Understanding the Role of the WTO in International Data Flows: Taking the Liberalization or the Regulatory Autonomy Path?

Understanding the Role of the WTO in International Data Flows: Taking the Liberalization or the... Abstract Recent years have witnessed a surge in discussions relating to data and data flow in trade fora. This was predictable given the importance of data for trade in the digital economy, especially e-commerce. However, there is a major discord between WTO members on issues relating to data flows and data localization. This article sets out to understand how data flows across borders and the types of trade restrictive data localization measures members use. The analysis of various restrictions on data flows imposed by states reflects the different objectives behind them, targeting all or specific types of data. Such regulations potentially violate existing WTO commitments. The article concludes with a call for issuing a multilateral amendment of existing norms, and undertaking a data differentiated approach to resolve the deadlock at the WTO. Data is the basic unit enabling the functioning of the digital economy, often referred as the ‘oil of the twenty-first century’ or ‘currency for the digital economy’. Innovation with respect to data, its movement, analysis, and usage has caused the digital economy to develop and become a self-standing economy by itself, in addition to being a key facilitator for other sectors. In recent years, e-commerce has emerged as perhaps the most pressing issue in the multilateral trading system. While most states recognize the tremendous potential of e-commerce for development, many are skeptical to undertake any commitments or even clarify the applicability of existing WTO norms. The most controversial feature of this debate, not surprisingly, relates to data and data flows. E-commerce, defined by the WTO as the ‘production, distribution, marketing, sale or delivery of goods and services by electronic means’,1 hinges on the efficient movement of data, and arguably all other aspects of it are similar to other conventional trade in goods and services. Given that cross-border data flows lie at the core of any international e-commerce transaction, data has an intrinsic trade dimension. A classic example of this is the ‘app economy’, which has disrupted traditional transaction means in several industries, like international money transfer (PayPal), transportation (Uber), tourism (AirBnB, Bookings.com), travel ticket purchase (Expedia), entertainment (Netflix), and so on. The ‘app economy’ is operational through movement of data facilitated by access to cloud-based distributed data processing.2 This economy is solely dependent on the movement of data, which permits the consumer, the app provider, and the seller to be physically located in different geographical locations, so long as there is movement of data between them. On the other hand, the ‘app economy’ also helps in understanding the importance of cross-border data flows for the efficient functioning of businesses in the digital economy. For example, the simple transaction of payments for the purchase of a product on an e-commerce website using an application like PayPal requires a complex web of data flows between Paypal’s server, the customer’s device, the e-commerce website’s server and the seller’s device, all of which can be potentially located in different states where different rules on data flows may be applicable. Restrictions on data flows at any one stage imposed by one of the several states through which the data is flowing can disrupt, hinder or raise the cost of the entire transaction. The nature of world trade has in recent years greatly changed, and more than ever before, is today characterized by globalization and decentralization of the production process facilitated by data flows.3 This has resulted in reduction in transaction costs through lesser investment requirements in extensive production (primarily for goods) and distribution or supply (primarily for services) networks.4 Lowered investment and transaction costs help businesses achieve economies of scale and boost their competitiveness. Technology has enabled the efficient and speedy transfer of massive volumes of data, and is predicted to continue expanding exponentially. Consequently, newer regulatory issues and challenges have also emerged, including invasion of privacy, mass scale commercialization of users’ data by technology companies, cyber-security threats, unequal development of digital infrastructure and capacity, and several other concerns. Within their domestic and regional regulatory mechanisms, states have adopted different approaches to address these concerns. In so doing, the risk arises of seeing a balkanization of cyber space by hindering data flows. The first section of this article defines key terms crucial for clarifying the problems at stake, demonstrating the stages of data flows to depict where and how data flows can be restricted, thereby resulting in data being localized. In the second section, the article explores the uncertain terrain of existing WTO norms to determine their suitability to twenty-first century digital economy era needs. It also provides a legal analysis to determine the WTO compatibility of some common data localization measures. In the third section, the article develops a normative framework for future rule-making. It does so by analysing the emerging political consensus (or lack thereof) on data flows as seen through submissions made by different members to the WTO. Finally, the article recommends an update of the WTO’s classification system to bring it in line with current trends in data driven trade. The article also develops a typology of data and proposes a data differentiated approach for undertaking commitments on trade-related aspects of data. I. DATA, ITS MOVEMENT ACROSS BORDERS, AND LOCALIZATION MEASURES While there exists widespread acknowledgement on the importance of data and its movement for e-commerce facilitation, there is a lack of clarity with respect to the meaning and understanding of the term ‘data’ itself. Often the terms ‘data’ and ‘information’ are used interchangeably. While several international and regional treaty instruments deal with different elements and types of data, none seem to have defined the term. Therefore, it becomes imperative to consider the ordinary, dictionary meaning of the term. The Oxford English Dictionary provides several definitions for the term, ‘data’. Some are technical and pertain to particular fields like scientific research and numerical information. For the field of computing, data has been defined as, ‘Quantities, characters, or symbols on which operations are performed by a computer, considered collectively.’5 However, the definition most suitable in the context of the digital economy and of data-related international trade law and policy is ‘information in digital form’.6 Consequently, ‘data flows’ would mean the ‘movement of information in digital form’. This movement is enabled through the technology of the Internet, which is central to e-commerce, and more broadly to the digital economy.7 These definitions of data and data flow as digital information and movement of digital information respectively are the meanings ascribed to the terms throughout this article. Data localization can be considered as ‘any legal limitation on the ability for data to move globally and to remain locally’.8 This ranges from de jure restrictions such as local data storage requirements which mandate that the physical storage of data must be in data centers within the local geographical territories of a state, or local content or production requirements; to de facto restrictions like privacy and data protection laws enacted with the objective of protecting the privacy of citizens. It is important to highlight here that data localization includes both the explicit prohibition of—and lesser restrictions on—the cross-border movement of data. A. Understanding how data moves across borders and how restrictions are imposed An enquiry into the different types of data-related restrictions requires first and foremost an analysis of the journey of data from the point of its creation to its final consumption. The journey of data can be compartmentalized into four distinct components, and it may travel across borders while moving from any one of these components to the other. Firstly, data always originates on a physical device, whether it is an email or a machine processed data. The data of any Internet-based platform or ecosystem is created and stored on a server, which is a particular type of computing device that is directly connected to the internet through ICT infrastructure.9 Once it is created, at the second stage, data flows online through the mechanism of the internet, in smaller units known as ‘packets’. Internet facilities are provided to any user/consumer by internet service providers (ISPs), using wired or wireless ICT equipment. Data moving from one ISP network to another is transferred at ‘internet exchange points’ through a process known as ‘peering’. To enable data flows, at the third stage, the data is required to be physically stored in servers located in computational facilities called ‘data centres’ (even in cloud computing, the data is always stored on a physical server located somewhere). Internet exchange points are often in the same physical locations that possess data storage and processing facilities, that is, data centers. Larger Internet companies like Google and Facebook have their own data centers around the world, while smaller companies mostly use third-party owned and operated data centers.10 Finally, the data travels from the data centre through ISPs onto the consumer or end-user’s device. Efficiency of this four-step flow of data depends on superior ICT infrastructure. Companies that are intensive users of data are most likely to be based in countries having good digital infrastructure (for an analysis on the ICT infrastructure problem in developing countries see the Tavengerwei paper).11 A mix of various factors such as the number of broadband and internet subscriptions, ease of absorption of new technology, availability of capital and so on contribute to a good digital infrastructure. Consequently, countries having a good digital infrastructure can export data and trade with respect to data intensive sectors, irrespective of whether the data being traded is used as an input in the downstream economy or an output for the upstream economy.12 Hence, economies of scale and comparative advantage in the data intensive industries, as well as data transfers between related multinational enterprises, are relatively concentrated in countries with superior ICT infrastructure, which are by and large developed economies.13 Even with the existence of the ICT infrastructure, the flow of data can be restricted through localization measures. Data localization measures are diverse in nature and extent, yet they can occur in any of the four stages of data flows depicted above. Such measures arguably result in creating non-tariff barriers to trade, whether, or not, they are justified on grounds of public policy concerns. At the stage of ISPs’ ‘peering’ at internet exchange points, some states impose a restriction preventing foreign ISPs from providing internet services, thereby diverting the traffic routing of data, even if an ISP is technically capable of providing network services within a particular range. At the third stage of storage in data centres, several states impose restrictions requiring local data storage and local data processing. This results in increased costs for companies who are forced to invest in data centres that are geographically located within the territory of the restriction implementing state, in order to enable them to do business in that state. Finally, at the data consumption stage, states impose restrictions like ‘firewalls’ which result in a blanket prohibition on data imports, as well as restrictions on the nature of intellectual property or source code transfer requirements. Although some of these restrictions represent absolute prohibitions on data flows and amount to a de jure restriction, most are in the nature of de facto restrictions that create barriers for data flows. Table 1 below elaborates on some commonly known data localization measures. Table 1. Snapshot of common data localization measures Measure State Data type Details Data production Local content China Cross-cutting Rules on online publishing requirements including app stores, audiovisuals, online games, online literature database.14 Nigeria Business, personal Guidelines for Nigerian Content Development in Information and Communications Technology, 2014. Indonesia Cross-cutting Local content rules for electronic products.15 Online censorship Turkey Cross-cutting Wide-ranging restrictions on freedom of press and media.16 Data flow through ISPs Data protection European Union Personal, Sensitive Personal General Data Protection Regulation,17 enforces restrictions on transfer to third party states based on an ‘adequacy’ test.18 South Korea Personal, Social Personal Information Protection Act requiring consent from ‘data subject’ prior to data exports.19 Data transfer requirement India Sensitive personal Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules requires ‘necessity’ and ‘special consent’ requirement for export of data.20 Source code/ technology transfer requirement USA Personal, tax Source code transfer of tax-related information.21 Traffic routing Vietnam Cross-cutting Restriction on foreign ISPs to provide Internet access directly.22 Data storage Local data storage and processing Australia Sensitive Personal Personally Controlled Electronic Health Records Act, 2012 Brazil Business Localization requirement for public procurement contract including cloud-computing services.23 Indonesia Personal, business, company Regulation on Electronic Systems, 2012; Localization for over-the-top services (such as Skype, WhatsApp) New Zealand Business, company Internal Revenue Act Russia Personal, business Extensive local storage and processing requirements for personal data, business data relating to telecommunications, including email and social networking services.24 United States Business State specific laws and local regulations. For instance, LA requires Google to store its data in US territory, Tennessee gives preferences to local providers for government procurement contracts that require data entry or call center services.25 Data consumption Prohibition and restrictions on foreign websites China Cross-cutting Golden Shield Program (‘Great Firewall of China’) broadly limiting data imports Restrictive access China, Turkey, Iran Cross-cutting Filtering dissemination and access to content deemed harmful or subversive.26 Measure State Data type Details Data production Local content China Cross-cutting Rules on online publishing requirements including app stores, audiovisuals, online games, online literature database.14 Nigeria Business, personal Guidelines for Nigerian Content Development in Information and Communications Technology, 2014. Indonesia Cross-cutting Local content rules for electronic products.15 Online censorship Turkey Cross-cutting Wide-ranging restrictions on freedom of press and media.16 Data flow through ISPs Data protection European Union Personal, Sensitive Personal General Data Protection Regulation,17 enforces restrictions on transfer to third party states based on an ‘adequacy’ test.18 South Korea Personal, Social Personal Information Protection Act requiring consent from ‘data subject’ prior to data exports.19 Data transfer requirement India Sensitive personal Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules requires ‘necessity’ and ‘special consent’ requirement for export of data.20 Source code/ technology transfer requirement USA Personal, tax Source code transfer of tax-related information.21 Traffic routing Vietnam Cross-cutting Restriction on foreign ISPs to provide Internet access directly.22 Data storage Local data storage and processing Australia Sensitive Personal Personally Controlled Electronic Health Records Act, 2012 Brazil Business Localization requirement for public procurement contract including cloud-computing services.23 Indonesia Personal, business, company Regulation on Electronic Systems, 2012; Localization for over-the-top services (such as Skype, WhatsApp) New Zealand Business, company Internal Revenue Act Russia Personal, business Extensive local storage and processing requirements for personal data, business data relating to telecommunications, including email and social networking services.24 United States Business State specific laws and local regulations. For instance, LA requires Google to store its data in US territory, Tennessee gives preferences to local providers for government procurement contracts that require data entry or call center services.25 Data consumption Prohibition and restrictions on foreign websites China Cross-cutting Golden Shield Program (‘Great Firewall of China’) broadly limiting data imports Restrictive access China, Turkey, Iran Cross-cutting Filtering dissemination and access to content deemed harmful or subversive.26 Source: Author’s compilation. Table 1. Snapshot of common data localization measures Measure State Data type Details Data production Local content China Cross-cutting Rules on online publishing requirements including app stores, audiovisuals, online games, online literature database.14 Nigeria Business, personal Guidelines for Nigerian Content Development in Information and Communications Technology, 2014. Indonesia Cross-cutting Local content rules for electronic products.15 Online censorship Turkey Cross-cutting Wide-ranging restrictions on freedom of press and media.16 Data flow through ISPs Data protection European Union Personal, Sensitive Personal General Data Protection Regulation,17 enforces restrictions on transfer to third party states based on an ‘adequacy’ test.18 South Korea Personal, Social Personal Information Protection Act requiring consent from ‘data subject’ prior to data exports.19 Data transfer requirement India Sensitive personal Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules requires ‘necessity’ and ‘special consent’ requirement for export of data.20 Source code/ technology transfer requirement USA Personal, tax Source code transfer of tax-related information.21 Traffic routing Vietnam Cross-cutting Restriction on foreign ISPs to provide Internet access directly.22 Data storage Local data storage and processing Australia Sensitive Personal Personally Controlled Electronic Health Records Act, 2012 Brazil Business Localization requirement for public procurement contract including cloud-computing services.23 Indonesia Personal, business, company Regulation on Electronic Systems, 2012; Localization for over-the-top services (such as Skype, WhatsApp) New Zealand Business, company Internal Revenue Act Russia Personal, business Extensive local storage and processing requirements for personal data, business data relating to telecommunications, including email and social networking services.24 United States Business State specific laws and local regulations. For instance, LA requires Google to store its data in US territory, Tennessee gives preferences to local providers for government procurement contracts that require data entry or call center services.25 Data consumption Prohibition and restrictions on foreign websites China Cross-cutting Golden Shield Program (‘Great Firewall of China’) broadly limiting data imports Restrictive access China, Turkey, Iran Cross-cutting Filtering dissemination and access to content deemed harmful or subversive.26 Measure State Data type Details Data production Local content China Cross-cutting Rules on online publishing requirements including app stores, audiovisuals, online games, online literature database.14 Nigeria Business, personal Guidelines for Nigerian Content Development in Information and Communications Technology, 2014. Indonesia Cross-cutting Local content rules for electronic products.15 Online censorship Turkey Cross-cutting Wide-ranging restrictions on freedom of press and media.16 Data flow through ISPs Data protection European Union Personal, Sensitive Personal General Data Protection Regulation,17 enforces restrictions on transfer to third party states based on an ‘adequacy’ test.18 South Korea Personal, Social Personal Information Protection Act requiring consent from ‘data subject’ prior to data exports.19 Data transfer requirement India Sensitive personal Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules requires ‘necessity’ and ‘special consent’ requirement for export of data.20 Source code/ technology transfer requirement USA Personal, tax Source code transfer of tax-related information.21 Traffic routing Vietnam Cross-cutting Restriction on foreign ISPs to provide Internet access directly.22 Data storage Local data storage and processing Australia Sensitive Personal Personally Controlled Electronic Health Records Act, 2012 Brazil Business Localization requirement for public procurement contract including cloud-computing services.23 Indonesia Personal, business, company Regulation on Electronic Systems, 2012; Localization for over-the-top services (such as Skype, WhatsApp) New Zealand Business, company Internal Revenue Act Russia Personal, business Extensive local storage and processing requirements for personal data, business data relating to telecommunications, including email and social networking services.24 United States Business State specific laws and local regulations. For instance, LA requires Google to store its data in US territory, Tennessee gives preferences to local providers for government procurement contracts that require data entry or call center services.25 Data consumption Prohibition and restrictions on foreign websites China Cross-cutting Golden Shield Program (‘Great Firewall of China’) broadly limiting data imports Restrictive access China, Turkey, Iran Cross-cutting Filtering dissemination and access to content deemed harmful or subversive.26 Source: Author’s compilation. II. POSITIONING DATA AND DATA FLOW WITHIN THE WTO REGIME The overview of different data localization measures raises two key policy questions. Firstly, whether such restrictions are covered within the existing trade regime, and if yes, whether such measures are in violation of those existing norms or if such localization measures are protected within its scope as an exception. Secondly, should there be any multilateral rule-making relating to data and data flows, and if so, how can such a normative framework be developed which enables economies of scale and development of the ICT sector, while delineating legitimate public policy exceptions. WTO law operates significantly within the vertical silos of ‘goods’, ‘services’, and ‘intellectual property’, all of which are relevant for data and data flows but at the same time, data challenges this conventional