Until a few decades ago, privacy was a much more abstract than concrete concept. With the spread of digital technology and the consequent need for web users (and others) to provide their personal data to a variety of ‘dematerialised’ subjects, the need to provide protection and control over the processing of these data has become a requirement and objective of all states.
As the number of daily activities that any person carries out on the Web has grown exponentially, the need has shifted rapidly from national regulation to European regulation to worldwide regulation.
In recent months, we have seen a marked increase in activity related to cross-border data flow agreements.
Let us first look at how cross-border data flows are defined: the European rules define them as the transfer of personal data to a recipient subject to a foreign jurisdiction.
On this issue, we must point out that the UN General Assembly has published Report A/77/196 ‘Right to privacy’, which not only gives a rather bleak picture of the state of privacy protection on a global level, but also provides a decalogue of standards that should be used in the normative regulation of the topic of data exchange between different jurisdictions (1).
Analysis of the OECD report Cross-border Data Flows: Taking Stock of Key Policies and Initiatives of 12 October 2022
Today we will briefly analyse the report published by the OECD on 12 October 2022, ‘Cross-border Data Flows: Taking Stock of Key Policies and Initiatives’ (2).
First of all, let us clarify what the OECD is and what it actually does.
The Organisation for Economic Co-operation and Development (OECD) is an international organisation that works to build better policies for better lives. Our goal is to shape policies that foster prosperity, equality, opportunity and well-being for all. We draw on 60 years of experience and insights to better prepare the world of tomorrow.
Together with governments, policy makers and citizens, we work on establishing evidence-based international standards and finding solutions to a range of social, economic and environmental challenges. From improving economic performance and creating jobs to fostering strong education and fighting international tax evasion, we provide a unique forum and knowledge hub for data and analysis, exchange of experiences, best-practice sharing, and advice on public policies and international standard-setting (3).
The word that features most prominently in the OECD report is ‘trust’; in fact, people may be reluctant to collaborate with companies where they perceive a trust deficit and, in turn, companies may struggle to reap the benefits of the digital marketplace if they cannot operate with global trust. The notion of trust also plays a role in how governments and individuals interact with other governments, enabling trust-based cross-border regulatory cooperation.
The report identifies unilateral policies and regulations (Section 2), intergovernmental processes (Section 3), and technological and organisational measures (Section 4) that are underway to help make progress on the issue of cross-border data flows. These interventions have the stated aim of enabling a better understanding of the current policy landscape and of stimulating governments to intensify their cooperation efforts to promote reliable cross-border data sharing.
Let us therefore see concretely what is highlighted in the different sections.
a) Unilateral policies and regulations
What are the elements that are consistently found in the privacy policies of different countries? First, they share the common goal of allowing cross-border data flows while protecting fundamental domestic public policy principles. Secondly, these policies and regulations increasingly share the types of provisions, mechanisms and instruments they use or recognise to achieve this common purpose by trying to align with each other.
The instruments used are usually divided into two main subgroups:
(i) The first, defined as “open safeguards”, rely primarily on the assigning party/entity to ensure the protection of the public interest objectives involved without, however, being generally prescriptive as to how these requirements should be met.
(ii) The second, defined as “pre-authorised safeguards”, are generally characterised by a greater ex-ante involvement of the public sector to ensure reliable data transfers (e.g. unilateral whitelisting of a recipient country by the public sector, the obligation to incorporate in contracts specific clauses pre-approved by the public sector, or national certification systems whose functioning is monitored directly or indirectly by a public body).
