Owing to their rapid rise in the last decade or so, cross-border data flows and digital trade are increasingly becoming governed by trade agreements. This is because national regulations restricting the flow of data (personal, business and government) across borders are considered an important impediment to trade (Aaronson 2019; Cory and Dascoli 2021). For instance, Magnus Rentzhog (2015), in a study of Swedish companies from a wide range of sectors, found that moving data across borders easily was crucial for the well-functioning of these firms’ global value chains. Restrictions on cross-border data flows are particularly problematic for trade in services (Ferracane and van der Marel 2021).
Trade agreements recognize that policy makers face a tension between, on the one hand, generating the economic benefits associated with unfettered data flows across borders and, on the other hand, providing a trusting environment for individuals, firms and governments to conduct their business. They aim to ensure that national regulations affecting data flows are not disguised protectionist measures that discriminate against foreign providers of digital goods and services in favour of domestic ones.1 As such, the core principles of national treatment, most favoured nation and transparency apply here as well.
Although trade agreements have the potential to limit the ability of governments to regulate data and the digital economy domestically (Leblond 2021a), they have not prevented national regulation from impeding cross-border data flows between their member states so far. For instance, data-localization measures have been increasing rather than decreasing in the last decade (Cory and Dascoli 2021; Organisation for Economic Co-operation and Development [OECD] 2023). Moreover, they have become more restrictive: “more than two-thirds of identified measures involved a storage requirement with a flow prohibition” (OECD 2023, 18). National data-flow regulations are also becoming “increasingly complex and fragmented” (ibid., 17). Even if they do not prohibit the flow of data across borders, they make it more costly for firms in terms of compliance, thereby hurting international trade (Evenett, Fritz and Giardini 2023).
All trade agreements with an e-commerce or digital trade chapter also contain an article that prohibits the imposition of customs duties on electronic transmissions.
There are more and more trade agreements with provisions addressing international data flows; however, they have not been effective at fostering data free flow with trust in support of international trade (World Economic Forum 2020). This essay explains why and offers an alternative way forward.
Are Trade Agreements Effective at Governing Cross-Border Data Flows?
This section examines provisions regarding cross-border data flows found in trade agreements. To begin, it is worth mentioning that there has been a moratorium on imposing customs duties on electronic transmissions at the World Trade Organization (WTO) since 1998.2 All trade agreements with an e-commerce or digital trade chapter also contain an article that prohibits the imposition of customs duties on electronic transmissions.
The Comprehensive and Progressive Agreement for Trans-Pacific Partnership (CPTPP)3 is the first major trade agreement with provisions on cross-border data flows. It prohibits restrictions on cross-border data transfers for business purposes and requirements to localize the storage of data domestically, respectively (articles 14.11 and 14.13).4 It does not specify what types of data are covered, except to say those that are necessary for business purposes. However, articles 14.11 and 14.13 also allow the parties to impose restrictions on data transfers to achieve a “legitimate public policy objective.” Restrictive measures on cross-border data flows cannot, however, be disguised protectionism that favours one or a set of domestic firms at the expense of their foreign competitors. Moreover, any restriction must be commensurate with the objective that it is meant to achieve; it cannot be stronger or more encompassing than what is strictly required to be effective (the necessity test).
The CPTPP also aims to ensure that signatories have laws and regulations that provide a minimum level of personal information protection (article 14.8). However, the provisions are very flexible in terms of accommodating different national approaches. They simply call on the parties “to take into account principles and guidelines of relevant international bodies,”5 which is a well-established approach in trade agreements, without specifying any particular body.
Thus, there is a fair degree of ambiguity as to the extent to which the CPTPP prevents governments from imposing restrictions on data flows between member states. Ultimately, it is left to the CPTPP’s state-to-state dispute settlement mechanism (DSM) to decide. And, given the absence of internationally agreed regulatory standards, the basis for a DSM panel decision is uncertain.
