Background

The Digital Trade and Data Governance Hub seeks to better understand what nations are doing to govern data and help others assess the principles, policies, standards, laws, regulations, and agreements designed to control, manage, share, protect, and extract value from various types of data. For many governments, governing various types of data has become an essential, albeit challenging, task, requiring new strategies, structures, policies, and processes. Moreover, data governance is fluid, reflecting societal and technological challenges as well as the will, understanding, and expertise of both policymakers and the broader public.

In 2021 the Hub designed a new evidence-based metric to characterize a comprehensive approach to data governance at both the national and international levels. We divided data governance into six attributes (the dimensions in which nations act as they govern data) and subdivided these six into 26 indicators specific evidence of action. We then used the metric to assess 51 countries plus the European Union. We selected nations from different regions of the world, varied levels of digital prowess, and different levels of income. After examining evidence for each indicator, we graded each nation on its performance. The map below indicates total scores for each of the 51 nations and the European Union.

Global data governance map

* We define comprehensive data governance as a systemic and flexible approach to governing different types of data use and re-use. We believe that policymakers are constantly working towards an approach that can simultaneously empower individuals, groups, and firms; protect individuals from harm; meet changing societal and technological conditions; and plan for and grapple with the side effects of data-driven change.

 

* We encourage readers to compare countries, but we do not intend the scoring to be used as a ranking of data governance quality or effectiveness.


* Colors represent countries' overall score on the DataGovHub Metric.

Not Included
0 -20
20.01 - 40
40.01 - 60
60.01 - 80
80.01 - 100
Six Attributes of

Data Governance

The government plans for the different contexts of data use and re-use. 
The government constructs a legal regime around data’s types and/or uses.
The government thinks about the ethical, trust, and human rights implications of data use and re-use.
The government alters institutional structures in response to data-driven transformation.
The government informs its constituents about its activities and asks for public comment, with the intention of incorporating their feedback.
 
The government joins with other first-movers in shared international efforts to establish data governance rules and norms.

What Our Data Reveals

Swipe Across for More

All of our case studies are governing data, but many high and middle-income nations have made significant progress in data governance. Chart 1 shows that some countries, like the United Kingdom and Germany, perform well across all attributes. At the same time, nations such as Iran, Ethiopia, and Bangladesh are just beginning to adopt data governance policies, processes, and structural changes. Moreover, the 16 highest-scoring countries are all high-income countries with the prominent exception of Brazil (see Table 1). Most of the high-performing countries are located in Europe.

AttributeIndicators
(1)
StrategicLearn more about Strategic Indicator
1(a)
Data StrategyLearn more about Strategic Indicator
1(b)
Public Administration Data StrategyLearn more about Strategic Indicator
1(c)
Federal Guidelines for Private Sector Data SharingLearn more about Strategic Indicator
1(d)
AI StrategyLearn more about Strategic Indicator
(2)
RegulatoryLearn more about Regulatory Indicator
(2a)
Personal Data Protection LawLearn more about Regulatory Indicator
(2b)
Open data law for the proactive release of government information by defaultLearn more about Regulatory Indicator
(2c)
Freedom of Information ActLearn more about Regulatory Indicator
(2d)
Right to be Protected from Automated Decision-MakingLearn more about Regulatory Indicator
(2e)
Right of Data PortabilityLearn more about Regulatory Indicator
(3)
ResponsibleLearn more about Responsible Indicator
(3a)
Data CharterLearn more about Responsible Indicator
(3b)
Public Sector Data Ethics FrameworkLearn more about Responsible Indicator
(3c)
AI Ethics FrameworkLearn more about Responsible Indicator
(3d)
Trust Framework for Digital Identity ManagementLearn more about Responsible Indicator
(4)
StructuralLearn more about Structural Indicator
(4a)
Personal Data Protection BodyLearn more about Structural Indicator
(4b)
Open Data PortalLearn more about Structural Indicator
(4c)
Open Data BodyLearn more about Structural Indicator
(4d)
Public Sector Data Governance BodyLearn more about Structural Indicator
(4e)
International Data Affairs BodyLearn more about Structural Indicator
(5)
ParticipatoryLearn more about Participatory Indicator
(5a)
Public Consultation on Personal DataLearn more about Participatory Indicator
(5b)
Public Consultation on Public DataLearn more about Participatory Indicator
(5c)
Expert Advisory Body on Data EthicsLearn more about Participatory Indicator
(5d)
Expert Advisory Body on Data-Driven Technical Change and its Impact on SocietyLearn more about Participatory Indicator
(6)
InternationalLearn more about International Indicator
(6a)
Convention 108+Learn more about International Indicator
(6b)
Open Government PartnershipLearn more about International Indicator
(6c)
OECD AI PrinciplesLearn more about International Indicator
(6d)
Binding Trade Agreements on Cross-Border Data FlowsLearn more about International Indicator

Table 3 reveals three areas of convergence based on the prevalence of several indicators. First, more than 84% of the 52 nations studied have adopted Freedom of Information Acts and Open Data Portals. Our analysis here is not surprising; citizens have long pressed for access to information and open public data. Second, most nations (some 70%) have adopted personal data protection structures and regulations. Third, many governments have adopted AI strategies, reflecting the import of AI to the data-driven economy as well as public concerns about its use for decision-making.

