Skip to main content Accessibility help
×
Hostname: page-component-78c5997874-j824f Total loading time: 0 Render date: 2024-11-10T05:28:49.892Z Has data issue: false hasContentIssue false

3 - The Costs of Data Protectionism

from Part I - Global Trade Law and Policy in the Age of Big Data

Published online by Cambridge University Press:  09 July 2021

Mira Burri
Affiliation:
University of Lucerne

Summary

Cross-border data flows are raising both economic and political concerns related to the concentration of data, data sovereignty, privacy, law enforcement, and national security. This has posed the question of whether countries should insist that companies process data within their jurisdictions and many countries have already enacted restrictions on the transfer of data across borders. However, it is yet not clear how different types of data policies impact trade. The chapter addresses the question by looking at whether data policies create a distortion on trade in services and explores the direct and indirect costs of data protectionism.

Type
Chapter
Information
Publisher: Cambridge University Press
Print publication year: 2021
Creative Commons
Creative Common License - CCCreative Common License - BYCreative Common License - NCCreative Common License - ND
This content is Open Access and distributed under the terms of the Creative Commons Attribution licence CC-BY-NC-ND 4.0 https://creativecommons.org/cclicenses/

A Introduction

Movement of data across borders is central to today’s economy: it enables people to instantly connect with each other, companies to do business smoothly and governments to offer new, more efficient services to their citizens. The Internet has fundamentally changed what, with whom and how trade is conducted, and today virtually all cross-border transactions make use of the Internet or some digital component.Footnote 1 The exponential growth in data being exchanged cross-border is not set to slow down.Footnote 2 Yet, cross-border data flows are also raising both economic and political concerns related to the concentration of data, data sovereignty, privacy, law enforcement, and national security. This has posed the question of whether countries should insist that companies process data within their jurisdictions, and already many countries have enacted restrictions on the transfer of data across borders.Footnote 3

The enactment of these measures has been a topic of hot discussions across the world. On the one hand, there are actors arguing that data should flow freely and that any restriction creates unnecessary costs for businesses and the economy while also limiting the freedom of expression of people online.Footnote 4 On the other hand, certain stakeholders argue that these measures are legitimate to protect important policy objectives, such as privacy and security.Footnote 5

These discussions are not new. In fact, already in the 1980s, some companies started to worry about the potential trade-restrictive impact of new policy measures affecting the use and transfers of data justified under the rationale of national security and privacy. Yet, the debate is still open today with claims by the business community that restrictions on the transfer and use of data (both personal and non-personal) are put in place without a proper analysis of the trade-inhibiting effects and with little guarantee that security and privacy concerns are actually addressed.Footnote 6

The discussions on the trade-restrictive impact of data policies have intensified in the past years with the increasing importance of data flows for trade. As stated by the Swedish National Board of Trade, today ‘trade cannot happen without data being transferred from one location to another’.Footnote 7 Restrictions on the movement of data in practice affect not only firms in the digital sector, but in virtually any sector of the economy.Footnote 8 In fact, firms of all sizes and across all sectors use data.Footnote 9 This is even more the case considering that data per se does not have much intrinsic value, but rather acquires it when processed (often along with other data) and used to offer services, improve business efficiency or take management decisions. Therefore, it does not surprise that restrictions on data flows are perceived by companies as trade restrictions.Footnote 10 Former European Trade Commissioner Malmstrӧm also notably stated that ‘restrictions on cross-border data flows inhibit trade of all kinds: digital and nondigital, products and services. We cannot just pretend that this doesn’t exist, or that data has nothing to do with global trade’.Footnote 11

While companies have advocated the removal of data policies and the free flow of data across borders, it is yet not clear how different types of data policies impact trade, and some governments have also argued that certain policies would rather support trade by enhancing consumers’ confidence.Footnote 12 This chapter addresses the question by looking at whether data policies create a distortion on trade in services. It does so by providing a summary of the main empirical evidence on the costs of restrictions on cross-border transfers of data and domestic restrictions on the use of data. The latter category is also included in the analysis because domestic restrictions on the use of data could have an indirect impact on trade as a result of lower productivity for local firms and limited access to innovation.

The first category of restrictions on cross-border transfer of data deals with all measures that raise the cost of conducting business across borders. These measures either mandate companies to keep data within a certain border or impose additional requirements for data to be transferred abroad. More specifically, these measures include bans to transfer data abroad, local processing requirements, local storage requirements, and conditional flow regimes.Footnote 13 The common feature of these measures is that they create ‘thick’ digital borders between countries. The second group of data policies relates to the use of data domestically and includes all measures that impose certain requirements for firms to access, store, process, or more generally make any commercial use of data within a certain jurisdiction. These measures apply to both local and foreign firms alike and include data retention requirements, administrative requirements, such as the need to prepare a Data Privacy Impact Assessment (DPIA) and to hire a Data Protection Officer (DPO), data breach notifications to government authorities, and the requirement to provide government with direct access to personal data.

B Countries That Impose Stricter Data Policies

Before exploring the empirical evidence on the costs of data protectionism, this section gives a brief introduction on the level of data restrictions imposed all over the world. The indicator used in the analysis is the Data Restrictiveness Index developed in Ferracane et al.,Footnote 14 which is based on the information available in the Digital Trade Estimates (DTE) database of the European Center for International Political Economy (ECIPE).Footnote 15

The Data Restrictiveness Index summarizes the level of restrictiveness on data policies in over sixty economies and varies between zero (completely open) and one (virtually restricted) with higher levels indicating increasing levels of data restrictiveness.Footnote 16 In the analysis, data policies are defined as those regulatory measures that restrict the commercial use of electronic data. The study is limited to those measures implemented at the national or supranational level (such as in the European Union), while other restrictions imposed by local public entities are not taken into account. Data policies are divided into two main categories: (i) cross-border data policies and (ii) domestic data policies, as defined earlier. The data policies implemented in the countries are analysed and aggregated in the Data Restrictiveness Index through a detailed methodology, presented in Section E. The types of measures included in the analysis are listed in Table 3.1, with the respective weights assigned in the analysis, which are estimated based on experts’ input.

