Published by The Lawfare Institute
in Cooperation With
The future of U.S. global digital policy hangs in the balance following a shock decision by the office of the United States Trade Representative (USTR) that the United States no longer supports provisions that protect cross-border data flows, prohibit forced data localization, safeguard source code, and prohibit countries from discriminating against digital products in the World Trade Organization (WTO). The USTR’s previous position allows data to flow freely, with restrictions as the exception, in contrast to China’s position that seeks stricter control and oversight based on local law and regulation before allowing data to flow. While the difference between the two positions may have seemed rather technical, it served as the foundation for U.S. government support for an open internet and digital economy. That foundation is now gone.
The announcement took many members of Congress, other parts of the Biden administration, and many of the United States’ closest trading and digital policy partners—like Australia, Japan, Chile, the United Kingdom, and the European Union—by surprise. In an indication that the USTR’s decision may not have been coordinated in an interagency process, National Security Council spokesperson John Kirby clarified that the United States maintains its long-standing support for trusted cross-border data flows, suggesting that “robust interagency discussion” among “multiple perspectives” will continue. Consistent with the USTR retreat, media reports suggest that digital trade won’t be among the outcomes announced at this week’s Indo-Pacific Economic Framework (IPEF) talks in San Francisco.
The announcement has sparked a fierce bipartisan response. Senate Finance Committee Chairman Ron Wyden (D-Ore.) blasted the move, stating, “In addition to abandoning our democratic allies in these negotiations, USTR is leaving a vacuum that China—an active participant in these negotiations—will be more than pleased to fill.” Eleven Democrats in the House called on President Biden to “[d]efend American values” at the WTO “against ‘digital sovereignty’ campaigns by China.” Senate Finance Ranking Member Mike Crapo (R-Idaho) and Republican colleagues condemned the policy and said the USTR failed to consult Congress: “We have warned for years that either the United States would write the rules for digital trade or China would. Now, the Biden Administration has decided to give China the pen.”
U.S. lawmakers often invoke China to tilt domestic policy debates toward their desired outcomes. Countering China is one of the few areas of bipartisan support in Congress, so framing issues in the context of U.S.-China competition has become a popular way to draw attention to, and get potential action on, an issue in Washington. Often, the connections to China are tenuous or misplaced. But in this case, it’s legitimate for Congress to use the China card as China is a clear beneficiary of the USTR’s decision. The USTR’s retreat undermines the United States’ long-standing support for a free and open global internet, which involves many U.S. government agencies and initiatives across trade, national security, cybersecurity, privacy, law enforcement, human rights, diplomacy, and many others.
The rationale articulated by the USTR—that the United States requires more space to address domestic policy issues—reveals a similarity with Beijing’s own vision for cyber sovereignty. In effect, the USTR’s decision supports China’s restrictive approach to digital governance. USTR spokesman Sam Michel said the United States “removed its support for proposals that might prejudice or hinder … domestic policy considerations.” A Chinese technology expert noted in a WeChat post that the USTR decision reflects “the need to be able to address legitimate public policy objectives in the digital trade area” and that “the so-called ‘legitimate public policy objectives’ are … very important words in international trade agreements such as CPTPP …. To put it bluntly, it refers to the extent to which congressional legislation and government supervision can break through the core rules of cross-border data flow in trade agreements.”
The USTR’s decision helps Beijing advocate for the broad, self-judging exception for national security in trade agreements to justify rules that require data to be stored on local servers. By contrast, Australia, Japan, Singapore, the United Kingdom, and many other U.S. trading partners are negotiating rules so that data flows are the norm and any restrictions to it the exception. For example, members of the Comprehensive and Progressive Agreement for Trans-Pacific Partnership (like Australia, Japan, and Singapore) advocate for language at the WTO that protects data flows and ensures that any exceptions to this rule are necessary, not arbitrary, and proportionate. These U.S. allies want WTO negotiations to narrow the scope for domestic “policy space” exceptions to legitimate privacy, cybersecurity, and other policies. While policy space may sound appealing in principle, in practice countries like China have misused this concept in existing WTO agreements, such as on services trade, to enact restrictions that make its trade commitments—whether on data flows, digital goods and services, or other issues—essentially meaningless.
Paradoxically, at the same moment the United States is walking back its stance on free data flows, Beijing has taken significant steps to ease controls over cross-border data transfers. Driven by a slowing economy and declining foreign investment, China’s cyber regulator issued a landmark new draft regulation in September that exempts many companies from a mandatory security assessment required to send data out of the country. Beijing is revising long-standing restrictions on data flows, in part, to make the business environment more favorable to businesses, while the United States is sending signals that it intends to do the opposite. That said, implementation of China’s policy shift remains unclear. And even if it were to go into place as written, Beijing could still deem a company’s data as linked to national security and, therefore, subject to localization requirements at any moment—consistent with its cyber sovereignty position.
