Sanctions play a crucial role in the United States’ tech and trade conflict with China. They prevent Chinese companies from acquiring advanced U.S. technologies and entering the U.S. market. Huawei—the world’s largest telecommunications firm—is among the most targeted Chinese firms due to concerns that it assists the Chinese Communist Party in spying on the United States (and its allies). While sanctions against Huawei are justifiable, the Biden administration needs to ensure that these sanctions don’t inadvertently harm other U.S. technological and economic interests. The 2019 U.S. sanctions against Huawei had unintended consequences on the open technical standards system, underpinning America’s position as a global tech leader. Notably, the sanctions fractured the standard to measure and compare the energy efficiency of data center servers. China created its own duplicative and objectively worse standard. Not only must firms use this standard in China, but China is also advocating that others, such as the European Union, use its standard here as well. The Biden administration eventually addressed these sanctions’ impact on standards activities, but the damage was done. The case highlights why the Biden administration should take a nuanced approach to addressing national security issues that involve technical standards.
The U.S. State Department has highlighted three broad policy priorities—interconnection, innovation, and inclusion—to guide the United States during its year as host and chair of the Asia-Pacific Economic Cooperation (APEC). The Biden administration, however, has not provided high-level direction for exactly what it hopes to achieve. Thankfully, this has not stopped the United States’ highly capable economic policy officials from laying the groundwork to make its APEC host year a success. The first APEC Senior Officials’ Meeting (SOM) in Palm Springs included productive digital policy discussions. The United States should build on this momentum at SOM 2 and 3, the trade ministers meeting, and other meetings to push for a pragmatic, yet realistic, digital agenda that includes electronic invoices (e-invoices); electronic labels (e-labels); an Asia-Pacific regional data commons via data-sharing models, especially for health data; action on improving digital skills for the workforce; and cybersecurity for critical infrastructure and government services, among other measures.
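Difficulty in understanding data has led to poor analogies (the new oil, the new bacon, or the new gold) and to poor government policies, because policymakers cannot conduct informed cost-benefit analyses of digital policies such as privacy, cybersecurity, digital trade, or innovation.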
Bangladesh's digital future is at a critical juncture as its draft Data Protection Act includes requirements to compel firms to store data locally – a concept known as data localisation. Localisation would create a lose-lose situation for Bangladesh. It undermines Bangladesh's ability to get the most out of the data and digital tools that drive digital development. New econometric analysis shows that its trade and economy will suffer severely. Localisation also doesn't do the things its supporters say it does in terms of privacy and cybersecurity. As Nigel Cory writes in the Daily Star, there is still a long way to go, but Bangladesh has made remarkable progress in helping more people and businesses get online and benefit from data, digital technologies, and global connectivity. Because of this, Bangladeshi policymakers have a lot at stake in enacting data policies. They face one central question: do they follow a smart data governance strategy (that holds firms accountable for following local laws when they move data abroad, a principle most countries embrace) or do they pursue data localisation in a misguided pursuit of digital control and protectionism? Both paths allow for data privacy, cybersecurity, law enforcement, and national security policies, but the latter will be much more costly to the digital economy. With misguided localisation policies, Bangladesh's early progress and future promise are at risk. What path will Bangladesh's policymakers take as they conduct a final review of the country's Data Protection Act? The path to a false and costly promise of digital protectionism and control? Or will they choose one that's based on targeted and balanced laws that reflect global data-policy norms that keep Bangladesh integrated with the global digital economy? Hopefully, it's the latter. Read the op-ed.
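Europe claims it wants to strengthen transatlantic digital cooperation, but it systematically excludes U.S. companies from its technical standards-setting processes. A true transatlantic digital alliance requires genuine EU-U.S. cooperation on technical standards.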
On March 8, 2022, France enacted updated “sovereignty requirements” as part of a new cybersecurity certification and labeling program known as SecNumCloud. This post analyses how these restrictions breach both France and the European Union’s (EU) commitments under the World Trade Organization’s General Agreement on Trade in Services (GATS), especially as it relates to national treatment, most-favored-nation (MFN), and market access. It also analyzes the implications for transatlantic digital trade and cooperation, including at the Trade and Technology Council (TTC). SecNumCloud’s “sovereignty requirements” disadvantage—and effectively preclude—foreign cloud firms from providing services to government agencies as well as to 600-plus firms that operate “vital” and “essential” services. The latest SecNumCloud guidance (v3.2, March 2022) retains broad data localization requirements for all data (both personal and non-personal) and foreign ownership and board limits, which would effectively force foreign firms to set up a local joint venture to be certified under SecNumCloud as “trusted” and thus able to manage European data and digital services. A prior post for the Cross-Border Data Forum also analyzed this proposal and how it breached EU trade law commitments under the WTO Government Procurement Agreement (GPA). SecNumCloud’s restrictions deserve greater attention as its impact on data governance and digital trade will potentially (and quickly) grow in France and the EU (never mind if other countries adopt similar sovereign cloud policies). France is leading efforts to embed SecNumCloud’s “sovereignty” requirements in the European Union Agency for Cybersecurity’s (ENISA) Cybersecurity Cloud Services scheme, which is under development. ENISA is running an opaque process without broad and open stakeholder engagement, partially because it realizes that these types of provisions are heavily criticized.
ENISA hopes to finalize its draft proposal by mid-2022 and enact it in early 2023. The United States reportedly raised concerns directly with the French government, which seems unperturbed; it released the final SecNumCloud proposal largely unchanged and continues to push for the proposal’s application in ENISA. Ultimately, if U.S. cloud firms can’t operate in a significant portion of the EU digital economy and therefore can’t manage and transfer associated data for supposed cybersecurity reasons, the new Trans-Atlantic Data Privacy Framework isn’t nearly as valuable or meaningful. GATS Trade Law: A Strong Case that SecNumCloud Breaches France’s and the EU’s Market Access, National Treatment, and Most Favored Nation Commitments on Cloud Services France’s application of SecNumCloud to public—and private—sector players raises significant issues in light of the commitments that France and the EU undertook under the GATS, most particularly market access, national treatment, and MFN treatment. The early evidence is in: since its first introduction in 2016, only four companies—all French—have been certified under SecNumCloud. In essence, in both form and substance, this replicates China’s use of similar restrictions for foreign cloud services firms (for digital protectionism and authoritarian purposes). France and the EU committed under the GATS to provide market access—including cross-border (or “mode 1”) access—to foreign suppliers of computer and related services (CRS) without restrictions (except for Malta and the Slovak Republic). They also committed to accord such companies “no less favorable” treatment than domestic suppliers of these services (the core WTO principle of national treatment, in terms of treating foreigners and locals and their products equally). They also committed to provide similar fair treatment to third-country suppliers (the principle of MFN, where countries cannot discriminate between trading partners). 
And the EU is on the record at the WTO that cloud computing is a CRS (see, e.g., page 16 of this Council for Trade in Services report), so its WTO commitments clearly cover these services. The latest version of SecNumCloud explicitly requires suppliers of cloud computing services to store and process their customers’ data within the EU. This effectively constitutes a ban—or a “zero quota” in WTO terminology—on the cross-border supply of these services. In the U.S. gambling case at the WTO’s dispute settlement body (DS285: United States—Measures Affecting the Cross-Border Supply of Gambling and Betting Services), the WTO made it clear that a zero quota (in that case, the United States blocking of Internet gambling from Antigua) violates the GATS market access obligation (specifically, Article XVI:2(a)). There is also a strong argument to be made based on the core WTO principles of national treatment and MFN that under SecNumCloud-like restrictions, France and the EU will treat foreign suppliers less favorably than domestic and third-country suppliers. As noted above, France and the EU have full commitments for national treatment and MFN for cloud-related services, with very limited exceptions. Essentially, the national treatment commitment is interpreted as meaning that if a regulation affects competitive conditions in the market to the detriment of foreign suppliers, there is a violation. That is plainly the case here, since EU suppliers will be allowed to provide cloud services without restriction while foreign suppliers are restricted from processing and storing customer data in their home countries. Similarly, SecNumCloud breaches MFN obligations as it creates differences between suppliers in different WTO member countries. 
If France allows cloud companies from a given WTO member country to provide cross-border cloud services from their home country while preventing companies from another WTO member country from doing the same (or otherwise modifying the conditions of competition to their detriment), there is a violation. And since France is a member of the WTO in its own right, if it allows a firm from Germany or another EU member state to provide services, they are breaching their MFN commitments. France could try to defend SecNumCloud through WTO exceptions related to the protection of privacy and the specific exception for national security. The protection of privacy exception states the measure is needed for “the protection of the privacy of individuals in relation to the processing and dissemination of personal data and the protection of confidentiality of individual records and accounts.” But this is specious. There is ample evidence that EU member states do not ensure greater protection of privacy—e.g., in the case of government surveillance—than the EU’s leading trading partners. A central question with such a case would be whether reasonable alternatives (to data localization, foreign ownership, and control caps) are available to address the stated public policy issue. However, even if France did try to defend itself via this or another exception, France would bear the burden of proof to defend its use of these trade law exceptions. The measure would be assessed on the basis of necessity (that this type of restriction is needed to address this listed exception) and proportionality (that it is no less trade-distorting than necessary). Even then, the exception would not apply if the measure is arbitrarily or unjustifiably discriminatory or a disguised restriction on trade. France could also try to use the national security exception (below).
Until recently, countries generally tried to avoid using this exception, as the broad language could be used to undermine all manner of trade commitments. Also, using it in a trade dispute raises the prospect that a dispute panel may well end with a judgment that ultimately constrains how countries use the exception. WTO: GATS Article XIV bis Security Exceptions Nothing in this Agreement shall be construed: (a) to require any contracting party to furnish any information the disclosure of which it considers contrary to its essential security interests; or (b) to prevent any contracting party from taking any action which it considers necessary for the protection of its essential security interests (i) relating to fissionable materials or the materials from which they are derived; (ii) relating to the traffic in arms, ammunition, and implements of war and to such traffic in other goods and materials as is carried on directly or indirectly for the purpose of supplying a military establishment; (iii) taken in time of war or other emergency in international relations; or (c) to prevent any contracting party from taking any action in pursuance of its obligations under the United Nations Charter for the maintenance of international peace and security. Most recently, the Trump administration misguidedly invoked the national security exception to justify tariffs on steel and aluminum. It tried to make the case that national security was not a matter the WTO could even adjudicate (i.e., that it is nonjusticiable). However, the WTO dispute settlement body thought otherwise, stating national security is not a get-out-of-jail-free card for members to enact whatever trade restrictions they want. Similarly in 2019, a dispute between Russia and Ukraine in which Russia claimed it had taken trade-restrictive measures for the purpose of protecting its national security, resulted in a landmark judgment. 
A WTO dispute settlement panel stated that it can review national security cases and objectively determine whether the circumstances in one of the sub-clauses of Article XXI(b) exists and whether the measure has a plausible connection to the circumstance identified. Furthermore, it defined “emergency in international relations” in a commonsense way, meaning WTO members couldn’t simply self-define an emergency to justify national security-related trade restrictions. The WTO Is Paralyzed: But Countries Should Highlight the Clear Potential for a Future Case The WTO trade dispute process is paralyzed at the moment as the United States continues to hold it hostage in pushing for reforms. However, this shouldn’t stop the United States, United Kingdom, and others with a clear interest in the EU digital economy from raising the potential for such a case in their discussions with French and EU officials. Trade lawyers from the United States and other countries have been reluctant to initiate these types of GATS cases, even though data localization and other restrictions impacting cross-border services trade continue to spread. For example, the EU’s General Data Protection Regulation (GDPR), and more recently its Digital Markets Act, indirectly and explicitly target U.S. firms and goods and services for discriminatory treatment. Something needs to change. WTO commitments either apply to modern services trade or they don’t. The reluctance of WTO members—namely, Australia, Chile, Japan, New Zealand, Singapore, the United Kingdom, the United States, and others—who otherwise expend a lot of time and energy negotiating new digital trade rules and agreements outside of the WTO (and inside it, at the Joint Statement Initiative (JSI) e-commerce negotiations) to push back and initiate cases only perpetuates the status quo of rising data and IT mercantilism. 
Another Barrier to Transatlantic Digital Trade and Cooperation: Why the European Commission and Other EU Members Should Step In After France nearly derailed the inaugural TTC meeting, France’s advocacy for new cybersecurity restrictions undermines efforts to work with the United States at the TTC, including in the working group on ICT security. The next TTC meeting is on May 15-16 in Paris. Discriminatory cybersecurity regulations that target U.S. cloud service providers would add another entry to the long and growing list of EU attacks on U.S. tech companies that will hurt the transatlantic relationship if not revised. The United States and EU need to focus on removing irritants to the bilateral trade relationship to focus on the bigger picture (namely, the challenges posed by China and Russia in international affairs). It would also overshadow—and undermine—the new Trans-Atlantic Data Privacy Framework (which is the successor to the EU-U.S. Privacy Shield). U.S. cloud firms would be blocked from providing services to a large part of the EU digital economy, never mind being able to manage and transfer associated data overseas. But the disconnect is broader. As so often is the case with European economic and strategic policy, Europe wants it both ways in that Thierry Breton (Commissioner for the Internal Market) stated he wants to work in lockstep with the United States on a new EU-wide “Cyber Shield” to detect and respond to cyber-attacks. But just without American (or other countries’) cloud firms. The European Commission—which would have to defend these measures in any WTO dispute—and EU member states that support an open, rules-based, and cooperative transatlantic digital trade regime should intervene and head off France’s efforts to align Europe with Chinese digital protectionism. 
Thankfully some EU members (namely, the “D9+” group of countries, Belgium, Denmark, Estonia, Finland, Ireland, Luxembourg, Netherlands, Poland, Portugal, Spain, the Czech Republic and Sweden) have started raising specific concerns and issues about ENISA’s draft proposals with the Commission. A non-paper by Ireland, Sweden, and the Netherlands lays out a broad range of sensible points and recommendations, including (directly quoted) that: We should look at the whole framework of possible EU action, and see what measures could improve Europe’s data sovereignty. For example, it could be strengthened by enhancing control on European data by more generic legislation at the EU level such as the Data Act, rather than imposing technical security requirements in a cloud scheme under the Cybersecurity Act. The consequences of proposed sovereignty requirements should be studied carefully by relevant experts, including from competent authorities and relevant private sector stakeholders. An impact assessment of the requirements is needed and should include an analysis of economic effects. The Cloud certification scheme concerns all categories of data, including both personal and non-personal data. Personal data is explicitly regulated by the GDPR. Non-compliance of privacy issues (Schrems II Judgement), must be governed in the context of the GDPR. It is therefore advised to discuss this with the European Data Protection Board (EDPB), instead of integrating this in the Cloud certification scheme. Any possible measure should strengthen the European digital single market. We should not adopt measures which will hamper the single market or the development of small-medium sized enterprises (SMEs) or startups. Fragmentation of the European market must be prevented. Any possible measures should not breach existing or hamper future (bilateral, plurilateral or multilateral) trade-agreements between the EU and third countries.
In specific circumstances (e.g., in the area of national security) localization requirements can be justified. Such requirements should be supported by solid safeguards. This is in accordance with the EU Cybersecurity Act. The Cloud scheme must not be delayed more than it already is, in order for the implementation of the Cybersecurity Act to maintain momentum. Where to From Here? The European Commission, D9+ EU member states, and EU trading partners need to step up their pushback against France’s efforts to create these sovereignty requirements. The United States (and other trading partners) should (again) directly engage France, the European Commission, and other EU member states on SecNumCloud and ENISA developments. France has reportedly pushed back, pointing to the U.S’s own similarly misguided data localization requirements for certain confidential and sensitive government data and services, including the U.S. GovCloud program and contracts under the Federal Risk and Authorization Management Program (FedRAMP, which provides a standardized approach to cloud security services for government services). However, these programs are far narrower. They are for U.S. government agencies and contractors, especially those with stringent regulatory compliance requirements, such as under the International Traffic and Arms Regulation (i.e., export controls), the U.S. Department of Defense’s Security Requirements Guide, and the Criminal Justice Information Services Security Policy and Addendum. Furthermore, foreign firms have been certified “FedRAMP High,” which allows them to manage some of the U.S. federal government’s most sensitive, unclassified data, such as those related to law enforcement and emergency services. While U.S. localization requirements are still misguided, they are far narrower as they don’t affect broader market access for commercial cloud services. 
The United States and EU should also add the issue of extraterritorial access to data to the TTC agenda and to ongoing discussions at the Organization for Economic Cooperation and Development on developing principles and a framework around trusted government access to data. This issue is broader than the United States and relates to all governments. It’s separate—though obviously related—to negotiations for a new Trans-Atlantic Data Privacy Framework, but it deserves specific attention given it is being used in France and other countries to justify restrictions on data and digital services. Failing changes to SecNumCloud and ENISA proposals, and a constructive response at the TTC, the United States (and other trading partners) should review the cybersecurity support they provide the EU and its member states. If enacted, the U.S. Department of Commerce and U.S. Trade Representative should consider countermeasures to target French and European service firms and their exports. This could start with a Section 301 investigation, which would hopefully lead to the application of the service-related provisions of Section 301 of the Trade Act of 1974. While traditionally used to enact tariffs, Section 301 also provides the U.S. government the option to apply fees and other restrictions on services, which the United States should finally bring to life unless the EU changes course. Ultimately, it would be disappointing if France and the EU added another major barrier to mutually beneficial digital trade and digital cooperation (in this case, on cybersecurity) to the transatlantic relationship just as the two sides work at the TTC to get into lockstep on greater shared challenges, such as how to use security assessments for cloud certifications and how to improve cybersecurity for critical infrastructure.
On March 8, 2022, France enacted updated “sovereignty requirements” as part of a new cybersecurity certification and labeling program known as SecNumCloud. This post analyses how these restrictions breach both France and the European Union’s (EU) commitments under the World Trade Organization’s General Agreement on Trade in Services (GATS), especially as it relates to national treatment, most-favored-nation (MFN), and market access. It also analyzes the implications for transatlantic digital trade and cooperation, including at the Trade and Technology Council (TTC). SecNumCloud’s “sovereignty requirements” disadvantage—and effectively preclude—foreign cloud firms from providing services to government agencies as well as to 600-plus firms that operate “vital” and “essential” services. The latest SecNumCloud guidance (v3.2, March 2022) retains broad data localization requirements for all data (both personal and non-personal) and foreign ownership and board limits, which would effectively force foreign firms to set up a local joint venture to be certified under SecNumCloud as “trusted” and thus able to manage Europea data and digital services. A prior post for the Cross-Border Data Forum also analyzed this proposal and how it breached EU trade law commitments under the WTO Government Procurement Agreement (GPA). SecNumCloud’s restrictions deserve greater attention as its impact on data governance and digital trade will potentially (and quickly) grow in France and the EU (never mind if other countries adopt similar sovereign cloud policies). France is leading efforts to embed SecNumCloud’s “sovereignty” requirements in the European Union Agency for Cybersecurity’s (ENISA) Cybersecurity Cloud Services scheme, which is under development. ENISA is running an opaque process without broad and open stakeholder engagement, partially because it realizes that these types of provisions are heavily criticized. 
ENISA hopes to finalize its draft proposal by mid-2022 and enact it in early 2023. The United States reportedly raised concerns directly with the French government, which seems unperturbed; it released the final SecNumCloud proposal largely unchanged and continues to push for the proposal’s application in ENISA. Ultimately, if U.S. cloud firms can’t operate in a significant portion of the EU digital economy and therefore can’t manage and transfer associated data for supposed cybersecurity reasons, the new Trans-Atlantic Data Privacy Framework isn’t nearly as valuable or meaningful. GATS Trade Law: A Strong Case that SecNumCloud Breaches France’s and the EU’s Market Access, National Treatment, and Most Favored Nation Commitments on Cloud Services France’s application of SecNumCloud to public—and private—sector players raises significant issues in light of the commitments that France and the EU undertook under the GATS, most particularly market access, national treatment, and MFN treatment. The early evidence is in: since its first introduction in 2016, only four companies—all French—have been certified under SecNumCloud. In essence, in both form and substance, this replicates China’s use of similar restrictions for foreign cloud services firms (for digital protectionism and authoritarian purposes). France and the EU committed under the GATS to provide market access—including cross-border (or “mode 1”) access—to foreign suppliers of computer and related services (CRS) without restrictions (except for Malta and the Slovak Republic). They also committed to accord such companies “no less favorable” treatment than domestic suppliers of these services (the core WTO principle of national treatment, in terms of treating foreigners and locals and their products equally). They also committed to provide similar fair treatment to third-country suppliers (the principle of MFN, where countries cannot discriminate between trading partners). 
And the EU is on the record at the WTO that cloud computing is a CRS (see, e.g., page 16 of this Council for Trade in Services report), so its WTO commitments clearly cover these services. The latest version of SecNumCloud explicitly requires suppliers of cloud computing services to store and process their customers’ data within the EU. This effectively constitutes a ban—or a “zero quota” in WTO terminology—on the cross-border supply of these services. In the U.S. gambling case at the WTO’s dispute settlement body (DS285: United States—Measures Affecting the Cross-Border Supply of Gambling and Betting Services), the WTO made it clear that a zero quota (in that case, the United States blocking of Internet gambling from Antigua) violates the GATS market access obligation (specifically, Article XVI:2(a)). There is also a strong argument to be made based on the core WTO principles of national treatment and MFN that under SecNumCloud-like restrictions, France and the EU will treat foreign suppliers less favorably than domestic and third-country suppliers. As noted above, France and the EU have full commitments for national treatment and MFN for cloud-related services, with very limited exceptions. Essentially, the national treatment commitment is interpreted as meaning that if a regulation affects competitive conditions in the market to the detriment of foreign suppliers, there is a violation. That is plainly the case here, since EU suppliers will be allowed to provide cloud services without restriction while foreign suppliers are restricted from processing and storing customer data in their home countries. Similarly, SecNumCloud breaches MFN obligations as it creates differences between suppliers in different WTO member countries. 
If France allows cloud companies from a given WTO member country to provide cross-border cloud services from their home country while preventing companies from another WTO member country from doing the same (or otherwise modifying the conditions of competition to their detriment), there is a violation. And since France is a member of the WTO in its own right, if it allows a firm from Germany or another EU member state to provide services, they are breaching their MFN commitments. France could try to defend SecNumCloud through WTO exceptions related to the protection of privacy and the specific exception for national security.The protection of privacy exception states the measure is needed for “the protection of the privacy of individuals in relation to the processing and dissemination of personal data and the protection of confidentiality of individual records and accounts.” But this is specious. There is ample evidence that EU member states do not ensure greater protection of privacy—e.g., in the case of government surveillance—than the EU’s leading trading partners. A central question with such a case would be whether reasonnable alternatives (to data localization, foreign ownership, and control caps) are available to address the stated public policy issue. However, even if France did try to defend itself via this or another exception, France would bear the burden of proof to defend its use of these trade law exceptions. The measure would be assessed on the basis of necessity (that this type of restriction is needed to address this listed exception) and proportionality (that it is no less trade-distorting than necessary). Even then, the exception would not apply if the measure is arbitrarily or unjustifiably discriminatory or a disguised restriction on trade. France could also try to use the national security exception (below). 
Until recently, countries generally tried to avoid using this exception, as the broad language could be used to undermine all manner of trade commitments. Also, using it in a trade dispute raises the prospect that a dispute panel may well end with a judgment that ultimately constrains how countries use the exception.
WTO: GATS Article XIV bis Security Exceptions
Nothing in this Agreement shall be construed:
(a) to require any contracting party to furnish any information the disclosure of which it considers contrary to its essential security interests; or
(b) to prevent any contracting party from taking any action which it considers necessary for the protection of its essential security interests
    (i) relating to fissionable materials or the materials from which they are derived;
    (ii) relating to the traffic in arms, ammunition, and implements of war and to such traffic in other goods and materials as is carried on directly or indirectly for the purpose of supplying a military establishment;
    (iii) taken in time of war or other emergency in international relations; or
(c) to prevent any contracting party from taking any action in pursuance of its obligations under the United Nations Charter for the maintenance of international peace and security.
Most recently, the Trump administration misguidedly invoked the national security exception to justify tariffs on steel and aluminum. It tried to make the case that national security was not a matter the WTO could even adjudicate (i.e., that it is nonjusticiable). However, the WTO dispute settlement body thought otherwise, stating national security is not a get-out-of-jail-free card for members to enact whatever trade restrictions they want. Similarly, in 2019, a dispute between Russia and Ukraine, in which Russia claimed it had taken trade-restrictive measures for the purpose of protecting its national security, resulted in a landmark judgment. 
A WTO dispute settlement panel stated that it can review national security cases and objectively determine whether the circumstances in one of the sub-clauses of Article XXI(b) exist and whether the measure has a plausible connection to the circumstance identified. Furthermore, it defined “emergency in international relations” in a commonsense way, meaning WTO members couldn’t simply self-define an emergency to justify national security-related trade restrictions.
The WTO Is Paralyzed: But Countries Should Highlight the Clear Potential for a Future Case
The WTO trade dispute process is paralyzed at the moment as the United States continues to hold it hostage in pushing for reforms. However, this shouldn’t stop the United States, United Kingdom, and others with a clear interest in the EU digital economy from raising the potential for such a case in their discussions with French and EU officials. Trade lawyers from the United States and other countries have been reluctant to initiate these types of GATS cases, even though data localization and other restrictions impacting cross-border services trade continue to spread. For example, the EU’s General Data Protection Regulation (GDPR), and more recently its Digital Markets Act, indirectly and explicitly target U.S. firms and goods and services for discriminatory treatment. Something needs to change. WTO commitments either apply to modern services trade or they don’t. The reluctance of WTO members—namely, Australia, Chile, Japan, New Zealand, Singapore, the United Kingdom, the United States, and others—who otherwise expend a lot of time and energy negotiating new digital trade rules and agreements outside of the WTO (and inside it, at the Joint Statement Initiative (JSI) e-commerce negotiations) to push back and initiate cases only perpetuates the status quo of rising data and IT mercantilism. 
Another Barrier to Transatlantic Digital Trade and Cooperation: Why the European Commission and Other EU Members Should Step In
After France nearly derailed the inaugural TTC meeting, France’s advocacy for new cybersecurity restrictions undermines efforts to work with the United States at the TTC, including in the working group on ICT security. The next TTC meeting is on May 15-16 in Paris. Discriminatory cybersecurity regulations that target U.S. cloud service providers would add another entry to the long and growing list of EU attacks on U.S. tech companies that will hurt the transatlantic relationship if not revised. The United States and EU need to remove irritants to the bilateral trade relationship so they can focus on the bigger picture (namely, the challenges posed by China and Russia in international affairs). It would also overshadow—and undermine—the new Trans-Atlantic Data Privacy Framework (which is the successor to the EU-U.S. Privacy Shield). U.S. cloud firms would be blocked from providing services to a large part of the EU digital economy, never mind being able to manage and transfer associated data overseas. But the disconnect is broader. As so often is the case with European economic and strategic policy, Europe wants it both ways: Thierry Breton (Commissioner for the Internal Market) stated he wants to work in lockstep with the United States on a new EU-wide “Cyber Shield” to detect and respond to cyber-attacks, just without American (or other countries’) cloud firms. The European Commission—which would have to defend these measures in any WTO dispute—and EU member states that support an open, rules-based, and cooperative transatlantic digital trade regime should intervene and head off France’s efforts to align Europe with Chinese digital protectionism. 
Thankfully, some EU members (namely, the “D9+” group of countries, Belgium, Denmark, Estonia, Finland, Ireland, Luxembourg, Netherlands, Poland, Portugal, Spain, the Czech Republic and Sweden) have started raising specific concerns and issues about ENISA’s draft proposals with the Commission. A non-paper by Ireland, Sweden, and the Netherlands lays out a broad range of sensible points and recommendations, including (directly quoted) that:
We should look at the whole framework of possible EU action, and see what measures could improve Europe’s data sovereignty. For example, it could be strengthened by enhancing control on European data by more generic legislation at the EU level such as the Data Act, rather than imposing technical security requirements in a cloud scheme under the Cybersecurity Act.
The consequences of proposed sovereignty requirements should be studied carefully by relevant experts, including from competent authorities and relevant private sector stakeholders. An impact assessment of the requirements is needed and should include an analysis of economic effects.
The Cloud certification scheme concerns all categories of data, including both personal and non-personal data. Personal data is explicitly regulated by the GDPR. Non-compliance of privacy issues (Schrems II Judgement), must be governed in the context of the GDPR. It is therefore advised to discuss this with the European Data Protection Board (EDPB), instead of integrating this in the Cloud certification scheme.
Any possible measure should strengthen the European digital single market. We should not adopt measures which will hamper the single market or the development of small-medium sized enterprises (SMEs) or startups. Fragmentation of the European market must be prevented.
Any possible measures should not breach existing or hamper future (bilateral, plurilateral or multilateral) trade-agreements between the EU and third countries.
In specific circumstances (e.g., in the area of national security) localization requirements can be justified. Such requirements should be supported by solid safeguards. This is in accordance with the EU Cybersecurity Act.
The Cloud scheme must not be delayed more than it already is, in order for the implementation of the Cybersecurity Act to maintain momentum.
Where to From Here?
The European Commission, D9+ EU member states, and EU trading partners need to step up their pushback against France’s efforts to create these sovereignty requirements. The United States (and other trading partners) should (again) directly engage France, the European Commission, and other EU member states on SecNumCloud and ENISA developments. France has reportedly pushed back, pointing to the United States’ own similarly misguided data localization requirements for certain confidential and sensitive government data and services, including the U.S. GovCloud program and contracts under the Federal Risk and Authorization Management Program (FedRAMP, which provides a standardized approach to cloud security services for government services). However, these programs are far narrower. They are for U.S. government agencies and contractors, especially those with stringent regulatory compliance requirements, such as under the International Traffic in Arms Regulations (i.e., export controls), the U.S. Department of Defense’s Security Requirements Guide, and the Criminal Justice Information Services Security Policy and Addendum. Furthermore, foreign firms have been certified “FedRAMP High,” which allows them to manage some of the U.S. federal government’s most sensitive, unclassified data, such as those related to law enforcement and emergency services. While U.S. localization requirements are still misguided, they are far narrower as they don’t affect broader market access for commercial cloud services. 
The United States and EU should also add the issue of extraterritorial access to data to the TTC agenda and to ongoing discussions at the Organization for Economic Cooperation and Development on developing principles and a framework around trusted government access to data. This issue is broader than the United States and relates to all governments. It’s separate from—though obviously related to—negotiations for a new Trans-Atlantic Data Privacy Framework, but it deserves specific attention given it is being used in France and other countries to justify restrictions on data and digital services. Failing changes to SecNumCloud and ENISA proposals, and a constructive response at the TTC, the United States (and other trading partners) should review the cybersecurity support they provide the EU and its member states. If the measures are enacted, the U.S. Department of Commerce and U.S. Trade Representative should consider countermeasures to target French and European service firms and their exports. This could start with a Section 301 investigation, which would hopefully lead to the application of the service-related provisions of Section 301 of the Trade Act of 1974. While traditionally used to enact tariffs, Section 301 also provides the U.S. government the option to apply fees and other restrictions on services, which the United States should finally bring to life unless the EU changes course. Ultimately, it would be disappointing if France and the EU added another major barrier to mutually beneficial digital trade and digital cooperation (in this case, on cybersecurity) to the transatlantic relationship just as the two sides work at the TTC to get into lockstep on greater shared challenges, such as how to use security assessments for cloud certifications and how to improve cybersecurity for critical infrastructure.
In contrast to the international trade issues around the movement of goods that defined 20th century globalization, trade in the 21st century is increasingly digital and knowledge-based, in large part, as digital technologies enable data-driven innovation, the ongoing disaggregation of production, and the increasing trade in services. Modern trade is more about the movement of bytes, ideas, information, and services, which are subject to a variety of non-tariff policies that affect digital and digitally enabled trade. However, the ever-growing gap between technological innovation and domestic and international policy frameworks shows that many policymakers are struggling to adapt rules and norms to today’s digital economy, which detracts from the potential economic and social benefits of these technologies. In the years ahead, policymakers will face a key choice in deciding whether they want to be bold and adjust policies in order to embrace a truly global market for digitally enabled trade in goods and services.
This chapter examines China’s increasingly assertive efforts to influence international data governance, especially cross-border data flows, and promote its concept of “cyber sovereignty,” while also analyzing its restrictive approach to domestic data governance as the basis for its international advocacy efforts.