G20, Cop26, G7 – in the past weeks, numbered nations have been gathering at numbered events, all of them emitting a constant stream of news.
Among the steady noise, a significant announcement in late October from the London meeting of trade ministers from the G7 nations – comprising Canada, the United States, Japan, Germany, Britain, France and Italy – slipped past without much fanfare even in the international business press. And yet, in trade terms, Britain called it "a breakthrough".
This was an agreement on principles for digital trade, a broad category of commerce that includes everything from online purchases to professional services – basically, anything bought, enabled or delivered digitally. The agreement focuses on cross-border data flows, a complex area due to the seven nations' varied rules and regulations.
The best example of the perplexities that arise from such differences is the ongoing data back and forth between the EU and the US. Data transfers are supposed to be adequately protected by the two sides’ Privacy Shield agreement, which replaced its forerunner, Safe Harbour, after the European Court of Justice declared Safe Harbour inadequate to meet the data protection standards guaranteed by the EU’s General Data Protection Regulation (GDPR). That Europe’s highest court has had to produce (at this point, several) major decisions regarding a negotiated data transfer agreement, with more likely on the way, signals the challenges at hand.
While three of the G7 are within the EU, four are not. The most irksome country in the group is easily the US, as it has enormous domestic and international surveillance capabilities (as revealed by Edward Snowden’s leaked documents) and national laws permitting them to be used in ways that, to date, have created fundamental conflicts with EU data protection laws and human rights guarantees. The Brexited UK has a similar surveillance infrastructure.
Data flow regimes
Any agreement among these wealthy nations might be viewed as a major public statement and indication of how they propose to mesh their disparate digital trade and data flow regimes in a legally acceptable way, at nation state and group level.
Reuters noted the countries believed they had met a middle regulatory ground. But the devil, as always, will be the detail, and going on the British communique on the announcement, that detail will be vexing. The UK began with the not entirely promising nor conciliatory statement, “We oppose digital protectionism and authoritarianism and today we have adopted the G7 Digital Trade Principles.”
Reuters quoted an unnamed official who said: “For years, the global rules of the game have been a wild west that have made it difficult for businesses to seize the immense opportunities on offer.”
Oh dear. This sounds worryingly like the new, Brexity approach the UK is pushing in its current consultation on data-handling. Announcing the consultation process back in September, the UK's then-digital secretary Oliver Dowden suggested the GDPR is full of irritating "box ticking" and noted, "Now that we have left the EU, we have the freedom to create a new world-leading data regime that unleashes the power of data across the economy and society."
In a series of tweets on the G7 agreement, Dr Gabriela Zanfir-Fortuna, vice-president for global privacy at Washington DC-based think tank Future of Privacy, observed, “Don’t get your hopes high just yet. On a close read, they don’t seem to be substantial in addressing the current barriers to lawful cross-border data flows.” She added, “The principles seem to reinforce the current state of affairs and refer to the need of co-operation ‘to explore commonalities in our regulatory approaches’.”
Protection and privacy
The “commonalities” won’t confront the deep problem, which is the G7’s fundamental, substantive differences in mindset about – and therefore, regulatory approach to – data protection and privacy.
As Zanfir-Fortuna points out, just as the G7 announced their trade principles, the Global Privacy Assembly, representing 100 international privacy commissioners and data protection authorities, adopted a resolution (https://globalprivacyassembly.org/wp-content/uploads/2021/10/20211025-GPA-Resolution-Government-Access-Final-Adopted_.pdf) on "Government Access to Data, Privacy and the Rule of Law", contrasting with the G7's focus on finding ways to unlock greater data use for trade.
The Privacy Assembly supported principles such as the need for clear and transparent legal access, especially to regulate government access to (often trade-generated) data held by private companies; independent oversight; remedies and redress for violations; time limits on holding data; and blocks to weakening encryption with government-mandated surveillance “back doors”.
The main points in the detailed resolution are precisely the issues underlying the major uncertainties about the adequacy of data transfer protections between the EU and the US, including the continuing doubts many have over Privacy Shield.
Guess who abstained from supporting the resolution? The US member, the Federal Trade Commission. Curiously, Britain's Information Commissioner's Office voted yes.
While it’s good to see the G7 talking about these issues – and whatever its EU members might agree to in principle – don’t expect the G7 agreement to resolve any substantive digital data transfer and trade problems anytime soon.