中国作为数字经济强国的实力来源于其对大数据、人工智能和其他新兴技术以及数字贸易的关注。但美国对芯片出口的贸易限制和其他脱钩措施可能会阻碍其未来在这些领域的增长。国际治理创新中心于2022年11月28日举办了一次虚拟研讨会,在中国数字治理实践的背景下探讨这些问题。来自加拿大、中国、欧洲、新加坡和美国的专家研究了上述三个领域的事态发展,以考察其当前和未来的全球影响
本文描绘了不断发展的数据本地化景观。这表明数据本地化措施的数量正在增加,而且这些措施本身的限制性也越来越强。该文件强调,需要更好地了解和监测不断变化的监管环境,以期对数据本地化的经济和社会影响进行实证分析。这一问题在正在进行的数据本地化讨论中尤为重要,无论是在优惠贸易协议中还是在世贸组织关于电子商务的联合声明倡议中。
On March 8, 2022, France enacted updated “sovereignty requirements” as part of a new cybersecurity certification and labeling program known as SecNumCloud. This post analyses how these restrictions breach both France and the European Union’s (EU) commitments under the World Trade Organization’s General Agreement on Trade in Services (GATS), especially as it relates to national treatment, most-favored-nation (MFN), and market access. It also analyzes the implications for transatlantic digital trade and cooperation, including at the Trade and Technology Council (TTC). SecNumCloud’s “sovereignty requirements” disadvantage—and effectively preclude—foreign cloud firms from providing services to government agencies as well as to 600-plus firms that operate “vital” and “essential” services. The latest SecNumCloud guidance (v3.2, March 2022) retains broad data localization requirements for all data (both personal and non-personal) and foreign ownership and board limits, which would effectively force foreign firms to set up a local joint venture to be certified under SecNumCloud as “trusted” and thus able to manage Europea data and digital services. A prior post for the Cross-Border Data Forum also analyzed this proposal and how it breached EU trade law commitments under the WTO Government Procurement Agreement (GPA). SecNumCloud’s restrictions deserve greater attention as its impact on data governance and digital trade will potentially (and quickly) grow in France and the EU (never mind if other countries adopt similar sovereign cloud policies). France is leading efforts to embed SecNumCloud’s “sovereignty” requirements in the European Union Agency for Cybersecurity’s (ENISA) Cybersecurity Cloud Services scheme, which is under development. ENISA is running an opaque process without broad and open stakeholder engagement, partially because it realizes that these types of provisions are heavily criticized. ENISA hopes to finalize its draft proposal by mid-2022 and enact it in early 2023. The United States reportedly raised concerns directly with the French government, which seems unperturbed; it released the final SecNumCloud proposal largely unchanged and continues to push for the proposal’s application in ENISA. Ultimately, if U.S. cloud firms can’t operate in a significant portion of the EU digital economy and therefore can’t manage and transfer associated data for supposed cybersecurity reasons, the new Trans-Atlantic Data Privacy Framework isn’t nearly as valuable or meaningful. GATS Trade Law: A Strong Case that SecNumCloud Breaches France’s and the EU’s Market Access, National Treatment, and Most Favored Nation Commitments on Cloud Services France’s application of SecNumCloud to public—and private—sector players raises significant issues in light of the commitments that France and the EU undertook under the GATS, most particularly market access, national treatment, and MFN treatment. The early evidence is in: since its first introduction in 2016, only four companies—all French—have been certified under SecNumCloud. In essence, in both form and substance, this replicates China’s use of similar restrictions for foreign cloud services firms (for digital protectionism and authoritarian purposes). France and the EU committed under the GATS to provide market access—including cross-border (or “mode 1”) access—to foreign suppliers of computer and related services (CRS) without restrictions (except for Malta and the Slovak Republic). They also committed to accord such companies “no less favorable” treatment than domestic suppliers of these services (the core WTO principle of national treatment, in terms of treating foreigners and locals and their products equally). They also committed to provide similar fair treatment to third-country suppliers (the principle of MFN, where countries cannot discriminate between trading partners). And the EU is on the record at the WTO that cloud computing is a CRS (see, e.g., page 16 of this Council for Trade in Services report), so its WTO commitments clearly cover these services. The latest version of SecNumCloud explicitly requires suppliers of cloud computing services to store and process their customers’ data within the EU. This effectively constitutes a ban—or a “zero quota” in WTO terminology—on the cross-border supply of these services. In the U.S. gambling case at the WTO’s dispute settlement body (DS285: United States—Measures Affecting the Cross-Border Supply of Gambling and Betting Services), the WTO made it clear that a zero quota (in that case, the United States blocking of Internet gambling from Antigua) violates the GATS market access obligation (specifically, Article XVI:2(a)). There is also a strong argument to be made based on the core WTO principles of national treatment and MFN that under SecNumCloud-like restrictions, France and the EU will treat foreign suppliers less favorably than domestic and third-country suppliers. As noted above, France and the EU have full commitments for national treatment and MFN for cloud-related services, with