This report derives largely from an earlier online seminar organised by Oxford Global Society [recording]. It was put together by Dr Mansi Kedia, drawing on other authors’ contributions.
About the authors:
Dr. Mansi Kedia: Senior Fellow at the Indian Council for Research on International Economic Relations, India
Prof. Mira Burri: Professor of International Economic and Internet Law, University of Lucerne, Switzerland
Dr. Yik Chan Chin: Associate Professor at Beijing Normal University, China
Prof. Susan Ariel Aaronson: Research Professor and the Director of the Digital Trade and Data Governance Hub at George Washington University, USA
The increasing digitisation of the economy and the emergence of global e-commerce have focused attention on the rules governing the cross-border flow of data. Currently, the rules for cross-border data sharing in different jurisdictions reflect a balancing of various rights, interest, and wider policy considerations (such as privacy, security and economic integration). Different approaches to cross-border data flows raises questions for international trade agreements. Can (or should) any form of international cooperation on cross-border data sharing rules emerge through bilateral or regional trade agreements or is it possible for a multilateral and uniform international agreement on cross-border data flows?
The fragmented global landscape
The transactions of cross-border e-commerce are estimated to exceed USD 2 trillion in 2023. While goods and services trade is increasingly dependent on the ability of businesses to collect, process and store data, there is no consensus on data governance. The global landscape is fragmented with countries and regions adopting different frameworks to regulate the flow of data. Countries struggle to find common ground on data protection and data flows; with limited success in multilateral negotiations, simpler practical approaches are being explored. The ongoing e-commerce negotiations at the World Trade Organisation (WTO) highlight the importance of free flow of data as a facilitator of digital trade and discuss the location of computing facilities, especially with respect to the financial services sector. Since the Japanese presidency in 2019, the G20 member countries are also discussing elements of convergence between different regulatory approaches that will enable data free flow with trust. These multilateral initiatives are complemented by private sector frameworks including projects such as Gaia-X, data sharing platform developed for the cloud services sector, and Japan’s Green x Digital consortium working on carbon neutrality.
A Variety of Governing Mechanisms
Data governance involves issues of security and privacy that are guided by national interest and priorities. Countries have developed a range of unilateral policies and regulations to govern the flow of data that result in barriers for moving data across borders. Almost 75 percent countries in the world are said to have implemented some level of data localisation regulations which fall into the category of complete localisation, mirroring, consent-based transfer and standards-based transfer.
The EU and the US
The European Union (EU) can be defined as a relatively late mover in the landscape of digital trade rule-making and for a long time had not developed a distinct strategy, in contrast in particular to the United States (US) that had a well set-out plan starting with its 2001 ‘Digital Agenda’. Although EU’s free trade agreements (FTAs) did include provisions on electronic commerce, such as the 2002 agreement with Chile, the language was cautious, with commitments not exceeding the levels of the General Agreement on Trade in Services (GATS) and a number of soft cooperation pledges in the fields of information technology, information society and telecommunications. The 2016 EU agreement with Canada – the Comprehensive Economic and Trade Agreement (CETA) went a step further. The CETA provisions include commitments ensuring (a) clarity, transparency and predictability in their domestic regulatory frameworks; (b) interoperability, innovation and competition in facilitating electronic commerce; as well as (c) facilitating the use of electronic commerce by small and medium sized enterprises.
It is only very recently that the EU took up a more modern approach towards the regulation of digital trade. Some indications for this turn were given by the 2018 EU–Japan Economic Partnership Agreement (EPA) and the modernization of the trade part of the EU–Mexico Global Agreement, where for the first-time data flows were mentioned but still cautiously, as the Parties only committed to ‘reassess’ within three years of the entry into force of the agreement. The new EU approach towards the issue of cross-border data is now fully endorsed in the EU’s currently negotiated deals with Australia and Tunisia, and the 2022 agreement with New Zealand. These FTAs’ digital trade chapters include norms on the free flow of data and data localization bans. This repositioning and newer commitments are however also linked with high levels of data protection.
The EU wishes to permit data flows only if coupled with the high standards of its General Data Protection Regulation (GDPR) and endorses a distinct model of privacy as a fundamental right. Beyond the topic of data flows and its interface with data protection, it should be noted that the rest of the EU digital trade template includes the issues covered by the US-led model under the Comprehensive and Progressive Agreement for Transpacific Partnership (CPTPP) and the United States-Mexico-Canada Agreement (USMCA). One can observe in this sense that the EU navigates in a unique way the economic benefits of an open data-driven economy and the safeguarding of its digital sovereignty. This model, while justified from the EU’s perspective and its wish to protect the rights of its citizens, is in contestation with the CPTPP/USMCA model, which has found diffusion in other FTAs, and may be a hindrance to finding common solutions with regard to cross-border data flows in a multilateral or plurilateral context.
