数字贸易正在颠覆消费者和企业的经营方式。数字贸易和电子商务通过提高生产力和降低货物贸易成本,已成为经济发展的主要驱动力。但政府政策迟迟未能跟上跨境数据流动日益重要的程度,以及国内监管可能帮助或阻碍国际贸易的方式。第一个考虑数字贸易重要性的贸易协定,跨太平洋伙伴关系协定(TPP),引入了几项处理这些关键问题的新规则。为什么TPP中的七个亚太国家(澳大利亚、文莱达鲁萨兰国、日本、马来西亚、新西兰、新加坡和越南)在处理数字贸易和电子商务方面制定了不同的国内政策,却同意对该行业采取类似的政策?工作文件编号:746
数字化转型的快速加速对服务贸易产生了深远影响,但数字化的好处有可能被现有和新兴的贸易壁垒破坏。经合组织数字服务贸易限制指数(Digital STRI)是一种新的工具,用于识别、编目和量化影响数字贸易服务的交叉壁垒。它由两个组成部分组成,即监管数据库和指数,汇集了44个国家的可比信息。数字STRI显示了影响数字服务贸易的多样化和复杂的全球监管环境。此外,在过去几年中,这些指数显示出监管环境日益收紧,突显出需要进一步的国际合作和对话,以最大限度地发挥数字化的好处。
本文概述了数字贸易对东盟国家及其中小企业带来的一些问题,包括数字化为东盟企业增加贸易提供了新的机会。然而,研究表明,采用相对简单的数字工具(如网页)的比例仍然相对较低,这限制了东盟中小企业作为出口商和进口商参与贸易的能力。本文认为,为了从数字贸易中获益,政策制定者需要考虑与访问数字网络相关的一系列新旧贸易问题。
本文描绘了不断发展的数据本地化景观。这表明数据本地化措施的数量正在增加,而且这些措施本身的限制性也越来越强。该文件强调,需要更好地了解和监测不断变化的监管环境,以期对数据本地化的经济和社会影响进行实证分析。这一问题在正在进行的数据本地化讨论中尤为重要,无论是在优惠贸易协议中还是在世贸组织关于电子商务的联合声明倡议中。
总部位于布鲁塞尔的领先智库里斯本理事会和总部位于华盛顿特区的顶级智库进步政策研究所(PPI)联合发布了《揭示数字贸易的隐藏价值:迈向21世纪跨大西洋繁荣议程》。该论文由里斯本理事会主席兼联合创始人Paul Hofheinz和PPI首席经济策略师、宾夕法尼亚大学沃顿商学院麦克创新管理研究所高级研究员Michael Mandel撰写,分析了数据、数据分析和无形资产在国际贸易中日益增长的作用。它向政策制定者提出建议,围绕大西洋两岸的经济增长和共同繁荣议程,利用数据分析的巨大力量。该政策简报是在里斯本理事会和PPI在布鲁塞尔Résidence宫召开的关于推动数字贸易隐藏价值的高级别圆桌会议上发布的。
随着人们和企业找到新的创新方式,利用数据和技术通过互联网提供更多商品和服务,数字贸易问题对美国经济的重要性继续增加。然而,数字技术极大地推动了创业和创新的增长,但越来越多的数字贸易壁垒越来越威胁到这一增长。7月13日,美国众议院筹款委员会贸易小组委员会举行了一场重要听证会,讨论数字贸易对美国经济日益增长的重要性、这些数字贸易壁垒的兴起,以及美国贸易政策,包括通过跨太平洋伙伴关系(TPP),可以帮助消除现有和防止未来的壁垒。ITIF创始人兼总裁Robert Atkinson与来自IBM、互联网协会、PayPal和Fenugreen(一家科技初创公司)的代表一起作证。这篇文章抓住了一些关键要点。
On March 8, 2022, France enacted updated “sovereignty requirements” as part of a new cybersecurity certification and labeling program known as SecNumCloud. This post analyses how these restrictions breach both France and the European Union’s (EU) commitments under the World Trade Organization’s General Agreement on Trade in Services (GATS), especially as it relates to national treatment, most-favored-nation (MFN), and market access. It also analyzes the implications for transatlantic digital trade and cooperation, including at the Trade and Technology Council (TTC). SecNumCloud’s “sovereignty requirements” disadvantage—and effectively preclude—foreign cloud firms from providing services to government agencies as well as to 600-plus firms that operate “vital” and “essential” services. The latest SecNumCloud guidance (v3.2, March 2022) retains broad data localization requirements for all data (both personal and non-personal) and foreign ownership and board limits, which would effectively force foreign firms to set up a local joint venture to be certified under SecNumCloud as “trusted” and thus able to manage Europea data and digital services. A prior post for the Cross-Border Data Forum also analyzed this proposal and how it breached EU trade law commitments under the WTO Government Procurement Agreement (GPA). SecNumCloud’s restrictions deserve greater attention as its impact on data governance and digital trade will potentially (and quickly) grow in France and the EU (never mind if other countries adopt similar sovereign cloud policies). France is leading efforts to embed SecNumCloud’s “sovereignty” requirements in the European Union Agency for Cybersecurity’s (ENISA) Cybersecurity Cloud Services scheme, which is under development. ENISA is running an opaque process without broad and open stakeholder engagement, partially because it realizes that these types of provisions are heavily criticized. ENISA hopes to finalize its draft proposal by mid-2022 and enact it in early 2023. The United States reportedly raised concerns directly with the French government, which seems unperturbed; it released the final SecNumCloud proposal largely unchanged and continues to push for the proposal’s application in ENISA. Ultimately, if U.S. cloud firms can’t operate in a significant portion of the EU digital economy and therefore can’t manage and transfer associated data for supposed cybersecurity reasons, the new Trans-Atlantic Data Privacy Framework isn’t nearly as valuable or meaningful. GATS Trade Law: A Strong Case that SecNumCloud Breaches France’s and the EU’s Market Access, National Treatment, and Most Favored Nation Commitments on Cloud Services France’s application of SecNumCloud to public—and private—sector players raises significant issues in light of the commitments that France and the EU undertook under the GATS, most particularly market access, national treatment, and MFN treatment. The early evidence is in: since its first introduction in 2016, only four companies—all French—have been certified under SecNumCloud. In essence, in both form and substance, this replicates China’s use of similar restrictions for foreign cloud services firms (for digital protectionism and authoritarian purposes). France and the EU committed under the GATS to provide market access—including cross-border (or “mode 1”) access—to foreign suppliers of computer and related services (CRS) without restrictions (except for Malta and the Slovak Republic). They also committed to accord such companies “no less favorable” treatment than domestic suppliers of these services (the core WTO principle of national