Global reset – Technology decoupling (Part 4: The geopolitics of data)

Phuah Eng Chye (23 April 2022)

Data is the indispensable resource in the information society. UNCTAD notes digital data “are core to all fast-evolving digital technologies, such as data analytics, artificial intelligence (AI), blockchain, Internet of Things (IoT), cloud computing and other Internet-based services…global Internet bandwidth rose by 35 per cent in 2020…about 80 per cent of all Internet traffic relates to videos, social networking and gaming. Monthly global data traffic is expected to surge from 230 exabytes in 2020 to 780 exabytes by 2026…traffic is geographically concentrated in two main routes: between North America and Europe, and between North America and Asia”. In the “data-driven digital economy, two countries stand out: the United States and China. Together, they account for half the world’s hyperscale data centres, the highest rates of 5G adoption in the world, 94 per cent of all funding of AI start-ups in the past five years, 70 per cent of the world’s top AI researchers, and almost 90 per cent of the market capitalization of the world’s largest digital platforms. The largest such platforms – Apple, Microsoft, Amazon, Alphabet (Google), Facebook, Tencent and Alibaba – are increasingly investing in all parts of the global data value chain: data collection through the user-facing platform services; data transmissions through submarine cables and satellites; data storage (data centres); and data analysis, processing and use, for instance through AI. These companies have a competitive data advantage resulting from their platform component, but they are no longer just digital platforms. They have become global digital corporations with planetary reach; huge financial, market and technology power; and control over large swathes of data about their users. And they have seen their size, profits, market value and dominant positions strengthened during the pandemic, as digitalization has accelerated”.

Dan Ciuriak and Maria Ptashkina point out “whereas data was mostly exhaust when the General Agreement on Trade and Services (GATS) was developed – an unexploited by-product of commercial transactions, business and industrial processes, and other interactions – it has now become the most valuable asset of the digital age (the new oil) and, indeed, the essential capital asset for the emerging data-driven economy. It is hardly surprising that governments are seeking to capture this value through industrial policies and taxation reforms. Further, states will need to take measures to ensure the security and integrity of their essential services both internally and externally, especially the backbone infrastructure services – finance, transportation, communications and energy. Metaphorically, a nation’s digital borders must be as secure as its physical borders. With the rollout of the IoT and the flow of data into the inherently insecure cloud, the security challenges escalate not only from the perspective of vulnerability to hacking but also from the consequences of interference with the functioning of an infrastructure that increasingly acts as an interactive central nervous system for the economy. Finally, in parallel with the security concerns are the myriad issues raised in transposing the rules and norms governing social and political behaviour into the digital realm. These issues run the gamut from surveillance capitalism to state surveillance; to the use of personally identifiable information for commercial and political objectives, including fake news and targeted messaging for manipulation of electorates; to the governance of urban spaces…The vastness of the scope of these issues is due in part to the protean nature of data. Not only can data be used and reused in endless configurations and applications underpinning value capture and creation, but it also can act as a source of feedback to change the world that generated it in the first place. 
This feedback generates its own governance demands since it comes complete with the biases built into data, given the means of its collection and the populations from which it is sourced. These issues can be grouped under the broad rubric of sovereignty, because they affect how states govern themselves, and democratic legitimacy demands that governance principles shape, rather than be shaped by, the digital transformation”.