The CPTPP served as the template for the United States-Mexico-Canada Agreement (USMCA).6 The USMCA adds to the CPTPP in that, with respect to the requirement to have a legal framework to protect personal information, it mentions explicitly the Asia-Pacific Economic Cooperation (APEC) Privacy Framework and the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data.7 Like the CPTPP, however, the USMCA parties are not required to take them into account; they are only encouraged to do so.
In addition, the USMCA provides some limit on the extent to which data protection legislation or regulation can constrain the transfer of data between the member states: restrictions must be “necessary and proportionate to the risks presented.”8 The CPTPP has no such limit. Nevertheless, it still leaves open the question of determining if and to what extent restrictions are “necessary and proportionate.” As with the CPTPP, answering such a question is left to a panel under the USMCA’s DSM (chapter 31). Hence, the USMCA does not really reduce the uncertainty relating to restrictions on cross-border data flows that could be imposed by national data-protection laws and regulations.
If the USMCA has some stricter provisions than the CPTPP regarding data flows, the more recent Regional Comprehensive Economic Partnership has looser ones.
Finally, unlike the CPTPP, the USMCA does not allow the parties to invoke a “legitimate public policy objective”9 exception to impose data-localization requirements to firms from the other two parties to the agreement (except, like with the CPTPP, when a digital good or service is provided to a government). Here, the USMCA is clearer in supporting cross-border data flows than the CPTPP. However, as always, the effectiveness depends on the parties’ willingness to pursue a dispute under chapter 31.
If the USMCA has some stricter provisions than the CPTPP regarding data flows, the more recent Regional Comprehensive Economic Partnership (RCEP) has looser ones.10 The RCEP’s language is such that it allows member states to impose whatever national regulatory restrictions on the flow of data across borders. With respect to provisions in favour of allowing the cross-border transfer of information by electronic means, the RCEP retains the CPTPP’s “legitimate public policy” exception, including for data-localization measures, but makes it self-judging. This means that any measure restricting the cross-border flow of data is legitimate if a party to the RCEP says so. And the other RCEP members cannot dispute it: first, because it is explicitly stated that they cannot; and second, because the RCEP’s state-to-state DSM does not apply to chapter 12 on digital trade (unlike the CPTPP and USMCA).
If the RCEP makes toothless the provisions prohibiting restrictions on cross-border data transfers for business purposes as well as requirements to localize the storage of data domestically, the recently released “stabilized” text of the WTO’s plurilateral agreement on electronic commerce simply ignores them.11 Compared to the RCEP’s fudged approach, it has the benefit of being honest about the fact that the more than 80 parties to the negotiations cannot agree on how to address cross-border transfers.
Until recently, the European Union did not include provisions on cross-border data in its trade agreements, other than the prohibition of customs duties on electronic transmissions. This is because international flows of personal data are covered by the General Data Protection Regulation (GDPR).12 Under the latter, the European Union allows for personal data to flow freely with countries whose personal data (or privacy) protection regimes are deemed “adequate” by the European Commission.13 In cases where the regime in another country outside the European Union is not considered adequate, organizations can still flow personal data out of the European Union if appropriate safeguards vis-à-vis the organization receiving the personal data are in place. These safeguards can be provided to the European Union through approved standard contractual clauses, binding corporate rules, codes of conduct and certification mechanisms.
This is why both the Canada-EU Comprehensive Economic and Trade Agreement14 and the EU-Japan Economic Partnership Agreement (EPA)15 did not include provisions on the free flow of data. In the latter case, article 8.81 originally stipulated that the two parties would reassess the situation within three years after it entered into force. On October 28, 2023, the European Union and Japan announced that they had concluded a deal on cross-border data flows to amend the EPA (European Commission 2023). Under this amendment, the European Union and Japan “shall not adopt or maintain measures which prohibit or restrict the cross-border transfer of information.”16 It also provides an exhaustive list of such measures (for example, no data localization, no requirement to use computing facilities in one of the parties’ territory, no need for authorization to transfer data to the other party’s territory). Like other trade agreements, the amendment contains an exception clause to pursue a “legitimate public policy objective” if it is non-discriminatory and satisfies a necessity test. It also states that personal data-transfer instruments, such as those found in the GDPR for safeguarding, are allowed so long as they are generally applied.