IndicatorAttributePercent of Countries with This Indicator
Freedom of Information ActLearn more about Strategic IndicatorRegulatoryLearn more about Strategic Indicator92%
Open Data PortalLearn more about Regulatory IndicatorStructuralLearn more about Regulatory Indicator84%Learn more about Regulatory Indicator
AI StrategyLearn more about Responsible IndicatorStrategicLearn more about Responsible Indicator71%
Data Protection BodyLearn more about Structural IndicatorStructuralLearn more about Structural Indicator71%Learn more about Structural Indicator
Public Consultation on Personal DataLearn more about Participatory IndicatorParticipatoryLearn more about Participatory Indicator69%
Personal Data Protection LawLearn more about International IndicatorRegulatoryLearn more about International Indicator69%

Although most of our countries have laws governing public and private sector use of personal data (37 out of 52), these laws vary in scope. For example, China and Malaysia have passed data protection laws that limit the private sectors’ use of personal data but these laws do not cover the government’s use of personal data. India is debating similar exceptions for the government. While the U.S. does not have one comprehensive federal law protecting private use of personal data, it has laws governing public sector use of personal data.

We found evidence that policymakers are adopting novel and innovative approaches to emerging challenges such as how to encourage trustworthy data-sharing. We also found that we must frequently update what countries are doing to keep pace with new developments. For example, while we were writing this report, Saudi Arabia approved a new data protection law. 

Nations are doing more to Regulate and Adapt Governance Structures than to Develop Participatory and Responsible Approaches. As Chart 2 shows, we found more evidence that our 52 nations are taking action in the attributes of structure and regulation than in those of participation and responsibility.

We found considerable evidence that governments ask for comments from their constituents on data governance strategies, processes, and structures. But we were unable to measure if citizens actually commented and if those citizens truly reflect a diversity of views within the country. Moreover, we could not ascertain the extent to which governments 'heard’ these comments and make changes in response. However, because so much human activity has moved online, data governance has become an essential governance responsibility.  Hence, we believe that policymakers must make major efforts to educate and involve their citizens in data governance.

What Our Data Reveals

Strategic
Regulatory
Responsible
Structural
Participatory
International

We Found

Data governance is a work in progress for every one of our case studies. Almost every case study nation has put in place laws, regulations, and/or executive orders to govern all three types of data.

No nation seems close to comprehensive data governance, which we define as a systemic and flexible approach to govern different types of data use and reuse. Such a system regulates government as well as private sector use of personal and proprietary data and empowers users.

Significant convergence on personal data protection laws: Fifty one (or 98%) of our case study countries had a personal data protection law; only the UAE did not. Moreover, 64 percent of our cases had adopted a comprehensive approach to personal data protection, which we defined as covering private and government use of data, informed consent, an agency to enforce the law and rules governing 3rd party transfer or sale of personal data.

However, higher income countries did not have the mostcomprehensive approaches to personal data protection. Several high income countriessuch as Taiwan and New Zealand do not mandate informing data subjects when their data is transferred or sold to a third party. We also find that many of the mechanisms used in personal data protection that were popularized by the EU are now being put into law in other parts of the world.

Major convergence on public data governance: Over 80 percent of our case studies had an open data law, meaning that in general data collected, utilized, analyzed, and funded by the case study government was made open for its citizens and others to utilize. However, many nations, including low income developing countries, are still figuring out how to govern public data and make it useful to their constituents, whether for research or business purposes. Consequently, 48 percent do not mandate such data be provided in a machine readable format which makes it easier to use and reuse.

Some convergence on proprietary data governance: 76 percent of our cases had enacted a trade secrets law and 80 percent of our cases participated in an international trade agreement with trade secrets provisions. However, we found some evidence that governments were pushing back against firm control of data use and reuse. For instance, 47 percent of nations with a trade secret law did not give firms using data analytics explicit control over data they analyzed using a mechanism protected under trade secrets, while 52.9 percent of nations did give these firms such control.

Significant convergence on data governance in trade agreements: 77 percent of our cases participated in a trade agreement with provisions encouraging electronic authentication and e-signatures; 71.2 percent participated in an agreement with aspirational language to encourage interoperability of privacy regimes; and 78.8 percent with aspirational language on cyber-security.