1、 G20Members Regulationsof Cross-Border Data Flows G20Members Regulationsof Cross-Border Data Flows Genev������a,2023 2023,United Nations This work is available through open access,by complying with the Creative Commons licence created for intergovernmental organizations,at http:/creativecommons.org/licens
2、es/by/3.0/igo/The findings,interpretatio��ns and conclusions expressed herein are those of the author(s)and do not necessarily reflect the views of the United Nations or its officials ��������or Member States.The designations employed and the presentation of material on any map in this work do not imply the e
3、xpression of any opinion whatsoever on the �����part of the United Nations concerning the legal status of any country,territory,city or area or of its authorities,or concerning the delimitation of its frontiers or boundaries.Photocopies and reproductions of excerpts are allowed with proper credits.This p
4、ublication has not been formally edited.United Nations publication issued by the Uni������ted Nations Conference on Trade and DevelopmentUNCTAD/DTL/ECDE/2023/1eISBN:978-92-1-002423-5 Photos:(cc)UnsplashivvG20 MEMBERS REGULATIONS OF CROSS-BORDER DATA FLOWSNoteIn accordance with the mandate given to it by m
5、ember States,UNCTADs E-Commerce and Digital Economy(ECDE)Branch in the UNCTAD ���Division on Technology and Logistics aims to contribute to enhanced inclusive and sustain-able development gains from e-commerce and the digital economy for people and businesses in developing countries,p����articularly least
6、developed countries(LDCs).The ECDE Programme works with government policymakers and development partners,civil society and the private sector to strengthen the readiness of devel-oping countries to harness the opportunities and address the risks presented by digitalization in four main ways,by:Prov������i
7、ding b������etter evidence on what policy changes are needed at the national,regional and international level to generate more inclusive and sustainable outcomes in the data-driven digital economy,including through the biennial Digital Economy Report;Offering tailored assistance to low-income countries to
8、 build their capacities to engage in ������and benefi t from e-commerce and the digital economy(eTrade����� Readiness Assessments,E-commerce Strategies,E-commerce and Law Reform,Measuring the Digital Economy);Empowering women digital entrepreneurs in developing countries to become more visible as role models a
9、nd therefore better heard by policy makers to foster change in the business enabling environment(eTrade ������for Women);Paving the way for more collaborative efforts and effective partnerships to make better us������e of scarce resources in the area of digital for development and build consensus(eTrade for all
10、,eCommerce Weeks,Intergovernmental Group of Experts).viForeword BY SHAMIKA N.SIRIMANNEDIRECTOR,DIVISION ON TECHNOLOGY AND LOGISTICSAccel�������erated digitalization has marked the experience of many in the pa��������st few years.This has led to a surge in digital data and data flows across borders.It is fair to sa
11、y that we are still looking for answers on the best approaches to handling data to ensure favourable outcomes.However,how we deal with data and data flows will have significant implications for our ability to meet the Sustainable Development Goals.And it will affect th�������e lives of people in countries
12、at all levels of development.This therefore remains one of the main policy challenges of our time.This report,and its underlying survey of G20 member States and invited guests during Indonesias 2022 G20 Presi������dency,highlight the multidimensional nature of data and consequently the multitude of legisl
13、ation which impact many areas for policy making,including child protection,health,competition,financial markets,and data governance.Harnessing data for all people and the planet will require new thin������king on and in-novative approaches to the governance of data.The discussions within the G20s Digital
14、Economy Working Group fostered efforts to strengthen stakeholders un-derstanding of commonalities,complementari�����ties,and elements of convergence between regulatory approaches,including the existing regional and multilateral arrangements,that enables data to flow with trust.P���������revious UNCTAD publication
15、s and research have demonstrated that the challenge going forward is to gover������n data and data flows in such a way that gains can be shared more equitably.And this process must allow for sufficient policy space for countries at varying levels of digital capabilities,to promote national ������priorities and
16、development objectives,while also addressing possible risks from digitalization.This report reflects UNCTADs commitment to providing new knowledge and in-sights to policy makers and to contribute to the much needed dialogue among member States on how to govern cross-border ����data flows with a view to
17、fostering sustainable development.While the body���� of this report looks at G20 participants,the United Nations has a key role to play,being the most inclusive forum in terms of country representation.viiG20 MEMBERS REGULATIONS OF CROSS-BORDER DATA FLOWSImportant lessons can perhaps be drawn from the w
18、ork on ������climate change,ensur-ing that all development aspects are considered.In the Digital Economy Report 2021,we recommended the establishment of a body or mechanism to facilitate more dialogue and coordination on data governance.It would need to be multilat-eral,multidimensional and multistakehold
19、er in its approach.���This report can contribute to building greater awareness of all the relevant areas that Governments are considering in the context of data governance,and support evidence-based consensus-building towards improving a balanced global approach to governing data.viiiixG20 MEMBERS REGU
20、LATIONS OF CROSS-BORDER DATA FLOWSAcknowledgements This report was prepared under the overall guidance of Shamika N.Sirimanne,D�������irector of the Division on Technology and Logistics,by Torbjrn Fredriksson and Laura Cyron.An earlier version was presented to the G20 Digital Economy Working Group at t�����he r
21、equest of the Indonesia G20 Presidency in 2022.UNCT������AD would like to thank the Government of Indonesia and all G20 Members and invited guests that provided responses to the questionnaire,based on which the following report was compiled,as well as to those that provided feedback to the report.The cove
22、r,graphics and desktop publishing were designed by Jess Als.Diana Quirs provided administrative support.Financial support from the Core Donors of the ECDE Programme Germany�������,the �������Netherlands,Sweden and Switzerland is gratefully acknowledged.xContentsNOTEVFOREWORD VIACKNOWLEDGEMENTS IX1.Introduction12.
