Data Governance and Trade
The Asia-Pacific Leads the Way
Ambassador Robert Holleyman examines issues around trade, data governance, and cross-border data flows in the Asia-Pacific.
Data is integral to modern domestic and international commerce. Whether for added efficiency, by connecting remote workers, suppliers, and customers, or for entertainment, e-commerce, banking, and other services, data has become an essential element of how we live and conduct business. Nations in the Asia-Pacific have increasingly adopted rules for data governance and cross-border data flows as elements and chapters of their bilateral and regional trade agreements. This commentary examines the main issues that these rules have sought to address in the context of several high-profile trade agreements.
National laws and regulations establish parameters around categories of data. Most often this includes health data, financial data, and other types of personal or consumer data. Discussions about cross-border data use in health are particularly consequential. The Covid-19 pandemic has increased attention toward issues around medical data flows and the value of such data for improving health.
Within the context of cross-border trade, policymakers and trade negotiators have developed an evolving set of rules and norms related to the treatment and use of data when transmitted from one nation to another. In many cases, data may be freely transmitted, particularly when it does not involve personal or sensitive information. In some instances, however, data may not be authorized for transfer beyond a nation’s borders or jurisdiction without meeting certain preconditions. This is frequently the case with respect to personally identifiable data when national privacy regimes—such as the European Union’s General Data Protection Regulation, Japan’s Act on the Protection of Personal Information, and Singapore’s Personal Data Protection Act—establish criteria to ensure that sets of personal data transferred to another country retain the privacy protections of the originating country. In other instances—for example, with some regulated financial data—the local storage of data may be required before any transfer. In a small minority of cases, some types of data may not be transmitted at all beyond a country’s borders—most frequently when national security concerns apply.
DATA GOVERNANCE IN TRADE AGREEMENTS
Governments are appropriately concerned about preserving the integrity of their data governance regimes, particularly with respect to personal privacy and national security. When data issues are addressed within trade agreements, the end result often favors cross-border data transfer while preserving the ability of a nation to regulate data flows for purposes of protecting the privacy of its citizens or preserving national security in the use and transmission of data. For example, part of the balance may involve provisions encouraging the adoption of national data protection laws by parties, while ensuring that such laws do not serve as disguised barriers to cross-border trade.
Trade agreements in the 21st century have sought to define the conditions for nondiscriminatory treatment of data between signatories. They seek to limit restrictions on transfers of data across national borders and address ways in which data governance rules and regulations within a country may affect cross-border trade for the parties. With increasing frequency and growing levels of detail, data issues are being integrated into international trade agreements in the same way that trade agreements addressed cross-border trade in physical goods and services over time.
Although it is not easy to secure due to national sensitivities and evolving norms around data, experience has shown that finding common ground can be easier on data in than other areas during the negotiation of trade agreements. For example, compared to agriculture issues—which typically involve long-standing domestic protections and national sensitivities—data flows have not been subject to such protections in their short history. Countries also have an incentive to include rules governing data in trade agreements, as virtually every transaction in modern business involves data.
Bilateral and regional agreements in the 2000s. Given its size and rapid adoption of digital technologies, the United States was an early advocate for the inclusion of data provisions in trade agreements. Not alone in this interest, the United States became party to twelve bilateral and regional trade agreements that entered into force between 2004 and 2012. In varying forms, these agreements progressively expanded the obligations for treatment of cross-border e-commerce, now more frequently called “digital trade.” Noteworthy U.S. bilateral agreements in the early 2000s advanced foundational digital principles in the Asia-Pacific. For example, the 2004 U.S.-Singapore Agreement, the first U.S. free trade agreement (FTA) in Asia, included provisions on e-commerce, ensuring nondiscrimination for products delivered electronically, prohibiting customs duties on digital products, and binding the parties to the World Trade Organization’s otherwise temporary moratorium on e-commerce duties. Similar provisions were included in later agreements with countries ranging from Chile to Panama to South Korea.
Trans-Pacific Partnership (TPP). The signing of the TPP in 2016 by twelve Asia-Pacific nations (Australia, Brunei, Canada, Chile, Japan, Malaysia, Mexico, New Zealand, Peru, Singapore, the United States, and Vietnam) represented a significant leap forward in comprehensive treatment of cross-border e-commerce and data flows. The TPP built on provisions in earlier bilateral agreements and added an extensive list of pioneering commitments. The Office of the U.S. Trade Representative summarized key digital provisions in the agreement in “The Digital 2 Dozen” report, which emphasized the importance and benefits of strengthening conditions for innovation, competitiveness, and security while reducing barriers to cross-border digital trade between the parties.
