‘Agile governance’ could redesign policy on data protection. Here’s why that matters

This article is brought to you thanks to the collaboration of The European Sting with the World Economic Forum.

Author: Nicholas Davis, Professor of Practice, Thunderbird School of Global Management and Visiting Professor in Cybersecurity, UCL Department of Science, Technology, Engineering and Public Policy, Mark Esposito, Professor, Thunderbird School of Global Management, Arizona State University & Landry Signé, Senior Fellow, Global Economy and Development Programme and Africa Growth Initiative, Brookings Institution

  • Technology regulation is evolving rapidly but remains fragmented across national and regional divides.
  • Agile governance can potentially address the issue by creating a nimbler and more adaptive approach to regulation.
  • But we need to overcome the constraints that agile governance faces in real-world settings to embrace this form of policymaking.

Although technology regulation is evolving rapidly in today’s world, such regulation remains greatly fragmented across national and regional divides. Agile governance can potentially solve this fragmentation by promoting nimbler, more fluid, and more adaptive approaches to regulation.

Whether it is privacy, cyber security, cyber warfare, national security, or prohibited content, every hot-button issue in technology governance today seems to be of global concern, yet resides in the hands of nationally-focused lawmakers relying on outdated policies that continue to reinforce the fragmentation of technology regulation.

Take data protection, for example. The EU’s General Data Protection Regulation (GDPR), which was first proposed in 2012 and came into effect in 2018, is essentially an international privacy law for data protection. Any organization that processes any personal data from any EU citizen is covered.

Beyond its extraterritorial impact, it has inspired similar efforts to update and improve data protection in other jurisdictions, such as in Japan, Chile, Egypt, and the state of California in the United States.

‘Patchwork’ of data regulation

This flurry of GDPR-inspired activity raised hopes that data protection would become more consistent over time. Indeed, there are established mechanisms for precisely this. For more than 20 years, the European Commission has conferred “adequacy” rulings on national regimes that meet its strict data protection standards, allowing personal data to flow unimpeded across borders. However, only a handful of countries and territories have received the European Commission’s “adequacy” decision, including Japan and the United Kingdom.

There is no systematic and all-inclusive privacy law regulating all private parties in other countries. In the US, for example, there is a patchwork of state and federal laws, most of them focused on specific industries, such as the Health Insurance Portability and Accountability Act (HIPAA) in healthcare and the Gramm-Leach-Bliley Act (GLBA) for entities in the financial sector.

Meanwhile, China’s data protection laws focus on strong government control, public order, and national security. These laws include its 2017 Cybersecurity Law and its 2021 Data Security Law, and the upcoming Personal Information Protection Law. These include broad requirements on data localization and have an extraterritorial effect.

Asia has seen perhaps the greatest transformation in the area of data privacy in the last decade. Before 2020, only six countries had comprehensive data privacy laws. Between 2010 and 2020, 20 jurisdictions enacted new data privacy laws, and seven undertook amendments. Five of these have extraterritorial provisions, and while they all share similar data protection elements, all differ from one another and other regions in important ways.

Furthermore, even if GDPR compliance is equivalent to “gold-plating” your firm’s system, a global firm will still need to check that its systems fit the idiosyncratic data protection requirements across 20 markets in Asia alone.

Regulatory fragmentation is more than just about costs to firms, however. It also matters because greater complexity and diversity across jurisdictions means that consumers are less likely to be well-protected. Moreover, less discussed is that fragmentation impedes governments’ implementation and enforcement. By contrast, a consistent approach means inter-agency cooperation and information sharing between agencies is far easier to achieve.

How is the Forum helping governments to responsibly adopt AI technology?

The World Economic Forum’s Centre for the Fourth Industrial Revolution, in partnership with the UK government, has developed guidelines for more ethical and efficient government procurement of artificial intelligence (AI) technology. Governments across Europe, Latin America and the Middle East are piloting these guidelines to improve their AI procurement processes.