very limited exceptions. Essentially, the national treatment commitment is interpreted as meaning that if a regulation affects competitive conditions in the market to the detriment of foreign suppliers, there is a violation. That is plainly the case here, since EU suppliers will be allowed to provide cloud services without restriction while foreign suppliers are restricted from processing and storing customer data in their home countries. Similarly, SecNumCloud breaches MFN obligations as it creates differences between suppliers in different WTO member countries. If France allows cloud companies from a given WTO member country to provide cross-border cloud services from their home country while preventing companies from another WTO member country from doing the same (or otherwise modifying the conditions of competition to their detriment), there is a violation. And since France is a member of the WTO in its own right, if it allows a firm from Germany or another EU member state to provide services, they are breaching their MFN commitments. France could try to defend SecNumCloud through WTO exceptions related to the protection of privacy and the specific exception for national security.The protection of privacy exception states the measure is needed for “the protection of the privacy of individuals in relation to the processing and dissemination of personal data and the protection of confidentiality of individual records and accounts.” But this is specious. There is ample evidence that EU member states do not ensure greater protection of privacy—e.g., in the case of government surveillance—than the EU’s leading trading partners. A central question with such a case would be whether reasonnable alternatives (to data localization, foreign ownership, and control caps) are available to address the stated public policy issue. However, even if France did try to defend itself via this or another exception, France would bear the burden of proof to defend its use of these trade law exceptions. The measure would be assessed on the basis of necessity (that this type of restriction is needed to address this listed exception) and proportionality (that it is no less trade-distorting than necessary). Even then, the exception would not apply if the measure is arbitrarily or unjustifiably discriminatory or a disguised restriction on trade. France could also try to use the national security exception (below). Until recently, countries generally tried to avoid using this exception, as the broad language could be used to undermine all manner of trade commitments. Also, using it in a trade dispute raises the prospect that a dispute panel may well end with a judgment that ultimately constrains how countries use the exception. WTO: GATS Article XIV bis Security Exceptions Nothing in this Agreement shall be construed: (a) to require any contracting party to furnish any information the disclosure of which it considers contrary to its essential security interests; or (b) to prevent any contracting party from taking any action which it considers necessary for the protection of its essential security interests (i) relating to fissionable materials or the materials from which they are derived; (ii) relating to the traffic in arms, ammunition, and implements of war and to such traffic in other goods and materials as is carried on directly or indirectly for the purpose of supplying a military establishment; (iii) taken in time of war or other emergency in international relations; or (c) to prevent any contracting party from taking any action in pursuance of its obligations under the United Nations Charter for the maintenance of international peace and security. Most recently, the Trump administration misguidedly invoked the national security exception to justify tariffs on steel and aluminum. It tried to make the case that national security was not a matter the WTO could even adjudicate (i.e., that it is nonjusticiable). However, the WTO dispute settlement body thought otherwise, stating national security is not a get-out-of-jail-free card for members to enact whatever trade restrictions they want. Similarly in 2019, a dispute between Russia and Ukraine in which Russia claimed it had taken trade-restrictive measures for the purpose of protecting its national security, resulted in a landmark judgment. A WTO dispute settlement panel stated that it can review national security cases and objectively determine whether the circumstances in one of the sub-clauses of Article XXI(b) exists and whether the measure has a plausible connection to the circumstance identified. Furthermore, it defined “emergency in international relations” in a commonsense way, meaning WTO members couldn’t simply self-define an emergency to justify national security-related trade restrictions. The WTO Is Paralyzed: But Countries Should Highlight the Clear Potential for a Future Case The WTO trade dispute process is paralyzed at the moment as the United States continues to hold it hostage in pushing for reforms. However, this shouldn’t stop the United States, United Kingdom, and others with a clear interest in the EU digital economy from raising the potential for such a case in their discussions with French and EU officials. Trade lawyers from the United States and other countries have been reluctant to initiate these types of GATS cases, even though data localization and