WS #102 Harmonising approaches for data free flow with trust

17 Dec 2024 06:45h - 08:15h

WS #102 Harmonising approaches for data free flow with trust

Session report
Speakers
Knowledge Graph
In-depth Analysis

Session at a Glance

Summary

This discussion focused on harmonizing approaches for data-free flows with trust (DFFT) in the global digital economy. Experts from various sectors explored the challenges and potential solutions for enabling cross-border data flows while addressing concerns about privacy, security, and economic development.

The panel highlighted the importance of data in driving economic growth and innovation, but noted increasing mistrust and restrictive policies leading to internet fragmentation. Key issues discussed included the need to balance data protection with data utilization, the challenges of government access to data across borders, and the impact of data localization requirements on cybersecurity and economic development.

Participants emphasized the need for multi-stakeholder collaboration and evidence-based policymaking to address these challenges. They stressed the importance of bringing the right experts together to find common ground and develop interoperable solutions. The OECD’s work on trusted government access principles and cross-border privacy rules was highlighted as a positive example of international cooperation.

The discussion also touched on the distinction between personal and non-personal data, the potential of privacy-enhancing technologies, and the need for flexible approaches that can adapt to different regional contexts and emerging technologies like AI. Speakers called for a holistic view of data governance that considers various policy goals and technical realities of the internet infrastructure.

In conclusion, the panel agreed on the need for continued high-level political commitment to DFFT, coupled with expert-driven, collaborative efforts to develop practical solutions that balance data protection with innovation and economic growth in the digital age.

Keypoints

Major discussion points:

– The importance of data flows for the global economy and innovation, balanced with concerns about privacy, security, and sovereignty

– Challenges of data localization policies and internet fragmentation

– The need for harmonized, interoperable approaches to data governance across countries

– Distinguishing between personal and non-personal data flows

– The role of multi-stakeholder cooperation and expert discussions in developing solutions

The overall purpose of the discussion was to examine approaches for enabling trusted cross-border data flows while addressing concerns about privacy, security and sovereignty. The panelists aimed to identify ways to harmonize data governance policies internationally to avoid fragmentation.

The tone of the discussion was largely constructive and solution-oriented. Speakers acknowledged the challenges but focused on potential ways forward, emphasizing cooperation and shared principles. There was a sense of cautious optimism that progress could be made through continued dialogue and evidence-based policymaking. The tone became more action-oriented towards the end as speakers offered final recommendations.

Speakers

– Timea Suto: Moderator

– Bertrand de La Chapelle: Chief Vision Officer at the Data Sphere Initiative

– Maiko Meguro: Director for International Data Strategy at the Digital Agency of Japan

– David Pendle: Assistant General Counsel for Law Enforcement and National Security at Microsoft

– Robyn Greene: Director of Privacy and Public Policy at Meta

– Clarisse Girot: Head of Division for Data Flows and Governance and Privacy at the OECD

Additional speakers:

– Jacques Beglinger: Member of the ICC delegation

– Rapidsun: Audience member from Cambodia

– Evgenia: Online audience member (full name not provided)

Full session report

Expanded Summary: Harmonising Approaches for Data-Free Flows with Trust in the Global Digital Economy

This discussion, moderated by Timea Suto, brought together experts from various sectors to explore the challenges and potential solutions for enabling cross-border data flows while addressing concerns about privacy, security, and economic development. The panel included representatives from international initiatives, government agencies, technology companies, and intergovernmental organisations.

1. Importance and Challenges of Cross-Border Data Flows

All speakers unanimously agreed on the critical importance of cross-border data flows for the global economy, innovation, and development. Timea Suto framed the discussion by highlighting that while data underpins the global economy, it faces increasing mistrust and restrictions. Bertrand de La Chapelle, Chief Vision Officer at the Data Sphere Initiative, noted that despite a fragmented legal landscape, the internet infrastructure inherently enables free flow of data.

Maiko Meguro, representing Japan’s Digital Agency, emphasised the need for data governance to balance utilisation and protection, highlighting the multi-faceted nature of data. This sentiment was echoed by other speakers, who highlighted various challenges:

– David Pendle from Microsoft pointed out that government access requests fuel mistrust in data flows, particularly across borders.

– Robyn Greene from Meta warned that data flow restrictions lead to internet fragmentation, which can hinder innovation and economic growth. She also emphasized the technical limitations of data localization and the importance of considering the global internet infrastructure when creating regulations.

– Clarisse Girot from the OECD reinforced the crucial role of data flows in driving innovation and economic development.

The speakers collectively painted a picture of a complex landscape where the benefits of free data flows are clear, but concerns about privacy, security, and sovereignty create significant obstacles.

2. Approaches to Enable Trusted Data Flows

The panel explored various approaches to address these challenges and enable trusted data flows:

– De La Chapelle proposed focusing on access rights to data rather than data sharing, highlighting the role of APIs and privacy-enhancing techniques in modern data flows. He challenged the binary perspective on data sharing, advocating for a more nuanced approach.

– Meguro advocated for working on concrete interoperability solutions and institutionalising processes to facilitate trusted data flows.

– Pendle stressed the importance of pursuing evidence-based policies that reflect the nuances of the digital economy and solve for real problems rather than misperceptions.

– Greene suggested attaching rights and obligations to data rather than data subjects, potentially simplifying cross-border data governance.

– Girot emphasised the need to bring the right stakeholders together to find common ground on these complex issues. She also highlighted the OECD’s work on privacy-enhancing technologies (PETs) and government access to data, including a declaration on trusted government access and ongoing efforts to promote it.

These diverse approaches highlight the multifaceted nature of the challenge and the need for flexible, adaptable solutions.

3. Differentiating Personal and Non-Personal Data Flows

An important theme that emerged was the distinction between personal and non-personal data flows:

– Pendle highlighted that non-personal data is crucial for the economy, research, and cybersecurity.

– Meguro noted that personal data requires carefully balancing privacy rights with economic value.

– De La Chapelle cautioned that the frontier between personal and non-personal data is not always clear, adding complexity to governance efforts. He also suggested exploring an opt-out system for medical imagery data to support AI development.

– Girot pointed out that health data governance needs special consideration due to its sensitive nature, mentioning the OECD’s recommendation on health data governance.

This discussion underscored the need for nuanced approaches that can address the varying requirements of different types of data.

4. Role of International Cooperation and Harmonisation

The speakers strongly agreed on the need for international cooperation and harmonisation of approaches, though they proposed different methods:

– Meguro called for formalising multi-stakeholder processes at the international level.

– Pendle advocated for harmonising approaches through multilateral and interoperable frameworks.

– Greene promoted the adoption of global cross-border privacy rules.

– Girot suggested building on existing frameworks like OECD guidelines.

– Meguro emphasised the importance of keeping data free flow with trust on high-level political agendas like the G7 and G20.

Despite some differences in specific approaches, there was a high level of consensus on core principles, providing a strong foundation for further international cooperation on data governance.

5. Assisting Developing Countries

The discussion addressed the need to assist developing countries in implementing effective data governance frameworks, as raised by an audience question from Cambodia. Girot mentioned the ASEAN model contractual clauses as an example of regional efforts to address this issue.

6. Unresolved Issues and Future Directions

The discussion also highlighted several unresolved issues that require further attention:

– How to effectively distinguish between personal and non-personal data in practice.

– Achieving legal interoperability across different jurisdictions.

– Balancing data localisation requirements with the need for cross-border data flows.

– Addressing national security concerns while enabling necessary cross-border data access.

– Assisting developing countries in implementing effective data governance frameworks.

Potential compromises and solutions suggested included the use of privacy-enhancing technologies, adopting a gradual approach to harmonisation, focusing on regulatory interoperability rather than strict harmonisation, and using model contractual clauses adapted to regional needs.

In conclusion, the panel agreed on the need for continued high-level political commitment to data-free flows with trust, coupled with expert-driven, collaborative efforts to develop practical solutions. The discussion highlighted the complexity of balancing data protection with innovation and economic growth in the digital age, while emphasising the critical importance of finding workable solutions to enable trusted cross-border data flows. Meguro’s closing remarks highlighted Japan’s efforts to assess regulations in light of digitalization, underscoring the ongoing nature of this work across different jurisdictions.

Session Transcript

Timea Suto: won’t be able to hear us and you won’t be able to hear our speakers online. Okay. Check, check. Everybody can hear me? Channel 1. Yeah. There we go. Good. All right. So welcome, everyone. Thank you for starting your morning with us. This is, if you’re wondering if you are in the right room, this is workshop number 102 on harmonising approaches for data-free flows with trust. And I might ask if we maybe can close the door? Thank you. All right. So why are we here discussing this topic today? We know that data, and we have talked so much about data, we know that data underpins every aspect of today’s global economy, supports everything from day-to-day business operations to the delivery of essential government services, and it enables international and multilateral cooperation. But we also know that despite this core role that data has in facilitating economic activity and innovation, there is continued mistrust in data and data-powered technologies. Some of this mistrust stems from the difficulty of understanding data, its nature, its consequences, and consequently the level of risk of its handling. Trust is also eroded by concerns that national public policy objectives such as security, privacy, or economic safety could be compromised if data transcends borders. This increasingly fuels restrictive data governance policies and regulatory measures such as digital protectionism and data localisation. Such approaches deepen internet fragmentation and desegregate information that actually would underpin the broad range of socioeconomic activities and cybersecurity protection. So with growth and development driven by data flows and digital technologies, disruptions in cross-border data flows have broad reverberations that can lead to issues like reduced GDP gains and adverse impacts on local digital ecosystems. So it is important that we talk about trust in data, it’s important that we talk about how we build policy frameworks that actually facilitate the handling, sharing, and access of data in a way that we use it for its potential for developmental gains and try and avoid some of these fragmentation effects of inept policies. So what we try and do here in this session is try and take stock a little bit of the various regional, international initiatives that try to deal with data governance and try and see whether or not we can move towards some commonality between these, if we can find some ways in talking about data governance that leads to more harmonised or at least interoperable approaches to handling data so we don’t fragment the policy space around it and with that we don’t fragment access to the benefits of data. So to help me have this conversation, I’m actually in a very interesting position because I don’t have to answer these very difficult questions, I just have to ask the questions and we have the experts here that will to talk to me and help me answer these questions together. So we have experts both here in person and online, and I’m very happy to see everybody managed to connect. We have, in order of which I will be calling them to speak, Mr. Bertrand de La Chapelle, who’s chief vision officer at the Data Sphere Initiative, Ms. Maiko Meguro, director for international data strategy at the Digital Agency of Japan Online. We have also Mr. Dave Pendle, who’s assistant general counsel for law enforcement and national security at Microsoft, also online in the middle of the night. Thank you, Dave. We have Ms. Robin Green here in front of me at the table, who’s director of privacy and public policy at Meta. And last but not least, also Ms. Clarice Giroux, who is head of division for data flows and governance and privacy at the OECD. Thank you for joining us, Clarice. It’s also quite early in Europe in the morning. So to jump right in, we’ll talk a little bit first on why is it important that we talk about data and to discuss a little bit the added value of data and give some nuance to the perceptions around what we actually mean around data and the conditions that enable cross-border data flows for the global economy. So Bertrand, if I can turn to you first to share some initial insights.

