DATA PROTECTIONISM: THE GROWING MENACE TO GLOBAL
Scania is well used to its vehicles being delayed at border crossings by officious customs officers and laborious paperwork. Yet these days, the Swedish truck company’s business is hindered as much by international obstructions to its data as roadblocks on its lorries.
As a Scania truck is driven through the European Union (EU), a small box sends diagnostic data — speed, fuel use, engine performance, even driving technique — to the company’s headquarters in Sweden. The information adds to a vast international database that helps owners manage the servicing of their fleet and Scania improve the manufacturing of the next generation of vehicles.
“The world is moving towards an autonomous, electrified transport system, and that needs data,” says Hakan Schildt of Scania’s connected services operation. “Transport is becoming a data business.”
In China, however, which severely restricts international transfers of data, the company incurs extra costs setting up local data storage and segregating some of the information from the rest of its operations. Many countries are imposing similar, if less drastic, restrictions. “We are having to regionalize a lot of our operations and set up local data processing,” Mr. Schildt says. “National legislation is always changing.”
The McKinsey Global Institute estimates that cross- border flows of goods, services and data added 10% to global gross domestic product in the decade to 2015, with data providing a third of that increase. That share of the contribution seems likely to rise: conventional trade has slowed sharply, while digital flows have surged. Yet as the whole economy becomes more information- intensive — even heavy industries such as oil and gas are becoming data-driven — the cost of blocking those flows increases.
As well as the expense of adding new national data centres, companies run much less efficiently if their information is Balkanized. Nicholas Hodac, government and regulatory affairs executive for IBM in Brussels, says an increasing number of the company’s clients run operations entirely in the cloud. “You can’t offer efficient services to clients in the artificial intelligence ( AI) or analytics space unless you can transfer data to where it can be best served,” he says.
Yet that is precisely what is happening. Governments have sharply increased “data localization” measures requiring information to be held in servers inside individual countries. The European Centre for International Political Economy ( ECIPE), a think tank, calculates that in the decade to 2016, the number of significant data localization measures in the world’s large economies nearly tripled from 31 to 84.
Even in advanced economies, exporting data on individuals is heavily restricted because of privacy concerns, which have been highlighted by the Facebook/ Cambridge Analytica scandal. Many EU countries have curbs on moving personal data even to other member states. Studies for the Global Commission on Internet Governance ( GCIG), an independent research project, estimates that current constraints — such as restrictions on moving data on banking, gambling and tax records — reduces EU GDP by half a percent.
In China, the champion data localizer, restrictions are even more severe. As well as long-established controls over technology transfer and state surveillance of the population, such measures form part of its interventionist “Made in China 2025 ” industrial strategy, designed to make it a world leader in tech-heavy sectors such as artificial intelligence and robotics.
China’s Great Firewall has long blocked most foreign web applications, and a cyber security law passed in 2016 also imposed rules against exporting personal information, forcing companies including Apple and LinkedIn to hold information on Chinese users on local servers. Beijing has also given itself a variety of powers to block the export of “important data” on grounds of reducing vaguely defined economic, scientific or technological risks to national security or the public interest.
“The likelihood that any company operating in China will find itself in a legal blind spot where it can freely transfer commercial or business data outside the country is less than 1%,” says ECIPE Director Hosuk Lee-Makiyama.
The results look impressive: China has some of the biggest tech businesses in the world, including Alibaba, Tencent and Baidu, and is establishing strong positions in new sectors like AI. But economists say China’s service sector growth has so far been insufficient to mitigate the slowdown in manufacturing, and restrictions on digitalization will not help. The US Chamber of Commerce says that further data localization will reduce Chinese GDP by a total of between 1.8-3.4% by 2025.
Other emerging markets, such as Russia, India, Indonesia and Vietnam, are also leading data localizers. Russia has blocked LinkedIn from operating there after it refused to transfer data on Russian users to local servers.
Business organizations including the US Chamber of Commerce want rules to restrain what they call “digital protectionism.” But data trade experts point to a serious hole in global governance, with a coherent approach prevented by different philosophies between the big trading powers. Susan Aaronson, a trade academic at George Washington University in Washington, DC, says: “There are currently three powers — the EU, the US and China — in the process of creating separate data realms.”
The most obvious way to protect international flows of data is in trade deals — whether multilateral, regional or bilateral. Yet only the World Trade Organization laws governing data flows predate the Internet and have not been thoroughly tested through litigation. It recently recruited Alibaba cofounder Jack Ma to front an e-commerce initiative, but officials involved admit it is unlikely to produce anything concrete for a long time. In any case, Mr. Aaronson says: “While data has traditionally been addressed in trade deals as an e-commerce issue, it goes far wider than that.”
The Internet has always been regarded by pioneers and campaigners as a decentralized, self- regulating community. Activists have tended to regard government intervention with suspicion, except for its role in protecting personal data, and many are wary of legislation to enable data flows.
“While we support the approach of preventing data localization, we need to balance that against other rights such as data protection, cybersecurity and consumer rights,” says Jeremy Malcolm, senior global policy analyst at the Electronic Frontier Foundation, a campaign for internet freedom.
