See discussions, stats, and author profiles for this publication at: https://www.researchgate.

net/publication/378481365

Neha Mishra: International Trade Law and Global Data Governance -Aligning
Perspectives and Practices (Hart Publishing, 2024), An Overview of the Book

Preprint · February 2024

CITATIONS READS

0 20

1 author:

Neha Mishra
The Graduate Institute
29 PUBLICATIONS 134 CITATIONS

SEE PROFILE

All content following this page was uploaded by Neha Mishra on 26 February 2024.

The user has requested enhancement of the downloaded file.

OA link: https://www.bloomsburycollections.com/monograph?docid=b-9781509961726.

Background of the book:

We live in a world where digital and data-driven technologies have led to deep geopolitical
tensions and complex regulatory fragmentation. Governments across the world are struggling to
strike a balance between participating in a thriving global digital economy and protecting vital
public interests including protecting data privacy, ensuring data security, and fostering competitive
and fair digital markets. Further, developing countries face added challenges due to insufficient
digital infrastructure, poor regulatory capacity, and a weak voice in majority of global and
transnational fora on data governance. It is important to unpack these complex interfaces between
digital trade and data regulation from various disciplinary lenses.

In my book, I explore whether international trade law can regulate global flows of digital data in a
manner that aligns with various contemporary policy priorities in global data governance. In doing
so, I look at the growing suite of data regulatory measures across different policy areas and the
role of international trade law in both disciplining unnecessary regulatory barriers in digital trade
and fostering a meaningful and inclusive global framework for data governance. This dialogue is
increasingly important, with several countries embarking upon narratives and agendas of digital
and data sovereignty, which can in turn fragment the global economic order. My book focuses on
five areas of data regulation: privacy and data protection, cybersecurity regulation, governmental
access to data, bridging the global data divide, and competition regulation, and ends with a
proposal for a multilayered framework in international trade law that better aligns trade rules with
global data governance.

1
Neha Mishra: International Trade Law and Global Data Governance – An Overview

Chapter 1: Setting the Narrative

The key question that I address in this book is whether international trade law and global data
governance can be aligned and, if so, how and to what extent. To address this question, I look at
a range of governmental measures restricting cross-border data flows (or data-restrictive
measures) aimed at addressing different public policy objectives and examine their interface with
international trade law. I also evaluate the interface of international trade law with other
international and transnational initiatives on different aspects of cross-border data governance. In
addition to looking at WTO treaties such as the General Agreement on Trade in Services (GATS),
I also discuss several examples of relevant provisions from digital trade chapters of Preferential
Trade Agreements (PTAs) and the new generation of digital-only agreements or Digital Economy
Agreements (DEAs).

Cross-border data flows entail numerous economic, social, and even political benefits for
stakeholders in the global digital economy, including governments. However, they also entail
challenging policy risks for global data governance, including fundamental aspects of privacy
protection and cybersecurity. As long argued by scholars, at the heart of global data governance
lies the conflict between a globally interconnected internet and the jurisdictional limitations created
by territorial borders. This conflict often leads to deep political divides and a dearth of trust between
different stakeholders in the global digital economy. It has also resulted in a sharp rise in domestic
laws and regulations that restrict cross-border data flows and thereby hamper digital trade. As the
book further explains in different chapters, such restrictions potentially implicate international trade
law in various ways, thereby raising complex legal and policy questions regarding the clash of
trade rules with data regulations and the best way to strike a balance between the two.

Digitalisation of the global economy creates an inextricable link between the regulation of digital
trade and cross-border data flows. In a world where data regulation is susceptible to extreme,
conflicting narratives such as the free flow of data v/s data sovereignty, finding the right balance
is difficult. Further, this divided narrative is both legally and politically counterproductive, leading
to regulatory fragmentation and reduced digital trust. With the leadership of Japan, several
countries are now promoting ideas such as “Data Free Flow with Trust” to steer towards a
balanced narrative on cross-border data flows, especially in the context of fostering the global
digital economy. While this idea has potential due to its inherent flexibility, its implementation will
necessitate stronger regulatory cooperation and more inclusive/representative dialogues on data
governance. This is particularly so because governments often have sound and clear policy
rationales in regulating cross-border data flows including protecting personal data and privacy of
individuals, cybersecurity protection, enabling governmental access to data for regulatory
supervision and law enforcement, bridging the data divide, and enabling fairer competition in
digital markets. Therefore, understanding the role of digital trade rules in this complex policy space
necessitates a multifaceted approach.

