Data Sovereignty: From the Digital Silk Road to the Return of the State

Sovereignty is, paradoxically, one of the most important yet misunderstood terms in international law. This is especially true in the international trade law area, where sovereignty and international obligations are often pitted against each other when countries try to enforce binding legal obligations through compulsory dispute settlement systems. This led to the Great 1994 Sovereignty Debate in 1994,1 when the World Trade Organization (WTO) was coming into being. Some 20 years later, it became a hot issue again when the U.S. administration led by President Trump tried to cite sovereignty as the justification for many of its WTO-inconsistent measures, especially those ostensibly grounded on “national security.” Due to space constraints, this chapter does not unpack the many challenges posed to international trade law by sovereignty. Instead, it focuses on an emerging area: data regulation in trade agreements, which best illustrates the conflict between international trade regulation and sovereignty in the digital era.

The chapter starts with an in-depth analysis of the elusive concept of data sovereignty, by trying to blend the classical definitions of canonical authors with the unique features of the data economy. It then conducts an empirical examination on the current approaches to data sovereignty in trade agreements by the three leading players, that is, the United States, China, and the EU. While noting the divergent approaches taken by the three, the chapter also concludes with observations on possible future convergence of the three approaches.

Sovereignty is one of the most fundamental concepts in modern international law. At the same time, however, it is also one of the most “controversial”2 concepts with a “long and troubled history.”3 Despite their disagreements on the exact meaning of the term, most international lawyers seem to agree that sovereignty has a “well established” status as either a “highly ambiguous”4 or “notoriously amorphous” concept.5 Indeed, the concept is so contested that even many leading international lawyers deem it better to just give up the term, which, called the “S word”6 by Louis Henkin, is “a mistake, an illegitimate offspring”7 that is “largely unnecessary and better avoided.”8

Nonetheless, I am still of the view that we should try to fathom the meaning of sovereignty, as it is “one of those powerful words which has its own existence as an active force within social consciousness” that can not only “represent reality,” but also “play a leading part in creating and transforming reality.”9 This is most evident in the repeated reference to sovereignty by national governments in various settings even in the digital age. Thus, without pinning down its meaning, it would not be possible to understand some of the key contentions and approaches in data governance and trade regulation.

In this regard, I will start with classical authors. While the concept of sovereignty has long been used in Europe, Jean Bodin is commonly accepted as the “father” of the modern usage of the concept “sovereignty”10 as he engaged in “the first systematic discussion of the nature” of the concept.11 In his book Les six Livres de la Republique, Bodin defines sovereignty as “the absolute & perpetual power in a Republic.”12 This definition focuses on the internal paradigm of the domestic pyramid of power by placing sovereignty as “the most supreme power in the hierarchical organizational structure of society, that is, the highest unified power—as opposed to a subordinate decentralized one—free from any temporal authority.”13

While this definition does provide a good explanation of sovereignty in the domestic context, it might run into difficulty at the international level, where all states are regarded as equal sovereigns in principle, yet in reality countries do differ in their relative powers depending on their military or economic might. The solution to this problem was provided by Emer de Vattel, who transposed the concept of sovereignty from the national level onto the international plane.14 In contrast to the internal paradigm of Bodin, Vattel shifted to the external dimension by defining sovereignty as the “exclusivity of power without,” that is, “a political body which is the sole representative of the people externally and which is not submitted to any foreign state or to any higher law externally.”15 By focusing on such “incorporated independent authority,” Vattel provided the foundation for the discourse on sovereignty under international law, which is based on the fundamental notion of states as independent actors.

It is easy to see where Bodin and Vattel differ, in that the former defines sovereignty vis-à-vis its subjects while the latter places sovereignty in the context of external powers, be they foreign states or international law. Despite their differences, both of these definitions focus on the “general norm”16 or the “routine” situations.17 In reality, however, the power of sovereignty is often manifested in decisions concerning “borderline cases” or the “exceptions.”18 This led Carl Schmitt to propose a new definition of sovereignty by stating, at the very beginning of his Four Chapters on the Concept of Sovereignty, that “[s]overeign is he who decides on the exception.”19 As illustrated in later discussions in this chapter, the focus on exceptions is also fitting to discussions on data sovereignty, which often needs to wrestle with issues such as exceptions to the general rules on data flow and location of data.

The discussions above reveal a common theme among the definitions by classical authors: power. This is explicit in Bodin (“highest power”) and Vattel (“underived power”), and implicit in Schmitt (“exceptional power”).20 Now fast forward to the digital age, where technology giants pose serious competition to national governments in terms of the powers they possess. In this sense, digital firms could be said to have powers rivaling those of traditional sovereigns. This led Lawrence Lessig to extend the concept of sovereignty by equating it with “control.”21 He developed two models of sovereignty depending on who has the control. The first model of “citizen-sovereignties” deals with institutions such as universities, social clubs, and churches, which “give consumers control over the rules that will govern them.”22 On the other hand, in the model of “merchant-sovereignties” the rules are imposed by the merchants and not chosen by the consumers.23 These rules are imposed on a “take it or leave it” basis and the only choice consumers can make is whether to go to McDonald’s or Burger King. But unlike the switching of your lunch spots in the physical space, which is virtually costless, it can be rather costly to try to switch communities in cyberspace, as “you must give up everything in a move from one cyber-community to another,” which explains the power of digital giants in cyberspace.24

Despite the lack of a precise and commonly agreed-upon definition, sovereignty is still regarded as one of the most indispensable concepts in international law. The same, however, cannot be said of the concept of data sovereignty. To start with, the concept has been dismissed by many as just an oxymoron, because data by its nature transcends borders but sovereignty traditionally has been understood to be confined to within borders. Further complications would arise when data is generated, processed, stored, and disseminated in different jurisdictions, as has become commonplace in cyberspace these days. Thus, it has been rather difficult to provide a satisfactory definition of data sovereignty, with earlier attempts focusing either on the ethical dimension of the ownership and control of the data by the individual25 or the technical dimension of “the coupling of stored data authenticity and geographical location in the cloud.”26 After reviewing 602 papers discussing sovereignty in the digital context, a comprehensive survey on the usage of the concept in academic literature classifies six different means to address data sovereignty.27 However, the survey concludes that “data sovereignty” is typically employed to refer “in some way to meaningful control, ownership, and other claims to data or data infrastructures.”28 Such emphasis on control and power is consistent with the classical concepts of sovereignty discussed earlier.

As illustrated by the foregoing discussion, defining data sovereignty has been an endeavor fraught with difficulties. However, as the focus of this chapter is on data sovereignty in the context of trade agreements, it is not really necessary to try to come up with a general definition of data sovereignty. To paraphrase the famous remark made by Bill Clinton when he tried to persuade the U.S. Congress to grant Permanent Normal Trade Status to China ahead of China’s accession to the WTO in 2000, defining data sovereignty in general would be like “trying to nail jello to the wall.”29 Here, however, we merely need to decide what happens when jello hits the wall, that is, the applicable rules when the concept of data sovereignty somehow interacts with the rules under trade agreements.

