Cross-Border Data Policy: Opportunities and Challenges

Internet governance refers to the norms, rules, and technologies that govern the working of the Internet internationally. China advocates for a state-controlled Internet, including at the International Telecommunication Union and other forums it supports, such as the China-hosted World Internet Conference (Segal 2020; Eichensehr 2014). China’s limits on allowing free flow of data across borders means it largely avoids making any commitments on these issues in its trade agreements. It has also opposed language on these issues at the G20 and elsewhere.

The United States advocates for a multi-stakeholder-based approach to the Internet that is based on a voluntary, industry-based, and bottom-up standards process, which pushes back against government efforts to dictate how the global internet should work. It advocates for this approach at the ITU, the Internet Corporation for Assigned Names and Numbers (ICAAN, responsible for coordinating databases related to the namespaces of the Internet), and the Internet Governance Forum (Yang 2019). The United States also pursues new trade rules to support data flows and digital trade in bilateral, regional, and multilateral forums and agreements, such as the United States–Mexico–Canada trade agreement. The United States’ global digital economic policies are often fused with broader efforts to support human rights, like freedom of speech, on the Internet.

At the heart of the EU’s international strategy is the push for other countries to also adopt the precautionary principle and to harmonize their data privacy laws to its General Data Protection Regulation (GDPR). GDPR imposes a general prohibition on transfers of EU personal data to only a small group of foreign countries (mainly former colonies) it has determined provide an “adequate” level of protection equal to data protection at home (Atkinson 2015). The EU also supports certain policies that it wants applied to global Internet, such as the impact that GDPR has had on certain ICANN functions (such as identifying domain name holders for criminal investigations and other purposes) and the “right to be forgotten” (which allows a person to have private information removed from Internet searches and other directories, which the EU wants applied not just domestically, but to the global Internet). Overall, the EU tends to support the multi-stakeholder approach to other global Internet issues, but where these conflict with its own laws, it is willing to undermine global cooperation to enact its own (conflicting) approach.

Data governance is the most prominent global conflict within Internet policy. This involves data privacy and protection, portability and sharing, cybersecurity, and government access to data (whether for law enforcement investigations, national security, or political purposes). However, AI governance is also fast emerging as a growing flashpoint. This involves debates about AI development, ethics, and accuracy and explainability.

China’s domestic data governance is based on the goal of “cyber sovereignty.” China’s commercial data privacy framework is evolving and rebalancing from a largely laissez faire approach to how firms use data by adding greater consumer protection (Shi 2020). China requires a range of data to only be stored locally and for the government to have wide ranging access and control over it and the broader digital economy.² While the desire for government access to data can make sense, China can achieve this goal by requiring copies of data to be maintained in China, while still allowing data “exports.” China also has pursued an active “digital industrial policy” to support growing digital economy firms. However, this has usually meant that Chinese firms have benefited more than foreign digital firms. Some of the world’s leading digital firms, including many from the United States, are banned or blocked in China (Cory 2020). While China’s approach to AI ethics/governance is still at a very early stage, it is heading in a similar direction, given its focus on self-sufficiency (Laskai and Webster 2019).

The United States is focused on a light-touch approach to Internet regulations, such as privacy and AI. From the Clinton administration Internet governance principles crafted by Ira Magaziner, to efforts by the Trump White House supporting a light-touch approach to AI regulation, the US government has generally avoided innovation-harming regulatory regimes and sought to convince other nations of the wisdom of this approach (Thierer 2012).

The EU has embraced the “precautionary principle” where new innovations are approached from a “glass half empty” view, with the urgent need to form a commission of experts—largely academics and “civil society” representatives with little connection to actual R&D and commerce—to study the innovation and how it could be harmful (Kop 2020). The dominant narrative in Brussels is that the strict regulation of privacy, AI, and other emerging technologies is required in order to boost consumer trust, which in turn will give EU firms a leg up over their American and Chinese competitors (McQuinn and Castro). The EU’s emerging AI governance framework is applying a similarly restrictive and protectionist approach in favoring local (over foreign) AI and standards.

