Background
In recent years, proponents of data globalization have been at loggerheads with the proponents of data localization. The former have been promoting free and open flow of data across borders, while the latter have been adopting measures curtailing cross-border data flow citing privacy and security concerns. These data localization measures broadly restrict or prohibit cross-border data flow and require the storage and processing of data within the territory of the country adopting such norms. According to most studies, such forced localization measures create a huge burden on businesses, particularly for small and medium-sized enterprises (SMEs), increasing costs up to 30 – 60% for acquiring local computing facilities and data storage infrastructure.[1] In fact, as per a study conducted by the European Centre for International Policy Economy, forced data localization norms lead to a negative impact on the GDP and considerable impact on investments.[2] For instance, as per the study, the impact of recently proposed or enacted data localization measures on the GDP in seven countries was: Brazil (-0.2%), China (-1.1%), the EU (-0.4%), India (-0.1%), Indonesia (-0.5%), Korea (-0.4%) and Vietnam (-1.7%). However, countries adopting such measures justify their need for protecting data privacy, cybersecurity and protection from illegal external surveillance.[3] These fears are not entirely unfounded. Particularly after the revelations of the National Security Agency’s mass surveillance program by Edward Snowden, more countries started adopting data localization measures.[4]
Data localization norms adopted by countries
As of 2019, over thirty-four countries have adopted data localization measures, including China, Germany, Russia, Vietnam and Malaysia.[5] These norms differ across the board in the level of restrictions they place. For instance, Russia’s data localization law, which came into force in 2015, requires businesses collecting personal data of Russian citizens to “record, systematize, accumulate, store, amend, update and retrieve” in databases located in Russia.[6] However, such data can be mirrored abroad or accessed remotely from outside Russian borders. While Google and Apple complied with Russia’s data localization norms, LinkedIn did not and was consequently blocked in Russia.[7] China’s data localization norms are more extensive. The cybersecurity law requires operators to store all personal data and all ‘important data’ within mainland China and any cross-border transfer of such data is only allowed after a security assessment. If it is determined by the security assessment that the transfer of personal information may affect national security or public interest, or the security of such information cannot be protected, then such information will not leave the country.[8] In Germany, for software services purchased by Germany’s public authorities, Resolution 2015/5 requires sensitive information, including government secrets and infrastructure information, to be stored on servers within Germany in a cloud called Bundes Cloud.[9] While WTO agreements, especially the General Agreement on Trade in Services (GATS), do not explicitly prohibit data localization measures, there is an increasing body of scholarship encouraging the WTO to include localization as a trade restrictive measure.[10]
Exploring the legality of data localization measures under GATS
The GATS applies to supply of services including the production, distribution, marketing, sale and delivery of a service.[11] This includes supply of services “from the territory of one Member country into the territory of any other Member” (Mode 1).[12] Supply of services through Mode 1 does not require the physical presence of one Member country’s supplier in the other Member country,[13] and therefore, it also includes trade in digital services under WTO’s jurisprudence.[14] The cross-border supply of digital services inevitably includes cross-border flow of data required for the service, such as consumer data or business data.[15] Consequently, data localization measures which restrict or de facto prohibit cross-border trade in services can be assessed under the GATS framework.[16] This raises questions as to whether data localization measures may violate the core principles of GATS:
(a) National treatment: Article XVII of GATS provides that Members have to accord to services and service suppliers of any other Member, “treatment no less favorable than it accords to its own like services and service suppliers.” Assuming a data localization measure affects the supply of service in a particular sector in which a Members has a national treatment obligation, it is arguable that a data localization measure violates a Member’s national treatment obligation.[17] This is because a data localization measure would require foreign service suppliers to have expensive local infrastructure increasing their costs, and affording them a less favorable treatment than domestic suppliers.
(b) Market access: Article XVI:2 provides a list of market access commitments to be complied by Members in sectors where market access commitments are undertaken. As per Article XVI:2 (a) Members will not adopt measures which impose limitations on the number of service suppliers whether in the form of numerical quotas, monopolies, exclusive service suppliers or the requirements of an economic needs test. In US – Gambling, the WTO Appellate Body found the US’s laws, prohibiting cross-border supply of gambling and betting services, as violative of Article XVI:2 (a) by holding that: “[A] prohibition on one, several or all means of delivery cross-border] is a “limitation on the number of service suppliers in the form of numerical quotas” within the meaning of Article XVI:2(a) because it totally prevents the use by service suppliers of one, several or all means of delivery that are included in mode 1.”[18] Using a similar line of reasoning, it is arguable that a data localization measure is a limitation on the number of service suppliers as it totally prevents the use by service suppliers of one, several or all means of delivery of cross-border digital service.