notion compartmentalizing products into mutually exclusives categories. Innovative business models and the rise of the ‘Internet of Things’ are creating a surge of innovative electronic products, which are autonomous and interactive. The term ‘smart’ has been coined and appended to products ranging from mobile phones and computers to automobiles (for example, GPS navigation systems and self-driving cars) and homes (for example, personal assistant speakers such as Google Home). These devices are embodied as ‘goods’ and would be treated as goods under WTO law, but the features that lend them their ‘smart’ characteristic are the data flow-dependent services that are embedded into them and it is such ‘services’ that confer true value to the product. Data flows can also sometimes blur the line between means of trading and the product being traded itself.27 Technology such as additive manufacturing utilized in 3D printing illustrates this. Trading in additive manufactured products would mean that although the end-product being traded is embodied as a good, it is the data (conventionally considered a service) that is actually moving across borders while being transmitted from the seller to the buyer. Consequently, classification and treatment of products, especially tariff treatment, traded through the medium of 3D printing is complicated in light of the mutually exclusive silos of goods, services, and intellectual property. The issue of classification of data-intensive products is not merely an issue of semantics because the rules applicable to a product depend on its classification. International trade law mandates similar treatment for ‘like’ goods under the GATT and ‘like’ services and service suppliers under the GATS Agreement. For example, a physical hardbound book and the electronic version of the same book, would potentially be ‘like’ products in light of their end-use, consumers’ tastes and preferences and competitive relationship.28 However, while the former is a good, the latter would be classified as a service, and therefore the two products are treated differently by WTO member states. Goods are medium of delivery dependent, but not services, due to the principle of ‘technologically neutral’. Although the Appellate Body or any WTO Panel has never explicitly derived the principle of ‘technological neutrality’ or even used the terminology, the concept has, however, been widely derived based on interpretation of WTO cases, even though several critics consider this interpretation of the Dispute Settlement Body as an instance of judicial overreach.29 Indeed, commitments made during the Uruguay Round in 1994 precedes the boom in data-driven economies and business models, and members did not have issues like e-commerce and data flows in mind while negotiating GATT and GATS commitments. However, as things currently stand, if the mode of delivery of a digital product is a hard copy, it raises GATT issues, which is dependent on the fact that the product is physical in substance, and its mode of delivery requires the product to physically cross borders.30 However, if the same product is also distributed electronically, then it is a GATS issue, and hence independent of the mode of delivery.31 One visible effect of this is that the ‘good’, for instance hardbound book or compact disc is subject to customs duties, but not the ‘like’ ‘service’, for instance e-book or online music and movies, due to the moratorium on customs duties on e-commerce. The ever-increasing expansion of data-intensive products causing products that were traditionally goods becoming digital in nature that can be now traded through data flows, can be expected to cause a decrease in traditional manufacturing, thereby implying that custom duties on goods would decrease, but no custom duties would apply for similar or ‘like’ services.32 A. GATS Agreement and W/120 classification (see also Kelsey’s article) The GATS Agreement requires categorizing any trade in services transaction into one of the four modes of supply envisaged within the agreement. A related and highly debated issue is whether trade in data and data flows is GATS Mode 1, that is, cross border supply of service (defined as ‘service delivered within the territory of a Member from the territory of another Member’), or a GATS Mode 2, that is, consumption of a service abroad.33 Conceptually, during data flows and trade in data-intensive products neither the buyer nor the seller cross state borders, at least in the physical sense. This forms the basis for the majority view that data flows broadly constitutes a Mode 1 transaction issue, and is further strengthened by the ‘medium of delivery independent’ principle derived from GATS jurisprudence.34 However, for particular products, it is possible to foresee that it is the consumer virtually travelling abroad, which is enabled through data flow, for consumption of the service. In such cases, the service is not being provided on the server of the consumer’s device, but rather on the server of the seller’s device. For example, online banking, cloud computing, web, or application hosting and e-commerce website hosted outside the consumer’s state (to illustrate, purchasing an e-book in Switzerland from Amazon’s French website). In such instances, the data may be hosted in a foreign country where the seller’s servers are located, and when the consumer wants access to the data, virtual consumption abroad is enabled by data flow. 35 Such cases would be an instance of a Mode 2 transaction. The W/120 classification system is the WTO’s comprehensive list of services sectors and sub-sectors covered by the GATS. It comprises one hundred and sixty services. It incorporates twelve broad categories of services that further encompass several categories and sometimes even sub-categories; therefore, there is either a three-tier or a two-tier level of categorization for a particular service. Among the broader categories, ‘business services’, ‘communication services’, and ‘financial services’ are most relevant for the digital economy, and to a lesser extent ‘educational services’, ‘tourism and travel related services’, and ‘distribution services’. Within ‘business services’, the sub-category on ‘computer and related services’ especially ‘data base’ and ‘data processing’ services are important, whereas within ‘communication’ services the categories on ‘telecommunication services’, and ‘audio-visual services’ are the most relevant for trade in data, although the categories of ‘professional services’ is also important in light of several professional services being supplied across borders through the medium of the Internet. It is important to note that ‘software’ does not constitute a distinct category, since its concept was fairly nascent during GATS’ negotiation years, although several of the restrictions on data flows pertain to software. It is also interesting to note that several data localizations measures apply to government services; however, the GATS Agreement is inapplicable to services supplied in the exercise of governmental authority.36 The extent to which a state has liberalized trade in these sectors and sub-sectors can be determined from the commitments made for these categories, which is provided in their GATS Schedule. B. Overlap between W/120 services The Appellate Body in US-Gambling held that services must be specific to a particular sector, and hence the sectors and sub-sectors are mutually exclusive.37 This was necessitated in the event that a service could be classified under two different sub-sectors, it could lead to the possibility of an anomaly wherein a member state has no restrictions on market access and national treatment in one such sub-sector, but has reservations for the other sub-sector.38 However, such exclusivity becomes problematic in light of new-age business models of tech companies comprising digital platforms which intertwine several services and data-intensive products, since often such services have multiple end-uses.39 Consequently, such services can be classified under several categories. Some instances of unavoidable overlap exist between ‘audiovisual’ and value-added ‘telecommunications’ in the case of over-the-top applications such as video streaming (Netflix, Youtube), as well as ‘telecommunications’ and ‘data base services’ for cloud computing.40 Since the digital economy was merely in its initial stages when the GATS commitments were made, members such as the EU freely liberalized computer and related services, but in order to retain regulatory autonomy over culturally sensitive issues, the EU avoided any commitments for audiovisual services.41 Not surprisingly, the EU takes the stance that most digital services are audiovisuals, and not data processing or database, which enables the EU to take advantage of the fact that it does not having substantial commitments for audiovisual services.42 Indeed, W/120 itself causes an inherent contradiction with the mutually exclusive requirement for services classification since the sub-category of ‘data processing’ appears twice—once under ‘computer and related services’ (W/120 classification number 1.B.c.), and second under ‘telecommunication services’ (W/120 classification number 2.C.n.).43 Commonly used guiding principles may assist in the task of classification. Firstly, the GATS’ classification system is based on services outputs, that is, the final service being supplied by a service supplier or purchased by a Mode 2 consumer, as a coherent whole must be the appropriate classification. Hence, for any transaction, it is important to analyze the coherent and whole final service being provided.44 Secondly, the intrinsic nature of the service determined from the intended end-use of the service, rather than the means of delivery, should be the distinguishing characteristic of a service.45 Thirdly, GATS jurisprudence has incorporated the concept of ‘integrated service’, referring to a classification comprising different services which are individually identifiable, however, since the entire transaction functions only when all services are supplied together, whether they are supplied by one or different service supplier, then it constitutes an ‘integrated service’ which is classified under a single sub-sector that embodies the coherent whole service. 46 Finally, the guiding principles provided in the UN Provisional CPC, 1990 may also assist in resolving the overlap problem. The explanatory note of the UN CPC indicates a lex specialis type of treatment for determining the appropriate service sector, when more than one service classification appears applicable.47 In reality, however, these principles are often not too effective in resolving the overlap issue. For instance, Alphabet’s (Google) search engine is a feature almost anyone who has ever accessed the Internet is familiar with. While for a user it would potentially be a ‘data base service’, the company, Alphabet, earns its revenues from the search engine feature through ‘advertising services’ (CPC 871), both of which are its end-use and intrinsic nature. In addition to the overlap problem, the W/120 classification categories also particularly fails to accommodate certain ‘new’ services that have emerged since the drafting and adoption of the W/120 system which do not squarely fit into any of the available categories. To illustrate, voice and video services enabled by the internet, such as Skype and FaceTime, have become vital forms of modern day communication. Although it appears to be a sort of value added telecommunication or business service, none of the sub-categories under them seem applicable for it. Additive manufacturing resulting in 3D printing is another such ‘new’ service. It is enabled by the Internet and data flows; however, no category under the classification list is potentially applicable for it. The CPC Guiding Principles provide that such ‘new’ service could be classified under the category most akin to the service.48 However, this principle cannot be easily imported for commitments under the GATS Agreement, since member states are likely to favour an approach where they are fully assured of the extent of the commitments that they have undertaken, given the bottom-up (hybrid) normative means of scheduling GATS commitments.49 Accommodating any ‘new’ service remains a complicated issue, and the subsequent analysis further compounds this concern. C. Compatibility of restrictions with existing WTO obligations Having analysed the present terrain of related WTO norms and associated challenges deriving therefrom, it is imperative to analyse whether the restrictions observed above are in compliance with existing obligations of respective members. Table 2 provides an analysis of the WTO compatibility of the most widely known restrictions noted in Table 1. Table 2. Compatibility of data localization measures with WTO rules Member Measure Data type Potential classification(s) Related WTO commitments Relevant exceptions European Union Data protection Personal Data processing Mode 1 and 2 (1.B.c.), database (1.B.d.), telecommunications Mode 1 (2.C.), etc. MFN; 1.B.c & 1.B.d: None52 2.C: Market access conditions National treatment—None Privacy protection Vietnam Traffic routing All 2.C. Mode 1 Conditions for market access, National treatment-None N/a (market access conditions protects the measure) China Golden Shield Program— Firewall All 1.B.c. & 1.B.d. Mode 1 and 2; 2.C Mode 1 and 2; audiovisual services (2.D.) Mode 1 1.B.c.: None, 1.B.d.: No commitment, 2.C.: Market access conditions, none for national treatment; 2.D: None 1.B.c. & 2.D: Public morals 1.B.d: N/a 2.C. market access conditions may protect some aspects of the Firewall Russia Local storage Personal 1.B.c. & 1.B.d. Mode 1 and 2; 2.C. Mode 1 and 2 1.B.c. & 1.B.d: None 2.C: MA and national treatment conditions Privacy, security Member Measure Data type Potential classification(s) Related WTO commitments Relevant exceptions European Union Data protection Personal Data processing Mode 1 and 2 (1.B.c.), database (1.B.d.), telecommunications Mode 1 (2.C.), etc. MFN; 1.B.c & 1.B.d: None52 2.C: Market access conditions National treatment—None Privacy protection Vietnam Traffic routing All 2.C. Mode 1 Conditions for market access, National treatment-None N/a (market access conditions protects the measure) China Golden Shield Program— Firewall All 1.B.c. & 1.B.d. Mode 1 and 2; 2.C Mode 1 and 2; audiovisual services (2.D.) Mode 1 1.B.c.: None, 1.B.d.: No commitment, 2.C.: Market access conditions, none for national treatment; 2.D: None 1.B.c. & 2.D: Public morals 1.B.d: N/a 2.C. market access conditions may protect some aspects of the Firewall Russia Local storage Personal 1.B.c. & 1.B.d. Mode 1 and 2; 2.C. Mode 1 and 2 1.B.c. & 1.B.d: None 2.C: MA and national treatment conditions Privacy, security Source: Author’s compilation. Table 2. Compatibility of data localization measures with WTO rules Member Measure Data type Potential classification(s) Related WTO commitments Relevant exceptions European Union Data protection Personal Data processing Mode 1 and 2 (1.B.c.), database (1.B.d.), telecommunications Mode 1 (2.C.), etc. MFN; 1.B.c & 1.B.d: None52 2.C: Market access conditions National treatment—None Privacy protection Vietnam Traffic routing All 2.C. Mode 1 Conditions for market access, National treatment-None N/a (market access conditions protects the measure) China Golden Shield Program— Firewall All 1.B.c. & 1.B.d. Mode 1 and 2; 2.C Mode 1 and 2; audiovisual services (2.D.) Mode 1 1.B.c.: None, 1.B.d.: No commitment, 2.C.: Market access conditions, none for national treatment; 2.D: None 1.B.c. & 2.D: Public morals 1.B.d: N/a 2.C. market access conditions may protect some aspects of the Firewall Russia Local storage Personal 1.B.c. & 1.B.d. Mode 1 and 2; 2.C. Mode 1 and 2 1.B.c. & 1.B.d: None 2.C: MA and national treatment conditions Privacy, security Member Measure Data type Potential classification(s) Related WTO commitments Relevant exceptions European Union Data protection Personal Data processing Mode 1 and 2 (1.B.c.), database (1.B.d.), telecommunications Mode 1 (2.C.), etc. MFN; 1.B.c & 1.B.d: None52 2.C: Market access conditions National treatment—None Privacy protection Vietnam Traffic routing All 2.C. Mode 1 Conditions for market access, National treatment-None N/a (market access conditions protects the measure) China Golden Shield Program— Firewall All 1.B.c. & 1.B.d. Mode 1 and 2; 2.C Mode 1 and 2; audiovisual services (2.D.) Mode 1 1.B.c.: None, 1.B.d.: No commitment, 2.C.: Market access conditions, none for national treatment; 2.D: None 1.B.c. & 2.D: Public morals 1.B.d: N/a 2.C. market access conditions may protect some aspects of the Firewall Russia Local storage Personal 1.B.c. & 1.B.d. Mode 1 and 2; 2.C. Mode 1 and 2 1.B.c. & 1.B.d: None 2.C: MA and national treatment conditions Privacy, security Source: Author’s compilation. The GATS Agreement entails liberalization in the supply of services through four modes of delivery. However, unlike the GATT, the GATS Agreement provides MFN treatment subject to ‘opt-out’ through explicitly provided exemptions, and a hybrid list of positive commitments (along with negatively listed limitations thereto) with respect to market access and national treatment obligations.50 Therefore, the GATS Agreement is a unique agreement combining horizontal commitments with a hybrid list approach for commitments for the services enlisted under the Services Sectoral Classification List, together with a purely negative list approach for MFN exemptions.51 As explained above, prior to examining the specific commitments of a state for a service, the analysis in Table 2first attempts to classify the service in question under the localization measure into one specific sub-category under the W/120 list. However, the overlap issue persisted as is seen in the ‘potential classification(s)’ column wherein the different W/120 sectors that overlap with respect to the specific restriction are enlisted. Secondly, the analysis determines the appropriate mode of supply, and concluded that certain restrictions and classification raise both Mode 1 and Mode 2 concerns, whereas others raise only Mode 1 concerns and this is also reflected in Table 2. Although it analyses only few of the hundreds of data localization measures imposed by different WTO states, Table 2 reveals the potential of several violations of WTO norms. The EU’s new data protection regime, the GDPR’s ‘adequacy’ test, whereby ‘personal data’ can only be transferred to certain third countries, may potentially be in violation of EU’s most-favoured nation (MFN) and market access obligations under the GATS Agreement. The ‘adequacy’ test is an improvement over the ‘Safe-Harbour Regime’ that was in force under GDPR’s predecessor regulation and which could easily be challenged as an MFN violation of the ‘recognition’ principle under the GATS Agreement.53 However, and although at this stage one can only speculate, the adequacy test may also potentially violate this principle. The GATS Agreement also provides for legitimate exceptions under Articles XIV and XIVbis, which, similar to GATT exceptions, follow the two-tier analysis of a measure first being identified under a specific sub-paragraph of the provision, followed by withstanding the two-pronged chapeau test.54 Sub-paragraph (c) of Article XIV protects measures necessary to secure compliance with laws or regulations which are not GATS inconsistent, including those ‘relating to the protection of the privacy of individuals in relation to the processing and dissemination of personal data and the protection of confidentiality of individual records and account’.55 Although this exception could save the GDPR, the ‘adequacy’ requirement would first have to pass the chapeau tests developed through WTO jurisprudence which requires a sufficient nexus between the measure at hand and the interest sought to be protected.56 A measure is ‘necessary’ if there is no less trade restrictive and WTO consistent alternative.57 Therefore, while it seemingly appears EU GDPR would qualify as an exception under Article XIV(c), a closer inspection may yield contrary results.58 Similarly, there is scope for WTO disputes with respect to Russia’s local storage of data requirements and China’s Firewall, since both states have liberalized relevant sectors under the GATS Agreement. The measures may, like in the EU’s case, be protected by exceptions such as privacy and security—the stated objectives of Russia’s measure, and public morals—the stated objective of China’s measure. However, these defenses could be challenged in light of exceptions’ jurisprudence. Russia’s data localization measure neither prohibits the transfer of the locally stored data abroad, nor prevents access to this stored data.59 China’s public morals defense for content filtering of foreign websites is also questionable.60 Although at this stage it is impossible to predict the outcome of such potential disputes and all localization measures are foreseeably not equally egregious, certainly a case for WTO dispute exists in all these cases. Differentiating between justified and unjustified or excessive measures requires positive determination of the policy rationale behind such measures and an accepted ranking of the extent of embedded trade restrictiveness. Hence, it reflects the pressing need for multilateral negotiations or, at a minimum clarification on the applicability of GATS commitments to modern tech-related businesses. Certain other important patterns and observations with respect to commitments made by states relating to the digital economy, and specifically data flows emerge from a reading of Table 2. For instance, the WTO classification parlance is often difficult to comprehend and outdated, especially in the absence of definitions within the classification text itself.61 Undoubtedly, the GATS norms and classification system were drafted in an era prior to the Internet boom. The Appellate Body has interpreted the GATS Agreement in a technologically neutral manner so as to factor in future technological developments. However, given the positive list normative framework states are likely to favour an approach where there is greater certainty regarding the commitments voluntarily made by them.62 This illustrates the necessity for new negotiations in light of the exponential growth of Internet’s capability in the post-Uruguay Round era. Indeed, the GATS Agreement, in line with its object, purpose and travaux preparatoires, provides member states the right of regulatory autonomy. This is a crucial component of the GATS framework, provided explicitly under Article VI of the GATS Agreement, and would apply to any data related concern.63 Hence, states have the right to regulate and clarify the applicability of their commitments (although not the autonomy to restrict trade in the sectors that are already liberalized), and this would be a preferred outcome over a dispute. With this idea in mind, the final section of this article develops a data and technology compatible normative