheless, businesses can help governments set and countries need to conduct their own analysis of
approach; after all,
fit-for-purpose policy that allows for interoperability their readiness in the various policy areas examined.
every inter-country
from country to country or region to region. There However, the gauntlet is firmly thrown to countries
relationship is
is no one-size-fits-all approach; after all, every inter- to stress-test the Roadmap and determine how to
unique
country relationship is unique. implement it. This exercise will be critically important
as the world moves towards post COVID-19
However, by considering a common set of policy economic recovery and the need for cross-border
levers – as represented in the Roadmap – nations data flows becomes ever more acute.
can feel confident that they are engaging in the
AICPA SOC 2 Type 2: SOC stands for “system and Providing Cloud Computing Services to Foreign
organization controls”, and are a series of standards Parties, data from government and business entities
designed to measure how well a given service stored in data centres in Bahrain is subject to the
organization conducts and regulates its information. exclusive jurisdiction of the foreign state in which
The purpose of SOC standards is to provide the entity is domiciled, constituted or established.
confidence and peace of mind for organizations
when they engage third-party vendors. A SOC- Data localization requirements: Any obligation,
certified organization has been audited by an prohibition, condition, limit or other requirement
independent certified public accountant who provided for in the laws, regulations or
determined that the firm has the appropriate SOC administrative provisions of a jurisdiction or resulting
safeguards and procedures in place. from general and consistent administrative practices
in that jurisdiction and in bodies governed by public
More specifically, SOC 2 is designed for service law, including in the field of public procurement
providers storing customer data in the cloud. It that imposes the processing of data in a specific
requires companies to establish and follow strict territory or hinders the processing of data in any
information security policies and procedures other territory.
encompassing the security, availability, processing,
integrity and confidentiality of customer data.26 Data portability: The ability to port data from one
system to another; this is an issue that is top of
Anti-snooping clause: A clause that forbids mind for B2B customers of data hosting services.
governments and connectivity providers from
viewing the data being transmitted across borders, Data porting: Moving data from one backbone
except in certain prescribed instances. system to another in order to use it on that different
system, which may or may not be compatible.
APEC CBPR: Asia-Pacific Economic Cooperation
Cross-Border Privacy Rules. Data processing: As defined in the GDPR (Article
4), any operation or set of operations that is
Artificial intelligence (AI): The capacity of a performed on personal data or on sets of personal
machine to imitate intelligent human behaviour. data, whether or not by automated means, such
as collection, recording, organization, structuring,
Binding corporate rules (BCRs): A cross- storage, adaptation or alteration, retrieval,
border transfer mechanism of the GDPR whereby consultation, use, disclosure by transmission,
multinational corporations can seek explicit approval dissemination or otherwise making available,
for their actions. alignment or combination, restriction, erasure
or destruction.
Cloud computing: On-demand computer and
storage systems that are managed by a third party Data processor: As defined in the GDPR (Article 4),
and often exist across multiple data centres in a natural or legal person, public authority, agency or
multiple locations. other body that processes personal data on behalf
of the controller.
Confidentiality: Property such that information is
not made available or disclosed to unauthorized Data protection and privacy laws: Laws that
individuals, entities or processes. govern the collection and processing of personal
data and personally identifiable information
Cross-border data flows: The regular unimpeded and which vary from territory to territory. These
movement of data across international borders. differences can act as both a hard and soft barrier
to the movement of data across borders and can
Cross-border data transfer restrictions: cover personal and/or non-personal data.
Restrictions on companies that mean they must not
transfer data to another country unless they can Data provenance: Identifies the origin of the data
assure adequate safeguards for the transferred data processor and data owner and documents a record
abroad; if companies can meet the requirements for of the history of the data since collection.
an exception, they are not required to keep a local
copy of the data. Data residency laws: Under these laws,
companies must process data primarily in a
Data jurisdiction law (Bahrain): According to the particular territory, but they can also transfer copies
Legislative Decree No. 56 of 2018 in Respect of of the data abroad.
The information security management system Technical interoperability: The ability to share
preserves the confidentiality, integrity and availability data between different systems and to enable those
of information by applying a risk management systems to make use of the data.
process and gives confidence to interested parties
that risks are adequately managed. Threat: Potential cause of an unwanted incident,
which may result in harm to a system or organization.
