With COVID-19 pandemic, more and more governments started to understand the importance of cross-border data sharing, storage and protection for common good. Before that, governments learned a better understanding of the economic value of data. The logical thing then, as it was with global finance and trade previously, is to come up with global governance for data, that is, with global rules on data flows, privacy, protection and other data-related issues.
Yet, as I argue below we do not have one yet. Rather, global data governance is in its emerging fragmented form. I argue that there two reasons for this fragmentation: a clear divide between winners and losers and a lack of suitable political arrangements that would accommodate their differences.
Winners and Losers
Global regulation of data, should it happen anytime soon, will have clear winners and losers. Among data powers — actors that hold substantial economic and political influence over global data flows — the divide is clear.
US and its globally leading tech industry benefits from the lack of global regulation of data — tech start-ups could not have capitalized on a massive amounts of personal data if global data protection and privacy checks were in the place back in the early 2000s.
EU wants global regulation for data as it is playing a catch-up game with the US. European tech market – fragmentated across start-ups based in different member-states – needs common rules and shared resources to compete with the US and China on an equal ground. EU’s strategy to protect European data and keep it within European borders is its attempt to reject providing free data resource for US tech giants. Without global regulation, the EU knows, chances for keeping up are low.
In a strange alliance with the EU, China would prefer global regulation as well, although of a different kind. In contrast to the EU, it is not a matter of economy for China, as it was able to nurture and grow own tech giants. It is a matter of politics — borderless flow of data equals borderless flow of ideas, values and experience, which pose a risk to the country’s political and social order. As such, China’s vision for global regulation of data is the one where data crosses borders only under the consent, supervision and monitoring of goverments.
In sum, global regulation of data will create costs for the US and bring benefits to the EU and China. The divide is clearly seen in the language these three use to describe global data rules. US likes to emphasize free flow of data in the same manner as they like to speak about free flow of goods, services and capital — in other words, as a matter of international trade. For China, data governance is a matter of national cybersecurity, something that has direct impact on national stability. EU speaks about data governance as part of European integration agenda, and as such, mentions of “data sovereignty” and “cloud federation” are frequent.
Having a clear divide between losers and winners of global regulation of data means that there is no global political arrangement that would accommodate their different and competing preferences.
Policies based on different priorities will lead to different outcomes. As such, China’s global regulation based on respect for digital national borders and the right of the government to access any data that crosses its borders for “security” reasons might be interesting for Russia and Turkey, but the US and the EU will not join their club.
EU’s regulation based on data rights and data protection may appear too burdensome and bureaucratic for the US, and China would oppose any framework that puts strong emphasize to (digital) human rights.
Lastly, the US’s regulation based on free trade will be criticized by the EU for minimal data protection safeguards, and China would argue that data governance is not a matter of international trade.
As of now, there is no global governance for data. Instead, we observe smaller clubs organized around common data rules based on geographic proximity or economic interests. We have EU and its club of GDPR-compliant members. There is US and its club of trade partners that agree to data rules as defined in the e-commerce chapters of their bilateral and mega-regionals agreements. There are smaller regional initiatives such OECD and APEC that provide standards and best practices for their members. Finally, there are standalone actors like China, India and Brazil that do not see themselves fitting anywhere and that may ended up creating a club of their own.
What we observe is fragmentation of data governance at the international level that takes place on two levels. First, we see lack of centralized rules on how to govern data. Instead, data powers and international bodies promote not compatible set of rules. Second, we also observe divergence of policy priorities among different countries: those advocating for regulation, those advocating against regulation, and those, asking “what kind of regulation” and finally those who did not decide for themselves yet.