The role of cross-border data flows in the digital economy

Brief

22 Jul

Last reviewed: June 2022. This resource is available for download (PDF) in English and French.

In a digital economy, cross-border data flows are crucial in enabling improvements in national economies and living standards in developing countries. Nowadays, the drastic growth in the movement of data means this flow far outweighs the transfer of goods or services. While this means that advances in policy can be made, regulations must be put into place that protect industries, populations, and territories.

The brief, written in close collaboration with Macmillan Keck, seeks to identify specific attributes of cross-border data flows that can help policymakers and regulators build a digital economy that includes — and serves — everyone.

+ 1. Summary

Growth in cross-border data flows is outstripping growth in the flow of goods, services, and people. This is enabling improvements in national economies and living standards in developing countries through greater integration into the global economy. Where data crosses borders, it is exposed to risks beyond such borders, and governments often regulate cross-border data movement to protect their industries, populations, and territories. Data protection laws aim to protect consumer privacy, but inconsistent approaches also impair the ability of consumers to participate fully in the digital economy. Government concerns over national security and public safety have led to restrictions on outward and inward technology and other data transfers. Governments have enacted varying degrees of Internet censorship to block cross-border media and personal communications. Some governments also regulate cross-border data transfers in pursuit of national industrial and fiscal policy.

The global data governance framework is thus currently fractured and inefficient, reflecting deep fissures in trust and instilled differences in approaches among nations. Developing country policymakers cannot alone forge the necessary international cooperation, but they can focus on their domestic data frameworks and participate in relevant international efforts.

+ 2. Considerations while reading this brief

Which challenges related to access to cross-border data flows in a digital economy are most prominent in your market, both a) in general and b) for historically underserved groups such as women and low-income people?
Do cross-border data flows policy and regulations in your country address:
- Digitization: The application of cross-border data flows regulation to the digital economy?
- Inclusivity: The specific challenges faced by women, low-income people, and/or other underserved groups with regard to cross-border data flows?
Which entities are responsible for regulation cross-border data flows? Are responsibilities clear, and are mechanisms in place to avoid regulatory arbitrage? If not, how could this be improved?

+ 3. Characteristics and scope

Cross-border data flows encompass any transfer of data or information across sovereign boundaries. Trade in goods and services – and human travel and migration – have involved embedded data flows for millennia. Today, however, cross-border data flows are increasing exponentially.

Cross-border data volumes were 20 times greater in 2017 than in 2007, and they are expected to be four times greater in 2022 than in 2017. The global volume of data stored across the Internet is expected to grow from 33 zettabytes in 2018 to 175 zettabytes in 2025, with nearly half stored in the cloud, a system of globally distributed and connected servers.

Content generated or consumed by humans represents the bulk of cross-border data volume. In 2020, video, gaming, and social sharing comprised 80% of Internet traffic. Data-driven services, such as computing, telecommunications, media, finance, professional services, and others now comprise half of cross-border service trade, roughly equivalent to travel, transport, and other traditional services combined.

Data may flow into, out of, or simply through a country in transit. Border crossings may be intentional (as when a Fiji resident shares files with a Bangladesh resident) or unintentional (as when one Gambian resident emails another Gambian resident but the network routes the message through Europe). A border crossing may occur before a user accesses the data if a global provider has cached copies of content, such as popular social media content, on domestic servers to reduce latency.

+ 4. Policy drivers and responses

The value of cross-border data flows

Data does not exhibit scarcity characteristics like goods or services. It is sharable, reusable, and non-depletable. Firms can gather, store, process, retrieve, and transmit vast amounts of data at minimal cost. Rather than diminish, data’s value grows with repeated access and use due to accretion and network effects: the value of data increases as the volume and variety of data increase and as more users contribute to and have access to it. For example, the aggregation of health and behavioral data relating to individuals allows detection of correlations and possibly causal connections between activities, living conditions, and health. The value of intangibles – or knowledge-based assets – comprises a very large part of total assets in developed economies and can be expected to grow as developing countries’ economies rely increasingly on data.