treatment, in terms of treating foreigners and locals and their products equally). They also committed to provide similar fair treatment to third-country suppliers (the principle of MFN, where countries cannot discriminate between trading partners). And the EU is on the record at the WTO that cloud computing is a CRS (see, e.g., page 16 of this Council for Trade in Services report), so its WTO commitments clearly cover these services. The latest version of SecNumCloud explicitly requires suppliers of cloud computing services to store and process their customers’ data within the EU. This effectively constitutes a ban—or a “zero quota” in WTO terminology—on the cross-border supply of these services. In the U.S. gambling case at the WTO’s dispute settlement body (DS285: United States—Measures Affecting the Cross-Border Supply of Gambling and Betting Services), the WTO made it clear that a zero quota (in that case, the United States blocking of Internet gambling from Antigua) violates the GATS market access obligation (specifically, Article XVI:2(a)). There is also a strong argument to be made based on the core WTO principles of national treatment and MFN that under SecNumCloud-like restrictions, France and the EU will treat foreign suppliers less favorably than domestic and third-country suppliers. As noted above, France and the EU have full commitments for national treatment and MFN for cloud-related services, with very limited exceptions. Essentially, the national treatment commitment is interpreted as meaning that if a regulation affects competitive conditions in the market to the detriment of foreign suppliers, there is a violation. That is plainly the case here, since EU suppliers will be allowed to provide cloud services without restriction while foreign suppliers are restricted from processing and storing customer data in their home countries. Similarly, SecNumCloud breaches MFN obligations as it creates differences between suppliers in different WTO member countries. If France allows cloud companies from a given WTO member country to provide cross-border cloud services from their home country while preventing companies from another WTO member country from doing the same (or otherwise modifying the conditions of competition to their detriment), there is a violation. And since France is a member of the WTO in its own right, if it allows a firm from Germany or another EU member state to provide services, they are breaching their MFN commitments. France could try to defend SecNumCloud through WTO exceptions related to the protection of privacy and the specific exception for national security.The protection of privacy exception states the measure is needed for “the protection of the privacy of individuals in relation to the processing and dissemination of personal data and the protection of confidentiality of individual records and accounts.” But this is specious. There is ample evidence that EU member states do not ensure greater protection of privacy—e.g., in the case of government surveillance—than the EU’s leading trading partners. A central question with such a case would be whether reasonnable alternatives (to data localization, foreign ownership, and control caps) are available to address the stated public policy issue. However, even if France did try to defend itself via this or another exception, France would bear the burden of proof to defend its use of these trade law exceptions. The measure would be assessed on the basis of necessity (that this type of restriction is needed to address this listed exception) and proportionality (that it is no less trade-distorting than necessary). Even then, the exception would not apply if the measure is arbitrarily or unjustifiably discriminatory or a disguised restriction on trade. France could also try to use the national security exception (below). Until recently, countries generally tried to avoid using this exception, as the broad language could be used to undermine all manner of trade commitments. Also, using it in a trade dispute raises the prospect that a dispute panel may well end with a judgment that ultimately constrains how countries use the exception. WTO: GATS Article XIV bis Security Exceptions Nothing in this Agreement shall be construed: (a) to require any contracting party to furnish any information the disclosure of which it considers contrary to its essential security interests; or (b) to prevent any contracting party from taking any action which it considers necessary for the protection of its essential security interests (i) relating to fissionable materials or the materials from which they are derived; (ii) relating to the traffic in arms, ammunition, and implements of war and to such traffic in other goods and materials as is carried on directly or indirectly for the purpose of supplying a military establishment; (iii) taken in time of war or other emergency in international relations; or (c) to prevent any contracting party from taking any action in pursuance of its obligations