Being able to freely move data around the world – between and within firms – is now just as important as being able to freely move goods and services.
Car manufacturers increasingly monitor driver behaviour and car diagnostics from regional hubs; professional services firms may need to transfer the data of clients and staff between country offices; companies in every sector store data on cloud-based platforms that operate on servers spread across regulatory jurisdictions.
Putting a precise figure on the value of cross-border data flows is tricky – one gigabyte of data could be worth nothing, or millions – but it is significant. Between 2014 and 2020 annual sales of products and services ordered using the internet grew by 220%, from $1,336 to $4,280 billion.1
However, government restrictions on the free flow of data have grown in parallel. Forced data localisation measures increase costs for businesses, lead to duplication, and can stifle innovation. There is a balance to be struck between the legitimate privacy concerns of citizens and the requirements of businesses, but many government interventions go far beyond what is necessary.
Barriers to digital trade include governments forcing firms to store data on local computer servers, applying duties to data when it enters/exits a country, censoring content, forcing firms to hand over proprietary information such as algorithms, and opaque, or discriminatory, licensing regimes.
According to the Information Technology and Innovation Foundation (ITIF), a US-based think-tank, 144 data localisation restrictions are currently imposed by 62 countries.2 This is more than double the 67 restrictions imposed by 35 countries in 2017.
Examples include Australia’s 2012 requirement to store personal health records locally, South Korea’s 2016 rules requiring financial services data to be stored on local servers, and Saudi Arabia’s 2018 legislation preventing data from regulated industries being transferred outside of its territory without explicit permission.
There are many new restrictions in the pipeline. They include de-facto localisation provisions such as the EU’s ambition to create a European cloud network for member-state public data, and Indonesia’s draft online content regulation which requires digital platforms to remove content within four hours of receiving a request.
Financial services firms have been particularly affected – regulators are keen for financial data to be stored within their regulatory jurisdiction. India, for example, has laws that directly and indirectly force firms to store financial data locally, including a 2018 requirement covering all payment data (including data that has initially been processed outside of the country).
What trade deals can do for digital
Modern trade deals such as the recently signed UK-Australia agreement include provisions that:
- prevent parties from applying customs duties to data flows;
- prohibit data localisation requirements (both generally and specific provisions for financial services);
- promote the growth of electronic payment systems;
- prevent parties from forcing firms to disclose source codes, algorithms and encryption keys as a condition of market access; and
- encourage governments to share open and machine-readable government data.
However, it is important not to overstate the value of such digital trade provisions. In practice, countries tend to commit only to do things they already do. The benefits arise from locking in existing levels of openness, providing certainty for business.
Digital provisions in free trade agreements (FTAs) are also usually subject to self-policed carve outs which mean commitments can be breached so long as the non-compliant measure are deemed to serve a legitimate public policy objective. In practice this means that personal data is not usually covered by FTA digital provisions.
For example, committing not to force firms to store data locally in its FTA with Australia does not prevent the UK from continuing to implement GDPR, which arguably includes de-facto personal data localisation obligations. Freeing up the transfer of personal data usually requires additional measures, such as data adequacy agreements or firm-level obligations, such as standard contractual clauses.
National security is also used as a justification to restrict the flow of data. Despite committing to the free flow of financial data in USMCA, Mexico is using national security grounds to force fintech firms to use Mexican-based cloud services providers.3
That China – a country which restricts the cross-border flow of data in many instances – thinks its system is compatible with the forward-thinking digital commitments contained in the CPTPP and Digital Economic Partnership Agreement (DEPA) should give us pause for thought.
The UK matters
While the proactive agenda of others such as the US has stalled, digital trade remains a high priority for the British government. The recently agreed (in principle) standalone digital agreement with Singapore is a case in point. Its five-point vision for digital trade targets open digital markets; data flows; consumer and business safeguards; digital trading systems; and international cooperation and global governance.4
These ambitions need to be translated into concrete policy mechanisms. Having decided not to align with the US or the EU, the UK must establish its own position on issues like intermediary liability protections and IP/copyright. While the UK believes it can use its post-Brexit independence to do better than the EU, it needs to make sure that a new approach does not jeopardise the EU data adequacy agreement.
The UK hopes that the ambitious digital provisions included in its deal with Singapore, alongside new FTAs with Australia and New Zealand will serve as useful precedents and set a benchmark for future plurilateral and multilateral discussions.
Negotiations with India, which were launched last week, offer an opportunity for the UK to introduce digital commitments to the bilateral relationship. This will not be easy but would be a significant win given India’s protectionist domestic policy agenda and threats to introduce customs duty on cross-border data flows.
The UK’s willingness to prohibit the forced onshoring of financial data (provided the information is made available to regulators if needed) is particularly welcome as more countries are pulling financial data under the umbrella of broader personal privacy restrictions.
Despite the limitations and caveats listed above, the inclusion of digital provisions in FTAs provides an important hook for industry when engaging with foreign governments – both to secure liberalisation and to deter egregious discrimination.
1 WTO, ‘World Trade Report 2021: Economic Resilience and Trade’, November 2021 [Figure A5]
3 Wilson Center, ‘USMCA and Digital Trade Provisions: Status Check’, November 2021
4 Department for International Trade, ‘UK Digital Trade Plan’, September 2021
Sam Lowe Flint Director, Trade was a senior research fellow at the Centre for European Reform and advises clients on trade policy, with a particular focus on regulatory barriers to trade, customs, trade in services and Brexit. To find out more about how Flint can help you navigate the risks and opportunities of these developments, please get in touch.