A Introduction

The regulation of data has increasingly become a common feature of trade agreements. To understand this rule framework, it is essential to first identify the main players and interests at stake. In my view, data regulation in trade agreements mainly deals with three groups of interests, each corresponding to different stakeholders. The first is the commercial interests of the companies engaged in electronic commerce. Due to the unique nature of their business, most Internet companies need unhindered data flows to conduct their business. Thus, they demand free flow of information across the globe and oppose to data localization requirements. Behind the second group of interest is the person or the consumer, who supplies the raw data to use the services provided by the Internet companies. As both the raw data and the processed data are controlled by the companies, consumers, at least to the extent they would act in their best interest, wish to ensure that their privacy and personal data are properly protected. This is where the third, and arguably the strongest, stakeholder – the state – comes into play.

The state monitors and regulates the data used by the first two groups, which involves the collection, processing, access and transfer of data. In designing the regulatory framework, the state often tries to strike a balance between the different or even conflicting interests of the different players, by trying to ensure the protection of the privacy of personal data, while not unduly hindering the development of the economy. Faced with various threats, such as cyberwarfare and terrorism, the state also needs to ensure that public safety and national security are not compromised by rogue players roaming at large in cyberspace.

While all regulators would agree on the need to strike a balance between the clashing interests of different stakeholders, their approaches often differ in practice. Some jurisdictions prioritize the need to safeguard the privacy of their citizens. A good example in this regard is the General Data Protection Regulation (GDPR) of the European Union (EU), which recognizes ‘[t]he protection of natural persons in relation to the processing of personal data’ as ‘a fundamental right’.Footnote ¹ On the other hand, some jurisdictions put the commercial interests of firms first. In the United States (US), this is reflected in the 1996 Telecommunication Act, which notes that it is ‘the policy of the United States … to preserve … free market … unfettered by Federal or State regulation’.Footnote ² In contrast, national security concerns are often cited to justify restrictions on cross-border data flow, albeit in varying degrees in different countries. A recent example is China’s 2017 Cybersecurity Law, which imposed several restrictions aiming to ‘safeguard cyber security, protect cyberspace sovereignty and national security’.Footnote ³

It is not easy to say which one is the best approach, as the various regulatory approaches often reflect the different legal, political, economic, social and cultural backgrounds of different countries. What is more important than passing judgement about different models, however, is to understand the inherent logic and mechanisms of the different regulatory regimes. In this chapter, I will focus on China, which is not only home to the largest e-commerce market in the world but also has one of the most tightly regulated cyberspaces. By providing a detailed analysis of the rationale and operation of ‘data regulation with Chinese characteristics’, the chapter seeks not only to help understand this discrete regulatory model but also to find ways to deal with such a regime at the international level.

B Internet Regulation in China

The first email from China was reportedly sent on 20 September 1987 by a group of researchers at the Institute for Computer Science of China’s State Commission of Machine Industry to the University of Karlsruhe in Germany.Footnote ⁴ On 28 November 1990, China’s national domain name – ‘.cn’ – was registered by Professor Qian Tianbai, a pioneer in the Chinese Internet industry.Footnote ⁵ However, it was not until 20 April 1994 that the first connection to the international network was established by China Education and Research Network, which marked the launch of the Internet in China.Footnote ⁶ Since then, the Chinese Internet has grown by leaps and bounds, despite occasional hiccups, such as Google’s exit from China in 2009.Footnote ⁷ In 2013, China’s e-commerce volume exceeded 10 trillion RMB and China overtook the United States as the largest e-commerce market in the world.Footnote ⁸ Nowadays, Chinese e-commerce giants like Alibaba are among the biggest online retailers globally and Chinese online shopping festivals, such as the Singles Day (11.11) Sale have gained loyal followers all around the world.Footnote ⁹ In the latest race on the research and applications of big data, machine learning and artificial intelligence (AI), China is also quickly catching up with the United States, a world leader that increasingly sees its competitive edge being narrowed.Footnote ¹⁰

Notwithstanding the phenomenal growth in the e-commerce sector, the Internet remains under tight regulation in China. The following section provides a detailed examination of this framework, paying specific attention to the regulation of data.

C Trade Agreements

Ever since the Declaration on Global Electronic Commerce at the Second WTO Ministerial Conference in May 1998, WTO members have been exploring ways to incorporate Internet and data regulation into trade agreements.Footnote ⁶⁹ While not much success was made in the WTO collectively, individual members were able to address the issue in other fora such as free trade agreements (FTAs) and the plurilateral Trade in Services Agreement (TiSA) initiative.Footnote ⁷⁰ It makes good sense to address the issue in international trade agreements, as the Internet was born with an international nature and closely linked to commerce. At the same time, however, a country’s position on Internet and data regulation in trade agreements is often heavily influenced by its domestic regulatory approach, and China is no exception.

In a way, China’s first encounter with data regulation in the WTO started on the wrong foot as it concerned a sensitive area: China’s regulation of publications and audio-visual products.Footnote ⁷¹ In the case, the United States complained that China has failed to grant foreign firms the right to import and distribute publication and audio-visual products. One of the key issues in the case was whether China’s commitments on ‘sound recording distribution services’ cover ‘electronic distribution of sound recordings’, as alleged by the United States.Footnote ⁷² China disagreed with the US approach and argued instead that such electronic distribution ‘in fact corresponds to network music services’,Footnote ⁷³ which only emerged in 2001 and were completely different in kind from the ‘sound recording distribution services’. According to China, the most fundamental difference between the two is that, unlike ‘traditional’ sound recording distribution services, network music services ‘do not supply the users with sound recordings in physical form, but supply them with the right to use a musical content’.Footnote ⁷⁴ In response, the United States cited the panel’s statement in US – GamblingFootnote ⁷⁵ that ‘the GATS does not limit the various technologically possible means of delivery under mode 1’, as well as the principle of ‘technological neutrality’ mentioned in the Work Programme on Electronic Commerce – Progress Report to the General Council,Footnote ⁷⁶ and argued that electronic distribution is merely a means of delivery rather than a new type of service.Footnote ⁷⁷ Furthermore, the United States argued that the term ‘distribution’ encompasses not only the distribution of goods, but also distribution of services.Footnote ⁷⁸ After a lengthy discussion covering the ordinary meaning, the context, the provisions of the GATS, the object and purpose and various supplementary means of interpretation, the panel concluded that the term ‘sound recording distribution services’ does extend to distribution of sound recording through electronic means.Footnote ⁷⁹ China appealed the panel’s findings, but they were upheld by the Appellate Body, which largely adopted the panel’s reasoning.Footnote ⁸⁰

The case was also the first WTO case concerning China’s censorship regime. It is interesting to note, however, that the United States did not challenge the censorship regime per se.Footnote ⁸¹ Instead, the United States only challenged the alleged discrimination in the operation of the regime, where imported products were subject to more burdensome content review requirements.Footnote ⁸² Ironically, the United States even proposed, as the solution to the alleged discrimination, that the Chinese Government itself shall shoulder the sole responsibility for conducting content review, rather than outsourcing it to importing firms.Footnote ⁸³

With such an unpleasant experience, China took a cautious approach on the inclusion of Internet or data regulation in other trade fora. While it has signed more than a dozen FTAs so far, most of them have not included provisions on such regulations. The only exceptions are the two FTAs China signed with South Korea and AustraliaFootnote ⁸⁴ in 2015 and the amendment of the FTA signed with Chile in 2018, which include stand-alone chapters on e-commerce. However, unlike the US FTAs, which often include provisions on free flow of data and ban on data localization requirements,Footnote ⁸⁵ the earlier mentioned FTAs only address e-commerce-related issues, such as the moratorium on customs duties on electronic transmissions; electronic authentication and electronic signatures; protection of personal information in e-commerce; and paperless trading.Footnote ⁸⁶ Thus, they do not really address Internet and data regulation issues as such.

A similar approach is taken by China in the WTO negotiations. Even though the United States has long been calling for rules on issues such as free cross-border data flow and ban on data localization requirements, China has ignored these issues until very recently. For example, in its communication on e-commerce jointly tabled with Pakistan before the Eleventh Ministerial Conference, China focused only on ‘cross-border trade in goods enabled by Internet, together with services directly supporting such trade in goods, such as payment and logistics services’.Footnote ⁸⁷ As I have mentioned in another article, this approach is a reflection of the nature of business of most Chinese Internet firms, as they tend to focus on trade in physical goods facilitated by the Internet, rather than digital products like Google and Netflix.Footnote ⁸⁸ Thus, when over seventy WTO members issued a joint statement on launching the negotiations on e-commerce at the Eleventh Ministerial Conference in December 2017,Footnote ⁸⁹ China declined to join. When these members decided to formally launch the e-commerce negotiations in January 2019, however, China changed its position and jumped on the negotiation.Footnote ⁹⁰ In April 2019, China issued a communication on the joint statement negotiation, in which it repeated the focus on cross-border trade in goods enabled by the Internet.Footnote ⁹¹ At the same time, however, it also addressed the main concerns of the United States, including data flows, data storage and treatment of digital products, in the following manner.

First, rather than ignoring these issues as it has done in the past, China chose to face them and acknowledge them as issues of concern for some members. This itself is a positive sign, as it indicates China’s willingness to engage on these issues. Second, at the same time, China also indicated that it was not ready to discuss these issues, at least not in the early stages of the negotiation. Citing the ‘complexity and sensitivity’ of these issues, as well as ‘the vastly divergent views among the Members’, China stated that ‘more exploratory discussions are needed before bringing such issues to the WTO negotiation, so as to allow Members to fully understand their implications and impacts, as well as related challenges and opportunities’.Footnote ⁹² Such approach is all too familiar to those who follow WTO negotiations closely, as it is basically a polite way of saying ‘we do not want to discuss these issues now’.

