Data protection frameworks must be compatible with international data flows for developing countries to benefit from the global digital economy

National and regional legal frameworks that protect data in the ever-expanding digital economy are often outdated, incompatible or missing, UNCTAD has found. This will store up problems for the future integration of developing countries into the global economy and threaten the amazing benefits they could derive from cross-border e-commerce.

In a new report, Data Protection Regulations and International Data Flows: Implications for Trade and Development, UNCTAD says that coherent and compatible data protection regimes will be ever-more important in the face of new technologies such as cloud computing, big data, and the Internet of Things. More dialogue between all stakeholders is needed to achieve adequate protection, the report urges.

According to UNCTAD’s Cyberlaw Tracker, as of April 2016, only 108 countries have data protection laws and 35 have draft laws. Around 60 developing countries have no data protection laws at all.

Existing national and regional regimes, such as those in the United States and the European Union, often contain similar principles but even they diverge in their approaches to dealing with cross-border data flows.

The report found that differing notions of privacy and a variety of different stakeholder interests creates tensions: individuals are concerned about their right to privacy and being able to safely and confidently use online services; governments are concerned about national security and safety; and businesses are concerned with compliance burdens and regulations that may hamper innovation and trade.

The report tracks the evolution of data protection, outlines and summarizes the current landscape of global, regional and national data protection regimes, identifies common challenges in the development and implementation of regimes, and presents policy options. It draws on contributions from 18 governments, regional and international organizations as well as representatives of the private sector and civil society to offer a single source of information for consultation by policymakers.

The report identifies eight policy options for countries as well as international and regional organizations to consider when adopting or revising data protection legislation and guidelines.

In order to promote international compatibility, it is important to avoid duplication and fragmentation in approaches to data protection.

Instead of pursuing multiple initiatives, the report suggests, global and regional organizations may need to concentrate on one unifying initiative or a smaller number of initiatives that are internationally compatible.

In developing and promoting international and regional data protection initiatives, consideration should also be given to the compliance burden, and the potential for adverse effects on trade, innovation and competition, especially from the perspective of small and medium sized enterprises (SMEs).

In this context, the report says that SMEs should participate in debates related to such initiatives, and underlines that provisions that build consumer trust and confidence in regulatory models will help to grow e-commerce around the world.

UNCTAD, as a convener of stakeholders from both developed and developing countries, offers a forum for discussion on this vitally important subject.

In this respect, the new data protection report was released on April 19, 2016, at an Ad Hoc Expert Meeting on Data Protection and Privacy during UNCTAD’s second annual E-commerce Week in Geneva, Switzerland.

---

Data protection regulations and international data flows: Implications for trade and development

In the global information economy, personal data have become the fuel driving much of current online activity. Every day, vast amounts of information are transmitted, stored and collected across the globe, enabled by massive improvements in computing and communication power. In developing countries, online social, economic and financial activities have been facilitated through mobile phone uptake and greater Internet connectivity. As more and more economic and social activities move online, the importance of data protection and privacy is increasingly recognized, not least in the context of international trade. At the same time, the current system for data protection is highly fragmented, with diverging global, regional and national regulatory approaches.

This study reviews the current landscape and analyzes possible options for making data protection policies internationally more compatible. It also provides a fresh and balanced take on related issues by considering the varied perspectives of different stakeholders. Written contributions from key international organizations, government bodies, the private sector and civil society offer valuable insight into the current state of affairs.

The findings of the study should help to inform the much needed multi-stakeholder dialogue on how to enhance international compatibility in the protection of data and privacy, especially in relation to international trade, and to provide policy options for countries that wish to implement new laws or amend existing ones. The study will serve as a basis for deliberation during the UNCTAD E-Commerce Week and for its capacity-building activities related to E-Commerce and Law Reform.

Importance of data protection and privacy laws

Data protection is directly related to trade in goods and services in the digital economy. Insufficient protection can create negative market effects by reducing consumer confidence, and overly stringent protection can unduly restrict businesses, with adverse economic effects as a result. Ensuring that laws consider the global nature and scope of their application, and foster compatibility with other frameworks, is of utmost importance for global trade flows that increasingly rely on the Internet.

