Data transfer regulation is being optimized in many places to balance privacy with utility aims
Unbeknownst to many, there is a quiet revolution underway in data regulation. A number of countries have been looking to extend their existing data protection frameworks to ensure that users have more effective control over their data than their regulations currently allow. These new measures, aimed primarily at unlocking data silos, will make it easier for data to flow from the entity that currently holds it to any other data business that might want to use it with the permission of the data subject.
In Australia, this is taking shape in the form of its Consumer Data Right, a framework that, once fully implemented, will allow consumers in Australia to require any business with which they have a commercial relationship (and which, as a result of that relationship, holds some personal data about them) to transfer that data to any other business of their choice. The first sector in which this new data right is being rolled out is the banking sector, with power set to follow close on its heels.
For its part, the European Union (EU) has begun to put in place a series of legislative proposals that are similarly designed to let users more efficiently transfer data from one data business to another. The EU’s proposed Data Act is intended to implement measures that will create a fairer data economy by ensuring better access to and use of data, and is intended to cover both business-to-business and business-to-government transfers of data. This framework will be supplemental to (and not replace) existing data protection legislation with a strong emphasis on preserving incentives for continued data generation. Along similar lines, the EU has also drafted a Data Governance Act, which when enacted later this year will govern the data exchanges and platforms that will form the infrastructure through which data holders will be connected to data users. It will thus both enable and regulate new data sharing arrangements that will intermediate the transfer of data from data businesses which currently hold it to those that have been permitted to use it.
This flurry of regulatory activity seems to suggest a growing appreciation in regulatory circles that it is not enough to protect data if you cannot also ensure that this data is effectively utilized—either for the benefit of the person to whom it pertains or society as a whole. As regular readers of this column know by now, this is a view I wholeheartedly endorse, having argued time and again in favour of data regulations that do more to empower. But, inasmuch as these are steps in the right direction, I fear they all suffer from a serious shortcoming that could significantly undermine the benefits that they have been designed to deliver.
Modern data businesses are powered by technology. Technology determines how data is collected, processed and used, and, by extension, the manner in which it is transferred. If there is one thing that decades of trying to regulate technology businesses has taught us, it is that laws and regulation simply cannot keep pace with changes in technology. No matter how fast we move, if the only weapon we are using to regulate technology is the law, we will be doomed to play catch-up forever. This is why I am concerned that as good as these new consumer-centric measures that regulators around the world have been cooking up might be, they are likely to fail if they are to be implemented solely through legislation.
India has adopted a slightly different approach to data transfers—one that is being implemented sector-wise through a set of open, interoperable protocols. This framework, better known as the Data Empowerment and Protection Architecture (DEPA), offers a technology-based solution for consent-based data flows, allowing users to transfer their data from data businesses that currently hold them to those that want to use them. Last week, the country’s Account Aggregator framework—the first implementation of DEPA—went live in the financial sector, proving that this was not just an idea but an actual viable solution. At its launch, four large banks were up and running on the framework, with another four set to follow shortly.
As much as I have sung praises of DEPA in this column, I am acutely aware that it too suffers from infirmities that could threaten its success. India still does not have a data protection regulation and implementing a technological solution for data transfers in the absence of a legal framework could bring with it a whole host of problems we could do without.
The fact is that when it comes to regulating technology, you simply cannot have one without the other. Technology businesses are most effectively regulated through a judicious mix of law and technology—strong, principle-based laws to provide the regulatory foundation, with protocol-based guardrails to ensure compliance.
At a high-level ministerial meeting last week, seven countries came together to endorse a techno-legal approach to data regulation which for the first time acknowledged that the solution to our regulatory objectives lay precisely at this intersection. The participating delegates committed to exploring how technical frameworks such as DEPA could be incorporated into the EU’s Data Act and Australia’s Consumer Data Rights policy to enable more effective outcomes. If successful, this would be the first global attempt to adopt a techno-legal solution for data-transfer regulation. And, dare we hope, a harbinger of more to come.
Rahul Matthan is a partner at Trilegal and also has a podcast by the name Ex Machina. His Twitter handle is @matthan