Third, in particular, China singled out the issue of cross-border data flows, by stating that ‘[i]t’s undeniable that trade-related aspects of data flows are of great importance to trade development’.Footnote ⁹³ Interesting to note is, however, what China did and did not say in this sentence. It did not, for example, use ‘free flow of data’, which is how the United States has always referred to the issue in its submissions.Footnote ⁹⁴ On the other hand, it qualified ‘data flow’ with ‘trade-related aspects’. This implies that China is not willing to address all kinds of data flows, just those related to trade. In other words, to the extent that some data flows do not have a trade nexus, they could be legitimately excluded. As I have mentioned elsewhere, this qualification could have wide implications, as it could be employed to justify restrictions on data flows in sectors that China has not made commitments, or even for those covered by existing commitments but provided free of charge (such as Google’s search engine services), as they are not ‘traded’.Footnote ⁹⁵

Fourth, in an effort to turn the table, China also prefaced the discussion on these ‘other issues’ with the recognition that members shall have the ‘legitimate right to adopt regulatory measures in order to achieve reasonable public policy objectives’. This language is reminiscent of the calls for more ‘policy space’, a term often employed in trade negotiations to justify special and differential treatment and resorting to exceptions clauses. As the China – Publications and Audiovisual case mentioned earlier has illustrated, China will, most likely, invoke the public order exception contained in the general exceptions clauses of both the GATT and GATS to justify its online censorship regime. In particular, regarding data flows, China emphasized that it ‘should be subject to the precondition of security’ and should ‘flow orderly in compliance with Members’ respective laws and regulations’. This extends China’s domestic narrative of cybersecurity to the international level, which is made complete with the earlier reference for all members to ‘respect the Internet sovereignty’ of other members. By elevating the issue to one of ‘sovereignty’, China has shown the seriousness it attaches to the issue of regulating data flow.

In summary, China has made it clear that it is not yet ready to discuss these sensitive data-related issues, at least not in the early stages of the negotiations. There is a possibility that it will consider some of them further down the road, but such negotiations will not be easy given China’s guarded position.

D Conclusion

When people discuss data regulations today, they tend to focus on two main players: the UnitedStates, which calls for free flow of data to serve the interests of firms, and the EU, which prioritizes the need for the protection of personal information and privacy of the consumers. This chapter discusses the third major player – China – which emphasizes data security and even regards it as a matter of national sovereignty. Of course, such a regulatory approach was not formed overnight. Instead, the earlier discussions have illustrated how data regulation with Chinese characteristics has evolved over the past twenty-five years. More specifically, the analyses in this chapter have shown the differing regulatory logics and approaches at two different levels – the national and the international.

First, at the domestic level, we have seen Internet regulation shifting from hardware to software, and now to content and data. The shift in regulatory focus closely follows the development of the Internet in China, where it started as a novelty that was confined to the ranks of tech-savvy geeks, then gradually expanded to the masses with the proliferation of software and apps catered to popular uses, and now permeates everyone’s daily life from socializing and shopping to entertainment and education. Recognizing the central role played by the Internet in modern life, Chinese regulators have shrewdly chosen to regulate data, which is the essence of cyberspace that powers everything, especially with the rise of big data and artificial intelligence. Moreover, data regulation has now been elevated to the level of national security, and the agency that is responsible for content regulation, the CAC, has also evolved into the super-agency that is almost synonymous with data regulation in China. The CAC has no responsibility in promoting the growth of the sector. Instead, its only responsibility is making sure that the cyberspace is secure and nothing unexpected pops up. It is this single-minded pursuit of security that has led to such draconian policies as Internet blockage, filtering and other restrictions on the free flow of data, forced data localization requirements and the transfer of source code. As the Internet is becoming more complicated and omnipotent, we can only expect Internet and data regulations in China to become more sophisticated and omnipresent.

Second, at the international level, due to its unpleasant experience in WTO disputes, China has for a long time been rather cautious in addressing Internet and data related issues. This approach is also reflected in its free trade agreements, which tend to avoid the Internet-related issues. Even though its most recent FTAs – especially the ones with South Korea, Australia and Chile – started to address them, they tend to focus on only e-commerce-related issues and do not really address data flows. At the same time, in contrast to its defensive position on data-related issues, China has been quite aggressive in pushing for liberalization of ‘cross-border trade in goods enabled by Internet’. This reflects China’s interest as the leading goods exporter and the success of its e-commerce platforms such as Alibaba. In its latest proposal on the WTO Joint Statement Initiative on e-commerce, China started to address data regulations, but they were framed as secondary issues that require ‘more exploratory discussions’ and are subject to each member’s ‘right to regulate’ to achieve other policy goals, especially security.

The growth of the Internet in China over the past twenty-five years has not only led to the phenomenal growth of its e-commerce market, but also gave China the confidence and power to export its model, and to ‘set the agenda and make rules for cyberspace at the international stage’, as per the high-level exhortation by President Xi at the Politburo’s Thirty-Sixth Collective Study Session on ‘Implementation of the Internet Power Strategy’ in October 2016.Footnote ⁹⁶ The success of China’s e-commerce sector will make the Chinese model attractive to many developing countries, as many of them are trying to emulate the accomplishments of China. However, an argument could be made that given China’s huge population base and the resulting enormous market, its e-commerce success story is more ‘in spite of’, rather than ‘because of’, the tight grip on cyberspace by the government. Nonetheless, given China’s growing economic clout, data regulation with Chinese characteristics is something that the rest of the world must grapple with for some time to come. It is in this regard that this chapter tries to make a distinct contribution by offering a preliminary peek behind the cyber curtain, while also offering some hints on the things to come.

A Introduction

In the past two decades, the rapid development of the Internet allowed the growth of e-commerce, and together with the new digital technologies and the Internet of Things, the flow of data – both commercial and personal has increased to levels unseen before. Traditional trade rules could serve as a starting point to deal with these issues but they clearly are not enough. To provide some context, in 1994 – at the time the World Trade Organization (WTO) and its agreements were established by the Marrakesh Agreement – Mosaic was the most used web browser on the Internet. (Netscape Navigator was created the same year, and Internet Explorer was only released in 1995.)Footnote ¹ Neither Google, nor Amazon or Facebook existed in 1994. The ‘modern’ rules of trade law were not designed having taken into account the characteristics of contemporary digital trade and data flows.

This situation has led to the regulation of electronic commerce today becoming one of the most important topics in trade law and policy. Efforts of dealing with these issues at a multilateral level started in 1998, when the WTO established a work programme on electronic commerce and at the ministerial conference that same year, members agreed on a temporary duty-free moratorium on all electronic transactions – a practice that since then has been renewed at each WTO ministerial conference.Footnote ² Further development has been slow paced and we are still far from achieving consensus on this topic. Only in December 2017, forty-four WTO members made a joint declaration to initiate exploratory work together toward future negotiations on trade-related aspects of electronic commerce.Footnote ³ In 2019, some countries like India and South Africa argued that the e-commerce moratorium in the WTO led to loss of revenue, as it gave such transmissions immunity from taxation, and initially opposed to the renewal of the duty-free moratorium.Footnote ⁴ And while there has been a new reinvigoration under the 2019 Joint Statement Initiative with currently seventy-seven WTO members on board, overall, until now, the WTO has made no substantive progress on e-commerce, and countries have not been able to agree on a multilateral regime for the treatment of e-commerce and data flows.Footnote ⁵

But the lack of consensus at a multilateral level does not mean that rules for digital trade are not being created elsewhere. In fact, since the beginning of the twenty-first century, certain countries have been including provisions and even chapters on electronic commerce, as well as rules on data flows, in preferential trade agreements (PTAs). It is well known that the United States has been important in the creation and diffusion of digital trade rules, especially after the 2002 US Digital Trade Agenda and the Bipartisan Trade Promotion Authority Act of the same year.Footnote ⁶ Not so well known is the relevant role other actors have played in the development of these rules.Footnote ⁷ This contribution focuses on one group of countries of the Latin American region, which have been the most important vectors of the inclusion of e-commerce and data rules in PTAs – a group that includes Chile, Colombia, Mexico, Peru, and Panama. For the purpose of this chapter, we consider ‘Latin American’ PTAs those trade agreements in which at least one, or more parties, is a country from Latin America and the Caribbean region.

Besides highlighting the contribution that those countries have had in the creation and diffusion of this new rule-making, our goal is also to determine the level of regulatory convergence that Latin American countries (LACs) have on rules on digital trade and data flows. For this purpose, we understand regulatory convergence as an overarching notion that aims to reduce unnecessary regulatory incompatibilities between countries in a dynamic and incomplete process.Footnote ⁸ The rationale behind regulatory convergence in PTAs stems from the idea that regulatory diversity may entail significant costs that can hinder cross-border exchanges,Footnote ⁹ and that the maintenance of needlessly burdensome cross-border differences in regulation can result in a number of additional negative policy impacts, including higher transaction costs stemming from information asymmetries.Footnote ¹⁰ Divergent regulatory requirements can lead to duplication of procedures and costs in trade that are important for all internationally active businesses and especially so for small- or medium-sized enterprises (SMEs), for which such fixed costs can be a deciding factor in whether or not to export or invest, including across borders.Footnote ¹¹ Lack of transparency or clarity of regulations, as well as excessive, inefficient, or ineffective regulations, create unnecessary delays or impose costs on traders and investors.Footnote ¹²

Regulatory convergence mechanisms include substantive or procedural aspects that are aimed at two different types of regulatory outcomes. In some agreements, regulatory convergence aims to achieve substantive regulatory harmonisation (similar or equivalent regulation – ‘substantive convergence’). Other agreements consider harmonisation of the processes by which regulations are developed, adopted, publicised, and implemented (similar or equivalent procedures – ‘procedural convergence’). With different denominations,Footnote ¹³ both approaches are present in the PTAs examined in this chapter.

The chapter is organised as follows. After the introduction, we provide a detailed description of e-commerce and data rules found in Latin American PTAs, and their convergence or divergence. Then we briefly present the domestic frameworks of relevant LACs on digital trade–related topics, as well as their consistency with existing international commitments, with special emphasis on personal data protection. To conclude, we highlight some potential conflicts that could arise between these countries’ domestic regulations and international commitments in the field.