Broadly, the book highlights two key aspects regarding the role of international trade law in global
data governance. First, it argues that applying international trade law to data restrictive measures
is not a straightforward exercise but requires taking into account several policy considerations
outside of trade law and policy. Second, given the multilayered governance framework of data
flows, the narrative in international trade law must evolve to match this reality to make way for
flexible and pragmatic mechanisms that increase opportunities for digital trust and regulatory
alignment.

2
Neha Mishra: International Trade Law and Global Data Governance – An Overview

Chapter 2: The Tussle and Harmony of Trade and Privacy

While personal data flows drive the global digital economy today, their regulation is critical to
protect privacy rights of individuals. Countries often protect privacy through data protection laws,
which contain extensive checks and compliance requirements for the collection, processing, and
cross-border transfer of personal data. Further, countries may pursue multiple policy objectives
other than privacy protection through their data protection laws, including information security and
consumer protection. So far, no universally accepted legal framework for data protection and
privacy exists, although experts argue that the GDPR and, to a lesser extent, the COE Convention
and OECD Privacy Guidelines are important benchmarks. Data protection law is evolving rapidly
across the world. While some countries have adopted an accountability-based approach to cross-
border data flows thus moving the responsibility to companies to conduct the necessary checks
for cross-border transfers, others have opted for tighter regulatory controls. These controls include
data localisation either for specific categories of personal data or personal data more broadly; ad
hoc regulatory approval requirements; adequacy-based frameworks, wherein the government
maintains a whitelist of jurisdictions to which companies can transfer data; and pre-approved
contractual safeguards for inter or intra-company data transfers.

Some of the above requirements may implicate international trade law due to their trade-restrictive
impact. For instance, measures pertaining to data protection may be inconsistent with obligations
on non-discrimination, market access and domestic regulation, although such measures may be
justifiable under different sub-clauses of the general exception under GATS. It is desirable for
trade tribunals to employ both legal and technological evidence in deciding these disputes,
especially understanding the real-world impact of such measures. Nonetheless, these tests are
complicated because of: (i) the increasing irrelevance of the services classification schedule
followed by WTO members in their commitments for specific obligations such as national
treatment or market access; (ii) the limited relevance of private and multistakeholder standards in
examining the reasonableness of specific data restrictions; (iii) the lack of certainty regarding the
economic impact of privacy measures on market competition; and (iv) the complexity of “weighing
and balancing” various trade and non-trade considerations under the general exception.

Several PTAs and DEAs advance on WTO law as they contain explicit obligations for countries to
adopt frameworks on personal data protection, including by referencing certain external
guidelines, benchmarks, and principles developed by the OECD and APEC. Many PTAs also
contain binding provisions on cross-border data flows and prohibition of data localisation
measures, but subject to an exception for an undefined list of legitimate public policy objectives.
Some PTAs, especially those driven by EU, contain an explicit carve-out for data protection laws,
thus ensuring that domestic data protection law is not subject to dispute settlement procedures of
the trade agreement. However, conflicting language and the lack of common benchmarks on data
protection across PTAs continue to fragment the global regulatory landscape for personal data.

International trade law is not the appropriate platform to set norms, benchmarks, or standards for
privacy protection as it is not a privacy regulatory body. Nonetheless, international trade law can
play a contributory role in fostering global privacy in several ways, including by: (i) incorporating
evolving privacy norms and best practices from the OECD, Global Privacy Assembly, APEC data
certification mechanisms, etc. by reference in international trade agreements; (ii) creating more
regulatory alignment among countries, such as through a non-binding WTO declaration on core
aspects of data protection and privacy; (iii) facilitating robust mechanisms for mutual recognition
and interoperability of data protection frameworks; and (iv) experimenting with new models of
institutional cooperation between trade and privacy bodies, particularly the Global Privacy
Assembly.