Bertrand de La Chapelle: Thank you, Tymia. Good morning, everyone. I like the fact that you mentioned it’s important to talk about data because, as you know, this was the title of a report that we produced with Lorraine Portioncoula, who was the executive director of the Data Sphere Initiative. And the title was, We Need to Talk About Data, Framing the Debate Between Free Flow of Data and Data Sovereignty. And the way we handle the question of creating the maximum value for everyone out of data is a constant challenge. I want to highlight first that when we talk about fragmentation, it is not a risk, it is a reality. The legal landscape is fragmented because we have 190 countries and they all have different laws. On the other hand, the technical infrastructure of the Internet is by default free flow of data. And it’s the tension between the two that we’ve in most cases have to address. The second thing is we have a tendency when we talk about data to think in terms of sharing of data. And a lot of people have a sort of image that dates back to older times where you are using the database and you share this database and you basically transfer this database. This is not the way it works anymore. The way it works today is through API, it’s through rights of access to data. So many times the data doesn’t travel really. It is just that you query it from another distant place. And even more, there are new techniques called privacy-enhancing techniques. And some people consider that they should be called partnership-enhancing techniques, such as homomorphic encryption or federated learning that allow to leverage existing data without necessarily having to share this data. Because you can do computation on encrypted data or you can do distributed learning for an AI system. So the landscape is changing. And I was impressed by the fact that in a panel yesterday, Yohichi Iida from Japan was answering to a question that I was raising, highlighting that the notion of data-free flow with trust is a high-level concept that is useful to drive the discussion at an international level, to establish the fact that as a principle, we should aim for the maximum capacity to share access to data. And the final point, because we can come back to a few other things, we have a tendency regarding data to think in a very binary perspective. Either data is not accessible for sometimes very legitimate reasons, it can be for intellectual property, for security, for privacy, or confidentiality in general, and so it is okay that this data is not shared. On the other hand, there is a trend, very positive, towards comments, open data, making data widely available so that people can actually build things out of this. But what I want to highlight is that too often we look at this as just a binary alternative, and we lose the fact that in between there are situations where you can not go to the full open data, but at the same time enable some access and some leverage of existing data that has protections for legitimate reasons, but where this data can be made accessible. And in that regard, in this dichotomy of closed data and open data, what the DataSphere initiative is pushing is that we have a common objective, and we should have collectively a common objective, which is to responsibly unlock the value of data for all. This doesn’t mean that data is available for absolutely everybody, it can be for limited groups of actors, but it is important that we share the objective of creating social and economic, as much as economic value, from data, because there is a tendency to think only in terms of monetizing data and there is a lot of possibilities to create social value and most importantly there is a question of having a more equitable digital society because today the data economy is, because of network effects, because of the fact that this resource is non-rival, there are mechanisms that increase disparities and that make the distribution of the value not sufficiently spread and equitable. So these are a few of the of the ideas that I wanted to share to reframe or frame this.

Timea Suto: Thank you so much Bertrand and you mentioned also that we’ve already had discussions with colleagues from Japan, so we’re turning quickly to Japan, from Japan to Ms. Maiko Meguro, but you also mentioned the role of data for various purposes and for both economic social development and other ones. So I think the question is right to ask from Ms. Meguro, how do you see this from a national perspective, from a government perspective, especially sitting where you are in your other digital agency?

Maiko Meguro: Okay, thank you. Okay, first of all, good morning and a good evening, colleagues, and thank you for the opportunity to speak about this important topic. So as Bertrand just spoke, the issue of data flow is basically both the real needs but also the issue of perception. I basically agree with that opinion and obviously, as Bertrand mentioned, the DFFT started as a high-level concept and this concept’s role is exactly the point to shape people’s perception through the concept of trust, namely to pull everybody out of the silos of sectors, and of course, integrate as a matter of data governance. So when I first started working on this topic of DFFT, which was in 2021, the rhetoric, the data is basically the oil of the 21st century was very popular. But the image of data that this metaphor actually present is a very one-sided, why does it trade centric view of the data governance? So discussion of data governance from our perspective must take in account the multi-facets nature of the subject or concept of data. For example, personal information, personal data is obviously the human rights, but at the same time, it also has economic value as recognized by the antitrust authorities of many countries. As digitalization and data linkage progresses, it will be possible to check probably the implementation status of various labor or environmental regulation in all across the supply chain or even across borders, but the data in companies’ production lanes, which are also related to the implementation is also a highly confidential corporate secrets. So there has been concrete cases of conflict in the past in this type of discussion, such as between investment agreements and environmental regulation in different countries, but the problem with cross-border data transfer is that such conflict friction will occur on the permanent basis. Thus leaving the matter to ex-post responses such as individual dispute resolutions or court cases could lead to a market environment that favors and entitles even for those people. who can take the risk of dispute, such a large company with a lot of financial and human capital. So from our perspective, we must think about the effective means of having both enhancing flow, but also necessary protection according to rights and interests attached to the data. But the necessity of cross-border data transfer is of course very clear, with the shift from the hardware base to a software information system-based social economy by digitalization. Obviously, as the moderator had just set out, data has become relevant to all part of societies. But from our perspective, from the government, then this means that the way money is earned is changed, but also the places where the social problems occur have also begun to change. And these matters also concerns distribution of rights and benefits related to data ownership and accesses. So basically, I must also mind that because of this impact of digitalization and what data can do, many governments started to see the threats posed by the use of data and digital technology. And this could also lead to the series of introduction of the regulation, for example, to banning transfer of data outside the country by foreign companies. But it is also important to remember that many countries are unable to procure the data enough to sustain their own economy and innovation within their own borders. So this is the real needs that we need to have the cross-border data flows as a matter of reality. So therefore, if the country only focuses on restricting the cross-border transfer of data in thinking of data governance, their company will not be able to use the data collected from the other country in turn. So data governance might must be always considered from the perspective both maximizing the utilization and data protection security. But lastly, I must say that the question on how to combine the needs of protection and how we want to use the data depends on the social priorities, cultures, even religions or economic structure with each society and government in principle. So it should not be discussed based on like international single rules of values. So this is our perspective that we the government could perhaps start from the working on certain arbitrary treatment, like arbitrary treatment or lack of transparency or perhaps we could work on the concrete solution of interoperability like technologies or lowering the competence costs. So what is more the institutionalizing these processes by relevant actors, both government and non-government to engage with the issue is very important which I could also touch upon later. But for now, that’s all for me, thank you.

Timea Suto: Thank you very much, Ms. Meguro. I’m going to just write into comments from Dave online because we’ve mentioned this dichotomy between how certain governments or certain regions approach data flows. And I would like to explore a little bit more of what those concerns are that fuel some of those restrictive policies that you’ve mentioned. So Dave, if you could enlighten us about that a little bit.

Dave Pendle: Yeah, thanks, Saman. Thanks for having me and good morning to everyone. My name is Dave Pendle. I’m an assistant general counsel at Microsoft. I work on the law enforcement national security team which is the team at Microsoft that responds to government requests for user data from around the world. And certainly government access requests is kind of one source of the mistrust in data flows but I’m hoping to kind of. of uplevel it a little bit and talk more broadly about some of the other concerns and what they may be rooted in. And for many in this room and who are listening this is probably not very necessarily news or insightful but I think it’s kind of interesting to look at these restrictions as being driven by different sides of kind of the same sovereignty coin. And sovereignty does seem to be kind of a major driver of the loss of trust. And the way I see it is that sovereignty can kind of serve as both a solar and a shield kind of pushing contradictory trends. First, clearly governments have a sovereign obligation to protect their citizens, to protect their national security. And that sovereign interest has led to an expansion in surveillance authorities. And certainly governments around the world have kind of exercised increasingly assertive authority to address public safety and national security needs. You also see this come up in terms of, fears of governments expressing fears about going dark and the needing the need to kind of fasten strain encryption protections that are in place. You certainly also see this where governments are seeking access to or authority to access to I should say, cross-border data. And certainly if a government is, it’s investigating cyber crime or child exploitation because data is global generally, the data outside of their borders may be relevant to really important public safety matters within their borders. So that’s somewhat understandable. And indeed the US government, it’s often pointing to the Cloud Act allows for the US government to seek data outside of its borders. But that is not unique by any means. In fact, that same principle is reflected in the Budapest Convention. It’s reflected in the OECD Trusted Government Access Principles. It’s reflected in the evidence sharing regulations that are going to affect in a couple of years in the EU where the obligations exist regardless of where the data is stored. The other side of that sovereignty coin, the shield, if you allow me to use this kind of metaphor, the sovereign interests and the fears of like third-party access to data generally have led to these walls being erected. Walls trying to contain data within a nation’s borders through privacy laws, through trade restrictions. We’ve certainly seen lots of, you know, mandatory data localization efforts, limitations on the use of global technology, the fragmentation of the internet generally are all in this vein. We often hear concerns about, you know, potentially U.S. government access to data, but even here in the U.S., there are concerns about third countries accessing sensitive data of Americans and U.S. persons in the U.S. government. China is often discussed in that vein. So around the world, we see these kind of concerns materialize through requirements for sovereign controls, through requirements or interests in end-to-end encryption in a variety of transfer restrictions. And these, you know, again, these restrictions kind of serve as that shield to the fear of government access. I can’t speak to the legitimacy or the actuality of all of these concerns, but in my world, I can’t speak to concerns about government access. And I would say that there is always some like myth busting that needs to take place from discussing government access and specifically cross-border government access. You know, we report on cross-border data disclosures every six months. We get about 60,000 legal demands from governments all over the world for about 110,000, 120,000 different users each year. In a six-month period, so we’re talking about 30,000 legal demands, you know, we typically get about 50 to 55 content disclosures that are cross-border. In the last reporting period, there was only one that pertained to an enterprise customer. So the majority of those are consumer users. And, you know, for like the EU folks in the room or elsewhere, that one, you know, enterprise customer was not in the EU enterprise. So like the concerns that we hear about, you know, the perception that if, you know, U.S. technology companies are subject to U.S. law and are handing over the world’s data to the U.S. government, it doesn’t really, you know, bear out if you look at the actual numbers. One other distinct factor here is competition. And there is also a sovereign interest, of course, in creating space for domestic technology and innovation that’s also been a driver of some of these restrictions. So that’s not that’s not an exhaustive list, but there is there’s some themes there about some of the restrictions that we see and the causes for fragmentation. Thank you.