B Regulatory Convergence in E-Commerce and Data Flow Provisions in Latin American PTAs

The inclusion of provisions in PTAs referring explicitly to e-commerce and data flows is not a recent phenomenon, although it has evolved importantly in the past two decades. According to the TAPED dataset, 191 PTAs include provisions that are related to e-commerce and data flows, with 116 PTAs with e-commerce provisions and 86 with e-commerce chapters.Footnote ¹⁴ These provisions are highly heterogeneous and address various issues including customs duties and non-discriminatory treatment of digital products, electronic signatures, paperless trading, unsolicited electronic messages, as well as consumer protection, data protection, data flows, and data localisation.

As detailed in Table 13.1, of the total number of PTAs with e-commerce and data flow provisions the countries of Latin America have concluded 53 per cent (62 agreements, 47 chapters). Twenty-nine of these agreements have been concluded with developed countries (47 per cent of this subset) and 33 with other developing countries (53 per cent of this subset), most of them also from Latin America (26 agreements in total). The countries leading this treaty-making practice in the region are Chile (18 PTAs) Peru (16 PTAs), Colombia (12 PTAs), Panama and Costa Rica (11 PTAs each). This is in line with the fact that the surge of PTAs having e-commerce provisions involves both developed and developing countries. 49 per cent of the PTAs with e-commerce provisions were negotiated between developed and developing countries, and 47 per cent were negotiated between developing countries.Footnote ¹⁵

The earliest e-commerce provision in a PTA involving a Latin American country is found in the 2001 Canada–Costa Rica Free Trade Agreement (FTA), which included a Joint Statement on Global Electronic Commerce. In a non-binding fashion, it addresses several issues, like the applicability of WTO rules to e-commerce, supporting industry developments in the field, stakeholder’s participation, transparency, and consumer and data protection. In 2002, the Chile–EU Association Agreement properly included e-commerce provisions in the text of the treaty on issues such as cooperation and data protection.Footnote ¹⁶ The first PTA concluded in the region having a dedicated e-commerce chapter is the 2002 Chile–US FTA. In 2006, the Nicaragua–Taiwan FTA began the inclusion of provisions on data flows as part of its cooperation commitments. The number of Latin American PTAs with such provisions has increased over the years (see Figure 13.1), simultaneously with the growing discussions on the digital economy and its move up as a topic on the policy agendas and negotiation tables.

Figure 13.1. Latin American PTAs with e-commerce and data flow provisions

Although the number of PTAs with e-commerce and data flow provisions remains limited, the last eight years have shown a significant increase in the number of agreements with such provisions. Overall, agreements including such provisions are mainly of an intercontinental nature, but around one-third of these PTAs have at least one Latin American country as a contracting party (thirty-one treaties) and Latin America is one of the most relevant regional area with this type of treaty-making (Table 13.2).

PTAs with e-commerce provisions involving LACs have also increased their level of detail significantly over the years. Seven is the average number of PTA provisions found on e-commerce chapters in the past five years, with an average of 955 words. A treaty involving a Latin American country, the United States–Mexico–Canada Agreement (USMCA), is currently the PTA in force with the largest number of articles and words on e-commerce, as its current text has 19 articles and an average of 3,206 words. Several PTAs having a Latin American country as a party have devoted more than 11 articles and 1,900 words to these topics, like the 2017 Argentina–Chile FTA, the 2015 Pacific Alliance Additional Protocol (PAAP), the 2016 Chile–Uruguay FTA, the 2018 Australia–Peru FTA, the 2018 Brazil–Chile FTA, and both the Trans-Pacific Partnership Agreement (TPP) and the Comprehensive and Progressive Agreement for Trans-Pacific Partnership (CPTPP), whose e-commerce chapter reiterates verbatim the TPP text.

C E-Commerce and Data Provisions in Latin American PTAs

E-commerce and data provisions are found in the main text of several Latin American PTAs, mostly on chapters or sections dedicated to e-commerce or intellectual property (IP). When available, data flow provisions are also found in these chapters or sections, but are commonly included in chapters on specific services, mainly telecommunication and financial services. E-commerce provisions can also be found in side documents, like annexes, joint statements, and side letters. As presented in Table 13.3, Latin American PTAs represent an important number of treaties with such provisions.

In the following sections, we examine the provisions of Latin American PTAs in two main groups: (i) electronic commerce and (ii) cross-border data flows.

An assessment of the extent of legalisation of these provisions was also performed, distinguishing between ‘soft’, ‘mixed’, and ‘hard’ commitments. We considered as ‘soft’ those commitments that are not enforceable by the parties, like ‘best efforts’ and cooperation commitments. We classified as ‘hard’ those commitments that oblige a party to comply with a rule or a principle and which are enforceable by another party. Finally, we consider an agreement with ‘mixed’ legalisation if the treaty has both soft and hard commitments. Similarly, we included in this category references to other agreements that are only partially applicable.Footnote ¹⁷

D Legal Framework of E-Commerce and Personal Data Protection in Latin American Countries

As mentioned, a group of five Latin American countries, Chile, Colombia, Costa Rica, Panama, and Peru, have concluded an important number of trade agreements with clauses or chapters on e-commerce and data flows, representing around half of all the PTAs that include these provisions. In this section we examine whether the domestic legal framework of these countries corresponds to their international commitments, taking as a case study the regulation of data protection.

Most Latin American countries, sharing the tradition of European continental civil law, have recognised the right to the protection of personal data and the right to privacy as separate legal notions. Several Constitutions of the region recognise explicitly the right to privacy, but those of Argentina, Brazil, Colombia, Mexico, Peru, and Venezuela also include the ‘habeas data’, or the right to the protection of personal data. But even in countries where this mechanism is not expressly contained in the Constitution, the relevant courts have recognised the ‘right to control’ personal information.Footnote ¹³⁵

Chile, Colombia, Costa Rica, Panama, and Peru have also domestic regulations on the processing of personal data in both the public and private sectors. Chile was the first to introduce such framework in 1999, followed by Colombia in 2008.Footnote ¹³⁶ However, in most of these countries there are concerns on the proactive application of data protection laws and regulations by their respective Data Protection Authority (DPA) – and in some cases such authority does not exist. Other challenges commonly mentioned are the harmonisation of cross-border cooperation for the protection of privacy with other DPAs and police and judicial authorities; the promotion of privacy management programmes including obligations to respond, inform, and compensate data owners in case of violation of security that affects personal information; and the enhancement of interoperability with other regional and national privacy and data protection frameworks.Footnote ¹³⁷

E Conclusion

As we have seen throughout this chapter, a group of Latin American countries have pioneered the inclusion of e-commerce and data flow provisions in preferential trade agreements. These countries have done so, in a largely consistent way, with an important level of regulatory convergence on certain objectives and principles (like facilitate and promote e-commerce, avoid unnecessary barriers, and address the needs of SMEs), as well as on specific commitments, such as moratorium on custom duties, electronic authentication, source code, consumer protection, personal data, data flows and data localisation, yet, with different levels of legalisation. These principles and commitments were largely developed in the conclusion of PTAs with developed countries.

But Latin American countries have also advanced new principles on e-commerce and data flows in the conclusion of trade agreements. Around half of all PTAs including data flow provisions on telecommunications or financial services have been concluded by Latin American countries, and the 2014 Mexico–Panama FTA was the first PTA with general binding provision on cross-border information flows. Latin American PTAs are the largest group of treaties that include provisions either banning or limiting requirements of data localisation. Additionally, the largest number of agreements including provisions on stakeholder’s participation or the principle of ‘technological neutrality’ has also been concluded by Latin American countries. Only three PTAs explicitly recognise the principle of ‘net neutrality’Footnote ¹⁷⁷ and all have been concluded between Latin American countries.Footnote ¹⁷⁸

A further testimony to the creative role of Latin American countries on these topics is the announcement made on 18 May 2019 on the side lines of the Asia-Pacific Economic Cooperation (APEC) meeting of Ministers Responsible for Trade in Viña del Mar, Chile, of the start of the negotiations of a Digital Economy Partnership Agreement (DEPA) between Chile, Singapore, and New Zealand.Footnote ¹⁷⁹ The agreement was finally concluded on 21 January 2020 covering all aspects of the digital economy to support trade in the digital era, and also going beyond existing commitments, looking at a range of emerging issues, like cross-border data flows, digital identities, artificial intelligence, electronic invoicing, and open government data.

However, the five examined Latin American countries have not all had the same consistency at domestic level, with national regulations on certain topics addressed in PTAs that lag behind what has been committed to in those agreements, particularly on the issue of data protection. The Organization of American States (OAS) has reported that a consistent and coherent regional approach to the protection of personal data has not yet emerged in Latin America. In 2015, the Inter-American Juridical Committee adopted a ‘Proposal for the Declaration of Principles of Privacy and Protection of Personal Data in the Americas’ with the purpose of urging the OAS member states to adopt measures to respect privacy, reputation, and dignity of people in the Americas.Footnote ¹⁸⁰ At the same time, a group of five countries of the region that are considered to have a moderate (Chile, Colombia, Costa Rica, Peru) or limited (Panama) data protectionFootnote ¹⁸¹ are leading the conclusion of PTAs including digital trade and data flow provisions. While these provisions are not all binding, general provisions on data flows, as well as on specific sectors (financial services and telecommunications), have become commonplace in recent years. In contrast, data protection provisions in these PTAs are largely non-binding or their scope of application is left to domestic regulations.

The different levels of commitment and approaches on these issues found in these five countries between the international and domestic regulation, as well as their implementation (or lack thereof), potentially create the possibility of future conflicts, if some of these countries intend to change the domestic regime for data protection. If both regimes are not well-coordinated, Latin American countries could be limited in their policy space to enact rules that contradict international commitments. For example, from the group of countries mentioned earlier, only Colombia, Panama, and Peru have established a criterion of equivalence for the international transfer of personal data, meaning that those countries agree that personal data may be exchanged only where the party which may receive them undertakes to protect such data in at least an ‘adequate’ way to the one applicable to the party from where that data originates. In all the PTAs examined in this chapter, we find such a rule only in the 2017 Argentina–Chile FTA.

