Hostname: page-component-cd9895bd7-gvvz8 Total loading time: 0 Render date: 2024-12-24T02:32:29.738Z Has data issue: false hasContentIssue false

Privacy, Cybersecurity, and GATS Article XIV: A New Frontier for Trade and Internet Regulation?

Published online by Cambridge University Press:  02 May 2019

Neha Mishra*
Affiliation:
Melbourne Law School

Abstract

Measures restricting data flows outside one's borders, including mandatory data/server localization measures, are not only a barrier to trade, but also largely ineffective in achieving better internet security or trust. Nevertheless, governments deploy such measures, primarily on grounds of cybersecurity and privacy, potentially violating their obligations under the General Agreement on Trade in Services (GATS). In this article, I investigate whether GATS-inconsistent measures may be justified under GATS Art. XIV when aimed at ensuring privacy or cybersecurity, and, if so, whether GATS Art. XIV effectively balances trade and internet policy. As the internet governance framework is complex and somewhat ambiguous, applying GATS Art. XIV to cybersecurity/privacy measures necessitates balancing of trade liberalization principles and domestic internet policy. This exercise can be effective in weeding out data localization measures disguised as privacy/cybersecurity measures, particularly by employing relevant technical and factual evidence. However, given the lack of binding international law/norms on these issues, GATS Art. XIV has a limited role, particularly in cases involving direct conflict between multistakeholder/transnational internet norms and domestic internet policies, or where the measures are founded on contentious standards/benchmarks on privacy/cybersecurity. Ultimately, ensuring free and secure data flows requires a multidimensional policy response, including strengthening linkages between trade law and internet governance.

Type
Research Article
Copyright
Copyright © Neha Mishra 2019

Access options

Get access to the full version of this content by using one of the access options below. (Log in options will check for institutional or personal access. Content may require purchase if you do not have access.)

Footnotes

I gratefully acknowledge the support of the Australian Government Research Training Program Scholarship and the Competitive Additional Funding received from Melbourne Law School. I thank Tania Voon, Andrew Mitchell, Victor do Prado, Nikitas E Hatzimihail, Yannis Voudouris, and fellow panellists and participants at the 7th PEPA-SIEL Conference 2018, and two anonymous reviewers for the World Trade Review for their very helpful comments and insights on earlier drafts of this article.

References

1 See, e.g., A. G. Martinez, ‘The End of Data without Borders’, The Wired (1 February 2018); Komaitis, K., ‘The “Wicked Problem” of Data Localization’, 3(2) Journal of Cyber Policy (2017), 355CrossRefGoogle Scholar.

2 Chander, A. and Le, U. P., ‘Data Nationalism’, 64 Emory Law Journal (2015), 677, 680Google Scholar.

3 See European Commission, ‘Proposal for a Regulation of the European Parliament and of the Council on a Framework for the Free Flow of Non-Personal Data in the European Union’, Doc. no. 2017/0228 (COD) (13 September 2017), Art. 3(5).

4 See, e.g., Портал персональных данных Уполномоченного органа по защите персональных данных [Federal Law no. 242-FZ of 21 2014 on Amendments to Certain Legislative Acts of the Russian Federation with Regard to Specifying the Procedure for the Processing of Personal Data in Data Telecommunications Networks] (Russia), ‘Russian Data Localisation Law’, Art. 18(5).

5 For example, in the European Union data storage includes data processing. See Hon, W. K. et al. , ‘Policy, Legal and Regulatory Implications of a Europe-only Cloud’, 24 International Journal of Law and Information Technology (2016), 251, 259CrossRefGoogle Scholar.

6 Sometimes, a data localization measure may not prohibit cross-border transfer although it may necessitate localization. See, e.g., Russian Data Localization Law. See also Tuthill, L., ‘Cross- border Data Flows: What Role for Trade Rules?’, in Sauvé, P. and Roy, M. (eds.), Research Handbook on Trade in Services (Cheltenham: Edward Elgar, 2016), pp. 357, 363Google Scholar.

7 For example, a Schengen routing plan was proposed by Germany requiring all personal data of EU residents to be only routed through the EU. See P. Bank, ‘Deutsche Telekom: “Internet Data made in Germany Should Stay in Germany”’, DW: Made for Minds (18 October 2013), www.dw.com/en/deutsche-telekom-internet-data-made-in-germany-should-stay-in-germany/a-17165891.

8 See, e.g., Regulation on the Protection of Natural Persons with Regard to the Processing of Personal Data and on the Free Movement of Such Data, and Repealing Directive 95/46/EC, Regulation (EU) 2016/679 of the European Parliament and of the Council [2016] OJ L119 (1 May 2018) (GDPR). In this paper, I use privacy and data protection interchangeably, particularly while referring to legislative frameworks.