other restrictions impacting cross-border services trade continue to spread. For example, the EU’s General Data Protection Regulation (GDPR), and more recently its Digital Markets Act, indirectly and explicitly target U.S. firms and goods and services for discriminatory treatment. Something needs to change. WTO commitments either apply to modern services trade or they don’t. The reluctance of WTO members—namely, Australia, Chile, Japan, New Zealand, Singapore, the United Kingdom, the United States, and others—who otherwise expend a lot of time and energy negotiating new digital trade rules and agreements outside of the WTO (and inside it, at the Joint Statement Initiative (JSI) e-commerce negotiations) to push back and initiate cases only perpetuates the status quo of rising data and IT mercantilism. Another Barrier to Transatlantic Digital Trade and Cooperation: Why the European Commission and Other EU Members Should Step In After France nearly derailed the inaugural TTC meeting, France’s advocacy for new cybersecurity restrictions undermines efforts to work with the United States at the TTC, including in the working group on ICT security. The next TTC meeting is on May 15-16 in Paris. Discriminatory cybersecurity regulations that target U.S. cloud service providers would add another entry to the long and growing list of EU attacks on U.S. tech companies that will hurt the transatlantic relationship if not revised. The United States and EU need to focus on removing irritants to the bilateral trade relationship to focus on the bigger picture (namely, the challenges posed by China and Russia in international affairs). It would also overshadow—and undermine—the new Trans-Atlantic Data Privacy Framework (which is the successor to the EU-U.S. Privacy Shield). U.S. cloud firms would be blocked from providing services to a large part of the EU digital economy, never mind being able to manage and transfer associated data overseas. But the disconnect is broader. As so often is the case with European economic and strategic policy, Europe wants it both ways in that Thierry Breton (Commissioner for the Internal Market) stated he wants to work in lockstep with the United States on a new EU-wide “Cyber Shield” to detect and respond to cyber-attacks. But just without American (or other countries’) cloud firms. The European Commission—which would have to defend these measures in any WTO dispute—and EU member states that support an open, rules-based, and cooperative transatlantic digital trade regime should intervene and head off France’s efforts to align Europe with Chinese digital protectionism. Thankfully some EU members (namely, the “D9+” group of countries, Belgium, Denmark, Estonia, Finland, Ireland, Luxembourg, Netherlands, Poland, Portugal, Spain, the Czech Republic and Sweden) have started raising specific concerns and issues about ENISA’s draft proposals with the Commission. A non-paper by Ireland, Sweden, and the Netherlands lays out a broad range of sensible points and recommendations, including (directly quoted) that: We should look at the whole framework of possible EU action, and see what measures could improve Europe’s data sovereignty. For example, it could be strengthened by enhancing control on European data by more generic legislation at the EU level such as the Data Act, rather than imposing technical security requirements in a cloud scheme under the Cybersecurity Act. The consequences of proposed sovereignty requirements should be studied carefully by relevant experts, including from competent authorities and relevant private sector stakeholders. An impact assessment of the requirements is needed and should include an analysis of economic effects. The Cloud certification scheme concerns all categories of data, including both personal and non-personal data. Personal data is explicitly regulated by the GDPR6. Non-compliance of privacy issues (Schrems II Judgement), must be governed in the context of the GDPR. It is therefore advised to discuss this with the European Data Protection Board (EDPB), instead of integrating this in the Cloud certification scheme. Any possible measure should strengthen the European digital single market. We should not adopt measures which will hamper the single market or the development of small-medium sized enterprises (SMEs) or startups. Fragmentation of the European market must be prevented. Any possible measures should not breach existing or hamper future (bilateral, plurilateral or multilateral) trade-agreements between the EU and third countries. In specific circumstances (e.g., in the area of national security) localization requirements can be justified. Such requirements should be supported by solid safeguards. This is in accordance with the EU Cybersecurity Act. The Cloud scheme must not be delayed more than it already is, in order for the implementation of the Cybersecurity Act to maintain momentum. Where to From Here? The European Commission, D9+ EU member states, and EU trading partners need to step up their pushback against France’s efforts to create these sovereignty requirements. The United States (and other trading partners) should (again) directly engage France, the European Commission, and other EU member states on SecNumCloud and ENISA developments. France has reportedly pushed back, pointing to the U.S’s own similarly misguided data localization requirements