Table 3.1. Categories covered in the Data Restrictiveness Index and their weights

CategoriesTypes of measuresWeights
1Cross-border flow measures0.5
1.1Ban on transfer or local processing requirement0.5
1.2Local storage requirement0.25
1.3Conditional flow regime0.25
2Domestic regulatory measures0.5
2.1Data retention0.15
2.1.1Minimum period0.7
2.1.2Maximum period0.3
2.2Subject rights on data privacy0.1
2.2.1Burdensome consent requirement0.5
2.2.2Right to be forgotten0.5
2.3Administrative requirements on data privacy0.15
2.3.1Data protection impact assessment (DPIA)0.3
2.3.2Data protection officer (DPO)0.3
2.3.3Data breach notification0.1
2.3.4Government access to personal data0.3
2.4Sanctions for non-compliance0.05
2.4.1Monetary fine above 250,000 EUR or set as a percentage of revenue0.5
2.4.2Jail time0.5
2.5Other restrictive practices related to data policies0.05
2.5.1Other restrictive practices related to data policies1
Source: M. F. Ferracane, J. Kren, and E. van der Marel, ‘Do Data Policy Restrictions Impact the Productivity Performance of Firms and Industries?’, ECIPE DTE Working Paper No 1 (2018).

The index shows a clear trend of increasing data restrictiveness globally, driven both by raising restrictions on domestic use of data and on transfers of data (Figure 3.1).

Figure 3.1. Data Restrictiveness Index, 2006–2016.

Note: The index covers sixty-four countries representing more than 95 per cent of value-added content of gross exports.

Source: M. F. Ferracane, J. Kren, and E. van der Marel, ‘The Cost of Data Protectionism’, VoxEU, 25 October 2018.

The index shows that Russia, China, and Turkey are the most restrictive countries when it comes to the regulatory environment for using and transferring electronic data (Figure 3.2). These countries are followed by two major European economies, France and Germany, which also show high levels of restrictions on data policies.Footnote 17 Interestingly, on the one hand, all five countries are relatively large, often with a strong manufacturing base compared to their services activities. On the other hand, small services-oriented economies are found to have a more open regime on data policies.

Figure 3.2. Data Restrictiveness Index, by country (2017).

Source: M. F. Ferracane, J. Kren, and E. van der Marel, ‘The Cost of Data Protectionism’, VoxEU, 25 October 2018.

The analysis only focuses on costs of using and transferring data, while it does not take into account regulatory policies that can support data-intensive activities, such as the existence of a basic framework of data protection and consumer protection for online transactions. Future analyses should take into account these policies to have a full perspective on the ease of using and transferring data in different countries. Nevertheless, the Data Restrictiveness Index is an important step forward in the analysis of the national regimes on data policies and the development of much-needed empirical evidence on the costs of protectionism.

C Empirical Evidence on the Cost of Data Protectionism

The economic literature that discusses the cost of data policies from a trade perspective is scarce.Footnote 18 This is probably due to the fact that the topic is relatively new. Yet, the lack of in-depth empirical analysis is surprising given the extent to which trade in services today relies on data flows and considering the sizable portion of all trade in services being traded over the Internet. There are two main streams of research on data flows: one looks at the costs of data policies on local companies (mainly in terms of productivity); the other looks at the costs of these policies on foreign companies, and therefore more directly on trade.

The following section presents the empirical evidence on the costs of data protectionism on local companies in terms of jobs, productivity, and Gross Domestic Product (GDP). If data restrictions on the use and transfer of data lead to higher costs for conducting data-intense activities, then they would be detrimental for the development of local companies, impacting their productivity and, in turn, creating trade distortions. The subsequent section presents the empirical evidence on data protectionism and services trade, and therefore on whether data restrictions could create a trade barrier for foreign companies.

I Foregone Gains for Local Companies

A first set of empirical research looks at the costs of data restrictions on local firms. While it has been argued that data policies could support the development of a local information technology (IT) industry by shielding local incumbents from competition, there is no empirical evidence supporting this claim.Footnote 19 Instead data policies are found to have a negative impact on productivity and GDP.

Some studies look at the impact of data policies on jobs. While strict data policies might lead to the creation of data centres in the country imposing them, the construction of data centres is not expected to create a significant number of jobs. In most cases, data centres contain expensive high-tech equipment that is often imported and creates construction work only in the short term while employing relatively few full-time staff. In fact, the number of jobs associated with data centres has been decreasing sharply, as data centres become more automated.Footnote 20 A 2008 report found that Yahoo, Ask.com, Intuit, and Microsoft hired a total of 180 workers for their facilities – an average of 45 workers per facility.Footnote 21 Other media reports from 2011 showed that a massive USD 1 billion data centre Apple built to help power its cloud computing products created only 50 new full-time jobs.Footnote 22 In 2015, the media reported that Apple’s USD 2 billion global command centre in Mesa, Arizona, would employ 150 full-time personnel, and create between 300 and 500 construction and trade jobs.

Another study looks specifically at one policy framework regarding data, the General Data Protection Regulation (GDPR) of the European Union, and its impact on jobs. Christensen et al. use calibration techniques to evaluate the impact of the GDPR proposal on small- and medium-sized enterprises (SMEs) and conclude that SMEs that use data rather intensively are likely to incur substantial costs in complying with these new rules.Footnote 23 The authors compute these results using a simulated dynamic stochastic general equilibrium model and show that up to 100,000 jobs could disappear in the short run and more than 300,000 in the long term.