Cross-border flows can improve national economies and living standards in developing countries by leveraging global knowledge to facilitate national integration into the world economy. A 2020 OECD study found that emerging economy participation in the global value chain enabled by cross-border data flows has increased local wages and attracted investment in local infrastructure, machinery, and equipment, even as the share of value added by local intangibles has diminished. Another 2020 OECD study concluded that governments can stimulate local production of intangibles that add value by strengthening their country’s appeal for global value chain activities and strengthening local production and innovation ecosystems and connections to other countries. Achieving these objectives requires openness to cross-border data flows.

The apparel industry offers a good example. A US-based online apparel retailer may procure new patterns from a designer in Italy, review and modify designs in New York, and transmit final patterns to garment manufacturers in El Salvador and Pakistan. The retailer may communicate with carriers for transport of fabrics and other inputs from China, India, and Japan to the garment manufacturers and for transport of completed garments to global distribution centers in Europe and North America. Real-time monitoring of orders and sales can enable the retailer to respond quickly to demand changes by communicating adjustments in style, size, and quantity to the manufacturers.

Cross-border data flows can also help improve public health, agricultural production, and law enforcement. COVID-19 has underscored the importance of global data sharing to monitor the spread and impact of infectious diseases and to develop and administer vaccines and treatments. Technological advances in data collection and analytics can help smallholder farmers in developing countries meet rising food demand in harsher climate conditions. Data obtained from satellite imagery, on-site measurements of soil conditions, and commodities markets can be combined by computer models to predict supply and demand patterns and crop yields to guide farmers via smartphone applications in selecting seeds, planting, and harvesting. Cross-border data sharing can also help governments address tax avoidance, international crime, and terrorism.

Regulating data flows across borders

As with trade in goods and services and human movement, unregulated cross-border data flows can undermine internal safeguards set up by individual countries to protect their industries, populations, and territories. These threats lead governments to respond by regulating relevant data flows. Sometimes the cross-border nature of data is incidental to underlying concerns, while other times it is the source of those concerns.

Protecting intellectual property to foster innovation and investment

Governments enact intellectual property (IP) laws to foster investment, innovation, and competition. Developing and bringing valuable knowledge and technology to market often requires significant investment in research and development with uncertain returns. Strong IP laws for copyright, industrial design, patent, trade secrets, trademark, and geographic indication can help developing countries attract inward technology and investment flows.

Copyright, industrial design, and patent laws reward the creation and sharing of information by affording authors, designers, and inventors exclusive economic rights over their published works for limited periods. Responding to data’s growing importance, copyright protection was extended to original selections or arrangements of published databases (collections of data), but not the underlying data, in the Agreement on Trade-Related Aspects of Intellectual Property Rights (TRIPS). The European Union, Mexico, and South Korea also recognize what are referred to as sui generis database rights, meaning rights over a dataset that has been obtained, verified, or presented with substantial investment even if it lacks copyright-worthy originality. Conversely, China, the United States, and other TRIPS parties require originality to protect published databases. A 2020 public consultation by the US Patent and Trademark Office on how IP laws can promote innovation in artificial intelligence received mixed responses about the efficacy of sui generis database rights. Trade secret rights, protecting information that derives commercial value from being kept secret, enable a business to be first-to-market or offer better, faster, or lower-priced goods or services than its rivals. Trade secrets may include raw and processed data derived from collection, observation, measurement, testing, study or survey, formulas, processes, algorithms, productivity tools and methods, and sensitive internal corporate information. Trade secret rights protect firms that invest in research and development, driving digital innovation in market economies. Trademark and geographic indication laws also aim to prevent unfair competition by protecting against counterfeits or inferior imitations. Competition is generally discussed in the Competition Briefing Note.

Within the digital economy, trade secret rights have emerged as a key tool to protect valuable unpublished data. Supply-chain counterparties can, without forfeiting IP protection, share trade secrets in confidence domestically and across borders in the 164 TRIPS contracting states that protect them. A 2014 OECD study of 37 developed and developing countries from 1985 to 2010 found a positive and statistically significant relationship between a country’s trade secret protections and economic performance in innovation, international technology transfer, and access to technology-intensive inputs and related products.