for certain confidential and sensitive government data and services, including the U.S. GovCloud program and contracts under the Federal Risk and Authorization Management Program (FedRAMP, which provides a standardized approach to cloud security services for government services). However, these programs are far narrower. They are for U.S. government agencies and contractors, especially those with stringent regulatory compliance requirements, such as under the International Traffic and Arms Regulation (i.e., export controls), the U.S. Department of Defense’s Security Requirements Guide, and the Criminal Justice Information Services Security Policy and Addendum. Furthermore, foreign firms have been certified “FedRAMP High,” which allows them to manage some of the U.S. federal government’s most sensitive, unclassified data, such as those related to law enforcement and emergency services. While U.S. localization requirements are still misguided, they are far narrower as they don’t affect broader market access for commercial cloud services. The United States and EU should also add the issue of extraterritorial access to data to the TTC agenda and to ongoing discussions at the Organization for Economic Cooperation and Development on developing principles and a framework around trusted government access to data. This issue is broader than the United States and relates to all governments. It’s separate—though obviously related—to negotiations for a new Trans-Atlantic Data Privacy Framework, but it deserves specific attention given it is being used in France and other countries to justify restrictions on data and digital services. Failing changes to SecNumCloud and ENISA proposals, and a constructive response at the TTC, the United States (and other trading partners) should review the cybersecurity support they provide the EU and its member states. If enacted, the U.S. Department of Commerce and U.S. Trade Representative should consider countermeasures to target French and European service firms and their exports. This could start with a Section 301 investigation, which would hopefully lead to the application of the service-related provisions of Section 301 of the Trade Act of 1974. While traditionally used to enact tariffs, Section 301 also provides the U.S. government the option to apply fees and other restrictions on services, which the United States should finally bring to life unless the EU changes course. Ultimately, it would be disappointing if France and the EU added another major barrier to mutually beneficial digital trade and digital cooperation (in this case, on cybersecurity) to the transatlantic relationship just as the two sides work at the TTC to get into lockstep on greater shared challenges, such as how to use security assessments for cloud certifications and how to improve cybersecurity for critical infrastructure.
On March 8, 2022, France enacted updated “sovereignty requirements” as part of a new cybersecurity certification and labeling program known as SecNumCloud. This post analyses how these restrictions breach both France and the European Union’s (EU) commitments under the World Trade Organization’s General Agreement on Trade in Services (GATS), especially as it relates to national treatment, most-favored-nation (MFN), and market access. It also analyzes the implications for transatlantic digital trade and cooperation, including at the Trade and Technology Council (TTC). SecNumCloud’s “sovereignty requirements” disadvantage—and effectively preclude—foreign cloud firms from providing services to government agencies as well as to 600-plus firms that operate “vital” and “essential” services. The latest SecNumCloud guidance (v3.2, March 2022) retains broad data localization requirements for all data (both personal and non-personal) and foreign ownership and board limits, which would effectively force foreign firms to set up a local joint venture to be certified under SecNumCloud as “trusted” and thus able to manage Europea data and digital services. A prior post for the Cross-Border Data Forum also analyzed this proposal and how it breached EU trade law commitments under the WTO Government Procurement Agreement (GPA). SecNumCloud’s restrictions deserve greater attention as its impact on data governance and digital trade will potentially (and quickly) grow in France and the EU (never mind if other countries adopt similar sovereign cloud policies). France is leading efforts to embed SecNumCloud’s “sovereignty” requirements in the European Union Agency for Cybersecurity’s (ENISA) Cybersecurity Cloud Services scheme, which is under development. ENISA is running an opaque process without broad and open stakeholder engagement, partially because it realizes that these types of provisions are heavily criticized. ENISA hopes to finalize its draft proposal by mid-2022 and enact it in early 2023. The United States reportedly raised concerns directly with the French government, which seems unperturbed; it released the final SecNumCloud proposal largely unchanged and continues to push for the proposal’s application in ENISA. Ultimately, if U.S. cloud firms can’t operate in a significant portion of the EU digital economy and therefore can’t manage and transfer associated data for supposed cybersecurity reasons, the new Trans-Atlantic Data Privacy Framework isn’t nearly as valuable or meaningful. GATS Trade Law: