Exploring International Data Flow Governance

Foreword

The World Economic Forum’s Platform for Shaping the Future of Trade and Global Economic
Interdependence is organizing a global multistakeholder discussion aimed at deepening understanding
and expanding common ground on one of the most dynamic and challenging policy issues of our
time: cross-border data flows.

The two chapters presented in this World Economic Forum white paper have been developed to
prepare the ground for this discussion. They were written by four distinguished co-authors and have
benefited from the input of an expert group composed of private-sector, think-tank and academic
leaders from around the world.

The paper provides an overview of current domestic policy approaches and international trade
frameworks related to data flows. This baseline analysis is intended to be a useful resource for all
stakeholders, including domestic and international economic policy-makers.

The white paper considers “data” in a broad sense, without limiting the analysis to any specific data
classification. Further, it considers data flow “restrictive measures” broadly, including but not limited to
data localization policies. This approach recognizes that the cross-border elements of countries’ data
rules vary – in other words, whether or not the data can be moved abroad and under what conditions
depends on the structure of the relevant legislation.

At the global level, data flow considerations need to be untangled from those relating to competition
and taxation frameworks. These debates may be interrelated, but the tools to address them are not
necessarily the same. If used interchangeably, they may be ineffective. The aim of this publication is
to understand how countries can satisfy policy objectives in such domains as privacy, cybersecurity,
financial system safety and so on with the least restrictive effect on trade and global value chains.
The first chapter analyses the primary ways in which countries typically regulate data flows at
the domestic level and examines the restrictive effect of such measures. It then explores what
commercial and other values data flows enable in the economy and society and why the search for
simpler approaches may be worth pursuing. It concludes with a series of suggested good practices
governments can use to strike a suitable balance between the free flow of data needed to support a
modern and productive open economy, on the one hand, and the protection of personal information,
assurance of adequate levels of cybersecurity and integrity of law enforcement procedures, etc. on
the other.

The second chapter provides an overview of relevant trade policy tools and principles at the
multilateral and plurilateral or bilateral levels. It explores new approaches that could be used to achieve
greater regulatory interoperability and reduced friction between jurisdictions on essential topics
affecting data flows.

The chapter concludes that trade policy should combine regulatory cooperation with marketenabling commitments in respect of data flows. Failure to do so could result in countries using trade
agreement exceptions – an important part of the trade architecture intended to preserve policy space
and autonomy – merely to justify restrictive approaches. Regulatory cooperation can help address
the underlying policy concern giving rise to restrictions directly, ensuring that it will be satisfactorily
addressed by the jurisdiction receiving the data.

Further thought and discussion on how the growing preference of countries to regulate data flows
can be reconciled with the essential role these now play in the functioning of so many aspects of
our economies is warranted. Informal, multistakeholder discussion among experts and practitioners
from governments, business, academia and civil society could help to lay the foundation for wider
agreement on practical solutions in this regard. The World Economic Forum looks forward to
facilitating such a process during 2020 in cooperation with the Government of Japan as part of the
follow-up to the G20’s Data Free Flow with Trust discussions that took place earlier this year.

The Platform for Shaping the Future of Trade and Global Economic Interdependence provides
space for informal, public-private cooperation on important integration policy and practical
challenges. Stakeholders work together to shape soft law and other multistakeholder advances.
Efforts are also underway to improve trade and investment facilitation as well as sustainable value
chain operations through industry best practices and cooperation. Collaboration with business,
civil society and policy-makers is achieved through informal discussion, knowledge integration and
partnerships. A network of 30 leading policy research institutes and international organizations
anchors these efforts.

This paper is part of a platform project to help governments develop frameworks for trade in
increasingly digital-driven economies. The project explores the actions required to ensure that
opportunities from emerging technologies enable small and medium enterprises (SMEs) and
entrepreneurs in developing economies and drive more inclusive trade. It also encourages discussion
on how to navigate potential disruptive effects to ensure digital trade drives inclusive growth.

Chapter 1: Regulating cross-border data flows – domestic good practices

International data flows have surged in the global digital economy, prompting governments to balance these flows with domestic policies on privacy, security, and law enforcement. Due to concerns like cyberattacks, unfair competition, and data misuse, many governments are adopting restrictive data flow measures. However, these restrictions may disrupt innovation and global connectivity. The “data free flow with trust” model, introduced by Japan’s Prime Minister Abe, proposes that data can flow across borders while meeting policy objectives, supported by G20 ministers. Achieving this balance requires regulatory cooperation through international platforms like the OECD and G20. There are various types of data flow regimes, ranging from unconditional flows to complete bans, reflecting the complex global landscape of data regulation.

What happens at home: domestic examples

Domestic regimes on data flows vary, even while many of the relevant debates and concerns may be similar. The variation can be an expression of different societies’ preferences concerning the treatment and use of data. These preferences may be expressed by a majority or minority, implicitly or explicitly debated, and may change over time.