Dan Ciuriak and Maria Ptashkina argue “given the shift of political discourse onto digital platforms where it is susceptible to manipulation, the sovereignty pillar becomes an essential part of the governance regime. The sovereignty pillar safeguards the integrity of a country’s social choice mechanisms, which, in turn, determine everything from the political stripe of the governing party to gender policies, environmental commitments, and distributional issues such as access to health care, low income support and so forth. The issue of sovereignty, however, raises the risk of system friction. Historically and traditionally, social norms have differed across countries; the implications of these differences may get amplified in the digital age. One can contrast, for example, the concerns over China’s use of digital technologies (including facial recognition) for purposes of its Social Credit reputation-scoring system with those over digital personal rating systems employed in Western market contexts by eBay, Airbnb, credit rating services and so forth, which operate in similar ways. Although surveillance capitalism raises its share of worries, the differences in context – including the role of state power and the absence of an independent judiciary in China – heighten for many the threat perception in the latter context…Biometric data technology – ranging from facial recognition to retina or iris scans, fingerprints, voiceprints, scans of hands and so forth – is being deployed ubiquitously in the absence of elaborated protocols for use, with no social consensus within polities and certainly without a widely accepted useful standard for multilateral purposes…Privacy policy also faces more general issues. In the absence of a commonly accepted definition, there are different traditions in defining what constitutes personal data or personally identifiable information and in identifying the limits on information use, data collection or disclosure of information”.

Geopolitical significance of data

From a geopolitical perspective, the earliest to recognise and capitalise on the strategic power of information was the US. Information is the secret sauce of the US soft power strengths (e.g. currency, finance, innovation, education and content). The US ability to use information better than anyone else and its parallel control of networks and technology helped entrench its position as the dominant superpower for many decades.

Dan Ciuriak describes the US as exploiting its information advantage in two phases – an earlier phase built on intellectual property rights and a latter phase built on data. “The leading IP jurisdiction – the United States – was an early mover in recognizing its interests…Rent capture in the knowledge-based economy thus depends on expanding the scope of protected IP and on intensifying enforcement. In the international dimension, rent capture by the owners of IP requires expanding the suite of IP-related treaties to which countries are signatories…starting with the Omnibus Trade and Competitiveness Act of 1988, which introduced the Special 301 Report…the United States pioneered the introduction of IP protection into trade agreements, starting with the Canada-US Free Trade Agreement in 1989, and the North American Free Trade Agreement that followed…The introduction of IP chapters fundamentally changed the nature of trade agreements, since these agreements now enabled international rent capture not by exploiting economies of scale through liberalized trade but by excluding rival products through restricted trade. The push for internationalization of IP protection primarily served to channel rents into the handful of leading knowledge-based economies…A new fault line thus emerged internationally between the IP haves and the IP have-nots…Enforcement of IP rights had in fact become the biggest source of economic rent capture…Internationally, however, a battle line did form…The scene was set for the future trade and technology war”.

In the latter phase, Dan Ciuriak points out “the data-driven economy…signals the transition to a new economic era, in which a major new source of rents triggers new conflicts, both internal and external, on new battlegrounds, with new tools and weapons, between new coalitions. The contours of conflict are again changing…First, the skewed capture of rents in the modern knowledge-based and data-driven economy, which creates a tinderbox for societal conflict…societies that do not move decisively to arrest and retrace these trends risk potentially severe disruption driven by unpredictable populist politics…Societies need to take advantage of the pandemic-induced crisis to reset income and wealth distribution for the age of data. Second, the fragmentation being observed internationally is not creating natural coalitions with obvious bargaining chips to exchange in negotiations. In the consumer- and society-facing aspects of the data-driven economy, China evolved separately from the rest of the world behind its Great Firewall. Accordingly, the main contest for rents in these areas boils down to the United States, which hosts global champions that capture the vast bulk of the market, versus the rest of the world, which captures little. Interestingly, whereas domestically US populist politics align against the technology giants, internationally, US interests align with them. This makes for particularly challenging governance issues for the United States and likely militates against an international accord being reached. Moreover, China is not in this picture. In core technologies, meanwhile, the friction breaks down differently and awkwardly”.

In my view, there is a misimpression that the key information advantage lies in technology (hardware and software). The advantage offered by technology is transitory as its strategic value depreciates rapidly due to obsolescence. In this context, technology is only a key enabler to enhance the capture and use of data. In contrast, the information advantage from data is enduring. Datasets become more valuable as they become more comprehensive over time. The accumulation of data in production, services, logistics, marketing, transactions, social, surveillance and politics has passed a tipping point where it is disrupting legacy processes and organisations.