9 See, e.g., J. Wagner, ‘China's Cybersecurity Law: What You Need to Know’, The Diplomat (1 June 2017), https://thediplomat.com/2017/06/chinas-cybersecurity-law-what-you-need-to-know/.

10 See, generally, Chander and Le, ‘Data Nationalism’, supra n. 2, at 730–734; M. F. Ferracane, ‘Restrictions to Cross-Border Data Flows: A Taxonomy’, ECIPE Working Paper no. 1/2017, European Centre for International Political Economy (November 2017), 6.

11 ‘The World's Most Valuable Resource is no Longer Oil, but Data’, The Economist (6 May 2017), www.economist.com/leaders/2017/05/06/the-worlds-most-valuable-resource-is-no-longer-oil-but-data.

12 See, e.g., Communication from the African Group, ‘Work Programme on Electronic Commerce’, Report of Panel Discussion on ‘Digital Industrial Policy and Development’, WTO Doc. JOB/GC/133 (21 July 2017).

13 See, generally, Peng, Shin-yi and Liu, Han-wei, ‘The Legality of Data Residency Requirements: How Can the Trans-Pacific Partnership Help?’, 51(2) Journal of World Trade (2017), 183, 199Google Scholar. See also A. Mcquinn and D. Castro, ‘How Law Enforcement Should Access Data Across Borders’, Information Technology and Information Foundation (July 2017), 1, 2; Hon, W. K., Data Localization Laws and Policy: The EU Data Protection International Transfers Restriction through a Cloud Computing Lens (Cheltenham: Edward Elgar, 2017), pp. 4849CrossRefGoogle Scholar. For historical discussion on this issue, see Bender, D. R., ‘Transborder Data Flow: An Historical Review and Considerations for the Future’, 79(3) Special Libraries, 230235Google Scholar.

14 Aaranson, S., ‘Why Trade Agreements are Not Setting Information Free: The Lost History and Reinvigorated Debate over Cross-Border Data Flows, Human Rights and National Security’, 14(4) World Trade Review (2015), 671, 674, 682685Google Scholar; J. F. Hill, ‘The Growth of Data Localization Post-Snowden: Analysis and Recommendations for US Policymakers and Business Leaders’, Paper presented at Conference on the Future of Cyber Governance, The Hague Institute for Global Justice (1 May 2014).

15 See N. Mishra, ‘Data Localization Laws in a Digital World’, Public Sphere (2016), 136, 144–151.

16 J. Manyika et al., ‘Digital Globalization: The New Era of Global Flows’, McKinsey Global Institute (March 2016), www.mckinsey.com/business-functions/digital-mckinsey/our-insights/digital-globalization-the-new-era-of-global-flows, 1. See also UNCTAD, ‘Data Protection Regulations and International Data Flows: Implications for Trade and Development’, United Nations (2016), http://unctad.org/en/PublicationsLibrary/dtlstict2016d1_en.pdf, xi.

17 M. Bauer et al., ‘The Costs of Data Localisation: Friendly Fire on Economic Recovery’, ECIPE Occasional Paper 3/2014 (2014), 10.

18 Marrakesh Agreement Establishing the World Trade Organization (opened for signature 15 April 1994), 1869 UNTS 183 (entered into force 1 January 1995), annex 1B, General Agreement on Trade in Services (GATS).

19 GATS Art. I: 1 read with Art. XXVIII(b).

20 See, generally, D. Crosby, ‘Analysis of Data Localization Measures under WTO Services Trade Rules and Commitments’, Policy Brief, E15 Initiative (March 2016); generally, Mitchell, A. and Hepburn, J., ‘Don't Fence Me In: Reforming Trade and Investment Law to Better Facilitate Cross-Border Data Transfer’, 19 Yale Journal of Law & Technology (2017), 182Google Scholar.

21 S. Aaronson, ‘What Are We Talking About When We Discuss Digital Protectionism?’, Working Paper, Economic Research Institute of Asia (July 2017), 14.

22 See, generally, Wu, T., ‘The World Trade Law of Censorship and Internet Filtering’, 7 Chicago Journal of International Law (2006), 263Google Scholar; B. Hindley and H. Lee-Makiyama, ‘Protectionism Online: Internet Censorship and International Trade Law’, ECIPE Working Paper 12/2009, ecipe.org/publications/protectionism-online-internet-censorship-and-international-trade-law.