The EU’s all-consuming fears about government surveillance—following the European Court of Justice decisions in Schrems I and II—means that its evolving data governance framework makes it increasingly difficult to transfer EU personal data outside the region, which acts as a barrier to trade for foreign firms (Cory et al. 2020). The EU singles out the United States for actions that it does not even restrict among its own member states (in terms of surveillance and government access to data). However, recent data and AI-related policies show that this is expanding to include firms from China and other countries. In the context of foreign AI developed by foreign firms (especially China), Commissioner for the Internal Market, Thierry Breton, said firms that develop and use AI could be forced to “retrain algorithms locally in Europe with European data,” adding that, “We could be ready to do this if we believe it is appropriate for our needs and our security.” Mobike and TikTok have already attracted greater regulatory scrutiny. This will likely continue as Chinese tech firms and their products become more prominent in Europe and elsewhere around the world.

The conflict over online content moderation and censorship is essentially a proxy for the broader conflict over the role of government and human rights in the digital economy. How countries define what content is legal and illegal online and assign legal responsibility (or protection from liability) to Internet platforms and other intermediaries is changing around the world. This is a massive challenge: every minute, more than 500 hours of video are uploaded to YouTube, 350,000 tweets are sent, and 510,000 comments are posted on Facebook (Karanicolas 2020). Yet, how countries go about making their respective approaches as clear, predictable, and as targeted as possible is necessary. This is due to the growing role that digital (creative) content creators and Internet platforms and intermediaries play in global trade and innovation.

Many countries are trying to address a range of legitimate issues, such as hate speech, disinformation, copyright infringing material, child pornography, terrorism-related material, and other issues (Liang and Lu 2012). But beyond efforts to address specific types of content, many democratic nations share a concern about countries like China that remove or block access to content for political purposes (Rayburn and Conrad 2014; Zittrain and Edelman 2003). Conflicts arise as the global nature of the Internet means that content that is legal in one country can be illegal in another. For example, content that is considered hate speech in Germany or is considered politically sensitive in China or Vietnam would be protected as free speech in Australia, the United States and many other countries.

The clearest conflict between the United States and China is over free speech and political censorship. The United States advocates an open internet where nearly all content on the Internet is available to citizens, because of the belief in the ultimate democratizing and empowering force of information. The United States has also created a legal framework that provides legal liability protection for Internet-based intermediaries if they take reasonable steps to remove illegal content, such as via the Digital Millennium Copyright Act and Section 230 of the Communications Decency Act. However, the debate in the United States (and internationally) is often about where to draw the lines around legal and illegal content online. This dialogue is distorted as many cyberlibertarians and open Internet advocates misguidedly equate any efforts to address, block, or remove illegal content online as censorship.

While both the United States and China block content that they deem illegal, the definition of that content is much broader in China. The ‘Great Firewall’ of China blocks thousands of foreign websites and limits domestic content (Griffiths 2019). Even though political and social concerns may be a central motivation, some have argued that China’s internet censorship has served its economic ends in blocking foreign platforms and digital goods.³

Government access to data—both law enforcement and surveillance-related—is emerging as a major point of conflict.

Countries have used the specter of foreign government surveillance—both real and imagined—to justify restrictions on data and international data flows.⁴ Policymakers fear that data is being accessed directly through a firm’s in-country facilities or indirectly via extraterritorial requests for data or operations that target data transferred and stored overseas.

The 2013 Snowden disclosures about US surveillance were the initial catalyst for policy changes around the world, especially in China and Europe. (In 2013 Edward Snowden leaked a vast amount of secret data from the US National Security Agency). The irony is that many of the same Western and democratic countries that denounced US surveillance on the behalf of their citizens, have enacted their own surveillance regimes (Cate and Dempsey 2017). Furthermore, the debate on national security and data flows is often misleading and disingenuous, as countries use national security in a broad and vague manner to enact restrictions on a growing range of data and digital services that are largely commercial, and not directly tied to national security.

Some countries have used the fear of foreign government surveillance to enact restrictive data governance systems that help them control data for political and social ends, which at times means cutting themselves off from the global Internet. China’s broad use of national security permeates its data governance, cybersecurity, and related laws.⁵ The vague and sweeping nature of Chinese law, combined with the lack of legal checks and balances, gives China the capability to pursue a broad range of data, but it is unclear as to what extent it actually uses this power.