23、Survey methodology 4Description of the questionnaire.4Motivation to include questions.4Response rates by section .43.Survey results 5Analy�����sis ����of laws and regulations presented.5Policy coordination and consultation.114.Conclusions14Implications for international cooperation on data governance.14Areas
24、 for potential further discussi��������on .155.References166.Annex 17ANNEX TABLE 1:PERSONAL DATA DEFINITIONS 17ANNEX TABLE 2:SENSITIVE DATA DEFINITIONS 20ANNEX TABLE 3:OVERVIEW OF SUBMISSIONS CATEGORIZED BY DATA TYPE 22RECENT UNCTAD PUBLICATIONS ON E-COMMERCE AND THE DIGITAL ECONOMY 26xiG20 MEMBERS REGULATI
25、ONS OF CROSS-BORDER DATA FLOWSAcronyms and abbreviationsG20Group of TwentyOECDOrganisation for Economic Co-operation and DevelopmentUNCTADUnited Nations Conference on Trade and Developme��������ntxii11.Introduction1.See Cisco,27 November 2018,Cisco Predicts M������ore Internet Protocol Traffic in the Next Five Ye
26、ars Than in the History of the Internet.2.This statement refers to openly available information from TeleGeography,the largest provider of data and analysis on long-haul networks and the undersea cable marke�����t.More information is available for subscription.Thus,it could be the case that more detailed
27、 statistics exist,but are proprietary.Data have become a k�����ey strategic asset for the creation of both private and social value.If well managed,data can help address global development challenges such as pandemics and climate change while promoting prosperity.However,negligent handling of data can co
�������������28、ntribute to highly unequal development outcomes and un-dermine the functioning of the Internet.Unified measurement of global data flows does not exist.However,it is clear that an already existing upward tendency was accelerated by COVID-19 when many activities moved online.One estimate suggested tha
29、t the global Internet Protocol traffic in 2022,both international an�������d domestic,would exceed all Internet traffic up to 2016.1 Meanwhile,this increase in data traffic and extent of value capture from the digital economy is not equally distributed across and between countries;available information sug
30、gests that traf�����fic,which can be seen as a rough proxy for value,is predominantly c�������oncentrated on two main East-West routes,between North America and Asia and North America and Europe(see Figure 1).2As highlighted in the Digital Economy Report 2021(UNCTAD,2021),the global landscape for the governance
31、 of data is fragmented,with countries adopting dif-ferent approaches to regulate and safeguard data flows across borders.There is a lack of globally agreed common definitions and understanding of basic concepts related to data and data flows.The v������������arious taxonomies that are used to classify types of
32、data are sometimes based on different criteria.For example,data may be collected for commercial or governmental purposes;used by the private or the public sector;may be instant or historic;sens�������itive or non-sensitive;personal or non-personal.Different understandings of key terms and approaches may un
33、dermine the interoperability of data access and sharing,including across borde�����rs.Regardless of the different definitions and concepts related to data and data flows,there are initiatives in the G20 and beyond to identify and unify convergences,commonalities and complementarities,in order to help in
34、the adequate development on the subject,through the experiences and authorities in the fi����eld of personal data protection of each country.G20 MEMBERS REGULATIONS OF CROSS-BORDER DATA FLOWS2Figure 1:Evolution of interregional international bandwidth,selected yearsLatinAmericaOceania200420152020EuropeC
35、anadaand theUnited StatesMiddle EastAsiaAfricaOceaniaMiddle East5001001600Terabytes per second10EuropeAfricaEuropeAfricaAsiaCanadaand theUnited StatesAfricaLatinAmericaAsiaEuropeSource:UNCTAD(2021),based on TeleGeography(2015,2019,2021).Note:One Tera����bite is equal t��������o 1,000 Gigabites.Data for 2024 are
36、 forecasts.The interface between the use of different taxonomies and cross-border data flows has not yet been much explored.This report analyses the responses t��o a survey of G20 Members current laws and regulations pertaining to cross-border data flows.It seeks to establish a better understanding of
3������7、 where there are commonalities,complementarities,convergence and divergence,and contribute to further dialogue on how to shape governance frameworks that can facilitate cross-border data flows and data free flow with trust.This report focuses predominantly on domestic policies of G20 member States a
38、nd invited guests3 affecting �������data flows.Consequently,they highlight unilateral ways of handling data�������-related issues and indirectly illustrate countries national priorities in safeguarding data and enabling data flows.For international discussions in this area to succeed,a better understanding of the
39、 national perspectives can be a beneficial component.3.The nine invited guest countries under the Indonesian presidency:Cambodia,Fiji,the Netherlands,Rwanda,Seneg�����al,Singapore,Spain,Suriname,and United Arab Emirates.INTRODUCTION3Data free flow���� with trust and cross-border data flows are topics of disc
40、ussion among G20 members since the Japanese Presidency in 2019.They continued under the Saudi Presidency in 2020 and the Italian Presidency in 20��������21.In 2022,under the Indonesian Presidency,the Digital Economy Working Group met for the first time,taking over from its predecessor,the Digital Economy Ta
41、sk Force.Discussions on cross-border data flows concern all countries,beyond the G20.This is also reflected in the grow�������ing body of relevant initiatives since 2021 such as the African Union Data Policy Framework,4 the G7 Trade Ministers Digital Trade Principles,5 multiple United Nations initiatives t
42、he Secretary Generals“Our Common Agenda”6 and UNICEFs Global Development Commons7 and initiatives from civil s�����ociety,for instance,the Datasphere Initiative8.Furthermore,there is an increasing body of ������policy relevant research on cross-border flows,as demonstrated by the Digital Economy Report 2021(UN
43、CTAD,2021).Moreover,the OECD reports on Mapping approaches to data and data flows(OECD,2020)and on Mappin������g commonalities in regulatory approaches to cross-border data transfers(Casalini et al.,2021)inform on the existing approaches for gover������nance of data flows and options on regulatory approaches.Th
44、e latter report put an emphasis on trade related aspects.To complement these insights,this report������� is based on G20 Members responses to a survey asking for any type of law and regulation linked to cross-border data flows.Given the growing role of data for all aspects of life,broadening the perspectiv
45、e for international cooperation in the area of cross-border da������ta flows will be essential to ensure that in the future the gains from digitalization can be shared more broadly������ across countries for the benefit of society,economies,people and the environment.4.https:/au.int/en/documents/20220728/au-dat
46、a-policy-framework5.https:/www.gov.uk/gov������ernment/news/g7-trade-ministers-digital-trade-principles6.https:/www.un.org/en/common-agenda7.https:/gdc.unicef.org/8.https:/www.thedatasphere.org/G20 MEMBERS REGULATIONS OF CROSS-BORDER DATA FLOWS42.Survey methodologyDescription of the questionnaireResponses
47、 by �������G20 Members and invited guests inform this report and analysis.The underlying survey elicited information on existing laws and regulations and some proposals that include provisions affecting cross-border data flows.This report aims to provide a description of the existing landscape in member St
48、ates of laws and regulations that take cross-border data flows into account.The survey aimed to categorize which types o�����f data certain laws and regulations are linked to and how these categories are defined.Categories include personal,non-personal,critical and sensitive data.This information was com
49、plemented by information on whether the law or regulation is specific to a sector and on the ministries and a������gencies responsibl�����e for its imple-mentation.Moreover,the survey aimed to find out how these laws and regulations impact cross-border data flows.In a second part,the survey asked about nationa
50、l(multistakeholder)coordination on data governance issues.Motivation to include questionsThe survey was as open ended as possible for countries to submit their laws and regulations.Given the gr������owing importance of data in all areas,the results presented here are indicative,but not exhaustive.The ques
51、tions aimed to create basic profiles of laws and regulations that pertain to cross-border data flows.They may indic���ate certain country-specific priorities but���� also highlight how pervasive data are in all areas of the economy and society.Response rates by section The response rate and level of engage
52、ment were high,with 90 per cent of G20 Members submitting responses plus contributions from five guests.Overall,the submissions included 92 national laws,regulations,and guidelines.SURVEY RESULTS53.Surv��������ey resultsAnalysis of laws and regulations presentedDefinitionsDiscussions in international fora o