Therefore, the establishment of local data centres does not appear to lead to new jobs created in the country. Certain local companies providing data processing services would nevertheless benefit from such measures as they could leverage on a larger pool of data to process.Footnote 24 Yet, the empirical evidence suggests that the higher costs for processing data locally and the consequent loss of productivity in the overall economy would outweigh the benefits accrued to a small set of actors.Footnote 25 When data restrictions apply, local companies are not free to use the most convenient data processing provider globally and have to pay for more expensive or even duplicate services when they transfer data needed for day-to-day activities, for example, for human resources management. The higher costs of data processing are widespread and affect all businesses and consumers that are denied access to certain innovative services. The additional costs have a trickle-down impact on the macroeconomic performance of those countries implementing such rules.Footnote 26

A study by the Leviathan Security Group finds that in many countries, which are considering or have considered restrictions on cross-border transfer of data, local companies would be required to pay 30–60 per cent more for their computing needs than if they used services located outside the country’s borders.Footnote 27 The methodology used by the Leviathan Security Group compares the prices offered by local providers with the cheapest secure alternative option offered worldwide. In Brazil, for example, at the low end for 1-GB-equivalent servers, Microsoft’s price in 2015 was USD 0.024 per hour. The lowest worldwide price for 1-GB-equivalent servers – USD 0.015 per hour – would save Brazilian customers 37.5 per cent on their server costs when compared to a Brazil-exclusive solution. For a 2-GB-equivalent server, a Brazil-located solution would cost USD 0.08 per hour, and the cheapest price globally would be USD 0.03 per hour – a saving of 62.5 per cent. Averaged across the types of servers, a customer located in Brazil would pay 54.6 per cent less by using cloud servers outside Brazil instead of Brazil-located cloud computing resources.Footnote 28 Therefore, it emerges that, while certain local companies would benefit from offering their services to other local companies, overall a vast majority of local companies would incur higher costs for data processing, leading to lower productivity for the economy.

Another set of studies looks at the impact of data policies on productivity of local firms. A study by Bauer et al.Footnote 29 is the first to explore how regulatory policies related to electronic data affect total factor productivity (TFP), albeit at an industry level.Footnote 30 The authors make a first attempt at analysing this linkage econometrically by setting up a data regulatory index using existing indices of services regulation. They look at different types of policies relating to both the use and the transfer of data. The authors calculate the costs of data policies for domestic firms by establishing a link between regulation in data services and TFP at the industry-level in downstream sectors across a small set of countries. They find that stricter data policies tend to have a stronger negative impact on the downstream performance of industries that are more data intense.

A more rigorous assessment of the empirical relationship between data policies and productivity is provided by Ferracane et al.Footnote 31 The authors use firm-level TFP data across a set of developed countries and the Data Restrictiveness Index presented in the previous section. TFP is considered the most important factor for long-run GDP growth and it represents the part of economic output accounted for by efficiency and technology. The results confirm that restrictive data policies significantly harm the productivity of firms active in data-intense sectors, especially for local companies in industries and services sectors more reliant on data.

Ferracane et al.Footnote 32 is also the first empirical study to analyse cross-border and domestic data policies separately. Both types of restrictions are found to have a significant negative impact on productivity. Yet, restrictions on the domestic use of data have a marginally stronger impact on productivity compared to policies on the cross-border movement of data. Therefore, measures implemented at the domestic level with the objective to raise trust of consumers on digital services are not found to have any positive impact on productivity of firms and are rather expected to lead to a loss of productivity of local firms. On average, the study predicts that lifting data restrictions would generate a positive impact on the productivity performance of local firms with a TFP increase of about 4.5 per cent across countries (Figure 3.3), with stronger benefits in data-intensive sectors such as retail and information services.Footnote 33

Figure 3.3. Firm productivity gains from lifting data restrictions, by country.

Source: M. F. Ferracane, J. Kren, and E. van der Marel, ‘The Cost of Data Protectionism’, VoxEU, 25 October 2018.

To contextualise the magnitude of this gain in productivity, we can compare the results with a study by Iootty and others,Footnote 34 who explored the potential impact of policy reform in services using a similar approach. The predicted TFP gains that these authors obtained from lowering services restrictions are around 3 per cent. The higher gains from reforming data restrictions can be explained by the important role of intangible assets in today’s economy.

Finally, some studies look at the impact of data policies on GDP. Bauer et al.Footnote 35 employ the econometric results on TFP presented earlier in a general equilibrium analysis using the Global Trade Analysis Project (GTAP) to estimate the wider macroeconomic impact. The study measures the impact of data policies on exports, GDP, and lost consumption owing to higher prices and displaced domestic demand. The impact of proposed or enacted data restrictions on GDP is found to be substantial in all seven countries analysed in the study: Brazil (−0.2 per cent), China (−1.1 per cent), EU (−0.4 per cent), India (−0.1 per cent), Indonesia (−0.5 per cent), the Republic of Korea (−0.4 per cent), and Vietnam (−1.7 per cent). If these countries also introduced economy-wide data localisation requirements, GDP losses would be even higher: Brazil (−0.8 per cent), the EU (−1.1 per cent), India (−0.8 per cent), Indonesia (−0.7 per cent), and the Republic of Korea (−1.1 per cent). Yet, from this study it remains unclear whether the effect can be assigned to the cross-border or the domestic component of data policies.Footnote 36

Another study from Manyika et al. of 2016 looks at the contribution of cross-border data flows to GDP and finds that it has overtaken that of flows in goods in the current wave of globalisation.Footnote 37 The study states that data flows today account for USD 2.8 trillion of the total increased world GDP over the last decade, thereby exerting a larger impact on growth than traditional goods trade. Interestingly, this work does not dedicate special attention to the interlinkages that exist between data flows and trade in services but takes the former as being a separate channel that impacts the economy independent from services.

From this analysis, it emerges that data policies are not expected to create new jobs in the local economy nor to develop the local industry in data-intense sectors. On the contrary, it appears that these policies tend to lower the level of productivity of local companies and, in particular, domestic restrictions on the use of data are expected to have a stronger impact on productivity. This is not to say that local governments should remove any domestic restrictions on the use of data. These measures might be necessary for important policy objectives, such as privacy and security. Yet, the governments need to take into account the costs of these measures on local companies when designing and implementing them.

II The Foregone Gains for Foreign Companies

Turning to the impact of data policies on foreign companies and trade in services, the evidence is even more scarce. A study conducted in 2014 by the US International Trade Commission (USITC) looks at a set of restrictions on trade including restrictions on data flows. The study estimates that removing foreign barriers on digital trade would lead to an increase in US GDP of up to USD 41.4 billion.Footnote 38 The econometric model used in the analysis relies on surveys of US firms to identify restrictions to digital trade and to rank countries that enact these restrictions in order to estimate the impact that removing these measures would have on certain sectors and the overall US economy.Footnote 39 Yet, this study looks at a broader set of restrictions than data policies, including policies on platforms and content access.