It’s important to emphasize that digital trade rules that foster data flows and nondiscrimination don’t stop fair and legitimate laws and regulations addressing digital issues. The U.S.-Mexico-Canada Agreement (USMCA) didn’t stop California’s Consumer Privacy Act. And it wouldn’t stop the proposed American Data Privacy and Protection Act, or any hypothetical new U.S. competition law, as long as these laws treat all firms the same. Likewise, Australia, New Zealand, and Singapore’s many digital trade agreements and partnerships haven’t stopped them from updating privacy, cybersecurity, and digital content laws. More specifically, the European Union-United Kingdom Trade and Cooperation Agreement’s source code provisions did not stop the EU from enacting related provisions in its AI Act.
To the extent the U.S. retreats from its position of defending free data flows, data localization measures are likely to accelerate around the world, with economic and human rights consequences.
Without U.S. support for trade commitments against data localization, U.S. policymakers and companies will have a harder time pushing back on localization requirements in countries where U.S. and Chinese firms are in fierce competition for market share. Data localization is a central feature of this competition, as policymakers in many countries use it to unfairly advantage local firms and data centers and disadvantage foreign firms that otherwise rely on centralized information technology systems to enter markets around the world.
For the past few years, some countries had begun to shift away from support for data localization, in part due to trade pressure from the U.S. and its allies. For example, both India and Indonesia recently enacted comprehensive data privacy bills without data localization requirements. However, data localization remains part of the debate in both countries and could well gain greater support now that the USTR's position has changed. An Indian think tank, the Global Trade Research Initiative, notes that the USTR’s decision will help ensure that future digital trade agreements provide “policy space” for data sovereignty, stating, “given the US' dominant role in the global digital landscape,” this decision “is poised to spark a worldwide reassessment of national e-commerce policies.” India’s concerns about data sovereignty led it to not join the IPEF’s trade pillar and to avoid the WTO e-commerce negotiations. The absence of U.S. advocacy on data flows will inevitably have implications for digital trade policy in other countries in the future.
While U.S. policymakers and firms have historically advocated against data localization, Chinese firms like AliCloud have supported data localization. These firms gain a competitive advantage from data localization, as they are willing to build local data centers to gain trust, and submit to government requests for data and censorship. U.S. firms, by contrast, are more likely to oppose data localization on legal and human rights grounds as they assess each request for data on its merits. (For example, who in government is making the request and under what legal authority? And is fulfilling the request in line with international human rights principles?) U.S. firms also prefer to use regional instead of local data centers for efficiency to reduce costs and improve performance. Regional data centers help companies optimize for the expense of maintaining and building additional data centers while also having data near customers.
Data localization can enable political oppression in some countries. Physical access to data centers makes it easier for security authorities to force firms located in country—whether foreign or domestic—to comply with illegitimate government requests for access to data and content. Sometimes this occurs when local authorities intimidate or threaten local staff. Localization is the cudgel governments use to enforce compliance—either agree to demands, get out, or have your services blocked. Beyond China and Russia, data localization is central to Vietnam's and Pakistan’s evolving online censorship and surveillance regimes. For the past decade, U.S. firms could rely on the U.S. government to help push back against localization due to economic and human rights concerns. But no longer.
The USTR’s decision also undermines U.S. ambitions for global leadership in artificial intelligence (AI). AI firms in the U.S. and in other countries depend on access to large, diverse international data sets. If U.S. firms cannot send data out of countries in which they operate overseas, this significantly limits AI researchers and developers who use cross-border data to build applications that work across a variety of geographies, languages, cultures, and demographics. As the technology competition between Washington and Beijing continues to play out less in the U.S. and China and more in other countries around the world, encouraging trusted data flows among allies and partners is vital to advancing U.S. technological leadership. Although China’s large domestic population creates a data advantage, the U.S. and its partners can offset this by using data flows from around the world, but this relies on continued access to global data sources.
The USTR wanted policy space on data, source code, and digital products so that potential laws and regulations could create provisions that target U.S. Big Tech. Ironically, large U.S. (and Chinese) social media, cloud, and other tech firms have the resources and expertise to adjust to digital restrictions. For example, these firms can set up expensive, albeit duplicative, data centers and operations in countries with restrictions on data transfers. By contrast, small companies in sectors from finance to health care will be hit the hardest because they can’t afford the costs and complications associated with adjusting to barriers to data flows and digital trade. These firms will simply be shut out of foreign markets.
Restrictions on data flows also undermine a broad set of other U.S. government priorities: foreign development assistance, financial inclusion for the unbanked, and efforts to combat money laundering, among many others. Data localization laws weaken cybersecurity by making integrated cybersecurity management more challenging as well as by impeding the provision of cybersecurity services and cooperation on cyber defense—including information sharing.
The USTR’s decision has far-reaching implications for the future of governing the internet and data that will reverberate beyond the WTO and IPEF. The absence of U.S. advocacy for data flows sends the message to other countries that they can enact restrictions that will discriminate against U.S. firms—which undermines the U.S. economy and leadership in governing digital technologies. According to a fact sheet accompanying the June 2021 executive order on protecting Americans’ data, “[t]he Biden Administration is committed to promoting an open, interoperable, reliable and secure Internet; protecting human rights online and offline; and supporting a vibrant, global digital economy.” With the USTR abandoning a central pillar of these goals, Beijing and other countries seeking to advance a closed vision for the governance of the internet will have a great deal of freedom to lead the world down their preferred path.