Home PublicationsCommentary Policymakers Should Distinguish Between Data Protection and Data Protectionism

Policymakers Should Distinguish Between Data Protection and Data Protectionism

by Daniel Castro
Pump-jack mining crude oil with the sunset

Policymakers are often mistakenly told that “data is the new oil.” Yes, like oil, data is a valuable input to the economy. But unlike oil, data is non-rivalrous—one party using data does not reduce the amount of data available for others to use. And unlike oil, data is non-fungible—one piece of data cannot be substituted for another the way barrels of oils are interchangeable. Unfortunately, the “data is oil” analogy had led to some poorly conceived policy ideas, in particular the idea of data sovereignty.

Many countries now advocate a policy of “data sovereignty,” the concept that governments should keep all domestic data local to ensure it remains subject to domestic rules. These ideas directly follow the economic principles put forth in the 1974 Declaration for the Establishment of a New International Economic Order by the United Nations General Assembly that called for “full permanent sovereignty of every State over its natural resources.” Policymakers following this line of thinking believe governments should treat data like a finite natural resource that must be protected from foreign actors seeking to exploit it for profit. Those who espouse this view see data as no different than any other resources a country may be naturally endowed with like oil or minerals.

India was an early adopted of this perspective on data sovereignty. Its 2019 draft National e-Commerce Policy candidly states “the increasing importance of data warrants treating it at par with other resources on which a country would have sovereign right.” Moreover, India makes clear that its goal is to prioritize domestic access to data. The policy further states: “National data of various forms is a national resource that should be equitably accessed by all Indians. The same way that non-Indians do not have access to the national resources on the same footing as Indians, non-Indians do not have equal rights to access Indian data.”

Australia provides the latest example of this type of muddled thinking. In its recent draft “National Data Security Action Plan” the government declares that “Australia’s data is a valuable national asset requiring robust security settings” and that “inadvertently allowing another country to access Australia’s most critical data will erode our sovereignty and control over that data in the long term.” In other words, Australian policymakers are trying to lock down domestic data out of concern that foreign actors may exploit it for unfair economic gain. In both India and Australia, data sovereignty is thinly disguised protectionism. However, these policies often gain traction because many policymakers conflate data protection and data protectionism.

Data protection is a legitimate effort to ensure the confidentiality, integrity, and availability of data. For example, policymakers should seek to protect sensitive information from inadvertent disclosures. Sensitive information includes both personal data and non-personal data that, if revealed, undermines privacy, safety, economic, and security interests. For example, sensitive information could be personal data about a person’s health that reveals information the individual would prefer to keep private, intellectual property (IP), including trade secrets, that businesses want to protect, or non-personal information such as classified government data that undermines national security. In these cases, stronger data protection measures, particularly enhanced technical safeguards and better cybersecurity practices, can help prevent data breaches or other unintentional disclosures of sensitive information, including to foreign governments or firms.

But data protectionism is not focused on preventing the disclosure of sensitive information. Instead, it is focused on preventing those outside the country from generating value from data. While the goal of these policies is to maximize value for domestic companies, the net impact of these restrictions is almost certainly negative. The problem is that most data has little to no value until businesses do something with it. Therefore, the more businesses can gain access to data, the more value can be generated. Restricting foreign firms from accessing domestic data limits the potential universe of businesses that can add value to data. That means data holders—whether they are consumers or businesses—miss out on opportunities to benefit, directly or indirectly, from their data.

Consider an Australian radiology lab that has thousands of medical images. Data protection rules are completely legitimate to ensure that personal medical records remain private. However, Australia’s data protectionism rules (under section 77 of Australia’s Personally Controlled Electronic Health Records Act) prohibit organizations from transferring health records overseas. This limits radiology labs from using non-Australian AI systems that could be faster and cheaper and more accurately interpret diagnostic imaging results. These restrictions result in potentially higher costs for Australian businesses and consumers, in addition to worse health care outcomes.

Moreover, data protectionism does nothing to enhance data protection. Requiring data be stored in-country (or with domestically owned companies) does not impact the overall security of data. Australian data, for example, is not more secure in an online service simply because that service is owned and operated by an Australian company rather than an American one. The security of the online service depends on a series of technical, logical, and physical controls at the company.

Countries that pursue data protectionism risk reciprocal actions by other governments. For example, Australian mining giant Rio Tinto collects data from around the world as part of its smart mining program to analyze geology, optimize energy use, and automate its autonomous equipment. If other governments prohibited Rio Tinto from sending data back to Australia it would have a negative impact on the company.

The sooner that policymakers learn that data is not oil, and that data protection does not justify data protectionism, the better off consumers and businesses will be in the future.

Image credit: Zbynek Burival (Unsplash)

You may also like

Show Buttons
Hide Buttons