Francis Jee
Steering Committee Fellow, Blockchain and Distributed Ledger
Technology, World Economic Forum
Lothar Determann
Partner, Baker McKenzie and Adjunct Professor, Rosetta Jones
Free University Berlin; University of California, Senior Director, Global Strategic Initiatives, Visa
Hastings College of the Law; Lecturer, Berkeley
School of Law (Chair) Maisie Mahoney
Head of the Digital Project Management Office
Leanne Kemp
Chief Executive Officer, Everledger (Co-Chair) Allan Millington
Director, Data Management, EY
Juan Carlos Castilla-Rubio
Chairman, Space Time Ventures Adrien Ogée
Chief Operations Officer, The CyberPeace Institute
Elizabeth Davies
Senior Director, Data Protection, Splunk Diana Paredes
Chief Executive Officer and Co-Founder, Suade
Jan Huizeling
Vice-President Digital Farming, Yara International Sheila Warren
Head, Blockchain, Digital Assets, and Data Policy,
Robert Charles Kain and Member of the Executive Committee, World
Chief Executive Officer and Co-Founder, LunaPBC Economic Forum, USA
1. Ferracane, M.F. (2017), Restrictions to Cross-Border Data Flows: A Taxonomy,European Centre for International Political
Economy (ECIPE): https://ecipe.org/publications/restrictions-to-cross-border-data-flows-a-taxonomy/ (link as of 15/5/20).
2. World Economic Forum (2019), Exploring International Data Flow Governance: https://www.weforum.org/whitepapers/
exploring-international-data-flow-governance (link as of 19/5/20).
3. Ursic H., Nurullaev R., Olmedo Cuevas M. and Szulewski P. (2018), Data Localisation Measures and Their Impacts on
Data Science. In: Mak V., Tjong Tjin Tai E. and Berle A. (eds.) (2018), Research Handbook in Data Science and Law.
Research Handbooks in Information Law. Cheltenham: Edward Elgar: pp. 322–353: https://ssrn.com/abstract=3102890
(link as of 15/5/20).
4. Press, G. (2020), 6 Predictions About Data in 2020 and the Coming Decade, Forbes: https://www.forbes.com/sites/
gilpress/2020/01/06/6-predictions-about-data-in-2020-and-the-coming-decade/#3d3c658c4fc3 (link as of 15/5/20).
5. Regulation (EU) 2018/1807 of the European Parliament and of the Council of 14 November 2018 on a framework for the
free flow of non-personal data in the European Union.
6. Scharwatt C. (2019), The Impact of Data Localisation Requirements on the Growth of Mobile Money-Enabled Remittance,
GSMA: https://www.gsma.com/mobilefordevelopment/wp-content/uploads/2019/03/GSMA_Understanding-the-impact-
of-data-localisation.pdf (link as of 15/5/20).
7. Casalini F. and Lopez Gonzalez J. (2019), Trade and Cross-Border Data Flows, OECD Trade Policy Papers, No. 220,
OECD Publishing, Paris: p. 15.
8. Determann, L. (2020), Determann’s Field Guide to Data Privacy Law, 4th Ed., #0.14 et sequ.: www.elgaronline.com/view/
9781789906189/9781789906189.xml (link as of 15/5/20).
9. Reinsel, D., Gantz, J. and Rydning, J. (2018), Data Age 2025: The Evolution of Data to Life-Critical, IDC: https://www.
seagate.com/files/www-content/our-story/trends/files/Seagate-WP-DataAge2025-March-2017.pdf (link as of 15/5/20).
10. Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural
persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive
95/46/EC (General Data Protection Regulation).
11. Article 49 (1) (a) EU General Data Protection Regulation.
12. Determann, L. (2019), Healthy Data Protection, SSRN: http://ssrn.com/abstract=3357990 (link as of 15/5/20).
13. This approach is similar to the EU-US Privacy Shield, whereby mutual standards are respected regarding the processing
of personal data.
14. Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of
personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic
communications).
15. ENISA (November 2016), NCSS Good Practice Guide: https://www.enisa.europa.eu/publications/ncss-good-practice-
guide; whitehouse.gov (September 2018), National Cyber Strategy of the USA: https://www.whitehouse.gov/wp-content/
uploads/2018/09/National-Cyber-Strategy.pdf; ITU (2018), Guide to Developing a National Cybersecurity Strategy:
https://www.itu.int/dms_pub/itu-d/opb/str/D-STR-CYB_GUIDE.01-2018-PDF-E.pdf (links as of 18/5/20).
16. World Economic Forum (2020), Presidio Principles: Foundational Values for a Decentralized Future: https://www.weforum.
org/communities/presidio-principles (link as of 28/5/20).
17. APEC Policy Support Unit (2018), Study on Single Window Systems’ International Interoperability: Key Issues for
Its Implementation: https://www.apec.org/Publications/2018/08/Study-on-Single-Window-Systems-International-
Interoperability (link as of 18/5/20).
18. Thomson C., Ludlam J., Peddie J. and Grimmer T.J. (23 October 2019), UK and US Sign Data Access Agreement to
Expedite Digital Evidence – Sharing in Criminal Investigations, Baker McKenzie: https://www.bakermckenzie.com/en/
insight/publications/2019/10/uk-us-data-access-agreement (link as of 18/5/20).
19. UN, National Statistical Offices: https://unstats.un.org/home/nso_sites/ (link as of 18/5/20).