A Strong Case that SecNumCloud Breaches France’s and the EU’s Market Access, National Treatment, and Most Favored Nation Commitments on Cloud Services France’s application of SecNumCloud to public—and private—sector players raises significant issues in light of the commitments that France and the EU undertook under the GATS, most particularly market access, national treatment, and MFN treatment. The early evidence is in: since its first introduction in 2016, only four companies—all French—have been certified under SecNumCloud. In essence, in both form and substance, this replicates China’s use of similar restrictions for foreign cloud services firms (for digital protectionism and authoritarian purposes). France and the EU committed under the GATS to provide market access—including cross-border (or “mode 1”) access—to foreign suppliers of computer and related services (CRS) without restrictions (except for Malta and the Slovak Republic). They also committed to accord such companies “no less favorable” treatment than domestic suppliers of these services (the core WTO principle of national treatment, in terms of treating foreigners and locals and their products equally). They also committed to provide similar fair treatment to third-country suppliers (the principle of MFN, where countries cannot discriminate between trading partners). And the EU is on the record at the WTO that cloud computing is a CRS (see, e.g., page 16 of this Council for Trade in Services report), so its WTO commitments clearly cover these services. The latest version of SecNumCloud explicitly requires suppliers of cloud computing services to store and process their customers’ data within the EU. This effectively constitutes a ban—or a “zero quota” in WTO terminology—on the cross-border supply of these services. In the U.S. gambling case at the WTO’s dispute settlement body (DS285: United States—Measures Affecting the Cross-Border Supply of Gambling and Betting Services), the WTO made it clear that a zero quota (in that case, the United States blocking of Internet gambling from Antigua) violates the GATS market access obligation (specifically, Article XVI:2(a)). There is also a strong argument to be made based on the core WTO principles of national treatment and MFN that under SecNumCloud-like restrictions, France and the EU will treat foreign suppliers less favorably than domestic and third-country suppliers. As noted above, France and the EU have full commitments for national treatment and MFN for cloud-related services, with very limited exceptions. Essentially, the national treatment commitment is interpreted as meaning that if a regulation affects competitive conditions in the market to the detriment of foreign suppliers, there is a violation. That is plainly the case here, since EU suppliers will be allowed to provide cloud services without restriction while foreign suppliers are restricted from processing and storing customer data in their home countries. Similarly, SecNumCloud breaches MFN obligations as it creates differences between suppliers in different WTO member countries. If France allows cloud companies from a given WTO member country to provide cross-border cloud services from their home country while preventing companies from another WTO member country from doing the same (or otherwise modifying the conditions of competition to their detriment), there is a violation. And since France is a member of the WTO in its own right, if it allows a firm from Germany or another EU member state to provide services, they are breaching their MFN commitments. France could try to defend SecNumCloud through WTO exceptions related to the protection of privacy and the specific exception for national security.The protection of privacy exception states the measure is needed for “the protection of the privacy of individuals in relation to the processing and dissemination of personal data and the protection of confidentiality of individual records and accounts.” But this is specious. There is ample evidence that EU member states do not ensure greater protection of privacy—e.g., in the case of government surveillance—than the EU’s leading trading partners. A central question with such a case would be whether reasonnable alternatives (to data localization, foreign ownership, and control caps) are available to address the stated public policy issue. However, even if France did try to defend itself via this or another exception, France would bear the burden of proof to defend its use of these trade law exceptions. The measure would be assessed on the basis of necessity (that this type of restriction is needed to address this listed exception) and proportionality (that it is no less trade-distorting than necessary). Even then, the exception would not apply if the measure is arbitrarily or unjustifiably discriminatory or a disguised restriction on trade. France could also try to use the national security exception (below). Until recently, countries generally tried to avoid using this exception, as the broad language could be used to undermine all manner of trade commitments. Also, using it in a trade dispute raises the prospect that a dispute panel may well end with a judgment that ultimately constrains how countries use the exception. WTO: GATS Article XIV bis Security Exceptions Nothing in this Agreement shall be construed: (a) to require any contracting