Data is thus no longer a by-product of the industrial economy. Data is the core of an information society with its datafied citizens. Data is not oil though. Data has a unique national identity and is intangible and inexhaustible. Governments can no longer leave data in the hands of the private sector and the global firms without oversight because of data’s crucial role in production, commerce, services, finance, infrastructure and in public services. In commercial hands, once data goes offshore, its use cannot be monitored and the risks it poses to national sovereignty are becoming unacceptable. It is a matter of time before more governments assert sovereign claims on data. Technology decoupling is not only leading to diverging technological paths, it is being accompanied by increasing protection of national data. Technology decoupling spells the end of the romanticised vision of a free and open global internet and the start of a transition to a landscape shaped by data governance controls.

Divergent data governance approaches

UNCTAD identified five approaches to data governance. Three are highly influential. The US adopts a market-oriented approach that accepts private sector control of data. China has a mixed security and digital development approach built on control of data by the government. The EU approach is based on fundamental rights and values and favours control of data by individuals. The remaining two – the security-oriented Russian and development-oriented Indian variants – have relatively limited global influence.

The US “has favoured a private market-driven approach aimed at stimulating innovation as well as supporting first-mover advantages and subsequent dominant positions by its digital firms, through network effects and acquisitions. In this context, the country has used trade agreements to ensure its firms unfettered access to foreign markets by, for example, favouring free data flows and banning practices such as data and server localization requirements…This approach enables data to flow back to the United States when users around the world engage with firms headquartered in the country. A key motivation behind the regulatory approach of the United States on cross-border data flows is maintaining its leadership in the global digital market and further expanding into new markets”. Its success in developing data-driven products and services “has created a positive feedback loop, which means that the more data that can be collected by United States companies, the better for their data products and, therefore, the greater their ability to succeed in global markets. Accordingly, the United States has advocated against digital and data protectionism…An undivided Internet and the free flow of information across borders are integral parts of the political and economic philosophy of the United States. Unlike most developed economies, the United States does not have an omnibus data privacy framework, nor does it impose any specific compliance requirements for cross-border transfers of personal data. The United States has, however, adopted strict localization policies for defence-related data, requiring that any company supplying cloud services to its Department of Defense must store its data only domestically. 
More recently, although not a general restriction on data flows, the United States has adopted the Clean Network Programme for protecting critical assets from foreign interference and guarding individual privacy by restricting untrusted telecommunications carriers, applications and cloud services, notably from China. Therefore, despite the overall liberal framework on cross-border data flows, the United States takes a restrictive approach for specific defence and national security issues. Due to the global, market-driven cloud computing model…the United States adopted the Clarifying Overseas Use of Data (CLOUD) Act…allows federal law enforcement authorities to require United States-based companies to provide user data stored abroad based on a warrant or subpoena, provided that it does not breach the privacy rights of an individual in the foreign country where the data are stored…it establishes a procedure by which the United States can enter into executive agreements with foreign countries to provide data for law enforcement purposes”.

In addition, UNCTAD notes “recent years have seen increasing pressure to adopt a privacy law…These moves towards privacy regulation…may point to the tide turning towards a departure from the free market approach with giant digital companies”. The recent emphasis on antitrust regulations and “recent bans on activities of some foreign digital companies (e.g. Huawei, TikTok and Grindr) in the United States market also point towards more interventions of the State in the markets and increased restrictions related to data and cross-border data flows, for national security reasons”. “Indeed, this may suggest that the United States is advocating for a free data flow policy for its companies around the world, and thus free foreign data inflows into the country, but at the same time imposing a policy of preventing foreign data-driven companies to enter the United States market and banning related domestic data outflows”.

