Operationalizing Data Free Flow with Trust (DFFT)
Data is one of the most valuable resources in today’s global economy—yet the rules that govern it are uneven and not conducive to beneficial cross-border data flows. Four years since former Japanese prime minister Abe Shinzo proposed the “Data Free Flow with Trust” (DFFT) concept to combine the privacy and security of personal and sensitive data with the enhancement of cross-border data flows, the Japanese government, as host of the Group of Seven (G7) advanced market democracies in 2023, is now trying to turn the concept into reality. This brief analyzes the evolution of DFFT since 2019 and provides the following suggestions for how Japan can operationalize the concept:
- Define “trust” and refine its application, both to specific data types and how it is applied;
- Focus on making national data governance systems interoperable, rather than identical;
- Build on existing and emerging governance models, such as the Global Cross-Border Privacy Rules (CBPR) and Organization for Economic Cooperation and Development (OECD) declaration on trusted government access to data;
- Select a single international organization to coordinate DFFT, composed of a permanent secretariat, a government consultative body, and a multistakeholder advisory body; and
- Enable global multistakeholder input to build trust among digital economy stakeholders.
The Need for Trusted Data Flows
Today’s global digital economy is fueled by data. Any action taken in the digital economy, whether it be buying a good, selling a service, or accessing a piece of information, requires the creation and transfer of data—and lots of it. More than 221 zettabytes of data—or roughly enough to store 110.5 trillion movies—will exist in the world by 2026, and much of this data will flow across national borders. These cross-border data flows do not just support the digital economy, they are also invaluable for improving the efficiency and resilience of trade in goods and services online and on the ground. Cross-border data flows also buttress other key government functions, such as efforts to safeguard national security, track cross-border carbon emissions, and deliver global medical assistance.
Despite the ubiquity of cross-border data flows, there exist few globally agreed rules governing the collection, storage, processing, and transfer of data. Instead, global data flows today weave through an increasingly complicated and conflicting maze of unilateral, bilateral, and multilateral frameworks, trade rules, principles, and norms that are unevenly accepted or applied.
Within this context, the digital economy is becoming balkanized by economic blocs building out contrasting data governance models. China is building out a digital regime predicated on authoritarian control; the European Union is crafting a digital ecosystem shaped by heavy regulation; and the U.S. digital economy, without comprehensive federal digital privacy legislation or a coherent strategy, is an arena where leaps in innovation exist in parallel with privacy and equity concerns. For countries such as Japan and others, these three models are suboptimal and hinder the pursuit of a free, open, and interoperable global digital economy.
DFFT has the potential to counteract the balkanization of data governance by fostering a more trusted and interoperable global governance system that enables cross-border data flows. But for this to happen, DFFT must transform from a lofty concept into a tangible reality. Building on prior studies and discussions about global data governance challenges, this brief explores Japan’s plans to operationalize DFFT during its 2023 G7 host year and offers recommendations on how to most effectively put DFFT into practice.
The Evolution of DFFT
In January 2019, former Japanese prime minister Abe Shinzo pitched DFFT at the World Economic Forum in Davos as a new model for global data governance. The DFFT concept, simply put, is to promote the free flow of data across borders while ensuring trust in privacy, security, and intellectual property (IP). DFFT aims to reconcile two related and compatible policy objectives: (1) promoting free data flows to foster economic growth and (2) protecting individual privacy, national security, and IP through trusted regulations. “Trust” is central to the DFFT concept, but the term remains vaguely defined in practical policy terms.
The DFFT concept was first memorialized by the Group of Twenty (G20) in their 2019 Osaka Leaders’ Declaration, which most of the world’s largest economies—with the notable exception of India—affirmed:
"Cross-border flow of data, information, ideas and knowledge generates higher productivity, greater innovation, and improved sustainable development, while raising challenges related to privacy, data protection, intellectual property rights, and security. By continuing to address these challenges, we can further facilitate data free flow and strengthen consumer and business trust. In this respect, it is necessary that legal frameworks, both domestic and international, should be respected. Such data free flow with trust will harness the opportunities of the digital economy. We will cooperate to encourage the interoperability of different frameworks, and we affirm the role of data for development. We also reaffirm the importance of interface between trade and digital economy, and note the ongoing discussion under the Joint Statement Initiative on electronic commerce, and reaffirm the importance of the Work Programme on electronic commerce at the WTO."