framework to address the issue of data localization while providing states sufficient regulatory space for legitimate exceptions. III. TOWARDS A FRAMEWORK TO RESOLVE ISSUES AND DEADLOCK The problems highlighted above, including the scope for potential disputes, highlights the pressing need for amending WTO norms to reflect the realities of twenty-first century trade, wherein the digital economy and data-related issues are vital to international trade. At a minimum, clarification by member states interpreting their commitments undertaken under the GATS and their reconciliation with domestic data localization measures is warranted. However, data is a politically contentious issue in trade policy circles. Proposing any workable solution to resolve the political deadlock, mandates first and foremost gauging the underlying political economy of the issue. A. State of progress at the WTO: Taking stock of e-commerce work programme The ‘WTO E-commerce Work Programme’, the cross-cutting WTO forum for discussions on e-commerce including data flow-related issues, was established in 1998.64 One of its first outcomes was the imposition of a temporary moratorium on customs duties for electronic transmissions, which was in accordance with the practice existing at that time. This moratorium has been extended at every subsequent WTO ministerial conference, including the eleventh Ministerial Conference at Buenos Aires in December 2017.65 Although several WTO members were keen on making this moratorium permanent, it still remains temporary and reviewable at every ministerial conference.66 This can be attributed to certain other member states’ reluctance to make the moratorium permanent, caused due to the African Group’s interest in exploring potential revenue implications of electronic transmissions,67 and India’s demand to link this moratorium to the moratorium on non-violation complaints under the TRIPS Agreement.68 The year 2016 witnessed a renewed and reinvigorated interest in digital trade related issues at the WTO, through the tabling of proposals highlighting issues for discussions through submissions, which are known as ‘non-papers’ in light of the lack of negotiating mandate for such an issue. Table 3 below provides a detailed analysis of data related statements in such non-papers submitted since 2016. Table 3. Data-related provisions in WTO ‘non-paper’ submissions Members Free flow of data Data localization Other related provisions Brazil69 Supports, but new rules for it will be necessary only if it is first found that existing rules are insufficient. Provides scope for exceptions. Endorses protection of personal data. Supports services traded online as being exclusively under Mode I of GATS Agreement, including data flows. Canada, Chile, Colombia, Côte d'Ivoire, European Union, Republic of Korea, Mexico, Paraguay, Singapore and Turkey70 Supports, but subject to legitimate public policy exceptions. Endorses measures addressing all forms of localization by building on existing WTO commitments, but subject to public policy exceptions. Endorses building on existing WTO commitments, rather than creating new rules. Endorses measures to restrain any requirements for transfer or access to source code, or software. Japan71 Supports Endorses restrictions on data localization. Endorses measures to restrict requirement to transfer information, source code, or encryption of technology Mexico, Indonesia, Korea, Turkey and Australia72 Supports, but subject to exceptions. Identifies need for technical work to understand various policy implications Need for technical work to understand various policy implications Endorses update of Telecommunications Reference Paper to support digital competition. United States73 Supports it, subject to reasonable safeguards Endorses prohibition of local data centres and local content. Considers restrictions to protect consumer data when exported as reasonable exception to data flow. Endorses prohibition on forced technology transfer and transfer of source code. Costa Rica74 Supports Endorses restrictions for data protection African Group75 Opposes Opposes regulating it Opposes hard rules on non-disclosure of source code, and barring forced technology transfer Taiwan76 Supports efficient transmission of data Members Free flow of data Data localization Other related provisions Brazil69 Supports, but new rules for it will be necessary only if it is first found that existing rules are insufficient. Provides scope for exceptions. Endorses protection of personal data. Supports services traded online as being exclusively under Mode I of GATS Agreement, including data flows. Canada, Chile, Colombia, Côte d'Ivoire, European Union, Republic of Korea, Mexico, Paraguay, Singapore and Turkey70 Supports, but subject to legitimate public policy exceptions. Endorses measures addressing all forms of localization by building on existing WTO commitments, but subject to public policy exceptions. Endorses building on existing WTO commitments, rather than creating new rules. Endorses measures to restrain any requirements for transfer or access to source code, or software. Japan71 Supports Endorses restrictions on data localization. Endorses measures to restrict requirement to transfer information, source code, or encryption of technology Mexico, Indonesia, Korea, Turkey and Australia72 Supports, but subject to exceptions. Identifies need for technical work to understand various policy implications Need for technical work to understand various policy implications Endorses update of Telecommunications Reference Paper to support digital competition. United States73 Supports it, subject to reasonable safeguards Endorses prohibition of local data centres and local content. Considers restrictions to protect consumer data when exported as reasonable exception to data flow. Endorses prohibition on forced technology transfer and transfer of source code. Costa Rica74 Supports Endorses restrictions for data protection African Group75 Opposes Opposes regulating it Opposes hard rules on non-disclosure of source code, and barring forced technology transfer Taiwan76 Supports efficient transmission of data Source: Author’s compilation. Table 3. Data-related provisions in WTO ‘non-paper’ submissions Members Free flow of data Data localization Other related provisions Brazil69 Supports, but new rules for it will be necessary only if it is first found that existing rules are insufficient. Provides scope for exceptions. Endorses protection of personal data. Supports services traded online as being exclusively under Mode I of GATS Agreement, including data flows. Canada, Chile, Colombia, Côte d'Ivoire, European Union, Republic of Korea, Mexico, Paraguay, Singapore and Turkey70 Supports, but subject to legitimate public policy exceptions. Endorses measures addressing all forms of localization by building on existing WTO commitments, but subject to public policy exceptions. Endorses building on existing WTO commitments, rather than creating new rules. Endorses measures to restrain any requirements for transfer or access to source code, or software. Japan71 Supports Endorses restrictions on data localization. Endorses measures to restrict requirement to transfer information, source code, or encryption of technology Mexico, Indonesia, Korea, Turkey and Australia72 Supports, but subject to exceptions. Identifies need for technical work to understand various policy implications Need for technical work to understand various policy implications Endorses update of Telecommunications Reference Paper to support digital competition. United States73 Supports it, subject to reasonable safeguards Endorses prohibition of local data centres and local content. Considers restrictions to protect consumer data when exported as reasonable exception to data flow. Endorses prohibition on forced technology transfer and transfer of source code. Costa Rica74 Supports Endorses restrictions for data protection African Group75 Opposes Opposes regulating it Opposes hard rules on non-disclosure of source code, and barring forced technology transfer Taiwan76 Supports efficient transmission of data Members Free flow of data Data localization Other related provisions Brazil69 Supports, but new rules for it will be necessary only if it is first found that existing rules are insufficient. Provides scope for exceptions. Endorses protection of personal data. Supports services traded online as being exclusively under Mode I of GATS Agreement, including data flows. Canada, Chile, Colombia, Côte d'Ivoire, European Union, Republic of Korea, Mexico, Paraguay, Singapore and Turkey70 Supports, but subject to legitimate public policy exceptions. Endorses measures addressing all forms of localization by building on existing WTO commitments, but subject to public policy exceptions. Endorses building on existing WTO commitments, rather than creating new rules. Endorses measures to restrain any requirements for transfer or access to source code, or software. Japan71 Supports Endorses restrictions on data localization. Endorses measures to restrict requirement to transfer information, source code, or encryption of technology Mexico, Indonesia, Korea, Turkey and Australia72 Supports, but subject to exceptions. Identifies need for technical work to understand various policy implications Need for technical work to understand various policy implications Endorses update of Telecommunications Reference Paper to support digital competition. United States73 Supports it, subject to reasonable safeguards Endorses prohibition of local data centres and local content. Considers restrictions to protect consumer data when exported as reasonable exception to data flow. Endorses prohibition on forced technology transfer and transfer of source code. Costa Rica74 Supports Endorses restrictions for data protection African Group75 Opposes Opposes regulating it Opposes hard rules on non-disclosure of source code, and barring forced technology transfer Taiwan76 Supports efficient transmission of data Source: Author’s compilation. The Buenos Aires Ministerial has also resulted in a statement issued by 67 WTO members, including Brazil, China, and Russia to explore trade-related aspects of e-commerce so as to work towards future rules, setting the stage for possible plurilateral negotiations on e-commerce.77 The role of data and data flow will be pivotal to this journey. The discussion below advances two solutions for resolving the political tensions over this issue, the first being an update of the WTO classification system, and the second, a data differentiated approach to future multilateral norm-making. B. Update of the WTO classification system The WTO W/120 classification list was compiled in July 1991 on the basis of the UN Provisional CPC, 1990 which was in force at that time, and not surprisingly it is an ill-fit for today’s data intensive international trade transactions. Since then, the UN CPC list has undergone several updates, the latest being in 2015 (UN CPC Version 2.1). Although the WTO retains a pre-digital economy outlook on classification, other classification systems have already adopted a more developed framework. These provide a starting template for amending the WTO classification and the related clarification or update needed to address some of the most pressing definitional lacunae and overlap issues discussed in this article. Version 2.1 of the UN CPC states that the classification of products which make up a bundle, that is, combine goods and services, should be classified in accordance with their main component, that is, the primary value added.78 This notion of ‘integrated goods and services’ is an excellent reference for resolving the ‘goods versus services’ dilemma, although it would still require additional work for classification of all data intensive products. UN CPC 2.1 sectors are relatively easier to navigate with respect to the digital economy and data-intensive products. For instance, they include ‘telecommunications, broadcasting, and information supply services’ as a sub-sector of ‘business and production’ services, which comprises, among others, ‘internet telecommunications services’, ‘online content’, ‘Hosting and IT infrastructure provisioning facilities’, and ‘broadcasting, programming and programme distribution services’. To illustrate the benefits of these categories, the ‘new’ service of voice and video communication like Skype would potentially be a ‘hosting and IT infrastructure provisioning facility service’.79 Interestingly, however, UN CPC Version 2.1 does away with the category of ‘computer services’, leading one to speculate if all computer and related services under this list would be covered within the ‘software’ sector. Despite such concerns which must be considered, the crucial takeaway from UN CPC Version 2.1 would be that a potential framework for updating W/120 is already in existence and if the political consensus emerges, such an update may not require members to start from scratch since the UN CPC 2.1 version is sufficiently advanced. The Information Technology Agreement (ITA) update of 2015 provides a positive example of WTO members updating and expanding an outdated classification system. Amending the existing WTO classification system would be beneficial for member states irrespective of their political will to liberalize, since it would provide clarity to better determine the sectors to liberalize and the sectors to maintain regulatory autonomy in. C. Data differentiated approach for future norm-making The GATS Agreement provides flexibility for ‘protectionism’, hence, it is widely argued that digital products should be covered within the ambit of the GATS Agreement so as to address the ‘systemic disadvantage’ of developing economies with respect to ICT infrastructure-related underdevelopment.80 Indeed, the GATS Agreement provides greater options to member states to determine their individual choice—towards greater liberalization or greater regulatory autonomy, and may be preferred by the majority of states for trade-related aspects of data. Any potential normative framework would ideally strike a balance between liberalization and domestic autonomy. The object of data localization measures observed above is often to secure compliance with specific policy objectives relating to particular types of data, and not all types of data. Therefore, any normative framework for future rule-making requires first an understanding of different types of data so as determine which types of data require more regulatory autonomy in line with national policy objectives. Therefore, it therefore becomes imperative to develop a typology of data on the basis of the observed localization measures and political debates on this issue. 1. Data typology Data restriction measures differentiate data on the basis of the source and purpose of data, and this forms an apt basis for developing a data typology. An analysis of regulations and laws that require differential treatment of data clearly indicates one distinct category, which is ‘personal data’. This category becomes most obvious through the study of data protection laws imposing restrictions on processing of only personal data. The EU GDPR is one of the most elaborate data protection regimes, which provides a comprehensive yet narrow definition of personal data as, ‘any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly,….’81 Therefore, personal data relates only to identifiable (not anonymous) and natural (not juridical) persons. Within the ambit of ‘personal data’, localization measures often reserve higher protection for further specific types of data. This subset of personal data either relates to particularly sensitive issues or is personal data relating to particular sectors. The EU GDRP conceptualizes a category as ‘sensitive personal data’, which is sensitive by virtue of the data’s inherent linkage to individuals’ fundamental rights and freedoms. While EU Member States have some scope to domestically regulate what aspects of personal data qualify as ‘sensitive personal data’, illustratively it can include ‘racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation’.82 Other states have enacted laws protecting personal data relating to health information, accounting, tax and financial information, gambling information, and so on. While the extent of the constituent elements of sensitive personal data varies across jurisdictions, the important take-away is that within the broader category of ‘personal data’ additional protection can be given to the subset of ‘sensitive personal data’. Another category of data that may be considered is ‘company data’. Company data comprises of data flowing between entities of corporations, that is, intra-company data. It includes the supervision, management, and organization of data relating to corporations, including financial planning of companies, management, bookkeeping, administrative support services, human resources, etc.83 A majority of the total data that is transferred cross-border is as part of business management, between affiliates of the same multinational enterprise or related enterprises.84 Therefore, corporations significantly depend on speedy and effective cross-border data flows. Studies reflect that such data is one of the most intensive users of cross-border data flow, and consequently company data is severely impacted by non-categorized regulations restricting data flow. A third category is business data. This category has a broad scope and is difficult to define but broadly relates to any data that is commercial, marketable, or can be monetized. This includes products that encapsulate digitized content such as software, music, and audio-visual content.85 For instance, commonly known applications and websites such as Netflix, Spotify, Youtube, and Facebook all produce digitized content. Business data also includes digitally enabled services such as e-commerce websites, legal or consulting services provided digitally. Business data is a subset of company data, and it can also overlap with personal data (for instance, social media applications like Facebook). Similar to the subset of ‘sensitive personal data within ‘personal data’, a further subsets can be created within ‘business data’, which is, ‘social data’. Social data relates to behavioural patterns of larger social units.86 Social data is derived from personal data, but is distinct from it as it undergoes a process of anonymization and thereby, the data is no longer traceable to individual persons. As a result of ‘social data’ being anonymous it does not overlap with ‘personal data’. To illustrate, the EU GDRP excludes anonymous information including personal information that is rendered anonymous ‘in such a manner that the data subject is not or no longer identifiable.’87 Therefore, social data is a subset of business data, but does not overlap with personal data (since it cannot be traced to any identifiable individual). The usage and regulatory concerns surrounding social data is predicted to rise with the expansion of digital analytics such as Big Data. Delineating this typology of data, and especially including social data, is necessary since not all usage and movement of data have similar ramifications. Concerns have been raised during multilateral discussions,88 against the creation of norms permitting free flows of data as well as the prohibition of data localization measures. One of the primary reasons justifying such skepticism is the argument that data can be monetized or commodified. The recent Cambridge Analytica scandal wherein personal data of Facebook users was analysed to influence different political campaigns depicts the gravity of this situation.89 Consequently, permitting the free flow of data would result in further utilization and monetization of the data of citizens for free, which will subsequently be processed for commercial benefit by big technology companies.90 Often an analogy is made viewing data as raw material collected from oblivious citizens for free, and then commoditized, especially by large technology-oriented multinational corporations, and resold back to citizens.91 The basis for such arguments is that relatively value-less data is embedded into goods and services, thereby resulting in valuable goods and services being created and then traded. However, if data is categorized into personal, social data, and other types of company data, it becomes evident that the monetization argument pertains only to personal and social data, and not so much for company data. Company data, is usually already protected strongly through corporate law and intellectual property rights such as trademarks and trade secrets. However, protection of personal data and limitations on compiling and processing of social data is relatively less protected. The pressing need for international regulation is reflected through the multilateral discussions on e-commerce wherein the importance of building online trust and consumer protection has been highlighted. Diagram 1 above provides a conceptual depiction of the typology of data that has been developed above, including the possibilities of overlap. Table 4 provides illustrative examples of the categories including instances of overlap. This typology provides the groundwork for data differentiated norms. Table 4. Illustrative examples of overlap between different types of data Data type Illustrative examples Personal, Business and Company Personal online search data analysis for advertising by a tech company (Business model of Facebook, Google, etc.), data used by app economies like Uber, AirBnb, etc. Personal and company, but not business Human resources-related data of the employees of a company-salary, insurance, health, etc. Social and company Big data analysis based business models, seen in sectors like navigation, marketing, etc. Company, but neither personal nor business Data supervision, management, and organization of data relating to corporations, including financial planning of companies, management, bookkeeping, administrative support services Company and business, but not personal Trademarks and patent data owned by a corporation Data type Illustrative examples Personal, Business and Company Personal online search data analysis for advertising by a tech company (Business model of Facebook, Google, etc.), data used by app economies like Uber, AirBnb, etc. Personal and company, but not business Human resources-related data of the employees of a company-salary, insurance, health, etc. Social and company Big data analysis based business models, seen in sectors like navigation, marketing, etc. Company, but neither personal nor business Data supervision, management, and organization of data relating to corporations, including financial planning of companies, management, bookkeeping, administrative support services Company and business, but not personal Trademarks and patent data owned by a corporation Source: Author’s compilation. Table 4. Illustrative examples of overlap between different types of data Data type Illustrative examples Personal, Business and Company Personal online search data analysis for advertising by a tech company (Business model of Facebook, Google, etc.), data used by app economies like Uber, AirBnb, etc. Personal and company, but not business Human resources-related data of the employees of a company-salary, insurance, health, etc. Social and company Big data analysis based business models, seen in sectors like navigation, marketing, etc. Company, but neither personal nor business Data supervision, management, and organization of data relating to corporations, including financial planning of companies, management, bookkeeping, administrative support services Company and business, but not personal Trademarks and patent data owned by a corporation Data type Illustrative examples Personal, Business and Company Personal online search data analysis for advertising by a tech company (Business model of Facebook, Google, etc.), data used by app economies like Uber, AirBnb, etc. Personal and company, but not business Human resources-related data of the employees of a company-salary, insurance, health, etc. Social and company Big data analysis based business models, seen in sectors like navigation, marketing, etc. Company, but neither personal nor business Data supervision, management, and organization of data relating to corporations, including financial planning of companies, management, bookkeeping, administrative support services Company and business, but not personal Trademarks and patent data owned by a corporation Source: Author’s compilation. Diagram 1. View largeDownload slide Typology of Data Reflecting Overlaps. Diagram 1. View largeDownload slide Typology of Data Reflecting Overlaps. 