53、n data and data flows can be facilitated by using common definitions �����for va�����rious concepts and terms when regulating data and data flows.Against this background,the survey requested respondents to specify,where possible,the definitions used in the different laws.Personal dataAt a basic level,definiti
54、ons appear to be aligned,as also pointed ou�����t in OECD(2020).In the submissions to the survey,the definitions of“personal data”overlap to a great extent across Members,although the level of detail provided varies(see Annex table 1).As some laws and regulations predate t�����he recent years of acceler-ated
55、digitalization,the definitions referring to personal or sensitive information are included as well.Some national laws limit �����the definition of personal data to information on identified or identifiable persons without any further details.In a law of Mexico,a further clarifica������tion on“identifiable”is a
56、dded,by stressing“when his/her identity may be directly or indirectly determined from any information”.Similar clarifications are also found in legal texts from the European Union,the Republic of Korea and the United Kingdom of Great Britain and Northern Ireland.Definitions also vary with re�������spect to
57、 the level of detail on the kind of information that may make someone identifiable.For e�����xample,Canadas Privacy Act includes,but is not limited to,23 specific features of informat����ion.Saudi Arabia lists 11 features in its Personal Data Protection Law,the United States of America includes 11 in its Pri
58、vac��������y Act,the definitions offered by the European Union and United Kingdom of Great Britain and Northern Ireland cov������er 10 categories,while the personal informa-tion protection act of the Republic of Korea contains three(see Annex table 1).Singapores Advisory Guidelines on Key Concepts in the Personal
59、 Data Protection Act extends the Acts definition by providing examples of possible features that make an individual identifiable.Another way to group the definitions is by their inclusion of provisions on whether and how these����� data are recorded or stored.Elements to this effect ������are included in the d
60、efinitions used by,for example,Australia,China,Indo������nesia and the United States of America.6Sensitive dataThe term“sensitive data”in the submissions is universally understood to be a subset of personal data(see Annex table 2).National definitions vary with regard to the kind of elements which are inc
61、luded as sensitive information(see Table 1).Table 1:Elements included in sensitive data definitionsCategoriesArgent��������ina AustraliaBrazilMexicoSaudi ArabiaRepublic of KoreaTrkiyeUnited KingdomBiometric informationCredit dataCriminal recordsEthnic/racial/tribal originGenetic informationHealth informatio
62、nLocation dataPhilosophical/moral convictionPolitical assoc.membershipPolitical opinionsReligious beliefSex lifeTrade union membershipUnknown parentageSource:UNCTAD,based on su�������rvey respons�������es by G20 member States and invited guests.SURVEY RESULTS7Critical dataAnother term used in discussions around c
63、ross-border data flows and their regula-tion is“critical data”,which is often left intentionally ambiguous(UNCTAD 2021:129)�����.The laws and regulations submitted seem to confirm this observation.Three countries refer to critical data in their submissions(Republic of Korea with respect to cloud compu������tin
64、g,Saudi Arabia for critical systems cybersecurity controls and Trkiye in the context of statistics).Critical data are defined on����ly in one instance,in the Republic of K������oreas Standards for Cloud Computing Service Information Protection(see Table 2).Table 2:Critical data definition DefinitionRepublic o
65、f KoreaStandards for Cloud Computing Service Information ProtectionCritical data:Important internal information data such as electronic approval,HR,and accounting managementAreas and sectors covered by the data regulationsThe survey submissions highlight the multi-�����dimensionality of data and the dive
66、rsity of areas potentially affected by data flows.Forty-two laws and regulations were predominantly linked to personal data,9 relate to non-personal data,and 41 refer to all types of data(see Annex table 3).As the term data free flow with trust implies,transferring data internationally req������uires a ce
67、rtain level of trust or legal safeguards which ensure that data are protected to a si�����milar extent outside the country as within.In line with this,a large share of submit-ted laws and regulations that are linked to cross-border data flows are focused on personal data and provisions allowing their tra
68、nsfer abroad,specifically with respect to persona�����l data protection and privacy(see Annex table 3,column 1).It is therefore not surprising that 28 submissions primarily focus on these aspects of safeguarding.These are complemented by laws that are less broad and more specific to elec-tronic communica
69、tions,health,financial transactions and the public sector.One law specifically addresses childrens privacy protection online,an aspect of the digital economy that was included for the first time in the Declaration of����� G20 Digital Ministers in Trieste under the Italian Presidency and in the included G
70、20 High Level Principles for Children Protection and Empowerment in the Digital Environment(G20,2021).9In the domain of submissions pertaining to non-pe������rsonal data(see Annex table 3,column 2),submissions can be grouped into four categories:geospatial data(2 submissions),trade secrets and intellectua
71、l property(4),trade(1)and cyberse-curity(1).Laws and regulations touching on all types of data(see Annex table 3,column 3�������)are related to the categories shown in Figure 2.9.https:/innovazione.gov.it/notizie/articoli/en/the-declaration-of-g20-digital-ministers/G20 MEMBERS REGULATIONS OF CROSS-BORDER D
72、ATA FLOWS8Figure 2:Categories of laws and regulations affecting“all data”Data governanceData bases/information systems/cloud computingCybersecurityTelecommunications/electronic informationLaw enforc�����ementCompetitionHealth(Public)procurementPublic sectorSource:UNCTAD,based on survey responses from G20
73、 member States and invited guests.These main themes are also mi������rrored in the list of sectors shown in Table 3,to which so��������me of the laws and regulations are specific.Table 3:Sector-specific legislationSector concernedG20 Members with relevant lawsBanking,financial sector,capital marketsSaudi Arabia,T
74、rkiye,������United StatesDefense and related private sectorUnited StatesGeospatialIndonesia,Republic of KoreaHealthIndonesia,United StatesICT and telecommunicationsEuropean Union,Indonesia,Saudi Arabia,Trkiye,United Kingdom,United StatesPublic sectorBrazil,Canada,Mexico,Republic of Korea,Saudi Arabia,Unit
75、ed StatesTradeEuropean Union,Indonesia,United StatesSource:UNCTAD,based on survey responses from G20 member States and invited guests.Data governance and the handling of data-related policy questions are not limited to one single ministry or agency.Instead,the multifaceted nature of data touc�������hes pol
76、icymaking of many government institutions(see Figure 3).This suggests a grow-ing need to ensure having relev�������ant expertise in data-related aspects across all ministries����� involved in data governance.Given the diversity of legal areas emerging from the submissions,it is clear that policies to enable dat
77、a free flow with trust go w������ell beyond the trade domain,which is SURVEY RESULTS9where most of the international discussions on cross-border data flows are currently happening as evidenced by international and regional agreements related to trade.10Indeed,a lot of legislation is primarily concerned wi
78、th personal data related aspects that may not be linked to trade,such as health or law enforcement.For example,the recent experience of COVID-19 and the international c������ollaboration to fight the pandemic,brought the role of responsible scientific use of he����alth and related data to the centre of attent
79、ion.Cross-border data flow provisionsPolicy approaches to governing cross-border data flows can be divided into unilat-eral,bilateral and multilateral ones,as r�����eflected in the survey submissions.Unilateral approachesFirst,most Members use adequacy,standard contractual clauses or binding cor-porate r
80、ules to enable international data trans�������fers.These provide an assessment of data protect�������ion(for personal data)before allowing data flows to take place.Second,data transfer plans requiring government approval are another unilateral mechanism to facilitate data free flow with trust.These are employed b
81、y Indonesia with respect to geospatial data,health data and per�����sonal data protection.Similarly,Trkiyes banking law has provisions which allow the Board of the Banking Regulation and Supervision Agency to prohibit inte�������rnational data flows as does their regulation on private archival material.Third,mu
