Elizabeth Denham outlines how an international conference could help to provide 21st century thinking for the 21st century problems that data faces. The speech was delivered at the Oxford Internet Institute.
In July 1944, the world was still at war. Allied forces were fighting to liberate France, with Paris still occupied by German forces. Battles in the Pacific would continue for another year.
In New Hampshire, USA, the mood was a little different. There, at the foot of the White Mountains, and beneath the chandeliers of the recently repainted ballrooms of the Mount Washington hotel, economists gathered in wicker chairs to smoke, deliberate and consider how the world could rebuild once the war ended.
The delegates at the Bretton Woods Conference were an eclectic group. The chief American negotiator would later be accused of being a Soviet spy. Economist John Maynard Keynes represented Britain, at times holding court from his hotel bed, as he struggled with ill health. The Chinese delegate is reported to have focused his energies on throwing the most extravagant parties.
Yet within weeks, the group reached a series of agreements that continue to influence our world today, including the formation of the IMF and World Bank.
Where the delegates succeeded was in appreciating that the challenges individual states faced – in rebuilding and refinancing their own nations – could only be resolved with an international solution.
As the US Treasury Secretary put it “the only genuine safeguard for our national interest lies in international cooperation.”
The challenges we face today are not comparable with that period in history. For all of the difficulties brought by the pandemic, our world is more stable and more prosperous.
But as I want to set out today, the value of international cooperation continues to be fundamental. Our current approach to data protection, considered nation by nation, can only take us so far. If we are to unlock the full potential of data driven innovation, supported by public trust in how data is used, we need an international approach to data protection standards. We need an international solution.
We need a data Bretton Woods.
I’ve worked in data protection in one way or another for four decades. I began my career in the dusty record rooms of the City of Richmond, as an archivist, seeing first-hand how history shapes our present. My career developed, first as a privacy coordinator in the health sector, and then moving into the world of regulation. Often, that work was still in those dusty backrooms. That is where data protection lived in the early 2000s. Our work was considered to be one of legal compliance, of ticking boxes.
The world feels very different today. Data protection had come out of the shadows before the pandemic. And during the pandemic, the benefit of data protection truly shone through.
When the UK government wanted to develop a contact tracing app, it considered data protection at an early stage, and it consulted with my office. It was clear from the outset that the government understood that by answering the questions we posed on transparency, legality and fairness, the final product would be better trusted by the people they hoped would use the app.
We saw a similar situation around data sharing to benefit vulnerable people during the pandemic. Public authorities held data about who was shielding. Supermarkets wanted to help by dedicating scarce delivery slots to those who needed them. A successful partnership was made possible through the consideration of data protection.
But there’s a fundamental problem here, amid this recognition of the value of data protection.
Our digital world is international. Data flows around the world in a heartbeat. I open up my phone, check an app, and in a moment my data travels around the globe. Services like geolocation and cloud computing all rely on international data flows.
But the checks and balances on this data are domestic.
That brings problems.
It means that when a multinational company doesn’t follow the rules, or when there is an international data breach, the ability for regulators to work together across jurisdictions can be limited, as we try to match up our differing legal systems and approaches.
It means that there are companies who develop apps available to people in the UK, but based in jurisdictions with little or no data protection provisions
And it means that our system for international data flows is based on assessments of how other nations’ laws measure up to our own, no matter how many flaws we may be willing to acknowledge in our own systems.
I have to pause here to acknowledge the great work being done already to reduce these problems.
The ambition of ‘data free flows with trust’ was made a central part of the 2019 G20 meeting by then Japanese Prime Minister Shinzo Abe. Speaking in Tokyo at a side event at that G20, I spoke about my hope that we could make progress by working with difference: celebrating our differing laws, cultures and outlooks, but building bridges between them.
That’s been a central philosophy to the work of the Global Privacy Assembly, which I chair. The group now brings together more than 130 regulators and members from around the world to encourage greater cooperation. And we’ve seen real progress through the Assembly, particularly around regulatory cooperation, for instance, and in response to the COVID pandemic.
And only this week I met with my equivalents from the G7 nations, to consider how we could find ways for our existing regimes to work together more closely. That aim of ‘data free flow with trust’ remains central, and the ambition within that group was clear.
I think it is also fair to praise the UK government for taking an international approach here too, particularly in recognising that international partnerships are the key to unlocking the full opportunities that data offers the UK economy. Hell, they’ve even recommended another internationalist as my successor.
But all of this work – from the GPA to the G7 - only goes so far. Ultimately, it feels as though a more ambitious approach is needed.
This is, after all, an international problem that could be costing economies around the world billions of pounds. Recent estimates suggest as much as £11billion worth of trade goes unrealised around the world due to barriers associated with data transfers.1
As many of you will know, the transfer of data between countries is typically limited to where those nations have agreed they share a similar standard of data protection.
