Data and AI regulation around the world

Tim Davies

Tim Davies

We held the first in our Connected Conversations series earlier this month, bringing together a number of data governance thinkers, practitioners and campaigners from four continents to explore current contours of data and AI regulation around the world.

In our hour-long discussion we just scratched the surface of the different opportunities and challenges present when it comes to putting communities at the heart of data governance, and we’re confident that there is value in continuing and deepening the conversation, particularly with a focus on the narratives and agendas around data at play in the G7 and G20 over the coming years.

Put briefly, contributions pointed to both opportunities to innovate and build models of collective data governance within existing and nascent legal frameworks, and to the need to critically engage with advancing data policy agendas to make sure they don’t narrow, undermine or sideline the space for data governance that takes account of community impacts and democratic voice.

Around the world

India: Astha Kapoor (Aapti Institute) led our global tour by summarising the new draft of the Data Protection Bill that was published in India on 18th November. Many years in the making, the new draft is much lighter than earlier versions, dropping proposed rights such as ‘data portability’ and ‘right to be forgotten’. Astha outlined a distinction being drawn between ‘citizen rights’ and ‘consumer rights’, with data portability interpreted as the latter, and so outside the scope of the Bill.

References to ‘non-personal data’ have been dropped from the Bill, potentially opening a space for a separate renewed discussion outside of the Bill’s progress on the impacts of data that, whilst technically not containing personal identifiers, may nevertheless be used to affect individuals and communities.

The concepts of ‘data fiduciaries’ and ‘consent managers’ feature in the Bill draft, and Astha outlined how this could create opportunities for new entities to use the law to ‘aggregate consent’ and through this to empower communities to act more collectively in exercise of their data rights.

As India take on the presidency of the G20, they are also working on placing data firmly on the agenda, working on a set of data values and likely to champion Indian led work on consent management as part of the 2023 summit.

Africa: Alison Gillwald (Research ICT Africa - RIA) discussed developments around the Africa Data Policy Framework, published in July 2022. The framework, developed with support from RIA, incorporates a number of relatively novel concepts, such as data justice, that, while not necessarily widely understood in policy circles at present, open up opportunities for rethinking data governance practices and advocating for more democratic models of data governance as the Framework is domesticated into national policies.

Alison noted the strong ‘citizens’, and ‘people’, language of the framework, and emphasis on multistakeholderism, as well as references to data commons, data trusts and other new forms of data stewardship.

The African Data Policy Framework doesn’t immediately change national regulations, but, with the right support, has the potential to influence and shape national legislation, particularly, Alison noted, when there are good examples to draw on of how broad ideas might be put into practice. Balancing the need for ‘progressive realisation’ that allows countries to move at their own pace, with the need for interoperability between regulations, raises some particular challenges for the years ahead. Alison noted that the African Union has called for input on standardisation, albeit within existing bureaucratic processes, hinting at the need for work to consider how to broaden engagement in standardisation processes.

European Union: Alek Tarkowski (Open Future) described the ‘embarrassment of riches’ in terms of data-focussed legislative agendas in the European Union, including the broadly-concluded Data Governance Act, the in-progress Data Act, evolving European Health Data Space regulation, and the AI Act, although this last act includes little on collective or participatory data governance. Issues of access to research within the Digital Services Act, and Digital Markets Act also provide some openings for work on data governance.

Alek raised the question of where, as small organisations, we should latch on and find the best hooks for successful advocacy in such a broad policy space. For example, the Data Governance act has created a framework for data intermediaries, offering a potential space for practical innovations in collective data governance. The Data Act opened up a conversation about public data commons and Business-to-government data sharing, but there appears to be little political energy behind this, as mistrust around sharing data with the state creates political obstacles. Ultimately, Alek reflected, it takes a lot of engagement to move the needle on data governance issues, particularly when they are framed as industry and market issues, and he pointed to Right to Research as a potential angle to focus on with more concentrated advocacy in future.

UK: Jeni Tennison (Connected by Data) shared an update on government attempts to reform the UK GDPR (inherited from the EU after Brexit) through the Data Protection and Digital Information Bill, which is broadly focussed on ‘deregulation’, lowering burden for business, and enabling more ‘public good’ uses of data, albeit where what is good is arbitrated by decision of the secretary of state.

To connect with this debate Connected by Data advocacy has explored a framing of “old style data protection is about privacy - new style data protection needs to be meeting the new challenges we have now”, making the case that stronger collective and participatory data governance can address the crisis of trust when securing benefits from data, and can help protect data rights. Jeni also outlined arguments the team have been exploring around business benefits of participatory data governance, in removing uncertainty, and the benefits to innovation, education and skills as public involvement in data governance stands to improve data literacy.

Jeni also noted the upcoming 2024 election, broadly expected to deliver a change in governments, and therefore requiring more emphasis on political party manifestos and agendas, as well as government policy processes.

Global: Carolina Rossini (The Datasphere Initiative) drew attention to the UNESCO Recommendations on the Ethics of AI, and the UN High Level Committee on Programmes - Inter-Agency Working Group on AI, in addition to the work by the Data for Developement network on the Global Index on Repsonsible AI. She called attention for the need of multistakeholder participation in these discussions, and mentioned the emerging call for a global data governance convention by UN agencies.

Building on Alison’s discussion of interoperability across the African continent, Carolina also highlighted her hopes that such a convention is focused on a global approach to interoperability between laws, policies and standards, including developing common approaches to how new forms of data institutions are defined. For Carolina power imbalances in the Data and AI economy can only be solved by a less fragmented field of collectives.

Discussions sparked

The presentations sparked an in-depth (albeit brief as we hit upon our hour time limit) discussion, covering the connections between data and trade policy, consumer rights advocacy around the G7, the role of AI narratives in focussing attention on data use as a gateway into talking about data governance, and the importance of always asking who is at the table in multi-stakeholder events or global policy processes.

In particular, we explored the extent to which we need to make connections between different levels of data governance policy making, from the global, to the regional, and the local: seeing where it is useful to invest time in connecting conversations about broad principles and local practices, and better understanding, managing and shifting the way in which data governance conversations are sliced and diced in different ways around the world.

We’re looking forward to seeing how future Connected Conversations can make a contribution to this.