Many social and cultural norms around the world include a respect for privacy. While underlying privacy principles contain many commonalities across countries, interpretations and applications in specific jurisdictions differ significantly. Some protect privacy as a fundamental right, while others base the protection of individual privacy in other constitutional doctrines or in tort. Still others have yet to adopt privacy protections. Such differences will increasingly affect individuals, businesses and international trade.

The information economy is increasingly prominent and promises to provide many opportunities, but could also generate some potential drawbacks. Internationally compatible data protection regimes are desirable as a way to create an environment that is more predictable for all stakeholders involved in the information economy and to build trust online.

New technological developments are adding urgency to this need. Cloud computing has quickly risen to prominence, disturbing traditional models in various areas of law, business and society. Certain projections estimate that the cloud computing industry will have a projected global market worth of $107 to $127 billion by 2017. The Internet of Things is also rapidly developing, and has a direct nexus to management of data. While forecast reports vary greatly, one report estimates that value-added services related to the Internet of Things will grow from around $50 billion in 2012 to approximately $120 billion in 2018, and that there will be between 20-50 billion connected devices by 2020. Another report forecasts a potential economic impact of between $3.9 and $11.1 trillion per year in 2025.

Data protection regulation must carefully correspond to the evolving needs and possibilities associated with these changes in order to facilitate potential benefits. In 2014, approximately $30 trillion worth of goods, services and finance was transferred across borders. Around 12 percent of international trade in goods has been estimated to occur through global e-commerce platforms like Alibaba and Amazon. The international dimension of flows has increased global GDP by approximately 10 percent, equivalent to a value of $7.8 trillion in 2014. Data flows represent an estimated $2.8 trillion of this added value.

Key Concerns

As the contributions to this study demonstrate, concerns related to data protection and privacy online manifest themselves in many different dimensions.

Governments – specifically in those developing countries attempting to adopt data protection legislation – are having problems modeling their data protection regimes, though most opt for an approach consistent with the EU Directive. Common challenges include (1) the length of time it takes to pass legislation, (2) financial costs associated with implementing and enforcing a data protection regime, and (3) a lack of public and private sector knowledge and cooperation among governmental entities regulating in parallel. In some countries, a lack of understanding and fear within society can also exacerbate one or more of the aforementioned difficulties.

On the consumer side, concerns related to payment system integrity, hidden costs, fear of fraud and product quality are often more pronounced in the context of international e-commerce. Building trust in the online environment is key, and there has been a decline in trust with regards to transactions with both government and private actors. Studies show that consumers are concerned about how their personal data are collected and used, and that these concerns are increasing. A lack of clarity with regard to protection and avenues for redress tends to further aggravate these concerns.

Businesses are concerned that (1) too stringent protection regimes will unduly restrict activities, increase administrative burdens and stifle innovation; (2) a lack of clarity and compatibility between regimes add uncertainty, with negative effects on investments; and (3) given the nexus between cross-border e-commerce and data protection, divergent regimes will inhibit the adoption and proliferation of emerging technological developments, reducing potential accompanying societal benefits.

Key messages

Although there is significant divergence in the detailed data protection laws of the world, there is more common ground around the core set of data protection principles that are said to be at the heart of most national laws and international regimes. This set of core principles can serve as a useful starting point for efforts towards achieving more compatibility and harmonization.

There is no single agreed model for data protection law at this stage. However, compatibility is the stated objective of many global and regional data protection initiatives.

Numerous challenges in the development and implementation of data protection laws exist. This study concentrates on seven areas where action is particularly needed.

1. Addressing gaps in coverage

2. Addressing new technologies

3. Managing cross-border data transfers

4. Balancing surveillance and data protection

5. Strengthening enforcement

6. Determining jurisdiction

7. Managing the compliance burden

Policy options for developing and implementing national laws

The number of national data protection laws has grown rapidly, but major gaps persist. Some countries have no laws in this area, some have partial laws, and some have laws that are outdated and require amendments. The study includes key policy options for nations that are developing, reviewing or amending their data protection laws.

