A Open Data Initiatives

The open data movement has been quite successful in convincing governments that making governmental data publicly accessible under open data licenses is in their best interest to stimulate the domestic (or even local) AI economy. Examples include the EU’s Open Data DirectiveFootnote ¹⁹ and Singapore’s ‘Smart Nation’ initiative,Footnote ²⁰ but the open data bandwagon also carries several developing countries.Footnote ²¹ There are many reasons for and drivers behind the push for open data, one of which is the purported value for innovation and economic growth.Footnote ²² AI development is often referenced as a use case for open data: the remarkable improvements in algorithmic image recognition technology, now widely deployed for facial recognition purposes, have been linked to the ImageNet dataset providing free and publicly available access to image data.Footnote ²³

It is, however, much less clear who actually benefits from ‘public’ data becoming available as ‘open’ data. Open data might be beneficial for a wide range of reasons,Footnote ²⁴ but it is not an effective way to counterbalance the pervasive data control asymmetries in the global digital economy. To the contrary, one might suspect that those with the capacity to collect open data and to correlate it with the ‘closed data’ under their (often infrastructural) control stand to gain more than those who lack such capabilities and have to rely on open data entirely. This also has geopolitical implications as those operating out of relatively closed digital economies – such as China – are able to capture open data elsewhere in addition to the data they collect domestically without much external competition.Footnote ²⁵

In certain cases, the local relevance of a certain dataset (for example, traffic data in Taipei) might indicate heightened relevance for a local community, which might incentivize local initiatives to use such local data for local development. But the frequency and salience of such a dynamic, while plausible, needs to be empirically established. It is equally possible that non-local actors will use local data to train algorithms for deployment locally, or indeed elsewhere. Opening up governmental data may benefit AI development, but the local or domestic development of an AI economy is highly contingent on other factors, such as research capacity, data processing ability, and so forth.

Against this backdrop, it is worth noting that the question of whether more privately held data should be made available to governments, businesses, or citizens seems comparatively underexplored.Footnote ²⁶ Private entities are willing to share certain datasets for research purposes, but the legal technology used for such data transfers is usually contracting, not open data licenses.Footnote ²⁷ Data contracting allows for more legal control over the conditions under which data is being shared, used, and distributed.Footnote ²⁸ If governments wanted to make private data available, they could facilitate private–public data sharing by providing more legal certainty (for example, through model contracts, especially with a view toward mitigating liability risks) or by requiring the openness of data generated with public support (analogous to open access publishing requirements),Footnote ²⁹ if not requiring mandatory data sharing outright, as explored further below.Footnote ³⁰

B Data Transfer Restrictions

Several jurisdictions impose data transfer restrictions to secure jurisdictional control over certain categories of data.Footnote ³¹ The EU’s General Data Protection Regulation (GDPR)Footnote ³² is routinely accused by US actors as a ‘protectionist’ instrument, designed to favor the European digital economy, albeit with questionable results.Footnote ³³ This critique often alleges that the GDPR’s intended purpose of protecting European data subjects’ personal data and privacy and its underlying fundamental rights justification are false pretenses for protectionist digital industrial policy.Footnote ³⁴ Drawing a contrast between data protection and data protectionism tacitly assumes that the economic theories in support of trade in goods and services also apply to data, despite its different and arguably unique characteristics.Footnote ³⁵ The relationship between data protection and privacy on the one hand and data-driven innovation and economic growth on the other is more complicated than the protection/protectionism binary suggests.Footnote ³⁶ The GDPR’s predecessor – the European Data Protection Directive (DPD) – was in part motivated by concerns that disparate data protection regimes across the European single market would stymie the nascent European Internet economy.Footnote ³⁷ Much less attention was paid, however, to the question of how European data protection law would affect the conditions under which the European digital economy operates in comparison to the rest of the world. The DPD’s restriction on transfers of personal data from the EU to third countries was not designed as an instrument of economic policy but was meant to ensure that personal data would remain protected even if transferred outside the EU’s territory.Footnote ³⁸ These features contributed to the ‘Brussels Effect’ and the global diffusion of EU-style data protection through law.Footnote ³⁹ The EU’s new data strategy, announced with great fanfare in February 2020, conceives of data as an economic resource and seeks to reframe the GDPR as sound economic policy domestically (ensuring consumer trust in the digital economy) and globally (supposedly giving the European digital economy a competitive edge because of the EU’s role as global data regulator), without mentioning the restriction on extra-EU transfers of personal data explicitly.Footnote ⁴⁰

In contrast, India has come forward with a draft ‘e-commerce policy’ that openly advocates for data transfer restrictions for reasons of economic policy rather than data protection concerns, whether genuine or not. The policy document – which, of course, still needs to be converted into operational law – laments the absence of a legal framework that would allow the Indian government to impose restrictions on the export of valuable data:

This is a remarkable departure from a key tenet of the Silicon Valley Consensus according to which the uninhibited “free flow” of data is the best way to develop a digital economy. Whatever one’s initial view of this policy proposal, it deserves careful legal and economic analysis, because it asks important and underexplored questions: if data is the key resource of the digital economy, especially for AI development, how to facilitate optimal allocation of this resource? Who captures its value? And how can those who do not immediately benefit from the digital transformation be supported, and by whom?

The Indian proposal assumes a strong role for the government in mediating the transition of India toward a digital economy, but this is by no means the only institutional solution imaginable. Moreover, in light of India’s proposal to limit the transfer of data from India to ensure access to data for the domestic AI economy, one may wonder whether it might be more beneficial to incentivize the transfer of relevant data to India. Such ideas challenge the Silicon Valley Consensus, which holds that optimal data allocation is to be achieved through market mechanisms only – despite the digital economy’s pervasive data control asymmetries and resulting market failures.Footnote ⁴²

C Mandatory Data Sharing

Digitalization changes the conditions under which capitalism operates.Footnote ⁴³ Companies with superior data collection capacities benefit as they exploit the resulting information asymmetries.Footnote ⁴⁴ E-commerce platforms may be able to leverage their intermediary position to gather information about commercial transactions on either side of the two-sided market they facilitate. Relying on predictive algorithms, they may be able to engineer demand through targeted advertising. The price to be paid may no longer be uniform – determined by aggregate supply and demand – but is ‘personalized’ (i.e., discriminatory).Footnote ⁴⁵ Legally mandated data sharing has been proposed as a policy intervention to counterbalance the digital economy’s tendency to create winner-takes-all dynamics and to ensure a competitive environment conducive to innovation.Footnote ⁴⁶ But alternative justifications for mandatory data sharing are plausible, including data redistribution.

