Trustworthy data flows: building towards common principles
30 Nov 2022 12:05h - 13:35h
Event report
The session built on a discussion that started at IGF 2021 on trustworthy data flows, as well as on a White Paper on Trusted Government Access to Personal Data Held by the Private Sector recently published by the International Chamber of Commerce (ICC).
Key points included the separation between personal and non-personal data flows, the relevance of advancing the principles of trustworthy data flows in line with existing policy frameworks, as well as the need to work towards more effective cooperation between countries, businesses, operators, and data protection authorities.
The world of data is diverse and growing, and is prone to overlapping modes of classification between personal and non-personal data. The report We Need to Talk About Data outlines various classifications and the issues related to the free flow of data. The Datasphere Governance Atlas is also helpful for understanding the data governance ecosystem.
The focus of the panel was on government and business data flows, as well as the perspectives of data protection authorities and telecom operators, as all are needed to ensure trustworthy global data flows.
Launched in April 2022, the White Paper on Trusted Government Access to Personal Data Held by the Private Sector documents the value of cross-border data flows for business operations, and discusses the impact of unconstrained and disproportionate government access to personal data as a barrier to the free flow of data with trust. The paper presents a set of eight principles and recommendations for consideration as a starting point towards the establishment of common global rules on obliged access to personal data held by the private sector.
The discussion is therefore two-sided. On the one hand, ensuring the free flow of data is necessary. Cross-border data transfers are at the heart of how the global digital economy functions today. Around the world, governments are erecting walls around data within their borders to ensure they have control over data in their jurisdictions or to prevent other jurisdictions from claiming any authority over their data. One of the reasons for eroding trust in data flows is indeed conflicting government regulation, such as between the US CLOUD Act, China’s Personal Information Protection Law, and European regulation. But data is global, and this is in tension with data localisation, which tends to fragment the internet and its benefits.
In some jurisdictions, businesses that transfer data beyond borders are asked to make determinations as to whether countries have similar mechanisms in place to determine if there is equivalent protection between the country that is exporting data and the country that is receiving it. This is incredibly challenging for them, as well as for governments and regulators. There is a need for more harmonious regulation based on multilevel cooperation.
On the other hand, human rights and data protection in data flows are necessary. Two approaches were highlighted. The first is the very traditional European approach based on adequacy decisions, standard contractual clauses, binding corporate rules, and different approaches based on private sector voluntary compliance with seal certification and codes of conduct. It is very challenging for data protection authorities to navigate the complex network of international data transfer mechanisms, and to establish priorities. Countries tend to agree on the lowest common denominator in international principle-setting, leading to unjust government access to personal data. In contrast, civil society organisations came up with the Necessary and Proportionate Principles on the Application of Human Rights to Communications Surveillance. These principles emphasise transparency and mandatory user notification, and ask the overarching question of whether surveillance ought to occur in the first place with respect to a particular subject.
Going forwards, the panel expressed several hopes. A key aspect that should be taken into account is the need for multistakeholder engagement and more operational cooperation to keep in mind the protection of fundamental rights and liberties of citizens. Soft law and technical standards and agreements can be helpful.
It was said that we need a multilateral government approach because businesses on their own will not conduct the data transfer impact assessments necessary to maintain a trusted free flow of data. At the same time, businesses and operators should not be caught in between different jurisdictions, and resolving judiciary conflicts is the task of governments. Principles that are adopted have to be specific enough to adequately explain how rights will be protected, and yet flexible enough so they can be revisited as technology changes. With clarity, redress can also be ensured more easily because transparency should go beyond user notice. Lastly, it should be explored how novel privacy-enhancing technologies can help to support transparency and ensure user awareness.
By Jana Misic