Figure 3 provides one illustration for each of the data flow restrictions in the taxonomy developed. These examples and a few others are elaborated below in relation to the law’s stated primary objective(s).26 In some instances, objectives may overlap, or the priority may not be clear, or an undisclosed motive is the real driver. This section is not intended as a comprehensive regulatory mapping, rather it offers a snapshot of different approaches taken to date with varying degrees of restrictiveness.

Non-personal data

Another recent EU regulation, applicable as of 28 May 2019, seeks to remove obstacles to the flow of non-personal data within the bloc.31 This regulation aims to encourage more data flows throughout the EU, supporting the establishment of a competitive data economy by creating a larger market. The mandate, however, is limited to free flow within the EU, and not with other countries or regions. Globally, while policy-makers have focused more on personal data, restrictions on the flow of non-personal data is a concern for some multinational businesses that move such data extensively for day-to-day operations, or businesses that work with large datasets. Some firms note, however, that it can be challenging to separate personal from non-personal data.32 These complexities escalate due to different jurisdictions adopting different definitions of personal and non-personal data, which may cause overlaps between the two types of data.

Law enforcement

Existing legal methods of ensuring government access to data stored overseas are burdensome and slow. Electronic privacy laws such as those in the US sometimes prevent companies from sharing information with foreign governments, even where the foreign government is investigating a local citizen with respect to a local crime.33 Governments have failed to provide sufficient resources for mechanisms implementing existing mutual legal assistance treaties, despite the enormous increase in cross-border evidence requests. Some stakeholders expect restrictions on data flows to be used by policy-makers as an alternative response. The US Clarifying Lawful Overseas Use of Data (CLOUD) Act, passed in 2018, eases law enforcement access to data between countries with which the US has reached an executive agreement; however, it requires more procedures from the government authority seeking access and provides additional safeguards for foreign residents. The first such agreement was signed by the US and the UK in October 2019. Ensuring law enforcement access to data is a less restrictive approach to data transfers that also achieves the other policy objective at hand.

Security

China’s Cybersecurity Law, in effect since 2017, restricts data transfers abroad for personal and “important” data from critical information infrastructure operators, though the specifics remain unclear. Draft guidelines suggest these infrastructures include sectors like energy, finance, and large social media platforms. Similarly, Vietnam’s Cybersecurity Law mandates local data storage for foreign internet service providers, local office establishment, and security assessments before data transfer. Unlike these countries, most states do not require cybersecurity reviews for data transfers. A regional example includes the African Union’s 2014 Malabo Convention, which encourages legal frameworks for personal data protection and national cybersecurity measures, though only five states have ratified it. Promoting international cybersecurity standards, like those from the ISO, could simplify achieving cybersecurity goals.

Financial service supervision

In 2018, the Reserve Bank of India mandated data localization for payment providers to ensure supervisory access, though this raised concerns about hindering global fraud prevention and cybersecurity. Brazil’s Central Bank Regulation no. 4658/2018 allows financial institutions to use foreign cloud services, provided there is an information exchange agreement with the foreign regulator, rather than imposing local processing requirements. South Korea has relaxed its regulations, allowing financial institutions to outsource IT services to foreign providers without needing prior regulatory approval, using their own contracts with specific mandatory terms.

Health data privacy

Australia’s My Health Records Act of 2012 prohibits storing or processing personally identifiable health records outside the country. In contrast, the US allows the transfer of health information abroad but requires an information security risk assessment. The EU has no specific restrictions on exporting health data, treating it like other personal data, but it is classified as sensitive, and its transfer is strictly regulated.

Chapter 2: Trade policy and data flows – progress to date and future innovations

The challenge

Governments are increasingly restricting data flows due to commercial tensions, cybersecurity concerns, and control over the digital space, despite the growing opportunities offered by data flows and digital technologies. The strained international trade rules and WTO adjudication system may not withstand a tech or data usage war. This chapter discusses international trade policy’s approach to data flows and potential steps forward. Trade agreements like the CPTPP and the USMCA have provisions for cross-border data flows, but trust is crucial to avoid restrictions. Enhanced international regulatory cooperation on data is necessary to build trust and reduce reliance on trade agreement exceptions for data flow restrictions.

State of play

At the WTO, the General Agreement on Trade in Services (GATS) applies mainly to service sectors where members have made specific commitments, with key obligations being most favoured nation (MFN) and transparency. GATS covers any government measure affecting trade in services, including data flow restrictions. Commitments on market access and national treatment apply only in scheduled sectors. Data flow restrictions can conflict with these commitments, but exceptions exist for various policy objectives. The GATS is technologically neutral and considers services as products, with trade defined broadly. Regulatory cooperation and additional commitments are necessary to address the regulatory incentives behind data flow restrictions.

Regulatory good practice

Encouraging regulatory “good practice” in Preferential Trade Agreements (PTAs) can facilitate data flow governance. This approach involves transparent regulatory procedures, public consultation, and advance notice of changes. Examples include the CPTPP and USMCA, which emphasize regulatory coherence, public consultation, and impact assessments. Applying these practices to data flow regulations can help policymakers consider the effects of proposed laws on cross-border data flows and the quality of digital products. Trade negotiations could also require publishing domestic regulations, explaining their rationale, and allowing for public comment, similar to the WTO’s Technical Barriers to Trade Council process.

