‘Data free flow with trust’ (DFFT) – which seeks to enable cross-border free flow of data while addressing concerns over privacy, data protection, intellectual property rights, and security – has been a priority of global digital policy coordination since the G20 first raised it during Japan’s 2019 presidency.
Although positively received by a wide range of countries which recognize the potential economic and social benefits of enabling a greater cross-border flow of data, it is not easy to introduce common legal frameworks to ensure DFFT. Countries often have varied domestic and regional legal frameworks due to different concepts of privacy or data security.
The G7 did put digital policy at the centre of its 2021 agenda, discussing broad digital and technology shifts from physical infrastructure such as 5G, future communication technologies, and technical standards to soft infrastructure, such as rule-making on data flow and internet safety principles. And one notable outcome was the establishment of the G7 Roadmap for Cooperation on Data Free Flow with Trust at the G7 Digital and Technology Ministers’ meeting in April 2021 – also endorsed by two of the G7’s guest countries South Korea and Australia.
But despite shared democratic values of open and competitive markets, strong safeguards for human rights, and fundamental freedoms, the G7 and its partners have different ideas on how best to approach DFFT, and so greater UK-EU-Japan policy coordination to overcome any inconsistencies in approach can play a key role.
UK using soft power
Brexit gave the UK an opportunity to refresh its approach to DFFT, having previously adhered to the European Union (EU) general data protection regulation (GDPR). The UK’s Integrated Review of Security, Defence, Development and Foreign Policy has since set out a number of priority actions, such as promotion of the international flow of data to enable secure, trusted, and interoperable exchange across borders.
The UK is clearly trying to use its ‘soft power’ by establishing regulatory influence - as well as including data flows in trade deals, it is making ‘adequacy decisions’ with priority countries deemed to have suitable and robust safeguards of data. The UK-Japan comprehensive economic partnership agreement (CEPA) – the UK’s first post-Brexit trade deal – includes bans on unjustified restrictions of cross-border electronic information transfers for business purposes, and on unjustified requirements to use or locate computing facilities in the countries in which business is conducted (this is known as ‘data localization’, a barrier to the free cross-border flow of data).
These changes mark a huge step-up from the arrangements made under the earlier EU-Japan trade deal, but it remains to be seen how the UK will adopt DFFT frameworks with broader trade partners in Asia, including via the CPTPP.
The G7 Roadmap – which the UK will lead – aims to deliver tangible outcomes on digital policy while being mindful of harmonization with the efforts of other international forums such as the G20 and Organisation for Economic Co-operation and Development (OECD). But if the UK coordinates this harmonization effectively, expect the global formation of a DFFT area to expand dramatically.
Japan’s contribution to DFFT
Japan is another key leader of DFFT and it maintains a rigorous domestic personal data protection and privacy framework which the EU, with its own privacy protection regime considered the toughest in the world, recognizes as adequate to allow data sharing between the two parties.
Japan has also expanded its area of free data flow through trade agreements, incorporating similar provisions to those of the UK-Japan CEPA in the Japan-US digital trade agreement and the Comprehensive and Progressive Agreement for Trans-Pacific Partnership (CPTPP).
The Regional Comprehensive Economic Partnership (RCEP) – the world’s largest free trade bloc of which Japan is a member – has also introduced frameworks for the free flow of data and a ban on data localization, but these frameworks are not as rigorous as those Japan has agreed elsewhere. Implementing parties may decide to ban data flow or enable data localization in exceptional circumstances that other parties are not allowed to dispute – this has generated concern over potential deviations from the original aims of the DFFT framework.
More broadly, there is also often ambiguity over what actually constitutes international standards and principles on data protection which can result in the implementation of slightly different legal frameworks between agreements. For Japan, the ability to set common frameworks with some flexibility has contributed to its engagement with a wider range of parties, including China, in the field of free data flow. But the development of truly common international standards on data protection remains imperative and the challenge of how best this can be advanced through discussion in the international arena continues.
Outside of trade deals, Japan participates in APEC Cross-Border Privacy Rules (CBPR), a government-backed data privacy certification which companies can join to demonstrate compliance with internationally-recognized data privacy protections. The CBPR System implements the APEC Privacy Framework endorsed by APEC Leaders in 2005 and updated in 2015.
EU’s rigorous GDPR protection
The EU has supported the UK in leading the G7 to a consensus on international rule-making regarding free flow of data. Using its rigorous GDPR, the EU has cautiously examined the legal frameworks of each of its trade partners and, where necessary, required additional reinforcements to ensure their laws reach a similar level.
So far the EU recognizes only 14 countries – including Japan – as providing adequate protections, although it is in the process of finalizing arrangements with South Korea and the UK. Although this approach secures the same level of protection as cross-border data flow, it takes a much longer path to realize the free flow of data.
The EU-US privacy shield adopted in July 2016 provides another path for transferring data between the two economies as it allows the free transfer of data to any companies certified in the US which adhere to the Privacy Shield Principles issued by US Department of Commerce. The advantage is this does not require reform to the entire legal system but is still able to maintain a level of privacy protection acceptable to the EU.
However, in its judgment of 16 July 2020 the European Court of Justice ruled the Privacy Shield invalid, underscoring the EU’s strict approach to personal data protection and the protection of individual rights. This has created barriers to data transfer between the EU and US which carry important consequences not only for trade but also for law enforcement and national security, and the US hopes to consult with the EU about this.
Despite differences in approach between the UK, EU, and Japan, they do share a common view that data can harness economic prosperity in a digital society. Ultimately the goal is to propose a set of packages to enable secure cross-border free flow of data, including considerations of how it can be regulated in practice across trade and other agreements.
It could be worth examining whether an APEC CBPR-type mechanism could be applicable to Europe. Although not an easy task – particularly given restrictions faced by the EU – increased UK-EU-Japan policy coordination could help identify a realistic balance between free data flow and privacy protection. Collectively, they are capable of creating innovative mechanisms to enable the world to realise DFFT much more quickly and securely.
Hiroki Sekine, Visiting Fellow, Asia-Pacific Programme.