Timea Suto: Thank you. And listening to you, I’m reminded about what Bertrand said in the beginning, that this risk of fragmenting the space because of the lack of trust in data, it’s not no longer a risk. It is the reality. And there are a lot of causes for that, as I as we hear from you. But I’d like to turn to Robin to see, so we heard from Dave the causes, what are the consequences of such an approach to data?

Robyn Greene: Thank you. And thank you for having me here to speak. And thank you to everyone for coming. My name is Robin Green. I’m a privacy and public policy director for Meta. And like Dave, while I don’t work on the legal team, I work on the policy team. I do work on law enforcement and government access issues and anything really to do with internet fragmentation. And I just I don’t think there is a conversation on internet fragmentation more important than one on data flows and the implications of restricting data flows. With that in mind, I’m going to just start with a very brief overview of the kinds of impediments to data flows that we see. Because we sort of skipped over that a little bit and not everybody really sort of understands the different ways that these kinds of restrictions manifest. And so just very briefly, we can see them most often in either express data localization requirements that are requiring that data be stored in a specific jurisdiction. Those requirements can be very prescriptive and not allow data to transfer outside of the jurisdiction under any circumstance. Or they may be somewhat more flexible and allow copies of the data to transfer outside of the jurisdictions. In addition to that, we see de facto localization, which is oftentimes where you have regulatory benchmarks, if you will, that you have to meet in order to be able to transfer data out of the jurisdiction. And oftentimes those benchmarks are out of the private sector’s hands because they are, of course, the purview of the governments that the private sector entities are subject to or simply unattainable for other reasons. And oftentimes those reasons are because we are blurring the distinction between the types of data transfers that actually occur. And so one of the things when I was in particular listening to Bertrand’s wonderful comments was just sort of noticing how we really talk only about the idea around data transfers being from one legal entity to another third party in a different jurisdiction. And it’s very natural to think of it that way, right? Especially when you consider how we have really started to consider this debate in the context of GDPR and things like that. But one of the trends that we’re seeing increasingly is actually the regulation and restriction of the physical movement of data. So the idea that even if you are not transferring data between legal entities, that you still cannot move data outside of the jurisdiction where it was created. For providers such as Meta and the kinds of services that we offer, but also for the sorts of providers that do business-to-business kinds of services, the implications of these kinds of restrictions are really dramatic. But they have the same kinds of implications as the kinds of restrictions when you’re talking about restricting third party and transfers to third party entities abroad. The difference is just that in that case, you’re talking about only some data transfers. In the case of the physical movement of data around the internet because of how the internet’s built, the interoperable and international way that it was built, it is literally not built in a way that is technically able to restrict the flow of data across borders when you’re not changing hands between legal entities. Domestic communications can often go to international switch points, for example, in order to get back to the recipient. And so we deal with these kinds of international data flows in a lot of different contexts, not just in the context of transferring data from one legal entity to another legal entity based in another jurisdiction. And so when we think of the risks of this, I think the first and foremost risk is generally of internet fragmentation. And what that means is essentially building walls around our internets, right? Instead of having one global, interoperable, secure internet, the result of that is to have regional or national silos. And the implications of that are really significant and really hard to estimate in terms of how severe they can be. And this is in part because when you think about how people interact with the internet, there is just so much access to information. There’s so much learning. There’s so much economic development. There’s so much connection between different people and different communities. And so putting up those silos would have a really dramatic impact on cultural, social, and economic norms and the threads that bind us across nations. I mean, when we think about what we’re all doing here and trying to find multilateral approaches to governance, internet fragmentation, I think, is one of the gravest threats that we see to the goals that we all have here at IGF. And so when you think about what is the primary driver internet fragmentation, it’s the restriction of data flows. In addition to that, though, as I mentioned, when you restrict data flows, it has really significant chilling consequences for economic development and innovation. As we are learning from Maiko, at the end of the day, we are a data-driven economy. Innovation is data-driven. And so we need to make sure that we’re able to access data from all over the world in order to be able to build new technologies, in order to improve existing technologies, and grow our economies as a result. Additionally, human rights have really significant deleterious effects when you wind up doing restrictions on data transfers. This results in not only restrictions on freedom of expression, access to information, economic rights, because, of course, economic rights are fundamental human rights as well, and are now reliant on access to the internet and access to information, but also rights around safety and things like that. And so we see a really, really significant range of human rights harms result from internet fragmentation and privacy harms as well. Because ultimately, when you are looking at restricting data flows, the result of that is data localization. And one of the major results of data localization is undermining cybersecurity. When you can’t access data and you can’t have global visibility of what this data environment is, it’s much, much harder to be able to identify and quickly respond to cybersecurity threats. And that’s true whether you are a provider of services to consumers or a business-to-business provider. This is across the board. If you’re a financial services provider, if you are a Facebook or Instagram, or if you are a cloud services provider, or really anything else, the number one thing you need to be able to secure your network is visibility. Or whoever you’ve hired to secure your network, the number one thing they need is visibility of what that global threat landscape looks like. Restricting data flows undermines that. And that has really significant consequences, not only for cybersecurity in the sense of what does that mean for our businesses and the integrity of our data, but for national security as well. Because ultimately, cybersecurity is a national security issue. It’s tied to the security of critical infrastructure. And when we interfere with the cross-border flow of data, we interfere with our ability to protect those kinds of critical infrastructure as well. Thank you.

Timea Suto: Thank you so much, Robin. It was quite a comprehensive list. And I’m sure that there is more. But thank you for highlighting the main important ones. I would like to turn to Clarice and ask you, from the role that you are sitting at at OECD, who works with countries in very different jurisdictions, what is the progress that you have seen on this? Because we’ve been talking about the risks of this for quite some time now. Is the idea, this high-level concept of DFFT, of trying to move us away from silos and trying to get a framework that we can all agree on, is this gaining traction? Are we moving towards some more harmonized policies on data? And what is the OECD’s perspective on this? How do you see this work from your perspective?

Clarisse Girot: Thank you, Tymia. And hi, everybody. Good morning, good afternoon, wherever you are. Thanks very much for having me. I mean, it’s very hard to come last because of course a lot has already been said. So let me build a bit on what the other speakers have been, you know, have said and your specific questions. At the OECD, we’ve been working on cross-border data flows for a very, very long time. If you may recall the privacy guidelines of the OECD back 1980, and of course the, you know, things were very different back then, but still the principles that you had to balance cross-border data flows with the privacy and fundamental human rights of individuals while enabling growth, innovation, et cetera, et cetera, was already there. So frankly, in terms of philosophy, nothing fundamentally new, and in a way, DFFT is nothing new either in many ways. The power of the concept of DFFT is that first of all, it was developed at a time when the internet economy was completely different, you know, and we could see that there was a political, geopolitical need to sort of conceptualize a narrative around the significance of cross-border data flows for global leaders, and not only for technicians, if you will, of data protection laws, and, you know, a discipline that was considered fairly niche, right? And that has changed with the concept of DFFT. But that said, it is very important to emphasize that DFFT does not start, you know, from nothing. There’s a lot we can build on, and this is where the positives come from. We have the OECD privacy guidelines, a lot of data protection laws. If we think personal data have been built based on the principles in the privacy guidelines, GDPR and others, and the Directive 9546 before GDPR, we see many more data protection laws, personal data protection laws, privacy laws are developed around the world, which in itself, a very positive thing, obviously. Now, the risks. of fragmentation that come with that should be addressed. But that’s, you know, let’s see still the positive more than the negative in this development. We need an acknowledgement that there is, there are cross-border data flows and to build the trust you need. Even if you do not need per se data transfer provisions in data protection laws, if you have them, then there needs to be a balance between, you know, business interest, innovation, commerce, digital trade, as Micah was saying, and the protection of individuals vis-a-vis the protection of their fundamental rights. Now, we also have at the OECD, a recommendation on enhanced access to and sharing of data, which is even broader, if you will, because it covers both personal and non-personal data. And it’s sort of, it’s first of all, it is based on the fundamental of data-driven innovation and the fact that to enable data-driven innovation, well, you have to take into account the fact that there is a whole gradation, if you will, of different kinds of interests that need to be protected and therefore different kinds of data openness out there. But there is this idea that there is data openness and data-driven innovation at the heart, you know, of the policy, policies, data policies, if you will, of the OECD economy. So that’s at least 38 member countries and actually, and counting, because we work with many more than 38 countries, actually, or the breadth of our work is much larger. So the positives here is, I would say, greater awareness to the significance of data and DFFT has played a role there, more data protection laws, and therefore a greater community of privacy professionals that, you know, sometimes in policy circles, you know, we’re not aware of, but there are thousands of privacy professionals out there that are used, you know, to look at not only privacy, but data governance issues more generally, because data is an asset in itself, and personal data is only, if you will, a subset of that. Now, it is also important. to highlight that we are trying to increasingly sort of sort out the different sources of impediments to cross-border data flows. And there’s a large array of those. And it is important to go back to the roots of these divergences, because then you can try building solutions on them. And so there will be, for instance, variations between the texts of data protection laws, let’s say privacy laws, and in particular, their data transfer provisions. Now, sometimes this clash in provisions is not intentional at all, or there’s just a need for clarification that some data transfer mechanisms are not there, but it should be there. And so it’s always difficult to change a law, but there is no intention to go against standards and some practices out there. We just need to highlight the fact that these modifications maybe could be required. It’s even easier to do this at the level of regulation, and even easier to do that at the level of regulatory interpretations. And I’m very familiar with this exercise, because when I was based in Asia, that’s a project that I was working on across the entire APAC region, raising awareness as to the impact of these variations and the compliance costs that come with them is really a key part of any advocacy exercise, if you will, to facilitate cross-border data flows in a region and globally. Now, when you come to variations in the very fundamentals, if you will, of these data transfer provisions or restrictions, and in particular data localization, I can only go back to what Robin was saying. I mean, this is much, much harder, obviously, to tackle. But even then, since my role is to close on a positive note, I would say even then, data localization provisions often come from the challenges of national security access, law enforcement access to data in overseas jurisdictions. And as Dave was saying, Let’s do a bit of myth-busting here. It is very important to look at what’s really happening out there. And this is where the work that the OECD has done. Very difficult work, believe me. This was no easy, easy work on the building the declaration on cross-border. I’m sorry, I’m so-called trusted government access to personal data held by private sector entities for national security and law enforcement purposes kicks in. And we believe that we can build a lot actually on this declaration. And I’d be happy to talk to that later. One last thing, just to build very quickly, I hadn’t planned on doing that, if you allow me to just take one more minute to build on what Bertrand was saying about privacy or partnership enhancing technologies. The OECD is working a lot on this. On my team, we have a whole work stream on privacy enhancing technologies. Technology cannot solve everything, but there are extremely promising developments here. What is absolutely key is to look at the sustainability of the business models of best providers. And it’s an ecosystem which is far from stable yet these technologies are very often expensive, can actually disrupt some fundamental business models. So it’s not easy. At the end of the day, it’s all about looking at things in a holistic way. What are the technologies out there? What is the business model behind each technology? How can they be used? Are they sustainable at all? Exactly like data transfer provisions need to be unpacked and data localization requirements need to be unpacked so that in each category of challenges, we can actually try and find solutions. And that’s very much the way to close. We’re looking at the implementation of the DFFT policy agenda is by looking at the big policy objectives, the different challenges under them and how we can build a multi-stakeholder ecosystem to address each of them. And that’s why I think, we can still be very positive and. look ahead. That’s my role, to be positive. So with that, I will hand it over to you, Tim.