At the end of November 2023, the European Union announced that it had agreed to a digital partnership with Canada. In this case, the text is notable for the fact that it does not say anything about the free flow of data other than “both sides intend to exchange information on their respective data governance frameworks and discuss the interoperability of Canadian and EU Data Spaces.”17 The difference in the European Union’s approach to Canada and Japan with respect to cross-border data flows remains a mystery at the time of writing, especially since the EU-New Zealand trade agreement, which came into force on May 1, 2024, has provisions on cross-border data flows that are in line with the EU-Japan EPA amendment (and all three countries’ data protection and privacy protection regimes are deemed adequate by the European Commission).
On April 21, 2022, the Global Cross-Border Privacy Rules (CBPR) Forum was established by Canada, Japan, the Republic of Korea, the Philippines, Singapore, Taiwan and the United States, although the United States is the lead on this initiative.18 The CBPR Forum is meant to promote “trusted global data flows” by building on the APEC CBPR System, from which firms can voluntarily obtain data-privacy certifications that demonstrate their compliance with the privacy rules. With this certification, firms can transfer personal data freely between the forum’s members. The forum is also expected to pursue interoperability with other data protection and privacy regimes such as the GDPR.
Another recent significant trade agreement governing cross-border data flows is the Digital Economy Partnership Agreement (DEPA) set up by Chile, New Zealand and Singapore in June 2020 (it entered into force in January 2021).19 It has been dubbed the “world’s first digital-only trade agreement” (Taheri, Adams and Stern 2021). It consists of 16 modules to facilitate digital trade and cooperation on digital issues and technologies. For the most part, these modules “adopt or refine existing measures addressing digital trade facilitation,” especially from the CPTPP, to which all three countries also belong (Ciuriak and Fay 2022, 3). Module 4, which deals with data issues, is a good example of a module that adopts existing CPTPP commitments (on cross-border transfer of information by electronic means and on location of computing facilities without going further); however, it does not go beyond those previous commitments (ibid., 4).
In sum, trade agreements governing cross-border data flows are a growing “digital noodle bowl” that makes it increasingly difficult for firms, especially small and medium-sized ones, to keep up with (Honey 2021). These agreements’ ability to ensure the free flow of data across borders is also in question because of their ambiguous language, which ultimately leaves it to a few people on dispute-settlement panels (when those are made available by an agreement) to decide what are “legitimate public policy objectives” and “necessary and appropriate” measures. Perhaps not surprisingly, no dispute on digital trade matters has yet been initiated under any agreement. This is likely due to the parties preferring to leave things as they are: better the devil you know (with the national regulatory space that goes with it) than the one you do not know (i.e., regulations and standards decided by non-democratically elected panel arbitrators that significantly restrict national regulatory space). Finally, for the most part, trade agreements governing cross-border data flows do not have provisions for the parties to develop common standards and regulations, only referring to the latter or encouraging the parties to have them in place nationally.
Is There a Better Way to Govern Cross-Border Data Flows?
The growing digital noodle bowl leads to two unsatisfactory scenarios. In the first scenario, member-states are allowed to adopt whatever regulations they deem necessary to protect individuals, consumers, businesses and governments at the national level, but at the expense of cross-border data flows. In the second scenario, data is freer to flow across borders (as a result of trade agreements limiting national data regulations’ scope of applicability), but at the expense of trust in data-driven markets.
These two scenarios are derived from Patrick Leblond and Susan Ariel Aaronson’s (2019) data trilemma, which states that the following three elements cannot hold simultaneously: free flow of data across borders; national data protection laws and regulations that are distinct from those of other countries; and a high level of trust in the data environments among individuals, consumers, businesses and governments. Only two of the three elements can occur at the same time. Strong national data protection laws and regulations should lead to high trust levels but, to do so, they risk imposing restrictions on cross-border data flows. Alternatively, if policy makers want to ensure the free flow of data across borders while maintaining national data policies, then they may have to accept weaker data protection measures, which could negatively affect trust. Finally, if policy makers want data to flow freely across borders while ensuring a high degree of trust surrounding the collection and use of data, then they either adopt another jurisdiction’s regulatory standards (in order for data to flow freely with this jurisdiction and others with the same recognized standards), or they cooperate with governments in other countries to develop and enforce common, high-quality protection standards and regulations for personal as well as non-personal data.