82、ltiple submitted laws and regulations require consent from the data subjectas a condition for inter������national data flows.This is often used in the context of personal data.Another approach relates to data localization requirements.It is unilateral,but limits or conditions data to flow freely.Personal
83、data generated in the Russian Federation and by its inhabitants must be sto�������red locally first before it can be transferred abroad.In the context of cloud computing,Brazil requires a recent data backup to be main-tained in its territory.Saudi Arabia requires data and data infrastructure for cloud and
84、IoT systems to be maintained within the country.11 The same holds for the Republic of Koreas cloud computing services for public procurement,for which data need to be stored in the country.Trkiye has a provision which re�������quires data from t�����he financial sector and capital markets to have their primary
85、and secondary versions stored domestically,beyond t�������his there are no explicit restrictions on data flows.Indonesia and the ������Republic of Korea mandate that geospatial data are saved and processed domestically.Although,Indonesias regulation on implementation of geo-spatial information includes an except
86、ion where,when trained labour or equipment is not available within the country,processing can take place abroad.Fi������nally,Indonesia requires the domestic storage of health data,although under specific circumstances processing can take place abroad.10.Fo�������r instance,discussions as part of the Joint Initi
87、ative Negotiations on E-commerce,the Comprehensive and Pro����gressive Agreement for Trans-Pacific Partnership,the Regional Comprehensive Economic Partnership and the United States-Mexico-Canada Agreement.11.See the cloud computing regulatory fram������ework,the IoT regulatory framework,and the essential cybe
88、rsecurity controls.G20 MEMBERS REGULATIONS OF CROSS-BORDER DATA FLOWS1010Figure 3:Ministries and agen����cies responsible for different areas of data and data fl ows based on survey submissionsArgentina:Agency for Access�������� to Argentina:Agency for Access to Public InformationPublic InformationAustralia:Off
89、ice of the Australian Australia:Office of the Australian Information Commissioner Informat�������ion Commissioner Brazil:ComptrollerBrazil:Comptroller-General OfficeGeneral OfficeBrazil:Information Security Brazil:Information Security Department,Institutional Department,Institutional Security Cabinet,Presi
90、dency of Security Cabinet,Presidency of the Republic the Republic Brazil:National Data Protection Brazil:National Data Protection AuthorityAuthorityCanada:Office of the Privacy Canada:Office o������f the Privacy Commissioner of CanadaCommissioner of CanadaJapan:Personal Information Japan:Persona������l Informat
91、ion Protection CommissionProtection CommissionMexico:National Institute of Mexico:National Institute of Transparency,Access to Transparency,Access to Information&Protection o���f Information&Protection of Personal DataPersonal DataRepublic of Korea:Personal Republic of Korea:Personal Information Protec
92、tion Information Protection CommissionCommissionSaudi Arabia:Saudi Authority for Saudi Arabia:Saudi Authority for Data&Artificial IntelligenceData&Artificial IntelligenceSingapore:Personal Data Singapore:Personal Data Protection CommissionPro�����tection CommissionTrkiye:Personal Data Protection Trkiye:P
93、ersonal Data Protection AuthorityAuthorityUnited Arab Emirates:Emirates United Arab Emirates:Emirates Data Office Data Office United Kingdom:United Kingdom:Department for Department for Digital,Culture����,Media and Digital,Culture,Media and Sport;Sport;Information Information Commissioners OfficeCommis
94、sioners OfficeCambodia:Ministry of Post&Cambodia:Ministry of Post&Telecommunications Telecommuni�����cations Indonesia:Ministry of Indonesia:Ministry of Communications&Communications&InformaticsInformaticsJapan:Japan:Digital AgencyDigital AgencyRepublic of Korea:Ministry of Republic of Korea:Ministry of
95、Science&ICTScience&ICTRussian Federation:Fe������deral Russian Federation:Federal Service for Supervision of Service for Supervision of Communications,Information Communications,Information Technology,&Mass Media Technology,&Mass Media(RoskomnadzorRoskomnadzor)Saudi Arabia:Communications&Saudi Arabia:Comm
96、unications&Information Technology Information Technology CommissionCommissionSaudi Arabia:Ministry of Saudi Arabia:Ministry of Communications&Communications&Informati������onInformationSaudi Arabia:National Saudi Arabia:National Cybersecurity AuthorityCybersecurity AuthorityTrkiyeTrkiye:Information&:Infor
97、mation&Communication Technologies Communication Technologies AuthorityAuthorityIndonesia:Ministry �����of TradeIndonesia:Ministry of TradeSaudi Arabia:Saudi Central Saudi Arabia:Saudi Central BankBankTrkiye:Banking Regulation&Trkiye:Banking Regulation&Supervision AgencySupervision AgencyTrkiye:Capital Ma
98、rkets Board Trkiye:Capital Markets Board Trkiye:Ministr���������y of Treasury&Trkiye:Ministry of Treasury&FinanceFinanceUnited States:Commodity United States:Commodity Futures Trading CommissionFutures Trading CommissionUnited Kingdom:Department for United Kingdom������:Department for Digital,Culture,Media and Dig
99、ital,Culture,Media and SportSportUnited States:Federal Trade United States:Federal Trade Comm�����issionCommissionIndonesia:Ministry of HealthIndonesia:Ministry of HealthUnited Kingdom:Department for United Kingdom:Department for Digital,Culture,Media and Digital,Culture,Media and SportSportUnited States
100、:Department of United States:Department of Health&Human ServicesHealth&Human ServicesIndonesia:Ministry of HealthData/Information/Privacy protectionData/Information/Privacy protectionCommunications,Information���� Technology,PostCommunications,Information Technology,PostHealthHealthTrade/Financial Marke
101、tsTrade/Financial MarketsCambodia:Ministry of Post&Indonesia:Ministry of National Indonesia:Ministry of National Development Planning&Development Plan�������ning&Geospatial Information AgencyGeospatial Information AgencyRepublic of Kore����a:Ministry of Republic of Korea:Ministry of Land,Infrastructure&Land,In
102、frastructure&Transport,Spatial Information Transport,Spatial Information System DivisionSystem DivisionUnited Kingdom:Department for United Kingdom:Department����� for Digital,Culture,Media and Digital,Culture,Media and SportSportIndonesia:Ministry of TradeGeospatialGeospatialIndonesia:Ministry of Nation
103、al European Union&its member European Union&its member StatesStatesSaudi Arabia:Saudi Arabia:Saudi Authority for Saudi Authority for Data&Artificial IntelligenceData&Artifi������cial IntelligenceTrkiyeTrkiye:Presidency of ������the:Presidency of the Republic,Directorate of State Republic,Directorate of State Ar
104、chivesArchivesTrkiyeTrkiye:Turkish Statistical:Turkish Statistical InstituteInstituteUnited States:all federal United States:a����ll federal agencies in the executiveagencies in the executiveUnited Stat�����es:Department of United States:Department of JusticeJusticeUnited States:Office of United States:Offic
105、e of Management&BudgetManagement&BudgetUnited States:Secretary of United States:Secretary of DefenseDefenseOtherOtherSource:UNCTAD,based on survey responses from G20 member States a�������nd invited guests.SURVEY RESULTS11Bilateral approachesThe submitted laws from Canada,Mexico,Singapore and the United St
106、ates of America refer to������� contracts and memoranda of understanding for international par-ties to enable data flows,predominantly for personal data as well as data linked to commodities trading.Similarly,they put the responsibility on the local data controller to ensure that(foreign)data processors ad
107、here to the relevant safeguards.Judicial cooperation is an essential element of enabling cross-border data flows.Arge�����ntina,Canada,the Russian Federat������ion,the United Kingdom of Great Britain and Northern Ireland and the United States of America refer to bilateral judicial cooperation in this context.R
108、egulatory cooperation on data protection also plays an important role in creating a regulatory environment that enables,and builds trust in,data flows.Enhanced international regulatory cooperation can be secured through arrangements between regulators on issues such as enforcement,and through ������dialog
109、ues and agreements b����etween Governments.Regulatory cooperation is also a key area mentioned in the 2021 G7 Roadmap for Cooperation on Data Free Flow ���������with Trust.12Multilateral approachesGiven the focus of the survey on domestic laws,references to multilateral ap-proaches are limited in the submissions
110、.However,one of Trkiyes laws approves the Multilateral Convention on Mutual Administrative Assistance in Tax Matters to improve exchanges between countries on data related to taxation.�������Furthermore,European Union directives and regulations on establishing a digital single market involve by nature of t
111、his political and economic union multiple countries,with an aim of fostering free flow of data within the European Union member States as much as possible while using adequacy for����� transfers outside of the single markets borders.Singapore makes reference to using the Asia-Pacific Economic Cooperation