In several of these countries discussions are taking place to reform data protection laws to a model that is closer to the EU’s GDPR. Up to now, the only Latin American countries the EU has determined as having and adequate levels of data protection under the GDPR are Argentina and Uruguay.Footnote ¹⁸² What would happen if other countries of the region made a policy change to be GDPR adequate and implement their own adequacy policies? Could that be a violation of PTA commitments to allow the cross-border transfer of information by electronic means that do not include such exception?Footnote ¹⁸³ Is this a problem waiting to happen?

A matter for further research is to determine why these Latin American countries have pioneered the development and diffusion of electronic commerce and data flow provisions in PTAs. Is this a sort of path dependency or the influence of third countries, a reaction to particular economic interests, or rather the will to be in a position of rule-makers and not rule-takers?Footnote ¹⁸⁴ The answers to these questions could help to shed a light on the development of new rules for digital trade.

A Introduction

Policymakers face a tension between, on the one hand, generating the economic benefits associated with unfettered data flows across borders and, on the other hand, providing a trusting environment for individuals, firms and governments taking part in the data-driven economy. International trade agreements seek to regulate data flows through provisions aiming to facilitate the cross-border trade of goods and services built on data, such as data processing and other computing services.Footnote ¹

On the margins of the G20 leaders’ meeting in Osaka in June 2019, twenty-three countries plus the European Union (EU) signed the Osaka Declaration on the Digital Economy.Footnote ² The declaration states that the signatories, ‘standing together with other World Trade Organization (WTO) Members that participate in the Joint Statement on Electronic Commerce issued in Davos on 25 January 2019, in which 78 WTO Members are on board, hereby declare the launch of the “Osaka Track”, a process which demonstrates our commitment to promote international policy discussions’. The referred-to January 2019 Joint Statement, issued during the World Economic Forum’s annual meeting in Davos, confirms the members’ ‘intention to commence WTO negotiations on trade-related aspects of electronic commerce’.Footnote ³ This Joint Statement is itself a restatement of a previous Joint Statement issued at the WTO’s eleventh ministerial conference in Buenos Aires in December 2017, where some seventy-five members ‘recognize[d] the important role of the WTO in promoting open, transparent, non-discriminatory and predictable regulatory environments in facilitating electronic commerce’.Footnote ⁴ The Buenos Aires Joint Statement indicated that the signatories would begin exploratory work toward ‘future WTO negotiations on trade-related aspects of electronic commerce’.Footnote ⁵

A number of discussion rounds took place in 2018 and 2019 in Geneva in order to delimit the scope of potential plurilateral negotiations on electronic commerce/digital trade. The provisions on e-commerce/digital trade found in the Comprehensive and Progressive Agreement for Trans-Pacific Partnership (CPTPP)Footnote ⁶ and the United States–Mexico–Canada Agreement (USMCA),Footnote ⁷ the North American Free Trade Agreement’s (NAFTA) replacement, are currently the most detailed proposals being considered in the WTO’s plurilateral negotiations on e-commerce.Footnote ⁸

This is why this chapter offers a detailed analysis of these CPTPP/USMCA e-commerce/digital trade provisions that pertain to data flows in order to identify the constraints they could impose on national data regulation.Footnote ⁹ To do so, it uses Canada as an example, because it is a party to both trade agreements and it seeks to build a high-trust data environment for consumers and businesses.Footnote ¹⁰ The analysis leads to the conclusion that Canada’s CPTPP and USMCA commitments could ultimately negate the effectiveness of future data protection policies that the Canadian federal government might want to adopt to achieve its ‘trust in the digital age’ objective.Footnote ¹¹

B Cross-Border Data Flow and National Data Regulation

Policymakers have lots of reasons to try to link the free flow of data and data protection. According to Dan Ciuriak, ‘there is a need for free flow of data, including on a cross-border basis’, because data is ‘intrinsic to commercial transactions’.Footnote ¹² He sees data as the ‘fifth freedom’ of commerce, with free movement of goods, services, capital and labour as the other four. Legal and regulatory limits on cross-border data flows can, however, act as beyond-the-border obstacles to trade.Footnote ¹³ For instance, Martina Ferracane and Erik van der Marel find that policies that restrict the cross-border flow of data have a negative impact on trade in digital services.Footnote ¹⁴

In certain circumstances (for example, to protect privacy, security, competition, culture, and so on), there is a need for the regulation of data collection, access, use and transfer. For example, the use of and access to people’s data should be fair, transparent, accountable and subject to individuals’ explicit consent. Moreover, the use of personal data should not lead to discrimination and bias when people seek to obtain a good or a service, whether it is from the private or the public sector. Another example is the protection of proprietary business data against uncompensated commercialization by others. On the other hand, access to data should not be controlled in such a way that it limits competition and innovation.

So the big question for policy-makers is how to allow for data to flow freely across borders while maintaining a high degree of trust among individuals, firms and governments that they will not be harmed in terms of privacy, consumption (price, choice or access), competition, innovation, security and so on. Strong data protection laws and regulations are necessary to create such trust. The problem is that such laws and regulations, if developed independently from other countries, can limit the cross-border flow of data and have negative economic consequences. This is the balancing act that the countries taking part in the WTO’s plurilateral negotiations on ‘trade-related aspects of electronic commerce’ are trying to achieve.

C The CPTPP, the USMCA and National Data Regulation: Example from Canada

This section analyzes the electronic commerce/digital trade chapters included in the CPTPP and the USMCA in order to determine how they may affect data regulation in Canada, in order to provide an example of the potential impact that a WTO plurilateral agreement on trade-related aspects of electronic commerce modeled on CPTPP/USMCA provisions could have on members’ governments’ ability to regulate data nationally. Since the CPTPP’s electronic commerce chapter provided the basis for the USMCA’s digital trade chapter, the analysis focuses first on the CPTPP.Footnote ¹⁵

D Key Proposals at the WTO’s Plurilateral Negotiations on Trade-Related Aspects of Electronic Commerce

In April 2019, the key players in the negotiations – China, the EU and the United States – issued their proposals to the WTO’s plurilateral negotiations on trade-related aspects of electronic commerce.Footnote ⁵³ The Chinese proposal is the least ambitious. It is hortatory in nature and focuses on principles for the facilitation of cross-border electronic commerce, leaving aside data flows.Footnote ⁵⁴ China’s proposal is thus in line with the electronic commerce provisions contained in some of the FTAs that it has signed so far. As such, it reflects the country’s desire to protect its walled-off digital realm.Footnote ⁵⁵

The EU’s proposal goes much further than the Chinese one. For instance, it offers specific provisions that mandate unrestricted cross-border data flows,Footnote ⁵⁶ subject to national rules deemed ‘appropriate to ensure the protection of personal data and privacy’.Footnote ⁵⁷ The EU’s proposal also stipulates that there can be no requirement for the transfer of software source codes in exchange for market access, although it can be required for legal violations or national security reasons.Footnote ⁵⁸

The US proposal, for its part, follows closely the digital trade chapter found in the USMCA.Footnote ⁵⁹ As such, it supports the EU’s position on cross-border data flows, personal data protection and source codes; however, unlike the EU’s proposal, which states that ‘[n]othing in the agreed disciplines and commitments shall affect the protection of personal data and privacy afforded by the Members’ respective safeguards’,Footnote ⁶⁰ the US offer qualifies the limits on cross-border data flows that national data protection regimes can impose: ‘ensuring that any restrictions on cross-border flows of personal information are necessary and proportionate to the risks presented’ (Article 7.4), which follows USMCA’s Article 19.8.3. Article 8 of the US proposal also restates, verbatim, the USMCA’s provisionFootnote ⁶¹ that only restrictions on cross-border data flows that ‘achieve a legitimate public policy objective’ are acceptable. Finally, the USMCA’s Article 19.17 (‘Interactive Computer Services’) is transposed in its entirety into the US proposal,Footnote ⁶² thereby putting forward the prohibition on treating ‘a supplier or user of an interactive computer services as an information content provider in determining liability for harms related to information stored, processed, transmitted, distributed, or made available by the service, except to the extent that the supplier or user has, in whole or in part, created or developed the information’.Footnote ⁶³

In sum, the proposals occupy different places on a continuum that includes independent national data protection at one end and cross-border data free flow at the other, with China being close to the former pole while the United States is closer to the other pole and the EU is somewhere in between (see Figure 14.1). As analyzed earlier, the USMCA’s digital trade chapter, which itself builds on the CPTPP’s chapter 14, has served to inform the US position in the WTO’s Plurilateral ‘Trade-related Aspects of Electronic Commerce’ negotiations. Should the latter ever prevail, which remains to be seen in light of the divergent key positions on offer, it will make it difficult for member states to adopt national data regulations that impose limits on the cross-border flow of data, most especially personal data.

Figure 14.1. Illustrating the relative positions of the main proposals to the WTO’s plurilateral negotiations on e-commerce

E Conclusion and Outlook

As the example of Canada demonstrates herein, the CPTPP and the USMCA require their members to adopt obligations that provide for the free flow across borders of data for business purposes while, in principle, protecting consumers, personal information and government-related data. However, as analyzed above, these two trade agreements also pose potential obstacles to a member state’s ability to effectively regulate data and provide a trustworthy environment for individuals, businesses and governments. The analysis shows that it is not at all clear how much policy flexibility the CPTPP and the USMCA ultimately allow governments that want to adopt new laws and regulations to, among various objectives, protect people’s privacy, prevent algorithmic bias, protect critical infrastructure, ensure national security or promote domestic innovation.

For the plurilateral negotiations of an agreement on ‘trade-related aspects of electronic commerce’ at the WTO, this means that the US proposal, which is closely derived from the USMCA’s digital trade chapter,Footnote ⁶⁴ would create a lot of uncertainty as to how much limits on cross-border data flows a country could impose via its national data regulation regime, until dispute-settlement panels decide on the acceptability and legitimacy of national data rules in restricting data flows across borders.

