The final months of 2023 were critical for digital trade policy, both in the United States and globally. A major development was the United States’ withdrawal of support for certain provisions in the World Trade Organization’s (WTO’s) Joint Statement Initiative (JSI) talks — a move that drew considerable attention. However, other developments, though less publicized, were equally important. These include the EU-Japan digital trade agreement, which introduced a new exception language, and the G7’s decision in Hiroshima on operationalizing Japan’s “data free flow with trust” (DFFT) proposal at the Organisation for Economic Co-operation and Development (OECD). Collectively, these events are critical for understanding the future of cross-border data flows and digital trade negotiations. They represent foundational elements of a broader global economic policy and are integral to the evolving landscape of digital trade.
In October 2023, the United States Trade Representative (USTR) took a significant step by revising its approach to certain digital trade proposals, a move intended to provide greater flexibility for policy makers. These proposals included provisions on cross-border data flows; server location requirements; non-discrimination; and trade secret protections for source code and algorithms, which have far-reaching societal and economic implications for tech-related policies such as privacy, antitrust, misinformation, consumer protection, protection of fundamental rights, artificial intelligence (AI) regulation and cybersecurity.
The USTR’s announcement drew both applause and disapproval from members of Congress, civil society organizations, think tanks, digital rights groups and the tech industry. Notably, the disapproval was more pronounced, reflecting the contentious nature of the change in position.
It’s crucial now to look beyond these immediate reactions to the USTR’s decision itself. The focus should be on the broader context of global digital governance and the integral role digital trade plays within it.
Digital trade is fundamental to the architecture of global digital governance, but the relationship is not straightforward. While there are extensive discussions around global digital governance, digital development, data governance and AI policy, discussions about the binding rules that govern the related technologies are less prominent. Digital trade represents a critical intersection where traditional trade rules meet the challenges of the rapidly evolving digital economy. Achieving coherence between trade rules and other crucial digital governance issues such as privacy, security, antitrust, democracy and human rights is a complex task, if not bordering on the impossible. Often overlooked by those working in digital governance due to its complex nature and its roots in service-related rules, digital trade is, in fact, essential to digital governance architecture, regardless of its lack of elite status compared to areas such as tech regulation and AI policy.
Digital trade rules, established through bilateral, regional and multilateral trade agreements, are not only binding but also enforceable. These rules influence far more than trade alone; they shape domestic regulations and policy priorities across all sectors. Commitments made in trade agreements have wide-ranging implications for a country’s regulatory environment, impacting many sectors whether directly related to trade or not.
Trade commitments often come with exceptions to allow flexibility for public policy measures. For instance, typical digital trade rules such as “each party shall allow cross-border data transfer” or “no party shall restrict information flow, including personal information” are straightforward in terms of the obligations. The challenge is in crafting exception language that balances firm obligations with the flexibility required to meet public policy objectives.
The core issue with data flow provisions is not the flow of data, primarily personal data, across borders, but rather the impact of this unrestricted data flow on issues such as privacy, misinformation, competition, child protection and worker rights, among others. Since the introduction of binding trade commitments on cross-border data flows in the Trans-Pacific Partnership (TPP), trade negotiators have been struggling to draft exceptions that effectively balance trade obligations with public policy needs, often without realizing they are venturing into uncharted territories related to the commercial exploitation of personal data.
Trade exceptions place limits on how domestic regulations may affect trade commitments. The first inbuilt exceptions for data flows and server location requirements in the TPP borrow the language from the WTO general exceptions clause found in the General Agreement on Tariffs and Trade (GATT) article XX and the General Agreement on Trade in Services (GATS) article XIV. The GATT exception requires a policy measure to be necessary for achieving a specific public policy objective while ensuring it does not constitute a means of arbitrary or unjustifiable discrimination or a disguised restriction on international trade. Historically, in the WTO, the general exception has been interpreted in a way that restricts governments from implementing public policy measures to protect consumers, the environment and other areas, with successful applications in only two out of nearly 48 cases.
The TPP incorporated the first e-commerce chapter in a trade agreement that introduced binding and enforceable rules governing data flows. Recognizing the challenges posed by the WTO general exception, particularly the ambiguous “necessity test,” which requires that a measure (be it a regulation or law) should not be more trade-restrictive than necessary to achieve a public policy objective, TPP negotiators took a different approach. They dropped the word “necessary” but still required the measure to achieve a legitimate public policy objective and be less trade-restrictive.