party to furnish any information the disclosure of which it considers contrary to its essential security interests; or (b) to prevent any contracting party from taking any action which it considers necessary for the protection of its essential security interests (i) relating to fissionable materials or the materials from which they are derived; (ii) relating to the traffic in arms, ammunition, and implements of war and to such traffic in other goods and materials as is carried on directly or indirectly for the purpose of supplying a military establishment; (iii) taken in time of war or other emergency in international relations; or (c) to prevent any contracting party from taking any action in pursuance of its obligations under the United Nations Charter for the maintenance of international peace and security. Most recently, the Trump administration misguidedly invoked the national security exception to justify tariffs on steel and aluminum. It tried to make the case that national security was not a matter the WTO could even adjudicate (i.e., that it is nonjusticiable). However, the WTO dispute settlement body thought otherwise, stating national security is not a get-out-of-jail-free card for members to enact whatever trade restrictions they want. Similarly in 2019, a dispute between Russia and Ukraine in which Russia claimed it had taken trade-restrictive measures for the purpose of protecting its national security, resulted in a landmark judgment. A WTO dispute settlement panel stated that it can review national security cases and objectively determine whether the circumstances in one of the sub-clauses of Article XXI(b) exists and whether the measure has a plausible connection to the circumstance identified. Furthermore, it defined “emergency in international relations” in a commonsense way, meaning WTO members couldn’t simply self-define an emergency to justify national security-related trade restrictions. The WTO Is Paralyzed: But Countries Should Highlight the Clear Potential for a Future Case The WTO trade dispute process is paralyzed at the moment as the United States continues to hold it hostage in pushing for reforms. However, this shouldn’t stop the United States, United Kingdom, and others with a clear interest in the EU digital economy from raising the potential for such a case in their discussions with French and EU officials. Trade lawyers from the United States and other countries have been reluctant to initiate these types of GATS cases, even though data localization and other restrictions impacting cross-border services trade continue to spread. For example, the EU’s General Data Protection Regulation (GDPR), and more recently its Digital Markets Act, indirectly and explicitly target U.S. firms and goods and services for discriminatory treatment. Something needs to change. WTO commitments either apply to modern services trade or they don’t. The reluctance of WTO members—namely, Australia, Chile, Japan, New Zealand, Singapore, the United Kingdom, the United States, and others—who otherwise expend a lot of time and energy negotiating new digital trade rules and agreements outside of the WTO (and inside it, at the Joint Statement Initiative (JSI) e-commerce negotiations) to push back and initiate cases only perpetuates the status quo of rising data and IT mercantilism. Another Barrier to Transatlantic Digital Trade and Cooperation: Why the European Commission and Other EU Members Should Step In After France nearly derailed the inaugural TTC meeting, France’s advocacy for new cybersecurity restrictions undermines efforts to work with the United States at the TTC, including in the working group on ICT security. The next TTC meeting is on May 15-16 in Paris. Discriminatory cybersecurity regulations that target U.S. cloud service providers would add another entry to the long and growing list of EU attacks on U.S. tech companies that will hurt the transatlantic relationship if not revised. The United States and EU need to focus on removing irritants to the bilateral trade relationship to focus on the bigger picture (namely, the challenges posed by China and Russia in international affairs). It would also overshadow—and undermine—the new Trans-Atlantic Data Privacy Framework (which is the successor to the EU-U.S. Privacy Shield). U.S. cloud firms would be blocked from providing services to a large part of the EU digital economy, never mind being able to manage and transfer associated data overseas. But the disconnect is broader. As so often is the case with European economic and strategic policy, Europe wants it both ways in that Thierry Breton (Commissioner for the Internal Market) stated he wants to work in lockstep with the United States on a new EU-wide “Cyber Shield” to detect and respond to cyber-attacks. But just without American (or other countries’) cloud firms. The European Commission—which would have to defend these measures in any WTO dispute—and EU member states that support an open, rules-based, and cooperative transatlantic digital trade regime should intervene and head off France’s efforts to align Europe with Chinese digital protectionism. Thankfully some EU members (namely, the “D9+” group of countries, Belgium, Denmark, Estonia, Finland, Ireland, Luxembourg, Netherlands, Poland, Portugal, Spain, the Czech Republic and Sweden) have started raising specific concerns and issues about