Policymakers are re-examining the adequacy of their trade secret protections for the digital economy. Trade secret laws were updated by the European Union and United States in 2016, Japan in 2018, and China in 2019. These trade secret law updates reflect a significant shift of business attention toward data as a key asset in an information economy and recognition by governments that efficient and effective sharing of commercial secrets requires robust legal frameworks to enforce confidentiality undertakings.

The World Intellectual Property Organization (WIPO) unites 193 countries in a global forum for IP services, policy, information, and cooperation to achieve a balanced and effective IP framework. IP rights are recognized at the national level and owners must register their rights (or take other necessary legal steps to ensure their rights will be recognized) in all relevant countries. WIPO administers treaties that harmonize and streamline multinational patent, copyright, and trademark registrations. IP owners rely on national enforcement to protect against license breaches, counterfeiting, and piracy. Restrictions on unlawful cross-border data flows form part of the international IP framework intended to contribute to global innovation and lawful knowledge sharing.

IP owners may license use by others, with or without geographic or other limitations, facilitating global division of supply chain roles. For example, a video copyright owner may restrict where a licensee may view or permit viewing of licensed content. Similarly, a licensor of machine-readable software code (protected by copyright) may charge licensees based on the number of permitted users and place of use and may elect not to disclose human-readable software code (protected as trade secrets).

IP owners have broad discretion over global distribution and use of their know-how and content. In October 2020, biotech firm Moderna publicly committed not to enforce its mRNA patents against those making vaccines intended to combat COVID-19 and, after the pandemic ends, to license its mRNA patents to others. Responding to this offer, Afrigen Biologics of South Africa has successfully produced its own mRNA vaccine using Moderna technology. In January 2022, Canadian recording artist Neil Young required Sweden-based Spotify, the world’s largest music streaming service, to remove his music from its global platform to protest Spotify’s decision to carry podcasts by comedian Joe Rogan, who had been accused of promoting COVID-19 vaccine misinformation.

Growth in IP volumes offers one measure of growth in innovation, with trade secrets and patents serving as key measures of digital economy impact. The value or volume of trade secrets cannot easily be measured, but WIPO closely tracks patent applications. 15.9 million patents were in force across 135 jurisdictions in 2020, a 5.9% increase from 2019. In 2020, the five countries with the most patents in force were the United States (3.3 million), China (3.1 million), Japan (2 million), South Korea (1.1 million), and Germany (800,000). In 2020, innovators filed 3.3 million patent applications globally, including 1.5 million in China. Total global applications for unique inventions doubled from 2010 to 2018, reaching 2.1 million. Computer technology was the subject of the most patent applications from 2017 to 2019 in China, the United Kingdom, and the United States, and globally in 2019, with 284,146 published applications. Among large middle-income countries, applicants from India and Mexico filed most heavily in pharmaceuticals, applicants from Brazil in other special machines, and applicants from Turkey in transport. The most African patent applications in 2020 originated in South Africa (915) and Cameroon (672).

Developing countries have long criticized the WIPO framework for enabling foreign firms to appropriate indigenous knowledge without fairly compensating local populations. The 1993 Biodiversity Convention and 2010 Nagoya Protocol recognize indigenous rights in traditional knowledge and seek reciprocity for sharing. The 1994 Marrakesh Agreement establishing the World Trade Organization (WTO)⁴⁹ and the 2001 Doha Declaration address trade-related conflicts. Developing countries now control indigenous knowledge within their borders and are becoming more vigilant in policing its overseas use. In 2009, India put its indigenous medicinal knowledge in the public domain, publishing 200,000 formulas for open use, effectively preventing foreign firms from obtaining patents. Peru recognizes sui generis IP rights in indigenous knowledge and actively protects those rights by challenging and invalidating foreign patents. In 2020, Mexico conferred on native communities copyrights in collective works derived from popular culture and traditional indigenous designs, and, in 2021, established fines and imprisonment as penalties for violations. Efforts continue to foster equitable global sharing of indigenous knowledge, which, if preserved and digitized, could help address climate change, disease, and declining biodiversity.