3
Neha Mishra: International Trade Law and Global Data Governance – An Overview

Chapter 3: The Emerging Dimensions of Digital Trade and Cybersecurity

Cybersecurity is one of the fastest-expanding policy areas in global data governance; it not only
refers to the technical security of data and digital networks and infrastructure but also increasingly
includes political and economic security. Currently, no global treaties pertaining to cybersecurity
exist although the Budapest Convention on Cybercrime has been signed by 68 countries. Various
international fora including the UN, several regional organisations, as well as internet technical
and policy bodies are also discussing different aspects of cybersecurity governance. Additionally,
the private sector plays a central role in designing cybersecurity technologies and standards. Many
countries have adopted specific data-restrictive measures pertaining to cybersecurity, including
data localisation, security reviews for data transfers, imposition of indigenous technical standards,
and outright ban on specific digital services and applications. As these measures restrict digital
trade flows, they can implicate different obligations in trade treaties including the GATS: non-
discrimination, market access, and domestic regulation. In applying these tests, a careful
assessment of various factors is necessary such as the discriminatory or trade-restrictive effect of
a particular measure, its impact on market competition, and the way the measure is implemented
in practice. In assessing the reasonableness and legitimacy of such measures, however, the
global cybersecurity standards developed by private standard-setting or multistakeholder bodies
are less relevant, given the State-centric definition of international standards under GATS.

Cybersecurity-related measures can theoretically be justified under both general and security
exceptions contained in trade treaties, but there are several practical challenges. First, the lack of
international consensus on cybersecurity norms and standards can make it harder for trade
tribunals to assess whether a measure qualifies the necessity test under the treaty exceptions.
Second, different governments have different tolerance levels for cyber-risks and several of these
risks may be latent in nature, thus putting trade tribunals in a difficult position to examine the
underlying issues. Third, governments may not view market-based standards and technological
solutions as appropriate alternatives to domestic legal requirements. Finally, in the context of
security exceptions contained in GATS and several PTAs, the scope of application is usually
limited to essential security interests relating to a few exceptional scenarios such as a conflict/war
(although what qualifies as a cyber-war is not certain) or relating to military/nuclear risks, thus not
covering most day-to-day security threats. However, recent PTAs contain more lenient security
exceptions, which allow parties to self-assess the legitimacy of their cybersecurity measures.

International trade law can and must play a more expansive role in promoting global cybersecurity
governance. First, existing obligations and exceptions in international trade law, if applied
meaningfully, can discipline several protectionist measures disguised as cybersecurity-related
measures. In particular, use of technical expertise in relevant disputes will be important. Second,
bodies such as the WTO can encourage more transparent reporting of cybersecurity measures
and even create new mechanisms for the political resolution of cybersecurity-related disputes in
relevant committees. Third, in developing new disciplines on cybersecurity and digital trade,
countries can better accommodate multistakeholder and private technical and standard-setting
bodies in the implementation of cybersecurity, but accounting for factors such as transparency,
accountability, and representativeness of such bodies. Finally, multilateral organizations such as
the WTO must engage more meaningfully in multistakeholder dialogues on cybersecurity, to foster
greater global consensus on relevant trade-related aspects of cybersecurity. Some PTAs and
DEAs contain cybersecurity-specific provisions but limited to soft provisions on cooperation and
capacity building. Recent DEAs also highlight the importance of multistakeholder dialogues and
risk-based approaches in cybersecurity regulation.

4
Neha Mishra: International Trade Law and Global Data Governance – An Overview

Chapter 4: Data Access, Digital Trade and Global Data Governance

Governments seek access to and control over data for various reasons: regulatory supervision,
ensuring accountability of companies providing digital services such as compliance with domestic
laws, investigating crimes by examining electronic evidence, and even controlling/monitoring their
citizens and improving their intelligence. In recent years, several governments are attempting to
improve data access to increase domestic opportunities for commercialisation of local data
resources. One of the most common tools that governments use for data access are data
localisation measures such as compulsory local storage requirements or even a complete ban on
transfer of data abroad. Governments may also demand direct access to data from companies or
force them to submit their encryption keys as a condition of providing their services in a market.

