Cross-border flows of data

Trade rules which maintain “cross-border flows of data” (also referred to as “free-flows of data”) have been much debated.

The argument for including this rule is that cross-border flows of data are foundational to the growth and value of the internet, and that national barriers being put in place prevent the free-flows of data.

Barriers to cross-border data flows relate to a number of national policies. Data localisation rules can push firms to store domestically produced data locally, preventing cross-border flows. Barriers to cross-border data flows can also come through internet filtering and indirectly through data protection legislation.

As trade agreements often include specific clauses for data localisation, this issue is dealt with as a separate section. Here we focus on filtering and data protection rules.

Filtering data

Access to websites, data and digital tools located on foreign servers is a prerequisite for accessing digital goods and services. Engineering the structure of the internet to broadly block cross-border access, or to filter selective data flows, is an effective way of controlling digital trade.

China’s so-called “Great Firewall”, the filtering/blocking of websites to Chinese customers, is the best known example of internet filtering. Undoubtedly the “Great Firewall” is a tool that is linked to national security, politics and morality. Yet, at the same time, it is also an important economic tool. From a national perspective, filtering of data can support infant digital firms, as seen in the emergence of internet giants in China.

While the case of China is the most widely known case, similar but smaller scale filtering measures have occurred elsewhere, for example blocking foreign internet telephony firms, mobile messaging apps and online streaming channels.

Personal data protection

Data protection issues are often seen as separate from digital trade, but in implementation they are closely intertwined with free-flows of data.

Personal data protection rules have existed in countries for many decades to prevent unauthorised sharing of personal details. But as more data is being collected online these rules need to be updated.

The flagship rule here is the EU’s General Data Protection Regulation (GDPR). The GDPR, which came into effect in 2018, does not ban the movement of European data outside the EU. However, countries outside the EU need to be deemed ‘adequate’ by the EU in order to handle EU personal data. If a country is not deemed adequate, each company will need to follow more complex protocols in order to transfer data.

EU rules have been seen by other countries as a model for national legislation on personal data protection, and a number of countries in Latin America, the Middle East and North Africa are adopting or discussing similar GDPR-style legislation.

The principal goal of these rules is data protection – personal privacy, critical data protection and cyber-security. Such motivations remain central, but rules can also support economic agendas by restricting cross-border data flows.

Data protection rules are sometimes said to be ‘disguised’ data localisation rules. This is not overtly stated, but an outcome of these rules. For example, for firms outside the EU, it is often cheaper and legally simpler to store data in-country rather than undertake cross-border transfers.

Such rules are also beginning to be linked to the politics of trade. For instance, the EU-Japan Economic Partnership Agreement controversially linked the signing of this agreement with a mutual “data adequacy” decision.

Non-Personal data protection

Personal data protection rules can impact wider data as well. Rules such as the GDPR include a far broader definition of personal data than previously. It moves beyond obvious personal data (e.g. customer account details) to other data that can be linked to users (e.g. online tracking records of users).

There are also specific non-personal data protection regulations in countries such as China and Indonesia. These include additional rules about how non-personal data can be created and shared, which may be more or less permissive.

For instance, a number of countries have adopted a tiered system of data protection rules. Tiered rules define categories of sensitive data (e.g. company data) for extra regulation. In the case of some countries, the categories defined for extra regulation can be very broad and may prevent, or have requirements for, data moving outside borders.

Cross-border flows and trade agreements

In trade agreements, rules look to bind countries to maintaining free flows of data. They reduce the ability of signatories to undertake filtering, or potentially to create broad personal data and non-personal data protection rules.

For advocates of free-flows of data, this is beneficial, as it ultimately leads to reduced protectionism and promotes global growth. On the other side, rules that prevent filtering and limit data protection could reduce the ability of nations to undertake legitimate public policy goals.

As China has shown, data filtering to support infant digital industries is highly effective, even if it may not be a desirable approach everywhere.

The GDPR, with its broad scope, is having an impact on flows of data in the EU. Such rules have been largely supported by citizens in the EU as an attempt to weaken the market power of international digital giants and their problematic use of data.

Image Credit: Stealth Fiber Crew installing fiber cable underneath the streets of Manhattan – Wikimedia Commons – CC Sharealike