Timea Suto: Thank you. Thank you very much, Clarice. And in the spirit of continuing on a perhaps more positive note than all the risks that we’ve discussed in the first part of the conversation, I’d like to turn back to all of the speakers and ask your ideas and opinions to what we can actually pull out as tangible solutions to the problems and the fragmentation risks that we’ve outlined in the beginning. I will ask you to keep it to three minutes each if you can, because we’ve been going a bit longer in the first segment. But also keeping in mind, I heard Clarice saying, the OECD works a lot on this. It is 28 countries. That’s a great start. We are at 190 something in the world. So how we can also move towards that objective of elevating some of the existing solutions into the broader spectrum. Bertrand, I’ll go to you first.

Bertrand de La Chapelle: Yeah, I think it’s important also for some of the people who are listening, either here or online. There are some comments that may be mentioned without a full understanding of what is behind. The term electronic evidence and access to government, access to user data. Let me explain just very briefly. If you have a criminal investigation for a crime that is committed in one country, the victim is in this country. The perpetrator or alleged perpetrator is from that country. In order to conduct the investigation, you need to have access to sometimes the email exchanges or the trace of the communications, etc. The problem is that in most cases, this is being stored by a company that is outside of a territory of the place where the crime was committed. This question of electronic evidence is becoming absolutely essential in almost any criminal investigation today. And we do not realize that in some countries, because of the lack of trust, it can take up to one year or two years to get access to this information. And it has been mentioned, but I wanted to emphasize this. And the OECD has done work in this. The Cloud Act in the US and the E-Evidence Regulation in Europe have been mentioned. It is absolutely fundamental for everybody to understand that a lot of the debate about data localization is driven also by this factor, the inability to conduct criminal investigations, because there is no access to the data that is needed. It is a very complex problem. But until we find a solution for this, which is basically that every single country should develop a legislation similar to the E-Evidence Regulation that establish clear due process mechanisms for the requests that are being sent to the private companies in another country, particularly in the US, we will not remove one of the main incentives for data localization. I wanted to explain this, because it went through, and people are not necessarily familiar. The second thing, and again, it is not a justification. It’s just to understand what are the drivers. The second thing is the fundamental difference in perception regarding privacy protection between Europe and the United States. I mean, you’re all familiar with the fact that the European Court of Human Rights, as for the third time, or maybe we’re going to have the third time, or the Schramm’s thing.

Robyn Greene: The CJU, so the Court of Justice of the European Union, so the European Court of Human Rights. It’s the European Court of Justice. And yeah, so Schramm’s 2 happened. The court has not looked at the new decrimes.

Bertrand de La Chapelle: There’s a new one. So anyway, at two occasions, at two occasions, arrangement that was made between Europe and the United States in order to take into account the discrepancy between the privacy rules in Europe and the U.S. has been rejected by the courts. And there is a fundamental difference, and if I can mention an anecdote, there was a G20 digital economy working group that was taking place two years ago, and there was an intense discussion on the wording around should the different countries foster convergence to achieve interoperability, or should they foster interoperability to achieve convergence. It looks completely esoteric until you understand that behind those words is the difference between two approaches. The European approach is about adequacy, setting a standard and asking other countries to basically reach the same level exactly, versus an American approach that is more about model contract clauses that basically says even if the country as a whole doesn’t match the privacy protection, if a particular company is abiding by a certain number of rules, then the transfer of data can happen. So that’s a second tension that justifies or not, and let’s be honest, in many cases the protection of privacy is also an alibi by certain countries that want to have a better surveillance of their citizens. So let’s be clear. But that’s the second criteria. And the third one, very quickly, is that because of the expression, and Meiko has mentioned, the data is the new oil, which is probably the worst analogy you can ever use for this thing, there is a Malthusian approach about data that completely overlooks the nature, the specific nature of the digital data, which is non-revalerous but excludable. You’re all familiar probably with the work of Elinor Ostrom, who has worked on the reverse, on things that are revalerous but non-excludable, the famous commons and governing the commons. We’re confronted here with something that is amazing. We can share it without depleting it. We can use it without preventing anybody else to use it. and there is a feeling because of this wrong metaphor of data is the new oil that we should hoard the data that we shouldn’t give it because it’s bad if I keep it I will make the most value out of it and it is fundamentally wrong because in most cases you need to join forces to leverage groups of data that doesn’t prevent you from using it or somebody else from using it so these are three drivers that do not justify but explain some of the trends towards in particular data localization and and restrictions.

Timea Suto: Thank You Bertrand and I’m turning back online to to to Maiko we’ve talked a little bit about your approach sorry from your approach from active in and then Chloe can you hear me all right actually your voice is breaking down from our side yes yes I so just wanted to ask you you’ve talked about Japan’s approach in the national context how do you elevate that either in the context of the OECD or or even broadly to move some of those perspectives into the international sphere and drive towards a bit more harmonized approach. much for your question I mean in terms of making our approach

Maiko Meguro: in terms of making of our appraoch internationalizing it’s actually stayed the same so we put a lot of emphasis to the clarification across the murky reality of data transfer data collection or access of data throughout the lifecycle data internationally to see clearly where the bottleneck what challenges lies just as Bertrand said many discussion regarding data flow or restricting data flow are based on very unclear understanding of of how actually technology works or how actually data is hosted, right? So it’s really helpful to work with, for example, OECD to actually understand that what is happening at the ground where the risk lies. And we also have to break down the discussion because everybody talk about, whoa, there’s internet fragmentation, data restriction is too much. Yes, this statement basically reflect that one side of the truth. But we also have to think about, we need to break down those statement to see that, we have to make the problem into the size of pieces that we can actually work on. Because if we break down the issue, then we could see where those multilateral incorporation is actually effective, right? So if you start talking about, for example, government access as a whole in a very abstract level, it’s very difficult to actually tackle. But we really have to understand where actual real bottleneck actually lies. And government are quite open to hear your voices, but we’d like to hear the voices in terms of more specific, more, I’m trying to find the right word, but consumable size of the discussion. Because like everybody said, data is multi-phase issue. So if we talk about data in a very vague sense, then here comes the privacy regulators, here comes the security regulators, here comes the trade negotiator, and it’s very difficult to solve the problem. So it’s always helpful to work with the people like OECD to see how the data actually flows, how the data is actually hosted, where the bottleneck is, where people’s actually having the issue. And to work on this discussion, we definitely need to have the people like the panelists from the private sector in this discussion, because often the government do not. understand how actually data is hosted in their clouds, for example. So it’s always helpful to work with multi-stakeholder, like different types of people from a different part of the world. But in order to do so, in order to do so, we definitely need to formalize the multi-stakeholder processes at the international level. We need to have certain permanent places where people can gather and discuss and work on those issues. Because often those digital discussions are ad hoc. We always have this very futuristic, fancy, multi-stakeholder ad hoc discussions, ad hoc places. But ad hoc does not always help, because often the case is we’re talking about security regulation. We’re talking about privacy regulation. And these things are not something you can have a solution in two years. We need to discuss things part by part, and we need to have piling up to reach the solution at the height. So which means we need to formalize the processes. This is where Japan put a lot of political resources to establish the formalizing processes. We call it institutional arrangement of partnership, where the G7 leaders actually authorized. And we really work together with OECD to work on formalizing this process of multi-stakeholder participation, work on the actual solution, very much looking at the solution-oriented processes. So we are really looking at actual problem solving rather than working with abstract discussion. So I think this is really the important approaches where we are really talking about topics like data, which concerns a lot of different policy spheres. And also, we need to also talk about how the actual technology works in the reality of digital economy. I’ll stop here, but happy to continue.

Timea Suto: Thank you so much, Michael. That was very clear on what we need moving forward. And a huge thank you also to Japan and to the OECD for all the work that you are doing and the evidence-based and expert discussions that are being driven here. Because you’ve said there needs to be political will, but it also needs to be expert conversation. And sometimes the two go hand in hand. Sometimes there is also an issue there of what the political conversation is. is and what is the actual evidence-based expert discussion. To respond to your call on breaking things down a little bit, we’ll try to do that with the next speakers, at least differentiating between what are the issues when we talk about non-personal data and what are the issues when we talk about personal data. So I’ll turn to Dave first online and focus a little bit about what policy frameworks enable the cross-border flows of non-personal data and then I’ll ask Robert to talk about the personal side.

