Taskforce to be chaired by Karen Kornbluh, former OECD Ambassador and Senior Fellow and Director, Digital Innovation and Democracy Initiative of the German Marshall Fund of the United States, and Julie Brill, Chief Privacy Officer and Corporate Vice President of Global Regulatory Affairs at Microsoft Corp and former Commissioner of the US Federal Trade Commission.
With today’s digital transformation shaped by the advent of cloud computing, artificial intelligence, and the Internet of Things, data has become global infrastructure. The responsible use and trusted cross-border flow of data is now essential to the health and safety of modern society and the growth of global economies.
The German Marshall Fund of the United States, in cooperation with American University’s Tech, Law and Security Program, and with support from Microsoft, is convening an independent global taskforce of experts from civil society, academia, and industry to provide proposals on how to harmonize the different approaches to global data use and sharing. Chaired by former Organization for Economic Co-operation and Development (OECD) Ambassador Karen Kornbluh and Microsoft Chief Privacy Officer and Corporate Vice President Julie Brill, the goal of the Global Taskforce will be to explore the common elements of the existing proposals and identify viable paths forward to a harmonized regime that allows data to flow in a trusted, secure, and rights-protecting way.
The seamless flow of data around the world unlocks immense benefits for society. Data enables efficiency in our supply chains, helps address increasing cyber threats such as those we have seen in the war in Ukraine, supports trade and commerce, addresses natural disasters, and plays a critical role in advancing scientific development, especially in data-intensive sectors like healthcare. In addition, the transfer of data contributes more to global GDP than the trade in goods, and is projected to rise to $11 trillion by 2025.
Drawing on the global expertise of the taskforce members, the German Marshall Fund and the Tech, Law and Security Program will develop proposals for achieving progress in three key areas:
- Norms on compelled government access to data,
- Interoperable commercial privacy protections, and
- Data sharing that balances national sovereignty with the need for data flow.
These proposals will be editorially independent and will be informed by the diverse views of taskforce members.
These are complex issues where governments must lead. This project will seek to support the efforts of policymakers through independent multistakeholder engagement.
Guidance on Compelled Government Access
The ability to share data across borders is crucial for the protection and safety of democratic societies that are impacted by a massive growth in cybercrime. Companies and governments need to share information on attacks and vulnerabilities as they monitor malicious threats. And at the same time, individuals expect and deserve to have their fundamental right to privacy protected.
On March 24, US President Joe Biden and the President of the European Commission Ursula von der Leyen reached an important milestone by agreeing in principle to a new Trans-Atlantic Data Privacy Framework to share data between the United States and the European Union. This agreement responds to the concerns raised about previous frameworks by addressing both the scope and proportionality of US surveillance activities, as well as creating a more robust redress mechanism for EU citizens who believe that the US government has accessed their data inappropriately.
While the Trans-Atlantic Data Privacy Framework must still be embodied in an adequacy decision by the European Commission and approved by EU member states, the agreement demonstrates that the United States and the EU can jointly create a framework that provides privacy protections and safeguards for data crucial to societal health and safety.
Even more importantly, considering the Russian invasion and war in Ukraine, it is a tangible demonstration that Western nations are embracing their shared values, particularly in the face of existential threats to those values and the rule of law.
Still, there remain important areas regulating the free flow of data that must be explored by the democracies of the world, including adopting bilateral and multilateral agreements focused on data access and retention practices of law enforcement, and on global norms around appropriate government surveillance.
Interoperable Commercial Privacy Protections
The free flow of data and cloud computing offer enormous potential to individuals, organizations, and economies to drive innovation and usher in advancements that can create a more equitable and prosperous future. However, to achieve the promise of the cloud, it is necessary to address concerns around personal privacy and to fairly distribute the benefits of data-intensive technologies like artificial intelligence and non-personal data.
The current process for determining whether and how data should flow between nations is hindered by divergent privacy regimes and burgeoning rules around access to commercially valuable non-personal industrial data. Efforts to share data seamlessly are impeded by complicated legal requirements that favor large companies. Further, today’s policymakers must also develop a sophisticated understanding of foreign data protection laws, as well as modernize domestic laws in new areas such as automated decision-making.
One example of an effort to address this problem came with the recent announcement by the US government of a Global Cross-Border Privacy Rules (CBPR) Forum. Working with other nations including Canada, Taiwan, Japan, the Philippines, the Republic of Korea, and Singapore, the goal of the CBPR Forum is to support the free flow of data by establishing an international certification system based on the existing Asia-Pacific Economic Cooperation Cross-Border Privacy Rules.
To help support interoperable privacy protections and facilitate a level playing field for organizations of all sizes, the Global Taskforce will examine ways in which multilateral standards, technical data transfer tools, assessment mechanisms, and other systems can incentivize policymakers to raise standards while supporting cross-border data flows.
Balancing National Sovereignty with Trusted Data Flows
Data localization measures are proliferating as countries mandate the storage and processing of data within their geographic jurisdiction. These data residency requirements are sometimes born out of a concern that domestic human rights protections would be undermined if data were subject to rules in other jurisdictions, as well as a desire to direct the flow of data to drive local economic growth. In other cases, localization is a tool to facilitate local surveillance and censorship. One study found that data localization measures worldwide had quadrupled in just four years, and the accumulating localization measures are expected to cost the EU 1.3 trillion euros in growth by 2030. Additionally, in key developing markets, research found that data localization reduces GDP gains from Internet of Things deployment by more than half.
It is crucial to find the right balance of encouraging more sharing of data in open and constructive ways that benefit economies around the world, while maintaining the necessary substantive protections for safeguarding personal privacy and other fundamental rights.
As the taskforce develops proposals to answer the complex questions around government access, commercial privacy protections, and national sovereignty, this project will leverage the positive momentum of a range of initiatives such as the OECD guidelines for transborder data flows and its ongoing work on government access to data; the G7 and G20 commitments around “Data Free Flow With Trust”; the CBPR Forum; and the Paris Call for Trust and Security in Cyberspace, an agreement recently endorsed by the United States and the European Union, who joined 1200 government and private sector signatories, including Microsoft.
The Global Taskforce will kick off this important work by convening later this spring, and the project will publish independent proposals on these focus areas by spring of 2023.