Data Free Flow with Trust (DFFT)
Some of you may be familiar with the picture of Prime Minister Abe, President Donald Trump of the US, and President Xi Jinping of China seated next to one another at a small table.
Though many assume that the picture is from the Osaka G20 Summit, it was taken at a meeting on international data distribution right before the summit, called the Osaka Track. The Osaka Track expanded on Prime Minister Abe’s idea, first proposed at the 2019 World Economic Forum, called Data Free Flow with Trust, or DFFT.
DFFT’s idea is to guarantee the free flow of data across country borders while protecting security and privacy.
In the 20th century, commodities traded across national borders were often tangible objects such as food, coal, oil, and textiles. Now, in the 21st century, data crosses boundaries in the same way as objects.
Take online shopping as an example; when you buy something, it’s likely that your name, address, date of birth, credit card information, and other data is processed in data centers overseas. Even if the data is processed in Japan, the backup may be stored outside Japan to prevent loss in a disaster.
Companies handle infinite volumes of data; if a company has an overseas manufacturing site or sales network, data ranging from the procurement of individual parts to the individual shipments to customers travels across borders daily. Machine manufacturers use the internet to keep track of their products’ performance by detecting errors and informing customers quickly.
Such data on products sold abroad are often handled at headquarters located abroad. This is most certainly the case for companies with R&D centers on foreign soil that send data internationally.
In addition to the examples above, the 21st century has created new demand for data collection; automated driving software requires an extensive analysis of road and driving data. Even for automated driving software developed in Japan, the software requires data from abroad to ensure it is not limited by geography. The driving data must incorporate information that is uncollectible in Japan, such as icy climates and scorching hot deserts.
Artificial Intelligence requires this vast amount of accurate, high-quality data to create top-grade automated driving software, among other things, that can serve the increasingly technological world. There is no better way to collect data than to share it internationally.
Clearly, international data integration is crucial for economic growth and mere sustainability in this day and age. Yet, as we know, data regulation is on the rise.
In Europe, particularly in the European Union, the central goal of protecting individual rights and privacy has shaped strong regulations restricting personal information misuse. Comparatively, the US leans towards the free flow of data. Then there are countries like China, where the communist government’s agenda takes priority; the government occasionally forces companies to share data, including their customers’ personal information, with the government. These are just a few examples of how countries and regions have created vastly different data regulations.
In some countries, data regulation is so underdeveloped that the interpretations of the law are arbitrary and without due process. Consequently, even when the regulations serve legitimate purposes, such as protecting a person’s privacy and data security, there are no set-in-stone outcomes for violating the rules. Even when laws are legitimate in both purpose and application, compliance is difficult because the regulations are ever-evolving, country-dependent, always complex, and sometimes contradictory.
As a result, countries struggle to enforce their regulations, while companies struggle to abide by them. It is becoming increasingly impractical for firms to comply with all the different data regulations as they participate in cross-border data transfer.
The issues with international data transfer begin at an even earlier stage. Companies that use the collection and analysis of foreign-based data as a prerequisite for providing their service run the risk of sudden suspension. Take customer services and security diagnostics as an example; data regulations’ broad scope and constantly changing nature can force the sudden suspension of services, which is disruptive to both the company and the customer.
Let’s talk about more examples of data regulation.
Modern-day automobiles are central IoT (Internet of Things) devices packed with software; data on the car’s surrounding environment is an indispensable part of developing the software that controls vehicle operations.
With this in mind, let’s say a country imposes restrictions on cross-border data transfers that prevent foreign automakers from exporting data out of that country. Most vehicles will be subject to conditions on data collection for crucial operational information, including spatial coordinate information, vehicle IDs, and other things critical to the basic functioning of the modern-day automaker business.
Suppose authorities arbitrarily enforce restrictions on wide ranges of data with no alternative. In that case, some companies will be forced to reconsider their foreign ventures altogether as a part of following data collection, analysis, and storage rules. Even when there is no protectionist or authoritarian intent behind the restrictions, real-case studies with firms reveal that the regulations often complicate cross-border data flow.
When telecommunication service companies outsource data entry, authentication, and verification work, there are legal requirements to confirm that the outsourced company has the same level of control over the personal information provided by customers as the outsourcer. In reality, monitoring the management status of the outsourced company’s internal departments is quite tricky.