ENISA’s draft proposals with the Commission. A non-paper by Ireland, Sweden, and the Netherlands lays out a broad range of sensible points and recommendations, including (directly quoted) that: We should look at the whole framework of possible EU action, and see what measures could improve Europe’s data sovereignty. For example, it could be strengthened by enhancing control on European data by more generic legislation at the EU level such as the Data Act, rather than imposing technical security requirements in a cloud scheme under the Cybersecurity Act. The consequences of proposed sovereignty requirements should be studied carefully by relevant experts, including from competent authorities and relevant private sector stakeholders. An impact assessment of the requirements is needed and should include an analysis of economic effects. The Cloud certification scheme concerns all categories of data, including both personal and non-personal data. Personal data is explicitly regulated by the GDPR6. Non-compliance of privacy issues (Schrems II Judgement), must be governed in the context of the GDPR. It is therefore advised to discuss this with the European Data Protection Board (EDPB), instead of integrating this in the Cloud certification scheme. Any possible measure should strengthen the European digital single market. We should not adopt measures which will hamper the single market or the development of small-medium sized enterprises (SMEs) or startups. Fragmentation of the European market must be prevented. Any possible measures should not breach existing or hamper future (bilateral, plurilateral or multilateral) trade-agreements between the EU and third countries. In specific circumstances (e.g., in the area of national security) localization requirements can be justified. Such requirements should be supported by solid safeguards. This is in accordance with the EU Cybersecurity Act. The Cloud scheme must not be delayed more than it already is, in order for the implementation of the Cybersecurity Act to maintain momentum. Where to From Here? The European Commission, D9+ EU member states, and EU trading partners need to step up their pushback against France’s efforts to create these sovereignty requirements. The United States (and other trading partners) should (again) directly engage France, the European Commission, and other EU member states on SecNumCloud and ENISA developments. France has reportedly pushed back, pointing to the U.S’s own similarly misguided data localization requirements for certain confidential and sensitive government data and services, including the U.S. GovCloud program and contracts under the Federal Risk and Authorization Management Program (FedRAMP, which provides a standardized approach to cloud security services for government services). However, these programs are far narrower. They are for U.S. government agencies and contractors, especially those with stringent regulatory compliance requirements, such as under the International Traffic and Arms Regulation (i.e., export controls), the U.S. Department of Defense’s Security Requirements Guide, and the Criminal Justice Information Services Security Policy and Addendum. Furthermore, foreign firms have been certified “FedRAMP High,” which allows them to manage some of the U.S. federal government’s most sensitive, unclassified data, such as those related to law enforcement and emergency services. While U.S. localization requirements are still misguided, they are far narrower as they don’t affect broader market access for commercial cloud services. The United States and EU should also add the issue of extraterritorial access to data to the TTC agenda and to ongoing discussions at the Organization for Economic Cooperation and Development on developing principles and a framework around trusted government access to data. This issue is broader than the United States and relates to all governments. It’s separate—though obviously related—to negotiations for a new Trans-Atlantic Data Privacy Framework, but it deserves specific attention given it is being used in France and other countries to justify restrictions on data and digital services. Failing changes to SecNumCloud and ENISA proposals, and a constructive response at the TTC, the United States (and other trading partners) should review the cybersecurity support they provide the EU and its member states. If enacted, the U.S. Department of Commerce and U.S. Trade Representative should consider countermeasures to target French and European service firms and their exports. This could start with a Section 301 investigation, which would hopefully lead to the application of the service-related provisions of Section 301 of the Trade Act of 1974. While traditionally used to enact tariffs, Section 301 also provides the U.S. government the option to apply fees and other restrictions on services, which the United States should finally bring to life unless the EU changes course. Ultimately, it would be disappointing if France and the EU added another major barrier to mutually beneficial digital trade and digital cooperation (in this case, on cybersecurity) to the transatlantic relationship just as the two sides work at the TTC to get into lockstep on greater shared challenges, such as how to use security assessments for cloud certifications and how to improve cybersecurity for critical infrastructure.