Dave Pendle: Sounds good, thank you. Yeah and I would also just want to reiterate my appreciation, respect and thanks to both Japan for leading the way on DFFT for so long in such an impactful way and also the OECD for convening these discussions and bringing together the right stakeholders to really kind of move the needle in ways that I think that have accelerated and a lot of folks didn’t think were quite possible not too long ago so I think things are getting better in a pretty quick fashion due in large part to some of the contributors here. Non-personal data obviously comprises just a massive amount of global data and it’s a big driver in the global economy but of course it’s usefulness, you know, it’s ability to solve problems related to global health, medicine related to global warming and scientific research, detecting cyber attacks and protecting critical infrastructure depends on its ability to flow across borders and maybe I’ll pause there for just a second mindful to may have the three-minute request but you know Robin’s point about the impact on cybersecurity is a really good one and the ability to detect cyber malicious actors today and to thwart them depends on observing certain telemetry and signals that are traveling across the internet. Microsoft you know has publicly said that we scanned about 78 trillion signals every single day. in trying to detect malicious cyber activity. And we’re tracking something like 1,500 threat actors. And that has resulted in a lot of really good ability to protect the internet as a whole. And that is made oh so much harder if you have limitations on the ability to see that data across borders. That’s like one really concrete example that kind of maps security, cybersecurity space probably doesn’t get enough attention, but it’s really a critical one. But so any restrictions that are placed on non-personal data really do need to remain balanced. They need to reflect the very specific purposes of that non-personal data. And of course, ensure that access and usability and the transfer capability remain. Most importantly, and this is probably the theme throughout the entire panel, of course, is that the approaches need to be harmonized and it’s critical that they be multilateral and interoperable. Nothing will stifle innovation more than a patchwork of onerous and sometimes conflicting regulatory requirements across jurisdictions. So that part is just so critical. So policymakers, of course, have to work together and learn from each other and pursue evidence-based policies to kind of reflect the nuances of this discussion and debate and are mindful of how the digital economy operates and the many ways that society benefits. There is some really important work going on with non-personal data. DFFT and OECD are at the top of the list. There are also just some really valuable success stories and precedents, many of which are on the personal data side. And I suspect Robin will touch on those. But if I could just quickly note, like the OECD Trusted Government Access Principles, one of the reasons why those were so successful is because they did exactly what we just discussed about bringing policymakers together, kind of bringing all of the stakeholders into a room. So often different audiences in these discussions almost talk past each other. They speak from their own vantage points. I’m certainly guilty of that as well. But the way the OECD convened those discussions and brought in privacy people and national security stakeholders, which are often kind of not part of these discussions, as well as the law enforcement stakeholders and others, was, I think, why it was probably so successful when they were able to find as much consensus as they did. So kind of convening the right people is such an important part of that formula. And we’ve seen, you know, this success with the data privacy framework, the current evidence sharing negotiations between the U.S. and the EU are really critical to show that these kind of bilateral multilateral discussions are blossoming. And it’s just a start. We need a lot more. There are a lot more countries out there that need to be represented. But when governments sit down and work on these hard problems together, they find they have more commonalities and differences. Thank you.

Robyn Greene: Thank you, Dave. Robin? Oh, is this working? Okay. Well, first, I want to echo everything that Dave just said in terms of thanks to the government of Japan, to the OECD, and also, Bertrand, to you and the DataSphere Initiative around the years of work that you’ve done and the incredible progress that we’ve made, having these kinds of permanent places to have these conversations, which I hope we have more of, and discussions around sort of exploratory, you know, or experimental approaches to regulation, like sandboxes and things like that. Given the three-minute limitation, I’m going to just burn through what I think are the sort of seven key things that we should keep in mind when we’re thinking about how to make sure that we are protecting personal data and promoting data free flows with trust. Many of them are covered by Dave, because ultimately, even when you’re talking about non-personal data, it’s the same kind of like technical issue. And so, some of this will sound a little similar. I think the first thing, and this is very specific to personal data, is to attach rights and enforceability of obligations to the data rather than to the data subject. By doing this, you can ensure that the rights and obligations travel with the data, irrespective of where in the world the data is stored or transferred, and you don’t have to worry about whether the actual like data subjects seeking to enforce their rights are in that same jurisdiction. In addition to that, international collaboration is key beyond things like the trusted government access principles and the sort of forums for discussion like the IAP. There are opportunities for collaboration and multi-stakeholder engagement and adopting shared norms around the basic things that are interfering with, or that might facilitate better data free flows with trust. So, this would be things like promoting adoption of global cross-border privacy rules, global CBPRs. It would also be things like promoting countries becoming party to the Budapest Convention, which would also give those jurisdictions the benefits of the access to the kinds of data sharing that will happen under the second additional protocol. And so, that I think is one of the most important things that we can do, because that will also help to do one of the other really important things, which is increased interoperability and harmonization across laws and legal standards. And so, you know, by joining the Budapest Convention, I think that’s something that can actually be, can help to achieve that kind of interoperability. But when you’re talking about sort of like non-cyber crime and evidence sharing regulations, I do think it’s still extremely important to be focusing on whether and and how you can improve the interoperability of domestic regulation with other jurisdictions regulation. The next thing is a holistic assessment of the policy goals. I think one of the problems that we have is not only that we have these conversations in silos and silo at sectors, but we also think think about digital policy and silos. We think about privacy as living in its own silo, and safety as living in its own silo, and cybersecurity. But increasingly, the reality is that all of those things are in a melting pot together. And we need to be able to look at what the various policy goals are when we’re assessing what our data governance frameworks are, and figure out what’s the best way to get to the end goal, rather than how to regulate each individual silo as perfectly as possible. Because then you’re not going to build that kind of intersectionality that you need, and you might wind up having data governance approaches that undermine economic policy goals, or cybersecurity goals, or the like. In addition to that, I think having an understanding of the legal and policy environments that invite foreign investment in data centers is critical. One of the things that we see as many of the jurisdictions that are considering data localization requirements are doing it as a means of forcing domestic investment. And that is really not an effective way to encourage foreign investment in jurisdictions. The most successful jurisdictions that are inviting for foreign investment in building data centers have certain qualities, like rule of law, have an open regulatory environment that is very predictable, and basically have economic environments that make it possible for companies to build data centers. And then there’s infrastructure issues and things like that, making sure that you have the kinds of stability in electricity access, and clean water, and things like that. In addition to that, though, I think we need to do a lot more work at the outset of drafting regulations, particularly where those regulations may restrict the flows of data, making sure they’re technically compatible with the internet infrastructure and consistent with the values of an open, interoperable, and secure internet. If that can be the North Star for all of the regulations that we put forward, then I think we’ll do a much better job at promoting data flows while accomplishing many of the other policy goals. And finally, look to the future. We cannot just regulate for what the technology of today is. We need to be regulating for what the technology of tomorrow will be. AI may be one of the best current examples of that. Restricting data transfers internationally is very deleterious to the development of effective and accurate AI models. They, of course, require diverse data sets, accurate data sets, and significant amounts of data in some cases. And so when we’re thinking about this, not only in the context of AI development, but also in the context of what’s going to be the next technology, I think we should be thinking about today’s regulations in the context of how it will impact the future.

Timea Suto: Thank you, Robin. Quite a lot of mentions of expert conversations needed, overviews of policy systems, trying to figure out commonalities, holistic approaches, and a lot of mentioning of the OECD. So Clarice, if you’d like to respond to any of this, but also if you’d like to highlight anything in particular that the OECD does to try and drive forward these frameworks.

Clarisse Girot: Yeah, thanks so much. much. And thanks to everyone for, you know, praising the work of the OCD, which, you know, in this space and of Japan, of course, I mean, you know, I just took a board of the train, as it had already left the station, all credit to Audrey Plonker really initiated this work at the OCD on government access. I think the, you know, to build on what Bertrand was saying, indeed, we we have a globalization of criminal evidence, you know, criminal evidence now is, you know, 80% of the time located in another jurisdiction, if I listen to what, you know, experts around us have been telling us, and we also see that national security agencies are now part of the global ecosystem on data flow. So it is a fact of life, right? And and it was very difficult to touch these issues beforehand, also, because there is no such thing as a national security community, if you will, like there is a privacy community or a global privacy assembly for privacy regulators, and just saying national security, I think, where, indeed, to build on what Michael was saying, what is key is to bring the right people into the room. And we shouldn’t understand how difficult it can be, and particularly in the area of government access, but if we’ve done it, in this particular field, which is probably one of the hardest, it is definitely possible in other other areas. Just FYI, you know, we’ve been talking a lot about the declaration since adoption, and there’s not so much out there about what we’re doing with it. But you know, there’s a lot of work happening behind the curtain. So we haven’t stopped with the adoption of the declaration, we’re promoting it very hard, we’re working, we’re inviting non OECD countries to adhere to the instrument, we’ve been doing a lot of work, which is extremely promising. And we hope that, you know, in 2025, we see more, more interesting developments to share with you. Just another another example, and I will close with that the possibility of doing the right thing once you have the right people in the room, building on the data free flow with trust community. that we have built at the OECD as part of the so-called IAP. There is a working group that feeds into a very complex area of work on the intersection of cross-border payments and data frameworks, work which we do with the Financial Stability Board, Financial Action Task Force, IMF, BIS, et cetera, et cetera. It is the first time that everybody comes in the room to discuss the challenges met by cross-border payments. And the intersection with cross-border data flow regulations. This is happening at a fairly fast pace. It is extremely technical. It’s extremely complex. You cannot make any progress without having everybody in the room talking to each other, making efforts to understand each other. It takes here again, a lot of effort and a lot of resources to be honest. The Data-Free Flow with Trust community, this particular working group is exceptionally useful because we bring in all the payments operators and financial institutions that feed into the expertise that we need to do the right policy work on the site. So it’s just an example. If you bring the right people, there is hope. I could mention also work with young privacy enhancing technologies. Very happy to keep discussing with Dave and Robin on long personal data and cybersecurity issues in particular, as long as there is a space to meet and a team that can animate a network of experts, there is hope. And I think really, I don’t want to sound naive or anything because this takes a lot of hard work. Believe us, we know what it takes at the OECD. But to go back to what I was saying earlier, I think there is greater awareness as to the risk of the actual risks for society as a whole, not only in terms of compliance challenges for businesses to impede cross-border data flows. I think this has come top of the agenda for global leaders. a greater awareness of the solutions that are already out there, that we’re not starting from scratch, as I was saying earlier, there are communities of experts out there. There is, you know, there are a number of legal frameworks out there that we can build on. And some conversations remain exceptionally hard, and maybe we need to keep working on those. Data localization, there, here again, a gradation of data localization requirements, exceptionally hard. But, you know, again, if we’ve made progress in these very complex areas, there is no reason why we cannot have, you know, sound, stable, long-term discussions here. And of course, fora like the IGF are absolutely fundamental in that respect. And with that, I will stop.