As seen above, a data localization measure could potentially violate a Member’s national treatment and market access obligations under GATS.
Justifying data localization measures under GATS exceptions
General exceptions
Assuming, basis our analysis above, that the data localization measure violates a Member’s obligations under GATS, to be legal such a measure will have to fall within either the general exceptions under Article XIV or security exception under Article XIV bis. Under Article XIV, there are two relevant exceptions applicable to data localization measures, Article XIV(a) and (c),[19] which are as follows:
- Article XIV(a) – measures necessary to protect public morals or to maintain public order. Under this, the Member has to bear the burden of proving the necessity of adopting such a measure to achieve its objectives.[20] Under WTO’s jurisprudence, this entails a ‘weighing and balancing’ test with three factors: (i) the contribution of the measure to achieve the stated objective (public moral or public order); (ii) the restrictive impact of the measure on international commerce; and (iii) identification of possible alternatives which are less trade restrictive in nature.[21] In addition, a footnote to Article XIV(a) states that the “public order exception may be invoked only where a genuine and sufficiently serious threat is posed to one of the fundamental interests of society.” Hence, any Member seeking to justify a data localization measure under this exception will have to fulfil the high threshold of the ‘weighing and balancing’ test and ‘public order’. It would be difficult to justify that a data localization measure is the least trade restrictive measure a Member could have adopted.
- Article XIV(c) – measures necessary to secure compliance with laws or regulations which are not inconsistent with the provisions of GATS including those relating to: (i) the prevention of deceptive and fraudulent practices or to deal with the effects of a default on services contracts; (ii) the protection of the privacy of individuals in relation to the processing and dissemination of personal data and the protection of confidentiality of individual records and accounts; (iii) safety. Under this exception it is easier for a Member to justify a data localization measure. However, the ‘weighing and balancing’ test will have to be fulfilled even under this exception. This implies that the Member will have to prove that there are no alternative measures which are less trade restrictive.
In addition, if a measure falls within any of the exceptions, a WTO panel will also assess if the measure satisfies the requirements in the chapeau of Article XIV, i.e., the measure is “not applied in a manner which would constitute a means of arbitrary or unjustifiable discrimination … or a disguised restriction on trade in services.”[22] This is to ensure that the exceptions are exercised reasonably by Members.[23] Thus, a Member will have to meet extensive scrutiny under Article XIV before a data localization measure can be considered an exception to GATS’ rules and commitments.
Security exception
Article XIV bis does not prevent any Member from taking any action “which it considers necessary to protect its essentials security interests” (i) relating to the supply of services for the provisioning of a military establishment; (ii) relating to fissionable and fusionable materials and the materials from which they are derived; or (iii) taken in time of war or any other international relations emergency. Although there is no extensive WTO jurisprudence on the security exception, it came to be considered in the context of the General Agreement on Tariffs and Trade (GATT) by a WTO Panel in Russia – Measures Concerning Traffic in Transit.[24] The Panel clarified that ‘essential security interests’, while not defined under the WTO agreements, refers to those interests relating to the quintessential functions of the state “namely, the protection of its territory and its population from external threats, and the maintenance of law and public order internally.”[25] Due to the specific circumstances under which such an exception may be availed, it is unlikely that Members can justify a data localization measure as a means to protect its ‘essential security interests’.
Data localization andFree Trade Agreements (FTAs)
Provisions prohibiting data localization have become increasingly common in recent FTAs. More and more countries are willing to accept such provisions in their regional and bilateral trade agreements. For instance, the Comprehensive and Progressive Agreement for Trans-Pacific Partnership (CPTPP) prohibits a party from requiring a covered person to use or locate computing facilities in that party’s territory as a condition for conducting business in that territory.[26] It allows Members to adopt measures which achieves legitimate public policy objectives, provided the measure (a) is not be applied in an manner which constitutes arbitrary or unjustifiable discrimination or disguised restriction on trade; and (b) does not impose restrictions on the use or location of computing facilities greater than are required to achieve the objective.[27] However, the text does not define what constitutes a ‘legitimate public policy objective’. In addition, in chapter 29 on exceptions and general provisions, the CPTPP allows the applicability of GATS general exceptions under Article XIV (a), (b) and (c) to the digital trade chapter. It also contains a security exception that is limited to adoption of measures necessary to fulfil its obligations with respect to the maintenance or restoration of international peace or security, or the protection of its own essential security interests.[28] Similar obligation and exceptions are included in the US-Mexico-Canada Agreement.[29] The Regional Comprehensive Economic Partnership (RCEP) also contains a similar prohibition as in the CPTPP.[30] However, the exceptions in RCEP allow a party to adopt a measure for ‘essential security interests’ and such a measure cannot be disputed by other parties. Such an indisputable right is unique to the RCEP and is not seen in any other FTA.