112、(APEC)Cross����-Border Privacy Rules System in a multilateral arrangement for cross-border data flows.Policy coordination and consultationThe multidimensional character of data that plays a role for the economy and so-ciety can be harnessed to generate much private and societal economic value.At the sam
113、e time,many non-economic aspects,such as childrens privacy,other human rights,and security,are also of concern to G20 member States.Given all these dimensions that cannot be disentangled for clea������r-cut policymaking,data have become a strategic resource for countries,firms and individuals.T����his suggest
114、s that to address existing and future opportunities and challenges related to data and data flows,it becomes increasingly impo�����rtant to develop holistic approaches to data governance(including management and implementation)in cross-border data protection to incorporate the cross-dimensional impact of
115、 various policy measures.A whole-of-government approach can be beneficial to determine broad 12.https:/www.gov.uk/government/publications/g7-digital-and-techn������ology-ministerial-declarationG20 MEMBERS REGULATIONS OF CROSS-BORDE������R DATA FLOWS12guiding principles and to coordinate policymaking across mini
116、stries and agencies.Furthermore,various actors are differently impacted by data and their governance.Consequently,multistake������holder consultations,which can elicit the needs outside the public sector,can add value for countries policy development.Lead agencies and departments for data governanceWhole-
117、of-government approaches which clearly identify one lead organization for the governments strategy on data governance may help coordinat�����e requirements and demands from society and economy.Six out of 13 countries that answered this part of the survey questionnaire responded affirmatively to the quest
118、ion of whether they had a ministry or agency that has the primary responsibility for coordinating issues related to data governance.In the United Kingdom of Great Britain and Northern Ireland this responsi����bility is shared between two entities.The Department for Digital,Culture,Media&Sport leads on g
119、eneral data governance frameworks while the Central Digital and Data Office leads on government data.T������he responsible agencies and ministries are listed in Figure 4.Figure 4:Lead agencies for data governance in selected countriesArgentinaAgency for Access to Public I�������nformationCambodiaMinistry of Post
120、 and Telecommunications of CambodiaMexicoNational Digital Strategy Coordination,direct report to the Office of the PresidentSaudi ArabiaSaudi Data and AI AuthorityUnited Arab EmiratesEmirates Data OfficeUnited KingdomDepartment for Digi�����tal,Cultu������re,Media and Sport&Cabinet Office,Central Digital and D
121、ata OfficeSource:UNCTAD,based on survey responses from G20 member States and invited guests.Mechanisms for multistakeholder dialogue on data governanceA growing number of countries have set up multistakeholder dialogues to secure inputs into the policymaking process.In t������he survey,ten out of 15 count
122、ries that responded to this part indicated that they have such a mechanism in place.Canada introduced its Digital Charter following multistakeholder consultations.A Digital Charter Implementation Act is currently being discussed in parliament�������.Mexico introduced the“Abramos Mxico”initiative in Februar
123、y 2022.It aims to dev�������elop a National Open Data Policy in a public,open and collaborative way with multisectoral inputs.This endeavour is promoted by multiple agencies including S SURVEYURVEY RESULTS RESULTS13the National Institute for Transparency,Access to Information and Protection of Personal Dat
124、a,the National Transparency System,the regula�������tory body for statistical and geographical information civil society and academia.The Republic of Korea has set up an“Open Data Strategy Council”under the prime minister,with participation of other ministers,and co-chaired by the private sector.The counci
125、l guides and coordinates the Governments p������olicies,plans on open government data,and monitors their implementation.It is led by the Ministry of Interior and Safety.Saudi Arabias national regulatory committee provides a collaborative regulation mechanism through which various regulations linked to dig
126、ital are harmonised and implemented.The Data Pro�������tection Advisory Committee of Singapore,consisting of public and private sector as well as civil society representatives,advises the������� Personal Data Protection Commission with respect to reviewing and administrating the personal data protection framework
127、.In the United Arab Emirates,federal govern������ment entities and the private sector engage in consultations for the co-drafting of policies.The United Kingdom of Great Britain and Northern Ireland incorporates multistake-holder feedback through various mechanisms and fora,including the National Data Str
128、ategy Forum and the International Data Transfers Expert Council,expert and advisory groups and expert networks from academia and the private sector.Furthermore,the Government publishes public and stakeholder consult�������ations for policy interventions linked to data.Finally,thre����e members regularly hold d
129、iscussions with various stakeholders on data governance issues.G20 MEMBERS REGULATIONS OF CROSS-BORDER DATA FLOWS144.Conclusions13.For a longer discussion on this aspect,please refer to UNCTADs Digital Economy Report 2021.The responses to the que�������stionn������aire highlight the diversity of laws and regulat
130、ions which are linked to cross-border data flows.Given the growing importance of data,thi�����s trend is likely to continue and ever more sectors may be affected by data and laws governing data flows.Implications for international cooperation on data governanceThe survey highlights that,for some aspects
131、of data,national definitions do ������overlap a great deal,although there remain differences at a more granular level,for example with regard to the definition of personal data.While the bulk����� of the submissions is on governing personal data,the responses highlight that several countries also govern non-pe
132、rsonal data.Building a deeper understanding of wh������ere commonali-ties and differences may exist is important to explore future opportunities for finding common ground.The survey responses also illustrate that data flows are not equal to trade,nor are the laws and regulations confined to trade contexts
133、.13 In none of the countries that responded to the data governance se��������ction of survey is the Ministry of Trade or Co������mmerce the lead for issues related to data governance.Nevertheless,at the international level,cross-border data flows are currently discussed predominantly in the context of trade agree
134、ments.Furthermore,current international agreements,particularly trade agreements but also discussions within the OECD,the Council of Europe and reg�����ional initiatives,tend to be too limited geographically,especially low-income countries are often not parties to these agreements,and in scope,pos-sibly
135、failing to govern cross-border data flows in a way that allows for an equitable sharing of economic development gains while properly addressing possible risks.The current situation may serve as a poin����t of departure towards broadening �����the discussion on how data governance frameworks may be developed
136、to support global development goals while allowing sufficient policy space for countries at varying levels of digital capabilities to secure national priorities and development objectives.CONCLUSIONS15Areas for potential further discussion������� Based on the results from this survey,the G20 may in the fut
137、ure wish to discuss possible ways forward to agreeing on common terminology of ����key concepts related to data governance.In view of the different approaches adopted by Members,fur-ther sharing of experiences may be useful with a view to identifying good practices that might be emulated by others.Discu
138、ssions within the G20 would be part of a broader move towards reaching consensus on the global scale,with participation of all countries.At the same time,discussions on dat����a governance frameworks that enable combining global development goals and countries policy space m�����ay be helpful.This aspect may
139、 be taken up further by the coming Presidencies of India,Brazil and South Afr����ica.Special attention may be warranted to approaches that may help to fully factor in the multi-�������dimensional character of data,and perspectives of multiple stakeholders,when designing and implementing different laws and regu
140、la-tions affecting data and data flows.G20 ME��������MBERS REGULATIONS OF CROSS-BORDER DATA FLOWS165.ReferencesCasalini�������� F,Lpez Gonzlez J and Nemoto T(2021).Mapping commonalities in regulatory approaches to cross-border data transfers.OECD Trade Policy Paper,No.248,OECD Publishing,Paris.Available at:https:/d