Although the agreement never entered into force, key TPP obligations included the following:
- Prohibiting digital customs duties to prevent discrimination against cross-border digital delivery
- Enabling cross-border data flows while minimizing forced localization requirements
- Barring forced technology transfers as a condition for access to a party’s market
- Protecting source code in commercial products from forced disclosures to national authorities
- Fostering the use of innovative encryption products to enhance privacy and security
- Preserving market-driven standardization and global interoperability principles
Comprehensive and Progressive Agreement for Trans-Pacific Partnership (CPTPP). Following the United States’ withdrawal from the TPP in 2017, a successor agreement, the CPTPP, was signed by the remaining eleven nations. While the United States was an early leader and perhaps the strongest advocate for the inclusion of expanded digital provisions in the TPP, multiple countries took up the mantle of leadership for the CPTPP. Japan was a particularly forceful leader in pressing forward to preserve the digital provisions of the TPP.
Upon entry into force in late 2018, following ratification by seven nations, the CPTPP set the new global benchmark as the world’s most comprehensive trade agreement in treatment of data. It remains the agreement with the largest number of parties committing to high-standard data and digital trade provisions.
U.S.-Mexico-Canada Agreement (USMCA). The United States, following its withdrawal as a signatory to the TPP, turned its attention to renegotiating the North American Free Trade Agreement (NAFTA) with Canada and Mexico. The substance of the TPP’s data provisions were incorporated into the resulting agreement, having been agreed on by the three parties during TPP negotiations and reaffirmed by Canada and Mexico in the CPTPP. The USMCA, as the NAFTA successor was renamed in 2018, added new data-related provisions that built on the prior work. The USMCA entered into force on July 1, 2020, and adds obligations to those in the TPP/CPTPP, including:
- Enshrining the Cross-Border Privacy Rules system of the Asia-Pacific Economic Cooperation (APEC)
- Limiting civil liability for third-party posted content on internet platforms (other than intellectual property)
- Opening opportunities for financial data to flow more freely across borders by establishing a process to minimize local storage requirements
- Promoting “open access” to government-generated data
U.S.-Japan Digital Trade Agreement. In 2019 the United States and Japan reached a digital trade agreement that built on provisions in the TPP and incorporated key elements added in the USMCA. Though nonenforceable, the agreement signals the countries’ mutual objectives and bridges some of the gaps left following the U.S. withdrawal from the TPP. When and if a comprehensive FTA is reached between the United States and Japan in the future, the digital trade provisions from the 2019 agreement will likely be included and expanded on.
Singapore-Australia Digital Economy Agreement (DEA). Singapore and Australia signed a new, binding digital agreement on August 6, 2020. The DEA upgrades the digital trade provisions in both the CPTPP and the Singapore-Australia Free Trade Agreement (SAFTA). Once in force, it will amend SAFTA, replacing the e-commerce chapter with a new and enforceable digital economy chapter. The DEA includes provisions preventing unnecessary restrictions on the transfer and location of data, including financial sector data. This goes beyond the CPTPP, where the financial sector was not treated synonymously with other sectors due to regulatory sensitivities among key parties. Additionally, the DEA includes new commitments on e-invoicing and e-payment frameworks, improved enforcement and compliance provisions around online consumer protection, enhanced transparency, and greater cooperation in online safety.
Digital Economy Partnership Agreement (DEPA). Immediately prior to completion of the DEA, on June 12, 2020, Singapore, New Zealand, and Chile signed DEPA. The agreement established a series of “modules” covering multiple aspects of data within trade and expanding on prior digital trade agreements. Although nonbinding, DEPA creates a framework for governing digital trade between the nations that goes beyond commitments made in the CPTPP. Provisions around business and trade facilitation, treatment of digital products and related issues, cybersecurity and trust, online consumer protections, and digital identities are included in the agreement. DEPA also promotes open government data, addresses linkages for the digital economy with small and medium-sized enterprises, and advances digital inclusion for the benefit of all people, including indigenous peoples.