Our guidelines not only serve as a handy reference tool for governments looking to adopt AI technology, but also set baseline standards for effective, responsible public procurement and deployment of AI – standards that can be eventually adopted by industries.

We invite organizations that are interested in the future of AI and machine learning to get involved in this initiative.

The concept of agile governance is one solution to this fragmentation. Just this past December, Canada, Denmark, Italy, Japan, Singapore, the United Arab Emirates and the UK signed the first “Agile Nations” agreement to incorporate the principles of agile governance into their regulatory environment.

Agile governance promotes nimbler, more fluid and more adaptive approaches to governance. It draws inspiration from agile software development, embodied by the principles of The Agile Manifesto.

Agile governance does not prioritize regulatory design or implementation speed, as too much speed can threaten the inclusiveness of policy processes or outcomes.

Instead, the idea of agile governance suggests that more proactive, inclusive and iterative approaches to policy design can create rigorous systems that are more effective and representative than traditional processes, even within compressed time periods.

Data policy should be outcome driven

One central idea of agile governance is that policymaking should be outcome driven and evidence-based while recognizing that contexts and needs change throughout a policy project.

This approach requires ongoing collaboration between a wide range of stakeholders to ensure that knowledge flows into policies effectively and inclusively, which then enjoy greater legitimacy.

Agile governance also recognizes that the architectures and rules that guide our behaviour – particularly in the world of technology – extend far beyond the incentives, regulations and laws created in the public sector.

Business models, corporate policies, software, product design, and technological infrastructure can all influence user behavior and outcomes for citizens more so than public policy. As a result, new models of collaborative governance across sectors are required to meet the challenges and opportunities of the 21st century.

The World Economic Forum has identified eight approaches and more than 100 examples of agile governance worldwide. Many governments are trialling policy labs, sandboxes and crowdsourcing efforts.

Other examples include novel forms of industry-led self-regulation, the concept of super regulators, setting shared ethical principles, new approaches to standards creation and enforcement, and the creation of collaborative governance ecosystems across jurisdictions.

Agile governance puts pressure on governments to innovate in engaging with a broader range of stakeholders. Most public sector institutions and agencies will require an investment in the skills and resources related to cross-sector collaboration and in approaches to knowledge management, systems thinking and design thinking.

Three constraints to agile governance

However, there are three increasingly important constraints to agile governance, the first of which is limited policy space. The legal, economic, and technological implications of living in a globalized world mean that not all policy options are fully available to sovereign states.

The second constraint is stakeholder engagement. In addition to privileging their interests, stakeholders often possess very divergent views about what policies are possible and how to weigh different trade-offs – but engaging them is costly.


What is the World Economic Forum doing about healthcare data privacy?

The Healthcare Data Project at the World Economic Forum Centre for the Fourth Industrial Revolution Japan grapples with the question of how societies should balance the interests of individual citizens, businesses and the public at large when it comes to sensitive healthcare issues. An improved approach to governance during a number of health crises, including pandemics, can help build trust and possibly even save lives.

The Centre for the Fourth Industrial Revolution has developed an approach to data governance – Authorized Public Purpose Access (APPA) – that seeks to balance human rights such as privacy with the interests of data-collecting organizations and the public interest — that is, the needs of whole societies.

Additionally, a recent white paper examined existing data-governance models, discovering that most are biased toward the interests of one of three major stakeholder groups. The white paper revealed the need for a balanced governance model designed to maximize the socially beneficial potential of data while protecting individual rights such as privacy and the legitimate interests of data holders.

Finally, the third constraint is trade-offs. All policy options come with trade-offs, which are very difficult to assess ahead of time and can be challenging to measure after the event.

Agile governance can help solve the growing fragmentation of technology regulation. However, we cannot reap the benefits of this new mode of governance and policymaking unless we continue to overcome the constraints that agile governance faces in real-world settings.
