OECD/APEC Policy Support Unit International Business Consultation 2015
How can emerging regulations on cross-border data flows affect international trade?
Issues Paper
The OECD/APEC PSU is undertaking a project to develop an understanding of how regulation of cross-border data flows affects international business. To this end, the OECD/APEC PSU is seeking the views of the business community on the regulatory barriers to cross-border data flows affecting trade today, their effects on business (especially in terms of costs), and alternative regulatory approaches that can address legitimate policy objectives such as privacy and security in the least trade-distorting manner.
The objective is to understand how businesses are specifically affected by current cross-border data regulation, more accurately estimate the full costs of current and future policy decisions, and suggest credible alternatives.
In the last few years there has been a proliferation of new regulation, or proposed regulation, related to cross-border data flows. While many of these barriers have been introduced purportedly to meet privacy or national security objectives, it is likely that they will also have an effect on the ability to conduct international business and trade. In 2014 APEC endorsed increased work on the internet economy, including understanding policy issues affecting cross-border data flows. In this context, the APEC Policy Support Unit is working with the OECD to provide inputs to the policy discussions in APEC going forward.
To do this, the OECD and APEC PSU first need to work with businesses to understand how they use cross-border data flows in their activities, learn more about the effects of these recent regulations, and consider potentially more suitable approaches that would meet regulators’ objectives while minimising costs to international business activity. This information from business will help to ensure the credibility of the analysis undertaken by the OECD and PSU.
Number 1. The role of cross-border data flows in international business 1
Better data on global data flows is needed, particularly for meaningful quantitative analysis. It is clear that recent technological developments have significantly altered international data flows, but little official information is available. Today, data transmissions “occur as part of a networked series of processes made to deliver a business result” 2 but how this translates into ‘dollars and cents’ is a matter of speculation. Electronic international data transfers in areas such as human resources, financial services, education, e-commerce, public safety, and health research are now an integral part of the global economy. The provision of computing resources at a distance, for example, over the Internet, allows organisations and individuals to access services remotely although their data may be stored anywhere in the world. Data transfers are nearly instantaneous, virtually cost-free, and can occur with the click of a button, moving data quickly and easily around the globe.
These new technologies have driven the development of new business models. Organisations can effectively segment tasks or processes and have them performed almost anywhere in the world. They can take advantage of expertise in multiple locations, thereby meeting customer expectations of improved (and near instant) service while meeting constant demands for increased productivity. The overall result is that organisations have greater flexibility, reduced costs, greater storage capabilities, and more mobility. Such an approach is not just available to large, multinational organisations. Increasingly, small and micro-sized organisations, as well as individuals, are able to take advantage of these global services. Indeed, the pervasiveness of online access has been credited as a driving force in the recent surge in global value chain participation.
1 This section draws heavily on Chapter 4 of the 2013 OECD Privacy Framework, available here: http://www.oecd.org/sti/ieconomy/oecd_privacy_framework.pdf
2 See Paul Schwartz, “Managing Global Data Privacy: Cross-Border Information Flows in a Networked Environment, 2009”, A Report from the Privacy Projects.org, available at: http://theprivacyprojects.org/wpcontent/uploads/2009/08/The-Privacy-Projects-Paul-Schwartz-Global-DataFlows-20093.pdf
This discussion area will address how improved cross-border data transfers have led to changes in international business models, identify the types of business tasks that are reliant on these transfers, and seek to estimate how much of each data type businesses are transferring across borders, and to what extent the new business models rely on them. The following questions are intended to guide the discussion:
Where does your company store its data, centrally in one location, or scattered around the world?
What are the considerations for having one or more data storage locations?
What kinds of data does your company transfer across borders in the course of its activities?
How much data does your company transfer across borders in the course of its activities? For example, how much of the total data transfer is in support of operations versus personnel issues?
Are there particular tasks within your company that are more reliant on cross-border data transfers than others?