China’s policy on cross border data flows is also trying to strike a balance between safeguarding national security and promoting international trade. The country’s Data Security Law defines seven categories of cross-border data flows and local storage requirements. The classification is based on the importance of data to economic and social development, assessment of risks and security, relevance to national security, public interest and legitimate rights of businesses and individuals. Additionally, the Personal Information Protection Law states the compliance conditions necessary for exporting personal data. Most data can be legally exported from China after meeting requirements of security assessments, security certifications, standard contracts, etc., provided in the law. However, sharing data with foreign authorities, including foreign judicial authorities needs government approval. The new Data Export Security Assessment Measures defines four categories of personal and important data that require prior assessment of risk. The assessment of legality, necessity of purpose, and method of data export is also in line with article 5 of China’s Personal Information Protection Law. For all practical purposes, data of Chinese businesses are ring-fenced within the country borders to meet legal requirements.
India’s position on the governance of cross-border data flows is peppered with strong preferences for digital sovereignty and gaining control over citizen data. These choices reflect well in India abstaining from signing the G20 Osaka Track Agreement on Data Free Flow with Trust as well as opposing the WTO’s Joint Statement Initiative. Additionally, in its bilateral agreement with trade partners, clauses on data flows are either not negotiated or drafted in language that does not force action. Of the 62 countries, that have a total of 144 data localisation regulations, India has the second highest number of restrictions (behind China). The reasons are clear – India does not want to lose an opportunity to create its own digital champions. According to the latest data available, 8 out of the top 10 websites in India (in terms of traffic), are foreign companies that process and store data outside India. Placing data localisation restrictions can become one way to slow down the rapid colonolisation of the domestic digital economy. Secondly, from a security perspective, the absence of efficient mechanisms for data sharing on criminal activities create challenges for law enforcement agencies to collect evidence that is currently residing in other jurisdictions. As of 2021, there were 845 pending requests from India with various countries under the Mutual Legal Assistance Treaty (MLAT) and other requests raised with foreign courts.
However, these motivations are countered by equally strong evidence on the negative impact of data localisation measures on the economy. A study by ICRIER, estimated that a 10 percent increase in international internet bandwidth (a proxy for international data and traffic flows), can lead to a USD 6.97 billion increase in India’s trade. Qualitative evidence from industry survey finds that localisation measures can significantly increase costs for globally integrated communications and financial services firms. Business respondents also highlighted the increased risk of storing data in a single location. This is not the only source of evidence. According to a study by Hinrich Foundation, digital trade generated $35 billion for India in 2019. This is estimated to increase to $512 billion by 2030.
India as visible in the latest draft of the Digital Privacy and Data Protection Bill (DPDPB 2022) has proposed the whitelisting of countries for permitting cross-border data flow, an in-between approach that balances risks of and opportunities for an emerging economy’s burgeoning digital ecosystem. However, India has not adopted the Budapest Convention, an international framework for harmonisation of laws and investigative techniques, instead it made a proposal to the UN Ad-hoc Committee working on international cybercrime to support the idea of a broader jurisdiction over citizen data immaterial of where the data is stored, processed or screened. This is an alternate to the broken MLAT and measures of hard localisation. In the future India may also carve out a second-best regime that is incrementally navigated through bilateral negotiations in trade agreements before jumping into broader international agreements that may be dominated by preferences of the data owned private ecosystem of the US, a privacy respecting data flow regime of the EU and the informational security lens of China and Russia.
Where do we go from here?
Rules for cross-border data flow respond to multiple, often competing objectives of national and citizen security, digital sovereignty, trade and economic growth. However, the recent rise in data localisation measures highlight the demand for technological sovereignty, especially among developing countries. In the foreseeable future localised data governance arrangements are likely to prevail, on account of the calculated self -interest of all countries that could include the spectrum of political, social and economic reasons. There is a need for policy space, especially among developing countries that have newer data governance institutions and a growing digital economy for which data is an important resource. Accordingly, progress at multilateral institutions is slow. Infact, using trade deals to negotiate data flows is being perceived as the big tech and governments attempting to increase their control over data. Trade rules don’t recognise the dual nature of data – commercial asset as well as a public good, and hence gloss over important considerations of technology capacity building, innovation asymmetries and its impact on global competition and innovation. Many countries are preferring to adopt the bilateral or regional route where the risks of opening up are limited or simple private sector driven protocols and agreements that enable businesses to engage in digital trade.
There is no denying that data flows generate economic value by enabling innovation, facilitating trade (especially services trade), strengthening MSMEs, boosting entrepreneurship and employment. This will apply to many sectors of the economy including financial services, energy, education and agriculture which are directly linked to sustainable development. Using the foundations of the existing bilateral and multilateral efforts it is recommended that the global architecture be based on a comprehensive rights-based approach that includes civil, political, social and economic rights of development. A group of civil society organisation in their appeal to the G20 on the topic of Data Free Flow with Trust suggested that:
Cross-border data flows are based on social and economic justice, and observe principles like fairness and justice, transparency, lawfulness, and reciprocity in relation to data-related benefits. We need to develop a just global digital and data governance framework with an independent, representative multilateral mechanism.
Until then, we trust the theory of the second-best, a patchy ecosystem of policies and regulations that is fuelling digital trade, albeit below potential.
 Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), OJ 2016 L 119/1.
 See e.g. above note 1; also M. Burri, ‘Interfacing Privacy and Trade’, Case Western Journal of International Law 53 (2021), 35–88; A. Chander and P.M. Schwartz, ‘Privacy and/or Trade’, University of Chicago Law Review 90:1, available at https://lawreview.uchicago.edu/print-archive/privacy-andor-trade