Earlier work from Freund and Weinhold points to the facilitating role of the Internet on trade in services.Footnote 40 The authors state that an increase in Internet penetration by 10 per cent has the effect of increasing the growth of services trade by 1.1 percentage point for imports and 1.7 percentage point for exports. These conclusions are closely related to the question of whether data flows influence trade in services to the extent that restrictions on data can constitute a restriction on the use of the Internet.

In addition to these studies, some scholars have focused more generally on the link between data flows and trade in services. Recent work by Goldfarb and Trefler discusses the potential theoretical implications of data policies on international trade and how these policies relate to the existing models of international trade. Although this discussion is put in a wider context of artificial intelligence (AI), the authors make clear that an expanded AI industry, in which data flows are an important factor, would have clear implications for services trade.Footnote 41 Similarly, Goldfarb and Tucker point out that privacy regulations may harm innovative activities, particularly in services.Footnote 42 They present the results of previous case studies they undertook with respect to two services sectors, namely health services and online advertising. In short, both studies show that there are strong linkages between the effective sourcing and deployment of data, the services economy, and trade in services.

Mattoo and MeltzerFootnote 43 provide anecdotal evidence on the cost of GDPR on Indian firms presenting a survey by NASSCOM-DSCI in 2013.Footnote 44 The survey finds that the requirements for cross-border transfer of personal data lead to a significant loss of business opportunities for Indian firms, with nearly two-fifths of the surveyed services exporters claiming lost commercial opportunities of more than USD 10 million and another third estimating a loss between USD 1 million and 10 million.

Ferracane and van der Marel is the first empirical study that investigates more directly the impact of data policies on trade in services and confirms the findings from the NASSCOM-DSCI survey.Footnote 45 The authors investigate whether stricter data policies on use and transfers of data inhibit trade in services. The study analyses econometrically whether data policies reduce the imports of services, and in particular whether data-intense services, such as computer services, technical services, intellectual property (IP) rights, and research and development (R&D) services, are affected. For the analysis, the authors rely on the Data Restrictiveness Index presented earlier and a methodology adapted from Ferracane et al.Footnote 46 Restrictions on the cross-border movement of data are found to significantly reduce imports of services, while no statistically significant evidence is found regarding domestic data policies. This is unsurprising, as generally restrictions at the border have a direct impact on trade, while domestic restrictions only indirectly impact trade. The analysis predicts that if countries lifted their restrictions on the cross-border flow of data, the imports of services would rise on average by 5 per cent across all countries, with obvious benefits for local companies and consumers, who could access cheaper and better online services from abroad (Figure 3.4).Footnote 47 Moreover, if the two most restricted countries – Russia and China – were to remove restrictions on the cross-border movement of data, they would experience a staggering increase of services imports by more than 50 per cent.Footnote 48

Figure 3.4. Trade gains from lifting data restrictions, by country.

Source: M. F. Ferracane, J. Kren, and E. van der Marel, ‘The Cost of Data Protectionism’, VoxEU, 25 October 2018.

These numbers amount to a substantial size of foregone gains from trade by putting in place restrictive data policies. To compare, total commercial services exports increased by around 7 per cent in 2017.Footnote 49 Most of these trade gains would be seen in data-intense sectors, such as computer services, financial and insurance services, as well as telecom and R&D services.

D Data Protectionism and the World Trade Organization

The empirical evidence presented in this chapter shows that data policies do restrict trade in services. Restrictions that apply to the cross-border movement of data have a more direct inhibiting effect on trade in services, while they also create trade distortions by impacting the productivity of local companies and industries, although to a marginally lower extent than policies related to the domestic use of data. On the other hand, domestic data policies are associated with lower productivity for local firms, and therefore impact trade only indirectly.

Yet, the evidence available is still scarce, especially in relation to the impact of data policies on trade. Ferracane and van der MarelFootnote 50 is the first study to delve in-depth into the impact of data policies on trade in services and the findings are in line with the expectation of businesses that indeed these measures reduce imports of services. The analysis predicts that, if countries lifted their restrictions on data (in particular restrictions on cross-border data flows), the imports of services would rise on average by 5 per cent.

Given the relevance of data policies for trade, it is not unlikely that a country could bring a claim before the World Trade Organization (WTO) to challenge certain data restrictions. The debate on whether data restrictions represent a trade barrier that could potentially be challenged at the WTO is, however, still in its infancy.Footnote 51 It is urgent to undertake further empirical analyses to assess the costs of these measures. This analysis should also focus on identifying which types of data policies are mostly responsible for restricting trade and also investigate whether and how restrictive data policies affect developing countries and their growth potential in the long run.

A WTO dispute could have a profound impact on the way in which the Internet develops and eventually on our society. If a dispute were to arise, the analysis could not prescind from an informed discussion on the necessity of the measures to achieve important policy objectives. While certain data policies might be necessary to protect the privacy of citizens and national security, more research is needed to assess which measures enable countries to best protect these important non-economic policy priorities and which instead create unnecessary costs on the domestic economy and on foreign companies.

The policy implications to take into account when regulating data flows are complex and include, on top of trade aspects, also technical issues related to the Internet architecture and Internet governance, human rights including data privacy and freedom of expression, development issues connected to data sovereignty as well as potentially public order issues connected to the suppression of political dissidents.Footnote 52 However, it is not yet clear how data policies contribute to achieving any of these policy objectives and these restrictions risk creating unnecessary fragmentation of the Internet.

The plurilateral discussions currently on-going at the WTO under the Joint Statement on Electronic Commerce Initiative (JSI) might offer a fertile ground for informed discussions that could engage Internet governance institutions and other stakeholders for a better understanding not only of the costs of data policies on trade in services but also on the technical effectiveness of these policies to achieve their desired objective. If anything, countries should be in a position to carefully weigh the negative impact of certain measures in order to strike the right balance between different policy priorities, without creating excessive costs for firms and, eventually, consumers.