23 See, generally, Komaitis, ‘The “Wicked Problem” of Data Localisation’, supra n. 1, at 355; Mcquinn and Castro, ‘How Law Enforcement Should Access Data Across Borders’, supra n. 13; Selby, J., ‘Data Localization Laws: Trade Barriers, Legitimate Responses or Cybersecurity Risks, or Both?’, 25 International Journal of Law & Information Technology (2017), 213CrossRefGoogle Scholar.

24 See, generally, Peng, Shin Yi, ‘Cybersecurity Threats and the WTO National Security Exceptions’, 18 Journal of International Economic Law (2015), 449CrossRefGoogle Scholar.

25 S. Garfinkel, ‘The End of End-to-End?’, MIT Technology Review (1 July 2003); Hon, Data Localization Laws and Policy, supra n. 13, at 32, 105.

26 R. Barnes et al., Technical Considerations for Internet Service Blocking and Filtering, RFC 7754, Internet Engineering Task Force (March 2016), 12.

27 See Bauer et al., ‘The Costs of Data Localisation’, supra n. 17.

28 See, e.g., H. Lovells, ‘Russia Releases 2017 Data Privacy Inspection Plans: Microsoft Passes 2016 Inspection’ (19 January 2017), www.hldataprotection.com/2017/01/articles/international-eu-privacy/russia-releases-data-privacy-inspection-plans-for-2017-microsoft-passes-2016-inspection/; ‘Russia's Personal Data Localization Law: Expanding Enforcement’, Lexology, TFM Group (27 April 2016).

29 Hon, Data Localization Laws and Policy, supra n. 13, at 100; Sargsyan, T., ‘Data Localization, and the Role of Infrastructure for Surveillance, Privacy and Security’, 10 International Journal of Communications (2016), 2221Google Scholar.

30 For a discussion on the technological efficiency of data localization measures, see Section 4.2.2.

31 Mihaylova, I., ‘Could the Recently Enacted Data Localization Requirements in Russia Backfire?’, 50(2) Journal of World Trade (2016), 313, 317319Google Scholar; Hon, Data Localization Laws and Policy, supra n. 13, at 112–114; Leviathan Security Group, ‘Quantifying the Costs of Forced Localization’ (2015), https://static1.squarespace.com/static/556340ece4b0869396f21099/t/559dad76e4b0899d97726a8b/1436396918881/Quantifying+the+Cost+of+Forced+Localization.pdf, 3.

32 R. Bennett, ‘Surge in Data Localization Laws Spells Trouble for Internet Users on TechPolicyDaily.com (10 May 2016), www.aei.org/publication/surge-in-data-localization-laws-spells-trouble-for-internet-users/.

33 Mihaylova, ‘Could the Recently Enacted Data Localization Requirements in Russia Backfire?’, supra n. 31, at 313, 317–319.

34 See, e.g., GPPR, Arts. 6–9, 22.

35 Mihaylova, ‘Could the Recently Enacted Data Localization Requirements in Russia Backfire?’, supra n. 31, at 313, 317–319; Hon, Data Localization Laws and Policy, supra n. 13, at 112–114.

36 Hill, ‘The Growth of Data Localization Post-Snowden’, supra n. 14.

37 The internet technical and policy community consists of organizations such as Internet Governance Forum (IGF), Internet Engineering Task Force (IETF), World Wide Web Consortium (W3C), Internet Corporation for Assigned Names and Numbers (ICANN), and Internet Society (ISOC). Further, civil society organizations and technology companies are also often active members of the internet governance community, participating through several of the above bodies. See, e.g., discussion at IGF 2017 on ‘Digitalization and International Trade’ (19 December 2017), www.youtube.com/watch?v=O7f5h6eTn8w.

38 See discussion of electronic commerce at the WTO in D. Crosby, ‘E-commerce and Digital Trade for Development: Negotiations to Soft Launch at MC11’, E15 Initiative (October 2017), http://e15initiative.org/blogs/e-commerce-and-digital-trade-for-development-negotiations-to-soft-launch-at-mc11/. See also Conference Notes, Conference on the Use of Data in the Digital Economy (2 and 3 October 2017), Geneva, www.wto.org/english/res_e/reser_e/datadigitalc17notes_e.pdf.

39 See, e.g., Yilma, K. M., ‘The “Right to Privacy in the Digital Age”: Boundaries of the “New” UN Discourse’, 87(4) Nordic Journal of International Law (2018), 485528CrossRefGoogle Scholar (discussing the UN General Assembly resolutions on digital privacy). See also Access Now, ‘The Impact of Forced Localisation on Human Rights’ (4 June 2014), www.accessnow.org/the-impact-of-forced-data-localisation-on-fundamental-rights/. See also Chander, A., ‘International Trade and Internet Freedom’, 102 American Society of International Law Proceedings (2009), 37Google Scholar.

