trade policy brief
Trade and cross-border data flows
October 2019
ross-border data flows are the life-blood of trade in the digital era but the ubiquitous exchange C of data across borders has given rise to growing data regulation. Four broad approaches are emerging, ranging from relatively free to highly restrictive. he challenge is to make these approaches more interoperable, in order to avoid excessive T market fragmentation and to reduce unnecessary costs on traders - including MSMEs. Existing trade concepts - transparency, non-discrimination and least trade restrictive - can help.
What’s the issue? Today, cross-border data flows support new information industries (e.g., Artificial Intelligence, 3D printing and the Internet of Things), power a new production revolution, and change how we grow and trade food. The geography of data flows is very different from the geography of trade flows. A file sent from Geneva to Rio de Janeiro is broken down into ‘packets’, each taking different routes and often crossing different countries, to reach the destination where they are reassembled. The actual flow of data reflects individual firm choices: accessing the OECD library from Paris, for instance, actually means contacting a server in the United States (the OECD uses a US-based company for its web services). Moreover, with the cloud, data can live in many places at once, with files and copies residing in servers around the world. The geography of data flows is very different from the geography of trade flows.
stage, data helps coordinate research and design outputs from different countries. Data also helps exercise overarching control and coordination of geographically dispersed processes of production, including enabling SME integration into Global Value Chains. At the delivery stage, data transfers are needed to track and trace products as they travel to the border and beyond, they are a key element of trade facilitation. And, when products get to consumers, at the use stage, data enables feedback mechanism that allow consumers to interact with ‘smart’ products. All these elements, whether at the individual stages or taken as a whole require constant digital connectivity via information and communication links supporting a ‘digital thread’ (Figure 1). Measures that condition access to and use of the digital thread will affect the efficacy of the individual stage and the viability of the value chain for modern manufacturing.
How bits and bytes translate into dollars and cents is also difficult to establish. Data is valued at use and not at volume. Although Netflix is the largest single source of internet traffic, estimated by some at 15% of global bandwidth, it does not represent 15% of the value of data flows. Moreover, the value of any given bit of data can increase when merged with other bits of data and can change over time (e.g. data on driving habits was not very useful until it became indispensable for driverless cars). Data is also not the new oil: it is not scarce, and it can be copied and shared at virtually no cost.
The benefits of digital trade for both business and consumers are contingent on the degree of trust that is placed on the activities of different players operating in the digital space. The information trail left in today’s economic and social interactions is richer than ever before. But the information gathered and the use made of it is not always clear to the consumer fueling concerns about privacy protection. Privacy itself is difficult to define. It means different things to different people and the value we attach to privacy, whether as individuals or in society, can be subjective. There can also be a tradeoff between benefitting from highly personalised and often ‘free’ services and the extent to which consumers are able to keep their data private. The optimal choice in that trade-off will also vary according to individual preferences.
While data transfers are often associated with firms operating in services sectors, firms across all sectors are reliant on data transfers in support of their business activities. For instance, in manufacturing, at the design
www.oecd.org/trade
tad.contact@oecd.org
@OECDtrade
Trade and cross-border data flows
Figure 1. The digital thread of modern manufacturing activities • Data for:
• Data for:
• Managing processes of production • Instructing robotics (co-bots) • Human resources • Back-office
• New designs (R&D) • Personalised services • Collaborative processes
Use
Deliver
Digital Thread
Produce
• Data for:
Digital Thread
Design
• Data for:
• Sending and receiving information • Services delivery
• Digital delivery of services • Tracking goods • Trade facilitation
Digital Thread
Note: The figure is schematic. Source: OECD (2019)
With the growing collection of personal data, the risks to individual privacy increase, which is why consumers are increasingly asking for assurances that their data is being handled appropriately. Businesses increasingly see their ability to meet these demands as part of their competitive offering.
What is happening with data regulation? The ubiquitous exchange of data across borders has given rise to a range of concerns, especially when
personally identifiable information is involved. This has led governments to update their data-related regulations, with a growing number of countries placing conditions on the transfer of data across borders or requiring that data be stored locally (Figure 2). Such regulation can directly affect the ability to trade digitised goods and services, and can also have broader trade consequences, such as when it affects data flows critical for the coordination of global value chains. Even just the patchwork of different regulations can make it harder for MSMEs to benefit from digital trade.
Figure 2. A growing number of data regulations
Modifications
Count of data regulation 250
14 12
200
10 8
150
6
100
4
50
2
0
0
Source: OECD (2019)
www.oecd.org/trade
tad.contact@oecd.org
@OECDtrade
Why are countries regulating data? The reasons for governments to restrict or place conditions on data flows can reflect a number of objectives. One is to safeguard the privacy of individuals and their personal data. Approaches to privacy and personal data protection vary across cultures, which is one reason why regulation can differ. Countries may also restrict the flow of data, or mandate that data be stored locally, in order to meet regulatory objectives such as access to information for audit purposes. Restrictions to data flows might also be aimed at the protection of information deemed to be sensitive from a national security perspective, or to enable national security services to access and review data. But some countries also use data regulation to develop domestic capacity in digitally intensive sectors, as a form of digital industrial policy.
