Photo: STR/JIJI PRESS/AFP via Getty Images
Despite the rapidly growing role of data in today’s global economy, there exist few agreed international rules in this area. Global governance of data is a patchwork of unilateral, bilateral, and multilateral frameworks, trade rules, principles, and norms that are not universally accepted or applied. As the world’s largest economy and technology leader, the United States has a huge stake in building a favorable system of global governance for data collection, storage, security, and flows that maximizes economic growth, public health, safety, and privacy. In the run-up to the annual Asia-Pacific summits in November, the Biden administration has an opportunity to build consensus around a coherent regional approach and lay the groundwork for a global data governance regime.
The Covid-19 pandemic has had many effects on the global economy, but one of the most significant is accelerating the trend toward digitization. From businesses to students to shoppers, more people depend on technology and the internet than ever before. This trend is bringing both new opportunities and new risks. A digital economy offers tremendous advantages, including faster communication, innovative products and services, and enhanced health and safety. The rise of digital interaction also introduces new vulnerabilities, including cyberattacks and the unauthorized use of personal information.
The lifeblood of the digital economy is data. All forms of digital interaction involve the creation and transfer of data—units of information about personal characteristics or behaviors, business processes, and other digitized facts. The amount of data in today’s global economy is mind-boggling and growing exponentially. One estimate holds that more than 90 percent of the data created in human history has come into existence in the past 10 years. A growing amount of data is crossing national borders. A study conducted pre-pandemic projected that cross-border data flows would raise global output by more than 3 percent in 2020, or nearly $3 trillion; the actual figure is likely to have been much higher.
Despite the size and speed of these trends and the risks and opportunities they present for every economy, there exist few agreed-upon rules or standards about the control, storage, and transfer of data. Global governance of data today is a patchwork of unilateral, bilateral, and multilateral frameworks, trade rules, principles, and norms that are not universally accepted or applied. As major economic blocs build out their own regimes, there is a growing risk of data balkanization, with data trapped in sub-optimal regulatory silos. Such fragmentation would undermine the economic, health and safety, and other benefits that would arise with freer data flows under a more consistent global regime.
While global consensus on a single set of data rules is unlikely for the foreseeable future, like-minded countries can work toward shared principles and institutional arrangements that promote interoperability and convergence of data regimes. In a previous commentary, CSIS looked at opportunities for collaboration in this area among the Group of Seven (G7) advanced market economies. Here the authors turn to the Asia-Pacific region, where there are several promising strands of work on data governance that could be pulled together to help drive efforts toward global consensus in this critical area.
As the world’s largest economy and technology leader, the United States has a huge stake in the outcome of these efforts. A favorable system of rules, principles, and norms for data collection, storage, security, and flows is important to the growth of the U.S. economy, as well as for the health, safety, and privacy of Americans. In the run-up to the annual Asia-Pacific summits in November, the Biden administration has an opportunity to propose streamlining the various strands of work on data governance into a more coherent regional approach. From there, the administration can lay the groundwork for efforts to produce a global consensus.
As discussed in the previous commentary, philosophical and regulatory differences among major economic blocs have driven divergent approaches to data governance, particularly with regards to the regulation of personal data. (Note that there are many other types of data, such as manufacturing statistics and scientific evidence.) The European Union’s approach places the individual’s right to the protection of his or her personal data at its core, enshrining it in Article 16 of the Lisbon Treaty as a fundamental human right. The European Union’s General Data Protection Regulation (GDPR), which came into force in May 2018, holds businesses to a high standard of security and transparency in handling the personal data of EU citizens. By contrast, the United States has no unified federal approach to privacy but instead an array of sectoral rules, state-level legal frameworks, and private-sector practices. China’s model treats data as a strategic asset of the state, placing high standards on privacy for individuals and businesses but allowing broad government surveillance of personal data. All three of these models have some traction across the Asia-Pacific region, but as described in the next two sections, there are various efforts underway to build out a common regional approach.
The costs of this divergent approach to data governance were summed up in the October 2020 report of the CSIS Commission on Affirming American Leadership entitled Sharpening America’s Innovative Edge:
The patchwork of national and subnational laws governing the use, storage, and flow of data risks creating a balkanized, negative-sum outcome. Without federal regulation in the United States and alignment between national regimes, companies will have to comply with different, potentially contradictory legal guidelines to serve their customers. Restrictions on the free flow of data could limit the transfer of information, which will create challenges to financial stability and monitoring. The lack of interoperability can impair sharing of electronic medical records, which are important to managing public health crises. Various localization requirements will force firms to build redundant storage facilities, raising costs and increasing physical access points for bad actors.