By narrowing the scope of our inquiry, we can tentatively define data sovereignty in the context of trade agreements as follows: the highest independent power over data trade, which can define rules and exceptions, especially regarding first, border measures such as the cross-border transfer of data; and second, domestic regulations such as data localization requirements. This definition takes into account the key elements of the different variants mentioned earlier, that is, power, independence and exception. It also situates the concept in the unique context of data trade, with the cross-border fungibility of data as a key feature.

When it comes to data governance, there are three main groups of players: the individual, who provides the raw data and uses the processed data; the firm, which processes the raw inputs from the consumer and usually controls such data; and the state, which monitors and regulates the data use by the first two groups. Their different interests often result in conflicting priorities, with the individual advocating privacy protection, the firm promoting unhindered data flow, and the state focusing on the security implications.

The clashes between the three groups often result in various restrictive measures, with the most common type being restrictions on cross-border data flow in the name of the protection of individual privacy or national security.30 More recently, however, data localization requirements have also become popular, with the following as main variations:31

(1) Local commercial presence or residency requirements: The origin for such requirements can be traced back to the General Agreement on Trade in Services (GATS), where service providers are often required to have a local commercial presence before they can provide a service. While such requirements could potentially affect all service sectors, e-commerce is especially vulnerable as it is often detached from traditional brick-and-mortar establishments.

(2) Local infrastructure requirements: These include both hardware requirements for service providers to use computing facilities located in the host territory and software requirements to use computer processing and/or storage services located in such territory.

(3) Local content requirements: Depending on the modus operandi of the local content requirements, this obligation can be further divided into two categories. One is granting preferences or advantages to goods or electronically transmitted contents produced in a territory, or to local computing facilities or computer processing or storage services supplied locally. The other is requiring foreign service suppliers to purchase or use local goods or electronically transmitted contents.

(4) Local technology requirements: This can also be broken down into two types of obligations. The first is the requirement for foreign service suppliers to transfer technologies as a condition of providing a service. This is often tied to the requirement to have a local partner. The other is the requirement for foreign service suppliers to purchase or use local technologies.

While data flow restrictions and data localization requirements are both barriers to e-commerce, it is important to note the differences between the two. Data flow restrictions curb cross-border transfer of data. They normally target the outflow, but can also affect the inflow, such as banning access to certain foreign websites due to their contents. As such restrictions affect domestic and foreign firms alike, they are more akin to a most-favored nation (MFN) treatment type of restriction. While such constraints make it more difficult for firms to move data around, they could reduce data breach risks for individuals and regulatory costs for states. On the other hand, data localization requirements tend to affect mostly foreign firms so they can be viewed more as a National Treatment issue. Such requirements obviously would increase costs for foreign firms, but they could also increase risks of personal data breach and even regulatory costs for states due to the duplication of data on both local and offshore servers.32 Given the different ways MFN and national treatment obligations under trade agreements are structured, a proper understanding of the differences between the two restrictions can help inform regulatory approaches and negotiations in trade agreements.

At the same time, notwithstanding their differences, it is also important to keep in mind that both types of restrictions could have major implications for international trade, especially given the growing importance of data to trade in general. Moreover, due to their binding natures, trade agreements have also become the forum of choice for regulating data issues at the international level.

While all countries would agree that there is a need to strike a balance between the clashing interests of different stakeholders, their approaches often differ in practice. Some jurisdictions prioritize the need to safeguard the privacy of users. A good example in this regard is the General Data Protection Regulation (“GDPR”) of the EU, which recognizes “[t]he protection of natural persons in relation to the processing of personal data” as “a fundamental right.”33 On the other hand, some jurisdictions put the commercial interests of firms first. In the United States, this is reflected in the 1996 Telecommunication Act, which notes that it is “the policy of the United States . . . to preserve . . . free market . . . unfettered by Federal or State regulation.”34 In contrast, national security concerns are often cited to justify restrictions on cross-border data flow, albeit in varying degrees in different countries. A recent example is China’s 2017 Cyber Security Law, which imposes several restrictions aiming to “safeguard cyber security, protect cyberspace sovereignty and national security.”35

These differences in the domestic regulatory frameworks of these countries are also reflected in their trade agreements, which in turn reveal their different approaches to data sovereignty. Using the twin provisions of free flow of data and prohibition of data localization requirements as proxies, we can group the major approaches to data sovereignty and trade agreements into the following three models, with each represented by a major trader.

Table 9.1 Three Data Sovereignty Models

| | Free Flow of Data | Prohibition on Data Localization | Data Sovereignty Regime |
|---|---|---|---|
| US | Yes | Yes | Firm Sovereignty |
| China | No | No | State Sovereignty |
| EU | Yes, but | Yes, but | Individual Sovereignty |

As the world’s largest economy and until recently, the largest trader, the United States is a highly competitive exporter in both agricultural and industrial goods and services. Thus, the United States has been very aggressive in promoting free trade and dismantling trade barriers in its trade agreements. This approach is also carried over into the digital age, with the U.S. trade agreements pioneering the inclusion of digital trade issues with an expansive set of obligations.

In particular, two provisions have become the sine qua non in the digital trade chapters in U.S. trade agreements, with the recently concluded United States-Mexico-Canada Agreement (“USMCA”) as the leading example:

First is the guarantee on free cross-border flow of data by stating that “no Party shall prohibit or restrict the cross-border transfer of information, including personal information, by electronic means”;36 and

Second is the prohibition of data localization requirements by stipulating that “no Party shall require a covered person to use or locate computing facilities in that Party’s territory as a condition for conducting business in that territory.”37

These two provisions provide strong protection of the interests of firms, which deem the restrictions on cross-border flow of data and various localization requirements as obstacles to their ability to conduct business across national boundaries. Applying the concept of sovereignty mentioned earlier, the U.S. approach essentially puts sovereignty into the hands of business firms, so that they have control of both border measures and domestic regulations.

As we can see from the experiences of China and the EU below, two of the most frequent reasons used by governments to regulate data are protection of privacy or national security. In both of these areas, however, the United States has taken different approaches in its trade agreements.