Have you encountered the term ‘personally identifiable’ data? What do you think it means?
How hard would it be for your business to identify/separate the use of such data amongst other uses?
How much of your data is likely to relate to ‘personally identifiable’ data?
Who would be the person(s)/ department(s) generally in charge of overseeing these issues?
Number 2. Regulation and effects
Regulations restricting cross-border data flows are an emerging trade policy issue. These barriers are being planned or implemented with increasing frequency by governments across the world. These barriers can be highly specific, targeting certain types of data (such as personal or financial data), or they can be broad, covering all types of data generated in a country. Likewise, the restrictiveness of the measures varies from a total ban on cross-border data transfers (including local data storage requirements) to requiring general user agreement prior to any transfer.
Business models that rely on international data transfers, particularly personal data transfers, are likely to be affected by data transfer regulation. The nature and size of that impact will be influenced by a range of factors, including the strength of the regulation, the importance of the transfer to that business or sector, and the ease with which businesses can change to comply with the regulatory requirements, including any opportunity costs arising from that change. This impact can range from zero added costs, should the business not rely on cross-border personal data exchanges, to prohibitive costs insofar as they affect the underlying business model.
This topic covers the regulatory requirements that are in place or have been announced by governments, including examples of well-designed policies. It will also touch on the types of regulation that could be implemented in the future if the current trend continues. This session will discuss how business will have to change to meet the current or potential data regulation, including differing approaches across jurisdictions, and what those changes will mean to current global production and trade networks. Finally, the discussion will also touch on the aspects of data regulation that are expected to be the most costly to meet. To that end, the following questions are intended to guide the discussion:
Which are the 3 most burdensome pieces of cross-border regulation that your company is facing? What makes them burdensome?
What are some examples of high-quality cross-border regulation currently in place?
The proliferation in cross-border data regulation has been recent. What kind of potential regulation does your company consider could be implemented in the future?
What would be the least burdensome (trade distorting) regulation that a government could enact to genuinely address privacy and data security concerns without distorting business activity?
How has (or will) your company change to comply with these regulations (e.g. change user terms and conditions, anonymise or aggregate personal data prior to transfer, increase foreign storage capacity, pack up investments and leave the country)?
How is your company affected by different approaches to these issues across different jurisdictions?
Number 3. Solutions: Suggestions from the business perspective
The complexity of the issues related to international data transfers poses challenges to their regulation, including meeting legitimate objectives while avoiding unnecessary restrictions on trade. A number of international agreements and guidelines recognise governments’ need to balance trade-offs between competing policy issues.
Many FTAs and WTO rules exempt governments from their commitments for regulation concerned with legitimate policy objectives.
The 2011 OECD Recommendation on principles for Internet policy making states that “while promoting the free flow of information, it is also essential for government to work towards better protection of personal data, children online, intellectual property rights, and to address cyber-security”.
The OECD’s 2013 Guidelines governing the protection of privacy and transborder flows of personal data note that “any restrictions to transborder flows of personal data should be proportionate to the risks presented, taking into account the sensitivity of the data, and the purpose and context of the processing”.
This session will discuss businesses’ views on how cross-border data flows should be regulated, and will consider the adequacy of relevant existing international rules and guidelines in shaping that regulation, and the nature of any required changes. Additionally the session will cover what high-quality regulation could look like, and the necessary processes that governments should follow to develop them. The following questions are intended to guide the discussion within the session:
Are current international trade rules sufficient to guide regulation development in this area? If not, how should they change?
Do current international guidelines for regulation development regarding privacy and security adequately consider the regulatory impact beyond those issues? If not, how should they change?
What could high-quality cross-border data regulation look like? Give concrete examples where available.
Contact details
Please indicate the appropriate person with whom the OECD and APEC can follow-up concerning the issues raised above, and the project more generally.
This form will be collected at the meeting on 17 March.
Name:
Title:
Company name:
Company industry:
Email:
Phone: