The relationship between trade and the digital economy seems obvious today, but a few decades ago, that relationship did not exist. In our current zeitgeist — as the North American Free Trade Agreement and the Comprehensive and Progressive Agreement for Trans-Pacific Partnership are being renegotiated and implemented — issues surrounding the data-driven economy are inextricably linked to global trade.
Data localization and data transfers have been central to recent trade negotiations. In short, data localization rules require data to be stored locally, and data transfer rules restrict data transfers to countries with laws that meet an “adequacy” standard. Both are at odds with modern trade agreements and their goals of limitless and unhindered global digital trade.
In this video, CIGI Senior Fellow Michael Geist explains why data localization and data transfers are important for both privacy and security, and why a policy balance must be struck with the free flow of data. Geist says that it is important to consider that the free flow of information across borders is incredibly important from an economic, pro-democracy and human rights perspective. Today, policy makers face the challenge of finding the right balance between protecting privacy with data controls and safeguarding an open internet with the free flow of information.
So, one of the really interesting questions is the relationship between modern trade agreements and data rules, and if we’re to go back a number of years ago, there was no relationship. But, they’ve gradually changed as the economy has changed to a whole series of other regulatory issues and, most recently, is trade agreements have tried to also focus on digital commerce and digital trade.
So, there are two types of data controls or data issues that we see appear in the trade agreements — one is known as data localization and the other has to do with data transfers. When we talk about data localization, the idea is that countries may require that certain data be retained within their local jurisdiction, in other words, localized. And so, the idea there is that unless you require that the data be stored and retained within the jurisdiction, there’s certainly a prospect or a possibility that that data may go elsewhere and the ability to assert some of your rules, whether privacy or security rules, may be lost.
When it comes to data transfers, that speaks to potentially creating limits on, naturally enough, transferring data outside of the jurisdiction. And the most obvious and well-known example has to do with the European Union (EU), which long ago established rules around the ability to transfer data from the EU, from any of the EU member-states, to a third-party country. And what they said was that you could only do so if one of those third-party countries had privacy rules in place, or data protection rules in place, that they felt met an “adequacy standard.”
What we’ve started to see in agreements like the TPP, are real limitations on the ability of any country within the TPP to either set limits on data transfers or to require that certain data be localized. In other words, create real restrictions on the ability for countries to assert the kinds of rules that many have been asserting, actually, for some time.
The other, I think, real challenge and it speaks to the substance of the provision, is that there are good arguments for ensuring that we’ve got free flow of data. I think many recognize that an open internet and free flow of information across borders is incredibly important from an economic perspective, it’s important from, I think, a pro-democracy perspective, a basic human rights perspective to ensure that people have access to the information of their choice and limitations on that can, in many respects, be a real problem.
And so, the challenge becomes how do we reconcile that? I think a lot of it lies in how we start interpreting these agreements. If we’re going to be able to ensure that we can craft a real balance between, on the one hand, ensuring that we’ve got the promotion of an open internet and, at the same time, enough policy space, enough wiggle room, in a sense, to ensure that we can also safeguard things like privacy and security.