The WTO could provide a much-needed arena for a transparent and informed dialogue on data policies, their costs and their effectiveness in achieving certain policy objectives. As stated by Selby, there is a need to ‘distinguish rhetorical claims from underlying realpolitik as to identify potential reasons why it is such a contested policy issue’.Footnote 53 Engaging the relevant stakeholders is indispensable for such an informed discussion to take place, and more empirical research is needed both in relation to the costs of data policies for the economy and on the actual effectiveness of these measures in achieving the desired policy objective. Failure to do so could lead to a fragmentation of rules on data, with consequences that go well beyond trade.Footnote 54

E Annex

The data policy index covers those data policies considered to impose a restriction on the cross-border movement and the domestic use of data. The methodology to build on the measures is listed in the Digital Trade Estimates (DTE) database, which is available on the ECIPE website (https://ecipe.org/dte/database/). Starting from the DTE database, these policies are aggregated into an index using a detailed weighting scheme, which looks at the trend of data policies for the years 2006–2016. The database and index are updated with new regulatory measures found in certain countries.

While certain policies on data flows can be legitimate and necessary to protect the privacy of the individual or to ensure national security, these policies nevertheless create a cost for trade and are therefore included in the analysis. The criteria for listing a certain policy measure in the DTE database are the following: (i) it creates a more restrictive regime for online versus offline users of data; (ii) it implies a different treatment between domestic and foreign users of data; and (iii) it is applied in a manner considered disproportionately burdensome to achieve a certain policy objective. Each policy measure identified in any of the categories receives a score that varies between zero (completely open) and one (virtually closed), reflecting their scope and level of restrictiveness. A higher score represents a higher level of restrictiveness in data policies. The data policy index also varies between zero (completely open) and one (virtually closed). The higher the index, the stricter the data policies implemented in the country.

The index is composed of two sub-indexes that cover two main types of policy measures: one sub-index covers policies on the cross-border movement of data and one sub-index covers policies on the domestic use of data. Analysing these two sub-indexes separately provides additional information on whether the impact of data policies on services trade varies depending on the nature of the policies. The full data policy index is measured as the sum of these two sub-indexes. This annex presents in detail the composition of the two sub-indexes. It shows which policy measures are found in each of the sub-indexes and the scheme applied to weigh and score each measure.

The list of measures included in the two sub-indexes is summarised in Table 3.1 presented earlier. As shown in the table, the sub-indexes are measured as a weighted average of different types of measures. The weights are intended to reflect the level of restrictiveness of the types of measures in terms of costs for digital trade. The first sub-index on cross-border data flows covers three types of measures, namely (i) a ban on data transfer or a local processing requirement for data; (ii) a local storage requirement, and (iii) a conditional flow regime. The second sub-index covers policies affecting the domestic use of data, divided in the following subcategories: (i) data retention requirements, (ii) subject rights on data privacy, (iii) administrative requirements on data privacy, (iv) sanctions for non-compliance, and finally, (v) other restrictive practices related to data policies.

The main sources used to create the database are national data protection legislations. Otherwise, information is obtained from legal analyses on data policies and regulations from high-profile law firms and from Stone et al.Footnote 55 Occasionally corporate blogs and business reports were also taken into consideration, as they can have useful information on the de facto regime faced by the company when it comes to the movement of data. All sources for each of the measures are listed in the ECIPE DTE database.

I Sub-index on Cross-Border Data Flows

The first sub-index covers those policy measures restricting cross-border data flows. Restrictions on cross-border data flows are divided in three groups: (i) ban on data transfer or a local processing requirement for data; (ii) local storage requirement; and (iii) conditional flow regime. As shown in Table 3.1, the category of bans on data transfer and local processing requirements has a score of 0.5, while the other two categories have a score of 0.25 each. The sum of the scores of these categories can go from 0 up to 1, which reflects a situation of virtually closed regime on cross-border data flows. This score is multiplied by 0.5 to create the final sub-index on cross-border data flows. The sub-index therefore goes from 0 (completely open) to 0.5 (virtually closed).

The scoring of these measures follows the scope in terms of sectoral and geographical coverage as well as the type of data affected. If a ban on transfer or a local processing requirement applies to a specific subset of data (for instance, when it applies to health records or accounting data only), this measure receives a score of 0.5. A similar score is also assigned when the restriction only applies to specific countries (for instance, when data cannot be sent for processing only to a specific country). On the other hand, when the measure applies to all personal data or data of an entire sector (such as financial services or telecommunication sector), then a score of 1 is given. Measures targeting personal data also receive the highest score because it is often hard to disentangle personal information versus non-personal information, and therefore measures targeting personal data often end up covering the vast majority of data in the economy.

If there are two measures scoring 0.5, the score is 1. If there are more additional measures, the score for this category still remains 1. This score is then weighted by 0.5 which is the weight assigned to the category of bans on data transfer and local processing requirements. For the category of local storage requirements, a similar methodology applies. When data storage is only for specific data as defined earlier, this measure receives a score of 0.5, whereas when the data storage applies to personal data or to an entire sector, it receives a score of 1. As mentioned before, the score goes up to 1 maximum and is then weighted by 0.25, which is the weight assigned to the category of local storage requirements.

For the conditional flow regimes, the measures receive a score of 0.5 in cases in which they apply to specific data, but they receive a score of 1 in case conditions that apply to personal data or an entire sector. The final score is then weighted by 0.25, which is the weight assigned to the category of conditional flow regimes.

II Sub-index on Domestic Use of Data

The sub-index on domestic use of data index covers a series of subcategories of policies affecting the domestic use of data. These are (i) data retention requirements, (ii) subject rights on data privacy, (iii) administrative requirements on data privacy, (iv) sanctions for non-compliance, and finally, (v) other restrictive practices related to data policies. Given that each of these sub-categories contains, in turn, additional subcategories, they will be presented separately. For the calculation of the sub-index, the weights assigned to the categories are shown in Table 3.1.

The categories with the highest weights (and therefore those which are considered to create higher costs for digital trade) are data retention and administrative requirements on data privacy, which are assigned a weight of 0.15 each. The category of subject rights on data privacy is assigned a score of 0.1, while the other two categories of sanctions for non-compliance and other restrictive practices are assigned a score of 0.05.

