Data Localization: The Compatibility with GATS and Its Outlook
Eugene Tseng
Vol. 43 Associate Editor
As the world economy is shifting towards a digital-oriented business, and human activities are moving online in a wider range, the cross-border data flow becomes the essential backbone for the global economy. COVID-19 has made clear that data flows are critical to the global economy, enabling both economic responses (e.g., the adoption of digital services for business continuity) and societal responses (e.g., family video calls, streaming content for entertainment).[1] While some countries allow data to flow easily around the world, many more have enacted new barriers to data transfers that make it more expensive and time-consuming, if not illegal, to transfer data overseas.[2] Data Localization: Restrictive Measures to Trade Government measures that restrict or prohibit the cross-border flow of data and require the local storage and processing of data have become known as “data localization measures.”[3] It may require personal data to be retained within their original jurisdiction, either through a direct legal restriction or through other prescriptive requirements (such as local business registration requirements) that have the same result.[4] More specifically, data localization measures are regulations requiring companies to store and process data on servers physically located within national borders.[5] Data localization is closely linked to national sovereignty concerns and has been used by many countries as a means to enhance national security, protect personal privacy, and support law enforcement.[6] It targets a growing range of specific data types and broad categories of data deemed “important” or “sensitive” or related to national security.[7] By restricting where and when data can be transferred and stored, data localization poses a barrier to the free flow of data across borders.[8] Data Localization Measures and the Compatibility of GATS The cross-border supply of digital services inevitably includes cross-border flow of data required for the service, such as consumer data or business data.[9] Consequently, data localization measures that restrict or de facto prohibit cross-border trade in services can be assessed under the General Agreement of Trade in Services (GATS) framework.[10] National Treatment The National Treatment rule under the GATS[11] applies in all sectors where specific commitments have been undertaken and prohibits Members from discriminating in favor of their domestic companies.[12] Assuming a data localization measure affects the supply of service in a particular sector in which a Members has a national treatment obligation, it is arguable that a data localization measure violates a Member’s national treatment obligation.[13] Specifically, if a WTO Member has scheduled commitments on the cross-border supply of data services, it will be very difficult for the Member to argue that data localization measures requiring foreign suppliers to duplicate infrastructure and services or to pay for outsourced local storage are consistent with GATS National Treatment rules.[14] Market Access Under GATS Article XVI, WTO members may not undertake measures that impair market access, such as limiting the number of service suppliers and the total value of service transactions or assets.[15] In U.S.—Gambling, the Appellate Body found that a complete prohibition on the online supply of gambling services was a “zero quota”, in breach of GATS article XVI:2(a) market access obligation.[16] In the context of data localization measures, it is arguable that it is a limitation on the number of service suppliers as it totally prevents the use by service suppliers of one, several or all means of delivery of cross-border digital service.[17] For example, when countries adopt high privacy standards and rules requiring the local processing of financial information, the national scheme may constitute a de facto limit, or even prohibition, on the access of foreign operators.[18] GATS Exceptions Assuming that the data localization measure violates a Member’s obligations under GATS, such measure may look for justifications on the ground that it falls within either the general exceptions under Article XIV or security exceptions under Article XIV bis. Overall, when considering the general exceptions under GATS, the WTO member must ensure that measures purported to advance such interests are both “necessary” and narrowly tailored to achieve a legitimate objective, and cannot be disguised restrictions on digital trade.[19] Specifically, GATS provides an exception where the measure is “necessary to secure compliance with laws or regulations” relating to “protection of the privacy of individuals in relation to the processing and dissemination of personal data and the protection of confidentiality of individual records and accounts,” but such measure should be “necessary” to protect privacy.[20] The same restriction applies to the national security exception.[21] Outlook for Data Localization In recent years, the proponents of data globalization have been promoting free and open flow of data across borders, while the others for data localization have been adopting measures curtailing cross-border data flow citing privacy and security concerns.[22] These laws of localization pose a growing threat to the information technology sector and beyond, with the potential to cause companies to withdraw operations from key markets, harm Internet users, and further fragment the global Internet.[23] The spread of data localization to more countries and data types poses a growing threat to the potential for an open, rules-based, and innovative global digital economy.[24] Such forced localization measures create a huge burden on businesses, particularly for small and medium-sized enterprises (SMEs), increasing costs up to 30%–60% for acquiring local computing facilities and data storage infrastructure.[25] It is thus worth noting that when developing and promoting international and regional initiatives on data protection, consideration should also be given to the compliance burden, and the potential for negative impacts on trade, innovation and competition, especially from the perspective of SMEs.[26] Going forward, due to a lack of political will and consensus on the issue, there is a long way to go before data localization measures are explicitly deemed trade-restrictive under GATS.[27] International trade negotiations are another potential venue for action.[28] For example, companies should press their governments to formally list data localization measures as non-tariff trade barriers.[29] So far, only FTAs have binding obligations prohibiting data localization measures.[30] As a result, we might continue to see FTAs or regional trade agreements to lead the formation of relevant rules in this respect.