UNCTAD points out “the Chinese regulatory model on cross-border data flows is based on the central role of cybersecurity in national security and is, therefore, highly restrictive…However, the protection of privacy has not been a major priority, and China is a major player in terms of mass digital surveillance. China has introduced various restrictions on cross-border data flows in its domestic laws. For instance, its domestic cybersecurity law requires critical infrastructure providers to store important data and personal information within China. The term critical infrastructure is defined broadly and ambiguously…data loss, destruction or leakage can result in serious damage to state security, national economy and people’s livelihood and public interests. Further, cross-border transfers of personal data by critical infrastructure providers are subject to extensive security assessment by the regulators. The Chinese approach to preserving cybersovereignty has evolved over the years to include hardware regulation (controlling how data flow across networks – for instance, data exchange in Internet exchange points (IXPs)), software regulation (such as access to virtual private networks) and data/content regulation. Further, China exercises strong control over Internet/data standards used in domestic technologies, which indirectly increases sovereign control over data flows…proposed a new IP protocol system at the International Telecommunication Union, which could change the way data flow. The Government has also proposed a regulation that would require traffic to be routed locally if a user in China accesses a local website.
Currently, China is in the process of finalizing its data protection framework, which proposes that one of the following conditions must be satisfied for cross-border transfer of personal data: (a) the data transfer must pass a security assessment…(b)…personal information protection certification for the data transfer; (c) the data transfer is in accordance with an international agreement; and (d)…any other conditions specified in the regulations. Further, this law includes a clear data localization mandate – all critical information infrastructure operators and notified personal information handlers must store personal information collected by them domestically. Moreover, the Government will seek international agreements for the transfer of personal data, and mutual recognition for standards of personal information protection. The economic interest of China in the digital market may explain the subtle shift in the country’s previously non-negotiable stance on cross-border data flows in recent months…A driver for the policy shift of China on commercial data flows could be to facilitate the digital component of the Belt and Road Initiative (BRI) known as the Digital Silk Road, which was launched in 2015”.

Rogier Creemers adds China has elevated the status of data to be “a production factor on par with land, capital, and labor in terms of importance. At the same time, Beijing has made clear that, like those other factors, data must be regulated. Last year, the National People’s Congress passed two separate pieces of legislation that constitute the twin pillars on which China’s data governance architecture rests: the Personal Information Protection Law (PIPL) and the Data Security Law (DSL)”.

The real impetus for PIPL “came from incidents such as the Snowden revelations, as well as a cavalcade of highly publicized incidents of large-scale data theft and data-enabled fraud…an illegal data trading cottage industry developed, where company or government employees purloined data to make an extra buck. And as more Chinese citizens became connected, more data was generated, and more of that data ended up in the hands of private companies, momentum toward a dedicated law on personal data protection grew”. “Where the PIPL’s first draft mostly targeted overt forms of abuse, its later iterations started paying more attention to those platforms themselves…The final version of the PIPL included, among others, an obligation for platform companies to create an independent body, mainly staffed with external members, to oversee personal information management activities, regularly release CSR reports on data protection, and limit the extent to which algorithms can be used to push content. Further draft regulations explicitly limited companies’ ability to use personal information and algorithms for work allocation for gig workers, or for anti-competitive purposes…This market-regulatory intention of the PIPL…resembles initiatives the EU is undertaking…Where China diverges, unsurprisingly, is in the extent to which the PIPL provides an effective constraint on government”.

Rogier Creemers explains “while Beijing has never quite made clear its specific concern about foreign listing, one could surmise they are concerned that the U.S. government might use the Foreign Corrupt Practices Act or other oversight processes to gain access to personal data on Chinese citizens. And, in view of reports on large-scale data capture on overseas individuals from China, perhaps there is some mirroring going on. This connection between data and national security has center stage in the DSL. This law not only covers personal information, but all possible data, held by anyone. Its goal is ensuring that national security and the public interest do not suffer harm from data-enabled interference by criminals or adversaries. To this end, all entities holding data in China will be required to self-categorize into one of five tiers, with higher tiers coming with stricter requirements on software and hardware maintenance, technical protection measures, reporting and auditing obligations, etc. Line ministries now have the task of publishing catalogues to indicate which data belongs in which tier”. “The DSL is unique worldwide: no other state has passed comprehensive legislation addressing the fundamental question of data governance and national security. This makes it probable that other countries will learn from China’s example – also if it’s an example of how not to do things”. He concludes “the PIPL and DSL also target the CCP’s adversaries, at home and – most importantly – abroad. Different regulatory bodies already issued several draft regulations that provide some detail on how the vague and general terms of the PIPL and the DSL will be implemented, but it will likely take years for the catalogues and schedules that are necessary for full compliance with the laws to come out”.