141、oi.org/10.1787/ca9f974e-en.G20(2021).Declaration of G20 Digital Ministers:Leveraging Digitalisation for a Resilient,Strong,Sustainable and Inclusive ����Recovery.OECD(2020).Mapping Approaches to Data and Data Flows.Report for the G20 Digital Economy Task Force,Saudi Arabia.OECD,Paris.TeleGeography(2015)
142、.International Bandwidth Trends in Africa.What Has(and Hasnt)Changed in the Past Five Years,27 August.Available at:http:/isoc-ny.org/afpif2015/AfPIF2015_Teleography.pdf.TeleGeogr������aphy(2019).Back to the Future.Presentation by Alan Mauldin,TeleGeography Workshop at Pacific Telecommunications Council(P��T
143、C),20 January.Available at:https:/ the Cloud,Overland and Undersea.Trends in Cloud Infrastructure and Global Networks,17 Februrary.Available at:https:/ Economy Report 2021 ������Cross-border data flows and development:For whom the data flow.UNCTAD/DER/2021.�������ANNEx176.AnnexAnnex table 1:Personal data definit
144、ions������CountryDefinitionArgentinaLaw ��������n 25.326 on Personal Data Protection(Art.2)Personal data:Information of any kind referring to specific or identifiable natural or legal persons.AustraliaPrivacy ActPersonal information means information or an opinion about an identified individual,or an individual w
145、ho is reasonably identifiable:(a)whether the information or opinion is true or not;and(b)whether the information or opinion is recorded in a material form or not.BrazilGeneral Data Protection Law(Lei Ge����ral de Proteo de Dados Pessoais,Art.5 I)Personal data:infor�������mation regarding an identified or ident
146、ifiable natural person.CanadaPerso�����nal Information Protection and Electronic Documents Act(Definitions)Person�������al information means information about an identifiable individual.CanadaPrivacy Act(Definitions)Personal information means information about an identifiable individual that is recorded in any
147、form including,without restricting the generality of the foregoing,(a)information relating to the race,national or ethnic origin,colour,religion,age or marital status of the individual,(b)information relating to the education or the medical,cr�����iminal or employment hist�����ory of the individual or informa
148、tion relating to financial transactions in which the individual has been involved,(c)any identifyin���������g number,symbol or other particular assigned to the individual,(d)the address,fingerprints or blood t������ype of the individual,(e)the personal opinions or views of the individual except where they are abou
149、t another individual or about a proposal for a grant,an award or a prize to be made to another individual by a government institution or a part of a government institut��������ion specified in the regulations,(f)correspon������dence sent to a government institution by the individual that is implicitly or explicit
150、ly of a private or confidential nature,and replies to such correspondence that would reveal the contents of the original correspondence,(g)the views or opinions of another individual about the ind������ividual,(h)the views or opinions of another individual about a proposal for a grant,an award or a prize
151、to be ma����de to the individual by an institution or a part of an institution referred to in paragraph(e),but excluding the name of the other individual where it appears with the views or opinions of t��������he other individual,and(i)the name of the individual where it appears with other personal information
152、relating to the individual or where the disclosure of the name itself would reveal information about the ind�������ividual.G20 MEMBERS REGULATIONS OF CROSS-BORDER DATA FLOWS18CountryDefinitionChinaPersonal Information Protection Law of the Peoples Republic of China(Art.4)Personal information refers to vari
153、ous information related to an identified or identifiable natural person recorded electronically or by other means,but does not include anonymized information.IndonesiaGovernment�������� Regulation No.71 of 2019 R������egarding Implementation of Electronic System and TransactionPersonal data is any data about a pe
154、rson(where person is an individual,whether a citizen,foreign national,or an entity)either identified and/or can be identified separately or in combination with other inform������atio������n either directly or indirectly through electronic and/or non-electronic systems.IndonesiaMinister of Communications and Inf
155、ormatics Regulation No.20 of 2016 on Personal Data Protection in the Electronic SystemPersonal data that may identify certain individual directly or indirectly that is stored,maintained which truthfulness and confidentiality t����hereof secured and protected.JapanAct on the Protection of Personal Inform
156、ationInformation relating to a living �����individual which falls under any of the following items:(i)those containing a name,date of birth,or o�������ther descriptions,etc.(meaning any and all matters(excluding an individual identification code)stated,recorded or otherwise expressed using voice,movement or oth
157、er methods in a document,drawing or electromagnetic record(meaning a record kept in an electromagnetic form(meaning an electronic,magnetic or other forms that cannot be recognized through the human senses;the same applies in item(ii)of the following paragraph);t���he same a�����pplies hereinafter)whereby a
158、specific individual can b�������e identified(including those which can be readily collated with other information and thereby identify a specific individual);(ii)those containing an individual identification code.MexicoFederal Law for the Protection of Personal Data in Possession������ of Individuals(Art.3 V)Any
159、 information concerning an identified or identifiable individual.MexicoGeneral Law for the Protection of Personal Data in Possession of Obligated Entities(Art.3 XXI)Any information concerning an identified or identifiable natural person.An individual is deemed to be identif��������iable when his/her identit
160、y may be directly or indirectly determined from any information.Russian FederationFederal Law No.152-FZ on Personal Data 2006(Personal Data Protection Act,Art.3)Personal d�����ata is any information directly or indirectly related to an identified or identifiable individual(data subject).Saudi ArabiaPerso
161、nal Data Protection Law Any piece of data,whatever its source or format,that identifies,or makes it possible to identify,a natural person directly or indi�����rectly,e.g.name,personal ID number,addresses,contact numbers,license numbers,records,personal property details,bank account numbers,credit cards,m
162、ovin�����g or still pictures images of an individual,and other information of a personal nature.ANNEx19CountryDefinitionRepublic of KoreaPersonal Information Protection Act(Art.2(1)The term“personal information”means any of the following information relating to a living individual:(a)Information that ide
163、ntifies a particular individual by his or her full name,resident registration number,image,etc.;�������(b)Information which,even if it by itself does not identify a particular individual,�����may be easily combined with other information to identify a particular individual.In such cases,whether or not there is
164、ease of combination shall be determined by reasonably considering the time,cost,technology,etc.used to identify the individual such as like�����lihood that the other information can be procured;(c)Information under items(a)or(b)above that is pseudonymized in accordance with subparagraph 1-2 below and the
165、reby becomes incapable of identifying a particular individual without the use or combination of information for restoration to th������e original state(hereinafter referred to as“pseudonymized information”).SingaporePersonal Data Protection Act 2012(Sec.2)“Personal data”means data,whether true or not,abou
166、t an individual who can be identified(a)from that data;or(b)from that data and other information to which the organisation has or is likely to have access;TrkiyePersonal Data Protection LawPersonal data means any information relating to an identified or ���identifiable natural person.United Kingdom of
167、Great Britain and Northe��������rn IrelandGDPR and Data Protection Act 2018Personal data means any information relating to an identified or identifiable living individual.“Identifiable living individual”means a living individual who can be identified,directly or indirectly,in particular by reference to an i
168、dentifier such as a name,an identification number,location data or an online identifier,or one or more factors specific to the physical,physiological,genetic,mental,economic,cultura��������l or social identity of the individual.United States of AmericaThe Privacy Act of 1974,5 United States Code 552aRecords
169、 maintained on individuals.The term record means any item,collection,or grouping of information about an�������� individual that is maintained by an agency,including,but not limited to,his education,financial transactions,medical history,and criminal or employment history and that contains his name,or the i
170、dentif�����ying number,symbol,or other identifying particular assigned to the individual,such as a finger or voice print or a photograph.United States of AmericaHealth Insurance Portability and Accountability Act of 1996(HIPAA)Privacy,Security,Breach Notification,and Enforcement Rules(160.103)In�������dividuall