Protecting personal data and privacy

Governments enact data protection laws to provide privacy and consumer protections for their citizens, known as data subjects, whose personal data is collected by data controllers (which determine the purpose of and means for processing personal data) or processed by data processors (which process personal data at the direction of or on behalf of a controller) [see Data Protection Briefing Paper]. 128 countries have adopted data protection or privacy laws. A compilation of personal data from multiple data subjects comprises a complex array of overlapping and adjacent rights. For example, a data controller may have IP rights with respect to a database, while individual data subjects may have data protection or privacy rights with respect to personal data related to them.

Unlike IP law, data protection currently has no governing global treaty to harmonize national approaches. The 2018 EU General Data Protection Regulation (GDPR), replacing the 1995 Data Protection Directive, has in practice become an international model due to the EU’s importance in open global markets. The GDPR focuses on providing data subjects (the individuals to whom personal data relates) informed choice over the collection and processing of personal data about them. However, GDPR and many other data protection laws do not afford individuals full ownership or control over personal data about them. These laws impose some obligations on data controllers and processors that override the choice of the data subject while enumerating contexts in which data protection rules may not apply at all.

Many data protection regimes apply to cross-border flows. GDPR applies to (1) foreign processing by EU data controllers; and (2) certain processing by foreign data controllers or processors related to EU data subjects. GDPR prohibits restrictions on lawful data flows within the European Union but not on outward flows. Affirming the benefits of global trade and cooperation, GDPR allows outward data flows consistent with EU protections, expressly permitting transfers to a third country that ensures adequate protection, as determined by the Commission. Personal data may also be transmitted outside the EU if a data controller or processor provides appropriate safeguards. Appropriate safeguards include:

binding corporate rules (BCR) for transfers within a corporate group or joint venture within which the data may circulate;
standard contract clauses (SCCs), approved by the Commission or national supervisory authority, to be entered into between the parties sending and receiving the data; or
certification under an approved mechanism.

At least 14 countries – Argentina, Armenia, Bahrain, Barbados, Brazil, Colombia, Georgia, Israel, Malaysia, Peru, South Africa, Switzerland, Turkey, and Ukraine – have largely followed GDPR in regulating cross-border data flows. Others are more stringent. For example, Algeria and Morocco require prior regulatory approval to ensure the other state provides sufficient legal protection.

Some countries, such as Rwanda, require all personal data to be stored domestically (data localization) unless the supervisory authority permits the data controller or processor to store it outside Rwanda. China allows some outward transfers but requires those processing large amounts to store personal data locally unless they pass a government security assessment. These growing data localization requirements restrict personal data flows across some borders but not others based on origin and destination and contribute to Internet fragmentation.

Absent a multilateral approach, GDPR-based approaches require every country to determine the suitability of cross-border flows to and from every other country. If 194 countries adopted this approach (with 28 EU countries acting as one bloc), over 14,000 bilateral determinations would be required. By January 2022 – a quarter-century after the original Data Protection Directive and four years after GDPR – the European Commission had recognized only 14 jurisdictions as providing adequate protection: Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, South Korea, Switzerland, the United Kingdom, and Uruguay.

Some regional data protection initiatives have emerged, but none addresses the government-to-government trust issues highlighted by the European Court of Justice (ECJ) in Schrems (see box). The 21-member Asia-Pacific Economic Cooperation forum (APEC) developed a Cross-Border Privacy Rules (CBPR) system, with nine participating countries: Australia, Canada, Japan, Mexico, the Philippines, Singapore, South Korea, Taiwan, and the United States. The approach involves self-certification by businesses based on agreed privacy standards, but it does not require public authorities to meet any minimum standard. In January 2021, the Association of Southeast Asian Nations (ASEAN) endorsed a data management framework that includes cross-border data flows as a strategic priority. The African Union Convention on Cyber Security and Personal Data Protection, which has not yet come into force, would set data protection standards but not establish an open internal market among member countries as in Europe, leaving national authorities with sole discretion over cross-border transfers.

