On May 24-25, 2018, the Internet Governance Project (IGP) at Georgia Tech’s School of Public Policy held its 4th Annual Workshop in Atlanta. This year’s workshop theme was “Digital Free Trade or Cyber Nationalism? Setting the Course for a 21st Century Digital Trade Policy.” The workshop explored the scientific and public policy questions raised around digital trade. This blog covers the workshop proceedings and its outcome.
Understanding the nature of digital trade
The workshop opened with papers exploring the nature of digital trade and cross-border information flows, including attempts to measure their size and value. A presentation by economist Jessica Nicholson, U.S. Commerce Department’s Bureau of Economic Analysis (BEA), surveyed current quantitative data on digital trade and described in detail how the BEA is attempting to develop new and better measures. Her presentation, based on this research report, highlighted some of the uncertainties and gaps involved in measuring digital data flows as trade. Some, but not all, digital exchanges are captured in general trade in services statistics, and of those that are captured, we know that some are “potentially ICT-enabled” (PICTE) but we don’t know whether they actually occurred electronically or through traditional means. The U.S. has a significant trade surplus in PICTE services, which account for almost 55% of its total international services exports, and slightly under half of its service imports. A big component of this is charged for the use of intellectual property.
A paper by IGP’s Milton Mueller attempted to address the information flows that the BEA study did not attempt to measure. His empirical analysis relied on Telegeography data regarding the geographic distribution of the top 100 web sites in each of 100 countries. This data was used as an indicator of “information exchange balances” across countries. The research showed that Web traffic is highly transnational. On a worldwide basis, domestic website requests account for only one third of the traffic, with the remaining two-thirds being cross-border requests. Of the traffic that is cross-border, 76% of the requests are headed to U.S. websites, and another 18% are headed to European websites, so together the North American and Western European regions are the target of no less than 94% of the cross-border web requests. Slightly over half of these requests (52%) come from East Asia and South Asia (basically, China and India). East Asia, which has a huge goods trade surplus with the developed economies, particularly with the US, has the largest negative information exchange balance. Mueller’s paper noted that the trade paradigm, with its emphasis on monetization, surpluses, and deficits, was less applicable to this situation than the Article 19 guarantee of a right to “seek, receive and impart information and ideas through any media regardless of frontiers.”
Data localization and digital trade
This panel examined the issue of data localization and related efforts to align information flows with national borders. Are data localization laws inherently protectionist or are they justified by governments’ needs to bypass time-consuming barriers to trans-jurisdictional access to information?
Panelists agreed that while data security and national interest is frequently invoked to localize data, data security has little to do with jurisdictions. Rather, when states localize data to enable domestic law enforcement access and surveillance, this can inhibit the public’s data security by restricting consumer choice. Dr. Annegret Bendiek’s paper suggests that currently there are no viable approaches to provide data security and data protection to facilitate cross border data flow. This creates uncertainty in business practice about how to handle data and who should be allowed to have access to the data. She concluded that having data servers in the European Union and outsourcing to a third party to grant access to the data, might be an option but does not solve the problem of cross-border data flow globally. Agreements that allow law enforcement to have access to foreign data, such as the Cloud Act, might be a step towards solving the problem.
Nigel Corey of ITIF argued that mandatory data localization to preserve data security is a misleading argument. The security of data does not depend on where the data is geographically located, but on company practices. Many of the mandatory data localization efforts take place in the name of protecting the national interest, while it is unclear how cross border data flow threatens national security or puts public interest at risk. “One solution to fight against data localization is for nations to seek recourse from existing international institutions like the WTO when the intent of the policy is clearly protectionist. Another solution, would be for states to work globally on finding a common framework to enable governments to legitimately gain access to data, in a timely manner.
Jon Neiditz, an Atlanta lawyer, brought forward a different view. He discussed the results of a the second year of a survey of more than 600 respondents responsible for the protection of “crown jewel” data assets within their organizations which he just completed with the Ponemon Institute on global exfiltration of trade secrets, corporate confidential information and intellectual property from organizational systems by states, state-affiliated entities and state-sponsored and other hackers. Data protectionism in this environment, he argued, is really unilateral protectionism, and a winning, best-of-both-worlds strategy against the free multilateral flow of data. As long as global access to data puts these digital assets in such danger, facilitating cross-border data flow through trade agreements will not create a level playing field. Rather, we need to emphasize a digital Geneva Convention on data security and commercial espionage as a foundation for agreements on cross-border data flow.