171、y identifiable health information is information that is a subset of health information,including demographic information collected from an individual,and:(1)Is created or r��������eceived by a health care provider,h����ealth plan,employer,or health care clearinghouse;and(2)Relates to the past,present,or future
172、 physical or mental health or condition of an i�����ndividual;the provision of health care to an indi�����vidual;or the past,present,or future payment for the provision of health care to an individual;and(i)That identifies the individual;or(ii)With respect to which there is a reasonable basis to believe the i
173、nformation can be used to identify the individual.European UnionGeneral Data Protection Regulation 20������16/679(Art 4(1)and other regulations/directives linked to personal dataPersonal data means any information relating to an identified or identifiable natural person(data subject);an identifiable natur
174、al person is one who can be identified,directly or indirectly,in particular by reference to an identifier such as a name,an identification number,locatio����n data,an online identifier or to one or more factors specific to the physical,physiological,genetic,mental,economic,cultural or social identity of
175、 that natural person.G20 MEMBERS REGULATIONS OF CROSS-BORDER DATA FLOWS20Annex table 2:Sensitive dat��������a definitionsCountryDefinitionArgentinaLaw n 25.326 on Personal Data Protection(Art.2)Sensitive data:Personal data revealing racial and ethnic origin,political opinions��������,religious,philosophical or mora
176、l convictions,trade union membership and information concerning health or sex life.AustraliaPrivacy ActSensitive information means:(a)information or an opinion about an individuals:(i)racial or ethnic origin;or(ii)political opinions;or(iii)membership of a political association;or(iv)religio������us belief
177、s or affiliations;or(v)philosoph������ical beliefs;or(vi)membership of a professional or trade association;or(vii)membership of a trade union;or(viii)sexual orientation or practices;or(ix)criminal record;that is also personal information;or(b)health information about an individual;or(c)genetic information
178、 abo������ut an individual that is not otherwise health information;or(d)biometric information that is to be used for the purpose of automated biometric verification or biometric identification;or(e)biometric templates.BrazilGeneral Data Protection Law(Lei Geral de Proteo de Dados Pessoais,Art.5 II)Sensit
179、ive personal data:personal data conce�������rning racial or ethnic origin,religious belief,political opinion,trade union or religious,philosophical or political,organization membership,data concerning health or sex life,genetic or biometric data,when related to a natural person.Mexico Federal Law for the P
180、rotection����� of Personal Data in Possession of Individuals;General Law for the Protection of Personal Data in Possession of Obligated EntitiesSensitive personal data:Those personal data that affect the most intimate sphere of their owner,or whose improper use may give rise to discrimination or entail a
181、 serious risk for the owner.In particular,sensitive data are considered to be those th������at may reveal aspects such as racial or ethnic origin,present and future state of health,genetic information,religious,philosoph������ical and moral beliefs,trade union membership,political opinions,sexual preference.Sau
182、di Arabia Personal Data protection law Personal data that reveals an individuals ethnic or tribal origin,political opinions������,religious or philosophical beliefs,or trade union membership.Sensitive data also includes criminal and security data,biometric data for the purpose of uniquely identifying a na
183、tural person,genetic data,cr���edit data,health data,location data,and data revealing that an individual is of unknown parent�����(s).Republic of KoreaPersonal Information Protection ActA personal information controller shall not process any information prescribed by Presidential Decree(hereinafter referred
184、 to as“sensitive information”),including ideology,belief,admission to or withdrawal from a trade union or political party,political opinions,health,sex life,and other personal information that �������is likely to markedly threaten the privacy of any data subject.Trki����yePersonal Data Protection LawPersonal d
185、ata relating to the race,ethnic origin,political opinion,philosophical belief,religion,religious sect or other belief,appearance,membership to associations,foundations or trade-unions,data concerning health,sexual life,criminal convictions and security measures,and the bi�����ometric and genetic data are
186、 deemed to be special categori�������es of personal data.ANNEx21CountryDefinitionUnited Kingdom of Gre�������at Britain and Northern IrelandGDPR and Data Protection Act 2018In this section,“sensitive processing”means(a)the processing of personal data revealing racial or ethnic origin,political opinions,religious
187、or philosophical beliefs or trade union membership;(b)the processing of genetic data,or of biometric data,for the purpose of uniquely identifying an individual;(c)the proce�������ssing of data concerning health;(d)the processing of data concerning an individuals sex life or sexual orientation.Criminal reco
188、rds are also included under this definition.European UnionEuropean Union Regulation on the protection of natural persons with regard t������o the processing of personal data and on the free movement of such data,and repealing Directive 95/46/EC(General Data Protection Regulation)This Regulation also provi
189、des a margin of manoeuvre for Member States to specify its rules,including for the processing of special categories of personal data(sensi�������tive data)G20 MEMBERS REGULATIONS OF CROSS-BORDER DATA FLOWS22Annex table 3:Overview of submissions categorized by data typePersonal dataPersonal data/information
190、 protection Argentina:Law n 25.326 on Persona�������l Data Protection Argentina:Provision n60/2016 of the Agency for Access to Public Information Cambodia*:Draft data protection law Canada:Personal Information Protection and Electronic Documents Act China:Personal Information Protection Law of the Peoples
19��������1、Republic of China Indonesia:Minister of Communications and Informatics Regulat����ion No.20 of 2016 on Personal Data Protection in the Electronic System Japan:Act on the Protection of Personal Information Mexico:Federal Law for the Protection of Personal Data in Possession of Individuals+Regulation Mexi
192、co:General Guidelines on Personal Data Protect���ion for the Public Sector Mexico:General Law for the Protection of Personal Data in Possession of Obligated Entities Republic of Korea:Personal Information Protection Act Russian Federation:Federal Law No.152-FZ on Personal Data 2006(Personal Data Protec
193、tion Act)Saudi Arabia:Personal Data Protection Law Singapo�������re:Personal Data Protection Act 2012 Trkiye:Personal Data Protection Law United Arab Emirates:Federal Decree Law No.45 Of 2021 On Personal Da������ta Protection United Kingdom:Data Protection Act 2018 United Kingdom:Privacy and Electronic Communica
194、tions(European Commission Directive)Regulations 2003 ����European Union:Directive(European Union)2016/680 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention,investigation,detection or prosecution of criminal off
195、ences or the execution of criminal penalties,and on the free movement of such data.European Union:Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic comm���unications sector(Direct
196、ive on privacy and electronic communications)European Union:Regulat����ion 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union in������stitutions,bodies,offices and agencies and on the free
197、movement of such data European Union:Regulation of the European Parliament and of the Council concerning the respect for private life and the protection of personal data in�������� electronic communications and repealing Directive 2002/58/EC(Regulation on Privacy and Electronic Communications)General Data P
198、rotection Law/Regulation Brazil:General Data Protection Law(Lei Geral de Proteo de Dados Pessoais)of such data,and repealing Directive 95/46/EC United Kingdom:United Kingdom General Data Protection Regulation and Data Protection Act 2018 European Union:Regulation on the protection of natur�������al persons
199、 with regard to the processing of personal data and on the free movement������Privacy Law/Act Australia:Privacy Act 1988 Canada:Privacy Act United States:Privacy Act of 1974,5 �������United States Code 552a European Union:Directive 2002/58/EC on privacy and electronic communicationsElectronic communications Trki
200、ye:By-Law on the Processing of Personal Data and the Protection of Confidentiality in the Electronic Communications Sector Trkiye:Electronic Communications Law No.5809 ANNEx23 United States:Stored Communications Act Canada:Personal Info�����rmation Protection and Electronic Documents Act Indonesia:Re������gula