2. Data differentiated normative framework In the absence of international harmonization, data localization measures may cause balkanization of the digital space. This can be countered through either of two options—harmonization of minimum legal standards, or by tolerating deviations.92 Given the borderless nature of cyberspace, and to attain economies of scale, suggestions have been made for more horizontal commitments on data and data flow under the GATS Agreement, and replacement of the positive list approach by a negative list approach for national treatment and market access commitments.93 Specific exceptions beyond the existing ones on protection of personal data and online privacy, such as cyber-security, other types of national security, prevention of online criminal activities have also been suggested to be incorporated either as horizontal commitments, or through the individual schedules of members. Although such an approach could be beneficial for data producer states desiring more efficient cross-border flows of data, certain states would predictably be opposed to such amendments to the existing GATS framework since replacing the existing positive list approach with a negative list approach may diminish regulatory autonomy of states to protect data in line with their national policy objectives. In light of this, a plausible workable solution to reconcile the diverse interests of members would be the adoption of a data differentiated approach, utilizing the data typology developed above, involving greater liberalization of the digital economy through ensuring market access for some types of data, while retaining greater regulatory autonomy for other types of data. Differential treatment of data is technically possible through tagging data thereby coupling it with a management decision on handling the data, including the decision to prevent its movement across borders.94 Member states could use such a typology to determine the types of data over which they would seek to retain greater regulatory space relative to other types of data. For instance, greater horizontal commitments on free flow of data, that is, a list of obligations, subject to opt-out, on market access and national treatment obligations, could be undertaken with respect to company data that is not overlapping with personal or social data. This would result in a regime enabling free flow of for some data. A positive list approach could however be retained for data where states desire greater domestic regulations, for instance personal and social data. Therefore, horizontal commitments on data flows under the GATS Agreement, on a multilateral or plurilateral basis, could allow greater liberalization and enable the freer flow of data. However, such commitments should also provide exceptions for national policy objectives, and retain the positive list approach for undertaking liberalization commitments for data that constitute politically sensitive regulatory issues, that is, personal and social data. While this article does not flesh out the details or nature of the horizontal commitments to harmonize rules ensuring freer flow of certain types of data, it develops a data typology in an attempt to delineate different approaches that may be adopted multilaterally in line with policy objectives pertaining to specific types of data. IV. Conclusion The growth of the digital economy is outpacing any related policy and legal discussions and negotiations internationally, and in most cases, even nationally. While on the one hand, newer digital technologies are continuously disrupting traditional business models and consequently shifting patterns of international trade and investment, on the other hand, restrictive measures concerning the digital economy are different from traditional barriers to trade. The heavy reliance on movement of data in the digital economy results in barriers to movement of data becoming a great disruption for data intensive industries like e-commerce, online banking, and app economies. This article derives that such measures are potentially in violation of particular obligations undertaken by the respective states under their GATS Schedule. Furthermore, this article analysed the problems of applying pre-Internet era norms and commitments to the digital economy, thereby highlighting the pressing need for new multilateral regulations. Based on the issues noted and the political deadlock over them, this article recommends clarification and amendment of the WTO’s outdated classification system, and the adoption of a data differentiated normative framework for undertaking a combination of horizontal commitments as well as positive list obligations on data flows. The data differentiated approach is not an end in itself; however, it could prove to be the answer to resolving the political deadlock on this highly contentious issue. The author would like to thank Ines Willemyns as well as an anonymous reviewer for their comments on an earlier draft. The author is grateful for related discussions with Professors Joost Pauwelyn and Mira Burri, and Dr Weiwei Zhang. The author is also grateful for the valuable comments and suggestions received during the MC11 Think Track Conference in Buenos Aires, 13 December 2017. Footnotes 1 ‘WTO Work Programme on E-Commerce’ (WTO 1998) WT/L/274, para. 1.3. 2 Amy Porges and Alice Enders, ‘Data Moving Across Borders: The Future of Digital Trade Policy’ [2016] E15 Initiative 3. 3 ICC Commission on Trade and Investment Policy and ICC Commission on the Digital Economy, ‘Trade in the Digital Economy—A Primer on Global Data Flows for Policymakers’ (lnternational Chamber of Commerce (ICC) 2016) Policy Paper 103/330, 373/560 1 <https://iccwbo.org/publication/trade-in-the-digital-economy/> accessed 18 October 2017; Joshua Meltzer, ‘A New Digital Trade Agenda’ [2015] E15 Initiative 2. 4 ICC Commission on Trade and Investment Policy and ICC Commission on the Digital Economy (n 3) 1; Anupam Chander, ‘Freeing Trade in CyberSpace’, The Electronic Silk Road (New Haven: Yale University Press, 2013) 19. 5 John J. Simpson and Edmund Weiner (eds), ‘Oxford English Dictionary, Data, N.’ <http://www.oed.com/view/Entry/296948> accessed 1 November 2017. 6 Ibid. 7 The ‘digital economy’ is defined by UNCTAD as ‘the application of internet-based digital technologies to the production and trade of goods and services’. ‘UNCTAD World Investment Report 2017—Investment and the Digital Economy’ (UNCTAD 2017) Annual <unctad.org/en/PublicationsLibrary/wir2017_en.pdf> accessed 26 September 2017. 8 Meltzer (n 3) 5. 9 Note that personal devices of users/consumers are not referred as ‘servers’, but rather as ‘clients’ since they indirectly connect to the Internet through ISPs. 10 ‘How a Data Center Works’ (SAP Data Center) <http://www.sapdatacenter.com/article/data_center_functionality/> accessed 29 November 2017. 11 Erik Van der Marel, ‘Disentangling the Flows of Data: Inside or Outside the Multinational Company’ (ECIPE 2015) ECIPE Occasional Paper )7/2015 17; Robert Pepper, John Garrity and Connie LaSalle, ‘1.2 Cross-Border Data Flows, Digital Innovation, and Economic Growth’ <http://wef.ch/29d7HNj> accessed 29 November 2017; ‘World Economic Forum: Networked Readiness Index, 2016’ (World Economic Forum 2016) Global Information Technology Report <http://reports.weforum.org/global-information-technology-report-2016/networked-readiness-index/> accessed 2 December 2017. 12 Van der Marel (n 11) 13. 13 Van der Marel (n 11), Tables 3 and 4. 14 Nigel Cory, ‘Cross-Border Data Flows: Where Are the Barriers, and What Do They Cost?’ (Information Technology and Innovation Foundation 2017) Policy Paper <https://itif.org/publications/2017/05/01/cross-border-data-flows-where-are-barriers-and-what-do-they-cost> accessed 18 October 2017. 15 Anupam Chander and Uyen P Le, ‘Breaking the Web: Data Localization vs. the Global Internet’ (2014) Research Paper No. 378 Emory Law Journal; UC Davis Legal Studies Research Paper No. 378, 19–29 <https://papers.ssrn.com/sol3/papers.cfm?abstract_id=2577969> accessed 17 November 2017; Constance Johnson, ‘Indonesia: Local Content Rules for Electronic Products | Global Legal Monitor’ (Law.gov, 15 September 2016) <//loc.gov/law/foreign-news/article/indonesia-local-content-rules-for-electronic-products/> accessed 30 November 2017. 16 ‘Turkey Country Profile’ (MIT 2010) Country Profile 347–349 <https://opennet.net/sites/opennet.net/files/ONI_Turkey_2010.pdf> accessed 26 November 2017. 17 General Data Protection Regulation 2016 (Regulation) (hereinafter EU GDPR). 18 Kristina Irion, Svetlana Yakovleva and Marija Bartl, ‘Trade and Privacy: Complicated Bedfellows? How to Achieve Data Protection-Proof Free Trade Agreements’ (2016) Independent Study 10. <https://www.ivir.nl/publicaties/download/1807> accessed 17 November 2017. 19 Chander and Le (n 15) 22. 20 Ibid. 16. 21 Sanya Reid, ‘Some Preliminary Implications of WTO Source Code Proposal’ 5–6 <http://www.twn.my/MC11/briefings/BP4.pdf> accessed 8 May 2018. 22 ‘Country Reports on Human Rights Practices for 2016 - Vietnam’ <https://vn.usembassy.gov/2016-country-reports-human-rights-practices-vietnam/> accessed 30 November 2017. 23 Cory (n 14) 21. 24 Chander and Le (n 15) 21; Cory (n 14). 25 Cory (n 14). 26 For example, see ‘China Country Profile’ (MIT 2011) Country Profile <http://access.opennet.net/wp-content/uploads/2011/12/accesscontested-china.pdf> accessed 26 November 2017. 27 Meltzer (n 3) 4; Farrokh Farrokhnia and Cameron Richards, ‘E-Commerce Products Under the World Trade Organization Agreements: Goods, Services, Both or Neither?’ (2016) 50 Journal of World Trade 793. 28 These are the tests for likeness developed through WTO jurisprudence. Panel Report, Spain—Tariff Treatment of Unroasted Coffee [1981] WTO Panel L/5135-28S/102, WTO [4.7]; Appellate Body Report, Argentina—Measures Relating to Trade in Goods and Services [2016] Appellate Body WT/DS453/AB/R, WTO [6.32]; Appellate Body Report, European Communities—Measures Affecting Asbestos and Products Containing Asbestos [2001] Appellate Body WT/DS135/AB/R, WTO [99]; Appellate Body Report, European Communities—Measures Prohibiting the Importation and Marketing of Seal Products [2014] Appellate Body WT/DS400/AB/R; WT/DS401/AB/R, WTO 5.82; China- Certain Measures Affecting Electronic Payment Services [2012] WTO Panel WT/DS413/R, WTO [7.700]. 29 China—Measures Affecting Trading Rights and Distribution Services for Certain Publications and Audiovisual Entertainment Products [2009] Appellate Body WT/DS363/AB/R, WTO [377–378]; United States—Measures Affecting the Cross-Border Supply of Gambling and Betting Services [2005] Appellate Body WT/DS285/AB/R, WTO. 30 See China—Audiovisuals (n 29) [196]. 31 Meltzer (n 3) 9. 32 Sacha Wunsch-Vincent, The WTO, the Internet and Trade in Digital Products: EC-US Perspectives (Hart Publishing 2006) 52–53; Antony Taubman in Mira Burri and Thomas Cottier (eds), Trade Governance in the Digital Age (Cambridge University Press, 2012) 315–319; Porges and Enders (n 2) 8–9; Rolf H Weber, ‘Digital Trade and E-Commerce: Challenges and Opportunities of the Asia-Pacific Regionalism’ (2015) 10 Asian Journal of WTO and International Health Law and Policy 321, 324–325; Farrokhnia and Richards (n 27) 808–809. 33 Wunsch-Vincent (n 32) 65–70; Weber (n 32) 324. WTO Trade in Services Council, ‘Work Programme on Electronic Commerce: Progress Report to the General Council’ (WTO 1999) Progress Report to the General Council S/L/74 para 5; WTO Trade in Services Council, ‘Work Programme on Electronic Commerce: Note by the Secretariat’ (WTO 1998) Note by the Secretariat S/C/W/68. 34 See above n 30 and 31. 35 Porges and Enders (n 2) 9. For an interesting take on distinguishing between Mode 1 and Mode 2 supply in data-related service, see Usman Ahmed, Brian Bieron and Gary Horlick, ‘Mode 1, Mode 2, or Mode 10: How Should Internet Services Be Classified in the Global Agreement on Trade in Service?’ (2015) 2015–2016 Boston University School of Law International Law Journal. 36 Art. I 3(b), GATS Agreement. 37 US Gambling (n 29) [180]. 38 US Gambling (n 29) footnote 219. 39 Andrew D. Mitchell and Neha Mishra, ‘Data at the Docks: Modernising International Trade Law for the Digital Economy’ (2017) 20 Vanderbilt Journal of Entertainment and Technology Law, Forthcoming 11–13 <https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3064396> accessed 17 November 2017. Ruosi Zhang, ‘Covered or Not Covered: That Is the Question - Services Classification and its Implications for Specific Commitments under the GATS’ (2015) Working Paper 10–12 <https://www.wto.org/english/res_e/reser_e/ersd201511_e.pdf> accessed 16 November 2017. 40 Zhang (n 39) 13; Renee Berry and Matthew Reisman, ‘Policy Challenges of Cross-Border Cloud Computing’ (2012) 4 Journal of International Commerce and Economics 1, 21–22. 41 Mira Burri, ‘The Governance of Data and Data Flows in Trade Agreements: The Pitfalls of Legal Adaptation’ (2017) 51 UC Davis Law Review 65, 85; Wunsch-Vincent (n 32) 56–57. 42 Burri (n 41) 85; Pierre Larouche, ‘Dealing with Convergence at the International Level’ in Damien Geradin and David Luff (eds), The WTO and Global Convergence in Telecommunications and Audio-Visual Services (1st edn, Cambridge University Press, 2004) 311–422. 43 ‘WTO Services Sectoral Classification List — Note by the Secretariat’ (WTO 1991) MTN.GNS/W/120. 44 Zhang (n 39) 8. 45 Ibid 9. 46 China – Electronic Payments (n 28) [VII. 55–62, VII.183–188]; Panagiotis Delimatsis, ‘The WTO Outlaws the Privileges of the Chinese Payment Services Giant’ (2012) 16 American Society of International Law <https://www.asil.org/insights/volume/16/issue/31/wto-outlaws-privileges-chinese-payment-services-giant> accessed 26 November 2017; Shailja Singh, ‘WTO Dispute Analysis: China—Measures Affecting Electronic Payment Services’ (2012) 9 Centre for WTO Studies, IIFT. 47 Zhang (n 39) 14. 48 United Nations, Statistics Division, Department of Economic and Social Affairs, ‘General Rules for the Interpretation of the Harmonized System - Central Product Classification (CPC) Version 1.1’ 17 <https://unstats.un.org/unsd/publication/SeriesM/SeriesM_77ver1_1E.pdf> accessed 20 November 2017. 49 Zhang (n 39) 14–15. 50 Art. XX, GATS Agreement. 51 Zhang (n 39) 1. 52 Note that within the terminology used for GATS Schedules, ‘None’ means that there are no limitations on liberalization, that is, completely liberalized. 53 Art. VII, GATS Agreement. 54 US Gambling (n 29) [292]. 55 Art. XIV (c) (ii), GATS Agreement. 56 US Gambling (n 29) [292]. 57 Ibid. 308; China – Audiovisuals (n 29). 58 For an in-depth analysis, see Irion, Yakovleva and Bartl (n 18) 28–30. 59 Alla Naglis, Daniel Crosby and Xenia Melkova, ‘LinkedIn Blocked in Russia: Privacy and Trade Law Aspects’ <https://s3.amazonaws.com/kslaw-staging/attachments/000/003/991/original/ca112116a.pdf?1494907303> accessed 4 March 2018. 60 Tim Wu, ‘The World Trade Law of Censorship and Internet Filtering’ (2006) 7 Chicago Journal of International Law 263; Claude Barfield, ‘A WTO Challenge to China’s Internet Censorship Is Long Due’ <http://www.eastasiaforum.org/2016/05/26/a-wto-challenge-to-chinas-internet-censorship-is-long-overdue/> accessed 5 March 2018. 61 Burri and Cottier (n 32) 257. 62 Weber (n 32) 324. For illustration on the divergent views of different members, see ‘Report of the Meeting Held on 18 September 2014 - Note by the Secretariat’, S/CSC/M/71. 63 WTO Trade in Services Council, ‘Work Programme on Electronic Commerce: Progress Report to the General Council’ (n 33) para 11. 64 ‘WTO Work Programme on E-Commerce’ (n 1) adopted on 25 September 1998. 65 ‘WTO Work Programme on E-Commerce: Ministerial Decision of December 13, 2017’ (WTO 2017) Ministerial Conference Eleventh Session WT/MIN(17)/65; WT/L/1032. 66 For an empirical analysis of the WTO members who seek to make the moratorium permanent, and the ones who are opposed to it, see Patrick Low, ‘Framing Future Work and Negotiations on E-Commerce at the WTO’ (International Centre for Trade and Sustainable Development, 1 December 2017) <https://www.ictsd.org/opinion/framing-future-work-and-negotiations-on-e-commerce-at-the-wto> accessed 2 January 2018. 67 ‘The Work Programme on Electronic Commerce - Communication from the African Group, Draft Ministerial Decision on Electronic Commerce’ (WTO 2017) WTO/JOB/GC/155; WTO General Council, ‘Work Programme on Electronic Commerce: Review of Progress, REPORT BY AMBASSADOR ALFREDO SUESCUM – FRIEND OF THE CHAIR’ (WTO 2016) Progress Review WT/GC/W/721 para. 1.6. 68 D. Ravi Kanth, ‘India Rejects WTO Push for New Global E-Commerce Rules - Livemint’ LiveMint (Geneva, 17 October 2017) <http://www.livemint.com/Industry/tRCUKDsTGvnQUpVyVTLmhJ/India-rejects-WTO-push-for-new-global-ecommerce-rules.html> accessed 6 March 2018; Third World Network, ‘India+4 Link Moratoriums on E-Commerce, TRIPS NV and CBD’ <https://www.twn.my/title2/wto.info/2017/ti171227.htm> accessed 6 March 2018. 69 Non-Paper from Brazil, WTO Doc. JOB/GC/98, dated 20 July 2016. 70 Trade Policy, the WTO and the Digital Economy, WTO Doc. JOB/GC/97/Rev.1 dated 22 July 2016 & WTO Doc. JOB/GC/116, JOB/CTG/4 dated 13 January 2017. 71 Non-Paper for the Discussions on Electronic Commerce/Digital Trade from Japan, WTO Doc JOB/GC/100, dated 25 July 2016. 72 MIKTA E-Commerce Workshop Reflections, WT Doc. JOB/GC/99, dated 22 July 2016. The paper is based on reflections from the MIKTA-Commerce Workshop at the WTO on 5 July 2016 between the countries of Paper 6. 73 Non-paper from United States, WTO Doc JOB/GC/94, dated 4 July 2016. 74 WTO, ‘WTO E-Commerce Development Agenda, Communication from Costa Rica’ (WTO 2017) WTO E-Commerce Work Programme JOB/GC/139, dated 10 October 2017. 75 ‘The Work Programme on Electronic Commerce - Statement by the African Group’ (n 85) JOB/GC/144, dated 20 October 2017. 76 ‘Reflecting on the Information Insufficiency in E-Commerce’ 77 WTO, ‘Joint Statement on Electronic Commerce’ (WTO 2017) Ministerial Conference Eleventh Session WT/MIN(17)/60. 78 Overview United Nations, Statistics Division, Department of Economic and Social Affairs (ed), ‘Central Product Classification (CPC) Version 2.1’ 15 <https://unstats.un.org/unsd/cr/downloads/CPCv2.1_complete%28PDF%29_English.pdf> accessed 29 November 2017 para 58. 79 UNCTAD, ‘UNCTAD International Trade in ICT Services and ICT-Enabled Services: Proposed Indicators from the Partnership on Measuring ICT for Development’ (United Nations 2015) UNCTAD Technical Notes on ICT for Development TN/UNCTAD/ICT4D/03 6–7. 80 Sam Fleuter, ‘The Role of Digital Products Under the WTO: A New Framework for GATT and GATS Classification’ (2016) 17 Chicago Journal of International Law 172–173 <https://chicagounbound.uchicago.edu/cjil/vol17/iss1/5>. 81 Art. 4(1), EU GDPR. 82 Art. 9(1), EU GDPR. 83 Van der Marel (n 11). 84 Ibid. 85 Porges and Enders (n 2) 1. 86 Parminder Jeet Singh and Richard Hill, ‘Digitalisation and the Gig Economy: Implications for the Developing World’ <https://www.twn.my/title2/resurgence/2017/319-320/cover03.htm> accessed 29 November 2017. 87 Rec. 26, EU GDPR. 88 ‘The Work Programme on Electronic Commerce - Statement by the African Group’ (n 75) para 3.5; ‘Work Programme on Electronic Commerce - Report of Panel Discussion on “Digital Industrial Policy and Development” - Communication from the African Group’ para. 1.9. 89 Helen Havlak, ‘The Cambridge Analytica Scandal’ (The Verge, 10 April 2018) <https://www.theverge.com/2018/4/10/17165130/facebook-cambridge-analytica-scandal> accessed 10 April 2018; Sam Meredith, ‘Facebook-Cambridge Analytica: A Timeline of the Data Hijacking Scandal’ (CNBC, 10 April 2018) <https://www.cnbc.com/2018/04/10/facebook-cambridge-analytica-a-timeline-of-the-data-hijacking-scandal.html> accessed 10 April 2018; ‘How to Check Whether Facebook Shared Your Data with Cambridge Analytica | Technology | The Guardian’ (10 April 2018) <https://www.theguardian.com/technology/2018/apr/10/facebook-notify-users-data-harvested-cambridge-analytica> accessed 10 April 2018. 90 ‘Work Programme on Electronic Commerce - Report of Panel Discussion on “Digital Industrial Policy and Development” - Communication from the African Group’ (n 88) para. 1.9; Analysis of China’s digital policy in Singh and Hill (n 86); ‘The High Stakes in MC11 for Developing Countries’ Future Development Prospects’ (SouthCentre 2017) Policy Brief <https://www.southcentre.int/wp-content/uploads/2017/10/IN_High-Stakes-in-MC11-30-Oct-2017_EN-1.pdf> accessed 25 November 2017. 91 Ibid. 92 Chander (n 4) 143–144, 189. 93 Joshua Meltzer, ‘The Internet, Cross-Border Data Flows and International Trade’ [2013] Issues in Technology Innovation 16 <https://www.brookings.edu/wp-content/uploads/2016/06/internet-data-and-trade-meltzer.pdf> accessed 26 September 2017. 94 Jatinder Singh and others, ‘Seeing through the Clouds: Managing Data Flow and Compliance in Cloud Computing’ Cloud Computing 6 <https://www.cl.cam.ac.uk/research/srg/opera/publications/papers/2015ccmagSI.pdf> accessed 11 November 2017. © The Author(s) 2018. Published by Oxford University Press. All rights reserved. This article is published and distributed under the terms of the Oxford University Press, Standard Journals Publication Model (https://academic.oup.com/journals/pages/about_us/legal/notices) http://www.deepdyve.com/assets/images/DeepDyve-Logo-lg.png Journal of International Economic Law Oxford University Press