Government concerns over cross-border access to data for law enforcement investigations is another emerging point of conflict. As the threat of global cybercrime rises, there is an increasing need for a better process to manage cross-border requests for data. Yet, cross-border digital law enforcement cooperation is complicated. Requests can involve data that implicates multiple stakeholders, people, and jurisdictions. This may cover the nationalities of the individuals or organizations that own the data, the service providers storing the data, the individuals or organizations accessing the data and, if the data contains personally identifiable information (PII), the individuals described in the data. In today’s digital world, it is not hard to see how criminal investigations in one country may involve an email stored in another country and a bank account in yet another.

There are significant differences in how different countries’ legal systems facilitate data sharing for law enforcement purposes. Existing legal tools (such as mutual legal assistance treaties) are out-of-date and slow, yet new tools are emerging, such as the US’s CLOUD Act agreements (which will make the process much more efficient, while keeping legal safeguards in place) (McQuinn and Castro 2017). Rather than seeking to improve domestic and international legal frameworks to improve cross-border law enforcement cooperation, some policymakers in Brazil, China, India and elsewhere have supported data localization as they think it is the only way to get local and foreign firms to respond to requests for data from law enforcement and other agencies. This stems from the mistaken belief that firms can avoid oversight and requests for data by simply transferring data out of the country.

Countries need to recognize that when it comes to policies about how the Internet is used, there can be differences among nations. Figure 1 offers a four-cell typology of issues where there can and cannot be consensus and policy issues that involve public benefits and public harms. An example of a policy that can be based on consensus, and involves harms, is restricting child pornography. Every nation agrees with this goal. The clearest example of a universal good, and thus the need for universal rules, pertains to frameworks on core Internet architecture and protocols, as the Internet needs commonly shared global standards. A multi-stakeholder approach to maintaining this goal is desirable, as debates and disagreements over the technical architecture and protocols of the Internet can only be resolved with stakeholder consensus. Because there is a presumed global consensus on trade—as evidenced by membership in the World Trade Organization—there should, at least in theory, be able to be a consensus on digital trade issues.

A diagram explains the typology with an example of policy based on consensus and no consensus. Universal goods and Universal Bads are under consensus, while local goods and Bads are under no consensus.

In contrast, issues of data privacy involve a local good, and will be difficult to generate global consensus. Likewise, Internet content moderation is usually a local bad (blocking harmful or objectionable content), but there is unlikely to be consensus among countries (besides on specific content, like child pornography) on what content should be blocked. However, policymakers can still agree that whatever framework a country adopts does not act as a barrier to trade.

A central challenge is that many countries associate data governance with political and social control. Therefore, these countries will oppose global efforts to harmonize rules on data privacy (such as the EU’sGDPR). Given the current values-based approach to global Internet policy, these countries are likely to be intractable in coming up with principles and mechanisms that allow robust encryption, privacy, and content moderation and related issues. Every nation needs to recognize that not every country it deals with on the global digital economy will share its values. This is a distinction that policymakers already acknowledge offline with traditional trade.

Ultimately, policymakers need to recognize the critical policy distinction—between policies with global consensus and those without. In many cases, this consensus will (at best) be widespread but not unanimous. Given this reality, it is better that a consensus-based approach be ambitious, but pragmatic, in seeking shared principles and agreements among a like-minded group of countries that represent a substantial part of the global economy and value a mostly open, rules-based global digital economy (see Fig. 1) (Castro and Atkinson 2014).

Perhaps the most challenging global internet policy issue relates to cross-border data flows. Rather than tell firms where they can store or process data, policymakers should hold firms that have legal nexus within their borders accountable for managing data they collect, regardless of where they store or process it. This expectation could be made clear in law by declaring that companies doing business in a country are legally responsible for any failures to manage data from that country, regardless of whether those failures are the fault of the firm in that country or abroad, or an affiliate or business partner in that country or abroad. In other words, a country’s data-protection rules would travel with the data. The accountability principle is based on the fact that modern technology, especially the Internet and cloud data storage, means that each country’s domestic regulatory regime for data (such as for privacy) needs to be globally interoperable given that each country faces the same challenge in applying its laws to firms that may transfer data between jurisdictions. Interoperable privacy frameworks are the international extension of this accountability-based approach such that data is still able to flow between different privacy regimes, and countries data protection rules flow with it.