International standards

Policy-makers use international standards to harmonize domestic regulations and reduce trade barriers. Key standards include the ISO/IEC 27000 series for cyber and information security, and the NIST Framework for cybersecurity. These standards help align global practices and could serve as bases for domestic regulations, similar to the WTO TBT Agreement’s approach. Privacy-related standards are developed by bodies like the OECD and APEC, though not all qualify as international standards under WTO rules. Trade agreements, such as the USMCA, often reference these standards to provide regulatory certainty and compliance guidelines. Developing further standards for global data flow issues is also recommended.

Conclusion

Finding a balance between permitting the flow of data across jurisdictions and achieving domestic policy objectives such as privacy and security will continue to be a challenge. Yet, for the global economy to function efficiently, efforts to address this challenge must be pursued.
The case for doing so is outlined in Chapter 1. Data flow restrictions are unlikely to lead to longterm benefits globally. Some specific counterexamples may exist, but even these do not fully reflect the complexity of the restrictions’ current and potential future impacts, including reduced economic growth, limited imports and exports of services, hampered cybersecurity, reduced financial system oversight, missed scientific advances and less effective environmental intervention.

For instance, local data storage and processing requirements can increase the risk of cyberattacks, while accountability-based data transfer mechanisms, such as the APEC CBPR, demonstrate how data flows and high standards for protecting privacy can coexist. More work may be needed to ensure CBPR-type mechanisms are usable by small businesses that are increasingly operating across borders thanks to technology, as well as entrepreneurs in developing countries.

Trade policy can play a critical role in helping achieve the required balance between data transfer and other policy objectives. Chapter 2 demonstrates that such policy falls into three categories: obligations and disciplines, exceptions, and provisions on regulatory cooperation.
As a starting point, the WTO already contains a range of rules that could support cross-border data flows. Recent PTAs included updated commitments on data flows and agreements to avoid data localization requirements, subject to appropriate exceptions. While these new rules are important, more is required in order to address growing data flow restrictions. Indeed, despite these updated commitments, many of these data flow restrictions may be justified under relevant WTO/PTA exception provisions. Exceptions risk becoming the rule without the further development of mechanisms to bridge regulatory differences between countries.

The third policy category – regulatory cooperation – is needed to raise the level of trust between policy-makers. Typically, trade disciplines have been used to ensure a balance between achieving regulatory objectives and enabling economic liberalization. This paper outlines the domestic steps and corresponding trade rules that can support interoperability and create pathways for data to flow by:

– Ensuring the least trade restrictive of available regulatory measures are used to achieve a legitimate policy objective while not intruding on regulatory sovereignty. For data flows this would mean that, while a regulator has the authority to determine the desirable level of protection of a given objective, a trade discipline could require that the regulator uses the least trade-restrictive means to achieve the desired result. Internationally agreed technical standards would help establish a benchmark of what constitutes a least trade-restrictive approach to regulation, similar to the WTO TBT Agreement and its Agreement on the Application of Sanitary and Phytosanitary Measures (SPS). Currently, however, such international standards are not readily available for a range of issues relating to data flows.

– Calling for sound domestic regulatory principles such as transparency, simplified procedures, public consultation, advance notice on implementation of changes, establishment of independent regulators, clarity on the sanctions and due process. For data flows, this could start, for example, with the introduction of privacy protection or online consumer protection laws tailored to the digital economy. While trade rules sometimes call for the establishment of regulatory frameworks, they do not set any substantive standards for their content.

– Encouraging regulatory cooperation to facilitate cross-border trade. For data flows, this may involve developing international standards. However, even where international standards have been agreed, domestic implementation has been sufficiently varied so that interoperability mechanisms remain necessary, such as recognition of domestic regulatory standards as well as cooperation between regulatory authorities. 26 Exploring International Data Flow Governance

– Requiring that interoperability mechanisms for data flows reduce the risk of discrimination and the exclusion of third parties. Data transfer mechanisms, mutual recognition or adequacy arrangements between a subgroup of WTO members will result in differentiated treatment of data flows. It will be important, therefore, to ensure that such different arrangements are open to participation by all countries according to a clear set of objective standards.

While trade policy has its limitations and cannot resolve all issues related to data flows, it can play a crucial complementary role in facilitating interactions between domestic regimes. This paper has also noted the desirability of arriving at internationally agreed principles and guidelines for regulatory good practices on “non-trade” objectives. Doing this would almost certainly help to clarify the bounds of what merits justification under an exception to a trade commitment as against what is more likely arbitrary, discriminatory or protectionist responses.

The data flow landscape, both in practice and in the law, will remain an area of critical importance. There is a need to bring different stakeholders from various fields together in a common direction on data flow policy. Leadership on this agenda is an urgent necessity.