Data governance refers to the governance of data between states and the management of international data flows. It involves the whole life cycle of data – from collection, processing, storage, use, security, and management of data.
Data governance: Moving away from a one-size-fits-all approach
As discussions on data governance mature, 2023 will see a departure from the one-size-fits-all approach towards conversations on how to regulate the different types of data, such as personal, corporate, public, health, etc. In parallel, this will require a holistic approach that takes into account the standardisation, security, human rights, and legal perspectives.
For governments worldwide, 2023 could be a landmark year in their search on how to reconcile two aspects:
- The need to ascertain sovereignty over critical and sensitive data that needs to be stored physically on national territories (registries, health data, etc.)
- The fact that free flow of data across national and corporate borders facilitates economic development and contributes to the public good (e.g. environmental data)
Win-win solutions are of course ideal, but realistically, governments will have to make optimal trade-offs between the two.
Data governance has grown from a mainly privacy-related issue to a multifaceted one, with implications reaching the economy, law enforcement, cybersecurity, and even geopolitics.
Data-driven business models are growing fast and are becoming critical in all sectors of the economy, from manufacturing to services. The processing of personal data (information relating to an identified or identifiable person) also enables scientific advancements in fields that range from healthcare to autonomous driving. Large datasets help lawmakers enact effective public policies and power digital government.
In such a context, the international flows of data have become increasingly important for states and companies, and are playing a key role in various treaties, conventions, and trade agreements around the world. The regulation of these flows, therefore, has become an important matter for stakeholders on a global scale.
There are several reasons why a country might want to regulate its data flows: i) to safeguard the privacy of its citizens, as is the case for most data protection legislation; ii) to meet other regulatory objectives, such as access to information for auditing purposes; iii) for national and cybersecurity reasons; and iv) with the aim of developing domestic capacity in data-intensive sectors, as a form of digital industrial policy.
Data governance has four main facets: technology, economy, security, and law and human rights.
The technological aspect of data governance refers to the development of standards, apps, and services for data management. Not to be confused with the ‘data governance’ term used for an area of corporate and technical governance, the technological aspect of data governance is concerned with ensuring interoperability between systems and actors, widespread adoption of standards, and proper development of technologies that deal with data and related activities.
Standardisation bodies, telecommunication companies, and governments engage in multiple fora to discuss how to better face challenges like the fragmentation of data space, lack of interoperability, portability, and low quality of data, among others.
The national security side of data governance is concerned with how the data of its citizens might be used both to protect national security and to threaten it.
In the first case, governments can use large sets of data as a means of fighting crime, terrorism, and money laundering. The use of data to fight pandemics has recently surfaced as a national security concern as well.
In the second case, openly available data (such as data from social networks) might be used by foreign entities in ways that pose a threat and/or undermine the national sovereignty and interests of a country. The use of personal data to influence elections, for instance, represents a significant threat many governments have expressed worries about.
Law and human rights
Increasingly often, information considered vital for criminal or civil investigations finds its way outside the jurisdiction of the investigative authorities, straining existing international co-operation mechanisms (commonly known as Mutual Legal Assistance Treaties or MLATs) that are not considered efficient and timely enough for the current pace and volume of transnational investigations. This slow pace and uncertainty are undesirable and often encourage policymakers to adopt data localisation measures as the only means of solving the issue. However, other efforts are being made to create new solutions to this problem. Some national instruments like the US CLOUD Act have been established to facilitate international co-operation. Such regulations raise concerns amongst civil rights groups, who argue that these mechanisms might undermine privacy and rights against unreasonable searches of private data and information, since the government could enter into data sharing agreements with foreign countries and affected users would not be notified of the issuing of these warrants.
Data is the core economic resource of the new economy. Governments have been increasingly aware of the impact of data on national economies and have sought to implement policies to foster data-based industries within their borders. Key strategic technologies, like artificial intelligence (AI) and autonomous driving, are largely dependent on large inputs of data to be further developed and successfully implemented.
Some governments have stimulated specific high-tech sectors of their economies, attempting to create local ‘Silicon Valleys’ that can compete globally on the open market.