The term “legitimate public policy objective” is not self-defining; it is not clear what can qualify as a legitimate public policy objective, and the Comprehensive and Progressive Agreement for Trans-Pacific Partnership (CPTPP) (the TPP’s successor after the US withdrawal in 2017) governments would need to defend the legitimacy of public policy objective if it were challenged in a future dispute. This ambiguity makes it difficult for governments to justify regulatory measures, such as privacy or competition laws, as legitimate trade exceptions. By way of illustration, new regulations, especially those not widely adopted, such as platform regulation, could be seen as creating a non-tariff trade barrier by increasing operational complexity and costs for businesses. Furthermore, the TPP exception to cross-border data flows still requires passing three successive legal tests, such as the measure shall not constitute a disguised restriction on trade, each with its own threshold for the defence to succeed. This renders the TPP exception, even without the explicit mention of “necessary,” significantly deficient. It limits the ability of the parties to set and enforce regulatory standards and safeguards effectively.
The United States-Mexico-Canada Agreement (USMCA), the revised North American Free Trade Agreement negotiated in 2017–2018, adopted similar obligations to the TPP, including more rigorous exceptions for addressing public policy concerns. It reinstated the word “necessary” for the data flow exception and eliminated the public policy exception from server location requirements. These provisions were quickly praised by the tech industry and served as a model for other US trade negotiations during the Trump administration, eventually making their way into the US proposals at the WTO JSI in 2019. However, in October 2023, in light of the diminishing public trust in tech companies, growing concerns about tech monopolies, escalating harms of digital technologies and increased political interest in regulating tech following the USMCA, the USTR decided to withdraw its support for these provisions from the WTO JSI talks.
In fact, when the Biden administration assumed office, USTR officials grappled with a critical question: How to align digital trade rules with the administration’s priorities on privacy, competition, AI bias and discrimination, and democracy? The digital provisions of the USMCA, the only US agreement with such digital commitments approved by Congress, were not in sync with these priorities. During the Indo-Pacific Economic Framework (IPEF) negotiations, the USTR reportedly tried to introduce more flexible exceptions to provide greater policy space. It is speculated that the IPEF proposal revisited the TPP exception with tweaks such as shifting the burden of proof and adding a footnote for flexibility in transfers to non-parties.
While these efforts were significant, they did not fully resolve the underlying issue. The classic paradigm of trade rulemaking, hinged on meeting stringent trade exceptions to preserve regulatory policy space, led USTR negotiators into the complex realm of digital governance, a domain where Americans expect the government to protect their rights and regulations and where the government looks to Congress for governance. In light of this, the USTR’s efforts did not meet the expectations of Congress and the American public. Recognizing the limitations of traditional trade governance in addressing the challenges posed by data and emerging technologies, the USTR opted to step back, allowing policy space for Congress and the administration to more directly govern the digital economy.
Across the pond, European officials have long been trying to address the significant tension between trade agreements and digital governance architecture. This tension, while relatively new to US negotiators given the evolving US approach to tech regulation, raises a crucial question for digital policy: In the context of trade governance, under what circumstances should national governments retain the policy space to pursue regulatory objectives? Specifically, when should they be able to restrict cross-border data flows to safeguard public policy, privacy, AI regulation and competition, which may be impacted by cross-border data flows?
European officials have long faced this complex dilemma: preserving policy space for fundamental rights and the European Union’s strong data protection standards in free trade agreements (FTAs). Studies dating back to the early 2000s suggested that the European Union’s “adequacy” requirements for data protection could be vulnerable to challenges at the WTO. In 2016, joint research by transatlantic consumer organizations indicated a potential risk for the European Union’s General Data Protection Regulation (GDPR) under a WTO panel dispute. The research highlighted that the GDPR might not pass the WTO’s general exception test on several particular grounds, including the existence of less trade-restrictive measures. The GDPR, known for its strict rules on data collection, processing, storage and usage, has been criticized for being overly burdensome and tedious.
After nearly two years of discussions among EU institutions — including the Directorate-General for Trade, the Directorate-General for Justice and the European Parliament — the European Union released the horizontal provision on cross-border data flows, data protection and privacy in 2018. These provisions established a redline on EU data protection rules, securing the policy space needed for the European Union to protect fundamental rights. It introduced a self-standing exception applicable across the agreement, independent of additional successive legal tests of the general exception.
These horizontal provisions faced both support and criticism. The tech industry, in particular, was dissatisfied, arguing that the European Union’s interests would be better served under the existing GATS rules and exemptions.
Since then, these provisions have been incorporated into several EU FTAs, including those with Chile and New Zealand, which are also party to the CPTPP. Despite agreeing to these provisions in their respective FTAs, both countries did not extend similar support to these provisions at the WTO JSI talks. Over time, they have favoured CPTPP rules, adopting them in their own bilateral and regional FTAs, even maintaining footnotes on personal data protection, initially designed for the United States. This suggests a stronger preference for CPTPP rules over EU ones.