Simone McCarthy notes “under the new rules, all companies that operate a network must tell the government how sensitive the data they handle is, and what strategies and government-approved infrastructure they use to protect it from cyberattack. As the regulations are administered by the Ministry of Public Security, police teams and their affiliated agencies will have the authority to ask companies to provide documentary evidence to support their claims or even plug directly into their networks to verify them”. In this regard, “cybersecurity is not very good in China…A lot of information is bought, stolen and traded, so the government wanted to tighten that up.” “The Chinese government is moving rapidly to put in place exactly the kinds of protections that we in the US are concerned about on our side with supply chain security and data protection”, nonetheless “the pretty unique approach Beijing had taken to solving the problem was unlike anything multinationals were accustomed to, as in most countries there were no such cybersecurity requirements, except for sensitive industries like defence, financial services and healthcare”.

Simone McCarthy points out that foreign firms are concerned by how China’s cybersecurity law might affect their operations. The main risk highlighted is that “the Chinese government is putting in place new tools that make it much more difficult for foreign and domestic companies to keep their information private”. This includes invasive audits and inspections that could expose source codes or other proprietary information or “even remote or back-door access to their networks”. There are also questions over “how the new rules might affect their use of services and applications hosted outside the country due to the complexity of cross-border connectivity”. Given “the requirement to have only Beijing-approved infrastructure and networks, some companies fear they will have no choice but to switch to Chinese servers and service providers…if you are using a certain cloud service today, it might not be acceptable tomorrow if it’s not considered licensed by the Chinese government…So it could be blocked, and then you’re left without access to what’s a very important business application.” Hence, foreign firms need to “carefully consider what data is going through their Chinese servers” and refrain “from pouring in any outside data into their Chinese offices or even extracting local data that can be legally moved for analysis outside China to keep it private”.

Lindsey R. Sheppard, Erol Yayboke and Carolina G. Ramos note “often contrasted with the European Union – whose approach to data privacy through the GDPR is called the Brussels Effect – China offers a different model of data governance and regulation known as the Beijing Effect. Chinese law requires that various forms of data, including personal information and important data, be stored in China and undergo a government security review before transfer out of the country, if deemed necessary. These data localization mandates, along with other Chinese regulations regarding internet content and access, have severely restricted most foreign technology companies – with several notable exceptions – to the point that many are unable or unwilling to continue operations within China. In the absence of foreign competition, domestic companies such as TikTok, DiDi, and WeChat have flourished while complying with China’s hard localization requirements.”

UNCTAD notes “the European Union emphasizes the control of data by individuals…Thus, regulations on cross-border data flows are relatively strict and focus heavily on protecting the privacy of individuals. The European Union aims to build a single digital market within its borders, where digital products as well as data are free to flow under a set of rules to protect individuals, businesses and Governments from abuses arising from data collection, processing and commercialization. Regulation of the digital economy and data in the European Union has taken place mostly in a defensive or reactive manner, as it aims to address the concerns stemming from the activities of global digital platforms – for example, on issues related to abuses of market power, competition or taxation, in addition to the protection of data…most global digital platforms are based in the United States and China, while digital platforms based in the European Union are relatively marginal”.