On privacy protection, the U.S. trade agreements only require parties to adopt their own legal framework for data protection, which could take many different legal approaches including “comprehensive privacy, personal information or personal data protection laws, sector-specific laws covering privacy, or laws that provide for the enforcement of voluntary undertakings by enterprises relating to privacy.”38 This is very different from the EU approach, which requires its trade partners to adopt GDPR-equivalent clauses. While the U.S. agreements also call for Parties to “take into account principles and guidelines of relevant international bodies,”39 the examples only include “the APEC Privacy Framework and the OECD Recommendation of the Council concerning Guidelines governing the Protection of Privacy and Transborder Flows of Personal Data (2013),” which are regarded as providing only minimum levels of data protection or “1st generation” data privacy standards.40 Moreover, rather than enhancing privacy protection for consumers, the U.S. trade agreements seem to be more concerned with making sure that the commercial interests of the firms are not adversely affected by over-restrictive privacy regimes. Take, for example, the clause on personal information protection under the USMCA, which includes a total of six paragraphs. Only one of these contains substantive obligations to adopt or maintain a legal framework on personal information protection,41 while three are aimed at minimizing the regulatory burden for business firms. The first among the three calls on the Parties to ensure that “any restrictions on cross-border flows of personal information are necessary and proportionate to the risks presented,”42 which is apparently modeled after the necessity test and proportionality principle under the WTO.
The second requires the Parties to “endeavor to adopt non-discriminatory practices in protecting users of digital trade from personal information protection violations occurring within its jurisdiction,” which also draws from the non-discrimination principle of the WTO, especially the national treatment obligation. Lastly, while the agreement recognizes the divergent legal approaches the Parties might take on personal information protection, it also encourages the Parties to develop “mechanisms to promote compatibility between these different regimes.” Again, trade lawyers would recognize in these provisions vestiges of WTO rules on mutual recognition, harmonization, and equivalence under the various WTO agreements.

On security, the U.S. trade agreements focus on “threats to cybersecurity undermine confidence in digital trade,” that is, “malicious intrusions or dissemination of malicious code that affect electronic networks.”43 Put differently, the U.S. approach mainly addresses cybersecurity risks facing the private firm, which is quite different from the Chinese approach that focuses on perceived threats to national security. At the same time, the U.S. approach also tries to minimize disruptions to the operations of firms, by calling on Parties to adopt “risk-based approaches that rely on consensus-based standards and risk management best practices to identify and protect against cybersecurity risks.”44 The risk-based approach is apparently carried over from the regulatory framework under the WTO, especially under the Agreements on Technical Barriers to Trade (TBT) and Sanitary and Phytosanitary Measures (SPS). By placing restrictions on the regulatory measures that might be adopted by governments, such an approach provides better protection for the firms’ interests. Similarly, the reference to “consensus-based standards” also reflects prevailing practices in the United States, which have been codified in the Cybersecurity Enhancement Act of 2014.45 The Act calls for the National Institute for Standards and Technology under the Commerce Department to “facilitate and support the development of a voluntary, consensus-based, industry-led set of standards, guidelines, best practices, methodologies, procedures, and processes to cost-effectively reduce cyber risks to critical infrastructure.”46 Under the Act, the U.S. cybersecurity standards are developed as a public-private partnership between the government and the business sector, which serves to reduce the cybersecurity risks for the firms rather than advancing the national security goals of the government.

Many other provisions in the USMCA are also designed to facilitate the development of digital trade. This is done by either removing regulatory barriers, such as the provision on non-discriminatory treatment of digital products; or providing an enabling framework for digital trade such as the provisions on domestic electronic transaction legal framework; recognition of the legal validity of electronic signatures or electronic authentication methods; the acceptance of electronic documents as the legal equivalent of their paper versions; and open government data. The most interesting provision, though, is the provision on principles on access to and use of the Internet for digital trade.47 This clause is mainly designed to deal with the risk that market players that own or control key infrastructures could abuse their power by unreasonably denying their business users access to their infrastructures, making it impossible for these users to conduct e-commerce activities. To address this problem, the agreements provide consumers (including business users) with the freedom of access to and use of the Internet for e-commerce, subject only to network management and network safety restrictions. This provision apparently grew out of the net neutrality principle from the domestic telecom regulatory framework within the United States. In a way, it provides digital giants with reverse control over the telecom and Internet services providers in the countries where they operate, shielding the former from being held hostage by the network throttling practices often found in many countries.

As the main proponent of the plurilateral Trade in Services Agreement (TISA) negotiations, the United States also proposed similar provisions in the draft TISA agreement. Most of these can be found in the e-commerce chapter, where the United States called for provisions that guarantee service suppliers the freedom to transfer information across countries for the conduct of their business; freedom for network users to access and use services and applications of their choice online, and to connect their choice of devices; prohibition of data localization requirements as a condition of supplying a service or investing; and prohibition of discrimination against electronic authentication and electronic signatures. In addition, the horizontal provisions also include prohibitions on a host of localization requirements as mentioned earlier. While they apply to all service sectors, they would be of particular relevance to e-commerce due to the nature of the sector.

For China, the key to data regulation is data security, which has now been elevated to the level of national security and national sovereignty. Such a regulatory approach, which I dubbed “data regulation with Chinese characteristics” in another paper,48 is the result of an evolution spanning 25 years. This evolving approach closely traces the development of the Internet sector in China. When the Internet first started as a novelty that was confined to the ranks of tech-savvy geeks, the regulations focused on computer and Internet hardware, by requiring all Internet connections to go through official gateways sanctioned by the Chinese government. As the Internet gradually expanded to the masses with the proliferation of software and social media catering to popular uses, the government moved on to regulate the software and started to demand that software used for Internet access must be sanctioned by the government. As cyberspace became an indispensable part of everyday life and began to permeate every sector from socializing and shopping to entertainment and education, the government shifted the focus to the regulation of content and now data, which is the essence of cyberspace that powers everything, especially with the rise of big data and artificial intelligence. Moreover, data regulation has now been elevated to the level of national security with the introduction of the Cyber Security Law in 2016. The agency that is responsible for content regulation, the CAC (Cyberspace Administration of China), has also evolved into the super-agency that is almost synonymous with data regulation in China. The CAC has no responsibility in promoting the growth of the sector. Instead, its only responsibility is making sure that cyberspace is secure and that nothing unexpected pops up.
It is this single-minded pursuit of security that has led to such draconian policies as Internet blockage, filtering and other restrictions on the free flow of data, forced data localization requirements, and the transfer of source code. As the Internet is becoming more complicated and omnipotent, we can only expect Internet and data regulations in China to become more sophisticated and omnipresent.

At the international level, China has traditionally taken a cautious approach to data regulation in trade agreements. Until very recently, it had not even included e-commerce chapters in its RTAs (regional trade agreements). This only changed with its FTAs (free trade agreements) with Korea and Australia, which were both signed in 2015. Nonetheless, the provisions in these two FTAs remain rather modest, as they mainly address trade facilitation related issues, such as a moratorium on customs duties on electronic transmission, recognition of electronic authentication and electronic signature, protection of personal information in e-commerce, paperless trading, domestic legal frameworks governing electronic transactions, and the need to provide consumers using electronic commerce a level of protection equivalent to that of traditional forms of commerce.

A major breakthrough was made in the Regional Comprehensive Economic Partnership (RCEP) Agreement, which China signed along with 14 other countries in the region in November 2020. Under the Chapter on E-commerce, China, like all other RCEP Members, agreed to not “require a covered person to use or locate computing facilities in that Party’s territory as a condition for conducting business in that Party’s territory,”49 or “prevent cross-border transfer of information by electronic means where such activity is for the conduct of the business of a covered person.”50

Of course, merely agreeing to the twin provisions on data flow and data localization does not mean that China now embraces the U.S. model. Instead, both provisions are still overshadowed by national security concerns. First of all, both provisions allow Members to adopt “any measure that it considers necessary for the protection of its essential security interests.” Moreover, they also explicitly state that such security measures “shall not be disputed by other Parties,” which means that the security measures will be largely self-judging. Finally, as the whole chapter on e-commerce is carved out from the normal dispute settlement procedure under the RCEP, any such security measure will not be subject to legal challenge.