The sum of the scores of these categories can go up to 0.5, which reflect a situation of virtually closed regime on domestic use of data. The sub-index therefore goes from 0 (completely open) to 0.5 (virtually closed). As mentioned earlier, the data policy index is measured as the sum of the two sub-indexes and therefore the score for the final data policy index goes from 0 to 1.

1 Data Retention

The first category belonging to the sub-index on domestic use of data deals with measures related to data retention, which are measures regulating how and for how long a company should keep certain data within its premises. Data retention measures can define a minimum period of retention or a maximum period of retention. In the first case, the companies (often telecommunication companies) are required to retain a set of data of their users for a certain period, which can go up to two years or more in some cases. These measures can be quite costly for the companies and they are assigned a weight of 0.7. On the other hand, the measures imposing a maximum period of retention are somewhat less restrictive and prescribe the company not to retain certain data when it is not needed anymore for providing their services. They are therefore given a weight of 0.3. The country receives a score of 1 in each of the two subcategories when there is one or more measures implemented, while 0 is assigned in case of absence of these measures. Therefore, if a country implements one or more data retention requirements for a minimum period of time and no data retention requirements for a maximum period of time, the score will be 0.7. Alternatively, if the country only implements one requirement of maximum period of data retention, the score will be 0.3.

2 Subject Rights on Data Privacy

The second category belonging to the sub-index on domestic use of data covers measures related to subject rights on data privacy. The rights of the data subject are often a legitimate goal in itself, but they can nonetheless represent a cost for the firm when they are implemented disproportionately or in a discriminatory manner. This is the reason why they are covered in the index. However, they only form a smaller part of the sub-index with a weight of 0.1 as their cost on businesses is significantly low compared with other measures. Two categories of measures are identified regarding data subject rights, which are (i) a burdensome consent for the collection and use of data (with a weight of 0.5) and (ii) the right to be forgotten (with also a weight of 0.5).

If one of the measures applies, a score of 1 is given whereas a score of 0 is assigned otherwise. Regarding the first measure on the consent for the collection and use of data, a score of 1 is given only when the process for requesting consent is considered as disproportionately burdensome. This is the case when the consent has to be always written and explicit or when consent is required not only for the collection of data, but also for any transfer of data outside the collecting company. If this is not the case, then a score of 0 is assigned. Additionally, if the consent is required only in case of transfer across borders, this measure is instead reported in the first sub-index under conditional flow regime and scored accordingly.

3 Administrative Requirements on Data Privacy

The third category belonging to the sub-index on domestic use of data covers administrative requirements on data privacy. Measures included in this category are (i) the requirement to perform a data privacy impact assessment (DPIA) (with a weight of 0.3); (ii) the requirement to appoint a data protection officer (DPO) (with as well a weight of 0.3); (iii), the requirement to notify the data protection authority in case of a data breach (with a weight of 0.1); and finally (iv) the requirement to allow the government to access the personal data that is collected (with also a weight of 0.3).

For the scoring, the first three measures receive a score of 1 when a measure applies and 0 otherwise. In the case of the fourth measure, which is the requirement to allow government to access collected personal data, a full score of 1 is assigned only when the government has an open access to data stored by companies in at least one sector of the economy. However, if a government has only access to escrow or encryption keys, but still notifies access to the data, an intermediate score of 0.7 is assigned. Government direct access to data handled by the company or the use of escrow keys may, in fact, create remarkable consumer dissatisfaction that may lead to the user’s termination of service demand. Finally, if the government has to follow the same procedure that it would follow for offline access to data – that is, the presence of a court decision or a warrant, or when the request follows a judicial investigation process – then the score is 0.

4 Sanctions for Non-compliance

The fourth category of the sub-index on domestic use of data covers measures which impose a sanction for non-compliance. These measures cover both pecuniary and penal sanctions with a weight of 0.5 for each of them. The pecuniary sanctions are not considered a restriction per se, but they are accounted for in the sub-index when (i) they are above 250,000 EUR; (ii) companies have explicitly complained about disproportionately high fines or discriminatory enforcement of sanctions; and (iii) they are expressed as a percentage of a company’s domestic or global turnover. In fact, in all these cases, the sanctions have the capacity of putting a company out of business and might play an important role in the economic calculation of a company. We also list under this section those instances in which the infringement of data privacy rules can be sanctioned by closing down the business. The application of penal sanctions, such as jailtime as a result of infringement of data privacy rules, is included as a restriction. Instances in which penal sanctions are assigned as a result of identity theft and similar illegal actions are obviously not included. If any of these measures applies, then the score is 1.

5 Other Measures

Finally, the last category takes up all those measures which are related to domestic use of data, but do not fit under any of the aforementioned categories. All these measures are assigned a score of 1.

Footnotes

* Max Weber Fellow at the European University Institute, Research Associate at European Center for International Political Economy (ECIPE). Contact: martina.ferracane@eui.eu.

1 There are several reports on how data flows are impacting production and trade. See, e.g., M. Rentzhog and H. Jonströmer, No Transfer, No Trade: The Importance of Cross-Border Data Transfer for Companies Based in Sweden (Stockholm: Kommerskollegium, 2014); M. Rentzhog, No Transfer, No Production – A Report on Cross-Border Data Transfers, Global Value Chains, and the Production of Goods, 3rd edn (Stockholm: Kommerskollegium, 2015).

2 McKinsey estimates that cross-border data flows were 45 times larger in 2015 than in 2005. J. Manyika et al., Digital Globalization: The New Era of Global Flows (Washington, DC: McKinsey Global Institute, 2016). TeleGeography also estimates an annual compound growth rate of global bandwidth use of approximately 40 per cent between 2009 and 2013. See TeleGeography, Global Bandwidth Research Service (2015), at Executive Summary.

3 M. F. Ferracane, ‘Restrictions on Cross-Border Data Flows: A Taxonomy’, ECIPE Working Paper No 1 (2017).

4 See, e.g., R. D. Atkinson, ‘International Data Flows: Promoting Digital Trade in the Twenty-first Century’, Testimony of Robert D. Atkinson, Founder and President, The Information Technology and Innovation Foundation before the House Judiciary Committee, Subcommittee on Courts, Intellectual Property and the Internet, 3 November 2015.