under the United Nations Charter for the maintenance of international peace and security. Most recently, the Trump administration misguidedly invoked the national security exception to justify tariffs on steel and aluminum. It tried to make the case that national security was not a matter the WTO could even adjudicate (i.e., that it is nonjusticiable). However, the WTO dispute settlement body thought otherwise, stating national security is not a get-out-of-jail-free card for members to enact whatever trade restrictions they want. Similarly in 2019, a dispute between Russia and Ukraine in which Russia claimed it had taken trade-restrictive measures for the purpose of protecting its national security, resulted in a landmark judgment. A WTO dispute settlement panel stated that it can review national security cases and objectively determine whether the circumstances in one of the sub-clauses of Article XXI(b) exists and whether the measure has a plausible connection to the circumstance identified. Furthermore, it defined “emergency in international relations” in a commonsense way, meaning WTO members couldn’t simply self-define an emergency to justify national security-related trade restrictions. The WTO Is Paralyzed: But Countries Should Highlight the Clear Potential for a Future Case The WTO trade dispute process is paralyzed at the moment as the United States continues to hold it hostage in pushing for reforms. However, this shouldn’t stop the United States, United Kingdom, and others with a clear interest in the EU digital economy from raising the potential for such a case in their discussions with French and EU officials. Trade lawyers from the United States and other countries have been reluctant to initiate these types of GATS cases, even though data localization and other restrictions impacting cross-border services trade continue to spread. For example, the EU’s General Data Protection Regulation (GDPR), and more recently its Digital Markets Act, indirectly and explicitly target U.S. firms and goods and services for discriminatory treatment. Something needs to change. WTO commitments either apply to modern services trade or they don’t. The reluctance of WTO members—namely, Australia, Chile, Japan, New Zealand, Singapore, the United Kingdom, the United States, and others—who otherwise expend a lot of time and energy negotiating new digital trade rules and agreements outside of the WTO (and inside it, at the Joint Statement Initiative (JSI) e-commerce negotiations) to push back and initiate cases only perpetuates the status quo of rising data and IT mercantilism. Another Barrier to Transatlantic Digital Trade and Cooperation: Why the European Commission and Other EU Members Should Step In After France nearly derailed the inaugural TTC meeting, France’s advocacy for new cybersecurity restrictions undermines efforts to work with the United States at the TTC, including in the working group on ICT security. The next TTC meeting is on May 15-16 in Paris. Discriminatory cybersecurity regulations that target U.S. cloud service providers would add another entry to the long and growing list of EU attacks on U.S. tech companies that will hurt the transatlantic relationship if not revised. The United States and EU need to focus on removing irritants to the bilateral trade relationship to focus on the bigger picture (namely, the challenges posed by China and Russia in international affairs). It would also overshadow—and undermine—the new Trans-Atlantic Data Privacy Framework (which is the successor to the EU-U.S. Privacy Shield). U.S. cloud firms would be blocked from providing services to a large part of the EU digital economy, never mind being able to manage and transfer associated data overseas. But the disconnect is broader. As so often is the case with European economic and strategic policy, Europe wants it both ways in that Thierry Breton (Commissioner for the Internal Market) stated he wants to work in lockstep with the United States on a new EU-wide “Cyber Shield” to detect and respond to cyber-attacks. But just without American (or other countries’) cloud firms. The European Commission—which would have to defend these measures in any WTO dispute—and EU member states that support an open, rules-based, and cooperative transatlantic digital trade regime should intervene and head off France’s efforts to align Europe with Chinese digital protectionism. Thankfully some EU members (namely, the “D9+” group of countries, Belgium, Denmark, Estonia, Finland, Ireland, Luxembourg, Netherlands, Poland, Portugal, Spain, the Czech Republic and Sweden) have started raising specific concerns and issues about ENISA’s draft proposals with the Commission. A non-paper by Ireland, Sweden, and the Netherlands lays out a broad range of sensible points and recommendations, including (directly quoted) that: We should look at the whole framework of possible EU action, and see what measures could improve Europe’s data sovereignty. For example, it could be strengthened by enhancing