The EU and Australia are among the jurisdictions that have experimented with certain forms of mandatory data sharing. The EU’s GDPR contains a right to data portability that requires data controllers to transmit personal data in a structured, commonly used, and machine-readable format to another data controller, at the request of the data subject.Footnote ⁴⁷ The provision is supposed to enhance data protection by creating a more competitive environment (on the assumption that consumers will gravitate toward firms with higher data protection standards), but its impact has been muted.Footnote ⁴⁸ In contrast, Australia’s Consumer Data Right (CDR) bill was not primarily designed as a data protection law. It provides for the sharing of consumption data with consumers and accredited third parties, subject to data privacy safeguards, in certain sectors.Footnote ⁴⁹

The discussion around mandatory data sharing is most advanced in the banking sector. The EU’s second payment services directive requires banks to share consumers’ payment account data with third-party providers (under the condition that the consumers explicitly consented to such transfers).Footnote ⁵⁰ The goal is to advance competition between traditional banks and newly emerging financial services providers, some of which rely heavily on algorithmic analysis of financial data. Banks seem to have acquiesced to these new regulatory demands by creating dedicated data transfer infrastructures in the form of web-based application programming interfaces (APIs).Footnote ⁵¹ Automotive vehicle data is another data category that is increasingly subject to mandatory data-sharing requirements. In some jurisdictions, car manufacturers must make vehicle data available to independent repair shops.Footnote ⁵² The EU’s European data strategy contemplates further interventions in a variety of sectors, including agricultural, industrial, and health data, where other arrangements prove insufficient to facilitate data sharing.Footnote ⁵³ The salience of data for AI development seems likely to spur further such initiatives elsewhere. As the next section explores, data holders will seek to mobilize existing and emerging commitments under IEL to oppose mandatory data sharing and data mobility restrictions.

A Regulation of Data Mobility

Several disciplines in international trade law regulate data mobility in favor of cross-border transfers of data, at the expense of nation states’ ability to restrict such transfers or to require the location of computing facilities (such as routers, servers, or data centers) within their territory. While established disciplines under the rules for trade in goods and trade in services in general, and telecommunication services in particular, only apply to certain categories of data, the new disciplines in “e-commerce” and “digital trade” chapters of agreements like CPTPP or USMCA apply to ‘information’, including personal information, generally.Footnote ⁵⁷ Under the ‘digital trade’ framing, certain cross-border transfers of data can be conceptualized as trade in digital goods or as trade in digital services. To accommodate nonphysical goods, dedicated provisions address ‘digital products’Footnote ⁵⁸ that enjoy protections from discriminatory treatment.Footnote ⁵⁹ However, data that is not produced for commercial sale or distribution but that is generated or assembled for machine learning purposes apparently escapes the digital product category. Similarly, if data is used to train algorithms that provide services (for example, financial services based on algorithms trained with financial market data), only the services, but not the data used to provide the services, enjoy the protections under the General Agreement on Trade in Services (GATS) and the equivalent provisions in free trade agreements. GATS commitments apply if data is an end (data as a service) and not just a means to an end, and only if the WTO member in question has made specific commitments toward services liberalization in its schedule. Relevant categories in this regard encompass data processing services, software programming services, and various kinds of telecommunication services.Footnote ⁶⁰

Under the contested principle of technology neutrality, established commitments for services – formerly provided in analog form but now increasingly provided digitally – automatically acquire the same liberalization status as their analog counterparts.Footnote ⁶¹ In this way, the gradual digitalization of services can lead to a gradual liberalization of services economies that registered relatively liberal commitments for analog services. Conversely, some digital services escape the WTO’s classification of services altogether, thereby creating new gaps within the system. It was, for example, unclear under which category Google’s core business – providing search services – could be subsumed before the revised classification included a dedicated category for ‘web search portal content’.Footnote ⁶²

If a WTO member has made specific commitments to allow for cross-border market access of digital foreign service providers, full-scale data transfer limitations that amount to a ‘total prohibition’ of the relevant service are principally illegal under Article XVI:2 (c) GATS (zero quotas).Footnote ⁶³ Data transfer limitations that fall short of a ‘total prohibition’, as is the case under both the EU and the proposed Indian model, are not affected by this prohibition. They would need to comply, however, with the general obligation to national (that is, nondiscriminatory) treatment contained in Article XVII GATS and the requirement to administer any such limitation in a reasonable, objective, and impartial manner under Article VI GATS. The former would not apply to a situation in which both domestic and foreign service suppliers would need to comply with the data transfer limitations in question. The latter may give rise to a violation if the GATS member can show that the EU, for instance, conducted its adequacy assessment in an unreasonable, subjective, or partial manner. In this way, the GATS metaregulates the regime for personal data transfers under the EU’s GDPR. While the EU is principally allowed to adopt and enforce measures to protect the privacy of individuals in relation to the processing and dissemination of personal data and the protection of confidentiality of individual records and accounts, it must not do so in a manner that would constitute an arbitrary or unjustifiable discrimination between comparable countries or a disguised restriction on trade in services.Footnote ⁶⁴ In contrast, no such general exception exists for the Indian proposal to limit the transfer of Indian data for overtly protectionist purposes. This is likely inconsequential, because India made only minimal commitments toward services liberalization, but nevertheless paradigmatic for international trade law’s aversion against ‘protectionism’ that is being carried forward in the digital domain.

Contrast the multilateral rules for trade in services under GATS – which are contingent on services classification, dependent on specific commitments by states, and not tailored toward questions of data mobility – with the newly created rules in agreements such as CPTPP, USMCA, and USJDTA that are specifically designed to protect data mobility against transnational data transfer restrictions.

These rules contain commitments to refrain from prohibiting or restricting the cross-border transfer of information, unless such measures are necessary to achieve a public policy objective and are not arbitrary, unjustifiably discriminatory, a trade restriction in disguise, or more restrictive than necessary.Footnote ⁶⁵ The last clause, the trade law version of a necessity test, in particular, is reason enough for the EU to oppose these kinds of provisions in plurilateral (as in the case of the failed Trade in Services Agreement (TISA)) and bilateral negotiations (as in the case of the cratered EU-US Transatlantic Trade and Investment Partnership (TTIP)). While data and privacy protection are universally recognized as legitimate public policy objectives, at least in principle, views about what is necessary to achieve these objectives differ considerably. Accordingly, the EU carves out its data protection regime, including the data transfer restrictions, from external scrutiny in its trade agreements.Footnote ⁶⁶

The model inaugurated in TPP and subsequently used in USMCA and USJDTA also created a dedicated rule on a certain form of data localization that requires foreign businesses to use or locate computing facilities within a treaty party’s territory as a condition for conducting business in that territory.Footnote ⁶⁷ In contrast to the TPP, which allowed for the possibility to justify such measures in principle under the same conditions as applicable to cross-border data transfer restrictions, the USMCA and USJDTA do not preserve this option.Footnote ⁶⁸ They also ‘fix’ the ‘gap’ that the TPP had created for financial data at the insistence of US financial regulators and to the disappointment of US financial services providers. While still treating financial services data differently from other information, the USA, Mexico, Canada, and Japan, respectively, agreed to refrain from mandating the use of domestic computing facilities requirements for financial services, as long as their respective financial regulatory authorities have immediate, direct, complete, and ongoing access to information processed or stored on financial services computing facilities outside their territory.Footnote ⁶⁹ In this way, the USMCA and USJDTA preserve both the right of financial service providers to locate data territorially where they see fit and the right of regulators to access the data transnationally.

