'Agile governance' could redesign policy on data protection. Here's why that matters

Although technology regulation is evolving rapidly in today's world, such regulation remains greatly fragmented across national and regional divides. Agile governance can potentially solve this fragmentation by promoting nimbler, more fluid, and more adaptive approaches to regulation.

Whether it is privacy, cyber security, cyber warfare, national security, or prohibited content, every hot-button issue in technology governance today seems to be of global concern, yet resides in the hands of nationally-focused lawmakers relying on outdated policies that continue to reinforce the fragmentation of technology regulation.

Take data protection, for example. The EU's General Data Protection Regulation (GDPR), which was first proposed in 2012 and came into effect in 2018, is essentially an international privacy law for data protection. Any organization that processes any personal data from any EU citizen is covered.

Beyond its extraterritorial impact, it has inspired similar efforts to update and improve data protection in other jurisdictions, such as in Japan, Chile, Egypt, and the state of California in the United States.

This flurry of GDPR-inspired activity gave hopes that data protection would become more consistent over time. Indeed, there are established mechanisms for precisely this. For more than 20 years, the European Commission has conferred "adequacy" rulings on national regimes that meet its strict data protection standards, allowing personal data to flow unimpeded across borders. However, only a handful of countries and territories have received the European Commission's "adequacy" decision, including Japan and the United Kingdom.

There is no systematic and all-inclusive privacy law regulating all private parties in other countries. In the US, for example, there is a patchwork of state and federal laws, and most focused on specific industries, such as the Health Insurance Portability and Accountability Act (HIPAA) in healthcare and the Gramm-Leach-Bliley Act (GLBA) for entities in the financial sector.

Meanwhile, China's data protection laws focus on strong government control, public order, and national security. These laws include its 2017 Cybersecurity Law and its 2021 Data Security Law, and the upcoming Personal Information Protection Law. These include broad requirements on data localization and have an extraterritorial effect.

Asia has seen perhaps the greatest transformation in the area of data privacy in the last decade. Before 2020, only six countries had comprehensive data privacy laws. Between 2010 and 2020, 20 jurisdictions enacted new data privacy laws, and seven undertook amendments. Five of these have extraterritorial provisions, and while they all share similar data protection elements, all differ from one another and other regions in important ways.

Furthermore, even if GDPR compliance is equivalent to "gold-plating" your firm's system, a global firm will still need to check that its systems fit the idiosyncratic data protection requirements across 20 markets in Asia alone.

Regulatory fragmentation is more than just about costs to firms, however. It also matters because greater complexity and diversity across jurisdictions means that consumers are less likely to be well-protected. Moreover, less discussed is that fragmentation impedes governments' implementation and enforcement. By contrast, a consistent approach means inter-agency cooperation and information sharing between agencies is far easier to achieve.

The concept of agile governance is one solution to this fragmentation. Just this past December, Canada, Denmark, Italy, Japan, Singapore, the United Arab Emirates and the UK signed the first "Agile Nations" agreement to incorporate the principles of agile governance into their regulatory environment.

Agile governance promotes nimbler, more fluid and more adaptive approaches to governance. It draws inspiration from agile software development, embodied by the principles of The Agile Manifesto.

Agile governance does not prioritize regulatory design or implementation speed, as too much speed can threaten the inclusiveness of policy processes or outcomes.

Instead, the idea of agile governance suggests that more proactive, inclusive and iterative approaches to policy design can create rigorous systems that are more effective and representative than traditional processes, even within compressed time periods.

One central idea of agile governance is that policymaking should be outcome driven and evidence-based while recognizing that contexts and needs change throughout a policy project.

This approach requires ongoing collaboration between a wide range of stakeholders to ensure that knowledge flows into policies effectively and inclusively, which then enjoy greater legitimacy.

Agile governance also recognizes that the architectures and rules that guide our behaviour – particularly in the world of technology – extend far beyond the incentives, regulations and laws created in the public sector.

Business models, corporate policies, software, product design, and technological infrastructure can all influence user behavior and outcomes for citizens more so than public policy. As a result, new models of collaborative governance across sectors are required to meet the challenges and opportunities of the 21^st century.

The World Economic Forum has identified eight approaches and more than 100 examples of agile governance worldwide. Many governments are trialling policy labs, sandboxes and crowdsourcing efforts.

Other examples include novel forms of industry-led self-regulation, the concept of super regulators, setting shared ethical principles, new approaches to standards creation and enforcement, and the creation of collaborative governance ecosystems across jurisdictions.

Agile governance puts pressure on governments to innovate in engaging with a broader range of stakeholders. Most public sector institutions and agencies will require an investment in the skills and resources related to cross-sector collaboration and in approaches to knowledge management, systems thinking and design thinking.

However, there are three increasingly important constraints to agile governance, the first which is limited policy space. The legal, economic, and technological implications of living in a globalized world mean that not all policy options are fully available to sovereign states.

The second constraint is stakeholder engagement. In addition to privileging their interests, stakeholders often possess very divergent views about what policies are possible and how to weigh different trade-offs – but engaging them is costly.

Finally, the third constraint is trade-offs. All policy options come with trade-offs, which are very difficult to assess ahead of time and can be challenging to measure after the event.

Agile governance can help solve the growing fragmentation of technology regulation. However, we cannot reap the benefits of this new mode of governance and policymaking unless we continue to overcome the constraints that agile governance faces in real-world settings.