Data access measures are problematic for various reasons: from a human rights perspective, from
the perspective of disrupting the distributed architecture of the internet and cloud computing
infrastructure and, from the commercial perspective, by raising both business costs and business
uncertainty. Nonetheless, such measures are often driven by legitimate policy objectives,
especially in a world where key sectors such as finance, health and insurance are highly
digitalised, and where crimes are often linked to online activities. This urgency is further magnified
by the gradual irrelevance of the Mutual Legal Assistance Treaties in the digital world. Some
governments also implement blocking statutes, preventing companies operating domestically from
sharing data in response to data requests from foreign governments.

Initiatives in relation to facilitating and regulating governmental access to data are common outside
the trade framework. For instance, there are state-led initiatives such as the CLOUD Act of the
United States and e-Evidence Regulation of the EU. At a global level, certain bodies such as the
OECD and the Global Privacy Assembly have created specific mechanisms to facilitate data
access while maintaining basic safeguards of reasonableness, proportionality, and due process.
However, some of these initiatives may be conflicting, for example, the requirements of the
CLOUD Act are likely to be inconsistent with data protection laws such as the GDPR. These
jurisdictional conflicts regarding data access create business uncertainty and can become
obstacles to digital trade, particularly if such measures are implemented in an arbitrary or
unreasonable manner. Further, data localisation measures often violate basic obligations on non-
discrimination and market access. While they may be justified under the exceptions contained in
international trade treaties, the weighing and balancing of the necessity of the underlying policy
objectives and its trade restrictive impact under these exceptions entail a difficult policy exercise.

In this chapter, I propose that international trade law can play a more meaningful role in dealing
with complex regulatory issues in relation to governmental access to data. First, countries must
commit to high-level declarations that ensure basic human rights safeguards for governmental
access to data such as the OECD declaration on governmental access to data or signing up to
instruments such as the Second Protocol to the Budapest Convention that deals with electronic
evidence (although the latter has some evident flaws). Second, any requirements on the
prohibition of data localisation must be accompanied by a mandatory obligation on service
providers storing/processing data abroad to provide regulators immediate access to data,
provided such requirements are legitimate and follow due process. Similarly, governments can
agree on language in trade agreements that prohibits them from demanding access to encryption
keys as a condition of market access. Finally, when trade disputes arise in relation to measures
relating to governmental access to data, it might be helpful to create legal scope for tribunals to
consider the high-level norms and principles set out in evolving global and transnational
frameworks on governmental access to data.

5
Neha Mishra: International Trade Law and Global Data Governance – An Overview

Chapter 5: Bridging the Global Data Divide through International Trade Law

A sharp data divide exists between developed and developing countries today. This divide is
multidimensional and reflected in various dimensions of the digital economy such as inadequate
quality and access to data infrastructure, poor prospects for commercialisation of data, and weak
data regulatory frameworks. A growing (often-populist) narrative is that the global data divide
results from capitalist exploitation in the digital world, often termed as “data colonialism”. This
narrative emphasises how developing countries are trapped in a vicious cycle of data
manipulation, regulatory incapacity, and digital dependency, especially on foreign Big Tech
companies. Further, many developing countries are forced to adopt regulatory models of digital
powers such as the EU, the US, or China, without necessarily contextualising them to domestic
needs and policy preferences.

The data colonialism narrative has provoked many countries, including small developing
economies and even some LDCs, to adopt reactionary industrial policies including data
localisation and local content requirements to create opportunities for the domestic digital sector.
However, as the global data divide results from a complex interplay of factors, such unilateral
reactionary measures do not necessarily address the deeper problems at hand and can further
adversely affect the ability of businesses in developing countries to benefit from global digital
trade. In this chapter, therefore I explore the role and relevance of international trade law in
bridging the global data divide and protecting the economic and political interests of developing
countries.