Charles Duan of R Street Institute discussed how intellectual property protection can lead to data localization. He drew on his experience with the Clearcorrect vs. International Trade Commission case, in which a patent holder sought to block digital transmission of information. Duan explained how intellectual property rights can cover very broad but unrelated interests. Despite this potential, intellectual property is not often a topic associated with the free flow of data. We need to pay attention to how intellectual property rights protections, especially in trade agreements, can overreach and block the legitimate exchange of information.
Digital trade in geopolitical context
This panel reviewed ongoing negotiations and strategic positioning on various trade agreements that might affect digital trade, including the future of North American Free Trade Agreement (NAFTA), Trans-Pacific Partnership (TPP)-minus, Regional Comprehensive Economic Partnership (RCEP), Transatlantic Trade and Investment Partnership (TTIP). Is there any hope for digital free trade in the current geopolitical environment?
Gus Rossi of Public Knowledge looked at the political backlash in various countries against globalization and emphasized the need to convince people nationally of the benefits of digital trade. Trade is reducing inter-country inequality, but increasing it inside the country. Noting how the EU paired free trade and consumer protection, he proposed pairing privacy protection with digital free trade in new agreements.
It was mentioned that Europe still has a political consensus for trade agreements. It was implied that trade agreements were taking the heat for broader changes in the economy: people cannot vote against technological change, but they can vote against trade agreements. Carolina Aguerre described the current regulatory status of digital trade in Latin America and Caribbean and how the region is going towards adopting a more protectionist agenda. She explained that in bilateral trade agreements there is an opportunity for a more tangible approach to the digital economy in LAC countries. Will Hudson of Google observed that the Internet by its very design has tremendous value for trade, creating new opportunities for more people and making trade more inclusive. Encouraging panelists to explore what lessons digital trade negotiations could take from Internet governance, and vice versa, he noted that the Internet is best governed in the same way it was built: it needs to be transparent and participatory.
There were some divergent views on the panel about the role of civil society and its resistance towards digital free trade agreements. Some believed that the rights that civil society stands for should not be directly included in trade agreements. The value of transparency in trade negotiations was also debated. While bilaterals were seen as a positive approach, some concerns were raised that it might lead to various and potentially conflicting policies. In discussions the General Data Protection Regulation (GDPR) was a hot topic. One participant viewed it as a different model, instead of state-by-state negotiated trade agreements we have an extraterritorial “race to the most restrictive.” Another participant said this wasn’t new: GDPR was compared to US attempts to leverage market access to export stronger intellectual property rules, and to China’s attempt to tie market access to IPR transfers. One participant said that GDPR exemplifies what happens when you don’t have global governance.
Cybersecurity and digital trade
Day two of the workshop kicked off with this highly anticipated session. One of the key drivers of cyber-nationalism is cybersecurity, and the growing tendency to link trade in information technology equipment and services to national security and national industrial policy. This panel included Tara Hairston of Kaspersky Lab, Claude Barfield of AEI, Ga Tech PhD student Karl Grindal, and Tsinghua University PhD student Jinhe Liu.
Kaspersky legally challenged administrative and statutory bans on the use of its products by the US Government. They and other multinational companies they speak with are trying to figure out exactly what evidence merits a national security restriction. IT companies that have global operations are trying to figure out exactly what evidence merits a national security restriction and how such restrictions account for global supply chains. If there is a concern, is there a way to mitigate it, and how can governments be more transparent about it? The signals sent to market by governments implementing national security restrictions are broad and impactful. The response by Kaspersky Labs has been greater transparency and data relocation. The idea of transparency centers is not new, e.g., Huawei, Microsoft, Cisco already have them. However, the code reviews they facilitate raise other issues. The choice of Switzerland for a new Kaspersky data center was based on the country’s data protection laws.
Overall, the cybersecurity industry sector needs to move to be more transparent and have processes in place to contend with economic nationalism. Multinationals will continue to seek advantage in countries comparative advantages, e.g., Kaspersky’s operations in Russia and around the world provides a competitive edge in R&D, talent acquisition, and the ability to monitor malicious cyber hot spots. The deployment of sophisticated cyberespionage malware is no longer the province of just nation-states; non-state actors engaging in such activity is exacerbating the problem of cyber nationalism and will continue to do so.
Jinhe Liu presented a framework for understanding Chinese cross-border data flow. The Chinese strategic perspective described by the concept “Internet Sovereignty” has been focused on a perceived dependence on western countries, specifically the United States, with respect to information communications technologies (ICT). The subsequent policy response was the Cybersecurity Law adopted in November 2016. This law implements a policy of local storage and outbound assessment with respect to both “personal information” and “important data.” This law has subsequently been formalized through regulations, and subsequent regulations (Personal information and important data outbound security evaluation measures (Draft)2017.4.11 and Guidelines for data outbound security assessment (Draft)2017.5.27（1st edition）2017.8.25（2nd edition)). These policies have created a distinct form of “Internet governance with Chinese characteristics.”