Timea Suto: Thank you so much, Clarice. I think we have about maybe 10 minutes for one or two questions from the audience. If there’s anything that those who are listening to us online or here in the room might want to raise. I’m sorry, I can’t see everybody from here, but yeah, maybe I’ll pass the mic to you.

Audience: Good morning, I’m Rapidsun from Cambodia. So based on the discussion, so I would like to ask, how do you, like Meta or Microsoft or OECD, assist the developing country on the data governance? Because in, for example, like in Cambodia, not only the, we don’t have a national data governance, but the policy maker also not well aware or see the comprehensive of the data governance, especially the cross-border data flow. So my question, how you can assist the developing country? Thank you.

Timea Suto: Thank you for your question. Are there any others that we could maybe group together or should we take them one by one? No, I don’t see anything online either. No, I see, sorry, apologies for jumping in. I see someone online. Let’s go to Evgenia. Can the speaker who raised their hand online try and speak? And then we have another question here in the room and maybe we’ll go back online to the speaker. Jacques, please. Thank you.

Audience: My name is Jacques Beglinger. I’m also a member of the ICC delegation. But what I see in practice is also a certain difficulty when it comes to regulation and when it comes to handling data to distinguish between personal data and non-personal data. And I think this is an absolute crucial thing for industry in particular, consumers to know exactly to look into which policies. So maybe the panel can enlighten me somehow how to distinguish.

Timea Suto: Okay. I think I’ve heard something online, so we might be able to hear the question from online. If you would like to please try again. Yeah.

Audience: Thank you. Glad to see you. It’s a very interesting discussion. So my question may be more general. You touched many aspects. I guess it’s very interesting. So I would like to highlight an intervention of my colleague who mentioned G20 legislation between the United States and Europe. So I guess it’s a real problem in terms of how we may not to approach, but to maximize approach like GDPR in Europe and approach more flexible regulations. In this case, how we can find common ground? Thank you. trying to collaborate on personal data or market data or whatever, we should use less restrictive or higher restrictive approach. In both cases, each country will be not happy because in case of Europe, GDPR provides enough restrictive limitations or regulations. In Russia, we have very similar. But when we are going to Asian market, for example, yes, we should have bilateral cooperations and regulated case by case. If we try to find common ground like for less restrictive, I’m not sure could my country, could Europe, agreed to degree level of these regulations. How we could proceed, how we find middle ground in this case? Because each country like the United States, Europe, or Japan, have own reason why we have regulation like we have. What is the possible approach? Because frankly speaking, I do not believe to have some global equal or unified regulations. I guess it’s impossible to reach for the next years. Thank you.

Timea Suto: Thank you. Thank you everyone for your questions. So I could turn it back to the speakers and see if anybody would like to pick one question in particular or address all of them together. I think there’s a common thread there of how do we drive to actual tangible solutions to this? How do we assist developing regions or those who have questions or different approaches to this? And how do we drive for commonalities? We know that it’s impossible to have one single global regulation. I don’t think anybody is driving for that. But I’m just wondering. if there’s a way, I think if speakers hear solutions to how we drive towards more harmonized or more interoperable approaches. We’ve lost the online room, but I hope that we can, yeah, we see you now. Okay, perfect. Now I see all the speakers. Who wants to go first? Yeah, Bertrand first and then Clarice. Go ahead.

Bertrand de La Chapelle: Quickly, a few elements. The first thing is that we’re using the term interoperability and legal interoperability is actually an expression that I personally have pushed a lot in the last few years. But at the same time, this is a very good concept, but its implementation is not really something that we are able to describe very, very clearly. So it’s an aspirational element, but I think we need to have a serious discussion of what do we mean by interoperability, because we know what technical interoperability is. Legal interoperability is a little bit difficult. It’s envelopes of regulation what is required, what is acceptable, and what is forbidden, which is what in logic is called the deontic operators. How do you combine the overlap of legislations when you have a situation where they actually both apply? So the debate that I was mentioning regarding is it an adequacy or is it a CBPR type of approach is a typical core. I think we need to explore this topic a little bit more. The second thing is, to go to what Jack was saying, we don’t pay enough attention to non-personal data. Personal data is an extremely important element, but there is so much value that can be created by non-personal data that we need to be very careful not to be just obsessed by one dimension, and we need to go to other things. What is really interesting in his question is, as he said, the frontier between the two is not as clear-cut. and particularly a field that I’m particularly interested in which is the medical data, I think there is an enormous potential in the training of AI for diagnostic. This requires an enormous amount of data to train the AI. I think it is, and Clarice was mentioning the work done on pets, this is typically something that can be done using federated learning, which is very applicable, and medical imagery is something that can relatively be anonymized without too much fear of de-anonymization. So this is a perfect example of something that leverages a new technique, which is federated learning, which is different from just sharing the databases. Using anonymization to bring the data that is normally a very sensitive data to something that is anonymized, to develop something that is clearly an AI application beneficial for humanity. And if I want to throw an idea here, for people who are familiar with how organ donation function, in most cases when you have an accident, your organs can be used if you have opted in, to say yes my organs can be used. In some countries, and I think it’s the case in France, they’ve moved to an opt-out. Like unless you say I don’t want it to be used for transplants, if you have an accident and it can be used, the organs are going to be used. I’m wondering whether on medical imagery an equivalent shouldn’t be explored to say you have the right to the personal information that is related to your medical imagery and your personal data. Absolutely. But there is a global public interest to making the anonymized picture available under certain conditions for the training of AI. And I think this is a discussion that is typically around trust, it’s about new technologies like pets that respond to the motto I was mentioning of responsibly unlocking the value of data for all. I think we need to have a more innovative approach to how we leverage data and how we responsibly share data.

Timea Suto: Thank you for that. Clarice, you wanted to comment on that?

Clarisse Girot: Very quickly. So, first of all, to the comment, the question of our colleague from Cambodia, I think it’s very important. You know, Cambodia sits within ASEAN and there are lots of very interesting developments within ASEAN. I was part of an expert group, you know, working with the ASEAN Working Group on Data Governance to put it very shortly. And together, we put together a set of contractual clauses, ASEAN model contractual clauses, which were sort of a simplified version that worked for the ASEAN and basically, you know, the Asian region. And that could be articulated with the EU standard contractual clauses, which, you know, were made back for some of them in 2001. And it was actually very interesting to do this sort of benchmarking exercise, like in ASEAN, given the state of the laws at the national level, we do not need more than this. And actually, it works. It’s plug and play. The ecosystem locally is less, you know, used to complex data protection laws like we have them in Europe and in the US and elsewhere. And therefore, you know, it works. Like I was in Singapore a few weeks back, and actually, practitioners there told me that for their ASEAN based business, they actually, clients, they actually use this model ASEAN clauses. In other words, no one size fits all, for sure. And they are similar in nature. initiatives in Latin America, which are extremely interesting to watch as well. I would point you to a report that we published last year called Moving Forward on DFFT, on data free flow with trust. We did actually a huge range of interviews with global at the global level, you know, in all regions of the world to understand what the particular challenges were. Government access, always a challenge, but, you know, generally speaking, lots of very positive findings in there. Lots to build on. So I think there is room for cooperation here at the OECD. We’re not limited by the boundaries of the 38 member countries, far from. We do work with a lot of stakeholders outside, including governments, of course, outside of the membership. Very happy to keep discussing this. It’s very important to not impose the idea of harmonization. And I know we’ve talked a lot about the Brussels effect, which is a fact. It’s true, like the GDPR sort of exported in a way. But that does not mean that beyond the principles and some key rules and like accountability, for instance, and basic data subjects, right, you have to export sometimes a complexity, which in turn protects that, you know, builds on a long legacy with the principles. And I think there is a global acknowledgement of that. So that’s that’s a good point. I won’t go too far into the PETS conversation because it is extremely complex. Just to say that at the OECD, we also have an important recommendation on the health data governance, which looks in particular at the sharing of health data, health data being understood very broadly. And indeed, the border between personal and non-personal data can be a bit blurry and there can be worked on here. But still, there is a very clear difference between non-personal data, like in the cybersecurity space, you know, attacks on infrastructure, et cetera, et cetera, that has nothing to do with personal data at all. So we need to look at the at the border in the middle, like anonymized data, how anonymized is it? to be de-anonymized, de-identified. There is still here a margin of maneuver and of cooperation between privacy regulators in particular with the support of industry and civil society groups whose expertise is sometimes underestimated in this case. Anyway, there’s too much to say in an hour and a half, but I’m happy to continue the conversation offline.

Timea Suto: Thank you so much, Clarice. With, I think we have three minutes left on the panel, so, and three panelists who haven’t spoken in this last round. Any last words, key takeaways from Maiko, Dave, Robin? Go ahead, Maiko.

Maiko Meguro: Perhaps like from myself. So it was great to have this discussion across the private sector, international organization and also government, which is myself, because we really see that we need to actually have the right people in the room in building the DFFD and working on the real problem and setting the right questions. This is also really proved by this panel. That’s how I see this panel. But also we really see that, so today we really heard a lot of private sectors, heard from a lot of private sectors that, you know, difference of regulation, uncertainty in government access are really the issue. And I think that through the DFFD, we really should sit together and put together the legal and technical perspective together to identify what is the real genuine problem that company has, and also what are the actual purpose and function that those regulation actually need to tackle on, because Japan is actually working on this sort of exercises with expert to assess more than a thousand regulations with view to the changing assumption and the condition following the digitalization. So we’re really trying to work on integrating the privacy sensing technologies with our governance. And we’re really trying to have, to see that we are trying to see where the regulation comes from. and what has been changed and what needs to be changed in order to adapt our society into those digitalizing realities. So we really think that DFFD is materializing this sort of approaches to bring together the people from the different sectors and trying to break down the silos so that we could have more innovative solution towards a new situation which is set by the DFFD. Also, one last note that it is very important to keeping DFFD as the agenda for high-level political discussion like G7, G20 or other forums because high-level political instruction is very important to push the government to move towards innovative approaches. So of course, Japanese government is keep trying, always politically leveraging the DFFD at the high-level political discussion, but also please remember those people from the different sectors that actually those high-level forum really means to set those important topics as a priority for the governments. So this ends my words, but thank you very much.