5 Privacy and security are listed among the main motivations for governments to impose restrictions on the cross-border transfer of data in several studies. Among recent studies, see, e.g., F. Casalini and J. López González, ‘Trade and Cross-Border Data Flows’, OECD Trade Policy Papers No 220 (2019); WTO, World Trade Report 2018: The Future of World Trade: How Digital Technologies Are Transforming Global Commerce (Geneva: WTO, 2018); A. Mattoo and J. P. Meltzer, ‘International Data Flows and Privacy: The Conflict and Its Resolution’, Journal of International Economic Law 21 (2018), 769789.

6 S. Stone, J. Messent, and D. Flaig, ‘Emerging Policy Issues: Localisation Barriers to Trade’, OECD Trade Policy Papers No 180 (2015).

7 Rentzhog and Jonströmer, Footnote note 1.

8 See, e.g., M. Mandel, ‘Data, Trade and Growth’, Progressive Policy Institute Policy Brief, 24 April 2013; and D. Castro and A. McQuinn, ‘Cross-Border Data Flows Enable Growth in All Industries’, Information Technology and Innovation Foundation, February 2009.

9 Rentzhog, Footnote note 1.

10 See, e.g., Rentzhog and Jonströmer, Footnote note 1; United States International Trade Commission, Digital Trade in the US and Global Economies, Part 2, Investigation No 332-540, Publication 4485 (Washington, DC: USITC, 2014).

11 C. Malmström, ‘Trade in a Digital World’, Speech at the Conference on Digital Trade, European Parliament, 17 November 2016, available at http://trade.ec.europa.eu/doclib/docs/2016/november/tradoc_155094.pdf.

12 See, e.g., UNCTAD, Data Protection Regulations and International Data Flows: Implications for Trade and Development, UNCTAD/DTL/STICT/2016/1, April 2016.

13 For a detailed taxonomy, see M. F. Ferracane, note 3.

14 M. F. Ferracane, J. Kren, and E. van der Marel, ‘Do Data Policy Restrictions Impact the Productivity Performance of Firms and Industries?’, ECIPE DTE Working Paper No 1 (2018).

15 DTE Database, available at https://ecipe.org/dte/database.

16 A detailed methodology for constructing the index can be found in Ferracane et al., Footnote note 14.

17 The analysis refers to the year 2017. Since the GDPR came into force in May 2019, France and Germany were required to lift some of these restrictions and therefore are likely to have a lower score in the Data Restrictiveness Index today.

18 Other empirical research on electronic data has focused more specifically on the economics of privacy and on consumers’ understanding and decisions regarding the trade-offs associated with the privacy and the sharing of personal data. See among others A. Acquisti, C. Taylor, and L. Wagman, ‘The Economics of Privacy’, Journal of Economic Literature 52 (2016).

19 This logic would follow the ‘infant industry argument’ that some governments have put forward as a justification for restricting transfers of data cross-border. If that were the case, certain restrictions on data flows could be interpreted as a form of ‘digital industrial policy’. See Casalini and López González, Footnote note 5; see also a similar argument made in J. Selby, ‘Data Localization Laws: Trade Barriers or Legitimate Responses to Cybersecurity Risks, or Both?’, International Journal of Law and Information Technology 25 (2017), 213232; L. Tuthill, ‘Cross-Border Data Flows: What Role for Trade Rules?’, in P. Sauvé and M. Roy (eds), Research Handbook on Trade in Services (Cheltenham: Edward Elgar Publishing, 2016), 357382; M. Langenegger, ‘Cloud Mini-Series Part 1: The Transformative Potential of Cloud Computing’, Project Disco, 26 March 2014.

20 N. Cory, ‘Cross-Border Data Flows: Where Are the Barriers, and What Do They Cost?’, Information Technology and Innovation Foundation, 1 May 2017.

21 R. Miller, ‘The Economics of Data Center Staffing’, Informa: Data Center Knowledge, 18 January 2008; D. Ohara, ‘# of Data Center Employees (Yahoo, Ask.com, Intuit, and Microsoft) in Washington Columbia Basin’, Green Data Center Blog 2.0, 10 January 2008.

22 H. Blodget, ‘The Country’s Problem in a Nutshell: Apple’s Huge New Data Center in North Carolina Created Only Fifty Jobs’, Business Insider, 28 November 2011; M. S. Rosenwald, ‘Cloud Centers Bring High-Tech Flash But Not Many Jobs to Beaten-Down Towns’, The Washington Post, 24 November 2011.

23 L. Christensen et al., ‘The Impact of the Data Protection Regulation in the EU’, The European Financial Review, 19 June 2013.

24 For example, Selby (Footnote note 19) mentions that the local processing requirement imposed in the Russian data protection law has also resulted in a surge of business for Russian-based data hosting centres, including those operated by Orange and IXcellerate.

25 See, e.g., M. Bauer et al., ‘The Costs of Data Localisation: Friendly Fire on Economic Recovery’, ECIPE Occasional Paper No 3 (2014); M. Bauer et al., ‘Unleashing Internal Data Flows in the EU: An Economic Assessment of Data Localisation Measures in the EU Member States’, ECIPE Policy Brief No 3 (2016).

26 Another weakness in the infant industry argument is that not all countries are adequate to host data centres (for example, in cases of unreliable power networks, bad weather, earthquakes, and hot summer months) and therefore reliance on local solutions in such cases could significantly hurt the local digital economy in case of infrastructure failures. See Selby, Footnote note 19.

27 Leviathan Security Group, Quantifying the Cost of Forced Localization (Seattle, WA: Leviathan Security Group, 2015).

28 The Leviathan Security Group study also finds that if a European cloud were put in place, cloud computing at 4 GB and above would be consistently 10.5 per cent more expensive than accessing cheaper alternatives worldwide. However, for 1 GB and 2 GB services companies would not have to pay more, as the world’s lowest-cost data centres were located in the EU in 2015, when the study was done.