Regarding the spread of standard terms and conditions for cross-border data transfers in relation to pre-authorised safeguards, the report shows how public authorities, in cooperation with privacy enforcement authorities, have developed contractual clauses that are recommended, or sometimes even required, for contracts between entities wishing to share data across borders. If included in contracts, these clauses are automatically considered sufficient for a lawful transfer of data. Several countries have already developed this type of clause, including European countries with ‘standard contractual clauses’ (SCCs), New Zealand, the United Kingdom, Argentina, and the nations of South East Asia (ASEAN).
b) Intergovernmental processes
Among the various processes that are taking place to advance cooperation and standardisation of regulations to create a reliable flow of data between countries, the report lists:
(i) The G7 and G20 deliberations
It starts in 2019, when, during the World Economic Forum in Davos, Japanese Prime Minister Shinzo Abe first declared the launch of the ‘Osaka Track’ on Data Free Flow with Trust (DFFT), referring to a vision in which openness and trust in data flows coexist and complement each other.
Later, in 2020, G20 leaders meeting in Riyadh confirmed the agreement to ‘further facilitate the free flow of data and strengthen consumer and business confidence’.
In April 2021, the G7 Digital and Technology Ministers recognised ‘the importance of unleashing the power of data in our economies and societies, while continuing to address challenges related to privacy, data protection, intellectual property rights and security’.
Finally, in 2022, the G7 Digital and Technology Ministers again declared “that [DFFT] underpins innovation, prosperity and democratic values” and agreed on an action plan to promote the free flow of data based on the criterion of “trust”.
(ii) Multilateral processes
Organisation for Economic Cooperation and Development – OECD
We are talking here about the processes carried out by the OECD itself, which as far back as 2016, with the Cancun Declaration issued by the Organisation’s member countries, stated its will to “support the free flow of information to catalyse innovation and creativity, support research and knowledge sharing, improve trade and e-commerce, enable the development of new businesses and services, and increase people’s well-being through policies, based on respect for human rights and the rule of law, that enhance the openness of the Internet, in particular its distributed and interconnected nature, while respecting applicable privacy and data protection frameworks and strengthening digital security”.
The OECD has always advocated identifying common standards on data governance in order to reinforce the concept of ‘trust’ that we find as the unitary basis of this complex subject.
In this context, the OECD has issued a series of recommendations that can promote consistency of regulatory frameworks in different countries. Among them, the main ones are:
– OECD Council Recommendation on Guidelines on the Protection of Privacy and Transborder Flows of Personal Data 2013;
– OECD Recommendation on Cross-Border Cooperation in the Enforcement of Privacy Laws of 2007;
– OECD Recommendation on Improving Data Access and Sharing of 2021;
– OECD Recommendations on Digital Security, including: OECD Recommendation on Managing Digital Security Risks to Economic and Social Prosperity 2015; OECD Recommendation on Digital Security of Critical Assets 2019; and OECD Recommendation on Encryption Policy Guidelines 1997.
In addition, the OECD produces a number of analytical reports and constantly facilitates dialogue on important policy issues, including with a specific focus on the policy agenda of cross-border data flows.
The OECD has also sponsored a study to highlight shared principles on government access to personal data held by the private sector, which can be seen as a key step in recognising commonalities in this regard, where they exist, and in doing so, complement other cooperative efforts to promote trust in data flows (4).
The United Nations has also undertaken relevant processes for the regulation of cross-border data flows.
The activity that the OECD report flags as most important and topical dates from 2022, when the UN Committee of Experts on Big Data and Data Science for Official Statistics announced the launch of a pilot programme to make international data sharing more secure using Privacy Enhancing Technologies (PETs) (5). The UN PET Lab is conducting a pilot programme with several National Statistical Offices (NSOs). The lab will demonstrate that PETs can make data sharing between fully compliant organisations possible.
(iii) Regional Agreements
Numerous regional agreements have taken the issue of confidentiality in transnational data flows to heart. More specifically, the OECD mentions the Asia-Pacific Economic Cooperation (APEC) (6), the Association of Southeast Asian Nations (ASEAN) (7), the European Union (EU) and the Council of Europe, pointing out that these entities include G7 members that have developed regional standards or binding agreements to promote reliable cross-border data flows between their members and beyond.
For example, the APEC Privacy Framework (originally developed in 2005 and updated in 2015 and modelled on the OECD Privacy Guidelines) sets out APEC’s principles of information privacy and provides guidance for their implementation at national and international levels.
