Data Governance Principles for the Global Digital Economy
In January 2019, Japanese Prime Minister Shinzo Abe called for the upcoming G20 summit in Osaka to “be the summit that [starts] world-wide data governance.” The rise of the data economy has driven unprecedented growth and innovation in recent decades but is also generating new policy challenges for global leaders. Figuring out how to govern the complex data ecosystem, both enabling its potential and managing its risks, is becoming a top priority for global policymakers.
In partnership with the Omidyar Network, the CSIS Technology Policy Program and Project on Prosperity and Development developed a set of data governance principles for the G20 member states, which can inform the development of data governance frameworks around the world.
Discussions of data governance are not happening in a vacuum. Laws, conventions, frameworks, norms, and protocols around data have existed for decades. Data governance is implicitly or explicitly wrapped up in existing governance mechanisms around privacy, digital trade and e-commerce, and human rights law. Few of these, however, anticipate emerging technology trends that have extended the reach of digital tracking into the physical world and have allowed us to derive detailed insight from the immense ocean of data generated by the digital economy.
We set out to fill four key gaps in the existing global architecture of data governance.
First is the need for consistency, interoperability, and coordination of the myriad international, regional, national, and local laws and regulations that impact data. The data ecosystem is fundamentally global and cross-functional, and gaps and inconsistencies between jurisdictions create uncertainty and limit the tools available to address harmful uses of data. Second, existing rules and frameworks and the current debate around data governance often focus almost exclusively on personal data and privacy with little thought to broader impacts of data, for example on competition, mobility, and trade. Third, most existing data governance frameworks, and much of the global debate around data governance, focus on controlling access to data instead of how it is used. Fourth, these debates are often framed around the rights and freedoms of data subjects at the expense of other stakeholders and society broadly.
To address these gaps, we convened a series of multi-stakeholder meetings to help us identify a set of data governance principles that can be applied in a range of institutions, organizations and national and sub-national laws and regulations. Through this process, we developed ten principles, three core objectives, and seven essential mechanisms that can inform the development of consistent and effective data governance structures around the world. We have presented these principles in the form of a model G20 statement articulating the principles and the logic behind them.
We affirm that national and international data governance frameworks should support the following objectives to:
- empower people and societies to make informed choices about how digital data is generated, used and shared;
- protect human rights, including the right to privacy, against infringement, and utilize data and digital systems to promote citizens’ rights; and
- safeguard the ability of innovators, entrepreneurs and service providers to collect, share, and use data, as long as they do not violate any of these other principles.
We further call for these frameworks to be risk-based, appropriately tailored, and include specific mechanisms to:
- preserve the free flow of data across borders and between jurisdictions, and protect the mobility of people, goods, and services;
- facilitate the portability of data and ensure the interoperability of digital systems around the world, as well as compliance with global standards;
- provide meaningful transparency and accountability and enable the enforcement of rights;
- hold data processors responsible for the security and integrity of data and digital systems;
- reflect the needs of a diverse range of stakeholders, including private industry, civil society, and governments;
- discourage data practices that serve as a barrier to fair and open competition; and
- provide that data processors respect all laws and regulations, and the unique culture and customs, of all jurisdictions in which they operate, irrespective of location in which data is collected, stored, processed or used, as long as those laws or customs do not violate any of the above principles.
What is this document? It is meant to be a consensus document, with all the strengths and weaknesses thereof. Our meetings convened a broad range of stakeholders with very different views on these issues and very different goals for the global data governance effort. We were alternately criticized for being too privacy-centric, not privacy-centric enough, too statist and so private-sector focused that we were undermining sovereignty; all of this suggested to us that we were near to a middle path in this debate.
This document is NOT a “data bill of rights,” but neither does it preclude the development of one. While individual rights are an essential part of a successful governance framework, alone, they are not sufficient. Instead, this document seeks to identify principles that protect the rights and equities of a broader range of stakeholders, including consumers, business leaders, innovators, governments, and broader society.
It is also not a comprehensive set of rules and regulations for data governance. Data governance is fundamentally a cross-cutting issue that must be embedded into the fabric of international governance at multiple levels and across many domains. It is also an issue that will be heavily influenced by the cultures and customs of the people it seeks to empower and protect. Instead, we sought to develop a series of principles that can inform the development of laws, rules, and regulations at the international, sub-national, and local levels in a variety of domains—from bilateral or multilateral treaties and trade agreements to international institutions and standards bodies.
Our “Data Governance Principles for the Global Digital Economy” are designed to establish a baseline of global norms of data governance that go beyond privacy and individual rights, to empower innovators and entrepreneurs to leverage data to solve problems while also managing risks, and to form the basis of a consistent and interoperable global data governance architecture.
Produced thanks to the generous support of the Omidyar Network to the CSIS Technology Policy Program and the CSIS Project on Prosperity and Development.