For those countries that still do not have relevant laws in place, governments should develop legislation that should cover data held by the government and the private sector and remove exemptions to achieve greater coverage. A core set of principles appears in the vast majority of national data protection laws and in global and regional initiatives. Adopting this core set of principles enhances international compatibility, while still allowing some flexibility in domestic implementation.

Strong support exists for establishing a single central regulator when possible, with a combination of oversight and complaints management functions and powers. Moreover, the trend is towards broadening enforcement powers, as well as increasing the size and range of fines and sanctions in data protection.

Addressing the issue of cross-border data transfers using specific text and promoting one or more mechanisms that businesses can use to enable international data flows is crucial. In an increasingly globalized economy where more and more economic activities are undertaken online, remaining silent on the issue is not a viable option. Allowing a range of options for companies to consider appears to be the accepted, modern approach to managing this issue.

National data protection laws should avoid (or remove) clear obstacles to trade and innovation. This may involve avoiding or removing data localization requirements that go beyond the basic options for the management of cross border data transfers. A useful test that has emerged in this area is the requirement that such provisions should not be ‘disguised restrictions on trade’.

It is also increasingly difficult to ignore the need to balance government surveillance requirements against data protection. In some jurisdictions, data protection laws will be the appropriate place to address this issue. In others, it may be addressed through different legal arrangements. Countries need to implement measures that place appropriate limits and conditions on surveillance.

Policy options for global and regional data protection initiatives

The study discusses key policy areas for global and regional groups that play a role in data protection.

In order to promote international compatibility, it is important to avoid duplication and fragmentation in the regional and international approaches to data protection. It would be preferable for global and regional organizations to, instead of pursuing multiple initiatives, concentrate on one unifying initiative or a smaller number of initiatives that are internationally compatible. Where possible, similarities in underlying principles can be leveraged to develop mechanisms for recognition and compatibility between different frameworks.

Future work towards achieving greater compatibility will require the effective involvement of all stakeholders, including government, private sector and civil society representatives. Their involvement needs to go beyond general discussions to include formal engagement in the policy development process. This active involvement will also help develop measures that promote a higher level of certainty and confidence amongst stakeholders, which will increase the overall efficiency of legal frameworks.

The study includes some detailed guidance on the growing consensus around key conditions and limitations on surveillance initiated by governments. Most regional and global initiatives are silent on the issue of surveillance. It is essential that national laws and global and regional initiatives acknowledge the existence of surveillance issues and attempt to address these issues directly. While surveillance issues often have an international or cross-border dimension, the extraterritorial nature of data flows and surveillance, as it relates to state sovereignty, must be specifically addressed. The United Nations statement on digital rights may serve as a platform for considering the connection between data protection and surveillance.

In developing and promoting international and regional initiatives on data protection, consideration should also be given to the compliance burden, and the potential for negative impacts on trade, innovation and competition, especially from the perspective of SMEs. In this context, SMEs should be consulted and participate in debates related to such initiatives. Finally, prioritizing provisions that build consumer trust and confidence in regulatory models will help grow e-commerce activity.

Developing efficient policies across the globe is of utmost importance, especially with the advent of recent technological advances. Policies should strive to balance various legitimate stakeholder concerns while also carefully avoid solutions that will overly restrict trade. Getting the balance wrong can have serious consequences for either the protection of fundamental rights or for international trade and development. The study provides various examples of good practices that can be built upon.

Striving for balanced, flexible, and compatible data protection regulation has become an urgent goal. Some countries have powerful regulatory mechanisms, while others have outdated legislation or none at all. In order to achieve adequate protection that allows for innovation and facilitates trade, it is essential to continue national, regional and global multi-stakeholder dialogue. International organizations dealing with trade and development, such as UNCTAD, can provide the platform for such dialogue.