In terms of addressing government-to-government trust issues, the OECD Committee on Digital Economy Policy announced in December 2020 plans to convene a drafting group comprising government representatives and experts to examine the possibility of developing an instrument setting out high-level principles or policy guidance for trusted government access to personal data held by the private sector. No outputs from this drafting group have yet been reported. In December 2021, the OECD also published a policy “toolkit” intended to support efforts to achieve greater cross-border interoperability of national privacy and data protection frameworks. Today, international approaches to data protection remain largely fragmented, are not harmonized, and are ineffective.

Developing countries seeking to benefit from the opportunities offered by cross-border flows will need to participate in efforts to simplify and harmonize approaches to such initiatives.

Schrems and the EU-US Safe Harbor
Despite measures to enable cross-border data flows, challenges encountered by the European Union and United States expose inherent barriers absent mutual trust. Under the 1995 Data Protection Directive, the European Commission in July 2000 approved the adequacy of the EU-US Safe Harbor Framework allowing US firms to self-certify compliance with the US Department of Commerce privacy principles.

In 2013, Maximillian Schrems, who lived in Austria, sued the Irish Data Protection Commissioner to bar Facebook Ireland from processing personal data on US servers. On referral from the Irish High Court, the European Court of Justice (ECJ) declared the Commission’s adequacy decision invalid in October 2015. The ECJ found that the safe harbor did not bind US public authorities, whose access to personal data was not strictly limited to what was necessary or proportionate for national security. The ECJ held that this violated the privacy and personal data protection rights of EU citizens.

Again acting under the Directive, the European Commission in July 2016 approved the adequacy of the EU-US Privacy Shield, which built on the Safe Harbor privacy principles, with a US Government undertaking to set up an oversight ombudsperson independent of the intelligence community.

On another referral from the Irish High Court in the ongoing Schrems litigation, the ECJ in July 2020 applied GDPR provisions to invalidate the Commission’s adequacy decision. The ECJ found that Privacy Shield did not adequately protect EU citizens’ privacy from data processing by US public authorities and the ombudsperson scheme did not guarantee an effective remedy or fair trial. The ECJ also cast doubt on whether standard contract clauses could provide appropriate safeguards.

Ensuring national security and public safety

Government concerns over national security and public safety have led to extensive restrictions on outward technology transfers. For over 70 years, governments have restricted weapons technology transfers to hostile actors. Some 28 non-proliferation treaties are now in force. Four multilateral non-proliferation frameworks also subsist. Strict adherence means limiting outward transfers of dual-use technology, i.e., technology that can be used for both peaceful and military applications. Export controls on technology can harm potential recipient countries in the near term and the restricting country’s economic competitiveness in the long term.

Governments are also concerned about international cybersecurity – preventing hostile foreign actors from intercepting or compromising valuable data or using international communications channels to perpetrate terrorism and crime. Cybersecurity is discussed generally in [Cybersecurity Briefing Paper]. In 2020, financial gain was the primary cyberattack motive, and criminal organizations were behind 80% of attacks. Typical government responses are to strengthen local criminal laws and law enforcement capability, improve international cooperation, establish Computer Emergency Response Teams (CERTs), and educate businesses and citizens. Among international efforts is the Financial Action Task Force to combat money laundering and terrorist finance by helping national authorities trace fund flows. Its 37 member countries include rapidly developing economies such as Argentina, China, India, Indonesia (observer), Mexico, Russia, South Africa, and Turkey. Although state actors perpetrate fewer than 10% of documented cyberattacks, governments are concerned about cybersecurity threats from state actors and state-sponsored or state-harbored private actors. Canada’s government considers nation-states the most sophisticated threat actors, with dedicated resources and personnel, extensive planning and coordination, and working relationships with private actors and criminals. US experts say the line between nation-state and criminal actors is blurring, as nation-states harbour and rely on criminal proxies to project power. There is growing concern over the theft of trade secrets by foreign actors who access data in the cloud and in networks. Some state actors engage in cybercrime to support weapons programs and other UN-sanctioned activities.

