Free flow of data and data protection – How do we square the circle?

Event report

[Read more session reports and live updates from the UNCTAD E-commerce Week]

The session discussed the free flow of data and data protection within the context of hypothetical digital trade agreement negotiations. Mr Nick Ashton-Hart (Geneva Representative, Digital Trade Network) opened the discussion by asking the panellists how data protection can be dealt with in regards to cross-border e-commerce.

Ms Sophie Kwasny (Head of the Data Protection Unit, Council of Europe) considered the existing regulatory framework regarding data protection. She explained that data protection is a subject that dates back to a few decades ago: for example, Sweden was the first country to introduce a law on this matter in 1973. She then referred to the Fair Information Practice Principles (FIPPs): a list of eight principles regulating information sharing and privacy practices within the government and the private sector. These principles include the specification of the purposes of the data collection, attention to quality and integrity of data, limitation on the collection and the use of data, security safeguards, openness and transparency in the use of data.

She then specified that after FIPPs, other instruments have been drafted to address more specifically the issue of data protection. For example, the Council of Europe (CoE) Convention 108 in 1981 which is currently ratified by all member states of the CoE and is open to ratification also to other states. She also recalled other regional regulatory frameworks such as the EU General Data Protection Regulation and APEC Cross-Border Privacy Rules (CBPRs)

Mr Stephen de Boer (Ambassador and Permanent Representative of Canada to the WTO) affirmed that international exchanges of goods and services are at the centre of international trade. He pushed for a balanced approach towards data protection: the need to ensure sufficient protection while not creating a hostile environment for new businesses, especially small and medium sized enterprises (SMEs). He added that the existing regulatory framework is rather diversified as it encompasses both prescriptive legislation as well as guiding principles. He also maintained that Canada has concluded agreements such as the Comprehensive and Progressive Agreement for Trans-Pacific Partnership (CPTPP) and the Canada-United States-Mexico Agreement (USMCA or CUSMA) which allow for the protection of privacy and individuals’ data without hindering the development of e-commerce.

Mr Tilman Kupfer (Vice President Trade & International Affairs, BT Group) considered the existing difficulties in exchanging data among different communities which possess different standards. He explained that his company makes sure that ‘data is delivered on time around the world’. To address the challenge constituting the existence of different levels of protection, he considered that applying the highest standard to the protection of data may be hindering the information exchange as not every country would be able to adequately conform to the demanding standards others. He then encouraged the countries to refer to the example of binding corporate and non-contractual rules that parties develop as a common understanding of the subject and accept each other’s granted level of protection.   

Mr John Carroll (Head of International Business at Santander Corporate & Commercial Bank) focused on the key factors that enable SMEs in succeeding in international e-commerce. Santander has developed a trade alliance based on the following four principles: opportunity (allow an exchange of data to study the market for a potential business), trust (share information on customers and consumers clubs), logistics (e.g. e-signature and e-validation), and finance.

Mr Alastair Tempest (CEO at Ecommerce Forum Africa) considered that the level of protection data is granted in one country travels with the data itself. In his work, he specified that much of the cross-border e-commerce happens between African countries and countries with high standards of protection and concluded that the code of practices developed among countries that are economic partners could be a potential positive solution granting data protection without hindering e-commerce.

Mr Alexander Mora (Chairman LATAM EVICERTIA) maintained that a distinction is needed among different data flows, namely between business data and personal data flows as they would enjoy different legal protection. He explained that his company works as a cost service provider providing single cloud platforms allowing for digital signatures, digital contracting and digital certification. He concluded by affirming that the only way to engage with different countries is to apply the GDPR standard to all the partner countries because when doing cross-border e-contracting the full chain of communication needs to be secured.

Mr Guillermo Beltra (Policy Director, Access Now) summarised the debate into two main questions: ‘are we discussing how can rules intended to address trade fit into human rights standards or are we discussing human rights rules that can also be applied in the specifics of trade?’. He specified that trade fora are not the appropriate venues to discuss human rights provisions.  He concluded by demystifying the belief that data protection represents a barrier to e-trade and by enumerating the existing challenges of the GDPR by referring to the ‘Creating a Data Protection Framework: A Do’s and Don’ts Guide for Lawmakers’ published by AccessNow.

By Marco Lotti