多年来,商业框架一直在适应数字环境。事实上,联合国国际贸易法委员会(贸易法委员会)的《电子商务示范法》可以追溯到1996年,也就是世界贸易组织(世贸组织)成立一年后。,世贸组织在2021年没有一个正常运作的电子商务制度,这说明该组织在跟上贸易制度演变方面遇到了困难。,世贸组织正在努力追赶。2019年,它在76个(目前为86个)成员国之间启动了多边谈判,目的是达成一项电子商务贸易便利化协议,该协议可以降低贸易成本,增强数字和数字贸易的可预测性、互操作性和信任。,为数字化转型经济量身定制的贸易协议最全面的模板是智利、新西兰和新加坡之间的《数字经济伙伴关系协定》。,DEPA涵盖了电子商务的既定基础,因为它基本上将《跨太平洋伙伴关系全面与进步协定》的文本作为起点。有趣的是,在制定下一步发展一个成熟的制度时,DEPA会在这之后做些什么。,例如,该协议深入探讨了数字身份等问题,包括承诺尽最大努力促进技术互操作性或共同标准,以及对数字身份的可比保护水平。,直到最近,数字化转型还是在一个监管非常低的环境中展开的。这在一定程度上可能归因于领先的数字经济体美国倾向于低监管。在一定程度上,这可能归因于这样一个事实,即互联网作为数字经济的关键基础设施,其治理以自下而上的方式成功而稳健地发展,其中包括来自民间社会、企业、政府、学术界、国家和国际组织的众多利益攸关方,所有有贡献的标准和行政功能,而没有一个总体框架或中央管理机构。在一定程度上,这可能归因于老练的超级明星公司游说政府先发制人监管的主导作用——事实上,考虑到创新步伐的加快,政府在很大程度上落后于曲线。,随着对科技巨头,即所谓的技术冲击的强烈反对,那些日子已经一去不复返了。与此同时,美国和中国之间的新冷战,以及疫情导致的对在线系统的强化使用加速了数字化转型,为监管干预和制定新的国际规则以围绕这些干预设置护栏带来了新的紧迫压力。,在国家安全这一关键领域,目前正在以非常广泛的方式推进,包括从个人数据访问到工业供应链,再到大学研究伙伴关系的所有方面,对于所有形式的先进技术——数字化转型在多大程度上改变了范式的本质(特别是将数据流式传输到云端的智能设备的普遍性),这让人怀疑在世贸组织成立和《服贸总协定》通过时达成的协议能否合理维持。
2019年6月28日至29日,在日本大阪举行的二十国集团领导人会议间隙,加拿大和其他23国签署了《数字经济大阪宣言》。该宣言启动了“大阪轨道”,加强了签署国对世界贸易组织(WTO)“电子商务与贸易有关的方面”谈判的承诺。在这种情况下,与主要经济伙伴(中国、欧盟和美国)不同,加拿大尚未决定其立场。因此,本文件的目的是帮助加拿大确定其在这些谈判中的立场。为此,它对《跨太平洋伙伴关系全面与进步协定》(CPTPP)和《加拿大-美国-墨西哥协定》(CUSMA)中的电子商务/数字贸易章节进行了详细分析,这是北美自由贸易协定的替代品,以确定这些协议可能对联邦政府在全国范围内监管数据的能力施加的潜在限制,因为联邦政府试图为消费者和企业建立一个信任的数字环境。分析得出的结论是,加拿大的CPTPP和CUSMA承诺最终可能会否定联邦政府可能希望采取的未来数据保护政策的有效性,以在数据驱动的经济中建立信任。因此,加拿大不应在世贸组织谈判中遵循美国的立场。相反,加拿大能做的最好的事情是推动一个独特的国际制度(即与世贸组织分开)来管理数据及其跨境流动
本文概述了数字贸易对东盟国家及其中小企业带来的一些问题,包括数字化为东盟企业增加贸易提供了新的机会。然而,研究表明,采用相对简单的数字工具(如网页)的比例仍然相对较低,这限制了东盟中小企业作为出口商和进口商参与贸易的能力。本文认为,为了从数字贸易中获益,政策制定者需要考虑与访问数字网络相关的一系列新旧贸易问题。
数字化转型的快速加速对服务贸易产生了深远影响,但数字化的好处有可能被现有和新兴的贸易壁垒破坏。经合组织数字服务贸易限制指数(Digital STRI)是一种新的工具,用于识别、编目和量化影响数字贸易服务的交叉壁垒。它由两个组成部分组成,即监管数据库和指数,汇集了44个国家的可比信息。数字STRI显示了影响数字服务贸易的多样化和复杂的全球监管环境。此外,在过去几年中,这些指数显示出监管环境日益收紧,突显出需要进一步的国际合作和对话,以最大限度地发挥数字化的好处。