Another exception to these two obligations is “any measure . . . that [the implementing Party] considers necessary to achieve a legitimate public policy objective.” Note here the necessity test is not the objective one as found under the general exceptions clause under GATT Art. XX, but what the Party taking such measure “considers necessary,” which is only found under the security exceptions clause under GATT Art. XXI. The subjective nature of the necessity test here is further confirmed by the footnotes to the two provisions, which explicitly “affirm that the necessity behind the implementation of such legitimate public policy shall be decided by the implementing Party.”

What, then, could such a “legitimate public policy objective” entail? As in most other countries in the world, this could include laws for the protection of privacy or personal information. Yet, the Chinese approach to privacy protection also comes with its own limitations. To start, privacy is a rather new concept in Chinese law, and there was no privacy protection law until 2009, when privacy was first recognized as a civil right under the Tort Liability Law. This was duly incorporated into China’s new Civil Code enacted in 2020, which has a separate chapter on privacy and personal information protection as part of the volume on personality rights.51 According to Art. 1035 of the new Civil Code, the processing of personal information shall be based on the consent of the data subject, “except if there are different requirements under laws or administrative regulations.” In China, there are many laws that do not require the consent of the data subject. For example, under Art. 25 of China’s Electronic Commerce Law, government agencies may require e-commerce operators to provide e-commerce transaction data, which includes the personal information of the consumers. Similarly, by requiring government agencies in charge of cyber security monitoring and management and their staff to keep confidential any personal or privacy information they obtain in the discharge of their duty, Art. 45 of the Cyber Security Law also indirectly confirms that such agencies do have access to personal information of netizens without their consent.
This approach is also adopted by China’s new Personal Information Protection Law, which confirms that data processors might not need to obtain the consent of the data subject when necessary for discharging official duty and responsibility.52 Moreover, in cases specified by the relevant laws or administrative regulations, the data subject would not even be made aware that his/her data is being processed.53 The same exception also applies in cases where the notification or obtaining the consent of the data subject would impede the discharge of official duty by the relevant state organs.54 Even if the data subject later becomes aware of the occurrence of such data processing activities, he/she would be denied the right to review or copy such personal information, which is normally available to data subjects.55

To sum up, the Chinese framework for personal information protection provides extensive exemptions for the government to collect personal information, either directly or through personal information processors. This probably explains why China to this day has yet to participate in the APEC CBPR (Cross-Border Privacy Rules),56 as the CBPR Program Requirements include some potentially awkward questions such as “how the collected personal information may be shared, used or disclosed as compelled by law,” which neither the companies nor the Chinese government might be ready to answer.

Despite the gaps in China’s personal information protection framework, at least an argument could be made that it is common to have personal information protection laws as exceptions to the twin provisions on data flow and data localization. However, the exceptions under the Chinese data regulation regime cover not only personal data but also “important data,” a highly important concept that is poorly defined.

The concept of “important data” was first introduced in the Cyber Security Law, which requires “operators of critical information infrastructure” to locally store not only personal information but also “important data” collected and generated in their operations within China.57 If they need to send such data abroad due to business necessity, they have to first undergo security assessment by the authorities.58 Thus, the local storage requirement and restriction on cross-border data flow apply to “important data” collected and generated by operators of “critical information infrastructure,” which is defined in Article 31 of the law as infrastructure in “important industries and fields such as public communications and information services, energy, transport, water conservancy, finance, public services and e-government affairs,” as well as such “that will result in serious damage to state security, the national economy and the people’s livelihood and public interest if it is destroyed, loses functions or encounters data leakage.” Such a broad definition could potentially capture everything and gives little guidance, which is why the same Article also directs the State Council to develop the “specific scope of critical information infrastructure.”

In 2016, the CAC issued the National Network Security Inspection Operation Manual59 and the Guide on the Determination of Critical Information Infrastructure,60 which clarified the scope of critical information infrastructure by grouping them into three categories: (1) websites, which include websites of government and party organizations, enterprises and public institutions, and news media; (2) platforms, which include Internet service platforms for instant messaging, online shopping, online payment, search engines, emails, online forum, maps, and audio video; and (3) production operations, which include office and business systems, industrial control systems, big data centers, cloud computing, and TV broadcasting systems.

The CAC also laid down three steps in determining the critical information infrastructure, which starts with the identification of the critical operation, then continues with the determination of the information system or industrial control system supporting such a critical operation, and concludes with the final determination based on the level of the critical operations’ reliance on such systems and possible damages resulting from security breaches in these systems. More specifically, they listed 11 sectors, which include energy, finance, transportation, hydraulic, medical, environmental protection, industrial manufacturing, utilities, telecom and Internet, radio and TV, and government agencies. The detailed criteria are both quantitative and qualitative. For example, on the one hand, critical information infrastructure includes websites with daily visitor counts of more than one million people and platforms with more than ten million registered users or more than one million daily active users, or daily transaction value of 10 million RMB. On the other hand, even those that do not meet the quantitative criterion could be deemed to be critical information infrastructure, if there are risks of security breaches that would lead to leakage of lots of sensitive information about firms or enterprises, or leakage of fundamental national data on geology, population, and resources; or seriously harming the image of the government or social order or national security. The potentially wide reach of the criteria was well illustrated by the case of the BGI Group, the largest genomics organization in the world, which was fined by the Ministry of Science and Technology in October 2018 for exporting certain human genome information abroad via the Internet without authorization.61 Given the nature of their business, the BGI case could fall under the category of “leakage of fundamental national data on . . . population,” as mentioned earlier.

In addition to the vague concept of “important data,” the newly enacted Data Security Law adds another concept of “national core data,” which is defined as “data related to national security, the lifeline of the national economy, people’s livelihood and major public interests” and will be subject to “a more stringent management system.”62 It is likely that the scope of the new category of “national core data” will be narrower than “important data,” but it is unclear how much narrower it will be. Moreover, as mentioned above, the restrictive rules on data flow and data localization apply only to “important data” collected and generated by operators of “critical information infrastructure” as per the Cyber Security Law. It is unclear, however, whether the stricter restrictions on “national core data” will be similarly limited to operators of “critical information infrastructure.” A plausible or even compelling argument could be made that, due to its utmost importance, the restrictions on “national core data” would apply to all data processors or even private individuals, even if they do not qualify as operators of “critical information infrastructure.”

Unlike the United States and China, which focus respectively on the firm and the state, the EU has, as its main concern, the privacy of the individual. This started with the Data Protection Directive in 1995, which prohibits the transfer of personal data to non-EU countries unless they have privacy protection standards deemed adequate.63 The Directive was replaced64 by the GDPR in 2018.