UNCTAD notes “the General Data Protection Regulation (GDPR)…is one of the most comprehensive frameworks for data protection in the world…personal data can be transferred and processed outside the European Union only if there is full compliance with the privacy rights provided to its citizens. To that effect, personal data transfers are automatically allowed only to a specific group of countries and territories that the European Commission has endorsed as having data protection frameworks that are essentially equivalent to GDPR (adequacy finding)…Transfer of personal data to non-European Union countries that have not obtained positive adequacy findings is possible…(a) if the data processor can offer appropriate safeguards…or (b) if…the data processor obtains explicit consent from the data subject”. “Although GDPR is a regulation applicable to personal data within the European Union, it has an extraterritorial effect, as it applies to all activities of controllers or processors in the Union, regardless of whether the processing takes place in the Union or not…In recent years, the European Union has put some emphasis on the objective of digital sovereignty. This is due to several factors, such as the predominance of United States and Chinese companies in the digital technology sector, and the need to reduce dependence on external technologies in the absence of successful European technology companies. It also reflects concerns regarding the ability of the European Union to ensure privacy of its citizens, and the security risks associated with foreign technologies…While no clear definition of digital sovereignty exists in European Union policy, it can be considered to refer broadly to securing and protecting digital infrastructure in Europe, and addressing privacy rights of Europeans, including giving European Union citizens the right to decide where, how and by whom their personal data are used”. 
“The European Union does not favour data localization per se in its laws…GDPR recognizes the importance of cross-border flows of personal data…But given the strict requirements in GDPR, there is no easy way for cross-border data flows, as few countries have been granted adequacy”. “Recent developments[1] may suggest that the European Union is shifting in its position on data localization…With regard to cross-border data transfers and the prohibition of data localisation requirements, the Commission will follow an open but assertive approach, based on European values and interests. The Commission will work towards ensuring that its businesses can benefit from the international free flow of data in full compliance with EU data protection rules and other public policy objectives, including public security and public order. In particular, the EU will continue to address unjustified obstacles to data flows while preserving its regulatory autonomy in the area of data protection and privacy.”

“The Russian Federation has influence mainly at a regional level, as a leading economy and driver of digital development in the Eurasian Economic Union”. UNCTAD notes “similar to the Chinese model, the Russian regulatory model on cross-border data flows is premised on the centrality of network and data security as a political and national security issue. The Russian Federation considers cybersecurity to be a purely sovereign prerogative. However, unlike China, the Russian Federation has not put such a strong focus on the economic agenda for digital development, and has been relatively less successful in boosting the domestic digital sector, with some notable exceptions, such as Yandex (a search engine platform) and Kaspersky (a cybersecurity services and antivirus software provider). The Russian Federation has imposed a series of restrictions on cross-border data flows. The most significant is a blanket data localization requirement for personal data, requiring all companies operating in the country to record, systematize, accumulate, store, amend, update and retrieve personal data of all Russian nationals, using Russian servers”.

Lindsey R. Sheppard, Erol Yayboke and Carolina G. Ramos add that “while Russia has been aggressively asserting control over its internet architecture – cracking down on social media companies that do business in Russia without a physical presence and voicing increasing concerns with data flows out of the country – its approaches to data localization have primarily focused on implementing data mirroring policies. Data may be transferred and processed outside Russia but must be physically stored in databases within the nation’s borders. The mandates apply to Russia-based entities and to foreign companies that have Russian website domain names, use the Russian language on their website, or conduct business in Russia and deliver goods for payment in rubles”.