The protectionist attributes of these Chinese policies, have been challenged (albeit at a reduced level) through US protectionist policies in turn, like those initiated by the Committee on Foreign Investment in the United States (CFIUS). Claude Barfield of AEI, pointed out the concern that the “national security” standard which currently governs CFIUS decisions are at risk of being expanded to include national “economic interests.” CFIUS reform legislation being debated in Congress has explored adding this language. Congress is fixated on doing something about China. Problem is CFIUS covers all inward investment and China will be a relatively small investor in US compared to other countries. Moreover, Congress is contemplating expansion of CFIUS purview from inward investment to also include outward investment by US companies, aimed at China and covering a wide range of activity like investments, joint ventures, etc., not just M&As. CFIUS will be inundated and unable to do deep, meaningful reviews. DoD and Treasury have the capability to define what are “critical technologies” and therefore what is reviewed. Allies and other countries can be exempted.
Karl Grindal’s presentation, built on Claude Barfield’s with a quantitative analysis of CFIUS decisions and a framework for understanding the various Trade Regimes that might use concerns around cybersecurity to inhibit trade. These trade regimes included: arms control regimes, foreign investment restrictions, tariffs, and localization policies. These four regimes were categorized based on a framework to assess, how focused they were in application, which actors would bear the highest cost, what the likelihood of retaliation could be, and how would these policies contribute to global internet fragmentation. This framework was previously described by an IGP blog post here.
Karl’s historical review of CFIUS showed that while presidents have been reticent to use their CFIUS authorities, the number of investigations performed annually is trending in an upward direction. Further, since 2014, CFIUS has begun to collect data on the number of notices withdrawn and transactions abandoned in light of CFIUS concerns. While still small, this number demonstrates that the effect of these policies is larger than just what Ant Financial and Moneygram or Broadcom and Qualcomm would suggest. These unknown transactions which are preemptively blocked, are indicative of the effect for any restriction in trade. Even narrowly applied, policies which cover specific transactions can have a broader effect. Brought to its extreme, the expansive tariffs proposed by President Trump are indicative of the dangers of sweeping decisions. In these events, retaliatory policies are likely, and the costs frequently fall on those with the most to lose.
Rights and Trade – IPR and Privacy
Trade in digital services are often linked to rights protection (or rights conflicts), most notably around privacy and intellectual property. This panel brought together academic and civil society experts active on issues related to digital trade to discuss the extent to which trade and individual rights are complementary or conflicting. A paper by Jeremy Malcolm and Jyoti Panday, representing EFF, focused on the backlash to trade and described the potential for privacy based consumer protection policies to create a new global social contract. Highlighting both right and left resistance towards increased globalization, Jeremy identified the impact of a populist opposition to global digital trade. Jeremy then surveyed the diverse ways that data localization has been implemented by countries around the world, be it for metadata in Germany or cloud storage in China. To these policies, Jeremy tried to understand the intention behind the localization provisions. These policies are justified using a wide variety of arguments including that they promote domestic innovation, challenge US hegemony, or improve policing or national security. While these policies are frequently viewed through an economistic lens, Jeremy asserts that the impact on democracy and human rights is equally important.
Discussant Shannon Coe of the U.S. Commerce Department’s International Trade Administration led with her own presentation on the Asia Pacific Economic Cooperation (APEC) Cross Border Privacy Rules (CBPR). Speaking independently of her role with the U.S. Commerce Department, she emphasized the history and expansion of CBPR and described how they enable greater trade integration. As a voluntary system, adoption has been slower than anticipated; only 6 of the 21 APEC countries are part of this system. However it has been picking up, with 3 more countries on track to join by 2019, and represents a unique model privacy model from that implemented by the EU with GDPR.
Ishan Mehta, Georgia Tech graduate student alumni, presented a more critical take on the APEC cross border privacy rules. Noting that uptake had been slow and that the system was complicated, he described GDPR as the elephant in the room, Ishan wondered what role APEC’s voluntary accountability system would have when more aggressive privacy requirements could potentially be expanded as a global norm. With many companies already becoming compliant with new GDPR requirements, the ability to extend these same protections to non-European Union citizens is comparatively affordable, and in some cases the cheapest option. As APEC has struggled to gather adoption, Ishan argued that the benefits of this voluntary privacy regime have not been realized by either countries or companies.