Leblond and Aaronson (ibid.) argue that the best approach to obtaining freely flowing data across borders and high trust levels among consumers, businesses and governments in data-driven markets is to create a single data area with its own standard-setting and monitoring body, which could be called the “International Data Standards Board” (IDSB). Such an IDSB would be responsible for setting standards that regulate the creation, processing, use, distribution and transfer of data, both personal and non-personal, within the single data area. It would also be responsible for monitoring that the states that are members of the single data area apply and enforce the common standards adequately. IDSB members would allow data to flow freely between them as they would apply the same standards as well as cooperate closely in terms of not only developing standards but also sharing information and enforcing compliance. This single data area would welcome and support (financially and technically) any country willing to adopt and enforce the common regulatory standards. The IDSB’s frequent assessments would determine if a member state is able to continue taking full part in the single data area or not. In case of inadequate application or enforcement, the other members of the single data area would be allowed to restrict data flows to the member state that is not in good standing until proper actions have been taken to remedy the situation.20 By developing common standards that are effectively enforced, the member states of a single data area managed by an IDSB would overcome the ineffectiveness of existing trade agreements to flow data (personal and business) freely across borders with trust, and thus allow them to derive the economic benefits associated with the data flows.
Such an international body should draw inspiration from international financial standard-setting bodies such as the Basel Committee on Banking Supervision, the International Organization of Securities Commissions and the International Accounting Standards Board (Leblond 2021b). The main challenge is how to get an IDSB and its attendant single data area off the ground.
One could envisage a Bretton Woods-like international conference to set up an IDSB. After all, the Bretton Woods conference led to the creation of three international bodies: the International Monetary Fund, the World Bank and the International Trade Organization (whose charter was never ratified by the Americans). Admittedly, today’s cross-border data context does not compare to the world economic situation that prevailed at the end of the Second World War. This is why the probability of an international conference à la Bretton Woods to create an IDSB is low for the foreseeable future.
Successful international cooperation in financial services, notably payments, could then provide the basis for a broader application to other industrial sectors since they face similar data-transfer issues.
A more promising avenue to get things off the ground would be for the Financial Stability Board (FSB), which is responsible for coordinating international financial standards across Group of Twenty countries and works in tandem with the above-mentioned organizations, to set up an international body responsible for making national data regulatory regimes interoperable so that data can cross borders securely and with minimal friction for cheaper and faster payments globally. Successful international cooperation in financial services, notably payments, could then provide the basis for a broader application to other industrial sectors since they face similar data-transfer issues. The FSB is already looking into “developing recommendations…for promoting alignment and interoperability across data frameworks applicable to cross-border payments, including data privacy, operational resilience, AML/CFT [anti-money laundering/counterterrorism financing] compliance and regulatory and supervisory access requirements” (FSB 2023, 2). Perhaps the creation of an IDSB by the FSB and other international financial regulatory bodies could be one of the recommendations coming out of this mapping exercise.
A third way to go could be for the Global Privacy Assembly, which is the forum for more than 130 data protection and privacy authorities from around the world, to push its members to create an IDSB with standards-setting and enforcement powers over its members (for details, see Leblond 2021b). The advantage of such an approach is that the resulting single data area would immediately apply to a broad array of sectors, not just financial services.
In conclusion, trade and digital agreements have not helped facilitate international data flows. The main reason is that when these agreements contain provisions covering data, the language leaves too much room for discretion and interpretation, which allows governments to impose regulatory restrictions on cross-border data flows with impunity. The creation of an IDSB to manage an international single data area could remedy the current situation if it could issue clear, detailed standards and had the means to enforce them effectively by excluding members who do not abide by the rules from participating in the single data area. The challenge the world’s policy makers face is how to set up such an international body. This essay has offered some approaches that could be feasibly pursued in the foreseeable future.