Cross-Border Privacy at the Crossroads

As we approach the GSMA Mobile 360 Series – Privacy & Security event in The Hague, the GSMA’s Director of Privacy, Boris Wojtan considers the upcoming hot topics and issues.

It’s hard to think of a topic nowadays that inspires as much enthusiastic acclamation as privacy and security. Any policymaker or business in today’s data-driven economy would say they take privacy and security very seriously, but scratch the service and the world looks a little more nuanced: How can companies ensure they comply with privacy and security regulation that varies between geographies and, at the same time, leverage data to offer innovative consumer services? How can companies utilise diverse arrays of data in novel ways while also respecting privacy? These are some of the questions that industry leaders, enterprises, regulators and governments will discuss at Mobile 360 - Privacy & Security on 23-24 May, 2017 in The Hague.

Movement of data
One topic they will focus on is the issue of movement of personal (and non-personal) data across national boundaries or cross-border data transfers or CBDTs, as they are otherwise known. It is a topic that has been in the news a lot recently in one way or another. For example, the wrangling over a new ‘Privacy Shield’ in the wake of the Snowden disclosures and the sudden intense focus on oversight of US intelligence services’ access to data were partly down to a CBDT issue. The EU would not have had a say in the matter were it not for an European Union-wide rule that provides that personal data may not be transferred to a country that does not have an ‘adequate level of protection’. In this case, the ‘adequate level of protection’ had been assured by the ‘Safe Harbor Framework’, the forerunner of the Privacy Shield agreed between the EU and the US, but a single individual in the EU was able to bring the whole edifice crashing down by pointing out some deficiencies that could enable interference with EU rights.

Another aspect of CBDTs is the growing number of so-called data localisation requirements that impose local storage requirements or use of local technology for certain data types or economic sectors. A few recent studies and reports have begun to analyse the quantity and impact of these restrictions. Perceived by some policymakers as necessary to protect diverse matters such as privacy rights, security or industrial sectors, there are some clear downsides to erecting barriers on the movement of data: they force companies to duplicate storage and applications, and they can prevent local start-ups and potential growth sectors from accessing efficient cloud-based services or key skills and solutions that would not otherwise be available in their country.

Development of new business & boosting jobs 

A recent study by McKinsey found that the ability to transfer, store and process data globally added USD $2.14 trillion in 2014 alone. The US Chamber of Commerce published a report in February this year concluding that “an open policy and regulatory environment that facilitates cross-border delivery of ICT services will generate significant cost savings, spur the development of new business, boosting jobs, and ultimately add to the overall growth of the economy for those countries studied.” Similarly, the EU has also woken up to this growing concern, citing numerous restrictions within the EU that need to be abolished if they are to complete the Digital Single Market and compete on the world stage. Indeed, the topic of CBDTs now features as a key consideration in international trade deals.

GSMA Report, ‘Safety, Privacy and Security Across the Mobile Ecosystem 

The GSMA, representing mobile operators around the world, has added its weight to the argument that restrictions on the movement of data should be minimised. Both in its policy position and in its February 2017 report, ‘Safety, Privacy and Security Across the Mobile Ecosystem,’ the GSMA accepts that certain restrictions may be justified in very limited circumstances, but it also points to accountability mechanisms such as the APEC Cross Border Privacy Rules and the EU’s Binding Corporate Rules that encourage organisations to implement comprehensive and effective data privacy regimes. These mechanisms, it should be emphasised, promote high standards and reflect an increased understanding of data privacy around the globe.

The mobile industry and the wider digital ecosystem benefit when consumers trust new technologies and business models. Innovation and trust can be better achieved in a world where data can flow freely and where standards converge on a common, global understanding of what an ‘adequate level of protection’ is. That is why this will be one of the hot topics that delegates attending the Mobile 360 – Privacy & Security event will explore.

Author: Boris Wojtan, Director of Privacy, GSMA