control on European data by more generic legislation at the EU level such as the Data Act, rather than imposing technical security requirements in a cloud scheme under the Cybersecurity Act. The consequences of proposed sovereignty requirements should be studied carefully by relevant experts, including from competent authorities and relevant private sector stakeholders. An impact assessment of the requirements is needed and should include an analysis of economic effects. The Cloud certification scheme concerns all categories of data, including both personal and non-personal data. Personal data is explicitly regulated by the GDPR6. Non-compliance of privacy issues (Schrems II Judgement), must be governed in the context of the GDPR. It is therefore advised to discuss this with the European Data Protection Board (EDPB), instead of integrating this in the Cloud certification scheme. Any possible measure should strengthen the European digital single market. We should not adopt measures which will hamper the single market or the development of small-medium sized enterprises (SMEs) or startups. Fragmentation of the European market must be prevented. Any possible measures should not breach existing or hamper future (bilateral, plurilateral or multilateral) trade-agreements between the EU and third countries. In specific circumstances (e.g., in the area of national security) localization requirements can be justified. Such requirements should be supported by solid safeguards. This is in accordance with the EU Cybersecurity Act. The Cloud scheme must not be delayed more than it already is, in order for the implementation of the Cybersecurity Act to maintain momentum. Where to From Here? The European Commission, D9+ EU member states, and EU trading partners need to step up their pushback against France’s efforts to create these sovereignty requirements. The United States (and other trading partners) should (again) directly engage France, the European Commission, and other EU member states on SecNumCloud and ENISA developments. France has reportedly pushed back, pointing to the U.S’s own similarly misguided data localization requirements for certain confidential and sensitive government data and services, including the U.S. GovCloud program and contracts under the Federal Risk and Authorization Management Program (FedRAMP, which provides a standardized approach to cloud security services for government services). However, these programs are far narrower. They are for U.S. government agencies and contractors, especially those with stringent regulatory compliance requirements, such as under the International Traffic and Arms Regulation (i.e., export controls), the U.S. Department of Defense’s Security Requirements Guide, and the Criminal Justice Information Services Security Policy and Addendum. Furthermore, foreign firms have been certified “FedRAMP High,” which allows them to manage some of the U.S. federal government’s most sensitive, unclassified data, such as those related to law enforcement and emergency services. While U.S. localization requirements are still misguided, they are far narrower as they don’t affect broader market access for commercial cloud services. The United States and EU should also add the issue of extraterritorial access to data to the TTC agenda and to ongoing discussions at the Organization for Economic Cooperation and Development on developing principles and a framework around trusted government access to data. This issue is broader than the United States and relates to all governments. It’s separate—though obviously related—to negotiations for a new Trans-Atlantic Data Privacy Framework, but it deserves specific attention given it is being used in France and other countries to justify restrictions on data and digital services. Failing changes to SecNumCloud and ENISA proposals, and a constructive response at the TTC, the United States (and other trading partners) should review the cybersecurity support they provide the EU and its member states. If enacted, the U.S. Department of Commerce and U.S. Trade Representative should consider countermeasures to target French and European service firms and their exports. This could start with a Section 301 investigation, which would hopefully lead to the application of the service-related provisions of Section 301 of the Trade Act of 1974. While traditionally used to enact tariffs, Section 301 also provides the U.S. government the option to apply fees and other restrictions on services, which the United States should finally bring to life unless the EU changes course. Ultimately, it would be disappointing if France and the EU added another major barrier to mutually beneficial digital trade and digital cooperation (in this case, on cybersecurity) to the transatlantic relationship just as the two sides work at the TTC to get into lockstep on greater shared challenges, such as how to use security assessments for cloud certifications and how to improve cybersecurity for critical infrastructure.