UNCTAD notes “the approach of India is mostly focused on the domestic market, with no expansion ambitions so far, although the country is a strong voice among developing countries in international debates on issues related to the digital economy”. “India is increasingly shifting towards a regulatory model primarily focused on maximizing the economic and social benefits of data and data-driven sectors for its citizens and the domestic economy, and minimizing revenue flows to companies based in digitally advanced economies. The underlying idea behind this approach is shielding India from data colonialism, i.e. preventing rich countries from deriving benefits from cross-border data flows at the cost of hurting the interests of India. The Personal Data Protection Bill and the Draft National E-Commerce Policy (entitled India’s Data for India’s Development), both clearly outline the ambition of India to build its digital sector by capitalizing on the data of Indian people through data localization measures. The Personal Data Protection Bill contains data localization requirements, as it requires a copy of sensitive personal data to be stored in India, and further prohibits cross-border transfers of critical personal data. Sensitive personal data are defined as (a) financial data, (b) health data, (c) official identifier, (d) sex life, (e) sexual orientation, (f) biometric data, (g) genetic data, (h) transgender status, (i) intersex status, (j) caste or tribe, (k) religious or political belief or affiliation, or (l) any other data categorized as sensitive personal data by the Government.
Given the broad definition of sensitive personal data, the proposed legislation creates a greater compliance burden for companies compared with the current legal regime (under which data can be transferred to any country providing the same level of protection as India, provided the transfer is necessary for the performance of an existing contract, and the user has consented to such transfer). The Government can consider any data as falling within the scope of critical personal data, because this term is not defined. Further, this bill emulates the approach of GDPR in permitting cross-border transfers of personal data only in limited circumstances: to countries for which the Government expressly allows transfers (adequacy approach); subject to approval of intra-group data transfer schemes; consent of the data subject; or based on specific necessity, as approved by the regulator. The Draft National E-Commerce Policy envisages broad data localization measures, although it does not include any explicit restrictions on cross-border flows of non-personal data”.

UNCTAD adds that recently a Committee of Experts on Non-Personal Data established by the Ministry of Electronics and Information Technology “has recommended data localization requirements for some categories of non-personal data: general non-personal data can be stored and processed anywhere in the world; sensitive non-personal data can be transferred outside the country, but must be stored in India; and critical non-personal data can be stored and processed only in India. Data localization requirements also apply to data collected using public funds, subscriber information collected by broadcasting companies, electronic books of accounts, and policyholder information collected by insurance companies. A key motivation…appears to be protecting the country’s economic interests by ensuring that local digital data are primarily used to develop domestic digital start-ups (or data champions), and thereby push back against the data colonialism of big technology companies…informed by the various advantages of data localization for ensuring effective regulatory oversight and enforcement of domestic laws. For instance, India requires all payment system providers to store data relating to payment systems in India (even if such data are processed abroad) so that the Reserve Bank of India can have unfettered supervisory access to data stored with these system providers as also with their service providers/intermediaries/third party vendors and other entities in the payment ecosystem. In the context of personal data protection, the Srikrishna Committee report stated that effective enforcement of Indian privacy law would invariably require data to be locally stored within the territory of India, and this would mean that such a requirement, where applicable, would limit the permissibility of cross-border transfers. 
However, requiring data localization for legal purposes also complements the domestic economic development logic behind the regulatory approach of India towards data governance, i.e. if more data can be stored within India, then it will lead to better domestic digital infrastructure for emerging digital technologies such as AI and IoT. Certain civil society bodies have expressed concerns that the Draft Data Protection Bill does not contain adequate checks and balances, especially because any governmental agency can be exempted from the law. Therefore, while the data protection bill enshrines tough compliance requirements for private companies…it remains unclear if the proposed law will be equally effective in protecting individuals from government surveillance”.

Generally, the large-population countries “have implemented or are in the process of implementing data localization mandates”. Lindsey R. Sheppard, Erol Yayboke and Carolina G. Ramos note “Brazil’s data privacy and protection legislation, the General Personal Data Protection Law (Lei Geral de Proteção de Dados Pessoais, or LGPD), entered into force in February 2020. Like the European Union’s GDPR, the LGPD enumerates the rights of individuals regarding their data and outlines how certain types of data may be used by companies and other third parties. After considering a data localization provision in its so-called fake news bill, Brazil also introduced a data localization amendment to the LGPD that, if enacted, would mandate that Brazilians’ personal data be physically stored and maintained within Brazilian borders”. “South Africa has taken steps to implement a GDPR-like data governance framework as well as separate legislation with explicit data localization requirements. Though South Africa’s Protection of Personal Information Act (POPIA) does not contain explicit data localization mandates, it does introduce increased preconditions for cross-border data transfers. In addition to POPIA, South Africa introduced the National Data and Cloud Policy, which includes requirements to store and process data considered critical information infrastructure within the country’s borders and to mirror data generated from South African natural resources”.