The APEC Privacy Framework also forms the basis for the APEC Cross-border Privacy Enforcement Arrangement (CPEA) and the APEC Cross-Border Privacy Rules (CBPR) System developed to promote interoperability of privacy rules through the application of minimum standards. To date, seven of the twenty-one APEC economies participate in the CBPR System and the hope is that all countries will be involved in the next decade.
On the other hand, as regards the ASEAN situation, its reference legislation serves to strengthen the protection of personal data in ASEAN countries and to facilitate cooperation between participants not by creating legally binding obligations at national or international level, but by encouraging member countries to strive to cooperate, promote and implement privacy principles.
Again, regional agreements have tended to establish common rules of general application and in fact the ASEAN Data Management Framework (DMF) and Model Contractual Clauses for Cross Border Data Flows (MCCs) were approved in 2021. MCCs are model contractual terms and conditions that can be included in binding legal agreements between companies that transfer personal data across borders to each other. This helps reduce negotiation and compliance costs and time, especially for SMEs, while ensuring the protection of personal data when they are transferred across borders.
The OECD then also analyses the evolution of European legislation starting with the adoption of the EU General Data Protection Regulation 2016/679 (GDPR). The transfer of data to third countries outside the European Economic Area (EEA, i.e. EU plus Norway, Liechtenstein, Iceland) is in fact one of the most relevant and problematic issues among those regulated by the Regulation.
While the circulation of data between EU countries does not pose major problems, since they are all directly bound by the GDPR, greater problems arise when other legal systems come into play, giving rise to the need to regulate data transfers to non-EU countries.
Subsequently in 2018, the EU also adopted a regulation on a framework for the free movement of non-personal data within the EU, which stipulates that companies and public administrations can store and process non-personal data wherever they choose within the EU, prohibiting member states from imposing data location requirements.
Finally, in 2022, the EU’s Data Governance Act (DGA) came into force. The DGA regulates the processing of electronic data, both personal and non-personal, with the aim of harmonising data governance between member states and thus ensuring the free flow of all types of data between them while also providing for mechanisms such as adequacy decisions and standard contractual clauses for non-personal data.
(iv) Preferential trade agreements
In parallel to the initiatives summarised by the OECD above, numerous preferential trade and digital economy agreements are increasingly addressing issues of cross-border data flows and trust (in the context of personal and non-personal data). Since 2008, and up to December 2020, 29 agreements involving 72 economies have introduced some form of provisions on data flows.
Approximately half of these agreements include non-binding indications on data flows, while the other half contain binding commitments on data flows (of all data types), most notably the Comprehensive and Progressive Agreement for the Trans-Pacific Partnership (CPTPP), the United States-Mexico-Canada Agreement (USMCA) and the EU-UK Trade and Cooperation Agreement.
Almost all of these agreements also include exceptions allowing parties to restrict data flows to meet ‘legitimate public policy objectives’ and, most importantly, all include provisions on the need for national privacy legislation.
Currently topical are the agreements being signed by the EU and the US (which are trying to rewrite the Privacy Shield) and the UK’s negotiations on an agreement with the US and Singapore.
As part of these negotiations, the OECD points out that all countries have started to negotiate broader digital economy agreements (DEAs) covering a range of issues from artificial intelligence to e-payments.
c) Technological and organisational measures
In its report, the OECD devotes a large section to what it calls ‘data intermediaries’ as an expression of a technological measure to achieve more secure data access and sharing.
Data intermediaries act as mediators between those who wish to make their data available and those who seek to exploit it. The intermediary works to govern the data in specific ways and provides a degree of trust about how the data will be used. They can also be understood as a category of loosely defined actors who broker the relationship between those who share data and those who access it through technical and organisational means, facilitating, if not improving, the use and re-use of data in societies.
The fourth section of the report focuses on data spaces as a type of decentralised intermediary promoting cross-border data flows.