Despite these costs, pulling the disparate approaches to data governance together under a single set of rules will be difficult. National authorities place different priorities on data privacy, data security, and data flows. Governments have varying degrees of capacity and political consensus to build out a coherent regime, let alone make it compatible with that of other countries. Rules that work for large, globalized companies or organizations may impose undue compliance costs on smaller entities. And the lightning pace of change in the digital world, combined with the explosion of new data, means there is limited value in a set of rules fixed in time.
Rather than one universal approach, the most realistic system of global data governance to both maximize the benefits of data flows and ensure security and privacy is one involving a variety of interoperable regimes. This in turn requires international agreement on principles governing data access, control, and sharing by governments, businesses, and other users of data. Principles can inform work on international standards to ensure that national data regimes are interoperable, if not ultimately harmonized.
As discussed in the earlier commentary on the G7, there are many efforts underway around the world to develop data principles, including at the Organization for Economic Cooperation and Development (OECD), the Paris-based institution representing 37 countries that has made data governance a priority area of work in 2021 and 2022. But no region of the world has done more to establish data principles, standards, and rules than the Asia-Pacific.
Work on data governance in the Asia-Pacific region is proceeding along two broad tracks: negotiation of legal disciplines in trade agreements and development of non-binding principles. Rules on cross-border digital commerce have been enshrined in regional trade agreements since at least the U.S.-Singapore free trade agreement of 2004, but digital trade rulemaking took a quantum leap with the signing of the 12-nation Trans-Pacific Partnership (TPP) in 2016. As documented by the office of the U.S. trade representative at the time, the TPP incorporated at least two dozen commitments on digital trade. These included enabling most cross-border data flows, creating baseline enforceable consumer protections, and barring forced technology transfer. All of these commitments were preserved in the successor agreement to TPP, which was brokered by Japan among the 11 remaining members after the United States pulled out in early 2017.
The United States-Mexico-Canada Agreement (USMCA), which entered into force in July 2020, incorporated most of the TPP disciplines on digital trade but built upon them in several ways, among them defining the liability of intermediary service providers, protecting non-disclosure of software source code and related algorithms, and ensuring that non-sensitive government data be publicly available. The agreement also recognized the Cross-Border Privacy Rules (CBPR) developed by the Asia-Pacific Economic Cooperation (APEC) forum as a valid data transfer mechanism. Subsequent bilateral deals between Asia-Pacific partners—including the U.S.-Japan Digital Trade Agreement of 2019 and the Singapore-Australia Digital Economy Agreement—have taken digital rulemaking in the region even further by adding new commitments that build on existing trade agreements.
The most recent development in digital trade rulemaking occurred in late 2020, when 15 Asia-Pacific economies—10 Southeast Asian countries plus China, Japan, South Korea, Australia, and New Zealand—signed the Regional Comprehensive Economic Partnership (RCEP). The deal was groundbreaking in scope, with member countries representing 30 percent of global GDP. Like the Comprehensive and Progressive Agreement for Trans-Pacific Partnership (CPTPP), RCEP includes an extensive digital trade chapter. This represents the first-ever commitment in principle by China to binding rules on data flows and localization. However, the agreement provides for significant exceptions, allowing regulatory restrictions on cross-border data flows that are effectively unchecked by a dispute-settlement process. RCEP also allows individual countries to deem when data localization requirements may be necessary, unlike other recent agreements in the Asia-Pacific.
In addition to these intra-regional agreements, Asia-Pacific economies have signed trade deals with non-regional partners that incorporate digital commitments, including Japan’s economic partnership agreements with the European Union (which entered into force in 2019) and the United Kingdom (in 2021). Figure 1 provides a summary of key provisions in all the regional trade agreements mentioned above.
One major benefit of trade agreements as vehicles for advancing data governance is the fact that they are legally binding and enforceable. This is especially important where clear legal obligations are beneficial, like the duty-free treatment of electronic transmissions and the processing of expedited shipments. On the other hand, trade agreements take years and significant political capital to negotiate, and the rules embedded in them are difficult to change, a particular shortcoming when it comes to the ever-evolving digital economy. Moreover, trade is not the whole story; there are a number of other dimensions of data governance, from digital inclusivity to the ethics surrounding artificial intelligence (AI), and it may not be feasible or desirable to embed all of these in trade agreements. This highlights the importance of the second track of data governance work in the Asia-Pacific region: developing non-binding principles.