Despite its name, which suggests a broader reach, the GDPR applies only to personal data, which is defined as “any information relating to an identified or identifiable natural person (‘data subject’).”65 It regulates the behaviors of the data controller and processor, which are respectively defined as the one who “determines the purposes and means of the processing of personal data”66 and “processes personal data on behalf of the controller.”67 Under the GDPR, the processing of personal data is only allowed with the “explicit”68 consent of the data subject and a few other specifically enumerated reasons,69 pursuant to a set of principles that specifies the scope and manner of such processing.70 Transfer of personal data to third countries is only allowed on the basis of an adequacy decision71 or appropriate safeguards.72

Since its introduction, the GDPR has become the gold standard of privacy protection in the world. Encouraged by its success, top EU officials started to advocate “technological sovereignty” for the EU.73 “Technological sovereignty” is a concept closely linked with “digital sovereignty,”74 which was elaborated in the European Commission’s “Communication on a European Strategy for Data” unveiled in February 2020.75 As many commentators pointed out, the EU’s new data strategy is designed to “counter the strong position of US and Chinese digital companies in the European market”76 and remedy “the key European disadvantage” of “the lack of significant European digital corporations with global influence.”77 The new data strategy aims to create “a single European data space” so that “by 2030, the EU’s share of the data economy—data stored, processed, and put to valuable use in Europe—at least corresponds to its economic weight, not by fiat but by choice.”78

For the EU, the quest for digital sovereignty started out as a defensive move to fend off the encroachment into EU cyberspace by big firms from the United States, as well as the big government from China. By combining the powers of its huge market and regulatory apparatus, the EU is trying to reclaim digital sovereignty from not only the other countries, but more importantly, the digital giants.

The EU’s data strategy can be seen as part of its broader plan of establishing its own “strategic autonomy.”79 The concept started as an idea of the French, when they published their 1994 white paper on defense.80 Gradually, however, it was accepted by all of the big three EU Member States: Germany, France, and Italy.81 The concept was adopted by the EU in 2016 when it unveiled its Global Strategy, which was supposed to “nurtures the ambition of strategic autonomy” for the EU.82 With Trump’s election as U.S. president and Brexit, the concept started to take off among the governments of EU Member States.83 While there was some ambiguity on the exact content of the concept, the bigger EU Member States typically perceive it as referring to decision-making autonomy.84 This was recently confirmed by the new trade strategy paper issued in February 2021, where the EU further refined it as a concept of “open strategic autonomy,” which emphasizes “the EU’s ability to make its own choices and shape the world around it through leadership and engagement, reflecting its strategic interests and values,”85 with a priority area being the EU’s digital agenda.86

On data flow, the EU takes a bifurcated approach. Non-personal data are supposed to flow freely pursuant to the EU’s Framework for the Free Flow of Non-personal Data,87 while the cross-border flow of personal data is subject to the stringent requirements under the GDPR, despite the explicit recognition under the GDPR that “[f]lows of personal data to and from countries outside the Union and international organisations are necessary for the expansion of international trade and international cooperation.”88 Due to its high compliance costs,89 the GDPR has proven to be “challenging especially for the small and medium sized enterprises (SMEs).”90 To stay away from potential legal challenges, many U.S. websites blocked access to EU customers before the GDPR went into effect91 and remained unavailable in the EU months after.92

In addition to its negative impact on cross-border data flow, the GDPR also creates the pressure toward data localization, especially after the decision of the Court of Justice of the European Union in Data Protection Commissioner v. Facebook Ireland, Maximillian Schrems (Schrems II).93 However, as Chander has eloquently argued, data localization not only will not “solve the policy objectives identified in Schrems II,” but also creates “its own policy problems.”94 The data localization requirements for non-personal data are banned by the EU’s Framework for the Free Flow of Non-personal Data, which mandates EU Member States to repeal their data localization laws by May 30, 2021. In contrast, however, the GDPR does not include such a prohibition. On the contrary, data localization requirements for personal data are quite common among EU countries,95 with most covering special categories of sensitive data like health-related personal data or financial services data.96 On the latter point, it is worth noting that the EU approach again diverges from the current U.S. approach. When the United States negotiated the Trans-Pacific Partnership, it carved out the entire financial services sector from the scope of its e-commerce chapter, including prohibition of data localization requirements.97 In the new USMCA, however, the United States explicitly brought the financial services sector under the ban by stating that data localization should not be required “so long as the Party’s financial regulatory authorities, for regulatory and supervisory purposes, have immediate, direct, complete, and ongoing access to information processed or stored on computing facilities that the covered person uses or locates outside the Party’s territory.”98 It would be interesting to see whether the EU shifts closer to the U.S. approach in the future.

In its RTAs, the EU has not been able to include substantive language on data issues until recently. This was due to the internal differences between the two director-generals (DGs) with overlapping jurisdictions on the issue, that is, DG-Trade, which favors free trade for the sector; and DG-Justice, which has concerns over personal information protection.99 Thus, notwithstanding its strong interest in privacy protection, the EU positions in its existing FTAs have been rather modest, usually requiring Parties to adopt their own laws for personal data protection to help maintain consumer trust and confidence in electronic commerce.100 In February 2018, the two DGs were finally able to reach a compromise position, which on the one hand includes horizontal clauses on free flow of all data and a ban on localization requirements, while on the other hand affirming the EU’s right to regulate in the sector by making clear that it shall not be subject to investor-state arbitration.101 Despite this development, the EU still seems to prefer handling data flow issues through bilateral “adequacy” recognitions, which so far have only been granted to a dozen countries.102 In many of its latest FTAs, data flow issues were left out in the main text, with a separate adequacy decision adopted. This is, for example, the case of its Economic Partnership Agreement (EPA) with Japan, where the adequacy decision103 was adopted separately from the EPA, which does not include commitments on free flow of data.104 Its recent FTA with Vietnam, by contrast, lacks not only provisions on data flow and localization but also any plan for an adequacy decision.

The diverging approaches among the three major players are not randomly chosen. Instead, they reflect deeper differences in their respective commercial interests and regulatory approaches within each jurisdiction.

First, the global e-commerce market is largely dominated by China and the United States. Among the ten biggest digital trade firms in the world, six are American and four are Chinese.105 Of course, this does not necessarily mean that they must share the same position. Upon closer examination, one can see that the U.S. firms on the list tend to be pure digital service firms. Firms like Facebook, Google, and Netflix do not sell physical products but only provide digitalized services such as online search, social network, or content services. In contrast, two of the top three Chinese firms—Alibaba and JD.com—sell mainly physical goods. This is why the United States focuses on the “digital” side while China focuses on the traditional “trade” side when it comes to digital trade, as I argued in another paper.106

One may argue that China also has giant pure digital firms like Baidu and Tencent, which are often referred to, respectively, as the Google and the Facebook of China. However, because they serve almost exclusively the domestic Chinese market and most of their facilities and operations are based in China, they do not share the demands for free cross-border data flow like their U.S. counterparts, which have data centers in strategic locations around the world.