An innovative approach known as ‘data spaces’ or ‘data industrial platforms’ is gaining popularity as an option to overcome some of the challenges of sharing data, including across borders, especially with regard to ‘industrial’ or ‘non-personal’ data.
Data spaces are a system where data are shared on the basis of open and transparent standards with the aim of enabling cooperation, reducing barriers to entry and promoting innovation in the digital economy.
The OECD cites some recent examples:
– Gaia-X is a European initiative to develop a software control and governance framework and implement a common set of policies and rules to be applied to any existing cloud/edge technology stack to achieve transparency, controllability, portability and interoperability between data and services. Gaia-X services are to be created, managed and adopted by the market through operators who voluntarily decide to adopt the Gaia-X standard. A first example of the application of Gaia-X is Catena-X. Catena-X intends to organise itself as a registered association in Germany. Catena-X sees itself as an extensible ecosystem in which vehicle manufacturers and suppliers, dealer associations and equipment suppliers, including application, platform and infrastructure providers, can participate equally. The aim of the association is to create a uniform standard for sharing information and data along the entire automotive value chain.
– Another example is the open space created by International Data Spaces (IDS) for data platforms that could be used for the development of specific data spaces. In particular, IDS aims to enable new ‘smart services’ and innovative business processes to operate across companies and industries, while ensuring that self-determined control over the use of data (data sovereignty) remains in the hands of data providers.
Research on the data space has received a major boost from the draft law published by the European Commission in 2022 (‘Proposal for a Regulation on harmonised rules on fair access to and use of data’) (8). According to the proposal, the main features of a common European data space would include:
(i) A secure and privacy-compliant infrastructure to pool, access, share, process and use data;
(ii) A clear and practical structure for accessing and using data in a fair, transparent, proportionate and non-discriminatory manner, and clear and reliable data governance mechanisms;
(iii) European standards and values, in particular data protection, consumer protection law and competition law, are fully respected;
(iv) Data controllers will have the option in the data space to grant access to or share certain personal or non-personal data under their control;
(v) Data made available may be re-used against remuneration, including financial remuneration, or free of charge;
(vi) Participation of an open number of organisations/individuals.
Overall, the common characteristic of ‘data spaces’ is the goal of bringing together data providers, users and intermediaries, increasing interoperability and trust to improve data sharing between entities and individuals. This can be applied both horizontally across sectors and vertically within sectors.
At the technical level, data spaces are based on common standards for grouping or linking, accessing, processing, using and sharing data between different end points. They are based on a shared understanding of data governance and data-related policy objectives.
Depending on how they operate, data intermediaries may be more or less important in enabling reliable cross-border data flows. Data spaces depend on common rules developed for the space to overcome legal and technical barriers to data sharing between organisations, achieving trust through technical, semantic, organisational and legal interoperability.
Quoting the OECD report, it can be concluded that ‘Data and its cross-border flow are key to realising the potential of digital technologies for thriving digital economies and societies, enabling the development of new and innovative business models and enhancing traditional ones that depend on moving and aggregating data around the world. In this context, maintaining a high degree of trust in cross-border data flows for businesses, citizens and societies is critical to realising the benefits of digital transformation for our global economy, while meeting high standards of data protection’.
The report has no other objective than to provide a starting point for the G7 and G20 countries to move more quickly in standardising this matter, which must be based on mutual trust between the actors involved; and to achieve trust in the modern world, the only solution is to provide clear, transparent, consistent and, above all, practically enforceable legislation.
Niccolò Lasorsa Borgomaneri
1) See “Tutelare la privacy attentata dal digitale: i consigli dell’ONU”, edited by Angelo Alù, at https://www.agendadigitale.eu/sicurezza/privacy/digitale-privacy-a-rischio-cosi-si-puo-tutelare-secondo-lonu/
4) CDEP (2020), “DIRECTORATE FOR SCIENCE, TECHNOLOGY AND INNOVATION COMMITTEE ON DIGITAL ECONOMY POLICY Statement of the Committee on Digital Economy Policy”, http://www.oecd.org/digital/trusted-government-access-