Data are critical not only because of their role in cross-border digital commerce, but also in an array of non-trade contexts, for example when researchers study anonymized health data to test vaccine efficacy or companies develop AI applications. These uses of data raise a range of domestic legal, regulatory, and policy issues that may not be amenable to binding trade agreements but that clearly have implications for cross-border data flows. This is where international work on non-binding data governance principles can play an important role.
An array of governments, multinational institutions, and private-sector groups are conducting critical work to build out principles and align interests on data governance. In addition to its new two-year focus on the subject (mentioned earlier), the OECD agreed last year to host a new Global Partnership on AI and to develop high-level principles for trusted government access to personal data. For its part, the Global Data Alliance, an industry coalition, issued a set of cross-border data principles in March 2021 covering issues such as transparency, non-discrimination, and interoperability.
Meanwhile, countries in the Asia-Pacific region have been on the forefront of work to develop principles for data governance. At the highest level, Japan has proposed the concept of “data free flow with trust” (DFFT) as an organizing principle for a global approach to data governance. DFFT has won endorsement by both Group of 20 (G20) and G7 leaders. As discussed in the earlier CSIS commentary, there is an opportunity under the United Kingdom’s G7 chairmanship in 2021 to flesh out the concept into a common position on data governance among the world’s largest advanced market economies.
Singapore has also emerged as a leader on data governance work in the Asia-Pacific. In addition to serving as co-convener (together with Japan and Australia) of the e-commerce negotiations in the World Trade Organization (WTO), Singapore has launched a high-profile effort to build out international standards and interoperability through digital economic agreements (DEAs). These can take the form of binding trade agreements, such as the Singapore-Australia Digital Economy Agreement (SADEA) that was signed in August 2020. But a non-binding variety of DEAs has also emerged that could play a critical role in building regional consensus on data governance.
In June of 2020, Singapore joined with New Zealand and Chile to launch the Digital Economy Partnership Agreement (DEPA), a non-binding undertaking to deepen cooperation in the digital economy, including on data governance. DEPA (see Figure 2) is the most advanced model of a flexible, scalable platform for like-minded partners to build out digital principles and standards that promote efficiency, trust, and interoperability. It includes 14 “modules” for joint work, ranging from digital identities and e-invoicing to cross-border data flows and AI ethics. The agreement’s non-binding nature enables experimentation and allows partners to address new issues quickly without getting bogged down in cumbersome trade negotiations.
Singapore is also a key member of regional organizations that are advancing non-binding principles on data governance. In 2018, APEC established a Digital Economy Steering Group (DESG), which looks at challenges in digital and data governance from a broad economic perspective beyond trade. The group is doing important work on a range of issues, from digital infrastructure to broadband access and research-based data sharing. These issues are often grounded in domestic policy, so while they have implications for trade, they are difficult to incorporate in binding agreements. The DESG also oversees APEC’s CBPR efforts.
The Association of Southeast Asian Nations (ASEAN), another key regional grouping, proposed a Cross-Border Data Transfer Mechanism in early 2021 using model contractual clauses to legally transfer data outside of ASEAN countries. If implemented, this will offer a cost-effective and flexible data-transfer mechanism that enables interoperability across different national privacy frameworks. The United States has an opportunity to expand work with ASEAN in a number of existing initiatives, including through annual consultations as an ASEAN Dialogue Partner, through the U.S.-ASEAN Trade and Investment Framework Agreement (TIFA), and through a new project funded by the U.S. Agency for International Development (USAID) entitled Inclusive Growth in ASEAN through Innovation, Trade, and E-Commerce.
The digital economy is a vast and dynamic galaxy. Even the subset of issues that make up the “solar system” of data governance is huge and complex. As argued above, the most coherence we are likely to see in this system over time is a collection of different but interoperable regimes. All of this will be difficult to manage; it will require some kind of coordinating mechanism.
When the 44 allied countries met at the end of World War II to organize the postwar global economic order, they agreed to establish a set of institutions with buildings in Washington or Geneva and overarching rulebooks: the International Monetary Fund, the World Bank, and what ultimately became the WTO. Physical buildings do not seem fit for the purpose of digital economy governance in the twenty-first century. Still, there will be a need for a locus of regional and global coordination of digital rules, standards, and principles.
One solution would be a network of policy officials around the world who meet to share information and best practices, develop agreed principles and standards, and coordinate individual country approaches. One model that has been offered up is the Financial Stability Board (FSB)—the group of financial policy officials and regulators set up during the global financial crisis of 2008. It is not clear who the analogous representatives to a digital version of the FSB would be, since most countries (including the United States) do not have national regulators for data or other digital issues akin to the financial regulators who meet at the FSB.