[1] Nigel Cory & Luke Dascoli, How Barriers to Cross-Border Data Flows Are Spreading Globally, What They Cost, and How to Address Them (July 19, 2021), https://itif.org/publications/2021/07/19/how-barriers-cross-border-data-flows-are-spreading-globally-what-they-cost. [2] Id. [3] Daniel Crosby, Analysis of Data Localization Measures Under WTO Services Trade Rules and Commitments, International Centre for Trade and Sustainable Development (ICTSD) (E15 Initiative, Mar. 2016) at 2, https://e15initiative.org/publications/analysis-of-data-localization-measures-under-wto-services-trade-rules-and-commitments/. See also Cory & Dascoli, supra note 1, Appendix A (a list of data localization measures adopted by countries in the world). [4] Data Protection Regulations and International Data Flows: Implications for Trade and Development United Nations Conference on Trade and Development (UNCTAD), at 13, https://unctad.org/system/files/official-document/dtlstict2016d1_en.pdf. [5] Data Localization: A Challenge to Global Commerce and the Free Flow of Information, Albright Stonebridge Group (Sept. 28, 2015), https://www.albrightstonebridge.com/news/data-localization-challenge-global-commerceand-free-flow-information. [6] Linxin Dai, A Survey of Cross-Border Data Transfer Regulations Through the Lens of the International Trade Law Regime, 52 N.Y.U. J. Int’l L. & Pol. 955, 958 (2020). [7] Cory, supra note 1. [8] Dai, supra note 6, at 959. [9] Ikigai Law, The Data Localization Debate in International Trade Law (June 22, 2020), https://www.ikigailaw.com/the-data-localization-debate-in-international-trade-law/#_ftn17; See Crosby, supra note 3. [10] Ikigai Law, supra note 9. See also Joshua P. Meltzer, Cybersecurity, Digital Trade, and Data Flows: Re-Thinking a Role for International Trade Rules 20 (Global Economy & Development Working Paper 132, May 2020), https://www.brookings.edu/wp-content/uploads/2019/11/Cybersecurity-digital-trade-data-flows.pdf. [11] The National Treatment rule is set out in Article XVII of the GATS which provides that Members have to accord to services and service suppliers of any other Member, “treatment no less favorable than it accords to its own like services and service suppliers.” [12] Crosby, supra note 3. [13] Ikigai Law, supra note 9. [14] Crosby, supra note 3; [15] Dai, supra note 6, at 963. [16] Meltzer, supra note 14. For a more detailed discussion, see Crosby, supra note 3, at 7. [17] Ikigai Law, supra note 9. [18] Dai, supra note 6, at 963. [19] Crosby, supra note 3, at 9. [20] Xiaofeng Lin, A Dangerous Game: China’s Big Data Advantage and How the U.S. Should Respond, 2020 U. Ill. J.L. Tech. & Pol’y 253, 280 (2020). [21] Id. [22] Ikigai Law, supra note 9. [23] Albright Stonebridge Group, Data Localization: A Challenge to Global Commerce and the Free Flow of Information 3 (Sept. 28, 2015), https://www.albrightstonebridge.com/news/data-localization-challenge-global-commerce-and-free-flow-information. [24] Cory, supra note 1. See also Albright Stonebridge Group, supra note 23, at 5. [25] Ikigai Law, supra note 9. [26] UNCTAD, supra note 14. [27] Ikigai Law, supra note 9. See also Joshua D. Blume, Reading the Trade Tea Leaves: A Comparative Analysis of Potential United States WTO-GATS Claims Against Privacy, Localization, and Cybersecurity Laws, 49 Geo. J. Int’l L. 801 (2018) (for a discussion on the possibility of bringing claims under WTO dispute settlement body against relevant data restrictive laws and regulations adopted by WTO members). [28] Albright Stonebridge Group, supra note 22. [29] Id. [30] Ikigai Law, supra note 9. See also Dai, supra note 6, at 963-65 (discussing trade agreements of CPTPP and USMCA, which are to encourage and promote cross-border data transfer with the aim of improving of digital trade).