First stepsWe expect countries to proceed step-by-step in small groups, self-selecting into specific arrangements and gradually deepening them. As a first step, data source countries may still specify conditions and determine conformity unilaterally, but lend additional transparency and predictability to their requirements by listing them, for example as Additional Commitments under Article XVIII of the GATS. A further step could be for data source countries to recognise conformity assessment in specific data destination countries when there is trust in enforcement,even though norms diverge. In parallel, groups of countries could also make collective additional commitments when they converge in regulatory requirements – say, in a WTO Reference Paper on Privacy – building on OECD and APEC principles (OECD 2013, APEC 2017). These steps could pave the way ultimately for mutually binding obligations on source and destination countries, which is one of the most innovative elements of the Comprehensive and Progressive Agreement for Trans-Pacific Partnership (CPTPP). In this agreement, data source countries agreed not to restrict the flow of data, in return for legal obligations on data destination countries to protect the privacy of foreign citizens.
Apart from a bilateral or plurilateral approach, there may also be scope for multilateral discussions, for example as part of the recent initiative on electronic commerce. Such discussions could help forge a broader consensus on both data protection standards and mechanisms to ensure compliance.
ReferencesAsia Pacific Economic Cooperation (2017), Privacy Framework.
Bauer, M, F Erixon, M Krol, H Lee-Makiyama, and B Verschelde (2013), The Economic Importance of Getting Data Protection Right: Protecting Privacy, Transmitting Data, Moving Commerce, European Center for International Political Economy.
European Commission (2018), "Adequacy of the protection of personal data in non-EU countries", accessed 22 May 2018.
European Union (2018), General Data Protection Regulation.
Financial Times (2017), "Global groups face big bills to comply with new privacy rules", 20 November.
Greenleaf, G, D Korff, and I Brown (2010), Different Approaches to New Privacy Challenges in Particular in the Light of Technological Developments – Country Studies B.4 India, European Commission D-G Justice, Freedom and Security.
Glassman, C A (2000), “Customer Benefits from Current Information Sharing by Financial Services Companies,” Financial Services Roundtable, December.
Kitchenman, W F (1999), U.S. Credit Reporting: Perceived Benefits Outweigh Privacy Concerns, The Tower Group.
NASSCOM-DSCI (2013), Survey of the Impact of EU Privacy Regulation on India’s Services Exporters.
OECD (2013), Recommendations of the Council Concerning Guidelines Governing the Protection of Privacy and Trans-border Flows of Personal Data.
Privacy Shield Framework (2018), Privacy Shield Overview.
WTO (1995), General Agreement on Trade in Services.