Dan Ciuriak points out “the major economies are aligning policies in international agreements with perceived national interests: the United States is promoting an open architecture that aligns with the market dominance of its data-intensive firms, whose approach to systemic risks reflects private considerations only; the European Union is promoting sound regulation, which aligns with its primarily defensive interests; and China is taking advantage of the size of its internal market to develop a competitive digital economy. For the small, open economies, the question is whether any of these models are in their interests. Given this, flexibility to regulate in the national interest, without incurring penalties that would tend to generate inaction due to regulatory chill effects, seems to be a paramount consideration when making commitments in such agreements”.

The different governance approaches pose significant challenges. Dan Ciuriak notes “it is an open question as to what will prove to be the most robust, secure and efficient architecture for the information society infrastructure in the data-driven-economy era. Indeed, the very lack of experience with alternative models and regulatory approaches has led to arguments against the regulation of the digital economy precisely because we do not yet know enough to regulate effectively. The same rationale applies to treaties that constrain the regulation of the digital economy”.

Hung Tran concludes “as these regional/national data-governance frameworks are being formalized into laws, in many cases with extraterritorial overreach, the global marketplace for ideas, information, and data will be fragmented, raising the costs of compliance in doing cross-border business as well as limiting the potential to share data widely, which, among other things, has been crucial for fostering collaborative scientific research leading to innovation”.

My conclusion is that the divergent data governance approaches are driven by national interests and objectives being shaped by the transition from industrial to information geopolitics. Decoupling did not cause but amplified these tensions. It is early, and my opinion is that the tensions will be resolved by the free information model advocated by the United States giving way either to the EU’s digital sovereignty model or the cybersovereignty model adopted by China and Russia.


Dan Ciuriak (5 March 2018) “The economics of data: Implications for the data-driven economy”. Centre for International Governance Innovation (CIGI).

Dan Ciuriak (27 July 2020) “Economic rents and the contours of conflict in the data-driven economy”. Centre for International Governance Innovation (CIGI).

Dan Ciuriak, Maria Ptashkina (15 April 2020) “Toward a robust architecture for the regulation of data and digital trade”. Centre for International Governance Innovation (CIGI).

Gary Clyde Hufbauer, Megan Hogan (October 2021) “Digital agreements: What’s covered, what’s possible”. Peterson Institute for International Economics (PIIE).

Hung Tran (November 2021) “Competing data governance models threaten the free flow of information and hamper world trade”. Atlantic Council.

Lindsey R. Sheppard, Erol Yayboke, Carolina G. Ramos (23 July 2021) “The real national security concerns over data localization”. Center for Strategic and International Studies (CSIS).

Phuah Eng Chye (12 March 2022) “Global reset – Technology decoupling (Part 1: Challenges, checkpoints, chokepoints and IOT)”.

Phuah Eng Chye (26 March 2022) “Global reset – Technology decoupling (Part 2: Decoupling race and scenarios)”.

Phuah Eng Chye (9 April 2022) “Global reset – Technology decoupling (Part 3: The standard setting battleground)”.

Rogier Creemers (26 January 2022) “China’s data legislation matures”. SupChina.

Simone McCarthy (13 October 2019) “Will China’s revised cybersecurity law put foreign firms at risk of losing their secrets?” SCMP.

United Nations Conference on Trade and Development (UNCTAD) (2021) “Digital economy report 2021 – Cross-border data flows and development: For whom the data flow”.

[1] Such as the Data Governance Act, the decision of the European Court of Justice in Schrems II, as well as the GAIA-X initiative.