In sum, established rules in the multilateral trading system only protect certain kinds of data from certain kinds of restrictions. In this sense, factual data mobility – that is, the ability of data holders to decide where data resides and where it moves – exceeds the legal protection of data mobility under WTO law. For this reason, the USA and like-minded countries have been advocating for more stringent rules to preserve transnational data mobility as other countries have sought to impose data transfer restrictions.Footnote ⁷⁰ The design of these provisions, in particular their reliance on categories borrowed from international investment law conducive to regulatory arbitrage by way of strategic incorporation, means that countries that sign on to the US model effectively opt for an open digital economy favoring transnational data mobility vis-à-vis everyone. The EU, and other jurisdictions interested in a more differentiated regime, are hence prudent in refraining from such commitments.Footnote ⁷¹

B Regulation of Data Control

IEL regulates control over data mainly through commitments under international IP law and international investment law. International IP law – which shifted into the trade regime with the WTO’s agreement on ‘trade-related aspects of intellectual property rights’ (TRIPS) and has since become a staple of ‘free trade’ agreements – regulates control over data by requiring IP protection for certain categories of data. Recent US agreements have gone further by creating new rights to data exclusivity in their IP chapters and novel protections for algorithms in ‘digital trade’ chapters. Yet, the entrenchment of data control under international investment law might be even more far-reaching as it lends itself to protecting data as an asset (investment), which entitles data holders (investors) to certain guarantees enforceable against nation states by way of investor–state dispute settlement (ISDS). While ostensibly in favor of data mobility, IEL tends to entrench data control by protecting those who have data rather than those who need it or want it. The only exception are new commitments in recent agreements that encourage governments to make ‘their’ data available as ‘open data’.Footnote ⁷² This encourages a shift from governmental control over data toward ‘public’ access, which is, in reality, often mediated by private actors such as data brokers or cloud providers.Footnote ⁷³ No international agreement contemplates data sharing by private data holders, despite the regulatory trend toward compulsory data-sharing mechanisms in certain jurisdictions.

IEL’s regulation of data control is especially salient as the question of legal ownership over data remains unsettled in domestic law.Footnote ⁷⁴ The integration of international IP law into IEL has led to the gradual transformation of IP as a coordinative system of incentive governance into a commodity that can be ‘traded’ transnationally and an asset that enjoys investment protection.Footnote ⁷⁵ While the reconceptualization of established IP rights as investments might upset the balance found under TRIPS,Footnote ⁷⁶ the dynamic might be different for data where such a balance is yet to be found. Both common and civil law systems grapple with questions of whether and to what extent property rights in data should be recognized, newly established, or – where they exist – abolished. IEL may have a significant and potentially long-lasting influence on these debates. In this context, it is important to differentiate between legal rights of data ownership (property rights in data) and factual control over data. Data holders may exercise infrastructural control over data without commensurate property rights that a domestic court would recognize or enforce. Conversely, data transfer, storage, and processing infrastructures can be designed in ways that separate forms of legal or technological control over data. One example is cloud computing models in which the owner and operator of the physical and digital data infrastructure has no access to its consumer’s data.Footnote ⁷⁷ Another is ‘safe sharing sites’, which provide for differentiated access to data, while distinguishing between raw data and insights derived from them.Footnote ⁷⁸ Neither of these contractual arrangements hinges on the recognition of property rights in data.

However, legal ownership claims over data can be critical when de facto control over data is being challenged. When governmental regulators require the disclosure of information or when data-sharing requirements between businesses are being instituted, data controllers will claim ‘data ownership’ to guard their economic interests in data exploitation. Such claims under domestic law can be shaped and entrenched by commitments under IEL.

The TRIPS agreement sets a baseline for IP protection for certain categories of data, but such protection is not comprehensive and remains contested. Copyright, for example, only covers expressions (such as images, texts, videos) as data.Footnote ⁷⁹ Compilations of data can be protected if they constitute intellectual creations, but such protection does not extend to the data contained therein.Footnote ⁸⁰ Trade secrets might be able to fill some of these gaps. Technological shifts toward cloud computing and ML make it easier to satisfy the three-pronged test that Article 39.1 TRIPS stipulates. First, the secrecy of data can be achieved, for example, by keeping the data internal and by only allowing differentiated access. Second, the commercial value derived from secrecy may flow from competitive advantages in machine learning applications attributable to superior datasets. And third, secrecy can be maintained by way of technological safeguards such as encryption.Footnote ⁸¹ While the extent to which trade secrecy under TRIPS protects against data disclosure requirements transnationally has not yet been tested in dispute settlement proceedings,Footnote ⁸² companies rely routinely on trade secrecy to fight transparency domestically.Footnote ⁸³ In light of uncertainty about the level of protection of undisclosed test data provided by Article 39.3 TRIPS, the USA has been aggressively pushing for ‘data exclusivity’ provisions in recent agreements.Footnote ⁸⁴ While so far confined to regulatory approval for agricultural chemical and pharmaceutical products – where data exclusivity creates de facto exclusivity for the relevant product – these demands might be a precursor for future contests around data exclusivity in other contexts. Novel provisions protecting against source code disclosure that go beyond the traditional copyright protection for software are another pointer in the same direction.Footnote ⁸⁵

Meanwhile, international investment law’s bearing on data control has been largely overlooked, but this might just be the calm before the storm.Footnote ⁸⁶ The broad ‘investment’ definitions found in many agreements and the variety of approaches deployed by tribunals make it plausible that ‘data’ will soon be recognized as a protected asset under international investment law by at least some tribunals,Footnote ⁸⁷ thereby granting property-type protection under international law where such protection under domestic law remains uncertain.Footnote ⁸⁸ While the broad and relatively open-ended guarantee of fair and equitable treatment contained in many investment agreements can be leveraged against many forms of data regulation, the guarantees against indirect or even direct expropriation appear to be particularly apt to challenge the growing trend toward mandatory data sharing. To be sure, in the absence of ISDS jurisprudence, many open questions remain: does the recognition of data as an asset presuppose the recognition of IP-type rights in data (fostering convergence between international IP and investment law)?Footnote ⁸⁹ Is the collection of data making a contribution to the host state economy, as required under the Salini test?Footnote ⁹⁰ What kind of territorial nexus, if any, is required between a company’s data-related activities and the host state to enjoy investment protection?Footnote ⁹¹ Answers to these question will only emerge over time. The development of ISDS jurisprudence on data control questions is likely to depend on what kind of cases are being brought against whom and on what basis. The failed attempt to challenge Australia’s tobacco regulation may cause investors to tread more carefully when challenging the regulatory ambitions of developed countries (e.g., the EU’s data strategy).Footnote ⁹² Developing countries with industrial data policies that challenge the Silicon Valley Consensus are likely targets for ISDS-backed counter pressure.