The existing rules in international trade agreements, including PTAs and DEAs, do not provide a
robust foundation for addressing the global data divide. As often discussed, the disciplines on
special and differential treatment in WTO law are weak, unfocused, vague, and largely ineffective.
Some WTO treaties such as GATS and TRIPS, and the Reference Paper on Domestic Services
Regulation, provide a legal basis for supporting developing countries, including engaging in
technical cooperation, and incentivising technology transfer especially to LDCs. However, the
language in these treaties is mostly aspirational and underutilised in practice. Similarly, exceptions
contained in international trade agreements do not clearly provide sufficient policy space for
countries to adopt data restrictive measures to support the domestic digital sector. Even recent
DEAs such as Digital Economic Partnership Agreement that contain soft provisions on digital
inclusion (a welcome change, of course), do not otherwise provide any binding and robust
mechanisms to offer regulatory assistance or technical support to developing country partners.

This chapter proposes building a streamlined mechanism for special and differential treatment in
the context of digital trade. The Trade Facilitation Agreement of the WTO is a helpful prototype.
For instance, obligations on enabling data flows must be complemented by regulatory assistance
and capacity building programmes for developing countries that prioritise their regulatory needs.
Similarly, trade agreements must incentivise meaningful models of technology transfer,
particularly that help customisation of digital technologies for developing countries. Third, trade
policymakers must address existing legal uncertainties such as the status of e-commerce
moratorium and the applicability of exceptions for digital industrial policies. Finally, enhancing
developing country participation in various data governance and standard-setting institutions can
also indirectly benefit the development of inclusive trade rules.

6
Neha Mishra: International Trade Law and Global Data Governance – An Overview

Chapter 6: Reconciling International Trade Law and Competition in the Data-Driven Economy

One of the biggest drivers of Big Tech companies (that have become monopolies in various digital
markets) is their disproportionate data advantage, which generates network economies of scale,
tips markets in their favour, facilitates their easy entry into multiple new (adjacent) markets, and
stifles new market entrants while reinforcing the economic and political power of Big Tech. As a
result, Big Tech companies can conduct massive user surveillance and trap their users in their
digital platforms/siloes indefinitely. Therefore, governments have resorted to various measures to
control data harms and foster data equity. This includes data localisation or other restrictions to
control data malpractices by Big Tech companies. Depending on how they are implemented, these
measures can sometimes violate international trade law.

Further, governments have moved towards imposing requirements for fairer digital competition
such data portability, interoperability, and mandatory data sharing requirements. For instance,
several of these provisions are set out in the Digital Markets Act of the EU and proposed by expert
committees in the UK and the US. However, the effectiveness of these competition regulatory
tools in enhancing competition in digital markets remains unclear to date. They also deeply affect
the business models of global companies that often move data across borders in real time.
Further, over enforcement or selective enforcement of these tools against specific technology
companies can also adversely affect digital trade flows and create geopolitical tensions.

Given that digital/data markets are inherently global, we must understand the interplay of
international trade law and competition law and evaluate if international trade law can contribute
to competition principles necessary for fairer and equitable cross-border data flows. Historically,
the role of the WTO in regulating competition has been controversial and rarely addressed in trade
disputes. With the globalisation of the economy, some economies such as the EU proposed the
inclusion of a global code of competition rules under WTO law, but many others objected due to
varied concerns including losing their domestic regulatory space and stronger preference for
bilateral cooperation measures for competition.

Ultimately, only some aspects of competition regulation were included under the framework of
WTO law such as in the telecommunications sector (in addition to non-discrimination provisions
found in WTO treaties). Majority of PTAs with competition rules are also high-level disciplines such
as adopting competition laws (sometimes with reference to frameworks under the International
Competition Network (ICN) and the OECD) and cooperation on competition matters. The
exception is the PTAs of the EU, which generally have detailed rules on competition policy and
often require their trading partners to adopt a competition law framework similar to the EU. None
of these are rules are specific to the digital sector, which increasingly faces unique competition
problems as discussed earlier.