Data localization debate in the plurilateral e-commerce negotiations
Despite being a common provision adopted in recent FTAs, the data localization issue is hotly debated in WTO’s plurilateral e-commerce negotiations.[31] This mainly comes from the differing positions held by the US and China. The US’s proposal focussed on a provision similar to the USMCA, i.e., prohibiting a party from requiring the use or location of computing facilities in that party’s territory as a condition for conducting business in that territory, without any exceptions.[32] However, China, with its extensive domestic data localization regulations, maintained reservations to include any provision on this issue.[33] Consequently, no consensus has been reached in the initial negotiating rounds which took place in 2019. As reflected in China’s proposal, it may agree to include a provision prohibiting data localization but push for an exception similar to the RCEP, i.e., an indisputable essential security exception.[34]
Way forward
From the analysis above, the following observations emerge:
- While data localization measures are becoming increasingly common, there is little clarity on whether such measures meet their intended objectives – data protection or privacy or cybersecurity, especially without strong domestic laws on data protection and privacy. Meanwhile, various studies show the negative economic impact on countries which adopt such measures. It will be interesting to see how countries balance trade and data governance going forward.
- So far, only FTAs have binding obligations prohibiting data localization measures. Due to a lack of political will and consensus on the issue, there is a long way to go before data localization measures are explicitly deemed trade restrictive under GATS, either through an amendment to GATS or a legal interpretation. Even a consensus on this issue in the plurilateral negotiations appears shaky. Consequently, FTAs will lead the way in the context of data governance in the near future.
This piece has been authored by Kruthi Venkatesh, a consultant working with Ikigai Law, with inputs from Nehaa Chaudhari, Director (Public Policy), Ikigai Law.
For more on the topic, please feel free to reach out to us at contact@ikigailaw.com
For other
articles in this series, please see here.
[1] UNCTAD, Data Protection Regulations and International Data Flows: Implications for Trade and Development at 4 (2016), available at, https://unctad.org/en/PublicationsLibrary/dtlstict2016d1_en.pdf; See also Leviathan Security Group, Quantifying the Cost of Forced Localization, at 3 (2015), available at, https://static1.squarespace.com/static/556340ece4b0869396f21099/t/559dad76e4b0899d97726a8b/1436396918881/Quantifying+the+Cost+of+Forced+Localization.pdf (last accessed on 19th Jun., 2020).
[2] European Centre for International Political Economy (ECIPE), The Costs of Data Localisation: Friendly Fire on Economic Recovery (2014), available at, https://ecipe.org/publications/dataloc/ (last accessed on 19th June, 2020).
[3] Id.
[4] Jonah Force Hill, The Growth of Data Localization Post-Snowden: Analysis and Recommendations for U.S. Policymakers and Business Leaders, 2(3) Lawfare Research Paper Series at 3 (July, 2014), available at, https://lawfare.s3-us-west-2.amazonaws.com/staging/Lawfare-Research-Paper-Series-Vol2No3.pdf (last accessed on 19th June, 2020).
[5] Sean Stephenson and Paul M. Lalonde, The Limits of Data Localization Laws: Trade, Investment, and Data, (9th Aug., 2019) available at, http://www.dentonsdata.com/the-limits-of-data-localization-laws-trade-investment-and-data/ (last accessed on 19th June, 2020).
[6] Federal Law No. 242-FZ, art. 2, available at, https://pd.rkn.gov.ru/authority/p146/p191/ (last accessed on 19th June, 2020).
[7] Mark Scott, Russia Prepares to Block LinkedIn after Court Ruling, 10th November, 2016, available at, https://www.nytimes.com/2016/11/11/technology/russia-linkedin-data-court-blocked.html (last accessed on 19th June, 2020).