As part of their response, some governments now restrict routing and ownership of networks used for cross-border data transmission considered vulnerable to state-sponsored surveillance, interception, and disruption. National security concerns have also been cited to block equipment and installation suppliers.

Concern about foreign state actors is also the primary justification offered by the European Union, China, and a growing list of countries for data localization requirements that restrict outward flows of personal data. In Schrems (see box), the ECJ focused on the risk of US national security agencies processing EU citizen data. China’s 2021 Data Security Law prohibits the transfer of Chinese personal data to foreign judicial or enforcement authorities without government approval. The logical extension of such measures is to restrict domestic data processing by foreign-owned firms, especially as some countries extend the reach of their intelligence and law enforcement agencies to personal data held in other countries. For example, difficulties encountered by the US Government in 2013 using a search warrant to obtain access to data held by Microsoft in a data center in Ireland led to changes in US law in 2018 requiring US data providers to disclose overseas data within their control. France’s cybersecurity chief has since advocated for Europe to exclude US cloud providers – Google, Amazon, Facebook, Apple, and Microsoft – from handling sensitive personal data. Even where such measures are in place, however, state-sponsored espionage can employ spyware to clandestinely reach across borders and capture data.

The Russian invasion of Ukraine in February 2022 led to the stiffest international sanctions and restrictions on cross-border data flows ever imposed. These included EU exclusion of key Russian banks from the cross-border payment messaging system operated by the Society for Worldwide Interbank Financial Telecommunication (SWIFT) and voluntary cut-offs of Russia by private international payment networks such as American Express, Mastercard, and Visa. Still, by mid-March 2022, the European Union, United States, and other allies had not prohibited information services from making themselves accessible within Russia. Influenced in part by a desire to keep Russian citizens informed in the face of state media misinformation, information service providers such as Akamai (content caching), Amazon Web Services (cloud computing), Cloudflare (data centers), Facebook (social media), Telegram (messaging), Twitter (social media), and WhatsApp (messaging) continued to operate in Russia.

Regulating objectionable content

By its nature, the Internet permits access to vast volumes of online content from other countries. Some governments use technology extensively to filter what content may enter and leave the country. During the first month of the February 2022 invasion of Ukraine, Russia blocked over 270 foreign news and financial sites.

The Universal Declaration of Human Rights enshrines the right to freedom of opinion and expression without interference and the right to seek, receive, and impart information and ideas through any media and regardless of frontiers. This right is subject to limitations to secure due recognition and respect for rights and freedoms of others and to establish just requirements of morality, public order, and the general welfare in a democratic society.

Different governments have enacted varying degrees of Internet censorship in interpreting and implementing these limitations. At one end of the spectrum, the United States and others impose few restrictions on online speech. At the other end, China, Eritrea, North Korea, Saudi Arabia, Turkmenistan, and others strictly limit speech. In the middle are countries like Papua New Guinea, which prohibits the publication of objectionable content, which it defines to include content that promotes or incites terrorism or offensively portrays sex, drug use, crime, cruelty, blasphemy, immorality, violence, or revolting or abhorrent phenomena.

Pursuing national industrial and fiscal policy

Some governments are exploring ways to regulate cross-border data activities in pursuit of national industrial and fiscal policy.

India, among other developing countries, has adopted a data localization policy that is currently reflected in a series of sector-specific laws and regulations and may soon be more broadly included in pending data protection legislation, first proposed in 2019 and likely to become law in 2022. One rationale offered for the requirement is to generate economic growth and employment opportunities by increasing the likelihood that value-adding data processing occurs within India rather than the country merely supplying raw data to global platforms. A 2021 quantitative assessment of the bill’s likely impact under various scenarios found that a localization framework involving local data storage and global processing would best enable the envisioned economic growth, but the overall GDP impact was unclear if local data storage equipment needed to be imported. A 2014 economic simulation suggested that the impact on India’s GDP might in fact be negative.