As for the EU, with no major players in the game, their restrictive privacy rules could be viewed as a form of “digital protectionism”107 to fend off the invasions of American and Chinese firms into Europe.

The second influence is their different domestic regulatory approaches. In the United States, the development of the sector has long benefited from its “permissive legal framework,”108 which aims to minimize government regulation on the Internet and relies heavily on self-regulation in the sector. Such policy is even codified in the law, with the Telecommunication Act of 1996 explicitly stating that it is “the policy of the United States . . . to preserve the vibrant and competitive free market that presently exists for the Internet and other interactive computer services, unfettered by Federal or State regulation.”109 Therefore, it is no surprise that the United States wishes to push for deregulation and the free flow of information at the international level, a long-standing policy that can be traced back to the Framework for Global Electronic Commerce announced by the Clinton administration in 1997.110 At the same time, the United States does not have a comprehensive privacy protection framework. Instead, it relies on a patchwork of sector-specific laws,111 which provide privacy protection for consumers of a variety of sectors such as credit reports and video rental. This is further complemented by case-by-case enforcement actions by the Federal Trade Commission, and self-regulation by firms themselves. This explains why, in its RTAs, the United States does not mandate uniform rules on personal information protection but allows members to adopt their own domestic laws.

On the other hand, in China, the Internet has always been subject to heavy government regulations, which not only dictate the hardware one must use to connect to international networks, but also the content that may be transmitted online.112 Many foreign websites are either filtered or blocked in China, which confirms China’s cautious position on free flow of data. Moreover, in 2016, China also adopted the Cyber Security Law, which requires the operators of critical information infrastructure to store locally personal information they collected or generated in China. This is at odds with the U.S. demand to prohibit data localization requirements. Privacy protection is also weak in China, as it was only incorporated into the Chinese legal system in 2009, along with extensive exemptions for the government.

The EU, in contrast, has a long tradition of human rights protection, partly in response to the atrocities of the Second World War.113 Coupled with the absence of major digital players wielding significant market power and the lack of a strong central government with overriding security concerns, this translates into a strong emphasis on privacy in the digital sphere. Moreover, the EU is also able to transcend the narrow mercantilist confines of the United States114 and recognize privacy as not only a consumer right but also a fundamental human right that is recognized in several fundamental EU instruments115 and the constitution of many Member States.116 Such a refreshing perspective is probably the biggest contribution made by the EU to digital trade issues.

Trade agreements are complicated. Data sovereignty issues are even more so. This chapter provides a modest attempt to offer some clarity to these issues with an in-depth discussion of the data sovereignty models of the three major players. The discussions herein should provide some help in understanding the approaches of most other countries in the world as well because, as illustrated by Ferracane and Marel in their recent comprehensive survey, countries around the world broadly fit in one of the three models discussed here.117

At the same time, we should not be disheartened by the wide divergences among the three approaches. Such differences might prove to be short-lived as countries are learning from each other’s experiences. For example, with its recent ban on TikTok and WeChat, the United States seems to be taking a leaf out of China’s playbook. At the same time, by accepting obligations on free flow of data and prohibitions on data localization requirements, China seems to be edging closer to the U.S. position. Just like the three kingdoms in Chinese history, which were ultimately united into one, hopefully, the three digital kingdoms studied in this chapter can also, through trade agreements,118 forge their divergent approaches to data sovereignty into one, at least in cyberspace.

Notes
1 John H. Jackson, The Great 1994 Sovereignty Debate: United States Acceptance and Implementation of the Uruguay Round Results, 36 Colum. J. Transnat’l L. 157, 182 (1997).

2 See Lassa Oppenheim, 1 International Law – A Treatise 103 (1905) (“There exists perhaps no conception the meaning of which is more controversial than that of sovereignty.”).

3 James R. Crawford, The Creation of States in International Law 26 (1st ed. 1979).

4 Hent Kalmo & Quentin Skinner, Introduction: A Concept in Fragments, in Sovereignty in Fragments: The Past, Present and Future of a Contested Concept 4 (Hent Kalmo & Quentin Skinner eds., 2010).

5 Andrew Keane Woods, Litigating Data Sovereignty, 128 Yale L.J. 328, 360 (2018).

6 Louis Henkin, That “S” Word: Sovereignty, and Globalization, and Human Rights, Et Cetera, 68 Fordham L. Rev. 1 (1999).

7 Id. at 2.

8 Louis Henkin, International Law: Politics and Values 9–10 (1995).

9 Stéphane Beaulac, The Power of Language in the Making of International Law: The Word Sovereignty in Bodin and Vattel and the Myth of Westphalia 1 (2004).

10 See id. at 101 (citing Jacques Maritain, The Concept of Sovereignty, in In Defense of Sovereignty 41, 43 (Wladyslaw J. Stankiewicz ed., 1969)).

11 Charles E. Merriam, History of the Theory of Sovereignty since Rousseau 13 (1900); Jean Bodin, Les Six Livres de la Republique [Six Books of the Commonwealth] 84 (1576).

12 Bodin, supra note 11, 122 (“La SOUVERAINETÉ est la puissance absolue & perpétuelle d’une République”).

13 Beaulac, supra note 9, at 122 (citing Dominique Carreau, Droit International 15 (7th ed. 2001)).

14 Beaulac, supra note 9, at 137 (citing E. Jouannet, Emer de Vattel et L’émergence Doctrinale du Droit International Classique 404 [1998]).

15 Id. at 137.

16 Carl Schmitt, Political Theology: Four Chapters on the Concept of Sovereignty 6 (2008).

17 Id. at 5.

18 Id.

19 Id.

20 Id. at 11.

21 Lawrence Lessig, Code Version 2.0 283 (2006).

22 Id. at 287.

23 Id. at 286–87.

24 Id. at 290.

25 Ai Thanh Ho, Towards a Privacy-enhanced Social Networking Site 50 (Apr. 2012) (Ph.D. dissertation, Université de Montréal), https://papyrus.bib.umontreal.ca/xmlui/bitstream/handle/1866/8581/Ho_Ai_2012_these.pdf;jsessionid=8C6B63BC38E30AC76436C22468476E60?sequence=4 (discussing the “data sovereignty principle”, i.e., “the data related to an individual belongs to him and that he should stay in control of how these data are used and for which purpose.”).

26 See Zachary N.J. Peterson et al., A Position Paper on Data Sovereignty: The Importance of Geolocating Data in the Cloud, in Proceedings of the 3rd USENIX Conference on Hot Topics in Cloud Computing 1, https://www.usenix.org/legacy/events/hotcloud11/tech/final_files/Peterson.pdf (using data sovereignty to describe the notion of “establishing data location at a granularity sufficient for placing it within the borders of a particular nation-state.”).

27 Patrik Hummel et al., Data Sovereignty: A Review, 8 Big Data & Soc’y 1 (2021).

28 Id. at 12.

29 Bill Clinton, President, U.S., Speech on China Trade Bill at the Paul H. Nitze School of Advanced International Studies of the Johns Hopkins University (Mar. 9, 2000), https://www.iatp.org/sites/default/files/Full_Text_of_Clintons_Speech_on_China_Trade_Bi.htm.

