The concept of Data Free Flow with Trust (DFFT) aims at facilitating free flow of data between countries while simultaneously strengthening the trust of data subjects through robust data protection measures. How can data be exchanged securely and reliably on a global scale, without jeopardising the protection of privacy and personal data protection? We explore the idea behind DFFT and report the status of the actual implementation.
What is DFFT?
Data Free Flow with Trust is a framework created to promote the free flow of data between countries in compliance with strict data protection standards. This concept was first introduced by the Japanese government at the G20 summit in 2019 in Osaka and has attracted international attention.
The core objective of DFFT is to create the legal and technological conditions that enable secure and trustworthy transfers of data. DFFT is intended to remove obstacles arising from different data protection regulations across countries and create a standardised basis for international data transfers.
An effective and trustworthy free flow of data offers significant economic advantages. Unrestricted access to global data market enables companies to enhance efficiency and develop innovative products and services. At the same time, the protection of privacy strengthens the trust of data subjects, which in turn has a positive impact on the business environment.
Implementation of DFFT and progress to date
A key player in implementing DFFT is the OECD (Organisation for Economic Co-operation and Development), which has developed programmes to promote free and trustworthy flows of data, placing a significant emphasis on international norms and standards. The OECD positions itself as a bridge between different data protection standards and is working to formulate guidelines for cross-border data transfer based on generally recognised principles such as transparency, accountability and privacy protection.
In addition, the Global Privacy Assembly (GPA), an international association of data protection authorities, adopted important recommendations on DFFT at its annual conference in Jersey in 2024. These proposals are intended to serve as a basis for harmonising the legal frameworks and transfer instruments in the participating states. A major step forward in the implementation of DFFT is the harmonisation of data protection laws and practices at a global level.
Therefore, DFFT should not only protect individual rights, but also create a balance between the promotion of international data flows and national sovereignty. The currently existing different approaches to data protection around the world pose a challenge to the project. While the EU pursues a highly regulated data protection model (in particular through the GDPR), market-orientated and less restrictive regulations prevail in the U.S. China, on the other hand, uses data as an instrument of state control.
These varying models complicate the process of harmonisation. Thus, DFFT focuses on the interoperability of data protection regulations instead of their standardisation. This approach enables different national data protection laws and models to be aligned while still promoting the free flow of data.
Institutionalisation of DFFT
To ensure the sustainable implementation of this concept, a coordinating institution has been established to oversee the ongoing development of data protection standards. An international advisory body has been founded, formally recognised as the DFFT Expert Community within the OECD.
This group, consisting of government representatives and various interest groups such as companies, NGOs, and research organisations, supports the DFFT concept by collecting country-specific legal frameworks on how different states legally regulate government access to data. This documentation will create transparency to promote trust between countries an improve the interoperability of their data protection systems.
Working groups are established within the community for specific projects to develop focused perspectives and solutions, while also complementing the OECD’s ongoing efforts in data policy and data protection.
International co-operation for DFFT
The successful implementation of DFFT requires close cooperation between various stakeholders at international level. This includes governments, data protection authorities, companies and international organisations. The GPA plays a central role as a platform for exchanging best practices and developing common standards. In addition, bilateral and multilateral agreements between countries are required to harmonise the legal framework for data flows.
In May 2022, the G7 digital ministers also published a declaration on the action plan to promote DFFT. The action plan contains the following points:
Strengthening the basis for DFFT
The G7 states aim at gaining a deeper understanding of the opportunities and challenges of cross-border data flows. This includes a more in-depth analysis of existing regulatory approaches regarding data protection, information security and the protection of intellectual property rights. The impact of data localisation obligations on small and medium-sized enterprises will also be considered.
Promoting interoperability
Interoperability is to be facilitated by utilising common elements between existing regulatory approaches. This includes the analysis of standardised contractual clauses and technologies designed to strengthen trust. The G7 supports the OECD project to develop principles for trustworthy government access to personal data in the private sector.
Regulatory cooperation
The G7 promotes dialogue between policymakers and data protection authorities as well as exchanges on topics such as data protection technologies, data intermediaries, web tracking and the creation of international sandbox environments.
Promoting DFFT in digital trade
Building on the Digital Trade Principles from 2021, the G7 aims to support the DFFT approach in the context of digital trade, including through discussions at the WTO.
Knowledge exchange via international data spaces
The G7 promotes knowledge exchange via international data spaces, which act as a framework for trustworthy and voluntary data exchange between organisations and sectors, and are intended to support innovation in science, industry and the public sector.
Additionally, in 2023, the G7 digital ministers emphasised in their declaration the need for an institution to operationalise DFFT as a cooperation platform. Thus, the G7 has established an institutional partnership framework (IAP). It is intended to enable cooperation between governments and stakeholders, ensuring the advancement of the DFFT approach across sectors.
Japan has solidified the concept and aims to foster its progress and advance it through institutional structures, such as framework agreements in trade and regulatory cooperation. The DFFT plan is already being incorporated into trade agreements such as the US-Japan Digital Trade Agreement (USJDTA) and the Japan-UK Comprehensive Economic Partnership Agreement (Japan-UK EPA).
In 2024, the G7 data protection authorities (DPAs) made important new decisions on the further development of DFFT in their declaration. The focus is on a comparative analysis of transfer instruments such as certifications in accordance with the EU General Data Protection Regulation (GDPR) and the Global Cross-Border Privacy Rules (CBPR) system, which identifies similarities such as lawfulness, purpose limitation, data security and transparency as well as differences in legal basis, enforceability and government access to data. This analysis serves as a basis for identifying elements for interoperable transfer mechanisms and for promoting global convergence.
In addition, the G7 DPAs have intensified their support for international cooperation, in particular through dialogue with the DFFT Expert Community at the OECD, the GPA and other regional networks mentioned above. A key focus is placed on the harmonisation of data protection standards, including the promotion and further development of standard contractual clauses, which are considered the most important tool for cross-border data transfers worldwide.
The G7 action plans seem to present a promising approach to facilitating international flows of data. However, the path from theory to practice remains challenging. It is still questionable whether the measures are sufficient to establish actual global standards. Implementation is proceeding at different speeds, leaving the global digital space fragmented. The reason for this are, as already mentioned, different data protection models.
Conclusion
While progress has been made in terms of concrete changes, structural adjustments and the establishment of uniform standards still require more time. The DFFT plan is currently in the implementation phase, and many measures are expected to take full effect in the coming years. However, Japan and the G7 aim to establish DFFT in practice through concrete initiatives and at the same time address technological challenges such as the safe use of AI.
The DFFT concept represents a significant step towards a global data space. By promoting the free flow of data while simultaneously enhancing data protection, DFFT lays the foundation for a globally competitive and responsibly governed digital economy.
