Theme 1: Growing Restrictions on Free Data Flows

At the most basic level, policymakers seeking to create a global data governance framework must address a number of fundamental questions when it comes to transferring data across borders: To what extent does data flow freely across borders today? Should the free flow of data exist in the future? Are free data flows beneficial and inevitable? If so, what safeguards need to be in place and what obstacles need to be overcome to create interoperability across regions with different perspectives on the issue?

Countries that restrict cross-border data transfers could have several (often overlapping) motivations for doing so. The first reason could be to increase some notion of security (based on the assumption that data’s location is more important for its security than the measures taken to secure it). Data restrictions could also be motivated by a government’s desire to impose content-based controls on communications that occur online. Another possible driver is to promote domestic digital industries by ensuring that value from local citizen data remains in-country. Governments may also seek to enhance their ability to access data for law enforcement purposes as well as for other political or social uses by security and intelligence services.¹

Most experts agreed that the free flow of data is more or less the status quo today (though it may not be that way forever). While there are filtering mechanisms in place on internet data in various parts of the world, and there are also data localization policies that mandate data stays in certain geographies, the majority of data does flow relatively uninhibited over the global internet because (a) existing restrictions do not block all kinds of data or are enforced unevenly, and (b) there are many technical barriers to enforcement, as demonstrated by the use of internet censorship work-arounds (i.e., Virtual Private Networks) in countries like China and Russia. That said, there are a range of geolocation-based internet traffic blocking protocols, data transfer restrictions, and other measures being imposed all around the world that are restricting data flows across borders.

To maintain free flows of data in the future, the question is what rights and obligations should come with the movement of data. In other words, what levers of data governance should be used to establish “trust” at the center of Prime Minister Abe’s vision?

Answering this question requires first taking into account fault lines or areas in which there may be conflict. According to Sadanori Ito, the official from Japan’s Ministry of Economy, Trade and Industry who was in charge of the digital component of the G20 Leaders’ Statement, the three main fault lines are as follows:

1. Advanced economies vs. emerging market economies
2. United States (and European Union) vs. China
3. United States vs. European Union

First, when it comes to conflict between advanced and emerging economies, some governments are pushing for restrictions on data flows based on the premise that countries like the United States reap a disproportionate share of benefits. While policymakers and industry groups in Australia, Canada, Japan, Singapore, parts of Europe, and elsewhere tend to advocate free data flows to promote global commerce, other stakeholders in emerging economies like India argue that this is not necessarily in their best interest. India’s unwillingness to sign onto the G20 Osaka Agreement underscores a trend of pushing back against “data colonialism” by western tech giants, arguing that restrictions on cross-border data transfer may bolster the competitiveness of India’s domestic startup ecosystem, protect the privacy of Indian citizens, and position India as a global player in data regulation.²

But not all emerging economies subscribe to India’s view of “data nationalism,” instead embracing rules that support data flows, such as among “Pacific Alliance” members in Latin America (Chile, Colombia, Mexico, and Peru), Vietnam, and Malaysia.³ However, if India’s approach advances domestically, and other countries take a similar path, restrictions on data flows could become more of a norm for the global internet (or at least large parts of it).

The second fault line is competition between the United States and China, particularly when it comes to data-intensive technologies like artificial intelligence, and underpinning architecture like 5G telecommunications networks that will enable the deployment of these technologies. Washington and Beijing are increasingly concerned about access to data on their respective citizens by the other government. Many different forms of restrictions on data flows could thus be implemented as a result.

Both the United States and China are also rolling out new regulatory tools to limit data flows based on national security concerns. China’s Cybersecurity Law introduced provisions that would require certain kinds of data (“important data” and “personal data” produced by critical information infrastructure operators) to be stored inside China or undergo a security audit before being sent out.⁴ Meanwhile, the U.S. government has made access to “sensitive data” on U.S. citizens a major new focus of reviews of transactions under the Committee on Foreign Investment in the United States. Sen. Josh Hawley (R-Mo.) is working on legislation that would prohibit data transfer to a list of blacklisted countries like China.⁵

The third major fault line is between the United States and Europe. The Court of Justice of the European Union already once—and may very well again—restricted data flows from Europe to the United States because of a concern about the absence of sufficient privacy protections in the United States. The European Union also takes a different approach to the United States in dealing with data flows and privacy issues in trade agreements: excluding privacy from trade agreements, instead dealing with them in a separate legal arrangement under the General Data Protection Regulation (GDPR) called an “adequacy agreement” to allow for data exchange with the European Union.

One point of convergence, however, between U.S. and European officials appears to be shared concerns over Beijing’s data regime. EU officials have indicated that China may never be eligible for “adequacy.” Chinese companies may find that it’s impossible to comply with GDPR and China’s cybersecurity law at once. Although those who drafted China’s data-privacy rules looked to GDPR as a model, the version of GDPR they created for China’s political system—where the government has expansive surveillance authorities—makes it hard to imagine how the Chinese and European systems could ever be reconciled.⁶ Therefore, as EU officials grow increasingly concerned about China’s approach, there could be more alignment between Europe and the United States.

As conflict over data grows more fraught, data may not flow freely across all of these fault lines in the future. In other words, free flow of data may only be possible among certain groups, or “coalitions” (as discussed in Theme 3).

The question of legal nexus underpins the conflict over what safeguards should be in place to facilitate cross-border data flows—that is, determining responsibility and accountability when multiple countries assert jurisdiction over the same data: the nationality of the individuals and organizations owning data, service providers storing data, individuals and organizations accessing data, and individuals described in the data.⁷ Some argue that as long as a firm operates in a given country, then that country’s data rules apply and should be enforced. Doing so would then negate the need for data localization by that country to maintain control over its own data. In the case of a crime, for example, the most important factor would be where the investigating entity is located rather than where the data is located. This leads into the next section, where we discuss the relationship between domestic and international levers.