Where to go from here
The last panel showcased various proposals for reform. Professor Susan Aaronson (George Washington University) opened with a presentation outlining what she called “A New Approach to Regulating Data in Trade Agreements .” She questioned the use of “e-commerce” language in trade agreements, noting that e-commerce and data flows are not the same. She also stressed that no existing trade agreements take account of the many types of strategies that governments can adopt to block cross-border flows, from censorship to cyber-security rules (under the exceptions). Her proposed strategy is to base regulation on the type of data. Her proposed data types were personal data; confidential business data; public data; metadata; machine to machine data. But all of these categories, she admitted, could involve personal data. It was asked, if personal data is in all categories, and triggers distinct regulatory obligations, what is the point of having the categories? Charles Duan of R street recommended focusing not on the data itself but on the intended recipient and how it is going to be used.
What follows is a summary of specific proposals for policy change made during the conference:
Using WTO dispute resolution process (DRP)
Several people proposed using the WTO DRP especially in regard to China’s unbalanced approach to digital trade. Specifically, there could be WTO challenges to a) China’s data localization law, and b) China’s Great Firewall (GFW). The GFW could be challenged because it does not conform to WTO rules that national exceptions must be done in the least protectionist way. Reaction to this proposal was mixed, with participants noting some good aspects and some feasibility issues. One participant noted that there are disagreements about the value of the GFW within China and some domestic parties might actually welcome a challenge to it. Another noted that China has a reasonable record in the WTO, and might actually comply with an unfavorable ruling. Drawbacks of this approach were also noted. Big WTO cases, such as Boeing-Airbus, go on for a lifetime. Moreover, WTO rulings are not legally enforceable and states have to come up with their own remedies in case of noncompliance with WTO award. One participant claimed that the “prostitution” of the national security argument by the Trump administration ruins the opportunities the US has to push back against China when they invoke it.
Link cross-border data flows to HR
Participants’ views on linking human rights to cross-border data flow diverged. One participant explained that ex ante, the negotiation phase of trade agreements is the only phase whereby the civil society advocates can potentially have an impact on trade agreements. They can express their concerns and have more rights respecting provisions. However, ex post, when the disputes rise, trade dispute resolution mechanisms might not be suitable to resolve human rights disputes. Other participants stated that WTO dispute resolution forum is not the suitable forum for human rights disputes nor is private arbitration mechanisms.
Make better bargains for the public
It was also suggested that tangible benefits for consumers are needed at the national level if we want societal support for free trade agreements. This could be accomplished by linking trade agreements to consumer protection and other benefits. However, this approach was not perceived as pragmatic by some participants, who feared it could lead to an overextension of trade regimes and might lead to prolonged and frustrating trade negotiations, that might never yield a free trade agreement.
Retaliate against China
Using national protectionist measures to retaliate against China was not seen as the right solution to deter Chinese protectionist measures on digital trade. Tariffs, market access barriers, and FDI limitations generate major costs for consumers and decrease economic efficiency. Many proposed retaliations simply reinforce China’s nationalistic tendencies. Using global, legitimate international forums such as the WTO that is neutral and not political to bring disputes against protectionist measures of countries is a better alternative to nationalistic measures.
Voluntary adoption of harmonized privacy rules
States argue that data localization efforts protect their citizens from jurisdictions that have not passed appropriate data protection laws. An alternative to data localization would be to harmonize the privacy rules that countries and corporations adopt. Global corporations that get involved with digital trade should be incentivized to voluntarily adopt these rules. The human rights advocates can also advocate for the adoption of such rules.
“Geneva Convention on the Status of Data”
There was a suggestion by Nigel Corey to have a Geneva Convention on the Status of Data which would facilitate law enforcement access to data globally and might lessen states efforts to localize data in order to have an easier access. There should also be multilateral agreements on the questions of jurisdiction and transparency of the data. Having a multilateral agreement for government access to data globally was also seen as a solution by other contributors.
Move to bilateral approaches
Bilateral trade agreements were seen as a useful tool that can bring incremental improvements to digital trade, persuade other nations to join free trade agreement regimes and have a positive effect on non parties as well. Some concerns were raised, however, regarding whether this pluralism in trade regimes might fragment progress on digital trade.
The IGP workshop on digital trade proved to be very successful in creating a discussion among various stakeholder groups on the impact of trade policy on Internet governance and the intersection of trade agreements and digital rights. IGP will publish a special issue on digital trade based on the contributions of the workshop in the Journal Digital Policy, Regulation and Governance. The proceedings of this workshop and the papers can help develop a digital trade policy agenda that preserves and advances Internet freedom while being grounded in evidence and sound economic analysis. IGP will work on using and expanding the outcome of this workshop in processes and discussions about digital trade.