[8] Personal Information Outbound Transfer Security Assessment Measures, art. 2, available at, https://www.newamerica.org/cybersecurity-initiative/digichina/blog/translation-new-draft-rules-cross-border-transfer-personal-information-out-china/ (last accessed on 19th June, 2020).
[9] Hosuk Lee-Makiyama and Matthias Bauer,The Bundes Cloud: Germany on the Edge to Discriminate Against Foreign Suppliers of Digital Services, European Centre for International Political Economy (ECIPE) (2015), available at, https://ecipe.org/publications/the-bundes-cloud-germany-on-the-edge-to-discriminate-against-foreign-suppliers-of-digital-services/ (last accessed on 19th June, 2020).
[10] See Duane Morris TechLaw, Russia’s data localization law – a violation of WTO regulations?, 20th January, 2016, available at, https://blogs.duanemorris.com/techlaw/2016/01/20/russias-data-localization-law-a-violation-of-wto-regulations/?utm_source=Mondaq&utm_medium=syndication&utm_campaign=LinkedIn-integration; See also Congressional Research Service, U.S. Trade in Services: Trends and Policy Issues, at 13 (22nd Jan., 2020) (arguing that localization requirements by other countries can create trade barriers) available at, https://fas.org/sgp/crs/misc/R43291.pdf (last accessed on 19th June, 2020).
[11] General Agreement on Trade in Services, Apr. 15, 1994, Annex 1B, 33 I.L.M. 1167 (1994), art. XXVIII(b), Definition of “supply of a service” (hereafter, GATS).
[12] GATS, art. I:2 (a).
[13] See WTO Panel Report, Mexico – Measures Affecting Telecommunications Services, WT/DS/204R, at para 7.45 (1st June, 2004) (concluding that services “without United States’ suppliers operating, or being present in some way, in Mexico, are services which are supplied cross-border within the meaning of Article I:2(a) of the GATS.“)
[14] See WTO Appellate Body Report, United States – Measures Affecting the Cross-Border Supply of Gambling and Betting Services, WT/DS285/AB/R, para. 239 (20th April, 2005) (hereafter US – Gambling).
[15] Daniel Crosby, Analysis of Data Localization Measures Under WTO Services Trade Rules and Commitments, Policy Brief, The E15 Initiative, at 2 (Mar., 2016), available at, http://e15initiative.org/wp-content/uploads/2015/09/E15-Policy-Brief-Crosby-Final.pdf (last accessed on 19th June, 2020).
[16] Id. at 2.
[17] Id. at 8.
[18] US – Gambling, supra note 14, at para 238.
[19] Neha Mishra, Privacy, Cybersecurity and GATS Article XIV: A New Frontier for Trade and Internet Regulation, World Trade Review at 4 (2019), available at, https://www.cambridge.org/core/journals/world-trade-review/article/privacy-cybersecurity-and-gats-article-xiv-a-new-frontier-for-trade-and-internet regulation/F46D255A399C0A30B9BA68021EC28947 (last accessed on 19th June, 2020).
[20] US – Gambling, supra note 14, at para 309.
[21] US – Gambling, supra note 14, at para 307 – 308; See also AB Report, Brazil – Measures Affecting Imports of Retreaded Tyres, WT/DS332/AB/R at 146, 178 (17th Dec., 2007).
[22] US – Gambling, supra note 14, at para 292.
[23] US – Gambling, supra note 14, at para 339.
[24] Panel Report, Russia – Measures Concerning Traffic in Transit, WT/DS512/7 (26th Apr., 2019).
[25] Id, at para 7.130.
[26] Comprehensive and Progressive Agreement for Trans-Pacific Partnership, Art. 14.13.
[27] Comprehensive and Progressive Agreement for Trans-Pacific Partnership, Art. 14.13.3.
[28] Comprehensive and Progressive Agreement for Trans-Pacific Partnership, Art. 29.2.
[29] The US-Canada-Mexico Agreement, Art. 19.12 and Art. 32.2.
[30] Regional Comprehensive Economic Partnership, Art. 15.2.
[31] For context on WTO’s plurilateral negotiations, please see our first piece in this series titled ‘E-commerce Related Discourse at the WTO: Brief History and Subsequent Developments’, here.
[32] World Trade Organization, Joint Statement on Electronic Commerce, Communication from the United States, INF/ECOM/23, at 5 (26th Apr., 2019).
[33] World Trade Organization, Joint Statement on Electronic Commerce, Communication from China, INF/ECOM/19 (24th Apr., 2019).
[34] Id.
