We have for our readers today an invited guest post from Neha Mishra, currently a post-doctoral fellow at the Centre for International Law, National University of Singapore. Neha earned her BA.LLB degree from NLS Bangalore several years ago (where we were classmates) after which she practised law briefly in London and India. She then went on to collect degrees in law and public policy from the London School of Economics, National University of Singapore and finally a PhD from Melbourne University on how international trade law and internet policy can be better aligned with cross border data flows.
Neha’s PhD thesis, which can be accessed over here, won the Harold Luntz Graduate Research Prize for the best thesis by a graduate student at the Melbourne Law School. Her research comes at an interesting time for India, which is currently in the process of creating its own data protection regime. At some point in the near future, the world will have to decide on an international regulatory framework for cross-border data flows, failing which we are going to see increased trade tensions on issues such as data localisation. India is already facing heat on this aspect from the United States.
In this post, Neha provides us with a snapshot of one of the areas of her research. It is an abridged version of her article Building Bridges: International Trade Law, Internet Governance and the Regulation of Data Flows, which was published in the Vanderbilt Journal of Transnational Law in 2019. While she has taken pains to point out to me that it is not related to intellectual property, I did pester her for this piece because, as an IP blog, we do end up covering data protection issues quite often and the issues raised in her thesis are likely to end up influencing some aspects of IP policy in the near future.
Cross-Border Data Flows in WTO Law: Moving Towards an Open, Secure and Privacy-Compliant Data Governance Framework
The digitalisation of the economy and the heavy dependence on cross-border data flows raise complex questions regarding the potential role of international trade agreements in data governance and digital regulation. As concerns around cybersecurity protection, privacy and data protection, and online censorship increase, governments across the world are struggling to strike a balance between digital openness/innovation and safeguarding legitimate internet public policy concerns. Consequently, governments increasingly impose restrictions on cross-border data flows such as data localisation laws and stringent compliance requirements in domestic censorship, privacy, and cybersecurity laws. These measures directly restrict cross-border flows of services, and thus may violate rules contained in international trade agreements such as the General Agreement on Trade in Services (‘GATS’) of the World Trade Organization (‘WTO’). This interface of international trade rules (such as those contained in WTO treaties) and internet public policy raises complex and interesting questions regarding how international trade law regulates or can regulate cross-border data flows.
The GATS does not completely prohibit government restrictions on cross-border data flows. Under the GATS, WTO Members are permitted to take measures necessary to achieve specific policy objectives (referred to as the “necessity test”) listed in various exceptions including protecting public morals/order (GATS art XIV(a)), achieving compliance with domestic laws (GATS art XIV(c)) and national security (GATS art XIVbis). Read in an evolutionary manner, these exceptions arguably cover different internet-related policy objectives advocated by governments including online censorship, privacy/data protection, and cybersecurity protection. Consequently, applying the necessity test to trade-restrictive measures pertaining to cross-border data flows entails a complex balancing of the principles of trade liberalisation enshrined in international trade agreements and domestic laws and regulations on internet and data regulation.
Balancing trade and internet policy objectives necessitates re-orientation of international trade rules to address policy challenges of a data-driven world. This exercise involves examining how the GATS obligations (such as non-discrimination (GATS art II; GATS art XVII), market access (GATS art XVI), rules on domestic regulation (GATS art VI)) and exceptions (art XIV; art XIVbis) apply to measures restricting cross-border data flows. In conducting this legal analysis, I propose a theoretical framework based on the three fundamental principles of internet governance applicable to cross-border data flows, namely internet openness, internet privacy, and internet security. Internet openness implies the free flow of data across the internet without unnecessary disruptions or controls, thereby promoting interoperability and integrity of the internet as well as internet-driven technologies and services. Internet privacy refers to protecting the privacy or information/data related to personal lives of internet users including preventing unauthorised use, collection, and disclosure of such data. Internet security means ensuring confidentiality, availability, and integrity of data. Internet openness, privacy and security are mutually complementing and supportive principles; in other words, internet privacy and security are enablers of digital trust and thus preconditions of internet openness. In practice, however, several governments fail to adequately balance internet openness, privacy and security.
In assessing internet policy-related restrictions on cross-border data flows under the GATS, WTO tribunals can and should make an effort to align GATS rules with the principles of internet openness, privacy and security. For example, market access and national treatment commitments of WTO Members in different service sectors, if interpreted in a technologically neutral manner, can facilitate both trade liberalisation and internet openness. Similarly, GATS obligations on non-discrimination, domestic regulation, and market access (subject to Members’ relevant commitments and exemptions) generally facilitate an open market for cross-border data flows, thereby supporting internet openness. Further, under the necessity tests, WTO tribunals can draw a rational distinction between protectionist measures disguised as cybersecurity or privacy measures and measures genuinely necessary to achieve these objectives, thus striking the necessary balance between internet openness, privacy, and security. A holistic assessment of such measures under GATS (i.e. understanding the implications of the measure on not only trade but also internet openness, privacy and security) requires looking at both the legal and technological implications of data restrictions. Understanding the technological implications of data restrictions falls outside the expertise of the WTO. While consulting internet technical experts (e.g., internet technical bodies such as the Internet Engineering Task Force) is a potential solution, the multistakeholder and dispersed nature of internet governance limits meaningful collaboration between the WTO and internet technical and policy bodies.
The alignment of GATS with the principles of internet openness, privacy and security is also constrained by the lack of multilateral consensus on internet policy issues and the somewhat outdated architecture of GATS. To address these deficiencies, the WTO must consider multi-pronged reforms consisting of: (i) internal reforms at the WTO to facilitate better use of transparency mechanisms (GATS art III) and mutual recognition provisions (GATS art VII) (especially in the case of data certification and data transfer mechanisms); (ii) substantive reforms to develop new disciplines on cross-border data flows and related areas. In that regard, the WTO may also consider developing a non-binding declaration on data flows (without prescribing standards or principles on privacy or cybersecurity, which are much better suited for other international/transnational fora) as well as increasing avenues for meaningful regulatory cooperation among WTO Members; (iii) external engagement outside the traditional multilateral/intergovernmental mechanisms by collaborating with relevant transnational and multistakeholder internet governance bodies. While engaging with these bodies during the negotiation of trade agreements is difficult, the expertise of the internet technical and community can be relevant both during the pre-negotiation stage (i.e. when countries formulate their trade strategies) and post-negotiation stage (in implementing the trade agreement as well as resolving digital trade disputes).
Most international trade agreements, especially the WTO treaties, were not designed to address issues of the data-driven world. While it remains possible to interpret international trade agreements, such as the GATS, flexibly and creatively to support internet openness, reduce data protectionist measures, and promote good internet policy, there are inherent limitations. Although the reform agenda proposed above appears to be ambitious and politically difficult to attain in the short run, all countries have strong incentives to derive the economic benefits from the digital economy. International trade agreements will remain important instruments in the near future in helping countries integrate with the global digital economy; thus, countries must engage in negotiations in good faith at the WTO and other trade fora to reduce trade restrictions in data-driven sectors as well as promote coherence in global data governance.