In the same vein, the European Union has begun to express its desire for digital sovereignty – to become less dependent on US and Chinese technology firms. The notion has various objectives, according to the European Council. A central objective is to build a digital single market. Another is to reinforce Europe’s ability to define its own rules, make autonomous technological choices, and develop and deploy strategic digital capacities and infrastructure, while safeguarding its values, fundamental rights, security, and social balance. The EU also seeks to leverage its tools and regulatory powers to help shape global rules and standards, remaining open only to firms complying with EU rules and standards.

Data localization also has fiscal implications, making it easier for national revenue authorities operating under traditional tax regimes based on physical presence to tax data processing services provided by foreign firms. However, the international digital services tax framework, approved by 136 countries in October 2021, may help to close the tax gap without the disadvantages of data localization by re-allocating some taxing rights over larger multinational enterprises from their home countries to markets where they have digital business activities and earn profits.

+ 5. Developing an international data governance framework

The current global data governance framework is fractured and inefficient (with the exception of the WIPO intellectual property framework), reflecting deep fissures in trust and inherent differences in approach among both allied and non-allied nations.

Cross-border data flows have traditionally been addressed in trade agreements. WIPO and the WTO thus offer established fora for improving data governance in the trade context. But this has so far been insufficient. WIPO’s mission is limited to intellectual property, while WTO has lost influence due to increasing trade protectionism, criticism that the TRIPS patent provisions limit access to medicines in developing countries, and the reemergence of competing bilateral and multilateral trade blocs.

In its 2021 World Development Report, the World Bank called on governments to forge new domestic social contracts for data and cooperate internationally in harmonizing and coordinating data governance. At the World Economic Forum 2019 annual meeting, Japan’s Prime Minister invited leaders to build an international order for Data Free Flow with Trust (DFFT). Leaders at the 2020 annual meeting provided multistakeholder input on global data governance processes needed to realize the benefits of increased crossborder data flows. The World Economic Forum has recently published a white paper with the following five key groups of recommendations:

Governments should establish personal data protection and trusted mechanisms for cross-border transfer;
Governments should refrain from restricting non-personal information and machine-to-machine data, and they should cooperate on the development and implementation of legislation on governmental access to digital information abroad for law enforcement;
Stakeholders should engage in market-led technical standardization;
Governments should pursue international trade negotiations on various matters relating to data; and
Developed economy governments, businesses, and international organizations should provide technical assistance to developing countries to develop high standards for data protection, ensuring the costs do not impede micro, small, and medium enterprises from participating in global trade.

Meanwhile, developing country policymakers cannot forge the necessary international cooperation alone, but they can focus on their domestic data frameworks, as suggested by the World Bank. They can also participate in relevant international efforts. For instance, eTrade for All seeks to inform developing countries of the opportunities for digital trade and access to technical assistance. Countries can set their sights on economic opportunities relating to cross-border data by embracing international standards, as Mauritius has done by enacting robust data protection legislation and signing the Council of Europe’s Convention 108+ for the Protection of Individuals with Regard to the Processing of Personal Data. In Asia, the APEC CBPR system provides a framework for participating countries to enable cross-border data flows, including in the context of digital trade. The African Continental Free Trade Agreement negotiations underway under the auspices of the African Union also include a component on digital trade.

+ 6. Emerging topics

Web3 (or Web 3.0) is a concept for a new iteration of the World Wide Web based on blockchain technology. It would decentralize the Internet and afford users greater ability to participate in the governance and operation of the protocols governing their user experience, both as sources and recipients of data. Some believe Web3 could improve data security, scalability, and privacy beyond what is currently possible with Web 2.0 platforms. Some have identified risks with the self-governance, such as vulnerability to hacking of smart contracts, cryptojacking, lack of regulatory best practices, questions about the quality and policing of information, manipulation of data in Web3 apps, and risks to mobile wallets including loss of funds. At present, Web3 is currently limited to niche applications for cryptocurrencies.