The assessment of which countries have high enough data protection standards are known as adequacy assessments. For instance, the EU’s GDPR sets a consistent standard of data protection across the Union, and then allows for data to flow outside of the Union, to countries whose data protection standards the EU considers to be essentially equivalent to its own.
The EU recently granted adequacy to the UK, and already has agreements in place with the likes of New Zealand and Japan.
You may have seen the UK making its own announcements in this field last month, setting out the first countries that the UK will consider when granting its own adequacy agreements.
These adequacy agreements provide clear benefits. Data can fuel economic growth, digital innovation and more efficient public services, and adequacy agreements remove barriers for organisations to take an international mindset, whether that’s in attracting customers, working with partners or looking for backroom efficiencies.
But there are challenges associated with this approach too.
Firstly, considering whether another nation’s law offers the same protections as your own is a difficult process. Countries’ laws reflect their histories, their cultures and their societies. Trust in police access to information can be low in countries that historically had secret police forces with government links, for instance. And there’s a difference between a European approach founded in human rights, versus a North American approach which has historically focused on consumer rights. Throw geopolitics into the mix, and it’s no surprise that adequacy assessments can be far from simple.
We know too that, even when agreed, these adequacy agreements can prove fragile. We have seen the EU’s partnership with the USA falter on several occasions, amid concerns over the collection and analysis of data by the latter’s intelligence services. Where agreements appear vulnerable to court challenge, they fail to offer the surety businesses crave.
And finally, relying on adequacy agreements alone leaves nations with a binary choice: a country’s data protection regime is good enough, or it is not. It emphasises the differences between our approaches, and leaves the overwhelming majority of countries outside of the tent. That feels like a significant hand brake on digital innovation.
Data can still be transferred to the long list of companies without agreements, but the responsibility is on organisations to keep data protected, and the process can be cumbersome, labour intensive and expensive.
Again, it’s difficult to shake the sense of a series of domestic solutions being applied to try to solve an international problem.
Which is where we return to Bretton Woods.
The 1944 conference was attended by 730 delegates from almost 50 nations around the world. The group included economists, politicians and subject specialists. Delegates came from diverse cultures, and brought diverse ideas, but with a united understanding: the old system had failed, and a new one, built on international cooperation, was needed.
It is my view that a Bretton Woods conference for data is required today.
It is accepted that the digital world is borderless.
It is accepted that the flow of data, from individual to organisation, from organisation to organisation, from country to country, is integral to digital innovation.
It is accepted – I hope – that such data flows rely on the public trust earned through sensible data protection regulation.
And yet we continue to consider those protections domestically. That needs to change.
Let’s be clear from the outset: this is not about creating a global law that everyone must follow. It is not about deciding there is only one law to rule them all.
As I said at the G20 in Japan, we will only make progress by respecting the differences between our laws, our cultures and our societies. We need to build the architecture to allow those differences to work side by side.
Or to put it another way, every country can choose its own taps, we just need to find the pipes and plumbing to better join them all together, to maximise the data flow.
A Bretton Woods conference could provide the melting pot of ideas needed to take this forward.
It could consider how best to provide that plumbing.
My own view is that a global data protection accord could find common ground between nation’s data protection regimes.
Membership would rely on countries demonstrating their commitment to data protection, backed by independent regulation. And organisations within those member nations would be able to transfer low risk data to countries who were fellow members.
Crucially, the bar for membership would be lower than adequacy. Membership of a global data protection accord would not require countries to demonstrate their law offered the same safeguards as, say, the GDPR.
Businesses would benefit from the surety of a system less vulnerable to legal challenge, and much broader than partnerships with individual nations.
And consumers would know that simple protections are in place for their data around the globe.
That is one idea. But to quote the man who contributed so much to the original Bretton Woods conference, John Maynard Keynes, “The difficulty lies, not in the new ideas, but in escaping from the old ones.”
That is the challenge.
I know the data protection community stands ready to be part of the solution. I see that in my work with the GPA. I see the ambition when I talk with my G7 colleagues.
But that challenge must now go further.
The challenge must go to governments and international organisations like OECD, Council of Europe and WTO: you are the ones with the convening power to make a Bretton Woods conference for data happen.
And then the challenge must go further afield. Data is such a broad, cross societal issue that impacts every facet of our lives. And so the solutions must come from the bright minds across society from civil society, from think tanks, academia, from businesses and from the people whose trust so much relies on.
The challenge is clear. The appetite for solutions is clear. What we need now is 21st century thinking for a 21st century problem.
1 UNCTAD Technical Notes on ICT for Development:: International Trade in ICT Services and ICT-enabled Services: Proposed Indicators from the Partnership on Measuring ICT for Development, via UK unveils post-Brexit global data plans to boost growth, increase trade and improve healthcare - GOV.UK (www.gov.uk)