A European Data Protection’s Regulation and Artificial Intelligence

The GDPR regulates the processing of personal data; that is, any information relating to a directly or indirectly identified or identifiable natural person (“data subjects”). This legislation deals with AI on many levels.Footnote ³⁹ First, it contains a very broad definition of “processing” as “any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means”.Footnote ⁴⁰

It also regulates the conditions under which “personal data”Footnote ⁴¹ can be collected, retained, processed and used by AI. The GDPR is built around the concept of lawful processing of data,Footnote ⁴² meaning that personal data cannot be processed without obtaining individual consent or without entering into a set of limited categories defined under the Regulation.Footnote ⁴³ That is a crucial difference between current American federal and state laws, which are based on the presumption that data processing is lawful unless it is explicitly prohibited by the authorities under specific legislation.Footnote ⁴⁴

Under the GDPR, processing of personal data is subject to the lawfulness, fairness and transparency principles.Footnote ⁴⁵ The Regulation also contains specific transparency requirements surrounding the use of automated decision-making, namely the obligation to inform about the existence of such decisions, and to provide meaningful information and explain its significance and the envisaged consequences of the processing to individuals.Footnote ⁴⁶ The right to obtain information also covers the rationale of the algorithms, therefore limiting their opacity.Footnote ⁴⁷ Individuals have the right to object to automated individual decision-making, including the use of data for marketing purposes.Footnote ⁴⁸ The data subject has the right to not be subject to a decision based solely on automated decision-making when it produces legal effects that can significantly affect individuals.Footnote ⁴⁹ Consent to the transfer of data is also carefully and strictly defined by the Regulation, which states that it should be given by a clear affirmative act from the natural person and establishes the principles of responsibility and liability of the controller and the processor for any processing of personal data.Footnote ⁵⁰ Stringent forms of consent are required under certain specific circumstances, such as automated decision-making, where explicit consent is needed.Footnote ⁵¹

Therefore, under the GDPR, a controller that will use data collected for profiling one of its clients and identifying its behavior (for instance, in the sector of insurance) must ensure that this type of processing relies on a lawful basis. Moreover, the controller must provide the data subject with information about the data collected. Finally, the data subject may object to the legitimacy of the profiling.

Another illustration of the interference between AI technologies and GDPR is the requirements and limitations imposed on the use of biometric dataFootnote ⁵² for remote identification, for instance through facial recognition. The GDPR prohibits the process of biometric data “for the purpose of uniquely identifying a natural person” unless the data subject has given explicit consent.Footnote ⁵³ Other limitations to this prohibition are exhaustively delineated, such as the “protection of the vital interests” of the data subject or other natural persons, or for reasons of “substantial public interest”. Most of those limited biometric identification purposes will have to be fulfilled according to a necessity and a proportionality test and are subject to judicial law review.Footnote ⁵⁴

B Transatlantic Regulatory Competition

Despite its limitations and imperfections, the GDPR remains as a piece of legislation that aims to rightfully balance fundamental rights considerations with technological, economic and policy considerations in accordance with European values and standards. In contrast, US law surrounding the data privacy legal framework does not rely on human rights but, rather, on consumer protection, where the individual is supposed to benefit from a bargain with the business in exchange for its personal information (the so-called transactional approach).Footnote ⁵⁵ Moreover, in contrast with Europe’s unified and largely centralized legislation, the American model for data protection has primarily been based on autoregulation and a sectoral regulation approach, at least until the 2018 adoption of the California Consumer Privacy Act (CCPA).Footnote ⁵⁶

This state legislation partially resembles the GDPR. First, the CCPA is the first data protection statute that is not narrowly sectoral.Footnote ⁵⁷ It defines “personal information” in a way that seems in practice equivalent to the GDPR’s personal data definition.Footnote ⁵⁸ Personal information is also partially relevant to AI (such as biometric data, geolocalization and Internet, or other electronic network information). It also includes a broad definition of processing, which can include automated decision-making.Footnote ⁵⁹ Echoing the GDPR’s transparency requirements, the CCPA provides a right of information, under which a consumer has the right to request that a business that collects consumers’ personal information disclose to that consumer the categories and specific pieces of personal information collected.Footnote ⁶⁰ This right of disclosure is particularly significant.Footnote ⁶¹ The CCPA also contains a right to opt out and deny the possibility for a business to use its personal information.Footnote ⁶²

Despite those similarities, important differences remain between the two statutes. Concretely, under the CCPA’s transactional approach, the right to opt out cannot be opposed if it is necessary to business or service providers to complete the transaction for which the personal information was collected or to enable solely internal uses that are reasonably aligned with the expectations of the consumer’s relationship with the business.Footnote ⁶³ Moreover, whereas the GDPR rests on the principle of the “lawful processing of data”,Footnote ⁶⁴ the CCPA does not require processing to be lawful, implying that data collection, use and disclosure is allowed unless it is explicitly forbidden. Whereas the GDPR requires some specific forms of consent related to sensitive data and limits individual automated decision-making, the CCPA “does nothing to enable individuals to refuse to give companies their data in the first place”.Footnote ⁶⁵ Another striking difference is related to the consumer’s right not to be discriminated against under the CCPA if he or she decides to exercise the right to seek information or the right to opt out. The effect of this nondiscrimination principle seems tenuous as, in those circumstances, a business is not prohibited from charging a consumer a different price or rate, or from providing a different level or quality of goods or services to the consumer.Footnote ⁶⁶ This is typically the result of a consumer protection-based approach, which in reality tolerates and admits discrimination (here, the price or the quality of the service provided), and a human rights-based approach that is much more reluctant to admit economic differentiations among individuals to whom those fundamental rights are addressed.

This brief comparison between the GDPR and the CCPA is not meant to suggest that one legislative model is intrinsically superior, more efficient, more legitimate or more progressive than the other. Both statutes merely translate ontological discrepancies between the European and American legal conceptions and policy choices. However, the conflict between those two models is inevitable when considering the current state of cross-border data flows. Not surprisingly, the question of extraterritoriality was crucial during the GDPR’s drafting.Footnote ⁶⁷ Even though the Regulation is based on the necessity of establishing a single digital market, under which data protection and fundamental EU rights are equally guaranteed, its extraterritorial effects are expressly recognized as the GDPR applies “in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not” and “to the processing of personal data subjects who are in the Union by a controller or processor not established in the Union”.Footnote ⁶⁸ The extraterritorial effects of the GDPR and, more broadly, of the EU’s legal framework are undeniable given the importance of the single EU market.Footnote ⁶⁹ Extraterritoriality should be understood as a kind of “effet utile” of the Regulation, as most of the data processors and controllers are currently located outside the EU’s territory. The EU’s effort would in practice be doomed if personal data protection were to be limited to the EU borders.Footnote ⁷⁰

The European legislator admits that flows of personal data to and from countries outside the EU are necessary for the expansion of international trade.Footnote ⁷¹ Yet, international data transfers must not undermine the level of data protection and are consequently subject to the Regulation’s provisions. Data transfer to third countries is expressly prohibited under the GDPR unless it is expressly authorized thanks to one of the legal bases established under the Regulation.Footnote ⁷² The European Commission may decide under the GDPR that a third country offers an adequate level of data protection and allow transfers of personal data to that third country without the need to obtain specific authorization.Footnote ⁷³ However, such a decision can also be revoked.Footnote ⁷⁴ In the absence of an adequacy decision, the transfer may be authorized when it is accompanied by “appropriate safeguards”, which can take the form of binding corporate rulesFootnote ⁷⁵ or a contract between the exporter and the importer of the data, containing standard protection clauses adopted by the European Commission.Footnote ⁷⁶ Even in the absence of an adequacy decision or appropriate safeguards, data transfer to third countries is allowed under the GDPR, in particular on the consent of the data subject, and if the transfer is necessary for the performance of a contract.Footnote ⁷⁷