Interoperability is already at the heart of many countries’ data privacy frameworks and at global discussions on data privacy, such as at the OECDand the Asia-Pacific Economic Cooperation’s Cross-Border Privacy Rules system.⁶ As per ITIF’s typology, interoperability is fighting to be the global consensus, as it is a mutually acceptable and beneficial principle to countries, regardless of their political system, their approach to data privacy, or level of development (as opposed to the disadvantages of harmonization and localization). Such an interoperable system would focus on “global protections through local accountability.”

While the EU’s data protection rules have gained some global traction over the past year (in its efforts to push for a global, harmonized approach to data privacy), there is no reason to suspect that in the future another country or region might not put forth competing rules. For example, imagine if China created its own set of data protection rules and declared that any country wanting to do business in China must have identical data protection laws. Such a scenario would potentially force countries to choose one privacy regime or another. Such a clear divergence would simply deepen the splinternet. This is why it is unrealistic and impractical to demand universal rules on privacy. A better option would be to create an interoperable, accountability-based system that works for all countries and the various ways they enact data privacy and protection.

Many nations and regions, especially Europe, are pushing for a regime of global AI regulation, rightly understanding that not all AI systems will comport with EU values or laws.⁷ And while global efforts to develop and implement AI governance principles (such as that AI systems should minimize undesirable AI bias) are useful and warranted, going further and codifying these into some kind of international legal agreements would be not only difficult to do, but also likely harmful to innovation. It would be difficult to do because just like privacy, it is unlikely that all nations will agree to a single standard. It would be potentially harmful because it is likely that the most restrictive rules would be put in place, limiting the ability of digital and AI developers to innovate.

Just as nations now have the right to regulate the safety of material products (such as cars, food, pharmaceutical drugs) and limit imports that do not meet these standards, they have the same right to do the same with digital products, including ones with AI in them. There is no global standard on genetically modified organisms (GMOs), for example, which is a good thing because it means that countries that take a science-based approach to GMO-based crops, are able to produce and sell to other like-minded nations. While there is no single, harmonized approach to regulating these and other trade-related issues, countries have shown that they can agree upon shared principles and processes in how they regulate these issues so that they share commonalities and that a country’s system is generally interoperable with those in other countries. For example, the World Trade Organization’s core principles of non-discrimination, most-favored-nation, and transparency and the OECD’s privacy principles.⁸ These shared principles help ensure countries can address legitimate public policy objectives, but in a way that ensure that domestic regulation is not used as a de facto trade barrier. For digital issues, this would mean that countries could pursue different domestic policy regulatory regimes that are interoperable and supporting digital trade as they form part of an integrated global digital economy.

It is critical to recognize that countries can have conflicting rules and regulations regarding values-related digital content (in terms of how each country determines what is and is not illegal online). Countries that are realistic about the task of building a broad rules-based global digital economy need to accept (even if they do not necessarily like) the fact that some countries censor information on the Internet for political and social purposes. Indonesia blocks websites and apps for displaying “harmful” material, such as pornography, terrorism-related material, or that related to the lesbian, gay, bisexual, and transgender community (Davies and Silviana). The EU does not have the same commitment to freedom of speech as the United States does. For example, online access to Mein Kampf is blocked in Germany, but not in the United States. Any global solution imposed on either country would violate key principles and values. Policymakers and advocates also need to recognize that the practice of authoritarian nations to limit access to certain websites and web pages does not constitute the breaking of the internet. The architecture is still the same and enables cross-border communication, just not all of it.

This principle is also based on the central recognition that not all website blocking constitutes a threat to the open internet. When talking about a data-driven global digital economy, it is important to recognize that not all data flows should be treated the same, as some data flows are rightly illegal. For example, over 30 countries (including many democratic, rule-of-law countries) use website blocking to prevent access to websites engaged in large-scale copyright infringement, illegal gambling services, financial fraud, and child pornography (Cory 2018).

A pragmatic global digital economy strategy will require changes from everyone. The United States needs to move away from an idealist view of digital international relations to a realpolitik one, which is focused more on protecting key economic interests rather than acting as a global ambassador of complete and unfettered Internet openness. Countries do and will continue to take differing approaches to moderating and blocking content online. Countries should develop clear, predictable, and non-discriminatory legal and administrative frameworks for all firms—both foreign and domestic—to use so that they know what online content is and is not illegal.