To leave such crucial decisions for economy and society in the hands of unelected and unaccountable individuals seems an odd way to govern the data-driven economy’s future functioning. A better approach would be to remove issues related to data regulation and standards from the WTO negotiations and push for a separate international regime to govern data and its cross-border flows.Footnote ⁶⁵ Just like capital (or financial) flows are not part of the WTO’s framework,Footnote ⁶⁶ which limits itself to rules on trade in financial services, so should data flows be excluded from an eventual agreement on trade-related aspects of electronic commerce. The latter agreement, should it ever see the light of day, should instead focus its attention solely on the rules governing trade in digital goods and services. A separate international body (such as an International Data Standards Board) should be responsible for setting standards that regulate the creation, processing, use, distribution and transfer of data, both personal and non-personal. All countries that apply and enforce these standards would be allowed to take part in a single data area where data would be free to flow across member states’ borders. The WTO’s rules on digital trade would be left to deal with possible infringement of core trade principles, such as non-discrimination.

A Introduction

The digitalization and the increase in global trade significantly impact the economy and citizens of Europe. European policymakers are well aware of these developments and wish to unlock the potential of the digital economy through the EU’s Digital Single Market Strategy.Footnote ¹ One core goal of this strategy, promoted by the European Commission since 2015, is the pursuit of a free flow of data within the EU. Such a free flow should encourage the creation of and access to goods and services that – in their essence – collect and process vast amounts of data.

While the free flow of data is desirable from an economic perspective, as it maximizes the use of data by businesses throughout (and beyond) the EU, an entirely free flow of personal data goes against individuals’ interests to exercise some control over the collection and use of their data by third parties. Therefore, a balance between economic and individual interests must be struck by creating a regime that ensures both. We call this desired balance an ‘adequate free flow of data’. The term ‘adequate’ implies that a European digital economy should achieve more than economic welfare and simultaneously protect the interests of European citizens and consumers, especially their fundamental rights, such as the right to personal data protection. The balancing of interests could also benefit the digital economy, as it would promote the European citizens’ trust and confidence in the digital single market in order to enable the full exploitation of its potential. To achieve trust and confidence, legitimate boundaries to the free flow of data must be set.

Policymakers in the EU have debated whether the digital economy may benefit from the introduction of data ownershipFootnote ² and data access rights,Footnote ³ and legal scholars have analysed how such rights could lead to a digital economy benefitting all stakeholders. Yet policymakers and scholars have sometimes had different understandings of the term ‘ownership’, most often inadvertently. First, data ownership can be understood as a property right derived from civil law concepts of property in real estate and chattel, or intellectual property rights. This understanding of ‘ownership’ is how lawyers usually conceive the term. Second, data ownership can also be understood more broadly as a right that grants some control over data. It is this sort of ownership that non-lawyers typically have in mind when they advocate for the introduction of a ‘data ownership right’, most often (and again inadvertently) having only personal data in mind. With regard to personal data, this second understanding aligns with the approach taken in data protection law, namely in the EU’s General Data Protection Regulation (GDPR),Footnote ⁴ which grants data subjects some control over their personal data. In contrast to data ownership, data access rights serve a different purpose – to empower individuals and businesses to obtain access to data that is of specific interest to them. Individuals have a legitimate interest in having access to personal data which is processed by businesses; the same is true for non-personal data that individuals have stored with a third party, such as a cloud provider. For businesses, access to data may be of key importance when offering innovative goods and services in the digital economy, as the use of specific data may be necessary to enter a new market or to remain competitive in an existing one.

In this chapter, we refrain from recapitulating the thorough academic debate on data ownership and data access rights.Footnote ⁵ Instead – and considering this book’s broader perspective of big data and global trade – we look at the topic from a different angle and ask whether and how the concepts of data ownership and data access rights may serve the goal of establishing an adequate free flow of data in the digital single market.

In the pursuit of the chapter’s objective, we first map the policy goals contained within the EU’s Digital Single Market Strategy. Upon this basis, we analyse how data ownership – understood as a property right – may serve the implementation of this strategy. Based on the insight that introducing property rights in data is unlikely to help implementing an adequate free flow of data, we examine in the following section of the chapter whether ownership as control over personal data is a viable alternative to the property rights approach. As a final step, we examine if, and under what circumstances, access rights to data already exist, or should be introduced, to allow individuals and businesses to use both personal and non-personal data. The last part concludes and explores paths towards strengthening data access rights, for instance, through the introduction of a compulsory licences regime.

B The Digital Single Market Strategy: Basic Features and Objectives

In a nutshell, the goal of the EU Digital Market Strategy is to ensure that individuals and businesses have access to online services and products and that the requirements of fair competition, consumer and data protection as well as copyright are being fulfilled. In addition, no geo-blocking should occur within the Union.Footnote ⁶ In line with the general objective of fostering the internal market, the Digital Single Market Strategy aims to ‘tear down the regulatory walls and move from 28 national markets to a single one’,Footnote ⁷ while maintaining confidence in the digital economy. In order to promote the availability of good quality and interoperable datasets, EU policymakers seek to abolish inappropriate restrictions to the free flow of data across member states. Additionally, the European Commission wants to facilitate the value generation from datasets by training their citizens in the respective fields, by cooperating with industry and universities to determine the adequate skills required for the labour market and by promoting access to and transfer of knowledge amongst the private and the public sector.Footnote ⁸

These statements show that the free flow of data is a key policy goal to enable the EU to compete in the global digital economy. But limitations are necessary to create a balanced approach that takes into account the needs of businesses and individuals alike. Some of the latter fear an ever-increasing collection and unrestricted processing of their personal data. In light of the power and information asymmetries between data processing entities and individuals, this fear is understandable and well-founded, as individuals are left with little or no control over how their personal data is being processed.Footnote ⁹ Thus, an important distinction needs to be made between the free flow of personal and non-personal data.

While some individuals fear a lack of control over their personal data, they hardly care about the collection and use of non-personal data. Accordingly, Europeans seem to be quite comfortable with the free flow of non-personal data.Footnote ¹⁰ In contrast, when it comes to personal data, an arguably central foundation of the digital single market is the establishment of a ‘strong, consistent and comprehensive data protection framework for the EU’.Footnote ¹¹ For users to have sufficient trust and confidence in the free flow of personal data, rules governing this flow must be adopted, and the European Commission sees the GDPR as the critical building block to do so. According to the commission, the GDPR is the central piece of legislation for the development of ‘innovative and sustainable data goods and services’,Footnote ¹² and ‘the foundation for the free flow of personal data in the EU’, as it ‘bans prohibitions and restrictions to the free movement of personal data for reasons connected with the protection of natural persons with regard to the processing of personal data’.Footnote ¹³ Even if restrictions to the free flow can be justified by other reasons (e.g. under taxation and accounting laws), the GDPR is seen as an important step to abolish data localisation restrictions – i.e., rules mandating local storage or processing activities. In fact, as data localization requirements of member states are a major obstacle to the free flow of data,Footnote ¹⁴ the abolishment of such restrictions is key to promote a flourishing European data economy.Footnote ¹⁵

Yet, while the GDPR certainly fosters a free flow of personal data within the EU by establishing a (relativelyFootnote ¹⁶) uniform regime in all EU member states, it also imposes substantial restrictions on the processing of personal data and thereby limits the free development and deployment of digital goods and services. While innovation remains possible, the GDPR has at least raised its costs, sometimes to a level making the deployment of innovative digital goods and services economically unfeasible.Footnote ¹⁷ These restrictions, however, are taken into account with the aim of protecting European citizens from the risks associated with the processing of their personal data. The tension between the free movement of personal data within the EU and the protection of the fundamental rights and freedoms of individuals is prominently highlighted in Article 1 GDPR, which addresses both goals in a separate paragraph. Interestingly, the European legislator is quite clear on the priority of the two objectives by stating that ‘[t]he free movement of personal data within the Union shall neither be restricted nor prohibited for reasons connected with the protection of natural persons with regard to the processing of personal data’ (Article 1(3) GDPR). While it is doubtful whether this priority of objectives is actually put into action by the provisions of the GDPR, this statement supports our perspective that any (potential) regulation on personal and non-personal data should be analysed with regards to its ability to ensure an adequate free flow of data.

C Data Ownership

D Data Access Rights

E Conclusion

In order to unlock the potential of the digital economy, the EU promotes its Digital Single Market Strategy. A core aspect of this strategy is establishing an adequate free flow of data within the Union. This adequate free flow balances economic interests of businesses of an entirely free flow of all types of data and individual interests to have some control of the collection and processing of personal data. To achieve this balance, different regulations have been set in place, such as the Trade Secrets Directive, the Open Data, some sector-specific regulations granting access rights, and, above all, the GDPR.

These regulatory attempts have been accompanied by a policy discussion on data ownership and data access rights. As shown in this contribution, data ownership can be understood both as a form of property and as a form of control. Both concepts are not equally fit to achieve the goal of establishing an adequate free flow of data within the digital single market. The introduction of data ownership as a property right for personal and non-personal data would increase transaction costs and impede the trading and the use of data. Such a right would thus hinder the EU’s goal of achieving a free flow of data. Additionally, in terms of processing personal data, ownership as a property right does not aid individuals to remain in control of their personal data. To the contrary, such ownership rights would substantially weaken their position, as businesses could acquire these rights and exclude the data subjects from using their own personal data. Therefore, the concept of ownership as a property right can be dismissed as a model to help achieve the goals of the Digital Single Market Strategy. The concept of ownership as control has been implemented in the GDPR for the processing of personal data and has the potential to balance economic and individual interests. From an economic perspective, the harmonization of rules and the prohibition of data localization restrictions enhance the free flow of personal data. In contrast, the necessity to comply with the data protection principles (Article 5 GDPR), the need to establish a basis for the lawfulness of all processing of personal data (Article 6 GDPR) and the increased compliance duties of data controllers limit the processing activities and require the establishment of costly organizational and technical solutions to enable data subjects to make use of their individual rights (e.g., right of access and erasure). From an individual perspective, however, these limitations and in particular the (limited) control over how data about them is collected, as well as the options to interfere with the processing of said data at a later stage, are welcomed by many. It remains to be seen, however, whether individuals will actually exercise their (limited) control and whether the current approach of data protection law is able to strike an appropriate balance between economic and individual interests. While some doubts remain, the GDPR can be seen as a first step towards establishing an adequate free flow of personal data within the digital single market.