How are countries regulating data? Not all data regulation are the same and four broad approaches are emerging (Figure 3). These are not mutually exclusive; different approaches can apply to different types of data even within the same jurisdiction (health data, for instance, might be subject to more stringent approaches than data related to product maintenance). 1. At one extreme, there is no regulation of crossborder data flows, usually because there is no data protection legislation at all. While this implies no restrictions on the movement of data, the absence of regulation might affect the willingness of others to send data. 2. The second type of approach does not prohibit the cross-border transfer of data nor does it require any specific conditions to be fulfilled, but provides for expost accountability for the data exporter if data sent abroad is misused (e.g. firms send data but if something goes wrong they are legally accountable).
3. A third approach, flows conditional on safeguards, includes approaches relying on the determination of adequacy or equivalence as ex-ante conditions for data transfer. These rulings can be made by a public authority or by private companies and can include requirements about how data is to be treated. Where an adequacy determination has not yet been made, firms can move data under options such as binding corporate rules, contractual clauses and consent. 4. The last broad type of approach, flow conditional on ad-hoc authorisation, relates to systems that only allow data to be transferred on a case-by-case basis subject to review and approval by relevant authorities. This approach relates to personal data for privacy reasons but also to the more sweeping category of “important data”, including in the context of national security.
What international instruments exist? International instruments to address cross border data flows have also emerged: •
Privacy Shield establishes rules and principles that meet EU adequacy requirements. Companies operating in the US can voluntarily choose to be liable for such privacy protection under US law in order to be able to freely move personal data between the EU and the US.
•
The APEC Cross-Border Privacy Rules (CBPR) System is a framework to promote the interoperability of privacy regulation through enforcement of minimum standards. It is voluntary, requiring participating businesses to implement data privacy policies consistent with the CBPR. To date 6 of the 21 APEC economies are participating, with 27 firms from 2 economies registered.
Figure 3. Approaches to data flow regulation
No regulation
Ex-post accountability
Flow conditional on safeguards
Level of restrictiveness to movement of data Source: OECD (2019)
www.oecd.org/trade
tad.contact@oecd.org
@OECDtrade
Flow conditional on adhoc authorisation
Trade and cross-border data flows •
•
Regulators can also agree voluntary guidelines for good practice: the OECD Privacy Guidelines, for instance, include data flow governance provisions. Data flows are also addressed in FTAs such as CPTPP and USMCA. In Article 14.10 of CTPPP, for example, “Parties recognise that each Party may have its own regulatory requirements concerning the transfer of information by electronic means”. However, “each party shall allow the cross-border transfer of information by electronic means, including personal information, when this activity is for the conduct of the business of a covered person”. The Article also foresees measures inconsistent with this provision, but only “to achieve legitimate public policy objective[s], provided that the measure: is not applied in a manner which would constitute a means of arbitrary or unjustifiable discrimination or a disguised restriction on trade; and… [when it] does not impose restrictions on transfers of information greater than are required to achieve the objective”. The EU has adopted a new horizontal approach on crossborder data flows and personal data protection in trade agreements that it is pursuing in all its trade negotiations. This clause prohibits different forms of data localisation and data storage measures. At the same time, the EU considers privacy and data protection as fundamental rights, and the EU clause provides that “each party may adopt and maintain the safeguards that it deems appropriate for the protection of personal data and privacy”. The cross-border flow of personal data is also not included in the EU-Japan Economic Partnership Agreement signed in 2018. However, Japan and the EU agreed to allow free flow of personal data through “mutual adequacy” of their respective data protection systems.
Further reading • López González, J. and M. Jouanjean (2017), “Digital Trade: Developing a Framework for Analysis”, OECD Trade Policy Papers, No. 205, OECD Publishing, Paris, https://doi. org/10.1787/524c8c83-en • Lopez-Gonzalez, J. and J. Ferencz (2018), “Digital Trade and Market Openness”, OECD Trade Policy Papers, No. 217, OECD Publishing, Paris. http:// dx.doi.org/10.1787/1bd89c9a-en • Casalini, F. and J. López González (2019), “Trade and Cross-Border Data Flows”, OECD Trade Policy Papers, No. 220, OECD Publishing, Paris, https:// doi.org/10.1787/b2023a47-en • Casalini, F., J. López González and E. Moïsé (2019), “Approaches to market openness in the digital age”, OECD Trade Policy Papers, No. 219, OECD Publishing, Paris. http://dx.doi. org/10.1787/818a7498-en • Ferencz, J. (2019), “The OECD Digital Services Trade Restrictiveness Index”, OECD Trade Policy Papers, No. 221, OECD Publishing, Paris, https:// doi.org/10.1787/16ed2d78-en • Ferencz, J. and F. Gonzales (2019), “Barriers to trade in digitally enabled services in the G20”, OECD Trade Policy Papers, No. 232, OECD Publishing, Paris, https://doi. org/10.1787/264c4c02-en.
What is the role of trade policy? As governments regulate cross-border data flows, it will be increasingly important that the trade impacts are also considered, to ensure that privacy, security, protection of intellectual property and the benefits of digital trade, are all comprehensively understood, considered, and balanced. There are encouraging signs that regulators are trying to develop a shared sense of international good practice in data governance (e.g., the OECD Privacy Guidelines are being reviewed, and work is underway on principles on AI, both involving countries beyond OECD membership). While the Internet was born global, and offers new opportunities for firms of all sizes, it also raises considerable challenges for policy in a world where borders and regulatory differences between countries remain. The trading system has experience in promoting open exchange in the context of regulatory difference: in seeking greater interoperability among approaches, requirements that standards be transparent, nondiscriminatory and that they avoid unnecessary trade restrictiveness can play an important role.
www.oecd.org/trade
tad.contact@oecd.org
@OECDtrade