40 WTO, Work Programme on Electronic Commerce – Non-paper from the United States, WTO Doc. JOB/GC/94 (4 July 2016) [2.3]; WTO, Work Programme on Electronic Commerce – Non-Paper for the Discussions on Electronic Commerce/Digital Trade from Japan, WTO Doc. JOB/GC/100 (25 July 2016) [2.2].

41 See, generally, W. J. Drake et al., ‘Internet Fragmentation: An Overview’, Future of the Internet Initiative White Paper, World Economic Forum (January 2016); Global Commission on Internet Governance, ‘One Internet’, CIGI and Chatham House (2016).

42 See, e.g., WTO, Work Programme on Electronic Commerce – Non-paper from the United States, supra n. 40; WTO, Work Programme on Electronic Commerce – Non-Paper for the Discussions on Electronic Commerce/Digital Trade from Japan, supra n. 40.

43 Sargsyan, ‘Data Localization, and the Role of Infrastructure for Surveillance, Privacy and Security’, supra n. 29, at 2221.

44 S. Shackelford and F. Alexander, ‘China's Cyber Sovereignty: Paper Tiger or Rising Dragon?’, Asia & the Pacific Policy Society (18 January 2018), www.policyforum.net/chinas-cyber-sovereignty/. See also L. DeNardis et al., ‘The Rising Geopolitics of Internet Governance: Cyber Sovereignty v. Distributed Governance’, Paper presented at Columbia SIPS Tech & Policy Initiative, Columbia SIPA (November 2016).

45 Broeders, D., The Public Core of the Internet: Towards an International Agenda for Internet Governance, Amsterdam University Press (2016), p. 13CrossRefGoogle Scholar; DeNardis et al., ‘The Rising Geopolitics of Internet Governance’, supra n. 44, at 16–17.

46 See, generally, Mitchell and Hepburn, ‘Don't Fence Me In’, supra n. 20, at 182, 188–195.

47 Bauer et al., ‘The Costs of Data Localisation’, supra n. 17, at 5, 6.

48 See, generally, Global Commission on Internet Governance, ‘One Internet’, supra n. 41; ISOC, ‘Understanding Security and Resilience of the Internet’ (2013), www.internetsociety.org/sites/default/files/bp-securityandresilience-20130711.pdf; OECD, Digital Security Risk Management for Economic and Social Prosperity, OECD Recommendation and Companion Document (17 September 2015); Kulesza, J., International Internet Law (Abingdon: Routledge, 2012), 67CrossRefGoogle Scholar; OECD, The OECD Privacy Framework (2013), www.oecd.org/sti/ieconomy/oecd_privacy_framework.pdf.

49 ISOC, ‘Understanding Security and Resilience of the Internet’, supra n. 48, at 3; OECD, OECD Digital Economy Outlook (OECD Publishing, 2015), p. 19Google Scholar; J. West, ‘A Framework for Understanding Internet Openness’, Centre for International Governance Innovation and Chatham House, Paper Series no. 35 (May 3016), 5; N. Mishra, ‘International Trade, Internet Governance and the Shaping of the Digital Economy’, ArtNet Working Paper No. AWP 618, UNESCAP (29 June 2017), 11–15.

50 ISOC, ‘Understanding Security and Resilience of the Internet’, supra n. 48, at 3. See also Global Commission on Internet Governance, supra n. 41, at 2.

51 De Nardis, L., ‘Five Destabilizing Trends in Internet Governance’, 12(1) I/S: A Journal of Law and Policy (2015), 113, 130Google Scholar.

52 See, e.g., ‘If Facebook Will Not Fix Itself, Will Congress?’, The Economist (11 April 2018), www.economist.com/united-states/2018/04/11/if-facebook-will-not-fix-itself-will-congress; S. Frier, ‘Facebook Plunges as Pressure Mounts on Zuckerberg Over Data’, The Bloomberg (19 March 2018), www.bloomberg.com/news/articles/2018-03-19/facebook-s-zuckerberg-under-pressure-to-answer-for-data-breach; J. Lee, ‘The Rise of China's Tech Sector: The Making of an Internet Empire’ (4 May 2017), www.lowyinstitute.org/the-interpreter/rise-china-s-tech-sector-making-internet-empire; L. James, ‘Tech Ethics in Practice’ (20 March 2018), https://medium.com/doteveryone/tech-ethics-in-practice-44b710fbc44c.