Under the current regime, the EU Commission adopted a set of adequacy findings with select third countries, such as Japan, in February 2019.Footnote ⁷⁸ The European Commission also commenced adequacy negotiations with Latin American countries (Chile and Brazil) and Asiatic countries (Korea, India, Indonesia, Taiwan), as well as the European Eastern and Southern neighborhoods, and is actively promoting the creation of national instruments similar to the GDPR.Footnote ⁷⁹ Moreover, in July 2016, the European Commission found that the EU-US Privacy Shield ensures an adequate level of protection for personal data that has been transferred from the EU to organizations in the USA, demonstrating regard for, inter alia, safeguards surrounding access to the transferred data by the United States’ intelligence services.Footnote ⁸⁰ More than 5,300 companies have been certified by the US Department of Commerce in charge of monitoring compliance with a set of common data privacy principles under the Privacy Shield, which is annually and publicly reviewed by the Commission.Footnote ⁸¹ The Privacy Shield seemed to demonstrate that despite profound divergence between European and American approaches to data protection, there was still room for transatlantic cooperation and mutual recognition. However, in mid-July 2020, the European Court of Justice (ECJ) concluded that the Commission’s Privacy Shield decision was invalid as it disregarded European fundamental rights.Footnote ⁸² As the Court recalled, the Commission must only authorize the transfer of personal data to a third country if it provides “a level of protection of fundamental rights and freedoms essentially equivalent to that guaranteed within the European”.Footnote ⁸³ The ECJ found lacunae in judicial protections for European data subjects against several US intelligence programs.Footnote ⁸⁴

The question of data transfer between the EU and UK after Brexit is one of the many hot topics that should be dealt with in a future EU/UK trade agreement, and it is a perfect example of the problematic nature of the GDPR’s application to EU third countries with closed economic ties. The October 2019 political declaration setting out the framework for the future relationship between the two parties contains a specific paragraph on digital trade that addresses the question of data protection. It says that future provisions on digital trade “should … facilitate cross-border data flows and address unjustified data localisation requirements, noting that this facilitation will not affect the Parties’ personal data protection rules”.Footnote ⁸⁵ However, in June 2020, six months after Brexit, the Commission was still uncertain regarding a future UK adequacy assessment because of a lack of specific data protection commitment in the UK. Moreover, the British government indicated that it wanted to develop a separate and independent data protection policy.Footnote ⁸⁶ One of the EU’s main concerns is that through bilateral agreements concluded between the UK and the USA, data belonging to EU citizens could be “siphoned off” to the United States.Footnote ⁸⁷

The issue of compatibility between European privacy rules and the Chinese legal framework is also a growing matter of concern for Europeans. China applies much stricter data border control on the grounds of national security interests. For instance, the 2017 Chinese law on cybersecurity provides that companies dealing with critical infrastructures of information, such as communications services, transport, water, finances, public services energy and others, have an obligation to store their data in the Chinese territory. Such a broad definition can potentially affect all companies, depending on the will of Chinese authorities, who also have broad access to personal information content on the grounds of national security.Footnote ⁸⁸ However, Chinese attitudes regarding privacy protection are not monolithic. According to Samm Sacks, “[t]here is a tug of war within China between those advocating for greater data privacy protections and those pushing for the development of fields like AI and big data, with no accompanying limits on how data is used”. This expert even describes a growing convergence between the European and Chinese approaches in data protection regimes, leading the USA to be more isolated and American companies to be more reactive.Footnote ⁸⁹ However, based on the model of the recent conflict between European data privacy rules and US tech companies’ practices, emerging cases that shed new light on data protection regulatory divergence between China and the EU are inevitable.Footnote ⁹⁰

Fragmentation and market barriers are emerging around requirements for privacy and data flows across borders. Can this fragmentation be limited through international trade law? What is the EU’s position on international data flows and data protection in the context of its trade policy? Can and should European trade agreements become an efficient way to promote the GDPR’s privacy approach?

A A Limited Multilateral Framework

Despite recent developments, digital trade rules currently remain limited, both at the multilateral and the bilateral level. World Trade Organization (WTO) disciplines do not directly confront the problematic nature of digital trade or AI, even though the WTO officially recognizes that AI, together with blockchain and the Internet of Things, is one of the new disruptive technologies that could have a major impact on trade costs and international trade.Footnote ⁹³ Mira Burri has, however, described how WTO general nondiscrimination principles – Most Favorable Nation Treatment and National Treatment – could potentially have an impact on the members’ rules and practices regarding digital trade, as well as more specific WTO agreements, especially the General Agreement on Trade in Services (GATS).Footnote ⁹⁴ She notes that WTO members have made far-reaching commitments under the GATS. The EU in particular has committed to data processing services, database services and other computing services.Footnote ⁹⁵ These commitments might prohibit new measures with regard to search engines that limit market access or discriminate against foreign companies, as they should be considered data processing services. Localization requirements with regard to computer and related services would also be prima facie GATS-inconsistent, but could well be justified under the agreement’s general exceptions.Footnote ⁹⁶

Despite a few updates, such as the Information Technology Agreement, WTO members have failed, as in other fields, to renovate and adapt proper WTO disciplines to strategic issues, such as digital trade and AI. The current plurilateral negotiations on e-commerce, which involve seventy-nine members including China, Japan, the USA and the EU and its member states, might represent a new opportunity to address these issues.Footnote ⁹⁷ However, given the current state of the WTO, such evolution remains, at present, hazardous.Footnote ⁹⁸ So far, the most relevant provisions on digital trade are those negotiated within the bilateral or plurilateral trade deals, beginning with the TPP.Footnote ⁹⁹

Recent developments in EU digital trade diplomacy can be seen as a reaction to the United States’ willingness to develop an offensive normative strategy whose basic aim is to serve its big tech companies’ economic interests and to limit cross-border restrictions based on data privacy protection as much as possible.