30 Mark Wu, Digital Trade-Related Provisions in Regional Trade Agreements: Existing Models and Lessons for the Multilateral Trade System 22–23 (2017), http://e15initiative.org/publications/digital-trade-related-provisions-in-regional-trade-agreements-existing-models-and-lessons-for-the-multilateral-trade-system.

31 Henry Gao, Digital or Trade? The Contrasting Approaches of China and US to Digital Trade, 21 J. Int’l Econ. L. 297, 303–04 (2018).

32 See Anupam Chander & Uyên P. Lê, Data Nationalism, 64 Emory L.J. 677, 719–21 (2015).

33 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the Protection of Natural Persons with Regard to the Processing of Personal Data and on the Free Movement of such Data, and Repealing Directive 95/46/EC (General Data Protection Regulation), Recital 1, 2016 O.J. (L119) 1 [hereinafter GDPR].

34 Telecommunication Act of 1996 § 509(b)(2), 47 U.S.C. § 230(b)(2).

35 Wangluo Anquan Fa (网络安全法) [Cyber Security Law] (promulgated by the Standing Comm. Nat’l People’s Cong., Nov. 7, 2016, effective June 1, 2017), art. 1 (China) [hereinafter PRC Cyber Security Law].

36 United States-Mexico-Canada Agreement, Can.-Mex.-U.S., art. 19.11, Nov. 30, 2018, 134 Stat. 11 (2020) [hereinafter USMCA].

37 Id. art. 19.12.

38 Id. at n.4.

39 Id. art. 19.8.2.

40 Graham Greenleaf, The UN should Adopt Data Protection Convention 108 as a Global Treaty: Submission on ‘The Right to Privacy in the Digital Age’ to the UN High Commission for Human Rights, to the Human Rights Council, and to the Special Rapporteur on the Right to Privacy 1 (2018), https://www.ohchr.org/Documents/Issues/DigitalAge/ReportPrivacyinDigitalAge/GrahamGreenleafAMProfessorLawUNSWAustralia.pdf.

41 USMCA, supra note 36, art. 19.8.2.

42 Id. art. 19.8.3.

43 Id. art. 19.15.

44 Id.

45 Cybersecurity Enhancement Act of 2014, Pub. L. No. 113-274, 128 Stat. 2971 (2014).

46 Id. § 101.

47 USMCA, supra note 36, art. 19.10.

48 Henry S. Gao, Data Regulation with Chinese Characteristics, in Big Data and Global Trade Law 245 (Mira Burri ed., 2021).

49 Regional Comprehensive Economic Partnership art. 12.14, Nov. 15, 2020, https://rcepsec.org/legal-text [hereinafter RCEP].

50 Id. art. 12.15.

51 Minfa Dian (民法典) [Civil Code] (promulgated by the Nat’l People’s Cong., May 28, 2020, effective Jan. 1, 2021), v.4, ch.6 (China).

52 Geren Xinxi Baohu Fa (个人信息保护法) [Personal Information Protection Law of the People’s Republic of China] (promulgated by the Standing Comm. Nat’l People’s Cong., Aug. 20, 2021), art. 13.3 (China).

53 Id. art. 18.

54 Id. art. 35.

55 Id. art. 45.

56 What Is the Cross-Border Privacy Rules System?, APEC, https://www.apec.org/About-Us/About-APEC/Fact-Sheets/What-is-the-Cross-Border-Privacy-Rules-System (last visited July 24, 2021).

57 PRC Cyber Security Law, supra note 35, art. 37.

58 Id.

59 Guojia Wangluo Anquan Jiancha Caozuo Zhinan (国家网络安全检查操作指南) [National Network Security Inspection Operation Manual] (promulgated by the Central Leading Group on Cyber Security and Informatisation General Office, Network Security Coordination Bureau, June 1, 2016) (China).

60 Guanjian Xinxi Jichu Sheshi Queding Zhinan (Shixing) (关键信息基础设施确定指南(试行)) [Guide on the Determination of Critical Information Infrastructure (Trial)] (promulgated by the Cyberspace Administration of China, July 2016) (China).

61 An Shujun (安数君), Shuju Chujing Ruhe “Anjian” (数据出境如何“安检”) [How to Conduct “Safety Check” for Exporting Data], Zhihu (知乎) (May 11, 2019), https://zhuanlan.zhihu.com/p/65413452.

62 Shuju Anquan Fa (数据安全法) [Data Security Law of the People’s Republic of China] (promulgated by the Standing Comm. Nat’l People’s Cong., Jun. 10, 2021), art. 21 (China).

63 Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data, O.J. 1995 (L281) 31.

64 See Susan A. Aaronson & Patrick Leblond, Another Digital Divide: The Rise of Data Realms and its Implications for the WTO, 21 J. Int’l Econ. L. 245, 260 (2018).

65 GDPR, supra note 33, art. 4.1.

66 Id. art. 4.7.

67 Id. art. 4.8.

68 Id. art. 49.1(a).

69 Id. art. 6.1. See also Aaditya Mattoo & Joshua P. Meltzer, International Data Flows and Privacy: The Conflict and its Resolution, 21 J. Int’l Econ. L. 769, 774 (2018).

70 GDPR, supra note 33, art. 5.1. See also Mattoo & Meltzer, supra note 69, at 774.

71 GDPR, supra note 33, art. 45.

72 Id. art. 46.

73 Frances Burwell & Kenneth Propp, The European Union and the Search for Digital Sovereignty: Building “Fortress Europe” or Preparing for a New World?, Atlantic Council (June 22, 2020), https://www.atlanticcouncil.org/in-depth-research-reports/issue-brief/the-european-union-and-the-search-for-digital-sovereignty. For the statement by EU President Ursula von der Leyen, see Mark Scott, What’s Driving Europe’s New Aggressive Stance on Tech, Politico (Oct. 28, 2019), https://www.politico.com/news/2019/10/28/europe-technology-silicon-valley-059988. For the statement by incoming EU commissioner for the internal market Thierry Breton, see Thierry Breton, Answer to the European Parliament – Questionnaire to the Commissioner-Designate Thierry Breton (2019), https://ec.europa.eu/commission/commissioners/sites/comm-cwt2019/files/commissioner_ep_hearings/answers-ep-questionnaire-breton.pdf.

74 For the distinction between the two, see Burwell & Propp, supra note 73, at 1.

75 Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions on a European Strategy for Data, at 9, COM (2020) 66 final (Feb. 19, 2020), https://ec.europa.eu/info/sites/info/files/communication-european-strategy-data-19feb2020_en.pdf [hereinafter A European Strategy for Data].

76 Burwell & Propp, supra note 73, at 2.

77 Jeremy Shapiro, Introduction: Europe’s Digital Sovereignty, in Europe’s Digital Sovereignty: From Rulemaker to Superpower in the Age of US-China Rivalry 6, 11 (2020), https://ecfr.eu/wp-content/uploads/europe_digital_sovereignty_rulemaker_superpower_age_us_china_rivalry.pdf.

