As data protection regimes diverge, will Japan’s Data Free Flow with Trust bridge the gap?

By Yogesh Hirdaramani

Japan’s Data Free Flow with Trust (DFFT) initiative could help countries harmonise their approaches to cross-border data flows undergirded by principles of digital trust, even as countries chart their own data protection and privacy pathways, say industry experts.

At this year's G7 meetings in Hiroshima, Japan, leaders are expected to operationalise Data Free Flow with Trust (DFFT) and enable international cooperation on cross-border data flows, undergirded by principles of digital trust. Image: Canva

Last weekend, the G7 Digital and Technology Ministers, including representatives from Germany, the United States, and Japan collectively affirmed their support for Data Free Flow with Trust (DFFT), an initiative proposed by Japan in 2019 that aims to guide international cooperation on cross-border data transfers. 

 

The Ministers, who met to discuss digital economy concerns in view of the upcoming G7 Hiroshima Summit happening in mid-May, affirmed the need to explore concrete approaches to realising DFFT at this year’s G7. Accordingly, they endorsed the creation of a mechanism for multi-stakeholder dialogue on the topic, the Institutional Arrangement for Partnership.

 

Cross-border data transfers have become a key point of contention for regulators over the past few years, with the New York Times declaring that the era of borderless data is coming to an end last year. At this year’s G7, Japan is expected to take up the cause of promoting the free flow of data, underpinned by a framework of digital trust that addresses concerns over cybersecurity and data privacy.

 

GovInsider spoke to industry experts to better understand what DFFT might entail, the key concerns driving restrictions on cross-border data transfers, and what to expect from this year’s G7 meetings.

 

A cosmopolitan, principles-based approach

 

The DFFT plays a unique role as a principles-based initiative that aims to build bridges between different data protection frameworks around the world, shares Quint Simon, Director of Public Policy for Asia Pacific & Japan at Amazon Web Services (AWS) with GovInsider. 

 

Unlike a regional framework like the European Union’s General Data Protection Regulation (GDPR) that imposes requirements with regards to the processing of personal data of individuals located in the European Economic Area, the DFFT aims to promote shared principles regarding the cross border transfer of data, she explains.

 

“How do we drive greater interoperability between different regimes like the GDPR or APEC’s Cross-Border Privacy Rules? How do we ensure there is some level of consistency and harmonisation, wherever possible, between regulatory frameworks? The value of DFFT is that it is flexible and can capture many initiatives,” says Simon.

 

“Whenever a country in the APAC region passes a new privacy law or a new cybersecurity regime that is principles based and enables cross border data flows, that is a manifestation of something that would easily fall under DFFT,” explains Simon. For example, the Singapore-Australia Digital Economy Agreement is one such digital trade agreement that aims to develop interoperable data transfer mechanisms and shared digital standards.

 

Converging concerns

 

When regulatory frameworks are consistent, interoperable, and allows data to flow freely, businesses can maximise their potential for innovation and ensure that costs are not passed down to end-consumers unnecessarily. 

 

On the other hand, when countries have differing approaches, companies face high compliance costs in trying to navigate inconsistent approaches to privacy, such as having to invest in more expensive – and potentially less secure – local server providers.

 

A report by the Information Technology & Innovation Foundation found that when a nation’s data restrictiveness increases by 1 unit, this can cut its gross trade output by 7 per cent, slow productivity by 2.9 per cent, and over a period of five years, raise downstream prices by 1.5 per cent. 

 

“The meeting’s discussions have the opportunity to focus attention and amplify momentum to where global regulatory policies are converging, particularly in terms of interconnectivity, interoperability, and enabling standards,” shares Dr Peter Lovelock, Director and Principal of the Fair Tech Policy pillar at Access Partnership.

 

Simon from AWS challenges the narrative that governments are tending towards data localisation frameworks. From her perspective, governments are seeking to find a balance between enabling cross-border data flows while ensuring data remains secure with proper safeguards. For example, Indonesia and India have both recently introduced data protection bills that rollback unnecessary data localisation restrictions.

 

She highlights the example of Ukraine, which lifted its data localisation restrictions on certain public and private sector data a week before the Russian invasion in 2022. On the day of the Russian invasion, AWS was able to help the Ukrainian government securely store and transfer data to the cloud, which has allowed the country to sustain public services in the following months

 

“DFFT is going to play an important role in helping governments see an alternative to prescriptive data localisation requirements that still addresses the underlying policy intent of increasing privacy assurances,” says Simon. 

 

What this year’s G7 discussions hold

 

Observers can expect Japan to institutionalise DFFT and set the approach up for long term success at this year’s G7 discussions by introducing the Institutional Arrangement for Partnership, which aims to promote stronger public-private partnerships towards making DFFT a reality.

 

“The challenge lies in translating principles into policy. This is where the G20 group of nations has the opportunity to make an impact when they meet in India this year for discussions," says Dr Lovelock of Access Partnerships. 

 

Such a platform can emphasise projects supporting trusted data flows and risk-based standards for cybersecurity, says Simon. Concrete mechanisms for public-private partnerships can help shape regulatory frameworks to remain conducive for businesses.

 

A global coalition of industry and non-governmental organisations collectively signed a statement calling for G7 countries to concretise DFFT by strengthening cross-border data interoperability mechanisms, aligning their own data transfer policies with international standards, and supporting a public-private commitment to digital trust. 

 

Simon highlights that ASEAN countries can help lead the conversation on DFFT, with its long history of establishing shared norms and values on cross-border activities. In turn, DFFT can help guide ASEAN countries when negotiations for the region’s Digital Economy Framework Agreement begin in 2025.

 

DFFT is slated to boost Japan’s global reputation for digital innovation and raise the profile for the government’s Digital Agency, reported GovInsider previously.