The DEPA approach is likely to become a model for how trading partners can address data and other emerging issues. Most importantly, its modular approach allows it to be scalable and more nimble than traditional comprehensive trade agreements. It establishes a mechanism for collaboration through which it could cover new uses of technologies such as artificial intelligence. Moreover, because DEPA lacks provisions for retaliatory measures and is not enforceable in the manner of a traditional trade agreement, it lends itself to greater innovation and more pioneering approaches.
Although this was not necessarily anticipated by its creators, DEPA thus points the way to securing high-standard agreements by like-minded trading partners. While not a substitute for binding agreements, this model can be effective in more quickly addressing issues such as climate change, where time is of the essence. As many in the United States look to regain a position of global leadership, the modular approach pioneered by DEPA offers an instructive example of what could be done to supplement traditional approaches.
CHINA AND DATA GOVERNANCE
Broadly speaking, China’s approach to data and trade agreements is more restrictive than the agreements outlined above. Although China would not necessarily oppose each of the liberalizing provisions described, some of the obligations would likely generate opposition. China’s approach to data sovereignty, linkages between control of data and national security, and limitations on certain deployments of foreign-controlled technology all present friction points for trade negotiations.
The fifteen-nation Regional Comprehensive Economic Partnership (RCEP) trade agreement, of which China is a major driver, includes provisions on e-commerce. Negotiations began in 2012 and finally concluded in November 2020 with less ambitious provisions on digital issues than other contemporary trade agreements in Asia. China’s sensitivities and more restrictive approach to data, particularly with respect to control of data within its borders, limited the scope of the RCEP. For example, the e-commerce chapter excludes any recourse to dispute settlement. In provisions that would otherwise limit forced localization of data, each member party can decide for itself whether it has a legitimate public policy interest in preventing cross-border transfer of information by electronic means.
Although China’s approach and concept of data sovereignty are not fully reflected in the RCEP, the country is looking to advance its concept of data sovereignty among potentially like-minded nations. What remains to be seen is the degree to which the new and now prevailing standards for data in 21st-century trade agreements will affect China, given its potential interest in joining a number of agreements beyond the RCEP. For example, the Australia–Hong Kong Free Trade Agreement that entered into force in 2020 encompasses several data provisions building on those in the CPTPP. Are these agreements to which China can and should aspire? Does the modular approach to data and trade in DEPA provide potential avenues of engagement for China? Or are the gaps too large, and will China’s approach to data and trade remain more narrowly prescribed than that taken by a growing number of Asia-Pacific economies? While China seems likely to go on adopting a narrower approach, the expanding landscape for the treatment of data governance and trade continues to shape developments in Asia.
The issues around trade, data governance, and cross-border data flows remain priorities for policymakers and industry. In the context of trade agreements, these issues are no longer in their infancy. Yet they have also not reached full maturity, particularly in their treatment of areas like artificial intelligence or data transfer between countries whose national protection regimes diverge.
It is not surprising that the fast-growing Asia-Pacific region is leading the way in global debates and binding agreements at the nexus of data and trade. While basic foundational principles of many nations are increasingly clear, substantial gaps remain, as well as opportunities for new approaches to cross-border data in all its diverse forms. This area of trade policy remains ripe for innovation and future coordination.
Robert Holleyman is a Partner at the law firm of Crowell & Moring and the President and CEO of Crowell & Moring International. Ambassador Holleyman served as Deputy U.S. Trade Representative from 2014 to 2017, where he was responsible for U.S. trade negotiations with Asia and led global trade policy on data governance, digital trade, services, investment, and intellectual property. He was CEO of BSA/The Software Alliance from 1990 to 2013 and counsel in the U.S. Senate earlier in his career.
 See Nigel Cory, “Viruses Cross Borders. To Fight Them, Countries Must Let Medical Data Flow, Too,” Information Technology and Innovation Foundation, May 7, 2020, https://itif.org/publications/2020/05/07/viruses-cross-borders-fight-them-countries-must-let-medical-data-flow-too.
 The United States reached agreements with Singapore, Chile, Australia, Peru, Panama, Colombia, South Korea, Jordan, Bahrain, Morocco, and Oman, as well as the Dominican Republic, Costa Rica, El Salvador, Guatemala, Honduras, and Nicaragua through the Dominican Republic–Central America FTA.