Understanding the Role of the WTO in International Data Flows: Taking the Liberalization or the Regulatory Autonomy Path?

Loading next page...
 
/lp/ou_press/understanding-the-role-of-the-wto-in-international-data-flows-taking-dUX04rlvd4
Publisher
Oxford University Press
Copyright
© The Author(s) 2018. Published by Oxford University Press. All rights reserved.
ISSN
1369-3034
eISSN
1464-3758
D.O.I.
10.1093/jiel/jgy021
Publisher site
See Article on Publisher Site

Abstract

Abstract Recent years have witnessed a surge in discussions relating to data and data flow in trade fora. This was predictable given the importance of data for trade in the digital economy, especially e-commerce. However, there is a major discord between WTO members on issues relating to data flows and data localization. This article sets out to understand how data flows across borders and the types of trade restrictive data localization measures members use. The analysis of various restrictions on data flows imposed by states reflects the different objectives behind them, targeting all or specific types of data. Such regulations potentially violate existing WTO commitments. The article concludes with a call for issuing a multilateral amendment of existing norms, and undertaking a data differentiated approach to resolve the deadlock at the WTO. Data is the basic unit enabling the functioning of the digital economy, often referred as the ‘oil of the twenty-first century’ or ‘currency for the digital economy’. Innovation with respect to data, its movement, analysis, and usage has caused the digital economy to develop and become a self-standing economy by itself, in addition to being a key facilitator for other sectors. In recent years, e-commerce has emerged as perhaps the most pressing issue in the multilateral trading system. While most states recognize the tremendous potential of e-commerce for development, many are skeptical to undertake any commitments or even clarify the applicability of existing WTO norms. The most controversial feature of this debate, not surprisingly, relates to data and data flows. E-commerce, defined by the WTO as the ‘production, distribution, marketing, sale or delivery of goods and services by electronic means’,1 hinges on the efficient movement of data, and arguably all other aspects of it are similar to other conventional trade in goods and services. Given that cross-border data flows lie at the core of any international e-commerce transaction, data has an intrinsic trade dimension. A classic example of this is the ‘app economy’, which has disrupted traditional transaction means in several industries, like international money transfer (PayPal), transportation (Uber), tourism (AirBnB, Bookings.com), travel ticket purchase (Expedia), entertainment (Netflix), and so on. The ‘app economy’ is operational through movement of data facilitated by access to cloud-based distributed data processing.2 This economy is solely dependent on the movement of data, which permits the consumer, the app provider, and the seller to be physically located in different geographical locations, so long as there is movement of data between them. On the other hand, the ‘app economy’ also helps in understanding the importance of cross-border data flows for the efficient functioning of businesses in the digital economy. For example, the simple transaction of payments for the purchase of a product on an e-commerce website using an application like PayPal requires a complex web of data flows between Paypal’s server, the customer’s device, the e-commerce website’s server and the seller’s device, all of which can be potentially located in different states where different rules on data flows may be applicable. Restrictions on data flows at any one stage imposed by one of the several states through which the data is flowing can disrupt, hinder or raise the cost of the entire transaction. The nature of world trade has in recent years greatly changed, and more than ever before, is today characterized by globalization and decentralization of the production process facilitated by data flows.3 This has resulted in reduction in transaction costs through lesser investment requirements in extensive production (primarily for goods) and distribution or supply (primarily for services) networks.4 Lowered investment and transaction costs help businesses achieve economies of scale and boost their competitiveness. Technology has enabled the efficient and speedy transfer of massive volumes of data, and is predicted to continue expanding exponentially. Consequently, newer regulatory issues and challenges have also emerged, including invasion of privacy, mass scale commercialization of users’ data by technology companies, cyber-security threats, unequal development of digital infrastructure and capacity, and several other concerns. Within their domestic and regional regulatory mechanisms, states have adopted different approaches to address these concerns. In so doing, the risk arises of seeing a balkanization of cyber space by hindering data flows. The first section of this article defines key terms crucial for clarifying the problems at stake, demonstrating the stages of data flows to depict where and how data flows can be restricted, thereby resulting in data being localized. In the second section, the article explores the uncertain terrain of existing WTO norms to determine their suitability to twenty-first century digital economy era needs. It also provides a legal analysis to determine the WTO compatibility of some common data localization measures. In the third section, the article develops a normative framework for future rule-making. It does so by analysing the emerging political consensus (or lack thereof) on data flows as seen through submissions made by different members to the WTO. Finally, the article recommends an update of the WTO’s classification system to bring it in line with current trends in data driven trade. The article also develops a typology of data and proposes a data differentiated approach for undertaking commitments on trade-related aspects of data. I. DATA, ITS MOVEMENT ACROSS BORDERS, AND LOCALIZATION MEASURES While there exists widespread acknowledgement on the importance of data and its movement for e-commerce facilitation, there is a lack of clarity with respect to the meaning and understanding of the term ‘data’ itself. Often the terms ‘data’ and ‘information’ are used interchangeably. While several international and regional treaty instruments deal with different elements and types of data, none seem to have defined the term. Therefore, it becomes imperative to consider the ordinary, dictionary meaning of the term. The Oxford English Dictionary provides several definitions for the term, ‘data’. Some are technical and pertain to particular fields like scientific research and numerical information. For the field of computing, data has been defined as, ‘Quantities, characters, or symbols on which operations are performed by a computer, considered collectively.’5 However, the definition most suitable in the context of the digital economy and of data-related international trade law and policy is ‘information in digital form’.6 Consequently, ‘data flows’ would mean the ‘movement of information in digital form’. This movement is enabled through the technology of the Internet, which is central to e-commerce, and more broadly to the digital economy.7 These definitions of data and data flow as digital information and movement of digital information respectively are the meanings ascribed to the terms throughout this article. Data localization can be considered as ‘any legal limitation on the ability for data to move globally and to remain locally’.8 This ranges from de jure restrictions such as local data storage requirements which mandate that the physical storage of data must be in data centers within the local geographical territories of a state, or local content or production requirements; to de facto restrictions like privacy and data protection laws enacted with the objective of protecting the privacy of citizens. It is important to highlight here that data localization includes both the explicit prohibition of—and lesser restrictions on—the cross-border movement of data. A. Understanding how data moves across borders and how restrictions are imposed An enquiry into the different types of data-related restrictions requires first and foremost an analysis of the journey of data from the point of its creation to its final consumption. The journey of data can be compartmentalized into four distinct components, and it may travel across borders while moving from any one of these components to the other. Firstly, data always originates on a physical device, whether it is an email or a machine processed data. The data of any Internet-based platform or ecosystem is created and stored on a server, which is a particular type of computing device that is directly connected to the internet through ICT infrastructure.9 Once it is created, at the second stage, data flows online through the mechanism of the internet, in smaller units known as ‘packets’. Internet facilities are provided to any user/consumer by internet service providers (ISPs), using wired or wireless ICT equipment. Data moving from one ISP network to another is transferred at ‘internet exchange points’ through a process known as ‘peering’. To enable data flows, at the third stage, the data is required to be physically stored in servers located in computational facilities called ‘data centres’ (even in cloud computing, the data is always stored on a physical server located somewhere). Internet exchange points are often in the same physical locations that possess data storage and processing facilities, that is, data centers. Larger Internet companies like Google and Facebook have their own data centers around the world, while smaller companies mostly use third-party owned and operated data centers.10 Finally, the data travels from the data centre through ISPs onto the consumer or end-user’s device. Efficiency of this four-step flow of data depends on superior ICT infrastructure. Companies that are intensive users of data are most likely to be based in countries having good digital infrastructure (for an analysis on the ICT infrastructure problem in developing countries see the Tavengerwei paper).11 A mix of various factors such as the number of broadband and internet subscriptions, ease of absorption of new technology, availability of capital and so on contribute to a good digital infrastructure. Consequently, countries having a good digital infrastructure can export data and trade with respect to data intensive sectors, irrespective of whether the data being traded is used as an input in the downstream economy or an output for the upstream economy.12 Hence, economies of scale and comparative advantage in the data intensive industries, as well as data transfers between related multinational enterprises, are relatively concentrated in countries with superior ICT infrastructure, which are by and large developed economies.13 Even with the existence of the ICT infrastructure, the flow of data can be restricted through localization measures. Data localization measures are diverse in nature and extent, yet they can occur in any of the four stages of data flows depicted above. Such measures arguably result in creating non-tariff barriers to trade, whether, or not, they are justified on grounds of public policy concerns. At the stage of ISPs’ ‘peering’ at internet exchange points, some states impose a restriction preventing foreign ISPs from providing internet services, thereby diverting the traffic routing of data, even if an ISP is technically capable of providing network services within a particular range. At the third stage of storage in data centres, several states impose restrictions requiring local data storage and local data processing. This results in increased costs for companies who are forced to invest in data centres that are geographically located within the territory of the restriction implementing state, in order to enable them to do business in that state. Finally, at the data consumption stage, states impose restrictions like ‘firewalls’ which result in a blanket prohibition on data imports, as well as restrictions on the nature of intellectual property or source code transfer requirements. Although some of these restrictions represent absolute prohibitions on data flows and amount to a de jure restriction, most are in the nature of de facto restrictions that create barriers for data flows. Table 1 below elaborates on some commonly known data localization measures. Table 1. Snapshot of common data localization measures Measure State Data type Details Data production Local content China Cross-cutting Rules on online publishing requirements including app stores, audiovisuals, online games, online literature database.14 Nigeria Business, personal Guidelines for Nigerian Content Development in Information and Communications Technology, 2014. Indonesia Cross-cutting Local content rules for electronic products.15 Online censorship Turkey Cross-cutting Wide-ranging restrictions on freedom of press and media.16 Data flow through ISPs Data protection European Union Personal, Sensitive Personal General Data Protection Regulation,17 enforces restrictions on transfer to third party states based on an ‘adequacy’ test.18 South Korea Personal, Social Personal Information Protection Act requiring consent from ‘data subject’ prior to data exports.19 Data transfer requirement India Sensitive personal Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules requires ‘necessity’ and ‘special consent’ requirement for export of data.20 Source code/ technology transfer requirement USA Personal, tax Source code transfer of tax-related information.21 Traffic routing Vietnam Cross-cutting Restriction on foreign ISPs to provide Internet access directly.22 Data storage Local data storage and processing Australia Sensitive Personal Personally Controlled Electronic Health Records Act, 2012 Brazil Business Localization requirement for public procurement contract including cloud-computing services.23 Indonesia Personal, business, company Regulation on Electronic Systems, 2012; Localization for over-the-top services (such as Skype, WhatsApp) New Zealand Business, company Internal Revenue Act Russia Personal, business Extensive local storage and processing requirements for personal data, business data relating to telecommunications, including email and social networking services.24 United States Business State specific laws and local regulations. For instance, LA requires Google to store its data in US territory, Tennessee gives preferences to local providers for government procurement contracts that require data entry or call center services.25 Data consumption Prohibition and restrictions on foreign websites China Cross-cutting Golden Shield Program (‘Great Firewall of China’) broadly limiting data imports Restrictive access China, Turkey, Iran Cross-cutting Filtering dissemination and access to content deemed harmful or subversive.26 Measure State Data type Details Data production Local content China Cross-cutting Rules on online publishing requirements including app stores, audiovisuals, online games, online literature database.14 Nigeria Business, personal Guidelines for Nigerian Content Development in Information and Communications Technology, 2014. Indonesia Cross-cutting Local content rules for electronic products.15 Online censorship Turkey Cross-cutting Wide-ranging restrictions on freedom of press and media.16 Data flow through ISPs Data protection European Union Personal, Sensitive Personal General Data Protection Regulation,17 enforces restrictions on transfer to third party states based on an ‘adequacy’ test.18 South Korea Personal, Social Personal Information Protection Act requiring consent from ‘data subject’ prior to data exports.19 Data transfer requirement India Sensitive personal Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules requires ‘necessity’ and ‘special consent’ requirement for export of data.20 Source code/ technology transfer requirement USA Personal, tax Source code transfer of tax-related information.21 Traffic routing Vietnam Cross-cutting Restriction on foreign ISPs to provide Internet access directly.22 Data storage Local data storage and processing Australia Sensitive Personal Personally Controlled Electronic Health Records Act, 2012 Brazil Business Localization requirement for public procurement contract including cloud-computing services.23 Indonesia Personal, business, company Regulation on Electronic Systems, 2012; Localization for over-the-top services (such as Skype, WhatsApp) New Zealand Business, company Internal Revenue Act Russia Personal, business Extensive local storage and processing requirements for personal data, business data relating to telecommunications, including email and social networking services.24 United States Business State specific laws and local regulations. For instance, LA requires Google to store its data in US territory, Tennessee gives preferences to local providers for government procurement contracts that require data entry or call center services.25 Data consumption Prohibition and restrictions on foreign websites China Cross-cutting Golden Shield Program (‘Great Firewall of China’) broadly limiting data imports Restrictive access China, Turkey, Iran Cross-cutting Filtering dissemination and access to content deemed harmful or subversive.26 Source: Author’s compilation. Table 1. Snapshot of common data localization measures Measure State Data type Details Data production Local content China Cross-cutting Rules on online publishing requirements including app stores, audiovisuals, online games, online literature database.14 Nigeria Business, personal Guidelines for Nigerian Content Development in Information and Communications Technology, 2014. Indonesia Cross-cutting Local content rules for electronic products.15 Online censorship Turkey Cross-cutting Wide-ranging restrictions on freedom of press and media.16 Data flow through ISPs Data protection European Union Personal, Sensitive Personal General Data Protection Regulation,17 enforces restrictions on transfer to third party states based on an ‘adequacy’ test.18 South Korea Personal, Social Personal Information Protection Act requiring consent from ‘data subject’ prior to data exports.19 Data transfer requirement India Sensitive personal Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules requires ‘necessity’ and ‘special consent’ requirement for export of data.20 Source code/ technology transfer requirement USA Personal, tax Source code transfer of tax-related information.21 Traffic routing Vietnam Cross-cutting Restriction on foreign ISPs to provide Internet access directly.22 Data storage Local data storage and processing Australia Sensitive Personal Personally Controlled Electronic Health Records Act, 2012 Brazil Business Localization requirement for public procurement contract including cloud-computing services.23 Indonesia Personal, business, company Regulation on Electronic Systems, 2012; Localization for over-the-top services (such as Skype, WhatsApp) New Zealand Business, company Internal Revenue Act Russia Personal, business Extensive local storage and processing requirements for personal data, business data relating to telecommunications, including email and social networking services.24 United States Business State specific laws and local regulations. For instance, LA requires Google to store its data in US territory, Tennessee gives preferences to local providers for government procurement contracts that require data entry or call center services.25 Data consumption Prohibition and restrictions on foreign websites China Cross-cutting Golden Shield Program (‘Great Firewall of China’) broadly limiting data imports Restrictive access China, Turkey, Iran Cross-cutting Filtering dissemination and access to content deemed harmful or subversive.26 Measure State Data type Details Data production Local content China Cross-cutting Rules on online publishing requirements including app stores, audiovisuals, online games, online literature database.14 Nigeria Business, personal Guidelines for Nigerian Content Development in Information and Communications Technology, 2014. Indonesia Cross-cutting Local content rules for electronic products.15 Online censorship Turkey Cross-cutting Wide-ranging restrictions on freedom of press and media.16 Data flow through ISPs Data protection European Union Personal, Sensitive Personal General Data Protection Regulation,17 enforces restrictions on transfer to third party states based on an ‘adequacy’ test.18 South Korea Personal, Social Personal Information Protection Act requiring consent from ‘data subject’ prior to data exports.19 Data transfer requirement India Sensitive personal Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules requires ‘necessity’ and ‘special consent’ requirement for export of data.20 Source code/ technology transfer requirement USA Personal, tax Source code transfer of tax-related information.21 Traffic routing Vietnam Cross-cutting Restriction on foreign ISPs to provide Internet access directly.22 Data storage Local data storage and processing Australia Sensitive Personal Personally Controlled Electronic Health Records Act, 2012 Brazil Business Localization requirement for public procurement contract including cloud-computing services.23 Indonesia Personal, business, company Regulation on Electronic Systems, 2012; Localization for over-the-top services (such as Skype, WhatsApp) New Zealand Business, company Internal Revenue Act Russia Personal, business Extensive local storage and processing requirements for personal data, business data relating to telecommunications, including email and social networking services.24 United States Business State specific laws and local regulations. For instance, LA requires Google to store its data in US territory, Tennessee gives preferences to local providers for government procurement contracts that require data entry or call center services.25 Data consumption Prohibition and restrictions on foreign websites China Cross-cutting Golden Shield Program (‘Great Firewall of China’) broadly limiting data imports Restrictive access China, Turkey, Iran Cross-cutting Filtering dissemination and access to content deemed harmful or subversive.26 Source: Author’s compilation. II. POSITIONING DATA AND DATA FLOW WITHIN THE WTO REGIME The overview of different data localization measures raises two key policy questions. Firstly, whether such restrictions are covered within the existing trade regime, and if yes, whether such measures are in violation of those existing norms or if such localization measures are protected within its scope as an exception. Secondly, should there be any multilateral rule-making relating to data and data flows, and if so, how can such a normative framework be developed which enables economies of scale and development of the ICT sector, while delineating legitimate public policy exceptions. WTO law operates significantly within the vertical silos of ‘goods’, ‘services’, and ‘intellectual property’, all of which are relevant for data and data flows but at the same time, data challenges this conventional notion compartmentalizing products into mutually exclusives categories. Innovative business models and the rise of the ‘Internet