78 A European Strategy for Data, supra note 75, at 4.

79

See Henry Gao, The EU-China Comprehensive Agreement on Investment: Strategic Opportunity Meets Strategic Autonomy 1–23, https://doi.org/10.1007/16517_2021_1 (last visited Feb 12, 2022).

80

Jean-Marie Guehenno, Livre Blanc Sur La défense Et La sécurité Nationale [White Paper on Defense and National Security] (1994), http://www.livreblancdefenseetsecurite.gouv.fr/pdf/le-livre-blanc-sur-la-defense-1994.pdf.

81

 

Ulrike Franke & Tara Varma, Independence Play: Europe’s Pursuit of Strategic Autonomy 6 (2019), https://ecfr.eu/wp-content/uploads/Independence-play-Europes-pursuit-of-strategic-autonomy.pdf
.

82

 

European Union, Shared Vision, Common Action: A Stronger Europe. A Global Strategy for the European Union’s Foreign and Security Policy (2016), https://eeas.europa.eu/archives/docs/top_stories/pdf/eugs_review_web.pdf
.

83

 Franke & Varma,  supra note 81, at 7.

84

 Id. at 10–11.

85

 Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions on Trade Policy Review – An Open, Sustainable and Assertive Trade Policy, at 4, COM (2021) 66 final, https://trade.ec.europa.eu/doclib/html/159438.htm.

86

 Id. at 16.

87

Regulation (EU) 2018/1807 of the European Parliament and of the Council of 14 November 2018 on a Framework for the Free Flow of Non-Personal Data in the European Union, 2018 O.J. (L303) 59.

88

GDPR, supra note 33, recital 101.

89

 

Luke Irwin, How Much Does GDPR Compliance Cost in 2021?, IT Governance Blog En (June 10, 2021), https://www.itgovernance.eu/blog/en/how-much-does-gdpr-compliance-cost-in-2020
.

90

 Communication from the Commission to the European Parliament and the Council Data Protection as a Pillar of Citizens’ Empowerment and the EU’s Approach to the Digital Transition – Two Years of Application of the General Data Protection Regulation, at 9, COM (2020) 264 final (June 24, 2020), https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:52020DC0264&from=EN.

91

 

Sam Schechner & Natalia Drozdiak, U.S. Websites Go Dark in Europe as GDPR Data Rules Kick In, Wall St. J. (May 25, 2018), https://www.wsj.com/articles/u-s-websites-go-dark-in-europe-as-gdpr-data-rules-kick-in-1527242038.

92

 

Jeff South, More Than 1,000 U.S. News Sites Are Still Unavailable in Europe, Two Months After GDPR Took Effect, NiemanLab (Aug. 7, 2018), https://www.niemanlab.org/2018/08/more-than-1000-u-s-news-sites-are-still-unavailable-in-europe-two-months-after-gdpr-took-effect.

93

Case C-311/18, Data Prot. Comm’r v. Facebook Ir. Ltd. and Maximillian Schrems, ECLI:EU:C:2020:559 (July 16, 2020).

94

 

Anupam Chander, Is Data Localization a Solution for Schrems II?, 23 J. Int’l Econ. L. 771, 778–84 (2020).

95

Frances G. Burwell & Kenneth Propp, The European Union and the Search for Digital Sovereignty: Building ‘Fortress Europe’ or Preparing for a New World?, Research Reports (June 2020), Washington, DC: Atlantic Council, at 9.

96

 

Nigel Cory, Cross-Border Data Flows: Where Are the Barriers, and What Do They Cost 20–31 (2017), http://www2.itif.org/2017-cross-border-data-flows.pdf?_ga=2.63382255.1306428313.1587045825-1501175350.1587045825.

98

USMCA, supra note 36, art. 17.18.2.

99

Aaronson & Leblond, supra note 64, at 261.

100

 Id.

101

 Id. at 262.

102

So far, the EU has granted adequacy recognitions to Andorra, Argentina, Canada (commercial organizations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Switzerland, and Uruguay. See Adequacy Decisions, Eur. Comm’n, https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en (last visited July 24, 2021).

103

Press Release, Eur. Comm’n, European Commission Adopts Adequacy Decision on Japan, Creating the World’s Largest Area of Safe Data Flows (Jan. 23, 2019), https://ec.europa.eu/commission/presscorner/detail/en/IP_19_421.

104

According to art. 8.81 of the EPA, “[t]he Parties shall reassess within three years of the date of entry into force of this Agreement the need for inclusion of provisions on the free flow of data into this Agreement.”

105

 List of Largest Internet Companies, Wikipedia, https://en.wikipedia.org/wiki/List_of_largest_Internet_companies (last visited Feb. 20, 2020).

106

 

Henry Gao, Digital or Trade? The Contrasting Approaches of China and US to Digital Trade, 21 J. Int’l Econ. L. 297 (2018).

107

 

Susan A. Aaronson, What Are We Talking about When We Talk about Digital Protectionism?, 18 World Trade Rev. 541 (2019).

108

 

Anupam Chander, The Electronic Silk Road: How the Web Binds the World Together in Commerce 57 (2013).

109

Telecommunication Act of 1996, § 509(b)(2), 47 U.S.C. § 230(b)(2).

110

Aaronson & Leblond, supra note 64, at 254.

111

 Chander, supra note 108, at 57–58.

112

For an overview of Chinese data regulation, see Gao, supra note 48.

113

Mattoo & Meltzer, supra note 69, at 771 (citing James Q. Whitman, The Two Western Cultures of Privacy: Dignity Versus Liberty, 113 Yale L.J. 1151 (2004)).

114

See Paul M. Schwartz & Karl-Nikolaus Peifer, Transatlantic Data Privacy Law, 106 Geo. L.J. 115, 132–37 (2017).

115

 See, e.g., Charter of Fundamental Rights of the European Union art. 8, Dec. 18, 2000, 2000 O.J. (C 364) 1; Convention for the Protection of Human Rights and Fundamental Freedoms art. 8, Nov. 4, 1950, 312 U.N.T.S. 222.

116

These include Germany, Greece, Hungary, Poland, and Spain. See Mattoo & Meltzer, supra note 69, at 772.

117

Martina Francesca Ferracane & Erik van der Marel, Regulating Personal Data: Data Models and Digital Services Trade (World Bank, Policy Research Working Paper No. 9596, 2021), https://openknowledge.worldbank.org/bitstream/handle/10986/35308/Regulating-Personal-Data-Data-Models-and-Digital-Services-Trade.pdf.

118

 See, e.g., Douglas W. Arner, Giuliano Castellano, & Ēriks Selga, The Transnational Data Governance Problem (Aug. 27, 2021). Berkeley Technology Law Journal, Forthcoming, University of Hong Kong Faculty of Law Research Paper No. 2021/039, Available at SSRN: https://ssrn.com/abstract=3912487 or http://dx.doi.org/10.2139/ssrn.3912487.