To achieve the goal of an adequate free flow of data within the EU, individuals and businesses should have access to the data necessary to pursue their interests. For individuals, access to their personal data is key to ensure informational self-determination. Such access is granted by the GDPR, in particular through the right of access and the right to data portability. In most cases, individuals also tend to have sufficient means to access non-personal data that belongs to them. Businesses should have access and be able to use personal and non-personal data as seamlessly as possible in order to develop innovative goods and services and strengthen their competing power, both within the EU and on a global level. The goal of a fully free flow of data, however, must be balanced against the interest of individuals in the protection of their personal data and the interest of businesses in the protection of their trade secrets. Accordingly, a business’ access to personal data held by another business must only be granted in accordance with the GDPR. If these requirements are met or do not apply (as in the case of non-personal data), access to and use of data should be fostered. One way forward is the introduction of additional sector-specific access rights. Another, more all-encompassing and possibly more promising way, is to establish a general right of access to data which is protected as a trade secret by introducing compulsory licences in trade secrets law. Obviously, such licences would only be granted if certain conditions are met, and if an appropriate licence fee is paid. But the mere existence of such licences and the enforcement on a case-by-case basis could help to open up datasets which have been sealed behind corporate walls despite the fact that the data could be useful for others. Overall, the introduction of compulsory licences to grant access to data would allow for the balancing of interests of the businesses holding data with the interests of other businesses that need access to such data to enter a market, develop innovative goods or services, or remain competitive.

A Introduction

The founders of Stitch Fix and Strava understood something basic about people. Humans like to use data to connect with other people and to compare with their peers. Based on those insights, these entrepreneurs were able to build two new digital service companies. Both Stitch Fix (a clothing service) and Strava (a social network) rely on personal data to provide services to their customers. Stitch Fix clients first answer a detailed questionnaire about their clothing likes and dislikes. In return, these customers receive clothes and style recommendations designed by stylists and artificial intelligence (AI) to help them look and feel better about themselves.Footnote ¹ Meanwhile, runners, cyclists and triathletes turn to Strava to measure their performance and instantly compare it to others around the world.Footnote ² The two companies could not succeed without the relatively free flow of data across borders. Data flows move across borders when individuals, companies or governments authorize data to be transferred from one country (the source of data) to another country where the data may be processed or used.Footnote ³

Firms have long relied on data to improve the efficiency and quality of goods and services. However, today market actors also utilize data to create entirely new services, such as personalized healthcare, and sectors such as apps, Internet-connected devices (Internet of Things, IoT), cloud service providers and AI. These sectors are the foundation of the data-driven economy: an economy built around the collection, preservation, protection, implementation and understanding of many different types of data. Although no one has exact figures, a significant portion of the data-driven economy is built on personal data – that is, data by and about people or a person.Footnote ⁴

The data-driven economy portends major changes for the ability of individuals to shape their destiny and autonomy. Firms active in the data-driven economy are dependent upon data, much of which is personal data. According to the US National Institute of Standards (NIST), in the past, personal data was something that researchers had to ask for, store, analyze. Because it was not easy to collect personal data, scholars struggled to get sufficient information to do a full analysis. But today almost all our daily activities are data-collection opportunities, thanks to the mobile Internet, the IoT, and other data-driven technologies. Moreover, in the past, people could control their data to some extent because researchers, whether firms or individuals, had to obtain, or at least go through the motions of obtaining, consent. However, with the data-driven economy, people whose data is collected and used have provided their personal data without fully informed consent. To put it differently, despite mechanisms to opt in or out of data collection, people do not understand that in return for providing data that firms then monetize, they receive the many free services presented by digital technologies.Footnote ⁵ In this sense, while the mission of data-driven firms, such as Stitch Fix and Strava may be to help customers, their strategy for so doing may also conflict with long-accepted ideas about autonomy.Footnote ⁶

Compared to Alibaba or Google, Stitch Fix and Strava are small players in the data-driven economy, but they are not atypical. Many of these firms see providing data services as akin to providing a public good. For example, Google’s corporate mission is ‘to organize the world’s information and make it universally accessible and useful’.Footnote ⁷ Not surprisingly, researchers and policymakers now believe that data is the most traded good or service. In 2016, the McKinsey Global Institute asserted that the value of data flows has overtaken the value of global trade in physical goods.Footnote ⁸ According to the World Economic Forum, ‘the world produces 2.5 quintillion bytes a day, and 90 per cent of all data has been produced in just the last two years’.Footnote ⁹

To succeed in the data-driven economy, companies and researchers need access to significant amounts of data – what economists term ‘economies of scale’. Policymakers in many countries want to encourage these scale economies with shared norms and rules, but they also want these norms and rules to explicitly limit trade in some types of data to ensure the safety and privacy of their citizens. In elaborating this rule framework decision-makers must develop a process that reassures their citizens that the rules-based system is transparent, accountable and open to citizens’ input.Footnote ¹⁰ With shared norms and rules, the Internet would be less likely to fragment; more people would have greater access to information; and individuals could create and share more information.Footnote ¹¹ Individuals might also be better able to obtain rents from their personal data and have some modicum of control over its use. However, policymakers around the world disagree on how and where to develop such shared rules.Footnote ¹²

Many executives and policymakers argue that trade agreements are the appropriate venue in which to govern cross-border data flows, because they believe that when information flows across borders, these flows are essentially traded.Footnote ¹³ They have negotiated e-commerce and digital trade chapters for this purpose. Herein, we distinguish between e-commerce (goods and services delivered via the Internet and associated with a transaction) and ‘digital trade’, which includes ‘e-commerce’ as well as new data-based services, such as Stitch Fix, or social platforms, such as Twitter.Footnote ¹⁴

While countries have begun to build a regulatory environment for e-commerce, it is unclear how to build an effective enabling environment for data. Many developing countries are not yet ready for such rule-making. After all, the bulk of firms like Strava and Stitch Fix are being created in middle-income and wealthy countries.Footnote ¹⁵ In many developing countries, business people are hobbled by obstacles such as unstable Internet connections, limited funding, inadequate numbers of researchers, and complementary policies, and infrastructure.Footnote ¹⁶ Moreover, while many countries have open data strategies for government-funded or public data, others have not yet figured out how to ensure that when firms mine the personal data of their users, they protect it from misuse, theft, or human rights violations. Firms that do not adequately protect the data that they collect, monetize, and share could lead users to experience problems such as identity theft, manipulative marketing or discrimination.Footnote ¹⁷ Users deserve a chance to shape new rules and to influence how firms use data.Footnote ¹⁸

This chapter examines the new role of data in trade and explores how trade in data differs from trade in goods and services. Clearly, data is different and may need a distinct set of rules. Although there are six different types of data, we focus on two types: public data and personal data (information that relates to an identified or identifiable individual). We then examine several analogies used by analysts to describe data as an input, which can help us understand how data could be regulated. Next, we discuss how trade policymakers are regulating trade in data and how these efforts have created a regulatory patchwork. Finally, we suggest an alternative approach noting that any agreement must be built by and for the people whose data serve as its foundation. Before trade negotiators try to develop rules regarding cross-border data flows, they must acknowledge the special character of data and focus first on creating an effective enabling environment, then built trust in that new economy by empowering people around the world to control their data.

B The Peculiarities of Data and the Role of Data in Trade

Data and information have long been a key component of trade, but as noted earlier, data has also created new forms of trade. However, cross-border data flows are quite different from trade in goods or other types of services for many reasons: First, many services from payroll to data analytics rely on access to cross-border data flows. These data flows may yield a good or a service, or both.Footnote ¹⁹ Second, trade in digital services differs from trade in other services because suppliers and consumers do not need to be in the same physical location for a transaction to occur. Third, trade in data is fluid and frequent, and location is hard to determine on the borderless network. Trade in the same set of data can occur repeatedly in nanoseconds – for instance, when millions of people download Drake’s latest song. As a result, researchers and policymakers may find it hard to determine what is an import or export. They may also struggle to ascertain when data or data sets are subject to domestic law (such as intellectual property law) and what type of trans-border enforcement is appropriate.Footnote ²⁰ Fourth, when data flows across borders, it may or may not be affiliated with a transaction. Hence, it is hard to describe some of these flows as ‘traded’.Footnote ²¹ Fifth, economists generally agree that many types of data are public goods, which governments should provide and regulate effectively. Furthermore, when states restrict the free flow of data, they reduce access to information, which in turn can diminish economic growth, productivity and innovation domestically and globally.Footnote ²² Such restrictions can also affect the functioning of the Internet.Footnote ²³ Sixth, trade in data occurs on a shared platform (the Internet) that is held in common. Seventh, and as earlier mentioned, much of the data flowing across borders and powering new sectors is personal data – digital data created by and about people. While they may benefit from services built on that data, the people who are the source of it do not control it. Data is their asset, yet they cannot manage, exchange and account for it.Footnote ²⁴

Recent surveys show that people around the world are increasingly concerned about how firms use, protect, control and trade personal data. A 2018 poll of 25,262 Internet users in twenty-five countries found that half of Internet users surveyed are more concerned about their online privacy than they were a year ago, reflecting growing concern around the world about online privacy and the power of social media platforms.Footnote ²⁵ Citizens want their governments to strengthen data protection laws and to beef up enforcement. In 2017, the Australian government stated that ‘governments that ignore potential gains through consumer data rights will make the task of garnering social license needed for other data reforms more difficult’.Footnote ²⁶

In sum, cross-border data flows may not fit the traditional definition of trade. Policymakers should thus at least question whether the traditional model of trade rules needs reforms to reflect the specificities of data.