B The US Approach to Digital Trade Diplomacy

The United States’ free trade agreement (FTA) provisions on digital trade are the result of the Digital Agenda that was endorsed in the early 2000s. Several US trade agreements containing provisions on e-commerce have been concluded by different American administrations over the last two decades.Footnote ¹⁰⁰ In 2015, the United States Trade Representative described the TPP as “the most ambitious and visionary internet agreement ever attempted”.Footnote ¹⁰¹ The TPP provisions relate to digital tradeFootnote ¹⁰² in various respects, including, inter alia, nondiscriminatory treatment of digital products,Footnote ¹⁰³ a specific ban of custom duties on electronic transmissionFootnote ¹⁰⁴ and free supply of cross-border digital services.Footnote ¹⁰⁵ More specifically, despite recognizing the rights of the parties to develop their own regulatory requirements concerning the transfer of information by electronic means, the agreement prohibits the limitation of cross-border transfer of information by electronic means, including personal information.Footnote ¹⁰⁶ Additionally, under the TPP, “no Party shall require a covered person to use or locate computing facilities in that Party’s territory as a condition for conducting business in that territory”.Footnote ¹⁰⁷ US tech companies were deeply satisfied with the content of the agreement.Footnote ¹⁰⁸

However, the TPP drafters did not ignore the problematic nature of personal information protections. Indeed, the text of this agreement recognized the economic and social benefits of protecting the personal information of users of electronic commerce.Footnote ¹⁰⁹ It even indicated that each party shall adopt or maintain a legal framework that provides for the protection of the personal information of the users of electronic commerce, therefore admitting the possibility of following different legal approaches. However, each party should adopt instruments to promote compatibility between the different legal frameworks,Footnote ¹¹⁰ and the agreement’s wording is relatively strong on the nondiscriminatory practices in terms of user protections.

The GDPR was still under discussion when the TPP was concluded. However, there is room for debate concerning the possible compatibility of the European legislation and this US trade treaty. As with the WTO compatibility test, the main issue concerns the possible discriminatory nature of the GDPR, which in practice is arguable. This doubt certainly constituted an incentive for the EU to elaborate upon and promote its own template on digital trade, in order to ensure that its new legislation wouldn’t be legally challenged by its trade partners, including the US administration.

Just like the TPP, the USMCA contains several provisions that address digital trade, including a specific chapter on this issue.Footnote ¹¹¹ It also prohibits custom duties in connection with digital productsFootnote ¹¹² and protects source code.Footnote ¹¹³ The prohibition of any cross-border transfer or information restriction is subject to strong wording, as the agreement explicitly provides that “[n]o Party shall prohibit or restrict the cross border transfer of information, including personal information, by electronic means if this activity is for the conduct of the business of a covered person”.Footnote ¹¹⁴ Yet, the USMCA admits the economic and social benefits of protecting the personal information of users of digital trade and the relevance of an internal legal framework for the protection of this information.Footnote ¹¹⁵ However, the conventional compatibility of internal regulations that would limit data collection relies on a necessity and proportionality test and a nondiscrimination requirement. In any case, the burden of proving compatibility will undoubtedly fall on the party that limited data transfer in the first place, even though it did so on the grounds of legitimate policy objectives. Under these circumstances, the legality of GDPR-style legislation would probably be even harder to argue than under the former TPP.

C The European Union’s Response to the American Trade Regulatory Challenge

Before studying the precise content of existing EU agreements and proposals on digital trade, one should bear in mind that European trade policy is currently subject to strong internal tensions. Trade topics have become increasingly politicized in recent years, especially in the context of the Comprehensive Economic and Trade Agreement (CETA) and Transatlantic Trade and Investment Partnership (TTIP) negotiations. It is not only member states, through the Council, and the European Parliament – which has obtained, after the Lisbon Treaty, the power to conclude trade agreements together with the Council – that have placed pressure on the Commission. Pressure has also come from European civil society, with movements organized at the state and the EU level.Footnote ¹¹⁶ As a result, the idea that trade deals should no longer be a topic for specialists and be subject to close political scrutiny is gaining ground in Europe. As a response, the capacity of trade agreements to better regulate international trade is now part of the current Commission’s narrative to advocate for the necessity of its new FTA generation,Footnote ¹¹⁷ in line with European primary law provisions that connect trade with nontrade policy objectives.Footnote ¹¹⁸ The most recent generation of EU FTAs incorporate a right to regulate, which is reflected in several provisions, in particular in the context of the sustainable developmentFootnote ¹¹⁹ and investment chapters.Footnote ¹²⁰ More recently, the EU also showed a willingness to include a right to regulate in the digital chapter’s provisions.Footnote ¹²¹ Paradoxically, the recall of the state power to regulate is the prerequisite of stronger trade liberalizationFootnote ¹²² and, more broadly, a way in which to legitimize the extension of trade rules.

Older trade agreements, meaning those concluded before 2009, when the Lisbon Treaty entered into force, remained practically silent on the issue of digital trade or electronic commerce. The EU-Chile (2002) trade agreement is probably the first FTA that contains references to e-commerce, probably under the influence of the US-Chile FTA concluded during the same period. However, the commitments were limited as they refer to vague cooperation in this domain.Footnote ¹²³ Moreover, the service liberalization was strictly contained within the limits of the positive list-based approach of the former generation of European FTAs.Footnote ¹²⁴ The EU-Korea FTA of 2011 contains more precise provisions on data flows, yet it is limited to specific sectors.Footnote ¹²⁵ For instance, Article 7.43 of this agreement, titled “data processing”, is part of a broader subsection of the agreement addressing financial services. The provision encourages free movement of data. Yet, it also contains a safeguard justified by the protection of privacy. Moreover, the parties “agree that the development of electronic commerce must be fully compatible with the international standards of data protection, in order to ensure the confidence of users of electronic commerce”. Finally, under this agreement, the cross-border flow of supplies can be limited by the necessity to secure compliance with (internal) laws or regulations, among which is the protection of the privacy of individuals.Footnote ¹²⁶ Although limited to specific sectors, those provisions demonstrate that the EU was aware of the potential effect of data protection on trade long before the adoption of the GDPR.Footnote ¹²⁷

This sectoral approach has been followed by the EU and its partners in more recent trade agreements, such as the CETA between the EU and Canada, which was concluded in 2014.Footnote ¹²⁸ Chapter 16 of the CETA agreement deals expressly with e-commerce. It prohibits the imposition of customs duties, fees or charges on deliveries transmitted by electronic means.Footnote ¹²⁹ It also states that “[e]ach Party should adopt or maintain laws, regulations or administrative measures for the protection of personal information of users engaged in electronic commerce and, when doing so, shall take into due consideration international standards of data protection of relevant international organizations of which both Parties are a member”.Footnote ¹³⁰ However, the CETA also contains another innovative and broader exception clause based on data protection. Article 28.3 addresses the general exception to the agreement, and provides that several chapters of the agreement (on services and investment, for instance) can be subject to limitation based on the necessity to “secure compliance with laws or regulations which are not inconsistent with the provisions of this Agreement including those relating to … the protection of the privacy of individuals in relation to the processing and dissemination of personal data”. Finally, the CETA agreement, unlike the US model, does not contain a general free data flow provision and only promotes specific forms of data transfer, consistent with European economic interests, such as financial transfers for data processing in the course of business.Footnote ¹³¹