53 See, generally, Hirsch, D. D., ‘The Law and Policy of Online Privacy: Regulation, Self-Regulation, or Co-Regulation?’, 34 Seattle University Law Review (2011), 439Google Scholar; ‘The Framework for Global Electronic Commerce’, Principles, 1–4, https://clintonwhitehouse4.archives.gov/WH/New/Commerce/read.html; Gibbons, L. J., ‘No Regulation, Government Regulation, or Self-Regulation: Social Enforcement or Social Contracting for Governance in Cyberspace’, 6(3) Cornell Journal of Law & Policy (1997), 475Google Scholar; Hwa, A. P., ‘Self-Regulation after WGIG’, in Drake, W. J. (ed.), Reforming Internet Governance: Perspectives from the Working Group on Internet Governance, United Nations (2008), pp. 130132Google Scholar.

54 For academic initiatives in this direction, see Carr, M., ‘Public–Private Partnerships in National Cyber-security Strategies’, 1(1) International Affairs (2016), 43CrossRefGoogle Scholar; World Economic Forum and Boston Consulting Group, ‘Cyber Resilience Playbook for Public Private Collaboration’ (January 2018), www3.weforum.org/docs/WEF_Cyber_Resilience_Playbook.pdf, 42–44.

55 中华人民共和国网络安全法 [Cybersecurity Law], People's Republic of China, National People's Congress (7 November 2016), Art. 37.

56 Russian Data Localisation Law, Art. 18(5).

57 Personally Controlled Electronic Health Records Act 2012 (Cth), s 77 (in connection with e-health records).

58 S. Sinha, ‘Store data locally, RBI directs payment facilitators’, The Economic Times (6 April 2018), https://economictimes.indiatimes.com/articleshow/63636133.cms?utm_source=contentofinterest&utm_medium=text&utm_campaign=cppst.

59 Law on Payment and Security Settlement Systems, Payment Services and Electronic Money Institutions, Law no. 6493 (20 June 2013) (Turkey), Art. 23 (in connection with e-payments).

60 Freedom of Information and Protection of Privacy Act, RSBC (1996), s 30.1 (British Columbia); Personal Information International Disclosure Protection Act, NS2006, s 5 (Nova Scotia).

61 Shackelford and Alexander, ‘China's Cyber Sovereignty’, supra n. 44.

62 Several engineers of top technology companies are also members of technical standard setting institutions such as the IETF and W3C, thus showing the close links between the internet technical community and the private sector.

63 See, e.g., Monicken, H., ‘US, China Trade Criticisms at the WTO Over Cybersecurity Measures’, 36(4) Inside US Trade (14 December 2018)Google Scholar, https://insidetrade.com/daily-news/us-china-trade-criticisms-wto-over-cybersecurity-measures; Communication from the United States, Measures Adopted and Under Development by China Relating to Its Cybersecurity LawQuestions to China, WTO Doc. S/C/W/378 (3 October 2018); Communication from the United States, Measures Adopted and Under Development by China Relating to Its Cybersecurity Law, WTO Doc. S/C/W/376 (23 February 2018); Communication from the United States, Measures Adopted and Under Development by China Relating to Its Cybersecurity Law, WTO Doc. S/C/W/274 (26 September 2017); Communication from the European Union, Statement by the European Union to the Committee on Technical Barriers to Trade 20 and 21 June 2018, WTO Doc. G/TBT/N/CHN/1172 (9 July 2018). See also United States Trade Representative, National Trade Estimate Report (2016), 91.

64 Lexology, ‘APEC and EU Discuss Interoperability between Data Transfer Mechanisms’, www.lexology.com/library/detail.aspx?g=22884b49-4d9b-45d9-a14a-708235bbca26.

65 See, e.g., Comprehensive and Progressive Agreement for Trans-Pacific Partnership (CPTPP) (signed 8 March 2018, not in force), www.mfat.govt.nz/en/trade/free-trade-agreements/free-trade-agreements-concluded-but-not-in-force/cptpp/comprehensive-and-progressive-agreement-for-trans-pacific-partnership-text/#CPTPP, Art. 14.8.2 (setting out a broad definition of regulatory framework for protection of personal information including self-regulatory privacy models, prevalent in the US and other APEC countries); United States–Canada–Mexico Trade Agreement (USMCA), https://ustr.gov/trade-agreements/free-trade-agreements/united-states-mexico-canada-agreement/united-states-mexico, Art. 19.15.2 (emphasizing on risk-based approaches to cybersecurity). See also C. Kuner, ‘The Internet and the Global Reach of EU Law’, LSE Law, Society and Economy Working Papers 4/2017, London School of Economics and Political Science (2017), 23–25.

