2 minute read
Box 1. Four main data governance paradigms
Bahrain, Jordan, Lebanon, Morocco, Oman, Qatar, and Tunisia enacted or updated their data protection laws in 2018. Other countries in the region (e.g., Saudi Arabia and United Arab Emirates) have considered a more prudent approach characterized by sector-specific data protection directives. Implementation of such legal and regulatory frameworks remains a work in progress, and efforts to finalize and adopt those frameworks must continue in view of remaining regulatory gaps (Daza Jaller and Molinuevo 2020).
Data governance frameworks should avoid inward-facing approaches by accounting for the cross-border nature of digital technologies and digital data flows. Some positive foundational initiatives exist for a regional digital technology framework, such as the Arab Digital Economy Strategy, which is designed to establish common principles and alignment on legislative and technological infrastructure across the Arab League. Countries in the Middle East and North Africa could build on these initiatives and draw inspiration from already developed data governance paradigms (see Box 1 on paradigms in China, European Union, the United States, and Singapore), with suitable adaptation for the regional context.
Box 1. Four main data governance paradigms
Cybersecurity, artificial intelligence, and data are key components of all digital development projects. Fundamentally, legal frameworks are needed to protect privacy and allow for redress of harm. In the highly diverse global landscape of data governance, several paradigms of personal data governance are discernable (with some common elements), but no convergence to a global standard is expected in the foreseeable future. Four broad paradigms have emerged in different country contexts. The European paradigm views data use as a liability and thus emphasizes protection of personal privacy rights. The European Union’s General Data Protection Regulation (GDPR), effective since May 2018, shifts the burden for maintaining the privacy and security of personal data to digital service providers by charging costs and imposing penalties if data collectors or processors allow data to be misused, lost, or stolen. The GDPR also limits the amount of personal data that businesses can collect, requiring that the information be “limited to what is necessary in relation to the purposes for which they are processed” (principle of data minimization). This model gives regulators unprecedented ability to penalize data abuses and authority over data collectors and processors. The U.S. paradigm emphasizes data as an asset and is a more market-oriented approach that specifies limited rules for collection and selling of digital data outside the health and banking spheres. Businesses are permitted to own the data they have invested in collecting, whether by observing Internet browsing patterns or through a credit bureau. This offers data collectors an asset with economic value, although this asset cannot be valued on firms’ balance sheets. The U.S. focus on market behavior to determine data collection and use has fostered the growth of giant tech firms such as Google and Facebook but has also been criticized for its lack of regulation and shortsighted approach to competition and individual rights. In China, the state has ultimate authority over data that users produce. Through strict control of companies operating in China (e.g. every entity doing business in China is required to host its data locally) and closed-circuit data sharing of camera footage, identity checks, WiFi connections, as well as health, banking, and legal records, China’s government has artificial intelligence systems that can recognize anyone in the country in real time and can link that identification to other data about them. Data flows freely to and within government departments and is designed to further the government’s social, political, and economic objectives.
continued on next page