of Things’ are creating a surge of innovative electronic products, which are autonomous and interactive. The term ‘smart’ has been coined and appended to products ranging from mobile phones and computers to automobiles (for example, GPS navigation systems and self-driving cars) and homes (for example, personal assistant speakers such as Google Home). These devices are embodied as ‘goods’ and would be treated as goods under WTO law, but the features that lend them their ‘smart’ characteristic are the data flow-dependent services that are embedded into them and it is such ‘services’ that confer true value to the product. Data flows can also sometimes blur the line between means of trading and the product being traded itself.27 Technology such as additive manufacturing utilized in 3D printing illustrates this. Trading in additive manufactured products would mean that although the end-product being traded is embodied as a good, it is the data (conventionally considered a service) that is actually moving across borders while being transmitted from the seller to the buyer. Consequently, classification and treatment of products, especially tariff treatment, traded through the medium of 3D printing is complicated in light of the mutually exclusive silos of goods, services, and intellectual property. The issue of classification of data-intensive products is not merely an issue of semantics because the rules applicable to a product depend on its classification. International trade law mandates similar treatment for ‘like’ goods under the GATT and ‘like’ services and service suppliers under the GATS Agreement. For example, a physical hardbound book and the electronic version of the same book, would potentially be ‘like’ products in light of their end-use, consumers’ tastes and preferences and competitive relationship.28 However, while the former is a good, the latter would be classified as a service, and therefore the two products are treated differently by WTO member states. Goods are medium of delivery dependent, but not services, due to the principle of ‘technologically neutral’. Although the Appellate Body or any WTO Panel has never explicitly derived the principle of ‘technological neutrality’ or even used the terminology, the concept has, however, been widely derived based on interpretation of WTO cases, even though several critics consider this interpretation of the Dispute Settlement Body as an instance of judicial overreach.29 Indeed, commitments made during the Uruguay Round in 1994 precedes the boom in data-driven economies and business models, and members did not have issues like e-commerce and data flows in mind while negotiating GATT and GATS commitments. However, as things currently stand, if the mode of delivery of a digital product is a hard copy, it raises GATT issues, which is dependent on the fact that the product is physical in substance, and its mode of delivery requires the product to physically cross borders.30 However, if the same product is also distributed electronically, then it is a GATS issue, and hence independent of the mode of delivery.31 One visible effect of this is that the ‘good’, for instance hardbound book or compact disc is subject to customs duties, but not the ‘like’ ‘service’, for instance e-book or online music and movies, due to the moratorium on customs duties on e-commerce. The ever-increasing expansion of data-intensive products causing products that were traditionally goods becoming digital in nature that can be now traded through data flows, can be expected to cause a decrease in traditional manufacturing, thereby implying that custom duties on goods would decrease, but no custom duties would apply for similar or ‘like’ services.32 A. GATS Agreement and W/120 classification (see also Kelsey’s article) The GATS Agreement requires categorizing any trade in services transaction into one of the four modes of supply envisaged within the agreement. A related and highly debated issue is whether trade in data and data flows is GATS Mode 1, that is, cross border supply of service (defined as ‘service delivered within the territory of a Member from the territory of another Member’), or a GATS Mode 2, that is, consumption of a service abroad.33 Conceptually, during data flows and trade in data-intensive products neither the buyer nor the seller cross state borders, at least in the physical sense. This forms the basis for the majority view that data flows broadly constitutes a Mode 1 transaction issue, and is further strengthened by the ‘medium of delivery independent’ principle derived from GATS jurisprudence.34 However, for particular products, it is possible to foresee that it is the consumer virtually travelling abroad, which is enabled through data flow, for consumption of the service. In such cases, the service is not being provided on the server of the consumer’s device, but rather on the server of the seller’s device. For example, online banking, cloud computing, web, or application hosting and e-commerce website hosted outside the consumer’s state (to illustrate, purchasing an e-book in Switzerland from Amazon’s French website). In such instances, the data may be hosted in a foreign country where the seller’s servers are located, and when the consumer wants access to the data, virtual consumption abroad is enabled by data flow. 35 Such cases would be an instance of a Mode 2 transaction. The W/120 classification system is the WTO’s comprehensive list of services sectors and sub-sectors covered by the GATS. It comprises one hundred and sixty services. It incorporates twelve broad categories of services that further encompass several categories and sometimes even sub-categories; therefore, there is either a three-tier or a two-tier level of categorization for a particular service. Among the broader categories, ‘business services’, ‘communication services’, and ‘financial services’ are most relevant for the digital economy, and to a lesser extent ‘educational services’, ‘tourism and travel related services’, and ‘distribution services’. Within ‘business services’, the sub-category on ‘computer and related services’ especially ‘data base’ and ‘data processing’ services are important, whereas within ‘communication’ services the categories on ‘telecommunication services’, and ‘audio-visual services’ are the most relevant for trade in data, although the categories of ‘professional services’ is also important in light of several professional services being supplied across borders through the medium of the Internet. It is important to note that ‘software’ does not constitute a distinct category, since its concept was fairly nascent during GATS’ negotiation years, although several of the restrictions on data flows pertain to software. It is also interesting to note that several data localizations measures apply to government services; however, the GATS Agreement is inapplicable to services supplied in the exercise of governmental authority.36 The extent to which a state has liberalized trade in these sectors and sub-sectors can be determined from the commitments made for these categories, which is provided in their GATS Schedule. B. Overlap between W/120 services The Appellate Body in US-Gambling held that services must be specific to a particular sector, and hence the sectors and sub-sectors are mutually exclusive.37 This was necessitated in the event that a service could be classified under two different sub-sectors, it could lead to the possibility of an anomaly wherein a member state has no restrictions on market access and national treatment in one such sub-sector, but has reservations for the other sub-sector.38 However, such exclusivity becomes problematic in light of new-age business models of tech companies comprising digital platforms which intertwine several services and data-intensive products, since often such services have multiple end-uses.39 Consequently, such services can be classified under several categories. Some instances of unavoidable overlap exist between ‘audiovisual’ and value-added ‘telecommunications’ in the case of over-the-top applications such as video streaming (Netflix, Youtube), as well as ‘telecommunications’ and ‘data base services’ for cloud computing.40 Since the digital economy was merely in its initial stages when the GATS commitments were made, members such as the EU freely liberalized computer and related services, but in order to retain regulatory autonomy over culturally sensitive issues, the EU avoided any commitments for audiovisual services.41 Not surprisingly, the EU takes the stance that most digital services are audiovisuals, and not data processing or database, which enables the EU to take advantage of the fact that it does not having substantial commitments for audiovisual services.42 Indeed, W/120 itself causes an inherent contradiction with the mutually exclusive requirement for services classification since the sub-category of ‘data processing’ appears twice—once under ‘computer and related services’ (W/120 classification number 1.B.c.), and second under ‘telecommunication services’ (W/120 classification number 2.C.n.).43 Commonly used guiding principles may assist in the task of classification. Firstly, the GATS’ classification system is based on services outputs, that is, the final service being supplied by a service supplier or purchased by a Mode 2 consumer, as a coherent whole must be the appropriate classification. Hence, for any transaction, it is important to analyze the coherent and whole final service being provided.44 Secondly, the intrinsic nature of the service determined from the intended end-use of the service, rather than the means of delivery, should be the distinguishing characteristic of a service.45 Thirdly, GATS jurisprudence has incorporated the concept of ‘integrated service’, referring to a classification comprising different services which are individually identifiable, however, since the entire transaction functions only when all services are supplied together, whether they are supplied by one or different service supplier, then it constitutes an ‘integrated service’ which is classified under a single sub-sector that embodies the coherent whole service. 46 Finally, the guiding principles provided in the UN Provisional CPC, 1990 may also assist in resolving the overlap problem. The explanatory note of the UN CPC indicates a lex specialis type of treatment for determining the appropriate service sector, when more than one service classification appears applicable.47 In reality, however, these principles are often not too effective in resolving the overlap issue. For instance, Alphabet’s (Google) search engine is a feature almost anyone who has ever accessed the Internet is familiar with. While for a user it would potentially be a ‘data base service’, the company, Alphabet, earns its revenues from the search engine feature through ‘advertising services’ (CPC 871), both of which are its end-use and intrinsic nature. In addition to the overlap problem, the W/120 classification categories also particularly fails to accommodate certain ‘new’ services that have emerged since the drafting and adoption of the W/120 system which do not squarely fit into any of the available categories. To illustrate, voice and video services enabled by the internet, such as Skype and FaceTime, have become vital forms of modern day communication. Although it appears to be a sort of value added telecommunication or business service, none of the sub-categories under them seem applicable for it. Additive manufacturing resulting in 3D printing is another such ‘new’ service. It is enabled by the Internet and data flows; however, no category under the classification list is potentially applicable for it. The CPC Guiding Principles provide that such ‘new’ service could be classified under the category most akin to the service.48 However, this principle cannot be easily imported for commitments under the GATS Agreement, since member states are likely to favour an approach where they are fully assured of the extent of the commitments that they have undertaken, given the bottom-up (hybrid) normative means of scheduling GATS commitments.49 Accommodating any ‘new’ service remains a complicated issue, and the subsequent analysis further compounds this concern. C. Compatibility of restrictions with existing WTO obligations Having analysed the present terrain of related WTO norms and associated challenges deriving therefrom, it is imperative to analyse whether the restrictions observed above are in compliance with existing obligations of respective members. Table 2 provides an analysis of the WTO compatibility of the most widely known restrictions noted in Table 1. Table 2. Compatibility of data localization measures with WTO rules Member Measure Data type Potential classification(s) Related WTO commitments Relevant exceptions European Union Data protection Personal Data processing Mode 1 and 2 (1.B.c.), database (1.B.d.), telecommunications Mode 1 (2.C.), etc. MFN; 1.B.c & 1.B.d: None52 2.C: Market access conditions National treatment—None Privacy protection Vietnam Traffic routing All 2.C. Mode 1 Conditions for market access, National treatment-None N/a (market access conditions protects the measure) China Golden Shield Program— Firewall All 1.B.c. & 1.B.d. Mode 1 and 2; 2.C Mode 1 and 2; audiovisual services (2.D.) Mode 1 1.B.c.: None, 1.B.d.: No commitment, 2.C.: Market access conditions, none for national treatment; 2.D: None 1.B.c. & 2.D: Public morals 1.B.d: N/a 2.C. market access conditions may protect some aspects of the Firewall Russia Local storage Personal 1.B.c. & 1.B.d. Mode 1 and 2; 2.C. Mode 1 and 2 1.B.c. & 1.B.d: None 2.C: MA and national treatment conditions Privacy, security Member Measure Data type Potential classification(s) Related WTO commitments Relevant exceptions European Union Data protection Personal Data processing Mode 1 and 2 (1.B.c.), database (1.B.d.), telecommunications Mode 1 (2.C.), etc. MFN; 1.B.c & 1.B.d: None52 2.C: Market access conditions National treatment—None Privacy protection Vietnam Traffic routing All 2.C. Mode 1 Conditions for market access, National treatment-None N/a (market access conditions protects the measure) China Golden Shield Program— Firewall All 1.B.c. & 1.B.d. Mode 1 and 2; 2.C Mode 1 and 2; audiovisual services (2.D.) Mode 1 1.B.c.: None, 1.B.d.: No commitment, 2.C.: Market access conditions, none for national treatment; 2.D: None 1.B.c. & 2.D: Public morals 1.B.d: N/a 2.C. market access conditions may protect some aspects of the Firewall Russia Local storage Personal 1.B.c. & 1.B.d. Mode 1 and 2; 2.C. Mode 1 and 2 1.B.c. & 1.B.d: None 2.C: MA and national treatment conditions Privacy, security Source: Author’s compilation. Table 2. Compatibility of data localization measures with WTO rules Member Measure Data type Potential classification(s) Related WTO commitments Relevant exceptions European Union Data protection Personal Data processing Mode 1 and 2 (1.B.c.), database (1.B.d.), telecommunications Mode 1 (2.C.), etc. MFN; 1.B.c & 1.B.d: None52 2.C: Market access conditions National treatment—None Privacy protection Vietnam Traffic routing All 2.C. Mode 1 Conditions for market access, National treatment-None N/a (market access conditions protects the measure) China Golden Shield Program— Firewall All 1.B.c. & 1.B.d. Mode 1 and 2; 2.C Mode 1 and 2; audiovisual services (2.D.) Mode 1 1.B.c.: None, 1.B.d.: No commitment, 2.C.: Market access conditions, none for national treatment; 2.D: None 1.B.c. & 2.D: Public morals 1.B.d: N/a 2.C. market access conditions may protect some aspects of the Firewall Russia Local storage Personal 1.B.c. & 1.B.d. Mode 1 and 2; 2.C. Mode 1 and 2 1.B.c. & 1.B.d: None 2.C: MA and national treatment conditions Privacy, security Member Measure Data type Potential classification(s) Related WTO commitments Relevant exceptions European Union Data protection Personal Data processing Mode 1 and 2 (1.B.c.), database (1.B.d.), telecommunications Mode 1 (2.C.), etc. MFN; 1.B.c & 1.B.d: None52 2.C: Market access conditions National treatment—None Privacy protection Vietnam Traffic routing All 2.C. Mode 1 Conditions for market access, National treatment-None N/a (market access conditions protects the measure) China Golden Shield Program— Firewall All 1.B.c. & 1.B.d. Mode 1 and 2; 2.C Mode 1 and 2; audiovisual services (2.D.) Mode 1 1.B.c.: None, 1.B.d.: No commitment, 2.C.: Market access conditions, none for national treatment; 2.D: None 1.B.c. & 2.D: Public morals 1.B.d: N/a 2.C. market access conditions may protect some aspects of the Firewall Russia Local storage Personal 1.B.c. & 1.B.d. Mode 1 and 2; 2.C. Mode 1 and 2 1.B.c. & 1.B.d: None 2.C: MA and national treatment conditions Privacy, security Source: Author’s compilation. The GATS Agreement entails liberalization in the supply of services through four modes of delivery. However, unlike the GATT, the GATS Agreement provides MFN treatment subject to ‘opt-out’ through explicitly provided exemptions, and a hybrid list of positive commitments (along with negatively listed limitations thereto) with respect to market access and national treatment obligations.50 Therefore, the GATS Agreement is a unique agreement combining horizontal commitments with a hybrid list approach for commitments for the services enlisted under the Services Sectoral Classification List, together with a purely negative list approach for MFN exemptions.51 As explained above, prior to examining the specific commitments of a state for a service, the analysis in Table 2first attempts to classify the service in question under the localization measure into one specific sub-category under the W/120 list. However, the overlap issue persisted as is seen in the ‘potential classification(s)’ column wherein the different W/120 sectors that overlap with respect to the specific restriction are enlisted. Secondly, the analysis determines the appropriate mode of supply, and concluded that certain restrictions and classification raise both Mode 1 and Mode 2 concerns, whereas others raise only Mode 1 concerns and this is also reflected in Table 2. Although it analyses only few of the hundreds of data localization measures imposed by different WTO states, Table 2 reveals the potential of several violations of WTO norms. The EU’s new data protection regime, the GDPR’s ‘adequacy’ test, whereby ‘personal data’ can only be transferred to certain third countries, may potentially be in violation of EU’s most-favoured nation (MFN) and market access obligations under the GATS Agreement. The ‘adequacy’ test is an improvement over the ‘Safe-Harbour Regime’ that was in force under GDPR’s predecessor regulation and which could easily be challenged as an MFN violation of the ‘recognition’ principle under the GATS Agreement.53 However, and although at this stage one can only speculate, the adequacy test may also potentially violate this principle. The GATS Agreement also provides for legitimate exceptions under Articles XIV and XIVbis, which, similar to GATT exceptions, follow the two-tier analysis of a measure first being identified under a specific sub-paragraph of the provision, followed by withstanding the two-pronged chapeau test.54 Sub-paragraph (c) of Article XIV protects measures necessary to secure compliance with laws or regulations which are not GATS inconsistent, including those ‘relating to the protection of the privacy of individuals in relation to the processing and dissemination of personal data and the protection of confidentiality of individual records and account’.55 Although this exception could save the GDPR, the ‘adequacy’ requirement would first have to pass the chapeau tests developed through WTO jurisprudence which requires a sufficient nexus between the measure at hand and the interest sought to be protected.56 A measure is ‘necessary’ if there is no less trade restrictive and WTO consistent alternative.57 Therefore, while it seemingly appears EU GDPR would qualify as an exception under Article XIV(c), a closer inspection may yield contrary results.58 Similarly, there is scope for WTO disputes with respect to Russia’s local storage of data requirements and China’s Firewall, since both states have liberalized relevant sectors under the GATS Agreement. The measures may, like in the EU’s case, be protected by exceptions such as privacy and security—the stated objectives of Russia’s measure, and public morals—the stated objective of China’s measure. However, these defenses could be challenged in light of exceptions’ jurisprudence. Russia’s data localization measure neither prohibits the transfer of the locally stored data abroad, nor prevents access to this stored data.59 China’s public morals defense for content filtering of foreign websites is also questionable.60 Although at this stage it is impossible to predict the outcome of such potential disputes and all localization measures are foreseeably not equally egregious, certainly a case for WTO dispute exists in all these cases. Differentiating between justified and unjustified or excessive measures requires positive determination of the policy rationale behind such measures and an accepted ranking of the extent of embedded trade restrictiveness. Hence, it reflects the pressing need for multilateral negotiations or, at a minimum clarification on the applicability of GATS commitments to modern tech-related businesses. Certain other important patterns and observations with respect to commitments made by states relating to the digital economy, and specifically data flows emerge from a reading of Table 2. For instance, the WTO classification parlance is often difficult to comprehend and outdated, especially in the absence of definitions within the classification text itself.61 Undoubtedly, the GATS norms and classification system were drafted in an era prior to the Internet boom. The Appellate Body has interpreted the GATS Agreement in a technologically neutral manner so as to factor in future technological developments. However, given the positive list normative framework states are likely to favour an approach where there is greater certainty regarding the commitments voluntarily made by them.62 This illustrates the necessity for new negotiations in light of the exponential growth of Internet’s capability in the post-Uruguay Round era. Indeed, the GATS Agreement, in line with its object, purpose and travaux preparatoires, provides member states the right of regulatory autonomy. This is a crucial component of the GATS framework, provided explicitly under Article VI of the GATS Agreement, and would apply to any data related concern.63 Hence, states have the right to regulate and clarify the applicability of their commitments (although not the autonomy to restrict trade in the sectors that are already liberalized), and this would be a preferred outcome over a dispute. With this idea in mind, the final section of this article develops a data and technology compatible normative framework to address the issue of data localization while providing states sufficient regulatory space for legitimate exceptions. III. TOWARDS A FRAMEWORK TO RESOLVE ISSUES AND DEADLOCK The problems highlighted above, including the scope for potential disputes, highlights the pressing need for amending WTO norms to reflect the realities of twenty-first century trade, wherein the digital economy and data-related issues are vital to international trade. At a minimum, clarification by member states interpreting