This highlights the need for better coordination of digital and data policy within the major countries that would be party to a coordinating body in the Asia-Pacific region or beyond. The starting point for the United States is passing federal privacy legislation that pulls together the various frameworks that exist at the sectoral and state levels. There is also a need for a single locus of responsibility for digital policymaking at the White House. In addition to coordinating the work of various relevant agencies across the U.S. government—including the State, Commerce, and Treasury Departments and the Office of the U.S. Trade Representative—this White House designee would serve as Sherpa, or presidential representative, to the international coordination group envisaged above.
The Biden administration faces a serious tension in its strategy toward the Asia-Pacific region that a thoughtful approach to data governance could help ameliorate. On one hand, the administration has made clear by its words and actions that it intends to work closely with allies and partners on global challenges. It has put a special emphasis on key Asia-Pacific allies, particularly Japan, Australia, and the Republic of Korea. On the other hand, the administration has been explicit in its aversion to traditional trade agreements and has been particularly clear that it is in no rush to rejoin TPP.
The tension arises because Asian allies and partners expect the United States to be actively involved in regional economic integration efforts, including comprehensive trade arrangements like TPP. Key regional partners such as Japan have made no secret of their hope that the United States will rejoin TPP eventually. The U.S. absence from regional trade arrangements is particularly troubling to partners because of perceptions that China has seized the initiative in this regard, having steered RCEP to conclusion last year and subsequently expressed possible interest in joining TPP.
The United States has a particular interest in ensuring that China’s model of data governance—one based on state control of personal and other information, data localization requirements, and data protectionism—does not prevail in the Asia-Pacific region. This would not only harm the commercial interests of the United States and its partners but also jeopardize the health and safety of Americans and make it more difficult for the United States to maintain its innovative edge, by limiting the substantially free flow of data. Thus, aligning with like-minded partners in the Asia-Pacific on data governance should be a priority for U.S. strategy in the region.
Nothing would give a more powerful boost to U.S. strategy in the Asia-Pacific than President Biden’s publicly signaling an interest in rejoining TPP, even if this is presented as a longer-term goal. The general consensus in Washington is that such is signal is unlikely to be forthcoming in the near term. As a second-best alternative, a number of analysts have called for the Biden administration to initiate sectoral trade negotiations as potential building blocks to an eventual regional deal. This approach is certainly worthy of consideration. However, as mentioned earlier, prioritizing digital trade negotiations in the Asia-Pacific would have a significant price in terms of time and political capital. This could distract from other important work in the digital arena, including the WTO e-commerce negotiations, efforts to find middle ground with the European Union on digital issues, and promoting other useful work on digital and data governance in the Asia-Pacific region. Before embracing digital trade negotiations as the centerpiece of its strategy, the Biden administration should consider the relative benefits of docking onto the various non-binding efforts to promote data governance in the region, discussed above.
U.S. president Biden and Japanese prime minister Yoshihide Suga in a joint press conference on April 16, 2021. Photo: MANDEL NGAN/AFP via Getty Images.
The Biden administration has a major opportunity in 2021 to seize the initiative on data governance in the Asia-Pacific region and beyond. By pulling together the different strands of work in the region, the administration can kill two birds with one stone: first, encouraging progress toward U.S.-preferred principles and standards in this critical area; and second, offering a skeptical region a credible form of economic engagement in the Asia-Pacific at a time when the administration is not ready to signal an early return to TPP. The initial goal of these efforts would be to create a common regional approach, which other countries would be invited to join, and which could inform work in groups with overlapping membership, such as the G7, the G20, the Quadrilateral Security Dialogue (the “Quad”), and a potential “T12” technology alliance. Eventually, all of this work could lead to a global regime for data governance—the missing “fifth pillar” of global economic governance to accompany the three Bretton Woods institutions and the energy-related arrangements of the 1970s.
Specific recommendations for the U.S. government follow.
Matthew P. Goodman is senior vice president for economics at the Center for Strategic and International Studies (CSIS). Pearl Risberg is research associate with the CSIS Economics Program.
Akhil Thadani, CSIS Economics Program research intern, provided research support.
This brief is made possible through the generous support of the Japan External Trade Organization (JETRO).
CSIS Briefs are produced by the Center for Strategic and International Studies (CSIS), a private, tax-exempt institution focusing on international public policy issues. Its research is nonpartisan and nonproprietary. CSIS does not take specific policy positions. Accordingly, all views, positions, and conclusions expressed in this publication should be understood to be solely those of the author(s).
© 2021 by the Center for Strategic and International Studies. All rights reserved.
