Trade flows and data flows
Preparing for the threat of no-deal Brexit produced vital insights on what restrictions on data flows mean for global trade flows.
Three reasons make this a good time to take stock of lessons learned: while seemingly unconnected, these give data flows a central place in the bigger picture.
The first reason is that, as of January 1st 2020, the newly approved Californian Consumer Privacy Act, CCPA, mandates compulsory accounting of the dollar value of consumer data held by data-rich corporate business. This innovative legal accountability tool is a global first: a searchlight pointed at the market for personal data. The CCPA does not mandate a specific accounting methodology: the dollar-value-of-data debate is still in its academic and accounting infancy. Businesses will have to adopt a valuation methodology and justify their reporting criteria.
The second reason pertains to a gear shift in Brexit dynamics. Having secured a large parliamentary majority, the current U.K. ruling party looks determined to take the country out of the entire legal framework of the European Economic Area at the end of an agreed transition period, in December 2020. Past diplomatic history points to the prospect of an additional year when the U.K. and the EU negotiate a trade agreement whilst leaving the threat of a no-deal Brexit firmly in place. Personal data tends to be a low-priority bilateral agreement topic, as it follows the non-trade logic of data protection principles. It would be a negotiating mistake on both sides to keep it out of next year’s talks and out of public awareness: adjustments in global data flows are critical to prevent a Brexit-induced recession with world-wide knock-on effects.
The third reason is that data localization requirements are an increasingly prominent feature of data laws in force or in preparation across jurisdictions. Russian localization laws are comparatively little-known: since 2015 Russia has mandated that all data relating to Russian citizens be stored or processed using data centers located in Russia. In a regulatory tightening of the rules, as of December 2nd 2019, both businesses and individual “data operators” can incur monetary penalties ranging between USD 16,000 and 288,000, and between USD 1,600 and 12,800 respectively for flouting data localization requirements. India’s new Personal Data Protection Bill mandates that certain categories of personal data relating to Indian citizens, deemed “critical personal data”, may be stored and processed exclusively on Indian soil. Both are important reminders of the tit-for-tat potential of the extraterritorial effects of data protection.
Ten Brexit lessons are worth keeping front of mind on both sides of the Atlantic and in both hemispheres when devising valuations of personal data sets, whilst negotiating trade agreements, and before legislating further localization laws.
Lesson One: Every organization is a data organization
Every business is a data business and handling personal data is an inextricable part of any business transaction. The distinction between personal data and non-personal data is theoretical and does not map easily onto business reality.
When legislating for data privacy there is little benefit in discriminating data-driven companies from those that are perceived not to be data rich and there is real risk in creating small business exemptions. All businesses share one, single personal data ecosystem. Whatever protection is afforded to individuals’ personal data, that protection has to flow throughout the data ecosystem, be it when the personal data is used by not-for-profits, by small and micro-enterprises, or by large platforms.
Lesson Two: To be in business is to move personal data across borders
Whatever your product or value proposition, you are always first and foremost a personal data importer and exporter.
This is the hardest shift in mindset for businesses to adopt. The misleading common assumption is that only data brokers should worry about rules for exporting personal data. Yet, if you export wine or cheese, you also export personal data along with your products as business data: although personal data is not one of your products, it is what enables you to trade them.
Lesson Three: Personal data is only an asset to your business if you can move it across borders lawfully
Data asset valuation theories that do not include this simple truth ought to be re-written.
Lesson Four: Data flows are decoupled from trade flows
Data import/export rules are not necessarily aligned to other product import/export rules: personal data follows human rights and/or consumer rights laws, not trade laws. A cross-border trade agreement might wave past products but has no jurisdiction to “wave past” personal data flows.
Brexit negotiators would do well to keep this front of mind, as any trade agreement with the EU would be hollow unless personal data flows remained unrestricted.
Lesson Five: Mess with data flows and you mess with global trade flows
No data flows, no trade flows.
Lesson Six: Map your data flows as you map your critical supply chains
All businesses rely on other businesses’ data-sets to some extent. Just like any product or service is a link in value chains crisscrossing the globe, one business’ data assets are a link in the global data supply chains. Broken links can be mended if you know where to look: when a data link is broken, few businesses can clearly map the strategic role personal data flows play in their value chain.
Lesson Seven: Calculating the dollar value of personal data is hard
Personal data plays six very different corporate functions. Some are vital for your business and so do not have a measurable ROI. Any measurable ROI should be calculated differently for each corporate function played.
Personal data can be: 1) necessary for back-office operations; 2) the very product or service your business is offering to the market; 3) not your product or service per se, but an essential component of your product and service; 4) a non-essential component, but an add-on bundled with your product or service to increase its attraction; 5) the medium through which your product or service is conveyed or brought to market; 6) the digital market stall or display area for your product or service.
Lesson Eight: Incorporate data risk in the dollar value of data
Like any other corporate asset, the dollar value of personal data will be misleading unless it incorporates a measure of the business’ exposure to data risk.
Just as we calculate risk-adjusted returns on capital, we would need to calculate data-risk adjusted returns on personal data-sets. Data risk varies according to: a) a business’ incorporation jurisdiction; b) the bilateral trade agreement between their incorporation country and the target market countries; c) the functions personal data flows play in that business’ value proposition; d) the function the target market countries play in that business’ strategy; e) the relative cost/benefit analysis of complying with data regulations as shifting bilateral trade and data agreements disturb both trade and data flows.
Lesson Nine: Beware data unilateralism
Personal data privacy laws, for good or for bad, inject unilateralism in the flow of data needed for multilateral trade. Unilateralism, by definition, takes data risk out of the control of the counter-party. When data unilateralism is deployed for geopolitical strategies, as recent history shows, data risk becomes a variant of political risk. A business’ data risk mitigation strategies, therefore, will need to look carefully at the political climate as much as at its third party data supply chain.
Lesson Ten: Calculating the dollar value of data is really hard
You can never measure the dollar value of your data-sets in the abstract, but only of data free-to-flow where trade agreements are most advantageous to your business strategy, within the limitations set by unilateral data privacy rules. While the dollar value of personal data is not impossible to calculate, it will take one very complex equation to do so. That’s one important conversation that can be expected to move out of California and spill into the global business community in 2020.
2020 looks set to be the year when privacy regulation really spans the globe, trade agreements and negotiations intensify as the old trading blocs readjust, and further no-deal Brexit preparations take place away from public scrutiny.
If data flows are central to global trade, as the great no-deal Brexit preparation experiment taught us, then 2020 should also be the year when you assess your global data supply chain vulnerabilities.