66 See, generally, on electronic commerce provisions in regional trade agreements, M. Wu, ‘Digital Trade-Related Provisions in Regional Trade Agreements: Existing Models and Lessons for the Multilateral Trade System’, Overview Paper, RTA Exchange, Inter-American Development Bank and International Centre for Trade and Sustainable Development (November 2017); Huang, J., ‘Comparison of E-commerce Regulations in Chinese and American FTAs: Converging Approaches, Diverging Contents and Polycentric Directions?’, 64(2) Netherlands International Law Review (2017), 309CrossRefGoogle Scholar.

67 See, e.g., Appellate Body (AB) Report, United States – Measures Affecting the Cross-Border Supply of Gambling and Betting Services (US–Gambling), WT/DS285/AB/R (20 April 2005) [95], [294], [296], [301] [313]; AB Report, China – Measures Affecting Trading Rights and Distribution Services for Certain Publications and Audiovisual Entertainment Products (China–Publications and Audiovisual Products), WT/DS363/AB/R (19 January 2010) [141].

68 Mueller, M. L., Networks and States: The Global Politics on Internet Governance (Cambridge, MA: MIT Press, 2010), pp. 163CrossRefGoogle Scholar.

69 E. Korzak, ‘UN GGE on Cybersecurity: The End of an Era?’, The Diplomatic (31 July 2017), https://thediplomat.com/2017/07/un-gge-on-cybersecurity-have-china-and-russia-just-made-cyberspace-less-safe/; on the issue of privacy, the UN has only adopted resolutions with no binding effect. See, e.g., The Right to Privacy in the Digital Age, 69th session, Third Committee, Agenda Item 68 (b), UN Doc. A/C.3/69/L.26/Rev.1 (19 November 2014). See also Guiding Principles on Business and Human Rights, endorsed by the Human Rights Council in 2011

70 See R. Hill, ‘Dealing with Cyber Security Threats: International Cooperation, ITU, and WCIT’, Paper presented at 7th International Conference on Cyber Conflict: Architectures in Cyberspace (2015), 124, 25.

71 See M. Mueller, ‘Goodbye and Good Riddance to “Enhanced Cooperation”’, The Internet Governance Project (10 February 2018), www.internetgovernance.org/2018/02/10/goodbye-good-riddance-enhanced-cooperation/.

72 Panel and AB refer to the dispute settlement bodies of the WTO and is sometimes collectively referred as ‘WTO tribunals’ in this article.

73 See, e.g., GDPR Art. 45 (containing the adequacy mechanism to assess if a foreign data protection framework is essentially equivalent to that of the EU).

74 For detailed discussion of the relevant provisions in these agreements, see Wu, ‘Digital Trade-Related Provisions in Regional Trade Agreements’, supra n. 66; J.-A. Monteiro and R. Teh, ‘Provisions on Electronic Commerce in Regional Trade Agreements’, WTO Working Paper ERSD-2017-11, WTO (July 2017); A. Chander, ‘The Coming North American Digital Trade Zone’, Net Politics (9 October 2018), www.cfr.org/blog/coming-north-american-digital-trade-zone.

75 Lee-Makiyama, H., ‘Cross-border Data Flows in the Post-Bali Agenda’, in Evenett, S. J. and Jara, A. (eds.), Building on Bali – Work Programme for the WTO (Centre for Economic Policy Research, 2013), pp. 163Google Scholar, 164; But see Tuthill, ‘Cross-border Data Flows’, supra n. 6, at 357, 371; Crosby, ‘Analysis of Data Localization Measures under WTO Services Trade Rules and Commitments’, supra n. 20.

76 See, e.g., Burri, M., ‘Designing Future-Oriented Multilateral Rules for Digital Trade’, in Sauvé, P. and Roy, M. (eds.), Research Handbook on Trade in Services (Cheltenham: Elgar, 2016), pp. 331, 349Google Scholar. See also Mitchell and Hepburn, ‘Don't Fence Me In’, supra n. 20, at 182, 230–236.

77 See AB Report, Mexico – Tax Measures on Soft Drinks and Other Beverages (Mexico–Taxes on Soft Drinks), WT/DS308/AB/R (24 March 2006) [79]. The AB held that ‘laws and regulations’ refer to domestic laws and regulation, and not international law, unless it is incorporated into domestic law.