Other states have attempted more direct and protectionist approaches. Some have embedded data localisation measures in legislation so that data is stored within national borders. This is the case of Russia’s data localization law, which has been fining foreign companies hundreds of thousands of dollars for failing to store their data within Russian borders. Some states have implemented other related policies that force companies to establish facilities and subsidiaries in the country. This is often the case in the EU, where the General Data Protection Regulation imposes such restrictions on the destination of transborder flows that companies have no choice but to establish physical and legal presence in the EU. Others, like China, have actively banned foreign tech firms from operating within the country, on claims of protecting ‘Internet sovereignty’, as well as prohibiting the outward flow of its data as a means of protecting and ensuring a monopoly over its large volume of this key resource. The impacts of choosing to restrict the free flow of data or not is still uncertain. Some scholars argue that data localisation and data protectionism are bad for a country’s economy as they increase the costs associated with this important resource, while others argue that, due to long term strategic goals, restricting the free flow of data might be worth the short-term economic disadvantages.
Such situations raise the question of whether legislation, policies, and institutional incentives for the localisation of data, restriction of outward flows, or the deployment of national data-intensive industries might be a new form of economic protectionism, while the calls for the free flow of data between jurisdictions might be a new form of trade liberalism, each motivated by state and corporate economic and/or political agendas. Digital protectionism, as it has been labeled, has risen as a relevant concern to governments, international organisations, and companies alike. Either by restricting outward flows or by promoting the free flow of data, actors such as the US and China have been using data governance as an important instrument to achieve geopolitical and geoeconomic goals.
Data governance in 2023
In 2023, data will be prominent on the development and trade agenda. India has put data and development high on the Agenda of India’s G20 presidency this year. Data will also be a central theme in e-commerce plurilateral negotiations at the WTO. Most likely, Japan – as a promoter of free flow of data – will also try to put data high on the agenda of the IGF, which will be hosted in Kyoto, Japan in October 2023.
So what can we expect these discussions to focus on? There are at least four main policy questions that these forums, as well as other national and regional spaces, are expected to tackle.
(a) How to develop and apply adequate and appropriate regulation to specific types of data
We tend to group all kinds of data into one basket, but in reality, there are different kinds of data – from personal data to sector-specific and open data – all of which need a dedicated data governance approach.
In 2023, data governance will mature with the realisation that we need as many governance approaches as there are types of data. Thus, the way we govern personal data needs to be different from the way we tackle scientific, business, or communal data.
This realisation will be gradual and will be initiated in organisations and systems that manage specific data (e.g. World Health Organization for health data, World Meteorological Organization for weather and climate data, etc.).
(b) How to address data governance issues in multidisciplinary ways
In 2023, countries, companies, and international organisations will have to address the multidisciplinary nature of data governance in holistic ways. It will require organisational, procedural, and practical changes in order to address the following levels of data governance:
- At the technical level, data needs standards in order to be interoperable. Here, the work of standardisation and technical bodies becomes essential.
- At the security level, data is subject to many breaches. Data security is at the centre of activities of the tech industry and governments worldwide.
- At the economic level, the internet business model is based on data. The role of tech companies which process user data, and the role of authorities to ensure users and their data are protected, come into play.
- At the legal and human rights level, the main issue pertains to the protection of users’ rights, including the right to privacy and data protection as well as protection from mass surveillance. Since rules are anchored in geographical spaces, jurisdiction is often the main issue that arises in disputes. Courts have increasingly become de facto rule-makers. Civil society plays an important role in advocating for users’ rights.
(c) How to incorporate data governance into traditional policy fields and practices
As data becomes critical for all fields of global cooperation, international organisations will need to intensify the use of data in their activities in 2023, be it health, migration, or trade. Increasing their reliance on data will contribute to more evidence-based policymaking.
At the same time, the growing relevance of data will also make data governance more political. As has already been happening in the health sector, countries will need to negotiate what type of data they are willing to share with international organisations and how this data will be used.
(d) How data regulation will likely affect the use and development of AI
AI is built on data, which means that data governance and AI governance go hand in hand. Emerging AI applications such as ChatGPT will trigger more discussions on the deeply-rooted relationship between the two.