their commitments undertaken under the GATS and their reconciliation with domestic data localization measures is warranted. However, data is a politically contentious issue in trade policy circles. Proposing any workable solution to resolve the political deadlock, mandates first and foremost gauging the underlying political economy of the issue. A. State of progress at the WTO: Taking stock of e-commerce work programme The ‘WTO E-commerce Work Programme’, the cross-cutting WTO forum for discussions on e-commerce including data flow-related issues, was established in 1998.64 One of its first outcomes was the imposition of a temporary moratorium on customs duties for electronic transmissions, which was in accordance with the practice existing at that time. This moratorium has been extended at every subsequent WTO ministerial conference, including the eleventh Ministerial Conference at Buenos Aires in December 2017.65 Although several WTO members were keen on making this moratorium permanent, it still remains temporary and reviewable at every ministerial conference.66 This can be attributed to certain other member states’ reluctance to make the moratorium permanent, caused due to the African Group’s interest in exploring potential revenue implications of electronic transmissions,67 and India’s demand to link this moratorium to the moratorium on non-violation complaints under the TRIPS Agreement.68 The year 2016 witnessed a renewed and reinvigorated interest in digital trade related issues at the WTO, through the tabling of proposals highlighting issues for discussions through submissions, which are known as ‘non-papers’ in light of the lack of negotiating mandate for such an issue. Table 3 below provides a detailed analysis of data related statements in such non-papers submitted since 2016. Table 3. Data-related provisions in WTO ‘non-paper’ submissions Members Free flow of data Data localization Other related provisions Brazil69 Supports, but new rules for it will be necessary only if it is first found that existing rules are insufficient. Provides scope for exceptions. Endorses protection of personal data. Supports services traded online as being exclusively under Mode I of GATS Agreement, including data flows. Canada, Chile, Colombia, Côte d'Ivoire, European Union, Republic of Korea, Mexico, Paraguay, Singapore and Turkey70 Supports, but subject to legitimate public policy exceptions. Endorses measures addressing all forms of localization by building on existing WTO commitments, but subject to public policy exceptions. Endorses building on existing WTO commitments, rather than creating new rules. Endorses measures to restrain any requirements for transfer or access to source code, or software. Japan71 Supports Endorses restrictions on data localization. Endorses measures to restrict requirement to transfer information, source code, or encryption of technology Mexico, Indonesia, Korea, Turkey and Australia72 Supports, but subject to exceptions. Identifies need for technical work to understand various policy implications Need for technical work to understand various policy implications Endorses update of Telecommunications Reference Paper to support digital competition. United States73 Supports it, subject to reasonable safeguards Endorses prohibition of local data centres and local content. Considers restrictions to protect consumer data when exported as reasonable exception to data flow. Endorses prohibition on forced technology transfer and transfer of source code. Costa Rica74 Supports Endorses restrictions for data protection African Group75 Opposes Opposes regulating it Opposes hard rules on non-disclosure of source code, and barring forced technology transfer Taiwan76 Supports efficient transmission of data Members Free flow of data Data localization Other related provisions Brazil69 Supports, but new rules for it will be necessary only if it is first found that existing rules are insufficient. Provides scope for exceptions. Endorses protection of personal data. Supports services traded online as being exclusively under Mode I of GATS Agreement, including data flows. Canada, Chile, Colombia, Côte d'Ivoire, European Union, Republic of Korea, Mexico, Paraguay, Singapore and Turkey70 Supports, but subject to legitimate public policy exceptions. Endorses measures addressing all forms of localization by building on existing WTO commitments, but subject to public policy exceptions. Endorses building on existing WTO commitments, rather than creating new rules. Endorses measures to restrain any requirements for transfer or access to source code, or software. Japan71 Supports Endorses restrictions on data localization. Endorses measures to restrict requirement to transfer information, source code, or encryption of technology Mexico, Indonesia, Korea, Turkey and Australia72 Supports, but subject to exceptions. Identifies need for technical work to understand various policy implications Need for technical work to understand various policy implications Endorses update of Telecommunications Reference Paper to support digital competition. United States73 Supports it, subject to reasonable safeguards Endorses prohibition of local data centres and local content. Considers restrictions to protect consumer data when exported as reasonable exception to data flow. Endorses prohibition on forced technology transfer and transfer of source code. Costa Rica74 Supports Endorses restrictions for data protection African Group75 Opposes Opposes regulating it Opposes hard rules on non-disclosure of source code, and barring forced technology transfer Taiwan76 Supports efficient transmission of data Source: Author’s compilation. Table 3. Data-related provisions in WTO ‘non-paper’ submissions Members Free flow of data Data localization Other related provisions Brazil69 Supports, but new rules for it will be necessary only if it is first found that existing rules are insufficient. Provides scope for exceptions. Endorses protection of personal data. Supports services traded online as being exclusively under Mode I of GATS Agreement, including data flows. Canada, Chile, Colombia, Côte d'Ivoire, European Union, Republic of Korea, Mexico, Paraguay, Singapore and Turkey70 Supports, but subject to legitimate public policy exceptions. Endorses measures addressing all forms of localization by building on existing WTO commitments, but subject to public policy exceptions. Endorses building on existing WTO commitments, rather than creating new rules. Endorses measures to restrain any requirements for transfer or access to source code, or software. Japan71 Supports Endorses restrictions on data localization. Endorses measures to restrict requirement to transfer information, source code, or encryption of technology Mexico, Indonesia, Korea, Turkey and Australia72 Supports, but subject to exceptions. Identifies need for technical work to understand various policy implications Need for technical work to understand various policy implications Endorses update of Telecommunications Reference Paper to support digital competition. United States73 Supports it, subject to reasonable safeguards Endorses prohibition of local data centres and local content. Considers restrictions to protect consumer data when exported as reasonable exception to data flow. Endorses prohibition on forced technology transfer and transfer of source code. Costa Rica74 Supports Endorses restrictions for data protection African Group75 Opposes Opposes regulating it Opposes hard rules on non-disclosure of source code, and barring forced technology transfer Taiwan76 Supports efficient transmission of data Members Free flow of data Data localization Other related provisions Brazil69 Supports, but new rules for it will be necessary only if it is first found that existing rules are insufficient. Provides scope for exceptions. Endorses protection of personal data. Supports services traded online as being exclusively under Mode I of GATS Agreement, including data flows. Canada, Chile, Colombia, Côte d'Ivoire, European Union, Republic of Korea, Mexico, Paraguay, Singapore and Turkey70 Supports, but subject to legitimate public policy exceptions. Endorses measures addressing all forms of localization by building on existing WTO commitments, but subject to public policy exceptions. Endorses building on existing WTO commitments, rather than creating new rules. Endorses measures to restrain any requirements for transfer or access to source code, or software. Japan71 Supports Endorses restrictions on data localization. Endorses measures to restrict requirement to transfer information, source code, or encryption of technology Mexico, Indonesia, Korea, Turkey and Australia72 Supports, but subject to exceptions. Identifies need for technical work to understand various policy implications Need for technical work to understand various policy implications Endorses update of Telecommunications Reference Paper to support digital competition. United States73 Supports it, subject to reasonable safeguards Endorses prohibition of local data centres and local content. Considers restrictions to protect consumer data when exported as reasonable exception to data flow. Endorses prohibition on forced technology transfer and transfer of source code. Costa Rica74 Supports Endorses restrictions for data protection African Group75 Opposes Opposes regulating it Opposes hard rules on non-disclosure of source code, and barring forced technology transfer Taiwan76 Supports efficient transmission of data Source: Author’s compilation. The Buenos Aires Ministerial has also resulted in a statement issued by 67 WTO members, including Brazil, China, and Russia to explore trade-related aspects of e-commerce so as to work towards future rules, setting the stage for possible plurilateral negotiations on e-commerce.77 The role of data and data flow will be pivotal to this journey. The discussion below advances two solutions for resolving the political tensions over this issue, the first being an update of the WTO classification system, and the second, a data differentiated approach to future multilateral norm-making. B. Update of the WTO classification system The WTO W/120 classification list was compiled in July 1991 on the basis of the UN Provisional CPC, 1990 which was in force at that time, and not surprisingly it is an ill-fit for today’s data intensive international trade transactions. Since then, the UN CPC list has undergone several updates, the latest being in 2015 (UN CPC Version 2.1). Although the WTO retains a pre-digital economy outlook on classification, other classification systems have already adopted a more developed framework. These provide a starting template for amending the WTO classification and the related clarification or update needed to address some of the most pressing definitional lacunae and overlap issues discussed in this article. Version 2.1 of the UN CPC states that the classification of products which make up a bundle, that is, combine goods and services, should be classified in accordance with their main component, that is, the primary value added.78 This notion of ‘integrated goods and services’ is an excellent reference for resolving the ‘goods versus services’ dilemma, although it would still require additional work for classification of all data intensive products. UN CPC 2.1 sectors are relatively easier to navigate with respect to the digital economy and data-intensive products. For instance, they include ‘telecommunications, broadcasting, and information supply services’ as a sub-sector of ‘business and production’ services, which comprises, among others, ‘internet telecommunications services’, ‘online content’, ‘Hosting and IT infrastructure provisioning facilities’, and ‘broadcasting, programming and programme distribution services’. To illustrate the benefits of these categories, the ‘new’ service of voice and video communication like Skype would potentially be a ‘hosting and IT infrastructure provisioning facility service’.79 Interestingly, however, UN CPC Version 2.1 does away with the category of ‘computer services’, leading one to speculate if all computer and related services under this list would be covered within the ‘software’ sector. Despite such concerns which must be considered, the crucial takeaway from UN CPC Version 2.1 would be that a potential framework for updating W/120 is already in existence and if the political consensus emerges, such an update may not require members to start from scratch since the UN CPC 2.1 version is sufficiently advanced. The Information Technology Agreement (ITA) update of 2015 provides a positive example of WTO members updating and expanding an outdated classification system. Amending the existing WTO classification system would be beneficial for member states irrespective of their political will to liberalize, since it would provide clarity to better determine the sectors to liberalize and the sectors to maintain regulatory autonomy in. C. Data differentiated approach for future norm-making The GATS Agreement provides flexibility for ‘protectionism’, hence, it is widely argued that digital products should be covered within the ambit of the GATS Agreement so as to address the ‘systemic disadvantage’ of developing economies with respect to ICT infrastructure-related underdevelopment.80 Indeed, the GATS Agreement provides greater options to member states to determine their individual choice—towards greater liberalization or greater regulatory autonomy, and may be preferred by the majority of states for trade-related aspects of data. Any potential normative framework would ideally strike a balance between liberalization and domestic autonomy. The object of data localization measures observed above is often to secure compliance with specific policy objectives relating to particular types of data, and not all types of data. Therefore, any normative framework for future rule-making requires first an understanding of different types of data so as determine which types of data require more regulatory autonomy in line with national policy objectives. Therefore, it therefore becomes imperative to develop a typology of data on the basis of the observed localization measures and political debates on this issue. 1. Data typology Data restriction measures differentiate data on the basis of the source and purpose of data, and this forms an apt basis for developing a data typology. An analysis of regulations and laws that require differential treatment of data clearly indicates one distinct category, which is ‘personal data’. This category becomes most obvious through the study of data protection laws imposing restrictions on processing of only personal data. The EU GDPR is one of the most elaborate data protection regimes, which provides a comprehensive yet narrow definition of personal data as, ‘any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly,….’81 Therefore, personal data relates only to identifiable (not anonymous) and natural (not juridical) persons. Within the ambit of ‘personal data’, localization measures often reserve higher protection for further specific types of data. This subset of personal data either relates to particularly sensitive issues or is personal data relating to particular sectors. The EU GDRP conceptualizes a category as ‘sensitive personal data’, which is sensitive by virtue of the data’s inherent linkage to individuals’ fundamental rights and freedoms. While EU Member States have some scope to domestically regulate what aspects of personal data qualify as ‘sensitive personal data’, illustratively it can include ‘racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation’.82 Other states have enacted laws protecting personal data relating to health information, accounting, tax and financial information, gambling information, and so on. While the extent of the constituent elements of sensitive personal data varies across jurisdictions, the important take-away is that within the broader category of ‘personal data’ additional protection can be given to the subset of ‘sensitive personal data’. Another category of data that may be considered is ‘company data’. Company data comprises of data flowing between entities of corporations, that is, intra-company data. It includes the supervision, management, and organization of data relating to corporations, including financial planning of companies, management, bookkeeping, administrative support services, human resources, etc.83 A majority of the total data that is transferred cross-border is as part of business management, between affiliates of the same multinational enterprise or related enterprises.84 Therefore, corporations significantly depend on speedy and effective cross-border data flows. Studies reflect that such data is one of the most intensive users of cross-border data flow, and consequently company data is severely impacted by non-categorized regulations restricting data flow. A third category is business data. This category has a broad scope and is difficult to define but broadly relates to any data that is commercial, marketable, or can be monetized. This includes products that encapsulate digitized content such as software, music, and audio-visual content.85 For instance, commonly known applications and websites such as Netflix, Spotify, Youtube, and Facebook all produce digitized content. Business data also includes digitally enabled services such as e-commerce websites, legal or consulting services provided digitally. Business data is a subset of company data, and it can also overlap with personal data (for instance, social media applications like Facebook). Similar to the subset of ‘sensitive personal data within ‘personal data’, a further subsets can be created within ‘business data’, which is, ‘social data’. Social data relates to behavioural patterns of larger social units.86 Social data is derived from personal data, but is distinct from it as it undergoes a process of anonymization and thereby, the data is no longer traceable to individual persons. As a result of ‘social data’ being anonymous it does not overlap with ‘personal data’. To illustrate, the EU GDRP excludes anonymous information including personal information that is rendered anonymous ‘in such a manner that the data subject is not or no longer identifiable.’87 Therefore, social data is a subset of business data, but does not overlap with personal data (since it cannot be traced to any identifiable individual). The usage and regulatory concerns surrounding social data is predicted to rise with the expansion of digital analytics such as Big Data. Delineating this typology of data, and especially including social data, is necessary since not all usage and movement of data have similar ramifications. Concerns have been raised during multilateral discussions,88 against the creation of norms permitting free flows of data as well as the prohibition of data localization measures. One of the primary reasons justifying such skepticism is the argument that data can be monetized or commodified. The recent Cambridge Analytica scandal wherein personal data of Facebook users was analysed to influence different political campaigns depicts the gravity of this situation.89 Consequently, permitting the free flow of data would result in further utilization and monetization of the data of citizens for free, which will subsequently be processed for commercial benefit by big technology companies.90 Often an analogy is made viewing data as raw material collected from oblivious citizens for free, and then commoditized, especially by large technology-oriented multinational corporations, and resold back to citizens.91 The basis for such arguments is that relatively value-less data is embedded into goods and services, thereby resulting in valuable goods and services being created and then traded. However, if data is categorized into personal, social data, and other types of company data, it becomes evident that the monetization argument pertains only to personal and social data, and not so much for company data. Company data, is usually already protected strongly through corporate law and intellectual property rights such as trademarks and trade secrets. However, protection of personal data and limitations on compiling and processing of social data is relatively less protected. The pressing need for international regulation is reflected through the multilateral discussions on e-commerce wherein the importance of building online trust and consumer protection has been highlighted. Diagram 1 above provides a conceptual depiction of the typology of data that has been developed above, including the possibilities of overlap. Table 4 provides illustrative examples of the categories including instances of overlap. This typology provides the groundwork for data differentiated norms. Table 4. Illustrative examples of overlap between different types of data Data type Illustrative examples Personal, Business and Company Personal online search data analysis for advertising by a tech company (Business model of Facebook, Google, etc.), data used by app economies like Uber, AirBnb, etc. Personal and company, but not business Human resources-related data of the employees of a company-salary, insurance, health, etc. Social and company Big data analysis based business models, seen in sectors like navigation, marketing, etc. Company, but neither personal nor business Data supervision, management, and organization of data relating to corporations, including financial planning of companies, management, bookkeeping, administrative support services Company and business, but not personal Trademarks and patent data owned by a corporation Data type Illustrative examples Personal, Business and Company Personal online search data analysis for advertising by a tech company (Business model of Facebook, Google, etc.), data used by app economies like Uber, AirBnb, etc. Personal and company, but not business Human resources-related data of the employees of a company-salary, insurance, health, etc. Social and company Big data analysis based business models, seen in sectors like navigation, marketing, etc. Company, but neither personal nor business Data supervision, management, and organization of data relating to corporations, including financial planning of companies, management, bookkeeping, administrative support services Company and business, but not personal Trademarks and patent data owned by a corporation Source: Author’s compilation. Table 4. Illustrative examples of overlap between different types of data Data type Illustrative examples Personal, Business and Company Personal online search data analysis for advertising by a tech company (Business model of Facebook, Google, etc.), data used by app economies like Uber, AirBnb, etc. Personal and company, but not business Human resources-related data of the employees of a company-salary, insurance, health, etc. Social and company Big data analysis based business models, seen in sectors like navigation, marketing, etc. Company, but neither personal nor business Data supervision, management, and organization of data relating to corporations, including financial planning of companies, management, bookkeeping, administrative support services Company and business, but not personal Trademarks and patent data owned by a corporation Data type Illustrative examples Personal, Business and Company Personal online search data analysis for advertising by a tech company (Business model of Facebook, Google, etc.), data used by app economies like Uber, AirBnb, etc. Personal and company, but not business Human resources-related data of the employees of a company-salary, insurance, health, etc. Social and company Big data analysis based business models, seen in sectors like navigation, marketing, etc. Company, but neither personal nor business Data supervision, management, and organization of data relating to corporations, including financial planning of companies, management, bookkeeping, administrative support services Company and business, but not personal Trademarks and patent data owned by a corporation Source: Author’s compilation. Diagram 1. View largeDownload slide Typology of Data Reflecting Overlaps. Diagram 1. View largeDownload slide Typology of Data Reflecting Overlaps. 