During a keynote address at the Digital Advertising Alliance Summit 19:DC in Washington, Acting Assistant Secretary James Sullivan, Jr., gave spirited support for such innovation – and detailed the wide-ranging efforts by the International Trade Administration at the U.S. Department of Commerce to promote “interoperability” among countries’ privacy regimes through global data flow certification mechanisms.
Photo: Acting Assistant Secretary James Sullivan, Jr., U.S. Department of Commerce – International Trade Administration provided a keynote address at DAA Summit 19:DC on global data flows for commerce.
“The mission of the International Trade Administration is to help create the conditions for U.S. industries to innovate and compete, both at home and abroad,” said Sullivan who had just returned from meetings in Japan with U.S. trading partners to discuss data protection surrounding the G20 Summit. “With the accelerating digitization we are now seeing across the global economy, a core focus of that mission is to promote the free flow of data across borders in a way that ensures both privacy and data protection.”
At the G20 Summit and previously at the World Economic Forum in Davos, Prime Minister Shinzo Abe of Japan specifically called on G20 member countries to advance the free flow of data with privacy protections. “Referring to technologies like 5G, the Internet of Things, robotics and AI, the Prime Minister made it clear that the next wave of digital innovation is already here, and that countries today have a choice,” Sullivan said. “We can welcome this wave of data-driven innovation, by preparing for it and riding it to greater levels of prosperity that will help to improve living standards and address critical environmental and public health and safety challenges … or we can ignore the changing tide and miss this wave.”
Clearly, the United States is not planning to miss that wave.
Cross-Border Data Flows – A Trillion-Dollar Driver of GDP
“The world is experiencing extraordinary increases in connectivity,” Sullivan continued. “There are now more than 4 billion Internet users across the planet, and each day they help generate close to 2.5 quintillion bytes of data—a figure expected to increase ten-fold in the next five years alone.”
Sullivan went on to emphasize the importance of cross-border data flows to commerce and to trade—for all types of companies and consumers—explaining that they drive about 22 percent of global economic output and will add up to US $11 trillion to global GDP by 2025.
“Cross-border data flows are indispensable—not just for big, multinational technology companies, but for traditional industries, and for small- and medium-sized businesses as well,” he said. Sullivan stressed that individual start-ups and small businesses are leveraging data access to global markets and global value chains at unprecedented rates.
He took exception to characterizations of data as the ‘new oil’, noting that, unlike oil and other finite resources, data can be replicated, moved quickly, and actually grows more valuable with use. “We should be mindful of the myriad of ways data can used and reused to generate value and insight, both in our economies and in our societies,” said Sullivan. “Because these data flows so often involve personally identifiable information, we must also recognize privacy and data protection as essential.”
Photo: Acting Assistant Secretary James Sullivan, Jr. – of the International Trade Administration at the U.S. Department of Commerce – outlines what steps national governments must take to embrace the next wave of digital innovation.
An Emerging World of Fragmented Data Protection Regimes
Sullivan did report that because there is no global definition of data privacy, and no global framework governing online and data protection, a variety of regimes for regulating data are evolving. Stronger national data governance laws, both in liberal democracies and authoritarian states alike, have led to a more fragmented landscape, and to a more ‘Balkanized’ internet.
“We see increasingly prescriptive rules on cross-border data flows and personal data that a growing number of countries are trying to emulate to varying degrees.” he said. “China, of course, focuses on security, whereas Europe prioritizes privacy concerns.” Sullivan noted that, countries like Brazil and India are looking to the European Union’s General Data Protection Regulation (GDPR) for inspiration.
He went on to say that many countries, including the United States, appreciate GDPR’s aim of harmonizing data protection requirements across the EU’s 28 member states and believe that GDPR has compelled organizations to bring some greater order to the information they collect.
”The current debate here in the United States is over the appropriate balance between privacy and prosperity,” stated Sullivan. “Among other things, policymakers are looking closely at GDPR’s implications for legal compliance costs for small businesses, for free speech and expression, and for innovation and research.”
Sullivan noted that governments around the globe are monitoring the extent to which GDPR is actually creating greater data protection, privacy and consumer trust in the EU. “Time will tell what form U.S. privacy legislation may take, but calls to simply copy GDPR in its entirety in the United States are impractical and most likely implausible,” he said.
The Costs of Regulation Burden Must be Calculated and Assessed
Sullivan emphasized that the costs of GDPR compliance have not been insignificant. Organizations have had to purchase and modify technology, create new data handling policies, hire additional employees, and dedicate millions of dollars to compliance efforts. “By some estimates, the average U.S. firm with 500 employees or so has spent about US $3 million to comply with GDPR, and total GDPR spending by U.S. firms is projected to total up to US $150 billion annually. Since GDPR came into force, over 1,000 U.S. newspapers, including the Los Angeles Times, have voluntarily blocked access from Europe …”
“The burden on organizations of complying with the rapidly growing number of unaligned regulatory requirements around the world threatens to become overwhelming for companies and to undermine innovation and economic growth for nations,” Sullivan said.
He stressed that the multiplying multi-billion-dollar regulatory costs for U.S. and foreign companies means that startups and entrepreneurs in nearly every industry will need to devote greater resources to managing inconsistent regulatory regimes at the expense of innovation and market expansion.
How We Can Bridge Fragmented Regimes
“For countries that embrace common principles about privacy and data protection, the solution lies in developing innovative structures to bridge our regulatory differences,” Sullivan said, noting that the International Trade Administration administers two such “proven mechanisms” on behalf of the U.S. Government—the EU-U.S. Privacy Shield and the APEC [Asia-Pacific Economic Community] Cross-Border Privacy Rules System (CBPR).
“To date, Privacy Shield has enabled nearly 5,000 U.S.-based companies to be certified to receive personal data from the EU,” he said. “For nearly three years, following two constructive joint annual reviews by the U.S. and EU, Privacy Shield has operated successfully as data-sharing mechanism for entities holding EU data.”
APEC’s CBPR System is another flourishing “certification mechanism system”, he reported. “Over the last two years, the APEC CBPR system reached a critical mass of participation among APEC member economies. This transfer mechanism is now recognized by most of the United States’ top ten trading partners.” Eight APEC economies—the United States, Australia, Mexico, Japan, Canada, South Korea, Singapore, and Chinese Taipei—have all joined the System. The Philippines’s application is in process.
Sullivan suggested that both Privacy Shield and the CBPR System can be “instructive in developing a global certification mechanism.”
Both Privacy Shield and the CBPR System require:
- Organizations to respect comparable privacy rules and protections that are based on the OECD Privacy Guidelines and on U.S. Fair Information Practices,
- Legally binding obligations on organizations, which are enforceable in the United States, for example, by the Federal Trade Commission (FTC),
- Independent dispute resolution mechanisms as an avenue for individuals to address privacy complaints, and,
- Annual re-certification to program requirements.
“International regulatory harmonization and convergence on privacy and data protection will take years, if not decades,” Sullivan cautioned. “In the meantime, digital innovation is accelerating. If countries that do embrace common values around privacy and data protection do not move quickly to bridge our regulatory differences, we will miss the wave of the digital revolution.”
Sullivan concluded by noting that nations’ advancements in science and industry, respect for privacy and data protection, and obligations to improve the lives of their citizens, all require governments to build on the proven success of using certification mechanisms to make different approaches to privacy interoperable.