78 GATS Art. XIV(c)(i) (ii) (iii).

79 Emphasis added.

80 Panel Report, Colombia – Indicative Prices and Restrictions on Ports of Entry (Colombia–Ports of Entry), WT/DS/366/R (27 April 2009) [7.514]; AB Report, United States – Measures Relating to Shrimp from Thailand (US–Shrimp (Thailand)), WT/DS343/AB/R; WT/DS345/AB/R (1 August 2008) [7.174]. See also AB Report, Korea – Measures Affecting Imports of Fresh, Chilled and Frozen Beef (Korea – Various Measures on Beef), WT/DS161/AB/R, WT/DS169/AB/R (10 January 2001) [157]; AB Report, Thailand – Customs and Fiscal Measures on Cigarettes from the Philippines (Thailand–Cigarettes (Philippines)), WT/DS371/AB/R (15 July 2011) [177]; AB Report, US–Gambling [6.536]–[6.537]. See also Du, Ming, ‘The Necessity Test in World Trade Law: What Now?’, 15 Chinese Journal of International Law (2016), 817, 835CrossRefGoogle Scholar.

81 For a useful discussion on the principle of evolutionary interpretation, see Marceau, G., ‘Evolutive Interpretation by the WTO Adjudicator’, 21 Journal of International Economic Law (2018), 791813Google Scholar.

82 In context of evolutionary interpretation, see AB Report, United States – Import Prohibition of Certain Shrimp and Shrimp Products (US–Shrimp), WT/DS58/AB/R (6 November 1998) [129]; AB Report, China–Publications and Audiovisual Services [396]; Panel Report, Mexico – Measures Affecting Telecommunications Services (Mexico–Telecoms), WT/DS204/R (1 June 2004) [7.2]. While Members tend to accept GATS exception in an online context, they also favour a narrow reading of exceptions, see Work Programme on Electronic Commerce, Progress Report to the General Council, WTO Doc. S/L/74 (27 July 1999) [14].

84 The most widely discussed example is the Chinese cybersecurity law. See 中华人民共和国网络安全法 [Cybersecurity Law] (People's Republic of China) National People's Congress (7 November 2016). For a comprehensive discussion of data localization laws, see M. F. Ferracane et al., ‘Digital Trade Restrictiveness Index’, European Centre for International Political Economy (2018), http://globalgovernanceprogramme.eui.eu/wp-content/uploads/2018/09/DTRI-final.pdf.

85 For example, the GDPR imposes most of these requirements on all service providers in the EU, irrespective of the location where the data are stored and processed.

86 For example, several US states impose a requirement for notification of data breaches. See National Conference of State Legislatures, ‘Security Breach Notification Laws’ (29 September 2018), www.ncsl.org/research/telecommunications-and-information-technology/security-breach-notification-laws.aspx. Several countries in the Asia-Pacific region, including Australia and Korea, also impose data breach notification laws. See Nicholas Blackmore, ‘Mandatory Data Breach Notification Laws Spread Across Asia-Pacific’ (2 March 2018), www.kennedyslaw.com/thought-leadership/article/mandatory-data-breach-notification-laws-spread-across-asia-pacific.

87 See discussion in Section 2 above.

88 See, e.g., Universal Declaration of Human Rights, Art 12; International Covenant on Civil and Political Rights Art. 17; The Right to Privacy in the Digital Age, 69th session, Third Committee, Agenda Item 68 (b), UN Doc. A/C.3/69/L.26/Rev.1 (19 November 2014).

90 AB Report, United States – Countervailing Duties on Certain Corrosion-Resistant Carbon Steel Flat Products from Germany (US–Carbon Steel), WT/DS213/AB/R (19 December 2002) [157]. See also AB Report, Dominican Republic – Measures Affecting the Importation and Internal Sale of Cigarettes, WT/DS302/AB/R (19 May 2005) (Dominican Republic–Import and Sale of Cigarettes) [111]; AB Report, US–Gambling [138].

91 Strasbourg Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (Strasbourg Convention) (2005).

92 Regarding cross-border transfer of personal data (an issue relevant to international trade law), Art. 12.1 of the Federal Law on Data Protection, Federal Law no 152-FZ (14 July 2006) allows automatic transfer of personal data (subject to other legal requirements) to countries which are party to the Strasbourg Convention. The Roskomnadzor can also include countries with similar levels of data security as prescribed in the Convention as having adequate standards for cross-border data transfer (Russian Data Protection Law, Art. 12.2).

93 Kuner, ‘The Internet and the Global Reach of EU Law’, supra n. 65, at 28.

94 S. Sacks and M. K. Li, ‘How Chinese Cybersecurity Standards Impact Doing Business in China’, CSIS Policy Brief, Centre for Strategic and International Studies (August 2018), https://csis-prod.s3.amazonaws.com/s3fspublic/publication/180802_Chinese_Cybersecurity.pdf?EqyEvuhZiedaLDFDQ.7pG4W1IGb8bUGF; Y. Yang, ‘China's Cyber Security Law Rattles Multinationals’, The Financial Times, https://thediplomat.com/2017/07/un-gge-on-cybersecurity-have-china-and-russia-just-made-cyberspace-less-safe/ (31 May 2017).