In the nearly four years since DFFT was endorsed by the G20, Japan has advanced the concept in several ways. In April 2021, a G7 Roadmap for Cooperation on DFFT was adopted at the G7 Digital and Technology Ministerial Meeting. The roadmap laid out four key cross-cutting areas of cooperation: (1) data localization, (2) regulatory cooperation, (3) government access to data, and (4) data sharing for priority sectors. In May 2022, this roadmap was built upon with a new G7 Action Plan for Promoting Data Free Flow with Trust, which reaffirmed these four areas of cooperation while adding focus to fostering future digital regulatory interoperability, promoting DFFT in the context of digital trade, and sharing knowledge about “international data spaces”—an emerging interoperable data-sharing architecture. Japan has also infused DFFT into new trade agreements, such as the U.S.-Japan Digital Trade Agreement (USJDTA) and the Japan-UK Comprehensive Economic Partnership Agreement (Japan-UK EPA).
This year, Japan aims to shift DFFT from concept to reality. Immediately prior to assuming the G7 presidency, Japanese prime minister Kishida Fumio signaled this goal, saying “Three years ago in Davos, our country advocated DFFT. We are taking the DFFT even further forward.” Tokyo is hoping to secure endorsement of an institutional framework for implementation at the G7 Digital and Technology Ministers’ Meeting in Gunma in late April 2023. To achieve this, Japan and its G7 partners have two main avenues to operationalize DFFT.
Avenues for Operationalizing DFFT
Tokyo has identified two tracks for operationalizing DFFT: a trade track and a regulatory track. These workstreams roughly include building trade rules that can facilitate DFFT; regulatory cooperation and upholding common and good regulatory practices; and cooperation on the development of regulatory technology (RegTech) that can facilitate the interoperability of different data governance approaches. While each route offers promise for transforming DFFT from concept to reality, challenges to international cooperation in these areas remain, both in the G7 and in broader country groupings. For DFFT to advance on these two tracks, international policymakers should consider the following points.
Digital trade is a fractured space. The United States, European Union, and China have all used their large market sizes to develop contrasting data governance regimes that complicate digital trade across borders. Outside of these economies, digital protectionism has reached an all-time high. Between 2017 and 2021, data localization measures doubled across the world, diminishing gross trade output in data-restrictive jurisdictions. Countering the proliferation of data localization remains a priority on DFFT’s roadmap. Bilateral trade agreements with like-minded partners—following the USJDTA and Japan-UK EPA models—are the relatively low-hanging fruit for Japan to begin operationalizing DFFT. Operationalizing DFFT among countries with differing approaches to digital trade or in multilateral trade forums represents a greater challenge.
Digital trade workstreams are fragmented throughout various multilateral forums. No single international organization is responsible for overseeing digital trade. Rather, a number of different organizations and groupings—such as the World Trade Organization (WTO), OECD, G20, and G7—are all engaged in digital trade discussions. At the WTO, Australia, Japan, Singapore, and nearly 70 other WTO members are advancing digital trade negotiations toward a Joint Statement Initiative (JSI) on E-commerce, a plurilateral negotiation aimed at developing global rules for e-commerce. The OECD has been engaged in digital trade conversations as well, with recent work focusing on global data governance as Phase III of the organization’s Going Digital Project. Digital trade has also emerged, to varying degrees, as a priority in G20 and G7 trade ministers’ convenings. DFFT has obvious intersections with digital trade work in each of these venues. The challenge for DFFT’s operationalization is where concentrated work to implement the concept should take place.