This chapter proposes that reaching a multilateral agreement on digital competition (e.g. under
the WTO) is highly unlikely. Instead, it is important to consider the role of other important fora such
as the OECD and the ICN in developing soft law norms and best practices for completion in the
digital sector. Further, countries may consider incorporating digital competition principles in their
PTAs and DEAs with like-minded trading partners. This would provide flexibility such as
incorporating international best practices by reference (e.g. referring to the guidelines developed
by ICN or OECD) or building regional best practices through existing regional trade bodies or even
facilitating dialogues for cross-border competition enforcement in dedicated PTA/regional
committees. Over time, a shared understanding between parties may improve the prospects of
achieving consensus on digital competition issues and facilitate a gradual transition towards
greater regulatory convergence on digital competition.

7
 Neha Mishra: International Trade Law and Global Data Governance – An Overview

Chapter 7: Aligning International Trade Law and Global Data Governance – Towards a
Multilayered Approach

For international trade law to play a meaningful role in global data governance, trade policymakers
must understand the interplay of digital trade and data governance instead of segregating them.
The sharp rise in data restrictive measures curtails digital trade flows and raises difficult questions
in international trade law. While across chapters, I have argued that international trade law can
apply in a meaningful manner (e.g., by meaningfully using legal and technological evidence in
trade disputes), various gaps remain unaddressed due to the multifaceted and polycentric nature
of data governance. Further, trade law faces some inherent limitations, especially when dealing
with legitimate data-restrictive measures with incidental trade-restrictive impact. Thus, it is
important to develop a multilayered approach for the regulation of cross-border data flows. This
approach combines binding treaty provisions with a variety of other tools such as soft law
frameworks, multistakeholder and transnational norms and standards, and informal and flexible
mechanisms for regulatory cooperation and resolution of data-related trade disputes. Regional
bodies and transnational policy networks also play a critical role in providing a foundation for the
global framework for cross-border data flows, and thus trade bodies must be better aligned with
them. So how can we achieve this alignment in practice?

First, we need a balanced narrative on digital trade, one that avoids the unhelpful dichotomy
between free flow of data and data/digital sovereignty, and instead steers towards digital trust,
international cooperation, regulatory alignment, and inclusion. This narrative must underlie any
reforms in international trade law and would shift the attention from currently controversial aspects
such as dispute settlement and usurpation of policy space to building more avenues for meaningful
political dialogues on issues of common concern and trust-based mechanisms for data transfers.
It would also provide more space for developing countries to voice their views, and foster changes
that help them overcome the existing global data divide and compete in fairer digital markets.

Second, we need to create new flexible instrumentalities in international trade law that take into
account the complexities of the digital economy. For instance, countries could develop and agree
upon a non-binding framework for cross-border data flows. I also propose developing a standards
framework for data-driven services, modelled on the TBT Code of Good Practice. Finally, I
recommend creation of new multistakeholder mechanisms for facilitating various forms of
international regulatory cooperation. This path is pragmatic as several divisions are already visible
in the data regulatory preferences of WTO members. A binding multilateral agreement that
provides comprehensive disciplines on cross-border data flows is less likely in the short run,
although this is happening in some PTAs and DEAs. Trade policymakers must also focus on
incremental steps such as systematic notification of data-restrictive measures, political resolution
mechanisms for difficult data disputes especially on national security, and robust enforcement of
transparency obligations. In the long run, these mechanisms are likely to build trust.

Finally, future policy agendas must focus on operationalising trust-based frameworks that build on
regulatory interoperability and inclusion. For instance, interoperability and mutual recognition
mechanisms can be linked to market access provisions and existing trustmarks/data certification
mechanisms. In this way, international trade law can play a contributory role in providing the
building blocks for the global framework for cross-border data flows, while remaining politically
sensitive about issues that are harder to reconcile due to political or ideological conflicts among
countries. Without building a multilayered approach in international trade law that combines
traditional multilateral rulemaking with soft law and more flexible mechanisms, the alignment of
digital trade rules and global data governance will only remain a distant dream.

View publication stats