The current European strategy regarding trade and data protection appears more clearly in the negotiations after the adoption of the GDPR. In 2018, the European Commission made public proposals on horizontal provisions for cross-border data flows, and for personal data protection in EU trade and investment agreements.Footnote ¹³² This template is an attempt to reconcile diverging regulatory goals, in particular human rights considerations and economic considerations.Footnote ¹³³ This conciliation is also symbolized by the internal conflict, inside the Commission, between the Directorate General for Trade (DG Trade), traditionally in charge of trade negotiations, and the Directorate General for Justice and Consumers (DG JUST). DG Trade has shown greater sensitivity toward cross-border data flows, whereas DG JUST conceived trade law as an instrument to expand Europe’s privacy protections.Footnote ¹³⁴ As a result, this template supports cross-border data flows while also immediately recognizing that the protection of data and privacy is a fundamental right. Therefore, the protection of data privacy is exempted from any scrutiny.Footnote ¹³⁵ This privacy safeguard uses the wording from a clause to the national security exceptions and contrasts with the necessity and proportionality tests put in place under the TPP and USMCA. Not surprisingly, this privacy carve-out was immediately criticized by tech business lobbyists in Brussels.Footnote ¹³⁶

However, the EU proposals formulated in late 2018, under the framework of the negotiation of two new FTAs with Australia and New Zealand (initiated in 2017), largely confirmed the template’s approach. First, the EU’s proposed texts refer to the right of the parties to regulate within their territories to achieve legitimate objectives, such as privacy and data protections.Footnote ¹³⁷ These proposals also further cross-border data flows in order to facilitate trade in the digital economy and expressly prohibit a set of restrictions, among which are requirements relating to data localization for storage and processing, or the prohibition of storage or processing in the other party’s territory. Moreover, the proposals protect the source code, providing that, in principle, the parties cannot require the transfer of, or access to, the source code of software owned by a natural or juridical person of the other party.Footnote ¹³⁸ A review clause on the implementation of the latter provision, in order to tackle possible new prohibitions of cross-border data flows, is included. Additionally, the European proposals allow the parties to adopt and maintain safeguards they deem appropriate to ensure personal data and privacy provisions. The definition of personal data is similar to the GDPR’s conception.Footnote ¹³⁹ This approach is also in line with the EU’s proposal, formulated within the context of the plurilateral negotiations regarding e-commerce, which took place at the WTO in April 2019.Footnote ¹⁴⁰

The ability of the EU to persuade its trading partners to endorse its vision on digital trade remains uncertain. In this context, the content of the Digital Chapter of the recently concluded FTA between the EU and Japan is not very different from the CETA,Footnote ¹⁴¹ demonstrating the absence of real common ground and Japanese support on this issue. Whereas the JEFTA is an ambitious text in a wide range of sensitive trade matters (such as geographical indications, service liberalization and the link between trade and the environment), it only refers to a vague review clause regarding digital trade and free data flows.Footnote ¹⁴² However, as mentioned earlier, the question of cross-border data flows between Japan and the EU has been dealt with through the formal process that led Japan to reform its legal framework on data protection, which in turn led to the Commission’s 2019 adequacy decision.Footnote ¹⁴³ Unilateral instruments remain, for the EU, the de facto most efficient tools when it comes to the promotion of its conception of data protection.Footnote ¹⁴⁴

A Origin of Data

Data can be classified according to a variety of parameters. A classification model can rely on the sensitivity of the subject, purpose of use, context of procession, degree of identifiability, or method of collection of data. We build on a categorization model of data that was introduced by a roundtable of Organisation for Economic Co-operation and Development (OECD) privacy experts in 2014,Footnote ¹ and expanded by Malgieri.Footnote ² The taxonomy categorizes data according to its origin – that is, the manner in which it originated – and distinguishes between raw data (provided and observed data) and generated data (derived and inferred data).

Raw data (“user-generated data”) encompasses provided and observed data. Provided data is data originating from the direct actions of individuals (e.g., registration form filing, product purchases with credit card, social media post, etc.). Observed data is data recorded by the data controller (e.g., data from online cookies, geolocation data, or data collected by sensors).

Generated data (“data controller-generated data”) consists of derived and inferred data. Derived data is data generated from other data, created in a “mechanical” manner using simple, non-probabilistic reasoning and basic mathematics for pattern recognition and classification creation (e.g., customer profitability as a ratio of visits and purchases, common attributes among profitable customers). Inferred data is data generated from other data either by using probabilistic statistical models for testing causal explanation (“causal inferences”) or by using machine learning models for predicting output values for new observations given their input values (“predictive inferences”).Footnote ³

The relationship between information and the data subject can be classified as either strong (provided data), intermediate (observed and derived data), or weak (inferred data). The stronger the relationship, the more individuals are involved in the creation of the data. Illustratively, a Facebook user has a strong relationship with their registration data and their posts. An example of a weaker relationship would exist when Facebook, based on its algorithmic models, assigns a liberal or conservative political score to this user. The user’s age, geographic location, and posts are all data provided by the user, and eventually included as independent variables in the model. But it is Facebook’s model that will ultimately predict the likelihood the user belongs to either group.

The evolving relationship from provided to inferred data, or from a weak to strong relationship between the data subject and the data, is illustrated in Figure 11.1. Although the delimitation of data types is crucial, a number of gray areas exist. Take the example of a data subject that does not upload data themself, but actively selects which sets of data and their conditions the data controller may access. It is unclear whether these datasets are received or observed by the controller.Footnote ⁴ Note that inferred data is created not only by the analysis of a specific user’s data, but also by the analysis – via statistical learning and automatic techniques to elicit patterns – of all data available to the data generator, including personal data provided by other users.Footnote ⁵

Figure 11.1 Data types and examples

B Artificial Intelligence and Data

With the rise of AI, generated data is expected to proliferate at an exponential rate. As more and more institutions take advantage of increasingly broad datasets, computing power, and mathematical processes,Footnote ⁶ the amount of generated data will expand and the costs of prediction decrease.Footnote ⁷ As pointed out by a recent report ordered by the House of Commons of the United Kingdom, protecting data helps to secure the past, but protecting inferences is what will be needed to protect the future.Footnote ⁸ Inferential data generated by machine learning techniques has already been used (with varying success)Footnote ⁹ to predict sexual orientation based upon facial recognition; emotions of individuals based on voice, text, images, and video; a neighborhood’s political leanings by its cars; and physical and mental predictions, to name but a few.Footnote ¹⁰ With the advancement of the technology and the availability of large training sets, the accuracy of inferred predictions will increase as well.

The predictive potential of machine learning is not confined to academic use cases, as commercial applications abound. Recent patent applications in the USA include methods for predicting personality types from social media messages,Footnote ¹¹ predicting user behavior based on location data,Footnote ¹² predicting user interests based on image or video metadata,Footnote ¹³ or inferring the user’s sleep schedule based on smartphone and communication data.Footnote ¹⁴ In all these instances, raw user data is collected on mobile devices (e.g., smartphones, tablets, etc.) to build and train the predictive model, and then used to predict individual user characteristics and behaviors (as generated data). This generated data is of value to marketing and advertising firms or organizations more generally to identify target users for their products and services.

C Valuation of Data

In general, the valuation of data is difficult, as it varies widely by type, scale, and industry sector. We make two assumptions that underly this chapter, and that support our position that generated data is of higher value than raw data. We claim that the higher value of generated data derives from the investment of firms in development, and subsequent use of statistical and machine learning models.