A particular challenge at present is that the Biden administration in the United States is reluctant to negotiate binding international rules on digital trade. The Biden administration’s Indo-Pacific Economic Framework for Prosperity (IPEF), a novel regional economic agreement, will include a digital chapter, but its scope will be limited. As detailed in a January 2023 CSIS Economics Program and Scholl Chair in International Business report, core digital trade issues related to free data flows have become newly contentious. While the U.S. business community and Congress continue to advocate for free cross-border data flows, labor and certain civil society groups actively oppose negotiating binding international rules on digital trade on the grounds that this would infringe on Congress’s “right to regulate” emerging digital challenges. Given the White House’s sensitivity to domestic labor concerns, the United States is unlikely to support efforts to advance DFFT through binding digital trade rules for the foreseeable future.
Advancing DFFT on a regulatory track can leverage momentum on digital regulatory cooperation and RegTech development. Governments across the globe have long histories of crafting regulations to protect interests such as privacy, security, and IP. However, the ways in which these regulations are enacted can depend on a variety of factors, including culture, business conditions, and legal precedent. Homogenizing data regulations across borders is an impossible task. Rather than trying to make each country’s laws and regulations the same (known as harmonization), the DFFT concept suggests that governments should cooperate on digital regulations based on mutually agreed-upon common privacy, security, and IP principles.
DFFT has the potential to complement existing efforts to make national privacy standards interoperable. Already, principles such as the OECD Privacy Guidelines or the Asia Pacific Economic Cooperation (APEC) Privacy Framework serve as the normative foundations for many national privacy standards. In the Indo-Pacific, the APEC Cross-Border Privacy Rules (CBPR) system has provided a certification mechanism to make privacy standards among APEC economies interoperable to enhance cross-border data flows. Several APEC economies, including the United States and Japan, are championing a Global CBPR system to globalize the APEC model. This effort aligns with the DFFT concept and offers a vehicle to spread DFFT outside the G7 and Indo-Pacific contexts.
Within the G7, divergent transatlantic digital privacy standards will present a challenge to DFFT’s advancement. In 2016, the European Union adopted the General Data Protection Regulation (GDPR), a stringent privacy standard governing the data of EU citizens. The GDPR applies extraterritorially, establishing criteria that other countries must meet in order to permit cross-border data flows with the European Union. The United States has been unable to meet such criteria and has instead entered into two agreements with the European Union—Safe Harbor and Privacy Shield—to permit transatlantic data flows. However, these two agreements were invalidated by challenges in the European Court of Justice, Schrems I and Schrems II. It remains to be seen whether the third U.S. attempt to comply with the GDPR, the October 2022 EU-U.S. Data Privacy Framework, will succeed. Reconciling the European Union’s assertive approach to data privacy with other approaches will be a challenge not just for the G7 but also for broader alignment on trusted data flows.
DFFT can also build upon recent advancements in regulatory cooperation on data flows and security. In December 2022, the OECD adopted a landmark agreement on trusted government access to data “clarifying how national security and law enforcement agencies can access personal data under existing legal frameworks.” This OECD Declaration on Government Access to Personal Data Held by Private Sector Entities sought to “improve trust in cross-border data flows” in line with DFFT and was developed with extensive multistakeholder consultation. It presents a mechanism for making security data regulation interoperable among adherents to boost cross-border data flows and offers a potential model for DFFT regulatory cooperation in other areas, such as IP protection, good regulatory practices, or RegTech development.
Operationalizing DFFT is largely a matter of institutionalizing DFFT. For the concept to be put into practice and scale globally, DFFT must be incorporated into the architecture of the global economic order. Japan hopes to establish a single forum for DFFT where governments and other stakeholders can convene to discuss and develop rules and frameworks for global data governance—ideally at an existing international organization, such as the OECD, with a designated secretariat. In conjunction with this DFFT secretariat, Japan is launching an Institutional Arrangement for Partnership on DFFT, a multistakeholder group involving governments, policy experts, companies, universities, and other relevant entities. Together, the DFFT secretariat and its broader multistakeholder community would develop specific projects and workstreams to implement DFFT, with close coordination and monitoring.