29 Bauer et al., Footnote note 25.

30 See M. Bauer et al., ‘A Methodology to Estimate the Costs of Data Regulation’, International Economics 146 (2016), 1239.

31 Ferracane et al., Footnote note 14.

33 The results are obtained using firm-level TFP developed by D. Ackerberg, K. Caves, and G. Frazer, ‘Identification Properties of Recent Production Function Estimators’, Econometrica 83 (2015), 24112451. Various other firm-level TFP measures common in the literature are also employed in Ferracane et al. (Footnote note 14) and provide similar results.

34 M. Iootty, J. Kren, and E. van der Marel, ‘Services in the European Union: What Kinds of Regulatory Policies Enhance Productivity?’, World Bank, Policy Research Working Paper No 7919 (2016).

35 Bauer et al., Footnote note 25.

36 Footnote Ibid. Another study by Bauer et al. uses a computable general equilibrium GTAP model to estimate the economic impact of the GDPR and finds that this law could lead to losses up to 1.3 per cent of the EU’s GDP as a result of a reduction of trade between the EU and the rest of the world. M. Bauer et al., The Economic Importance of Getting Data Protection Right: Protecting Privacy, Transmitting Data, Moving Commerce (Brussels: ECIPE, 2013).

37 Manyika et al., Footnote note 2.

38 USITC, Footnote note 10.

39 The USITC sent questionnaires to a stratified random sample of nearly 10,000 firms in seven digitally intensive industries. The questionnaires asked firms how they used the Internet and how the Internet had changed their business practices, sales, and productivity. The questionnaires also asked firms about their experiences with foreign restrictions and impediments to digital trade. The survey had a response rate of nearly 41 per cent. Of the more than 3,600 companies that responded, 80 per cent were SMEs.

40 C. Freund and D. Weinhold, ‘The Internet and International Trade in Services’, American Economic Review 92 (2002), 236240.

41 A. Goldfarb and D. Trefler, ‘AI and International Trade’, NBER Working Paper No 24254 (2018).

42 A. Goldfarb and C. Tucker, ‘Privacy and Innovation’, in J. Lerner and S. Stern (eds), Innovation Policy and the Economy (Chicago: University of Chicago Press, 2012), 6589.

43 Mattoo and Meltzer, Footnote note 5.

44 Survey of the Impact of EU Privacy Regulation on India’s Services Exporters (New Delhi: NASSCOM and DSCI, 2013).

45 M. F. Ferracane and E. van der Marel, ‘Do Data Flows Restrictions Inhibit Trade in Services?’, ECIPE DTE Working Paper No 2 (2018).

46 Ferracane et al., Footnote note 14.

47 We obtain this conclusion by computing the marginal effects using the coefficient results from Ferracane and van der Marel, Footnote note 45. This method is common in the empirical trade literature using econometric techniques.

48 To be more precise, we estimate the average and country-specific increase in imports in case the countries in our study reduced their data restrictions to the average of the three countries with the lowest level of data restrictions. This gives a more realistic approach to policy reform.

49 WTO, ‘Strong Trade Growth in 2018 Rests on Policy Choices’, Press Release, 12 April 2018.

50 Ferracane and van der Marel, Footnote note 45.

51 S. Hodson, ‘Applying WTO and FTA Disciplines to Data Localization Measures’, World Trade Review (2018), 1–29; also S. A. Aaronson, ‘What Are We Talking about When We Talk about Digital Protectionism?’, World Trade Review (2018), 1–37, at 16 (referring to the lack of accurate statistics to measure how such policies make it harder for firms to compete in foreign markets).

52 See Chapter 4 in this volume.

53 Selby, Footnote note 19.

54 See also along the same line, Chapter 4 in this volume.

55 Stone et al., Footnote note 6.

Figure 0

Table 3.1. Categories covered in the Data Restrictiveness Index and their weights

Source: M. F. Ferracane, J. Kren, and E. van der Marel, ‘Do Data Policy Restrictions Impact the Productivity Performance of Firms and Industries?’, ECIPE DTE Working Paper No 1 (2018).
Figure 1

Figure 3.1. Data Restrictiveness Index, 2006–2016.Note: The index covers sixty-four countries representing more than 95 per cent of value-added content of gross exports.

Source: M. F. Ferracane, J. Kren, and E. van der Marel, ‘The Cost of Data Protectionism’, VoxEU, 25 October 2018.
Figure 2

Figure 3.2. Data Restrictiveness Index, by country (2017).

Source: M. F. Ferracane, J. Kren, and E. van der Marel, ‘The Cost of Data Protectionism’, VoxEU, 25 October 2018.
Figure 3

Figure 3.3. Firm productivity gains from lifting data restrictions, by country.

Source: M. F. Ferracane, J. Kren, and E. van der Marel, ‘The Cost of Data Protectionism’, VoxEU, 25 October 2018.
Figure 4

Figure 3.4. Trade gains from lifting data restrictions, by country.

Source: M. F. Ferracane, J. Kren, and E. van der Marel, ‘The Cost of Data Protectionism’, VoxEU, 25 October 2018.

Save book to Kindle

To save this book to your Kindle, first ensure coreplatform@cambridge.org is added to your Approved Personal Document E-mail List under your Personal Document Settings on the Manage Your Content and Devices page of your Amazon account. Then enter the ‘name’ part of your Kindle email address below. Find out more about saving to your Kindle.

Note you can select to save to either the @free.kindle.com or @kindle.com variations. ‘@free.kindle.com’ emails are free but can only be saved to your device when it is connected to wi-fi. ‘@kindle.com’ emails can be delivered even when you are not connected to wi-fi, but note that service fees apply.

Find out more about the Kindle Personal Document Service.

Available formats
×

Save book to Dropbox

To save content items to your account, please confirm that you agree to abide by our usage policies. If this is the first time you use this feature, you will be asked to authorise Cambridge Core to connect with your account. Find out more about saving content to Dropbox.

Available formats
×

Save book to Google Drive

To save content items to your account, please confirm that you agree to abide by our usage policies. If this is the first time you use this feature, you will be asked to authorise Cambridge Core to connect with your account. Find out more about saving content to Google Drive.

Available formats
×