Furthermore, much of company data management relies on the functions and settings of cloud services; even if the company believes that its outsourced partner complies with regulations, violations can lead to unexpected punishments.
Cloud operations are increasingly common among large and small companies alike, especially as globalization leads firms to hire a more talented workforce from overseas who work remotely from their respective countries.
In such cases, how should authorities regulate material and data exchange via e-mail or virtual meeting room?
How can companies overcome the compromised human resource strategy if employees are restricted from accessing company information from their individual locations?
What about the case of employees’ personal information in a company’s human resource management system? If a firm follows the data protection standards of each country, a worker may not be able to access the same HR management tool.
Currently, the only logical solution is to follow the rules of the country with the strictest privacy protection restrictions and hope that the standards are equivalent or lower elsewhere.
Real-Time Data Transfer:
Japanese electrical machinery manufacturers collect and analyze equipment operation data from their overseas equipment in real time via IoT platforms. Real-time monitoring allows these manufacturers to operate their machines and thus their business more efficiently by doing things such as predicting failures before they occur.
Differing data regulations pose a serious threat to such processes; if a rule prohibits or is unclear about whether specific data is subject to verification or not, it can prevent real-time data transfer from happening.
Dealing with the different cross-border personal data transfer systems is a significant challenge when screening must separate information from personal data, such as medical data. R&D is a field that often runs into this issue.
As companies try to share information among time-differentiated research sites around the clock in the face of intense competition, they will inevitably step away from R&D in regions with excessively intrusive and restrictive cross-border data transfer regulations.
In short, different standards of data regulation across countries leave the technological space less effective than its current potential; individual businesses, overarching R&D, and safety measures are all compromised at the hands of unregulated regulation on data flow.
A country’s level of data regulation is becoming a significant factor for businesses deciding whether and where to expand overseas.
International data transfer frameworks, such as the APEC Privacy Framework, bring foreign investment into participating countries because of the ease of adhering to their rules. On the other hand, countries with confusing regulations, such as data localization provisions requiring domestic data storage, are losing steam as recent social issues related to the risks of cross-border transfers gained attention. Even when a company is not at risk of facing legal problems with its data transfers, businesses are discouraged from expanding into countries with strong regulations out of fear.
To resolve these issues, Japan is advocating for the G7 countries to take leadership in creating an international framework of data flow that will act as a first step towards realizing DFFT.
The plan is to appoint a secretariat that will work with a panel of public and private sector representatives, including governors, firms, researchers, and other relevant organizations, to build the framework. It will be the first general international system for cross-border data transfer and provide concrete solutions to data-related problems incurred by companies and research institutions.
The first task at hand for developing this international framework is to encourage transparency in the regulations regarding data in each country.
National regulations on data are often multi-layered and are enforced differently. While large companies may have in-house lawyers or have the finances to hire a law firm, smaller companies and start-ups are increasingly struggling to stay informed on data requirements when expanding overseas. In addition, countries frequently revise data regulations, making it costly to determine the latest rules. To make matters worse, sometimes there are regional regulations on top of national regulations, as demonstrated by the EU. For this reason, we advocate that an international framework first collect and publish a database of the latest data regulations in each country and region and keep it up-to-date at all times.
The next task for the international framework is to clarify the certification requirements for data handling.
When outsourcing data analysis, the outsourcer must ensure that the outsourced company complies with data handling regulations. However, as discussed above, it is difficult to verify the operations of others. A clear set of certification requirements, in conjunction with existing certification systems such as CBPR, can create measurable expectations.
Privacy Enhancing Technologies, or PETs, are software that firms and researchers can use to replace personally identifiable information in collected data in a way that does not affect data processing. This way, the transferred information can be used while protecting personal information.
If multiple countries can agree that a PET’s rule is in line with the rules of each country concerned, then the software can certify that those countries can exchange data without fear of repercussions for rules beyond those outlined in the PET. A place where countries’ data regulations align with one another such that there is a PET in place is called a “regulatory sandbox.”
The sandbox not only establishes conditions that each country must meet but also ensures that countries can certify each other’s compliance to build trust.
In the international framework, Japan proposes the sandbox of data regulation to create a mechanism for regulatory authorities in each participating country to cooperate and promote PETs.
Our goal is to establish an international data flow framework at the G7 Technology Ministerial Meeting held in Takasaki, Gunma, on April 29th and 30th and to reach an agreement by May at the summit meeting.