Selecting the right institution to be a steward of DFFT’s next phase is essential. The OECD, which represents all G7 countries, is a strong candidate, with its history of work on global data governance and recent success in advancing multistakeholder workstreams related to trusted data flows. However, the OECD represents only 38 member countries—lacking the near-universal membership of organizations such as the WTO. Another proposed approach, convening a more flexible forum of data regulators akin to the model of the G20’s Financial Stability Board, would expand inclusivity but at the expense of existing institutional capacity. Whichever approach is adopted, the institution that is selected to house DFFT must be made up of similarly like-minded and ambitious countries and organizations. This institution should serve as a focal point for disparate conversations on data governance occurring in global forums such as the WTO, OECD, G20, and G7, as well as in plurilateral groupings such as APEC and IPEF.
Japan has the opportunity to leverage its G7 host year to operationalize DFFT by having the leaders of the world’s largest advanced liberal democracies endorse an institutional framework for implementing the data governance concept. The CSIS Economics Program recommends that Japan take the following steps to move DFFT forward this year:
- Define “trust” and refine its application. While trust is central to the DFFT concept, it remains vaguely defined. Japan should seek an agreed-upon definition of trust from the G7 that incorporates both basic privacy, security, and other protections but also avoids being so rigid or prescriptive that it precludes interoperability of data regimes (see next recommendation). Japan and its partners should also refine the specific priority data sectors that DFFT should apply to, and how this definition of trust can be applied in each specific data context.
- Focus on making national data governance systems interoperable. As Japan operationalizes DFFT, it should focus on the important and realistic option of ensuring that all countries’ approaches to privacy, cybersecurity, financial oversight, and other data-related issues are compatible. Governments have, and will continue to have, heterogeneous approaches to these issues. Rather than driving toward a single global regime of harmonized laws and regulations, the DFFT concept should be focused on building interoperability between national data systems based on shared principles and mutual recognition.
- Build on existing and emerging trusted models to advance DFFT. While data flows continue to fragment globally, progress is being made in advancing trusted data flows in specific sectors and spaces. Japan should leverage momentum behind Global CBPR discussions and the OECD’s trusted government access declaration, working with these movements to advance DFFT.
- Select a single international organization to coordinate DFFT advancement in various areas. While the DFFT concept should be advanced in a variety of trade and regulatory settings, both bilaterally and multilaterally, its projects should be coordinated by a single international organization, such as the OECD. In institutionalizing DFFT, this body should include a permanent secretariat, a government-to-government consultative body, and a multistakeholder advisory body.
- Enable global multistakeholder input. Japan should build on its domestic multistakeholder input processes to solicit meaningful feedback on DFFT operationalization from governments, businesses, research institutions, and civil society organizations across the globe. Building trust among digital economy stakeholders will be essential to make DFFT a durable and practical concept.
In the four years since former Japanese prime minister Abe Shinzo introduced the concept of DFFT, the idea has spread through the G20, G7, and bilateral arrangements. This year, Japan has a unique opportunity to take DFFT to the next level during its G7 host year. Japan must define and refine what “trust” is and how it is applied, make national data governance systems interoperable, build on existing and emerging trusted models, select the right international organization to coordinate DFFT, and enable continued global multistakeholder input. Accomplishing these tasks will enhance the potential for DFFT to transition from a lofty ideal into a tangible reality.
The need for globally agreed rules that enable trusted data flows is urgent and significant. Japan’s G7 leadership and the outcomes for DFFT at Gunma and Hiroshima could help meet this crucial need.
Aidan Arasasingham is a research associate with the Economics Program at the Center for Strategic and International Studies (CSIS) in Washington, D.C. Matthew P. Goodman is senior vice president for economics at CSIS.
Research intern Luna Khanh Linh Bui provided valuable research support.
The authors would like to thank experts from the government, civil society, and the private sector consulted for this brief for their time and insights.
This brief is made possible through the generous support of the Japan External Trade Organization (JETRO).