Our first assumption is that at the single datapoint level, raw data is on average of lower value than generated data. Our explanation for this assumption is as follows: raw data (such as the age of a data subject) is assumed to be, on average, of lower value to companies than generated data (such as future health predictions). In fact, in the marketplace, the price for general information, such as age, gender, and location, can be purchased for as little as $0.0005 or $0.50 per 1,000 people.Footnote ¹⁵ We assume that the price for creation of and access to generated data is higher.Footnote ¹⁶ The value of the datapoint integrates the value-added created by the respective algorithm. This is a generalizable claim despite specific and highly contextual differences. To provide a counterexample, data relating to diseases directly provided by a patient might be of higher value to an insurance company than a prediction based on that data.Footnote ¹⁷

Our second assumption is that, on a large scale, the value of raw data increases linearly, whereas the value of generated data increases exponentially. We make this assumption for the following reasons: for statistical or machine learning approaches, received and observed data will need to be purchased on a large scale in order to build models that will create inferred data. Since the accuracy of predictions is largely a function of the size of training datasets, we can assume that the value of received and observed data is close to zero for small-scale datasets. On the other hand, past acquisitions of datacentric companies reveal a significantly higher value per user, varying between $15 and $40. For instance, Facebook acquired WhatsApp and Instagram for $30 per user.Footnote ¹⁸ These per-user valuations reflect both the quality and scope of the information collected, as well as the expectation of continued platform engagement, and subsequent additional data creation by each acquired user.Footnote ¹⁹ In short, these acquisitions aim at exploiting trends and patterns in large groups with high confidence in the quality of the data. The process of value creation directly depends on investment in machine learning models needed to convert data into predictions.Footnote ²⁰ These include direct operating costs, such as the employment costs of engineers, the licensing costs for software programs, the costs for obtaining more computer power and storage, and the costs of integrating systems with the implementation platform, as well as indirect costs such as training and change management costs or cybersecurity monitoring costs.Footnote ²¹ Therefore, the valuation of datacentric companies reflects the value of aggregated generated data or the potential for firms to create aggregated generated data.Footnote ²² We represent the respective value of raw data and generated data in Figure 11.2: with more data, the value of raw data increases linearly (a), whereas the value of generated data increases exponentially (b).

Figure 11.2 Data value of raw data and generated data

A Free Flow of Data

EU law has a long tradition of shaping regulation to create a single market for goods, services, people, and capital. In recent years, the European Commission has emphasized the need for a data ecosystem built on trust, data availability, and infrastructure.Footnote ²⁵ Ensuring the free flow of data is part of this effort to establish a “digital single market”.Footnote ²⁶ Data is increasingly seen as a tradable commodity.Footnote ²⁷ While the framework for trading data can be found in the traditional civil law rules for purchase contracts, the contract performance – that is, the actual transfer of the data – largely depends on the existence of data portability as a legal institution.Footnote ²⁸ We are interested in how a regulatory framework for the market may level the playing field, challenging large incumbents with a vested interest in not transferring potentially valuable data to competitors.Footnote ²⁹

The more data is concentrated in the hands of a provider, the more likely it will be considered to hold a dominant position under EU competition law.Footnote ³⁰ Although the dominant competition law test is based on market share, not data concentration, said concentration is likely to lead to large market shares in data-driven markets.Footnote ³¹ The European Data Protection Supervisor has discussed how portability of data can foster a functioning market by preventing the abuse of dominance and the lock-in of consumers.Footnote ³² EU competition law, however, can generally be characterized as an ex post regulation: in fact, the European Commission only intervenes once a dominant position has been abused in already existing markets.Footnote ³³

As digital markets are especially prone to winner-takes-all (or -most) outcomes,Footnote ³⁴ additional ex ante regulations are key. The EU has set up a number of these ex ante mechanisms, in particular in sector-specific regulation. A prominent example of this is the telecommunications sector: the Universal Service Directive established a right to number portability, considered a predecessor to the right to data portability under EU law.Footnote ³⁵ The portability of telephone numbers and of data facilitates effective competition and can be considered a form of ex ante regulation as it creates the prerequisites for establishing a functioning telecommunication market.

The free movement of data is further addressed in Art. 16(2)1 of the Treaty on the Functioning of the European Union (TFEU), which gives the EU legislator the power to establish rules regarding the protection and free movement of personal data. The GDPR confirms the free movement of data as a subject-matter of the regulation and postulates that the free movement of personal data within the EU shall not be restricted or prohibited for the protection of personal data.Footnote ³⁶ These affirmations refer once more to the foundation of the EU: free movement of goods, services, people, capital, and now data in a single market. Since May 2019, the regime is complemented by the NPDR.Footnote ³⁷ Targeting non-personal data, the NPDR is entirely based on the ideal of the free flow of data. According to the NPDR, the two regulations provide a coherent set of rules that cater for free movement of different types of data.Footnote ³⁸

B Regimes for Data Portability

The portability of data is explicitly covered by both the GDPR and the NPDR. The former only applies to “personal data”, the latter to “non-personal data”.Footnote ³⁹ EU law therefore clearly delineates personal from non-personal data.

Personal data is defined as “any information relating to an identified or identifiable natural person (‘data subject’)”.Footnote ⁴⁰ The notion of personal data is broad, as it only requires that a natural person can be identified directly or indirectly. It is sufficient, for instance, that the link to the natural person can be established using other reasonably accessible information – such as a combination of specific browser settings used to track behavior for personalized advertising.Footnote ⁴¹

Non-personal data, by contrast, is any information that does not relate to an identified or identifiable natural person. Firstly, this encompasses data that originally does not relate to an identified or identifiable natural person, such as weather information or data relating to the operation of machines. Secondly, properly anonymized data cannot be attributed to a specific person and is therefore non-personal.Footnote ⁴² However, if non-personal data can be linked to an individual, the data must be considered personal.Footnote ⁴³

C Analysis: The Concept of Data Portability

Our analysis depicts the limitations of existing EU law in providing for the free movement of data via a comprehensive and effective portability regime. In particular, we discuss how the distinction between personal versus non-personal data and raw versus generated data may impact the concept of data portability.

D Data Portability beyond the European Union

The EU has taken the lead in shaping the way the world thinks about data protection, privacy, and other areas of digital market regulation.Footnote ⁶⁹ Its data protection standards in particular have been diffused globally.Footnote ⁷⁰ Firstly, the ideas and concepts of the GDPR – in our case of data portability – have influenced a number of jurisdictions to enact data portability norms themselves. Secondly, international firms are bound directly by the GDPR’s and the NPDR’s extraterritorial scope, even without being established in the EU. Thirdly, because of the “Brussels Effect” foreign corporations often prefer to respect EU law even without a legal obligation to do so. Fourthly, international soft law has been and can be deployed to integrate data privacy principles from the EU, playing thereby a key role in the international governance of portability regimes. Fifthly, data privacy obligations have been stipulated in international treaties, requiring the implementation of data portability norms within the national law of ratifying states. In this regard, international economic law can help to diffuse data portability rules across the world.