Historically, writing global rules for commerce has required the two largest trading powers, the US and the EU, to agree a common direction. But European and American philosophies of data protection have been opposed. The most active advocate for liberalizing rules has traditionally been the US administration and its allies among the — overwhelmingly US- owned — big tech companies. Barack Obama’s White House was instinctively sympathetic to the needs of Silicon Valley, and explicitly criticized EU policies towards data as de facto protectionism.
The US wrote rules guaranteeing cross- border data flows into the 12-nation TransPacific Partnership ( TPP), a trade deal that was intended to export the US economic model to the world’s fastest- growing region. Washington also pushed the idea in a proposed Trade in Services Agreement ( TISA) involving 23 of the world’s biggest economies.
But the election of President Donald Trump, who cares more about steel than tech and is instinctively hostile to binding America with international rules, has muted that powerful voice. He immediately pulled the US out of the TPP and has recently reaffirmed his skepticism of the deal. True, the remaining 11 TPP countries retained the data provisions when they revised the text of the agreement. But the presence of the US would give the rules critical mass.
Meanwhile, a lack of engagement from the US means TISA has gone into hibernation. In any case the push for data rules was already struggling, with the EU emerging as the main roadblock.
Europe has traditionally had a very different philosophy towards data and privacy. In Germany, for instance, public opinion tends to support strict privacy laws — usually attributed to lingering memories of surveillance by the Stasi secret police in East Germany. The EU’s new General Data Protection Regulation (GDPR), which comes into force on May 25, imposes a long list of requirements on companies processing personal data on pain of fines that could total as much as 4% of annual turnover.
One senior EU official makes a comparison to genetically modified food, another intractable trade issue. European public opinion is suspicious of technology it regards as untrusted and the American companies ( Monsanto in the case of GM, Facebook and Google for data) that propagate it. Accordingly, the European Commission imposes tough regulation that it is highly reluctant to liberalize through trade negotiations.
In principle, GDPR can be compatible with encouraging cross- border digital flows. Marietje Schaake, a liberal Dutch member of the European Parliament, says: “No trade agreement can change EU law, whether it be on data protection, the environment or anything. The EU can set a global standard for data if we write very clearly articulated principles with proper safeguards for privacy.”
In practice, those charged with guarding privacy in the EU remain concerned that data provisions in trade deals would leave them open to litigation, and prefer to export its data regulation through unilateral ad hoc arrangements. After a fierce battle between the directorates governing data protection and trade respectively, the commission recently proposed a standard text on data flow for future trade deals.
The measure purports to ban localisation measures of the type typically used by Russia or China. But trade experts warn that it is very cautiously written, with a blanket exemption for measures claiming to protect privacy. Mr. Lee-Makiyama says: “The EU text will essentially provide no meaningful restriction on countries wanting to practice data localization.”
Tactical considerations are important. Putting controversial issues like data flows in trade deals makes them more likely to collapse. Sweden, generally a supporter of open trade, led a “Digital 9” group of EU member states calling for strong rules to protect data transfer. Nonetheless Ann Linde, its trade minister, struck an agnostic note at a recent conference in Brussels. “Putting data into trade deals isn’t the perfect way,” she said. “But we haven’t found a better way.”
Against this political backdrop, the prospects for broad and binding international rules on data flow are dim. Any global initiative is likely to require the US to enthusiastically lead the charge. True, the US is pushing for strong data flow provisions in its NAFTA negotiations with Canada and Mexico. But unless it rejoins TPP its influence will be limited.
Mr. Aaronson argues that advanced economies should unite behind a set of balanced rules on data flows rather than leaving the field to China. But absent that kind of leadership, there seems to be little that companies like Scania can do except continue preparing to adapt their operations to keep up with the vagaries of digital protectionism.
“The free flow of data is part of free trade,” Scania’s Mr. Schildt says. “Technology is changing faster than we can grasp.” The governance of digital information, however, is progressing rather more slowly.
In the battle for dominance over setting rules for commerce, the EU and US often adopt contrasting approaches.
While the US often tries to export its product standards in trade diplomacy, the EU tends to write rules for itself and let the gravity of its huge market pull other economies into its regulatory orbit. Businesses faced with multiple regulatory regimes will tend to work to the highest standard, known widely as the “Brussels effect.”
The EU appears to be trying something similar with data. It is exporting digital governance not through reciprocal deals but unilaterally bestowing an “adequacy” recognition on trading partners before allowing them to transfer data. The agreements acknowledge their partners’ rules, or at least the practices of their companies, meet EU standards. Companies such as Facebook have promised to follow GDPR throughout their global operations as the price of operating in Europe.
But many in the tech industry consider the system arbitrary and unstable, and a poor substitute for binding reciprocal agreements. In 2015, its fragility was underlined by the European Court of Justice striking down “Safe Harbour,” an adequacy agreement between the EU and US after a case brought by Max Schrems, an Austrian privacy activist. The EU and US hastily put together a replacement “Privacy Shield,” but risks remain.
Christian Borggreen, who heads the Brussels office of the Computer & Communications Industry Association, an international tech business group, says the arrangements are a small, messy and incomplete patchwork. European data controllers also rely on EU-approved clauses to transfer data, but he says those too are vulnerable to ECJ disapproval. “If another of these dominoes falls, the whole process of data transfer is at risk.”