Date: Sep 8 (Wed.) 2021, 14:00-16:00
- Tsai-Fang Chen, Associate Professor of Law & Director of Legal Center for Enterprise & Entrepreneurship, National Yang Ming Chiao Tung University.
- Chen-hao Ku, Acting Director, Legal Research & Resource Development Center in the Science & Technology Law Institute, Institute for Information Industry
The basic idea of data across borders is ‘computer-generated and machine-readable digital data being transmitted electronically between different countries.’ The importance of data across borders has grown because of the expansion of traditional business operation models and the emergence of innovative business models; it also has a critical impact on modern global trade. However, the Snowden incident in 2013 made many states realize that the national security measures the United States employs could potentially harm the data security of other countries. Since then, state governments have been paying more attention to regulating data across borders and focusing their policies on data protection. Some might argue Trump’s bashing of TikTok over the latter’s data leak incidents was one example of such trends.
Some countries implement data localization policies to restrict free data flow. The idea of data localization is basically making the transmission of local data to other jurisdictions illegal. To comply with such regulations, companies will have to either establish data centers locally or employ local vendors to store and process data locally.
The European Union’s General Data Protection Regulation (GDPR) has become the standard of data protection regulations since coming into effect in May 2018. The baseline of GDPR regarding data protection is ‘prohibit in principle but allow exceptions.’ This is also an illustration of how the EU deems data protection a basic human right. The EU also principally prohibits member states from transferring data outside the EEA due to concerns that data protection laws in other jurisdictions are not as powerful as GDPR. The high standard GDPR imposes on companies with regard to data protection practices has a visible impact on global trade. Many companies have since moved their data servers to countries within the EEA to comply with GDPR; this has negative effects on the openness of trade in services. Moreover, the legal obligations of retaining certain data also increase companies’ operational costs, thus preventing them from providing services internationally.
Whether data flow is free has an essential impact on the free trade of services and products. Regulating measures regarding data localization listed in the General Agreement on Trade in Services (GATS) include Most-Favoured-Nation (MFN) Treatment (Article II), Market Access (Article XVI), and National Treatment (Article XVII). All countries have to comply with the MFN requirements. Many items listed under MFN requirements will be impacted by regulations of cross-border data; global financial services, for example, are among them. Services involving substantial data processing activities are the most impacted. As suggested above, GDPR restricts data transmission across borders; however, it does not prohibit data processing services. The two obviously conflict with each other. According to GATS, the EU can impose restrictions on data transmission in order to protect citizen privacy, but such restrictions cannot be discriminatory with respect to different countries.
Currently, most international trade agreements are primarily bilateral agreements. Most agreements seek to allow data flow while protecting personal data; in other words, they apply a ‘principally allow but prohibit in exception’ approach. However, different countries hold distinct views regarding data flow. The US, whose economic power is largely attributable to the global enterprises in the country, is a strong advocate for free data flow. The EU, on the other hand, values data protection more than free data flow. China is another model where the state wants free trade without free data flow due to its so-called national security reasons. Trade agreements such as the Comprehensive and Progressive Agreement for Trans-Pacific Partnership (CPTPP), Digital Economy Partnership Agreement (DEPA), and United States-Mexico-Canada Agreement (USMCA) all include requirements ensuring free data flow while allowing exceptions. For example, CPTPP allows members to adopt or maintain measures to restrict free data flow for legitimate public policy objectives, provided that the measures are ‘not applied in a manner which would constitute a means of arbitrary or unjustifiable discrimination or a disguised restriction on trade.’ The Regional Comprehensive Economic Partnership (RCEP) also allows member states to adopt or maintain restricting measures if they are considered necessary to achieve a legitimate public policy objective or to protect the country’s essential security interests.
E-commerce, digital transmission, and products, services, and financial services across borders have created huge economic benefits through global trade. As a result, some might argue that free data flow is the foundation of free trade and globalization. As the first speaker elaborated, many regional trade agreements have specifications aiming to ensure free data flow. Free data flow and data localization are at opposite ends of the spectrum, and state governments will have to weigh the benefits and risks when moving along the spectrum.
On the one hand, excessive regulations on data flow across borders will have a negative impact on global and national economic development; on the other hand, a lack of regulations can harm individual rights. It is clear that the need for regulations regarding cross-border data flow is now a global consensus, but every state has its own perspective and interpretation of the content and implementation of such regulations. To ensure an ever-prospering global economy, we have to devote effort to communicating and negotiating between different regulating regimes to reach a global consensus. The expected outcome is a global trade agreement, and eventually, globally common practices.
There are two common causes of obstacles and controversies when it comes to data flow across borders. One is the gap in data protection regulations within the country; the other is the different regulating measures between the original jurisdiction of the data and the receiving one. In the latter case, it would be a challenge to decide which jurisdiction’s law should apply to protect the parties’ rights. Moreover, in cases of cross-border rights infringement, it is also important to take into account the problems of liability and compensation enforcement.
Currently, there are two main approaches to enforcing data localization. One is requiring companies to store data locally through regulations; the other is imposing restrictions on cross-border data transfer, which, as a result, retains data within the border. Countries that take the former measures include China, Russia, Indonesia, India, and Vietnam. On the other hand, countries that have restrictions on data flow include the UK, Japan, Hong Kong, Singapore, and Malaysia. Needless to say, different countries impose different specifications on different kinds of data.
The countries mentioned above regulate cross-border data transfer utilizing the model of ‘principally prohibit and allow exceptions.’ There are also countries that prefer a different model, allowing free data flow in principle while prohibiting exceptions. In the case of China, the government’s regulation concerning cross-border data transfer is the “Data Security Law”. The law was developed to protect Internet security and, in connection with the Internet Security Law and Personal Data Protection Law, regulates the collection, retention, utilization, processing, transfer, provision, and publication of data.
The EU’s GDPR is recognized as the strictest data protection regulation globally. The EU wants to protect data within the EEA borders with a focus on individual rights. In the APAC region, the Asia-Pacific Economic Cooperation (APEC) has developed the Cross-Border Privacy Rules (CBPR). Through CBPR, APEC aims to establish trust between consumers and regulatory authorities. APEC members should comply with CBPR and have third parties verify their compliance. Unlike GDPR, the ultimate objective of CBPR is to encourage free trade; protecting personal data is only the means to the end. Rumor has it that APEC is considering extending CBPR to non-APEC members, but the plan is still in an early stage while they gather members’ input.
In Taiwan, the regulating premise of data flow across borders is ‘principally allow, prohibit in exceptions.’ The authority can impose restrictions on data transfer under the following circumstances:
- where major national interests are involved;
- where an international treaty or agreement so stipulates;
- where the country receiving the personal data lacks proper regulations on protection of personal data and the data subjects’ rights and interests may consequently be harmed; or
- where the cross-border transfer of the personal data to a third country (territory) is carried out to circumvent the PDPA.
In addition, different specifications apply to particular types of data, for example, data containing biological or financial information. The law also prohibits media communication enterprises from transferring user data to China. Taiwan’s data protection law is in compliance with APEC’s data protection principles.
In conclusion, different states have different objectives for the implementation of data localization. The objectives range from protecting citizens’ personal data and national security to criminal investigation and mitigation and assisting industry growth. The data types states choose to restrict also vary, ranging from personal data and sensitive/critical data to specific types of data (e.g., financial and medical records). There is also a lot more to take into account when it comes to designing and implementing data localization measures. For the EU and Japan, the strength of data protection in the receiving countries is one major factor. They also pay a lot of attention to the protection measures taken by the enterprises transferring the data, which is also something the Australian government focuses on.