Timea Suto: Thank you, Maiko. Dave?

Dave Pendle: Just take maybe 15, 20 seconds, but I mean, cooperation on data governance requires trust and you’ll never achieve that unless you’re talking to each other. So it’s been really encouraging to see a lot of governments roll up their sleeves and do just that. And then to make one point that I think has been made a few times, but is probably the most critical is that these conversations about problems must be grounded in real world experience. And it’s important that policymakers not solve for misperceptions, but they solve for problems and risks that are evidence-based. So bringing in those right people is key to that. So maybe just close with, in the words of Clarice, if you bring in the right people, there is hope. Thank you.

Timea Suto: Robin?

Robyn Greene: Sure, it’s fair for me to have to follow this group of folks circling up their final thoughts, but I really do agree with everything that’s been said. I think the only other thing that I would add is the really critical importance of keeping in mind the technical limitations and the importance of the technical compatibility of regulations with the global internet infrastructure and the importance of ensuring that you’re looking at each of these policy issues, not in a silo. but in the larger context of what the policy and data governance environment looks like and what the implications of one regulation that restricts data flows or promotes data flows could be on other policy goals. Thank you.

Timea Suto: Thank you so much. I’m being signaled that we’ve run over time so I won’t take too long in wrapping this up. I would just like to highlight that we’ve heard quite a lot of commonalities here around needing common principles at the top, common direction at the top, and political will at the top to want to address this. That needs to then translate into a holistic view based in understanding and evidence of what the issues actually are and that that needs to be followed up by action by experts in multi-stakeholder forums such as this one to ensure that the will and the principles translate into actionable solutions that are not just looking good on paper but are actually implementable by those who work on it on the ground. And we’ve heard quite a few examples on this from the work of the Internet and Jurisdiction Policy Network back in the day on e-evidence, to the work of the data sphere, to the work by Japan and the OECD and what companies are doing on the ground and also what they need to progress on this. So if you want to hear more about what the private sector thinks, come by the ICC Basis booth. We have a QR code there with our publications and data. Please make sure to take a look. You’ll also find us online. And with that, I just want to say a huge thank you to the panelists for being here and for this very rich discussion. To all of you who have stayed up late or woke up very early, thank you as well online and everybody who joined us here in the room and the line. And of course a huge thanks to my team, many just, and I know who has helped us pulling this session together. So with that, thank you so much and a huge round of applause to the panelists.

T

Timea Suto

Speech speed

145 words per minute

Speech length

2281 words

Speech time

943 seconds

Data underpins global economy but faces mistrust and restrictions

Explanation

Data is crucial for the global economy, supporting business operations and government services. However, there is mistrust in data and data-powered technologies, leading to restrictive policies and regulations.

Evidence

Concerns about national security, privacy, and economic safety compromising if data crosses borders

Major Discussion Point

Importance and challenges of cross-border data flows

Agreed with

Bertrand de La Chapelle

Maiko Meguro

David Pendle

Robyn Greene

Clarisse Girot

Agreed on

Importance of cross-border data flows for global economy

B

Bertrand de La Chapelle

Speech speed

135 words per minute

Speech length

2162 words

Speech time

958 seconds

Legal landscape is fragmented but internet infrastructure enables free flow

Explanation

The legal landscape for data governance is fragmented due to different laws in 190 countries. However, the technical infrastructure of the Internet inherently allows for free flow of data, creating tension between legal and technical realities.

Major Discussion Point

Importance and challenges of cross-border data flows

Agreed with

Timea Suto

Maiko Meguro

David Pendle

Robyn Greene

Clarisse Girot

Agreed on

Importance of cross-border data flows for global economy

Focus on access rights to data rather than data sharing

Explanation

The current approach to data sharing is outdated. Modern data usage involves API access and privacy-enhancing techniques rather than transferring entire databases.

Evidence

Examples of homomorphic encryption and federated learning that allow leveraging data without sharing it

Major Discussion Point

Approaches to enable trusted data flows

Differed with

Maiko Meguro

Differed on

Approach to data governance

M

Maiko Meguro

Speech speed

144 words per minute

Speech length

1816 words

Speech time

753 seconds

Data governance must balance utilization and protection

Explanation

Data governance should consider both maximizing data utilization and ensuring data protection and security. Countries need to find a balance that aligns with their social priorities, cultures, and economic structures.

Evidence

Example of conflict between investment agreements and environmental regulations in different countries

Major Discussion Point

Importance and challenges of cross-border data flows

Agreed with

Timea Suto

Bertrand de La Chapelle

David Pendle

Robyn Greene

Clarisse Girot

Agreed on

Importance of cross-border data flows for global economy

Differed with

Bertrand de La Chapelle

Differed on

Approach to data governance

Work on concrete interoperability solutions and institutionalize processes

Explanation

Governments should focus on addressing arbitrary treatment and lack of transparency in data governance. They should work on concrete interoperability solutions and institutionalize processes for relevant actors to engage with data governance issues.

Major Discussion Point

Approaches to enable trusted data flows

Agreed with

David Pendle

Robyn Greene

Clarisse Girot

Agreed on

Need for multi-stakeholder approach and international cooperation

Keep data free flow with trust on high-level political agendas

Explanation

It’s important to maintain data free flow with trust as an agenda item for high-level political discussions like G7 and G20. High-level political instruction is crucial to push governments towards innovative approaches in data governance.

Major Discussion Point

Role of international cooperation and harmonization

D

David Pendle

Speech speed

164 words per minute

Speech length

1706 words

Speech time

624 seconds

Government access requests fuel mistrust in data flows

Explanation

Government requests for user data are a source of mistrust in cross-border data flows. This issue is driven by sovereign interests in protecting citizens and national security, leading to expanded surveillance authorities.

Evidence

Microsoft receives about 60,000 legal demands from governments worldwide for about 110,000-120,000 different users each year

Major Discussion Point

Importance and challenges of cross-border data flows

Pursue evidence-based policies reflecting nuances of digital economy

Explanation

Policymakers must work together and pursue evidence-based policies that reflect the nuances of the digital economy. It’s crucial to solve for real problems and risks rather than misperceptions.

Evidence

Success of OECD Trusted Government Access Principles due to bringing together diverse stakeholders

Major Discussion Point

Approaches to enable trusted data flows

Agreed with

Maiko Meguro

Robyn Greene

Clarisse Girot

Agreed on

Need for multi-stakeholder approach and international cooperation

Non-personal data crucial for economy, research, cybersecurity

Explanation

Non-personal data is essential for the global economy, scientific research, and cybersecurity. Its ability to solve global problems depends on its capacity to flow across borders.

Evidence

Microsoft scans about 78 trillion signals every day to detect malicious cyber activity

Major Discussion Point

Differentiating personal and non-personal data flows

Agreed with

Timea Suto

Bertrand de La Chapelle

Maiko Meguro

Robyn Greene

Clarisse Girot

Agreed on

Importance of cross-border data flows for global economy

R

Robyn Greene

Speech speed

152 words per minute

Speech length

2362 words

Speech time

932 seconds

Data flow restrictions lead to internet fragmentation

Explanation

Restrictions on data flows can lead to internet fragmentation, resulting in regional or national silos. This fragmentation has significant implications for cultural, social, and economic norms and international cooperation.

Evidence

Examples of express data localization requirements and de facto localization through regulatory benchmarks

Major Discussion Point

Importance and challenges of cross-border data flows

Agreed with

Timea Suto

Bertrand de La Chapelle

Maiko Meguro

David Pendle

Clarisse Girot

Agreed on

Importance of cross-border data flows for global economy

Attach rights and obligations to data rather than data subjects

Explanation

To ensure data protection while enabling flows, rights and obligations should be attached to the data itself rather than to data subjects. This approach ensures that protections travel with the data regardless of its location.

Major Discussion Point

Approaches to enable trusted data flows

Promote adoption of global cross-border privacy rules

Explanation

International collaboration is key to enabling trusted data flows. Promoting the adoption of global cross-border privacy rules can help achieve interoperability and harmonization across legal standards.

Evidence

Example of the Budapest Convention and its second additional protocol

Major Discussion Point

Role of international cooperation and harmonization

Agreed with

Maiko Meguro

David Pendle

Clarisse Girot

Agreed on

Need for multi-stakeholder approach and international cooperation

C

Clarisse Girot

Speech speed

170 words per minute

Speech length

2827 words

Speech time

994 seconds

Data flows are crucial for innovation and economic growth

Explanation

Cross-border data flows are essential for innovation and economic growth. The OECD has been working on this issue for a long time, recognizing the need to balance data flows with privacy and fundamental human rights.

Evidence

OECD privacy guidelines from 1980

Major Discussion Point

Importance and challenges of cross-border data flows

Agreed with

Timea Suto

Bertrand de La Chapelle

Maiko Meguro

David Pendle

Robyn Greene

Agreed on

Importance of cross-border data flows for global economy

Bring right stakeholders together to find common ground

Explanation

To address data governance challenges, it’s crucial to bring the right stakeholders together. This approach has proven successful in addressing complex issues like government access to data.

Evidence

OECD’s work on the intersection of cross-border payments and data frameworks

Major Discussion Point

Approaches to enable trusted data flows

Agreed with

Maiko Meguro

David Pendle

Robyn Greene

Agreed on

Need for multi-stakeholder approach and international cooperation

Build on existing frameworks like OECD guidelines

Explanation

There are existing frameworks and communities of experts that can be built upon to address data governance challenges. It’s important to recognize and leverage these resources rather than starting from scratch.