201、tion No.20 of 2016 on Personal Data Protection in the Electronic System United Kingdom:Privacy and Electronic Communications Regulations 2003 European Union:Directive 2002/58/EC on privacy and electronic communicationsFinancial transaction related Cambodia:�������Law on taxation Trkiye:Ba����nking Law No.5411
202、Trki����ye:Law on Approval of the Multilateral��� Convention on Mutual Administrative Assistance in Tax Matters(MAC)No.7018 Trkiye:Tax Procedure Law No.213 Health Russian Federation:Federal Law No.323 on the Fundamentals of Protection of the Health of Citizens in the Russian Federation United States:Confid
2�����03、entiality of Substance Use Disorder Patient Records United States:Health Insurance Portability and Accountability Act of 1996 Privacy,Security,Breach Notification,and Enforcement RulesPublic sector Trkiye:Statistic������s law of Trkiye Mexico:General Law for the Protection of Personal Data in Possession o
204、f Obligated Entities Mexico:General Guidelines on Personal Data Protection for the Public Sector European Union:Regulation 2018/1725 on the protection of natural persons with regard to the processing of personal data by the Union inst����itutions,bodies,offices and agencies and on the free movement of s
205、uc������h dataOther Cambodia:Law on consumer protection Russian Federation:Civil Aviation Code(Article 85.1)United States:Childrens Online Privacy Protection ActNon-personal dataGeospatial Indonesia:Government Regulation No.45���� of 2021 on Implementation of Geospatial Information Republic of Korea:Act on th
206、e Establishment and Management of Spatial DataTrade secrets/Intellectual Property United States:Copyright Law United States:Economic Espionage Act European Union:Directive 2��������016/943 of the European Parliament and of the Council of 8 June 2016 on the protection of undisclosed know-how and business inf
207、ormation(trade secrets)against their unlawful acquisition,use and disclosure European Union:Directive 2019/790 on copyright and related rights in the Digital Single Market and am������ending Directives 96������/9/EC and 2001/29/ECTrade Indonesia:Government regulation No.5 of 2020 on Trade Information System(der
208、ivative from Law No.7 of 2014 on Trade,amended by Law No.11 of 2020 on Job Creation)Cybersecurity European Union:ENISA(the European Union Agency for Cybersecur����ity)and on information and communications technology cybersecurity certification(Regulation 201�����9/881)Other European Union:Framework for the f
209、ree flow of non-personal data in the European Union(Regulation 2018/1807)G20 MEMBERS REGULATIONS OF CROSS-BOR�����DER DATA FLOWS24All dataCybersecurity Cambodia*:Draft cybersecurity law ������China:Data Security Law Saudi Arabia:Critical systems cybersecurity controls Saudi Arabia:Essential cybersecurity contr
210、ols United States:Federal Information Security Modernization Act Databases/information systems/cloud computing Minimum information security requirements for cloud computing for pub��������lic administration Brazil:Normative Instruction GSI/PR N 5-Provides fo�����r the minimum information security requirements fo
211、r the use of cloud computing solu����tions by bodies������ and entities of the federal public administration.Republic of Korea:Standards for Cloud Computing Service Information Protection European Union:Directive 96/9/EC of the European Parliament and of the Council of 11 March 1996 on the legal protection of
212、 databases Saudi Arabia:Cloud computing regulatory framework Saudi Arabia:Cloud first policy Saudi Arabia:IoT regulatory framework������ Trkiye:Communiqu on management of information systems European Union*:Harmonised Rules on Artificial Intelligence and Amending Certain Union Legislative Acts(Artificial
213、Intelligence Act)Data governance Argen������tina:Provision n60/2016 of the Agency for Access to Public Information Brazil:Open data policy Cambodia*:Draft data governance policy Japan:Basic Act on the Advancement of Public and Private Sector Data Utilization Saudi Arabia:Data Classification Policy United
214、States:Open Government Data Act European Union*:Regulation on harmonised rules on fair access to and use of data(�������Data Act)European Union:Regulation(European Union)2022/868 on European data governance and amending Regulation(European Union)2018/1724(Data Governance Act)European Union:A European strat
215、egy for dataHealth Indonesia:Government Regulation No.46 of 2014 on Health Information System European Uni����on*:European Health Data Space Security/Law Enforcement United States:Clarifying Lawful Overseas Use of Data(CLOUD)Act United States:Judicial Redress Act(link to criminal offenses)U������nited States:
216、�������The Wiretap Act(Public)Procurement Cambodia:Law on public procurement ��������United States:Procurement Law-10 United States Code 3771,130,3013;related procurement regulations Competition European Union*:Single Market For Digital Services European Union*:Regulation of the European Parliament and of the Coun
217、cil on contestable and fair markets in the digital sector(Digital Markets Act)European Union:Directive 2019/790 ����on copyright and related rights in the Digital Single MarketTelecommunications/Electronic Information Cambodia:Law on telecommunications Indonesia:Law No.11 of 2008 on Electronic Informati
218、on and Transaction as lastly amended by Law No.19 of 2016(Law 11/2008)+Regulation No.71 of 2019 Russian Federation:Federal Law No.149-FZ on Information,Information Techno�������logies and Data Protection 2006(Data Protection Act)ANNEx25 United States:The Stored Co������mmunications Act,18 United States Code 2701
21�������9、 et.seq.Public sector Cambodia:Digital government policy Trkiye:Regulation on the Services of State archive Other Cambodia:Digital Economy and society policy framework Cambodia:Draft digital development policy Cambodia:Law on e-commerce United States:Commodity Exchange Act Note:The categorization in
220、 this table is predominantly descriptive to highlight clusters of topics addressed by the laws and regulations nor are the categories exclusive.Some laws and regulations are listed multiple times as they fall into������� several categories.*indicate drafts and proposals.Source:UNCTAD bas������ed on G20 member St
221、ates and invited guests submissions.G20 MEMBERS REGULATIONS OF CROSS-BORDER DATA FLOWS26Recent UNCTAD publications on E-commerce and the Digital EconomyDigital Economy Report(formerly I��������nformation Economy Report)Digital Economy Report 2021:Cross-border data flows and development:For whom the data flo
222、w,UNCTAD/DER/2021,2021.Digi����tal Economy Report 2019:Value Creation and������� Capture:Implications for Developing Countries,UNCTAD/DER/2019,2019.Information Economy Report 2017:Digitalization,Trade and Development,UNCTAD/IER/2017,2017.Information Economy Report 2015:Unlocking the Potential of E-commerce for
223、 Developi�������ng Countries,UNCTAD/IER/2015,2015.Other Research StudiesDigital Economy Report Pacific Edition 2022:Towards value creation and inclusive-ness,UNCTAD/DTL/ECDE/2022/4,2023.E-commerce and the digital economy in LDCs:At breaking point in COVID-19 tim������es,UNCTAD/DTL/STICT/2022/1,2022.COVID-19 and
224、e-commerce:a global review,UNCTAD/DTL/STICT/2020/13,2021.What is at stake for developing countries in trade neg������otiations on e-commerce?The case of the joint statement ����initiative,UNCTAD/DITC/TNCD/2020/5,2021.UNGIS Dialogue on the Role of Digitalization in the Decade of Action:Accelerating the achieve
225、ment of the SDGs through better collaboration in the UN System,UNCTAD/DTL/STICT/INF/2020/3,2������020.COVID-19 and e-commerce:impact on businesses and policy responses,UNCTAD/DTL/STICT/2020/12,2020.eTrade Readiness AssessmentsFast-tracking implementation of eTrade Readiness Assessments Second edition,UNCT
226、AD/DTL/STICT/2022����/5,2022.Tunisia:eTrade Readiness Assessment,UNCTAD/DTL/STICT/2022/3,2022.Cte dIvoire:eTrade Readiness Assessment,UNCTAD/DTL/STICT/2020/11,2021.Fast-tracking implementation of eTrade Readiness Assessments,UNCTAD/DTL/STICT/2020/9,2020.ANNEx27Member States of the West African Economic
227、and Monetary Union eT������rade Readiness Assessment,UNCTAD/DTL/STICT/2020/10,2020.United Republic of Tanzania:Rapid eTrade Readiness Assessment,UN�������CTAD/DTL/STICT/2020/2,2020.Kiribati:Rapid eTrade Readiness Assessment,UNCTAD/DTL/STICT/2019/15,2019.Afghanistan:Rapid eTrade Readiness Assessment,UNCTAD/DTL/ST
228、ICT/2019/5,2019.Bangladesh:Rapid eTrade Readiness Assessment,UNCTAD/DTL/STICT/2019/6,2019.Zambia:Rapid eTrade Readiness Assessment,UNCTAD/DTL/STICT/2018/10,2018.Uganda:Rapid �������eTrade Readiness Assessment,UNCTAD/DTL/STICT/2018/9,2018.E-commerce and Law ReformData protection regulations and internationa
229、l data flows:Implications for trade and development,UNCTAD/DTL/STICT/2016/1,2016.Review of e-commerce legislation harmonization in the Association of Southeast Asian Nations,UNCTAD/DTL/STICT/2013/1,2013.Measu�������ring E-commerce and the Digital EconomyImpacts of the covid-19 pandemic on trade in the digital economy,UNCTAD Technical Notes on ICT for Development No.19,TN/UNCTAD/ICT4D/19,2021.Manual for the Production of Statistics on the Digital Economy 2020,UNCTAD/DTL/STICT/2021/2,2021.Printed at United Nations,Geneva 2304579(E)March 2023 362 UNCTAD/DTL/ECDE/2023/1
sgpjbg002
工作日 8:30 - 17:30
报告分类