C New Uses for Data Require New Ways of Thinking about Data

When individuals try to describe how firms are using data to reorder markets, they often compare data to other longstanding inputs to the provision of goods and services. In so doing, they hope to create greater understanding of the import and value of data. As an example, the World Economic Forum describes data as the oxygen of digital life.Footnote ²⁷ In contrast, The Economist describes data as a new type of raw material, such as oil, on par with capital and labour.Footnote ²⁸ However, law professor Lauren Scholz notes that this analogy is not helpful because the supply of oil is limited and only one actor can use a given portion of oil at one time. However, if you have access to data, then you can use it to create information and value.Footnote ²⁹ Other analysts describe data as a form of capital, which can be shared and leveraged within and between organizations.Footnote ³⁰ They note that the big data firms, such as Google, Facebook, Amazon, Uber, Stitch Fix and Strava, commodify and monetize data, creating new revenues and/or functions for the company.Footnote ³¹

Meanwhile, some other scholars posit that we should think about data as labour, as in the early phases of the industrial revolution. We provide our data for free to firms that turn around and monetize this information. But you and I, like the workers of yore, lack bargaining power and are unable to meaningfully negotiate over payments for our data. Most of us are not sufficiently protected from misuse of our personal data or violations of our privacy. In this way, we are denied a share of the economic value of our data, just as workers in the early industrial age. We are facilitating a massive transfer of wealth from ordinary people to the tech titans.Footnote ³² In search of evidence, two scholars traced the AI supply chain and found invisible labour, outsourced or crowdsourced, hidden behind interfaces and camouflaged within algorithmic processes. They note ‘[s]ometimes this labor is entirely unpaid, as in the case of the Google’s reCAPTCHA. In a paradox that many of us have experienced, to prove that you are not an artificial agent, you are forced to train Google’s image recognition AI system for free, by selecting multiple boxes that contain street numbers, or cars, or houses’.Footnote ³³ Moreover, these scholars note that treating data like capital exacerbates inequality and limits the productivity gains from big data and AI. They suggest that we should organize collectively to form a ‘data labor union’ that would bargain for fees for assessing our data. The union could certify data quality and guide ‘users to develop their earning potential’. Meanwhile, data collectors ‘must allow users to understand, withdraw, and transfer their data across competitors’.Footnote ³⁴ Only by organizing collectively can we control how our data are used.

Still other scholars argue that personal data is a form of property that individuals can assert rights to control and to access.Footnote ³⁵ This concept underpins the European Union’s General Data Protection Regulation (GDPR). The notion that data is a form of personal property that people should be able to control also undergirds other countries’ approaches, such as those of Brazil and China.Footnote ³⁶

If we view data as property, then corporations would have to pay the data generators (you and I) for permission, collection and use of data. The big firms would probably not offer services for free if we had to pay. Moreover, firms would then have an incentive to keep data accurate and carefully stored.Footnote ³⁷ But law professor Lisa Austin warns that if you think about data as property, you have to balance the ownership claims of the owners of personal data with those of the firms processing and monitoring that data.Footnote ³⁸ Nor can we ensure that our private information is not misused. As law professor Teresa Scassa has noted, privacy laws are ill fitted to a context in which data is a key economic asset.Footnote ³⁹

Finally, the UK government has introduced the notion that data is similar to infrastructure. In a paper prepared for the National Infrastructure Commission, the authors noted ‘the managed and built environments increasingly depend upon data in real time. New mechanisms for the assembly, management and processing of data provide a new impetus for thinking how the data is best managed so that society can best utilize its resources, solve the most problems and provide the most social good for most people’.Footnote ⁴⁰ In this view, government plays an important role providing and regulating data and promoting its sharing and consumption.Footnote ⁴¹

Except for data as property, these analogies have not significantly influenced national and international regulations. Moreover, these analogies miss an important aspect of the nature of personal data. It is a by-product of our thinking, actions and simply living. It is not one thing, and thus, we should not simply view it as a resource, or as our property, capital, labour, or infrastructure.

There are no reliable statistics about the types, value and amounts of data exchanged across borders and what percentage of cross-border data flow consists of personal data. Both CanadaFootnote ⁴² and in the United States,Footnote ⁴³ are trying to estimate the value of these flows. Despite the lack of exact numbers, we can hypothesize that a significant portion of the data exchanged across borders is personal data. People’s ability to control their data, like other issues of autonomy, is becoming a civil rights issue.Footnote ⁴⁴ According to Ravi Naik, individuals’ rights to data protection ‘have too often been ignored, and it is taking a groundswell of citizen activism to flip the script and hold power to account by individuals asking for their data and determining its use. We are at a watershed moment of a citizen-led demand for data rights, with the hallmarks of a new civil rights movement enmeshed within it’.Footnote ⁴⁵ Some countries, such as Chile, Colombia, Mexico, Turkey and Ecuador, are making personal data protection a constitutional right, although they differ as to the efficacy of enforcement.Footnote ⁴⁶

Truth is, these analogies can only go so far in guiding public policy because the new economy is behaving in ways that few of us understand. For example, the market for data is opaque: we really do not know how firms use our data. In these conditions, data holders/gatherers can deny or grant access to data; they do not have to let people know what data they have collected, whether it is accurate, how they use it and if they sell it.Footnote ⁴⁷ In opaque markets, policymakers should develop policies that facilitate transparency and accountability, as counterweights to opacity. Breznitz argues in this sense that governments must establish the market for data and set the rules for how data are gathered and used.Footnote ⁴⁸ Meanwhile, the Australian Productivity Commission says that governments must move markets from a system based on risk aversion and avoidance (which is not working) to one based on transparency and confidence in data processes.Footnote ⁴⁹

Despite their flaws, two of these analogies may be useful to trade policymakers, as they seek to develop rules governing cross-border exchange of data. First, at the national level, developing country policymakers who see data as a form of basic infrastructure could be more willing to establish data plans. Smart management of all types of data will enable more people to benefit from such data and to create new data-driven services attuned to specific economies and cultures. In contrast, the data as labour analogy might help trade policymakers as they attempt to bridge national strategies and create international rules governing data. In the late nineteenth century, many industrializing states developed national regulations to improve work conditions and protect workers from the vagaries of globalization. These regulations helped raise wages, which in turn led to improvements in labour productivity and greater trade. But not all states adopted such worker protections and trade policymakers feared a race to the bottom among states competing for lower wages and working conditions. The members of the League of Nations established an International Labour Organization (ILO) with rules that would help them find common ground to improve workplace conditions, facilitate peace and encourage trade.Footnote ⁵⁰ We may need a similar organization to help mitigate the differences among national data approaches, if not the WTO.

D The Current State of Rules Governing Cross-Border Data and the Rise of Data Realms

Policymakers have been trying for years to create global rules to govern cross-border data flows both at the World Trade Organization (WTO) and in bilateral and regional trade agreements. The multilateral trade forum of the WTO includes several agreements that address issues affecting data and digital trade. They include the Information Technology Agreement; the Agreement on Trade-Related Aspects of Intellectual Property Rights (TRIPS); and the General Agreement on Trade in Services (GATS). The GATS is the most relevant to the new data-driven services; it has chapters on financial services, telecommunications, computer and media services. But the GATS predates the invention of the Internet and World Wide Web and says nothing explicitly about cross-border data flows. Nonetheless, the WTO panels and the Appellate Body have interpreted the agreement as applying to various online services. While they acknowledge that the agreement is technically neutral – that it was written to apply to changing technologies – academics, business leaders and various governments, including the United States, have argued that the WTO’s rules need both amplification and clarification to apply to new data-driven services, such as those provided by Stitch Fix and Strava.Footnote ⁵¹ Meanwhile, WTO members established a work programme on e-commerce in 1998 and have agreed to waive customs duties on electronic transmissions. They also appear to have made progress on negotiations on data, as a leaked text reveals.Footnote ⁵²

At the Eleventh WTO Ministerial Conference in Buenos Aires in December 2017, Australia, Japan and Singapore, with the support of sixty-seven other WTO members, launched the E-Commerce Joint Statement Initiative. They hoped to encourage a consensus on what members should negotiate and how.Footnote ⁵³ To further that effort, countries issued proposals and background papers. A group of African countries, also supported by India, advocated keeping the discussions within the WTO’s current exploratory work programme, which has conducted work on e-commerce-related topics within various WTO bodies, such as its Council for Trade in Services and Council for Trade in Goods.Footnote ⁵⁴ Overall, not only is there a lack of consensus on e-commerce issues among the members but also it is often apparent that many of the members do not understand the differences, nor do they clearly distinguish between e-commerce and the provision of data-driven services.Footnote ⁵⁵

Despite this, on 25 January 2019, some seventy-six WTO members agreed to commence dedicated e-commerce talks. The announcement of this initiative was not greeted with universal acclaim. While business groups lauded it, civil society organizations and international labour groups came out against the talks and argued that a new agreement could threaten jobs, privacy and data security.Footnote ⁵⁶ The members of the WTO did not only disagree about whether or not these talks should proceed, they also disagreed about the scope of the talks.Footnote ⁵⁷ Many states – including the United States, Canada, China, Japan, the EU, Australia, Brunei, Hong Kong, Kazakhstan, Korea, Mongolia, New Zealand, Singapore, Chinese Taipei, Thailand, Georgia, Iceland, Liechtenstein, Moldova, Montenegro, Norway, Russia, Switzerland, Macedonia and the Ukraine – are keen to move the talks forward. With regard to data flows in particular, while the United States, Canada, the EU and Brazil generally want to create interoperable and universal rules and limit barriers to cross-border data flows, Russia and China are more concerned with maintaining internal social and political stability and are more open to using domestic regulation to limit such flows.Footnote ⁵⁸ Developing countries are also divided. Policymakers and business leaders in most countries acknowledge that traditional e-commerce could help their farmers and firms trade directly with consumers around the world.Footnote ⁵⁹ So, they are willing to negotiate ‘e-commerce’, but many are leery of negotiating data-driven services, given that they may lack domestic data-driven firms.

