Singapore Deputy Commissioner at PDPC Yeong Zee Kin talks about digitalisation and data flows.
Data is a non-rivalrous resource. Different organisations can work on their respective copies of the same dataset, each having an opportunity to benefit from it. The ability to benefit comes down to having imagination and the drive to acquire the skills to work with data. Therefore, data should not be treated as a resource or commodity to be hoarded within national borders.
With accelerated digitalisation, we have seen an exponential increase in data generation and data flows. Data flows are foundational to the digital economy, and there has never been a more compelling time for economies to build common standards and principles together, to allow data to flow smoothly and safely across borders.
Accountable transborder flows: a prologue to Data Free Flow with Trust
As early as the turn of this century, there was keen recognition that data (including personal data) needed to be transferred across borders in a trustworthy manner. In the context of data protection laws, this was articulated as the principle of accountability.
Accountability is a core principle of data protection regimes based on the 1980 OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (also known as the OECD Privacy Guidelines). In the context of cross-border transfers, it manifests as the requirement that a data controller transfer data to an overseas recipient only after being assured that the recipient can accord a comparable standard of protection to the data it receives. An early example is Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA), which requires organisations to use contractual or other means to provide a comparable level of protection while the data is processed by a third party[1].
The Accountability principle is also the cornerstone of the APEC Privacy Framework and its certification systems for accountable cross-border transfers of personal data: the APEC Cross-Border Privacy Rules (CBPR) and the Privacy Recognition for Processors (PRP) systems. I will speak more about these systems later.
More recently, during the Japanese chairmanship of the 2019 G20 Leaders’ Summit, then-Prime Minister Abe mooted his concept of Data Free Flow with Trust. This was endorsed by the G20 Osaka Leaders’ Declaration, committing to “further facilitate data free flow and strengthen consumer and business trust”.[2] A group of 23 countries – including the Republic of Korea and Singapore – along with the European Union, joined to launch the “Osaka Track”, affirming the importance of “harnessing the full potential of data and data economy”, and committing to “promote international rule-making on trade-related aspects of e-commerce at the WTO”.[3]
Building convergence for data flows: Digital Economy Agreements
Over the years, global norms have begun to emerge. The first principle is that countries should refrain from restricting cross-border data flows. An early articulation may be found in the 1980 OECD Privacy Guidelines, which exhorted member countries to “avoid developing laws, policies and practices…which would create obstacles to transborder flow of personal data that would exceed requirements for [ensuring equivalent] protection.” More recent articulations may be found in the E-Commerce Chapters of both the Comprehensive and Progressive Agreement for Trans-Pacific Partnership, or CPTPP, and the Regional Comprehensive Economic Partnership Agreement, or RCEP.
Both the CPTPP and RCEP commit signatories to two complementary obligations. First, to allow for the cross-border transfer of information (including personal information) by electronic means, for the conduct of business. Second, not to require businesses to use or locate computing facilities within the country as a condition for conducting business. Restrictions to these commitments are permitted if they are non-discriminatory and necessary to achieve legitimate public policy objectives.
Although we have been a party to various Free Trade Agreements (FTAs) with E-Commerce Chapters, with the shift towards a Digital Economy, we need an updated set of global norms for the free and trusted flow of data across borders. It is with this objective in mind that Singapore pioneered the Digital Economy Agreements (DEAs), which align common digital standards and systems for digital trade, thereby facilitating cross-border data flows.
It is necessary for building the Digital Economy to entrench as a global norm the principle that the cross-border transfer of data by electronic means, be it personal, business or machine data, should be allowed. Any restrictions imposed should be limited to those necessary to achieve legitimate public policy objectives. An example of an established public policy objective is the assurance of equivalent protection for personal data transferred across borders. Requiring the use of local computing facilities or the local storage of data, as a condition of conducting business, restricts trade and should therefore not be recognised as a legitimate public policy objective. These clarifications are important for the Digital Economy. They enable businesses to access cloud-based services, which can help lower costs or grow new markets through e-commerce.
So far, we have signed DEAs with Chile, New Zealand, and Australia. We are negotiating a DEA with Korea and recently launched negotiations with the UK. Through DEAs, we hope to deepen cooperation and alignment in digital and data issues, with like-minded partners.
Building convergence for data protection: ASEAN MCCs & APEC CBPR
Since restricting personal data transfers to ensure equivalent protection is a legitimate public policy objective, how then should transfers of personal data be facilitated? When the Asian Business Law Institute conducted a comparative review of transfer mechanisms recognised by Asian jurisdictions[4], it identified contracts, binding corporate rules, and certification as having the greatest potential for convergence, while consent remained adequate for residual circumstances.
Consent and contracts are part of the global norm for personal data transfers, and form a basis upon which interoperability of global data protection and privacy regimes can be built. While consent is adequate for residual circumstances, it is not ideal for systematic or recurrent transfers, especially when it is common for businesses to change service providers periodically. Contractual clauses are widely used by businesses around the world. They allow a business to impose data protection and security requirements on the receiving party. A widely known example is the EU Standard Contractual Clauses, which were first promulgated in 2001 and updated this year. In ASEAN, we have the ASEAN Model Contractual Clauses (MCCs), a more flexible template recognised by all 10 ASEAN members and ready for use since January 2021.
Aside from recognising binding corporate rules, we need to also recognise contract-based mechanisms for intra-group transfers, which are essential for supporting the centralisation of corporate functions within multi-national corporations. Even though binding corporate rules and intra-group agreements differ in their legal nature, both serve to accomplish the same corporate objectives.
The acceptance of consent and contracts (including binding corporate rules) as extant global norms for permissible safeguards may be uncontroversial but cannot be taken for granted. We hope that our efforts in DEAs and other upcoming trade agreements will contribute towards their acceptance as global norms.
In the longer term, the use of certification as a mechanism for personal data transfers holds great promise as a new norm. Several countries such as the Republic of Korea, Japan, and Singapore have domestic data protection certification systems, and the EU GDPR recognises certification as a transfer mechanism. Tried and tested certification systems for cross-border transfers are the APEC CBPR and PRP systems, which I mentioned earlier. CBPR and PRP are comprehensive certification mechanisms for cross-border data transfers. They have the advantage of allowing for intra- and inter-company transfers between certified companies in participating APEC member economies. There are currently nine participating economies including Singapore, Japan, Chinese Taipei, the Republic of Korea, Philippines, and the USA. Their total population is about 645M and their combined value of trade is about 3.3T USD.
ASEAN has intimated an intention to develop a certification system as part of the ASEAN Cross-Border Data Flows Mechanism, to complement the ASEAN MCCs. This builds momentum for certification to become a global norm for cross-border transfers. The Centre of Information Policy Leadership, a global privacy and data policy think tank, even suggested the possibility of a global certification mechanism requiring only one approval process. This could happen if non-APEC countries adopt mechanisms similar to and interoperable with the CBPR.
There is still much work to be done in articulating and establishing new global norms concerning data flows. What I have discussed is uncontroversial, yet there are new areas which require further discussion at the appropriate platforms, for example, the ability of law enforcement to request and access data across borders.
Convergence for data flows and data protection through international rules, frameworks, agreements, and other mechanisms is a key step that countries must take to harness the full potential of the digital economy. The digital economy is a fast-evolving area, and we look forward to more countries and partners participating in these regional and international processes.