Evidence

OECD privacy guidelines and recommendation on enhanced access to and sharing of data

Major Discussion Point

Role of international cooperation and harmonization

Agreements

Agreement Points

Importance of cross-border data flows for global economy

Timea Suto

Bertrand de La Chapelle

Maiko Meguro

David Pendle

Robyn Greene

Clarisse Girot

Data underpins global economy but faces mistrust and restrictions

Legal landscape is fragmented but internet infrastructure enables free flow

Data governance must balance utilization and protection

Non-personal data crucial for economy, research, cybersecurity

Data flow restrictions lead to internet fragmentation

Data flows are crucial for innovation and economic growth

All speakers agreed on the critical importance of cross-border data flows for the global economy, innovation, and development, while acknowledging the challenges and risks associated with these flows.

Need for multi-stakeholder approach and international cooperation

Maiko Meguro

David Pendle

Robyn Greene

Clarisse Girot

Work on concrete interoperability solutions and institutionalize processes

Pursue evidence-based policies reflecting nuances of digital economy

Promote adoption of global cross-border privacy rules

Bring right stakeholders together to find common ground

Speakers emphasized the importance of bringing together diverse stakeholders, including governments, private sector, and civil society, to develop effective and balanced approaches to data governance and cross-border data flows.

Similar Viewpoints

Both speakers advocated for a shift in approach to data governance, focusing on access rights and attaching obligations to the data itself rather than traditional notions of data sharing or subject-based rights.

Bertrand de La Chapelle

Robyn Greene

Focus on access rights to data rather than data sharing

Attach rights and obligations to data rather than data subjects

Both speakers emphasized the importance of building on existing frameworks and pursuing evidence-based policies that reflect the realities of the digital economy.

David Pendle

Clarisse Girot

Pursue evidence-based policies reflecting nuances of digital economy

Build on existing frameworks like OECD guidelines

Unexpected Consensus

Importance of technical compatibility in regulations

Bertrand de La Chapelle

Robyn Greene

Focus on access rights to data rather than data sharing

Data flow restrictions lead to internet fragmentation

Despite coming from different perspectives (DataSphere Initiative and Meta), both speakers highlighted the importance of considering technical realities and compatibility when developing data governance regulations, which is not always a primary focus in policy discussions.

Overall Assessment

Summary

The speakers generally agreed on the importance of cross-border data flows for the global economy, the need for multi-stakeholder approaches, and the importance of balancing data utilization with protection. There was also consensus on the need for evidence-based policies and building on existing frameworks.

Consensus level

High level of consensus on core principles, with some variations in specific approaches. This suggests a strong foundation for further international cooperation on data governance, but also highlights the complexity of implementing these principles in practice across different jurisdictions and stakeholder groups.

Differences

Different Viewpoints

Approach to data governance

Bertrand de La Chapelle

Maiko Meguro

Focus on access rights to data rather than data sharing

Data governance must balance utilization and protection

While de La Chapelle emphasizes a shift towards access rights and privacy-enhancing techniques, Meguro stresses the need for a balance between data utilization and protection, considering social priorities and cultural differences.

Unexpected Differences

Overall Assessment

summary

The main areas of disagreement revolve around the specific approaches to data governance, balancing data utilization with protection, and the methods for achieving international cooperation and harmonization.

difference_level

The level of disagreement among the speakers is relatively low. While there are some differences in emphasis and approach, the speakers generally agree on the importance of cross-border data flows, the need for trust, and the value of international cooperation. These minor differences in perspective are unlikely to significantly impede progress on the topic of harmonizing approaches for data-free flows with trust.

Partial Agreements

Partial Agreements

All speakers agree on the need for international cooperation and harmonization, but they propose different approaches. Pendle emphasizes evidence-based policies, Greene advocates for global cross-border privacy rules, and Girot focuses on bringing diverse stakeholders together.

David Pendle

Robyn Greene

Clarisse Girot

Pursue evidence-based policies reflecting nuances of digital economy

Promote adoption of global cross-border privacy rules

Bring right stakeholders together to find common ground

Similar Viewpoints

Both speakers advocated for a shift in approach to data governance, focusing on access rights and attaching obligations to the data itself rather than traditional notions of data sharing or subject-based rights.

Bertrand de La Chapelle

Robyn Greene

Focus on access rights to data rather than data sharing

Attach rights and obligations to data rather than data subjects

Both speakers emphasized the importance of building on existing frameworks and pursuing evidence-based policies that reflect the realities of the digital economy.

David Pendle

Clarisse Girot

Pursue evidence-based policies reflecting nuances of digital economy

Build on existing frameworks like OECD guidelines

Takeaways

Key Takeaways

Cross-border data flows are crucial for the global economy and innovation, but face challenges of mistrust and restrictions.

A fragmented legal landscape exists alongside internet infrastructure that enables free data flow.

Data governance must balance data utilization and protection.

Restricting data flows can lead to internet fragmentation and hinder economic growth, innovation, and cybersecurity.

International cooperation and harmonization of approaches are needed to enable trusted data flows.

Differentiating between personal and non-personal data flows is important but not always straightforward.

Multi-stakeholder engagement and evidence-based policies are crucial for developing effective data governance frameworks.

Resolutions and Action Items

Continue work on formalizing multi-stakeholder processes at the international level

Promote adoption of global cross-border privacy rules

Keep data free flow with trust on high-level political agendas like G7 and G20

Work on concrete interoperability solutions for data governance frameworks

Pursue evidence-based policies that reflect the nuances of the digital economy

Unresolved Issues

How to effectively distinguish between personal and non-personal data in practice

How to achieve legal interoperability across different jurisdictions

How to address the tension between data localization requirements and the need for cross-border data flows

How to balance national security concerns with the need for cross-border data access

How to assist developing countries in implementing effective data governance frameworks

Suggested Compromises

Use of privacy-enhancing technologies to enable data sharing while protecting sensitive information

Adopting a gradual approach to harmonization rather than seeking immediate global uniformity

Focusing on interoperability of regulations rather than strict harmonization

Using model contractual clauses adapted to regional needs, as done in ASEAN

Thought Provoking Comments

The way it works today is through API, it’s through rights of access to data. So many times the data doesn’t travel really. It is just that you query it from another distant place. And even more, there are new techniques called privacy-enhancing techniques.

speaker

Bertrand de La Chapelle

reason

This comment challenges the common perception of data sharing and introduces new technical concepts that are reshaping how data flows work.

impact

It shifted the discussion towards considering more nuanced and modern approaches to data flows, beyond simple data transfer models.

So from our perspective, we must think about the effective means of having both enhancing flow, but also necessary protection according to rights and interests attached to the data.

speaker

Maiko Meguro

reason

This comment highlights the need for balance between data flow and protection, emphasizing the complexity of the issue.

impact

It led to a more holistic discussion about the multifaceted nature of data governance, considering both benefits and risks.

In a six-month period, so we’re talking about 30,000 legal demands, you know, we typically get about 50 to 55 content disclosures that are cross-border. In the last reporting period, there was only one that pertained to an enterprise customer.

speaker

David Pendle

reason

This comment provides concrete data that challenges common perceptions about the frequency and scale of cross-border data disclosures.

impact

It introduced an evidence-based perspective into the discussion, encouraging a more factual approach to assessing risks and concerns.

Nothing will stifle innovation more than a patchwork of onerous and sometimes conflicting regulatory requirements across jurisdictions.

speaker

David Pendle

reason

This comment succinctly captures a key challenge in global data governance and its potential impact on innovation.

impact

It reinforced the importance of harmonization and interoperability in data governance approaches, shaping subsequent discussion on policy frameworks.

I think we need to be regulating for what the technology of tomorrow will be. AI may be one of the best current examples of that.

speaker

Robin Greene

reason

This comment introduces a forward-looking perspective, emphasizing the need for adaptable regulations.

impact

It shifted the discussion towards considering future technological developments in current policy-making, particularly highlighting AI as a key area.

There is a global acknowledgement of that. So that’s that’s a good point. I won’t go too far into the PETS conversation because it is extremely complex.

speaker

Clarisse Girot

reason

This comment acknowledges the complexity of privacy-enhancing technologies (PETs) while also noting global progress in understanding data governance issues.

impact

It balanced the discussion by recognizing both progress and ongoing challenges, setting a realistic tone for future work in this area.

Overall Assessment

These key comments shaped the discussion by introducing nuanced technical perspectives, challenging common perceptions with data, emphasizing the need for balanced and harmonized approaches, and encouraging forward-looking policy-making. They collectively moved the conversation from theoretical concepts to practical considerations, highlighting the complexity of data governance while also pointing towards potential solutions and areas for future focus.

Follow-up Questions

How to implement legal interoperability in practice?

speaker

Bertrand de La Chapelle

explanation

The concept of legal interoperability is aspirational but its practical implementation is not clearly defined. This needs further exploration to understand how to combine overlapping legislations.

How to distinguish between personal and non-personal data in practice?

speaker

Jacques Beglinger (audience member)

explanation

There is difficulty in distinguishing between personal and non-personal data when it comes to regulation and handling data. This distinction is crucial for industry and consumers to know which policies apply.

How to find a middle ground between restrictive (e.g., GDPR) and more flexible data protection approaches?

speaker

Evgenia (online audience member)

explanation

Different countries have varying levels of data protection regulations. Finding common ground between restrictive and flexible approaches is challenging but necessary for international collaboration.

How can developed countries and organizations assist developing countries in establishing data governance frameworks?

speaker

Rapidsun (audience member from Cambodia)

explanation

Many developing countries lack national data governance frameworks and policymakers may not be fully aware of comprehensive data governance issues, especially regarding cross-border data flows.

How to explore innovative approaches to leveraging and responsibly sharing medical data for AI training?

speaker

Bertrand de La Chapelle

explanation

There is potential in using anonymized medical imagery data for AI training in diagnostics. This requires exploring new approaches, such as opt-out systems for data sharing, to balance personal privacy with public interest.

How to formalize multi-stakeholder processes at the international level for addressing data governance issues?

speaker

Maiko Meguro

explanation

There is a need for permanent forums where diverse stakeholders can gather to discuss and work on data governance issues over time, rather than relying on ad hoc discussions.

Disclaimer: This is not an official record of the session. The DiploAI system automatically generates these resources from the audiovisual recording. Resources are presented in their original format, as provided by the AI (e.g. including any spelling mistakes). The accuracy of these resources cannot be guaranteed.