Meanwhile, the United States, the EU, Australia, Canada and other nations have placed language governing cross-border data flows in e-commerce chapters of their free trade agreements. As the data-driven economy has expanded in importance, the US, Mexico, Canada, the EU and Japan have recently renamed the newer versions of these chapters ‘digital trade’ chapters. Nations are also negotiating and agreed to digital economy specific agreements such as the Digital Economy Agreement of Australia and Singapore, US Japan Digital Economy Agreement, and the Digital Economy Partnership of Chile, New Zealand, and Singapore.Footnote ⁶⁰

The first agreement, the Comprehensive and Progressive Trans-Pacific Partnership (CPTPP) went into effect in 2019 among eleven nations bordering the Pacific including Australia, Japan, Mexico, Chile and Canada. These nations agreed to the free flow of data across borders as a default, with limited exceptions. All signatories also must adopt a minimum level of privacy regulation. In contrast, the EU–Japan Free Trade Agreement (FTA), which also went into effect in 2019, puts personal data protection at its core. The EU–Japan Free Trade Agreement is the first FTA of the EU that includes rules on data but it also ensures that personal data is adequately protected not only under the agreement but additionally through an adequacy decision of the European Commission – the first such decision under the GDPR heightened standards of data protection.Footnote ⁶¹

The US government next used CPTPP, whose e-commerce chapter is identical to that negotiated under the Transpacific Partnership Agreement (TPP) as a building block for the renegotiation of the North American Free Trade Agreement (NAFTA). NAFTA 2.0, now called the United States–Mexico–Canada Agreement (USMCA), has several interesting elements designed to promote data-driven economic growth. It seems designed to promote AI and other data-driven services. First, the USMCA contains a proper chapter on ‘digital trade’ (chapter 19), rather than one on e-commerce. Secondly, like CPTPP, it bans mandated disclosure of source code. But differently from the CPTPP, it also promotes AI by encouraging the parties to provide public information (information developed or provided to public entities) in a machine-readable and open format that can be ‘searched retrieved, used, reused, and redistributed’.Footnote ⁶²

While the United States and Canada have made regulating barriers to cross-border data flows a priority, the EU has made personal data protection a priority. The EU will only sign FTAs that contain language regarding the free flow of data if its FTA partner(s) adequately protect personal data. These nations must go through a process of becoming ‘adequate’. Specifically, these states must create independent government data protection agencies, register databases with those agencies and, in some instances, obtain prior approval from the European Commission before personal data processing may begin.Footnote ⁶³ This process is both time-consuming and expensive, as the EU’s digital trade partners must devote resources to data protection, a difficult choice for nations with limited governance expertise or funds.

Meanwhile, policymakers in China restrict the free flow of data and information not only across borders but also within China. In so doing, Chinese officials maintain social stability and the power of the Communist Party.Footnote ⁶⁴ However, China participated in the negotiation of Regional Comprehensive Economic Partnership (RCEP), a mega-regional trade agreement. RCEP includes Australia, Indian, Japan, South Korea and New Zealand as well as the nations of the Association of Southeast Asian Nations (ASEAN).Footnote ⁶⁵ The RCEP' allows member states to impose whatever national regulatory restrictions they wish, as long as they are applied in a non-discriminatory way (are applied equally to domestic and foreign businesses).The provisions are not disputable.Footnote ⁶⁶

Thus, the three big digital markets – the United States, EU and China – have taken different approaches to cross-border data flows. This patchwork approach is causing another problem for many nations. Nations, such as Canada, Mexico and Australia, that have or seek to build strong trade relationships with the big three must choose which approach they would follow.Footnote ⁶⁷ Countries that choose more than one such market will face high regulatory costs, as their costs of compliance would rise, given different standards.Footnote ⁶⁸

In a recent scholarly study, the WTO secretariat confirmed this patchwork of rules. It examined regional trade agreements that have incorporated specific provisions related to e-commerce. They found significant heterogeneity among the seventy-five chapters that explicitly address e-commerce. For example, these FTAs have different objectives, scope and definitions. The FTAs also define and limit different barriers to trade, and most importantly, some thirty-eight of the seventy-five have different provisions related to the domestic legal framework in which e-commerce takes place. Finally, some forty-four of the seventy-five include language on personal data protection but again with very different definitions and obligations.Footnote ⁶⁹

Developing countries are likely to have the most problems adapting to the data-driven economy. These countries will be customers of AI and other data-driven sectors, rather than producers. According to Kai-Fu Lee, a venture capitalist and former computer scientist, the bulk of profit from the data-driven economy and particularly AI will go to the United States and China: ‘AI is an industry in which strength begets strength: The more data you have, the better your product; the better your product, the more data you can collect; the more data you can collect, the more talent you can attract; the more talent you can attract, the better your product. It’s a virtuous circle, and the USA and China have already amassed the talent, market share and data to set it in motion’.Footnote ⁷⁰

Finally, many developing countries have not yet adopted effective rules protecting personal data online or established rules for the use of public data. Based on data from 2017 the UNCTAD reports that 57 per cent of all countries (some 107 countries of which 66 were developing or transition economies) have put in place legislation to secure the protection of data and privacy. In this area, Asia and Africa show a similar level of adoption, with less than 40 per cent of countries having a law in place. Some 21 per cent of countries have no law at all; and 10 per cent are in the process of drafting legislation.Footnote ⁷¹ Moreover, most of adopted legislation contains rules that are not consistent with either the OECD Guidelines for the Protection of Personal Information and Transborder Data FlowsFootnote ⁷² or EU’s GDPR.Footnote ⁷³

Moreover, some countries hoard and refuse to share publicly held data with their citizenry.Footnote ⁷⁴ In general, data gains value as it is shared, but it has little value if governments hoard it. While there is little empirical proof, open data appears to have important spillover effects including increasing civil discourse, improved public welfare and a more efficient use of public resources. But many states lack right to information laws or do not allow their citizens to view or comment on the data they hold.Footnote ⁷⁵ So not only is there a patchwork for FTAs but there is also a patchwork of approaches to governing various types of data as well.

Without sufficient understanding and interaction with data-driven firms and their customers, developing country policymakers may struggle to effectively advocate for their short- and long-term interests in the data-driven economy. Zimbabwe provides an example: the government signed a strategic cooperation framework agreement with a Chinese start-up, CloudWalk Technology, for a large-scale facial recognition programme. Zimbabwe will export a database of their citizens’ faces to China, allowing CloudWalk to improve their underlying algorithms with more data. The government allegedly agreed to the system to improve public safety, while the company wanted to improve the accuracy of its facial recognition system which was based on Chinese faces and needed a wider range of facial types. However, the government of Zimbabwe could use this system to more closely monitor its citizens, which could undermine social stability and trust.Footnote ⁷⁶ While such a situation may be rare, it provides a strong rationale for Zimbabwe and other countries to develop and debate a strategy for protecting personal data.

E A Path Forward

Humans have long exchanged data between borders, but never have they traded so much data or benefited from so many new services built on data. These new services may make us smarter, richer, more flexible and more efficient. But not all countries or people are ready to participate in this brave new world. The OECD recently noted that ‘governments and stakeholders have a responsibility to shape a common digital future that improves peoples’ lives and boost economic growth for countries at all levels of development, while ensuring that nobody is left behind’.Footnote ⁷⁷ However, for governance to succeed and be trusted, it needs to be built on shared norms and rules.

Policymakers should first work at the national level to develop a national strategy for data and then move towards interoperability of approaches rather than harmonization. They must find a way to conduct discussions on data governance that build public trust, consistent with the multi-stakeholder processes embedded in other forms of Internet governance. Against this backdrop, this chapter suggests five steps for moving forward, summarized below.

Step 3: Clarify the Rules and Exceptions to the Rules, So Nations Do Not Restrict Cross-Border Data Flows More Frequently or Broadly than Necessary

Like other treaties, a data-driven economy agreement should include exceptions to the rules. Nations can use the exceptions to ‘excuse’ violations to the agreement when they pursue other important policy objectives. (Figure 16.1 shows that governments have a wide range of reasons to restrict cross-border data flows.) Countries can only use these exceptions, however, if they do so in the least trade distorting manner. Yet, so far, there is no clear model that policymakers can follow to distinguish between legitimate and trade-distorting data flow regulation. The current language in trade agreements is vague and states must rely on trade disputes to develop clarity and some degree of legal certainty. However, there have been few disputes to provide guidance and policymakers have not yet agreed on updating the WTO law language with regard to the general exception clauses or other specific exceptions.

Figure 16.1. Why and how do governments restrict cross-border information flows? Prepared by Caitlyn Leong

Policymakers should begin by delineating how and when nations can use the exceptions to limit cross-border flows in the name of protecting domestic security or cybersecurity. For example, some governments, such as India, Brazil, the United States and the UK, have called on companies to provide backdoors to encrypted communications to help law enforcement. However, such an encryption backdoor would undermine trust and the effectiveness of encryption as a tool for keeping individuals, firms and governments safe online.

F Conclusion

The world is awash with data and there is no consensus on how to regulate it. The five outlined steps can help nations prepare for future negotiations and build value from data. These ideas will not address all the issues that arise in regulating cross-border data flows, and any new approach is likely to face many challenges, especially from those vested in the existing organizations and approaches to governing data. But clearly, we are stuck in a rut on trade and must creatively address the trade and non-trade dimensions of cross-border data flows. Policymakers from a wide range of countries may be more willing to compromise if they see that their citizens will benefit from clear, interoperable rules and from receiving funds for their data. Moreover, this approach could help firms accommodate national differences regarding ethics of data usage, disinformation and other upcoming regulatory issues. It could also give developing countries greater leverage in the discussions on data flows, where they would ordinarily be ‘rule takers’.Footnote ⁹⁵ Finally, these ideas could help more countries better integrate data-driven firms and their traditional firms. By collaborating and rethinking the process of global rule-making on data, we will be better able to achieve the change we wish to see in the world – where people have greater autonomy and control over their data and data drives equitable growth.