The Levers of Data Governance
Levers of data governance exist at super-national, national, and sub-national levels. These include bilateral, regional, and multilateral trade agreements, and a broad range of data-related laws, regulations, standards, and norms. Litigation, particularly class action lawsuits, also has a role to play. All these levers are ways in which governments, corporations, and other key actors in global data governance can technically influence how data flows and is stored, and ways in which they can similarly exert influence in legal and regulatory fashions.
First and foremost is the technical element: governments cannot make decisions about data governance in isolation from the technical layers of the internet. Despite wishes to restrict access to encrypted messaging apps, for instance, the Russian government has proven unable to effectively block the messaging app Telegram from within Russian borders due to technical challenges.[1] Countries looking to design data governance regimes that exclude others from accessing certain data located on websites hosted within their borders, to use another example, cannot do so without consideration for how the internet is currently designed to globally route information. Standards, or technical rules around issues like web traffic security and internet protocol interoperability, play a critical role here. This all means that in practice, limits on free data flows are not simply a matter of government power or legal authority, but also reflect government and corporate technical capabilities—its own subset of the levers of data governance.
In order for governments and firms to influence technical elements of the internet, such as data flows across internet architecture, they leverage policies, laws, and regulations. Even if these rules do not specify exactly how certain practices should be executed in code, they may at least specify certain technologies that should be used for certain purposes, or which organizations are in charge of executing the technical steps. For example, at one time, Brazil required the use of a local email service instead of Outlook, but the effort failed because the service did not support attachments and other functions. The policy requirements were ineffective because the technology was simply an obstacle to human and organizational performance.
Technical protocols and standards remain an integral yet poorly understood part of this conversation about the “levers” of data governance. Deeper study and mapping of the standards landscape across categories such as internet architecture, company activities, people, and governments would be helpful as a basis for any international framework.[2]
At both technical and regulatory levels, there is a need to maintain some level of interoperability between different countries’ internet systems and governance regimes—lest, for example, global internet speeds greatly decline or certain data flows to certain destinations halt altogether. Again, such a discussion should account for how the internet currently works; even if data governance is discussed differently from internet governance, or as a somewhat overlapping but somewhat separate issue, the governance of data flows is inextricably linked to how the global internet operates.
It remains an open question how these issues of interoperability should be handled between countries. For instance, the handling of cross-border data flow and cybersecurity issues at the World Trade Organization (WTO) has been fraught with complications. This includes uncertainty about whether or not current WTO rules (written in the pre-internet era) apply to digital trade issues. Related to that, there have also been disputes over whether certain regulations (i.e., data localization policies) violate member countries’ WTO obligations.[3] Rulemaking in bodies like the WTO is going to come with its own set of challenges.
The costs of fundamental incompatibility between systems are not trivial. Conflict could hinder the free flow of data (see Theme 1, the next section), limit the aggregation and use of data to drive innovation, and impose heavy costs on corporations that must duplicatively store the same kinds of data in many different geographies.
Participants identified a number of challenges in creating a global framework using different levers of data governance, including:
- Lack of quantifiable indicators: Unlike with physical goods, there are no clear and universal ways to quantify and track the volume of data flows against the value of those flows.
- Classification challenges: A question that emerged from discussion is whether regulation should treat different kinds of data separately (rather than treating all data the same in bulk). In other words, not all data flows should be treated the same. Sensitive personal information (e.g., from healthcare), manufacturing data (e.g., from factories), law enforcement data, and national security data (e.g., from the Five Eyes intelligence alliance) are in many cases different, even if related or overlapping, and should be handled as such. The question then becomes who has the right to classify that data, and whether this should be a kind of “self-declaration” by companies or come from a regulatory body (which likely would lead to industry pushback). The role of industry and governments in determining what kind of data would be classified as personal data, for example, remains an open question. Relatedly, there is also a separate ongoing discussion as part of the Budapest Convention on Cybercrime about how to handle subscriber data, but not the actual content of communications.
- Conceptual differences: There is a need for a comparative regional analysis on the state of play to understand what levers exist to date, and the conceptual or philosophical foundation upon which those levers are based. A key question is whether an international framework can be created despite these differences.
Different regions may use distinct levers for governing concepts like “privacy” and “security.” For example, the term “data protection” in the European context may be interchangeable with notions of individuals’ autonomy over their own data—something more commonly associated with the term “privacy”—while in the Chinese context, data protection tends to refer more to restrictions put in place to secure data against criminal actors, while allowing unchecked government access to personal data. China may not be unique in this aspect as countries including India, Singapore, and Vietnam similarly have data protection laws or are considering data protection bills that apply to the private sector but not the government.
There is a need for further study into the relationship between privacy and cybersecurity when it comes to data regimes. Will these two concepts increasingly blur, or should they be kept distinct? In the United States, cybersecurity law has tended to grow out of privacy law. The exception is California’s IoT security law, which centers on the protection of the device rather than personal data.
Ultimately, the levers of data governance are also part of broader differences in how countries conceptualize and operationalize national and cyber security, and what impact this has on the use of data in the digital economy. There are also differences in how governments balance objectives around the rights of individuals to control their data and the desire of private-sector players to profit and innovate.
Existing data governance regimes around the world all strike a somewhat different balance in the triad of state, individual, and corporate interests. Is it possible to create a meaningful super-national framework among various governments if we take as a given that national levels are likely to start from different places in this triad?
The issue becomes more complex when we consider that some governments may have more sub-national debate than others when it comes to this triad. For example, while there is often more internal debate within China’s bureaucracy on data issues than gets acknowledged from the outside, the reality is that it will be easier for a country like China to have a more cohesive organizing principle (i.e., state security) that overrides all other interests at play in the triad. The question, then, is whether other systems are able to effectively balance tensions by coming up with their own cohesive view of data governance (i.e., considering economic strength as distinct from state security).
Citations
1. Vlad Savov, “Russia’s Telegram ban is a big, convoluted mess,” The Verge, April 17, 2018.
2. Relevant standards organizations include the International Organization for Standardization (ISO), International Electrotechnical Commission (IEC), Internet Engineering Task Force (IETF), and the U.S. National Institute of Standards and Technology (NIST).
3. For a snapshot of this issue set and some related disputes in recent years, see: Chris Mirasola, “U.S. Criticism of China’s Cybersecurity Law and the Nexus of Data Privacy and Trade Law,” Lawfare, October 10, 2017; and Joshua P. Meltzer and Cameron F. Kerry, “Cybersecurity and digital trade: Getting it right,” Brookings Institution, September 18, 2019.