The European Union’s negotiations with the United Kingdom further illustrate the complexities involved. The United Kingdom’s firm stance on adopting a “less European approach” to privacy and its emphasis on limiting how privacy regulations impact cross-border data transfers presented a significant challenge for negotiations. Ultimately, a compromise was reached, reflecting the inherent difficulties in applying the European Union’s drafted horizontal provisions to real-world negotiations. This compromise, seen as a divergence from the European Union’s horizontal provisions, has provided hope to the industry that the European Union’s redlines on protecting fundamental rights might be open to negotiation.
The European Union and Japan’s free trade negotiations started well before the European Union developed its horizontal provisions. There was a significant conflict between the parties’ approach to data flows and privacy. Japan has traditionally aligned more with the US and UK stance on data flows, advocating for the free flow of data in international trade and objective limits placed on how privacy regulation may interfere. During the negotiations, Japan pushed for a language similar to that in the CPTPP, but the European Union, in the midst of formulating its horizontal provisions, resisted this approach. The agreement was eventually concluded in 2018 (the EU-Japan Economic Partnership Agreement) and included a rendezvous clause on cross-border data transfers, allowing for a future renegotiation of the provision.
Recently, the European Union and Japan revisited their FTA provision on cross-border data flows, concluding what they described as “a landmark deal to make doing business in the online world easier, less costly and more efficient.” The agreed-upon language merges the European Union’s horizontal provisions with elements from the CPTPP provision, introducing a level of ambiguity. Originally, the European Union’s horizontal provisions aimed to preclude the need for justifying privacy and data protection regulations under the WTO general exception. The new language, however, appears to reintroduce the substantive legal tests of the WTO general exception into the European Union’s FTAs, leading to potential legal uncertainty and conflicts with EU data protection law.
Furthermore, it’s uncertain whether this framework is sufficiently adaptable for protecting fundamental rights, considering the rapidly changing face of technology. There’s a risk that it might constrain the European Union, reducing the policy space provided by the horizontal provisions. This raises a critical question, echoed by the European Data Protection Supervisor, about the purpose and necessity of this new language, especially in light of the 2019 adequacy decision allowing free data flow between the European Union and Japan with robust protection guarantees. Considering Japan’s commitments in the CPTPP and the US-Japan Digital Trade Agreement (which mimics the USMCA), about limiting how privacy regulations interfere with cross-border data flows, it’s unclear what the European Union expected to achieve with this new arrangement. However, the adoption of this new language might signal a shift in the European Union’s approach to data flows in ongoing negotiations, such as the WTO JSI and its digital trade pacts with Singapore and South Korea, potentially establishing a new EU position for cross-border data flows
The last, but not least, significant development of 2023 was the G7’s Hiroshima decision to operationalize Japan’s DFFT proposal at the OECD. Coined by the late Japanese prime minister Shinzo Abe at the 2019 G20 Osaka Summit, the DFFT is a concept originating in Japan and further developed in Washington, DC. The term superficially aims to reconcile two seemingly incompatible policy objectives: promoting free data flows and ensuring privacy to foster a more trusted and interoperable global governance system.
On paper, the DFFT appears ideal, ticking all the necessary boxes. Yet it begs the question: Does it genuinely aim to balance “free flows of data” with “trust”? Trust is fundamental in the digital ecosystem, encompassing diverse stakeholders and perspectives. Particularly for cross-border data flows, trust emphasizes a human-centric approach. Data protection and privacy regulations are widely acknowledged as key to building trust within this ecosystem.
As cross-border data transfers become central to trade negotiations, the question arises: How can trust be effectively built into trade agreements? If fostering trust is the objective, the DFFT should avoid relying on the non-functional exceptions of the CPTPP or the US-Japan Digital Trade Agreement. These exceptions place objective, albeit hard to justify, limits on domestic regulations, dictating how domestic regulations interfere with trade commitments. Such provisions may not adequately address the need for a robust, trustworthy framework that simultaneously facilitates cross-border data flows and upholds privacy and data protection standards.
Global trade governance may not be the most suitable platform for the bottom-up approach envisioned by the DFFT, which aims to be fair, inclusive and transparent. The operationalization of the DFFT at the OECD seems to focus on building trust outside the realm of global trade governance. While it remains unclear how the OECD will accomplish this, initiating a multi-stakeholder, inclusive and rational discussion on digital trade rules could be a constructive first step. Such discussions should highlight the critical role of trade exceptions in preserving policy flexibility and fostering trust, potentially offering a more effective approach to digital trade governance.