2. Data differentiated normative framework In the absence of international harmonization, data localization measures may cause balkanization of the digital space. This can be countered through either of two options—harmonization of minimum legal standards, or by tolerating deviations.92 Given the borderless nature of cyberspace, and to attain economies of scale, suggestions have been made for more horizontal commitments on data and data flow under the GATS Agreement, and replacement of the positive list approach by a negative list approach for national treatment and market access commitments.93 Specific exceptions beyond the existing ones on protection of personal data and online privacy, such as cyber-security, other types of national security, prevention of online criminal activities have also been suggested to be incorporated either as horizontal commitments, or through the individual schedules of members. Although such an approach could be beneficial for data producer states desiring more efficient cross-border flows of data, certain states would predictably be opposed to such amendments to the existing GATS framework since replacing the existing positive list approach with a negative list approach may diminish regulatory autonomy of states to protect data in line with their national policy objectives. In light of this, a plausible workable solution to reconcile the diverse interests of members would be the adoption of a data differentiated approach, utilizing the data typology developed above, involving greater liberalization of the digital economy through ensuring market access for some types of data, while retaining greater regulatory autonomy for other types of data. Differential treatment of data is technically possible through tagging data thereby coupling it with a management decision on handling the data, including the decision to prevent its movement across borders.94 Member states could use such a typology to determine the types of data over which they would seek to retain greater regulatory space relative to other types of data. For instance, greater horizontal commitments on free flow of data, that is, a list of obligations, subject to opt-out, on market access and national treatment obligations, could be undertaken with respect to company data that is not overlapping with personal or social data. This would result in a regime enabling free flow of for some data. A positive list approach could however be retained for data where states desire greater domestic regulations, for instance personal and social data. Therefore, horizontal commitments on data flows under the GATS Agreement, on a multilateral or plurilateral basis, could allow greater liberalization and enable the freer flow of data. However, such commitments should also provide exceptions for national policy objectives, and retain the positive list approach for undertaking liberalization commitments for data that constitute politically sensitive regulatory issues, that is, personal and social data. While this article does not flesh out the details or nature of the horizontal commitments to harmonize rules ensuring freer flow of certain types of data, it develops a data typology in an attempt to delineate different approaches that may be adopted multilaterally in line with policy objectives pertaining to specific types of data. IV. Conclusion The growth of the digital economy is outpacing any related policy and legal discussions and negotiations internationally, and in most cases, even nationally. While on the one hand, newer digital technologies are continuously disrupting traditional business models and consequently shifting patterns of international trade and investment, on the other hand, restrictive measures concerning the digital economy are different from traditional barriers to trade. The heavy reliance on movement of data in the digital economy results in barriers to movement of data becoming a great disruption for data intensive industries like e-commerce, online banking, and app economies. This article derives that such measures are potentially in violation of particular obligations undertaken by the respective states under their GATS Schedule. Furthermore, this article analysed the problems of applying pre-Internet era norms and commitments to the digital economy, thereby highlighting the pressing need for new multilateral regulations. Based on the issues noted and the political deadlock over them, this article recommends clarification and amendment of the WTO’s outdated classification system, and the adoption of a data differentiated normative framework for undertaking a combination of horizontal commitments as well as positive list obligations on data flows. The data differentiated approach is not an end in itself; however, it could prove to be the answer to resolving the political deadlock on this highly contentious issue. The author would like to thank Ines Willemyns as well as an anonymous reviewer for their comments on an earlier draft. The author is grateful for related discussions with Professors Joost Pauwelyn and Mira Burri, and Dr Weiwei Zhang. The author is also grateful for the valuable comments and suggestions received during the MC11 Think Track Conference in Buenos Aires, 13 December 2017. Footnotes 1 ‘WTO Work Programme on E-Commerce’ (WTO 1998) WT/L/274, para. 1.3. 2 Amy Porges and Alice Enders, ‘Data Moving Across Borders: The Future of Digital Trade Policy’ [2016] E15 Initiative 3. 3 ICC Commission on Trade and Investment Policy and ICC Commission on the Digital Economy, ‘Trade in the Digital Economy—A Primer on Global Data Flows for Policymakers’ (lnternational Chamber of Commerce (ICC) 2016) Policy Paper 103/330, 373/560 1 <https://iccwbo.org/publication/trade-in-the-digital-economy/> accessed 18 October 2017; Joshua Meltzer, ‘A New Digital Trade Agenda’ [2015] E15 Initiative 2. 4 ICC Commission on Trade and Investment Policy and ICC Commission on the Digital Economy (n 3) 1; Anupam Chander, ‘Freeing Trade in CyberSpace’, The Electronic Silk Road (New Haven: Yale University Press, 2013) 19. 5 John J. Simpson and Edmund Weiner (eds), ‘Oxford English Dictionary, Data, N.’ <http://www.oed.com/view/Entry/296948> accessed 1 November 2017. 6 Ibid. 7 The ‘digital economy’ is defined by UNCTAD as ‘the application of internet-based digital technologies to the production and trade of goods and services’. ‘UNCTAD World Investment Report 2017—Investment and the Digital Economy’ (UNCTAD 2017) Annual <unctad.org/en/PublicationsLibrary/wir2017_en.pdf> accessed 26 September 2017. 8 Meltzer (n 3) 5. 9 Note that personal devices of users/consumers are not referred as ‘servers’, but rather as ‘clients’ since they indirectly connect to the Internet through ISPs. 10 ‘How a Data Center Works’ (SAP Data Center) <http://www.sapdatacenter.com/article/data_center_functionality/> accessed 29 November 2017. 11 Erik Van der Marel, ‘Disentangling the Flows of Data: Inside or Outside the Multinational Company’ (ECIPE 2015) ECIPE Occasional Paper )7/2015 17; Robert Pepper, John Garrity and Connie LaSalle, ‘1.2 Cross-Border Data Flows, Digital Innovation, and Economic Growth’ <http://wef.ch/29d7HNj> accessed 29 November 2017; ‘World Economic Forum: Networked Readiness Index, 2016’ (World Economic Forum 2016) Global Information Technology Report <http://reports.weforum.org/global-information-technology-report-2016/networked-readiness-index/> accessed 2 December 2017. 12 Van der Marel (n 11) 13. 13 Van der Marel (n 11), Tables 3 and 4. 14 Nigel Cory, ‘Cross-Border Data Flows: Where Are the Barriers, and What Do They Cost?’ (Information Technology and Innovation Foundation 2017) Policy Paper <https://itif.org/publications/2017/05/01/cross-border-data-flows-where-are-barriers-and-what-do-they-cost> accessed 18 October 2017. 15 Anupam Chander and Uyen P Le, ‘Breaking the Web: Data Localization vs. the Global Internet’ (2014) Research Paper No. 378 Emory Law Journal; UC Davis Legal Studies Research Paper No. 378, 19–29 <https://papers.ssrn.com/sol3/papers.cfm?abstract_id=2577969> accessed 17 November 2017; Constance Johnson, ‘Indonesia: Local Content Rules for Electronic Products | Global Legal Monitor’ (Law.gov, 15 September 2016) <//loc.gov/law/foreign-news/article/indonesia-local-content-rules-for-electronic-products/> accessed 30 November 2017. 16 ‘Turkey Country Profile’ (MIT 2010) Country Profile 347–349 <https://opennet.net/sites/opennet.net/files/ONI_Turkey_2010.pdf> accessed 26 November 2017. 17 General Data Protection Regulation 2016 (Regulation) (hereinafter EU GDPR). 18 Kristina Irion, Svetlana Yakovleva and Marija Bartl, ‘Trade and Privacy: Complicated Bedfellows? How to Achieve Data Protection-Proof Free Trade Agreements’ (2016) Independent Study 10. <https://www.ivir.nl/publicaties/download/1807> accessed 17 November 2017. 19 Chander and Le (n 15) 22. 20 Ibid. 16. 21 Sanya Reid, ‘Some Preliminary Implications of WTO Source Code Proposal’ 5–6 <http://www.twn.my/MC11/briefings/BP4.pdf> accessed 8 May 2018. 22 ‘Country Reports on Human Rights Practices for 2016 - Vietnam’ <https://vn.usembassy.gov/2016-country-reports-human-rights-practices-vietnam/> accessed 30 November 2017. 23 Cory (n 14) 21. 24 Chander and Le (n 15) 21; Cory (n 14). 25 Cory (n 14). 26 For example, see ‘China Country Profile’ (MIT 2011) Country Profile <http://access.opennet.net/wp-content/uploads/2011/12/accesscontested-china.pdf> accessed 26 November 2017. 27 Meltzer (n 3) 4; Farrokh Farrokhnia and Cameron Richards, ‘E-Commerce Products Under the World Trade Organization Agreements: Goods, Services, Both or Neither?’ (2016) 50 Journal of World Trade 793. 28 These are the tests for likeness developed through WTO jurisprudence. Panel Report, Spain—Tariff Treatment of Unroasted Coffee [1981] WTO Panel L/5135-28S/102, WTO [4.7]; Appellate Body Report, Argentina—Measures Relating to Trade in Goods and Services [2016] Appellate Body WT/DS453/AB/R, WTO [6.32]; Appellate Body Report, European Communities—Measures Affecting Asbestos and Products Containing Asbestos [2001] Appellate Body WT/DS135/AB/R, WTO [99]; Appellate Body Report, European Communities—Measures Prohibiting the Importation and Marketing of Seal Products [2014] Appellate Body WT/DS400/AB/R; WT/DS401/AB/R, WTO 5.82; China- Certain Measures Affecting Electronic Payment Services [2012] WTO Panel WT/DS413/R, WTO [7.700]. 29 China—Measures Affecting Trading Rights and Distribution Services for Certain Publications and Audiovisual Entertainment Products [2009] Appellate Body WT/DS363/AB/R, WTO [377–378]; United States—Measures Affecting the Cross-Border Supply of Gambling and Betting Services [2005] Appellate Body WT/DS285/AB/R, WTO. 30 See China—Audiovisuals (n 29) [196]. 31 Meltzer (n 3) 9. 32 Sacha Wunsch-Vincent, The WTO, the Internet and Trade in Digital Products: EC-US Perspectives (Hart Publishing 2006) 52–53; Antony Taubman in Mira Burri and Thomas Cottier (eds), Trade Governance in the Digital Age (Cambridge University Press, 2012) 315–319; Porges and Enders (n 2) 8–9; Rolf H Weber, ‘Digital Trade and E-Commerce: Challenges and Opportunities of the Asia-Pacific Regionalism’ (2015) 10 Asian Journal of WTO and International Health Law and Policy 321, 324–325; Farrokhnia and Richards (n 27) 808–809. 33 Wunsch-Vincent (n 32) 65–70; Weber (n 32) 324. WTO Trade in Services Council, ‘Work Programme on Electronic Commerce: Progress Report to the General Council’ (WTO 1999) Progress Report to the General Council S/L/74 para 5; WTO Trade in Services Council, ‘Work Programme on Electronic Commerce: Note by the Secretariat’ (WTO 1998) Note by the Secretariat S/C/W/68. 34 See above n 30 and 31. 35 Porges and Enders (n 2) 9. For an interesting take on distinguishing between Mode 1 and Mode 2 supply in data-related service, see Usman Ahmed, Brian Bieron and Gary Horlick, ‘Mode 1, Mode 2, or Mode 10: How Should Internet Services Be Classified in the Global Agreement on Trade in Service?’ (2015) 2015–2016 Boston University School of Law International Law Journal. 36 Art. I 3(b), GATS Agreement. 37 US Gambling (n 29) [180]. 38 US Gambling (n 29) footnote 219. 39 Andrew D. Mitchell and Neha Mishra, ‘Data at the Docks: Modernising International Trade Law for the Digital Economy’ (2017) 20 Vanderbilt Journal of Entertainment and Technology Law, Forthcoming 11–13 <https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3064396> accessed 17 November 2017. Ruosi Zhang, ‘Covered or Not Covered: That Is the Question - Services Classification and its Implications for Specific Commitments under the GATS’ (2015) Working Paper 10–12 <https://www.wto.org/english/res_e/reser_e/ersd201511_e.pdf> accessed 16 November 2017. 40 Zhang (n 39) 13; Renee Berry and Matthew Reisman, ‘Policy Challenges of Cross-Border Cloud Computing’ (2012) 4 Journal of International Commerce and Economics 1, 21–22. 41 Mira Burri, ‘The Governance of Data and Data Flows in Trade Agreements: The Pitfalls of Legal Adaptation’ (2017) 51 UC Davis Law Review 65, 85; Wunsch-Vincent (n 32) 56–57. 42 Burri (n 41) 85; Pierre Larouche, ‘Dealing with Convergence at the International Level’ in Damien Geradin and David Luff (eds), The WTO and Global Convergence in Telecommunications and Audio-Visual Services (1st edn, Cambridge University Press, 2004) 311–422. 43 ‘WTO Services Sectoral Classification List — Note by the Secretariat’ (WTO 1991) MTN.GNS/W/120. 44 Zhang (n 39) 8. 45 Ibid 9. 46 China – Electronic Payments (n 28) [VII. 55–62, VII.183–188]; Panagiotis Delimatsis, ‘The WTO Outlaws the Privileges of the Chinese Payment Services Giant’ (2012) 16 American Society of International Law <https://www.asil.org/insights/volume/16/issue/31/wto-outlaws-privileges-chinese-payment-services-giant> accessed 26 November 2017; Shailja Singh, ‘WTO Dispute Analysis: China—Measures Affecting Electronic Payment Services’ (2012) 9 Centre for WTO Studies, IIFT. 47 Zhang (n 39) 14. 48 United Nations, Statistics Division, Department of Economic and Social Affairs, ‘General Rules for the Interpretation of the Harmonized System - Central Product Classification (CPC) Version 1.1’ 17 <https://unstats.un.org/unsd/publication/SeriesM/SeriesM_77ver1_1E.pdf> accessed 20 November 2017. 49 Zhang (n 39) 14–15. 50 Art. XX, GATS Agreement. 51 Zhang (n 39) 1. 52 Note that within the terminology used for GATS Schedules, ‘None’ means that there are no limitations on liberalization, that is, completely liberalized. 53 Art. VII, GATS Agreement. 54 US Gambling (n 29) [292]. 55 Art. XIV (c) (ii), GATS Agreement. 56 US Gambling (n 29) [292]. 57 Ibid. 308; China – Audiovisuals (n 29). 58 For an in-depth analysis, see Irion, Yakovleva and Bartl (n 18) 28–30. 59 Alla Naglis, Daniel Crosby and Xenia Melkova, ‘LinkedIn Blocked in Russia: Privacy and Trade Law Aspects’ <https://s3.amazonaws.com/kslaw-staging/attachments/000/003/991/original/ca112116a.pdf?1494907303> accessed 4 March 2018. 60 Tim Wu, ‘The World Trade Law of Censorship and Internet Filtering’ (2006) 7 Chicago Journal of International Law 263; Claude Barfield, ‘A WTO Challenge to China’s Internet Censorship Is Long Due’ <http://www.eastasiaforum.org/2016/05/26/a-wto-challenge-to-chinas-internet-censorship-is-long-overdue/> accessed 5 March 2018. 61 Burri and Cottier (n 32) 257. 62 Weber (n 32) 324. For illustration on the divergent views of different members, see ‘Report of the Meeting Held on 18 September 2014 - Note by the Secretariat’, S/CSC/M/71. 63 WTO Trade in Services Council, ‘Work Programme on Electronic Commerce: Progress Report to the General Council’ (n 33) para 11. 64 ‘WTO Work Programme on E-Commerce’ (n 1) adopted on 25 September 1998. 65 ‘WTO Work Programme on E-Commerce: Ministerial Decision of December 13, 2017’ (WTO 2017) Ministerial Conference Eleventh Session WT/MIN(17)/65; WT/L/1032. 66 For an empirical analysis of the WTO members who seek to make the moratorium permanent, and the ones who are opposed to it, see Patrick Low, ‘Framing Future Work and Negotiations on E-Commerce at the WTO’ (International Centre for Trade and Sustainable Development, 1 December 2017) <https://www.ictsd.org/opinion/framing-future-work-and-negotiations-on-e-commerce-at-the-wto> accessed 2 January 2018. 67 ‘The Work Programme on Electronic Commerce - Communication from the African Group, Draft Ministerial Decision on Electronic Commerce’ (WTO 2017) WTO/JOB/GC/155; WTO General Council, ‘Work Programme on Electronic Commerce: Review of Progress, REPORT BY AMBASSADOR ALFREDO SUESCUM – FRIEND OF THE CHAIR’ (WTO 2016) Progress Review WT/GC/W/721 para. 1.6. 68 D. Ravi Kanth, ‘India Rejects WTO Push for New Global E-Commerce Rules - Livemint’ LiveMint (Geneva, 17 October 2017) <http://www.livemint.com/Industry/tRCUKDsTGvnQUpVyVTLmhJ/India-rejects-WTO-push-for-new-global-ecommerce-rules.html> accessed 6 March 2018; Third World Network, ‘India+4 Link Moratoriums on E-Commerce, TRIPS NV and CBD’ <https://www.twn.my/title2/wto.info/2017/ti171227.htm> accessed 6 March 2018. 69 Non-Paper from Brazil, WTO Doc. JOB/GC/98, dated 20 July 2016. 70 Trade Policy, the WTO and the Digital Economy, WTO Doc. JOB/GC/97/Rev.1 dated 22 July 2016 & WTO Doc. JOB/GC/116, JOB/CTG/4 dated 13 January 2017. 71 Non-Paper for the Discussions on Electronic Commerce/Digital Trade from Japan, WTO Doc JOB/GC/100, dated 25 July 2016. 72 MIKTA E-Commerce Workshop Reflections, WT Doc. JOB/GC/99, dated 22 July 2016. The paper is based on reflections from the MIKTA-Commerce Workshop at the WTO on 5 July 2016 between the countries of Paper 6. 73 Non-paper from United States, WTO Doc JOB/GC/94, dated 4 July 2016. 74 WTO, ‘WTO E-Commerce Development Agenda, Communication from Costa Rica’ (WTO 2017) WTO E-Commerce Work Programme JOB/GC/139, dated 10 October 2017. 75 ‘The Work Programme on Electronic Commerce - Statement by the African Group’ (n 85) JOB/GC/144, dated 20 October 2017. 76 ‘Reflecting on the Information Insufficiency in E-Commerce’ 77 WTO, ‘Joint Statement on Electronic Commerce’ (WTO 2017) Ministerial Conference Eleventh Session WT/MIN(17)/60. 78 Overview United Nations, Statistics Division, Department of Economic and Social Affairs (ed), ‘Central Product Classification (CPC) Version 2.1’ 15 <https://unstats.un.org/unsd/cr/downloads/CPCv2.1_complete%28PDF%29_English.pdf> accessed 29 November 2017 para 58. 79 UNCTAD, ‘UNCTAD International Trade in ICT Services and ICT-Enabled Services: Proposed Indicators from the Partnership on Measuring ICT for Development’ (United Nations 2015) UNCTAD Technical Notes on ICT for Development TN/UNCTAD/ICT4D/03 6–7. 80 Sam Fleuter, ‘The Role of Digital Products Under the WTO: A New Framework for GATT and GATS Classification’ (2016) 17 Chicago Journal of International Law 172–173 <https://chicagounbound.uchicago.edu/cjil/vol17/iss1/5>. 81 Art. 4(1), EU GDPR. 82 Art. 9(1), EU GDPR. 83 Van der Marel (n 11). 84 Ibid. 85 Porges and Enders (n 2) 1. 86 Parminder Jeet Singh and Richard Hill, ‘Digitalisation and the Gig Economy: Implications for the Developing World’ <https://www.twn.my/title2/resurgence/2017/319-320/cover03.htm> accessed 29 November 2017. 87 Rec. 26, EU GDPR. 88 ‘The Work Programme on Electronic Commerce - Statement by the African Group’ (n 75) para 3.5; ‘Work Programme on Electronic Commerce - Report of Panel Discussion on “Digital Industrial Policy and Development” - Communication from the African Group’ para. 1.9. 89 Helen Havlak, ‘The Cambridge Analytica Scandal’ (The Verge, 10 April 2018) <https://www.theverge.com/2018/4/10/17165130/facebook-cambridge-analytica-scandal> accessed 10 April 2018; Sam Meredith, ‘Facebook-Cambridge Analytica: A Timeline of the Data Hijacking Scandal’ (CNBC, 10 April 2018) <https://www.cnbc.com/2018/04/10/facebook-cambridge-analytica-a-timeline-of-the-data-hijacking-scandal.html> accessed 10 April 2018; ‘How to Check Whether Facebook Shared Your Data with Cambridge Analytica | Technology | The Guardian’ (10 April 2018) <https://www.theguardian.com/technology/2018/apr/10/facebook-notify-users-data-harvested-cambridge-analytica> accessed 10 April 2018. 90 ‘Work Programme on Electronic Commerce - Report of Panel Discussion on “Digital Industrial Policy and Development” - Communication from the African Group’ (n 88) para. 1.9; Analysis of China’s digital policy in Singh and Hill (n 86); ‘The High Stakes in MC11 for Developing Countries’ Future Development Prospects’ (SouthCentre 2017) Policy Brief <https://www.southcentre.int/wp-content/uploads/2017/10/IN_High-Stakes-in-MC11-30-Oct-2017_EN-1.pdf> accessed 25 November 2017. 91 Ibid. 92 Chander (n 4) 143–144, 189. 93 Joshua Meltzer, ‘The Internet, Cross-Border Data Flows and International Trade’ [2013] Issues in Technology Innovation 16 <https://www.brookings.edu/wp-content/uploads/2016/06/internet-data-and-trade-meltzer.pdf> accessed 26 September 2017. 94 Jatinder Singh and others, ‘Seeing through the Clouds: Managing Data Flow and Compliance in Cloud Computing’ Cloud Computing 6 <https://www.cl.cam.ac.uk/research/srg/opera/publications/papers/2015ccmagSI.pdf> accessed 11 November 2017. © The Author(s) 2018. Published by Oxford University Press. All rights reserved. This article is published and distributed under the terms of the Oxford University Press, Standard Journals Publication Model (https://academic.oup.com/journals/pages/about_us/legal/notices)

Journal

Journal of International Economic LawOxford University Press

Published: May 25, 2018

There are no references for this article.

You’re reading a free preview. Subscribe to read the entire article.


DeepDyve is your
personal research library

It’s your single place to instantly
discover and read the research
that matters to you.

Enjoy affordable access to
over 18 million articles from more than
15,000 peer-reviewed journals.

All for just $49/month

Explore the DeepDyve Library

Search

Query the DeepDyve database, plus search all of PubMed and Google Scholar seamlessly

Organize

Save any article or search result from DeepDyve, PubMed, and Google Scholar... all in one place.

Access

Get unlimited, online access to over 18 million full-text articles from more than 15,000 scientific journals.

Your journals are on DeepDyve

Read from thousands of the leading scholarly journals from SpringerNature, Elsevier, Wiley-Blackwell, Oxford University Press and more.

All the latest content is available, no embargo periods.

See the journals in your area

DeepDyve

Freelancer

DeepDyve

Pro

Price

FREE

$49/month
$360/year

Save searches from
Google Scholar,
PubMed

Create lists to
organize your research

Export lists, citations

Read DeepDyve articles

Abstract access only

Unlimited access to over
18 million full-text articles

Print

20 pages / month

PDF Discount

20% off