Data globalisation is alive

The march of data localisation as a geopolitical force has been relentless in recent years.?Partly the result of a backlash against globalisation and partly an opportunity to advance economic protectionist policies, data localisation has been embraced by policy makers, regulators and activists in such a powerful way that even the most global companies have had to devise strategies to play the game.?But the reality since before the days we realised the earth was not flat, is that the world is indeed global and the urge to communicate, explore and interact beyond artificial and natural boundaries is intrinsic to our nature.?Put in a slightly more mundane but very real way, global data flows are a basic everyday necessity whether we like it or not.?So the challenge that is worth undertaking is how to protect that data wherever it is, not how to find ways to geographically ring fence our digital world.?Recent developments suggest that we should be hopeful about some of the efforts currently underway.??

In Europe, the fixation with the lawfulness of personal data transfers to the US has remained at sky high levels since the Edward Snowden’s disclosures about intelligence agencies’ surveillance activities nearly a decade ago.?Two European Court of Justice decisions later, the debate about what constitutes necessary and proportional access to European data by other countries’ public authorities rumbles on.?However, in an inspired and thorough assessment of this issue, the European Data Protection Board (EDPB) has recently articulated a position that shows that legal rigour is not in conflict with pragmatism.?Essentially, the EDPB has taken the view that the proposed EU-U.S. Data Privacy Framework may still need to be polished, but it can provide a robust mechanism to legitimise European data flows.?This is relevant to this debate because the US may be nowhere near adopting a GDPR-style law, but the combination of political efforts to moderate government access to data with the adoption of a self-certification system of data protection is still seen as a credible option.

In terms of international credibility in this space, it is also worth noting the momentum behind the Global Cross-Border Privacy Rules (CBPR) Forum.?Launched a year ago as a multilateral cooperation initiative to enable trusted global data flows, its aims are more ambitious than those behind the original APEC CBPR.?The CBPR Forum is seeking to position itself as a truly international platform open to jurisdictions that are aligned with the dual objective of promoting data flows and protecting privacy.?So if this is now taken to the next level and some multi-jurisdictional tangible data protection measures are injected into the model, the CBPR (and the processor version of the same) will likely become an influential mechanism to legitimise data transfers.

Against this background, the UK is aiming to play a very active role in contributing its own approach to this issue.?The UK has not been shy in championing a policy of removing unnecessary barriers to cross-border data flows.?This does not mean doing away with the international data transfers provisions of the UK GDPR, and indeed nothing in the proposed UK data protection reform suggests a radical departure from the current system.?However, alongside this reform there is a firm desire to make the most of the current framework by expanding the number of data adequacy decisions, exploring new mechanisms for transfers and even making BCR more mainstream (dear ICO, if you’re reading this, this is an easy win!).?This is all work in progress but the impetus is definitely there.

Perhaps the most important element in all this is that none of these developments and steps can be isolated from each other.?The CBPR Forum needs the UK’s and EU’s support as much as the EDPB needs to look at the GDPR provisions on international data transfers with an open and realistic mindset.?It is good to see some overlap in the thinking of the various stakeholders behind these developments because it is through that common ground that meaningful progress will be made in the protection of data at a global scale.?Individual efforts are indeed necessary to make these initiatives happen but for data globalisation to take place in a safe and beneficial manner, coordinating those efforts is a must.?This is an achievable outcome that ultimately rests on aligning strategic objectives and implementing practical and workable privacy protections.

This article was first published in Data Protection Leader in March 2023.