96 Munin, N., Legal Guide to GATS (Kluwer Law International, 2010), p. 366Google Scholar.

97 AB Report, Mexico–Taxes on Soft Drinks [72]–[74]; See also Panel Report, China – Measures Affecting Imports of Automobile Parts (China–Auto Parts), WT/DS339/R, WT/DS340/R, WT/DS342/R (18 July 2008) [7.337].

98 See GATS Art. XIV (a), footnote 5.

99 Panel Report, US–Gambling [6.461].

100 In a related context, the Tallinn 2.0 Manual explicitly states the principle of sovereignty extends to ‘the physical, logical and social layers’ of cyberspace. One aspect of the exercise of sovereignty is the freedom to implement domestic cyber-policies including privacy and cybersecurity laws and regulations. See Schmitt, M. N., Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations (Cambridge University Press, 2017), pp. 1316CrossRefGoogle Scholar.

101 See, e.g., Shackleford, S. J et al. , ‘When Toasters Attack: Enhancing the “Security of Things” through Polycentric Governance’, 2 University of Illinois Law Review (2017), 415Google Scholar.

102 See, e.g., AB Reports, European Communities – Measures Prohibiting the Importation and Marketing of Seal Products (EC–Seal Products), WT/DS400/AB/R / WT/DS401/AB/R (18 June 2014) [5.199].

103 AB Report, Brazil – Measures Affecting Imports of Retreaded Tyres (Brazil–Retreaded Tyres), WT/DS332/AB/R (17 December 2007) [146], [178]; AB Report, US–Gambling [307]; Korea–Various Measures on Beef [164]; AB Report, Colombia – Measures Relating to the Importation of Textiles, Apparel and Footwear (Colombia–Textiles), WT/DS461/AB/R (22 June 2016) [5.75], [5.77]. See also Du, Ming, ‘The Necessity Test in World Trade Law: What Now?’, 15 Chinese Journal of International Law (2016), 817CrossRefGoogle Scholar.

104 See discussion above in Section 3 above.

105 Ibid.

106 As per the Global Cybersecurity Index 2017, about 38% of countries have a national cybersecurity strategy and 12% are in the process of implementing such a strategy. See UN News, ‘Half of all countries aware but lacking national plan on cybersecurity, UN agency reports’ (5 July 2017), https://news.un.org/en/story/2017/07/560922-half-all-countries-aware-lacking-national-plan-cybersecurity-un-agency-reports.

107 UNCTAD, ‘Data Protection and Privacy Legislation Worldwide’, http://unctad.org/en/Pages/DTL/STI_and_ICTs/ICT4D-Legislation/eCom-Data-Protection-Laws.aspx.

108 AB Report, US–Gambling [304].

109 Ibid.

110 AB Report, Brazil–Retreaded Tyres [210]. See also AB Report, EC–Seal Products [5.210].

111 Thus, the Panel could accord higher priority to certain types of evidence presented in a dispute. See AB Report, European Communities – Measures Affecting Asbestos and Products Containing Asbestos (EC–Asbestos), WT/DS135/AB/12 (5 April 2001) [161].

112 See Panel Report, EC–Asbestos [8.182], also [8.181].

113 Maurer, T. et al. , ‘Technological Sovereignty: Missing the Point?’, in Maybaum, M. et al. (eds.), Architectures in Cyberspace (NATO CCD COE Publications, 2015), pp. 53, 6162Google Scholar; N. Cory, ‘Cross-Border Data Flows: Where Are the Barriers and What Do They Cost?’, Information Technology and Innovation Foundation (May 2017), 3–4; Komaitis, ‘The “Wicked Problem” of Data Localization’, supra n. 1, at 361–362; United States International Trade Commission, ‘Global Digital Trade 1: Market Opportunities and Key Foreign Trade Restrictions’, Publication no. 4716, Investigation no. 332–561 (August 2017), 285; U. Ahmed and A. Chander, ‘Information Goes Global: Protecting Privacy, Security, and the New Economy in a World of Cross-border Data Flows’, Think Piece, E15 Expert Group on the Digital Economy, International Centre for Trade and Sustainable Development and World Economic Forum (November 2015), 6–7.

114 Hon et al., ‘Policy, Legal and Regulatory Implications of a Europe-only Cloud’, supra n. 5, at 251, 262.

115 P. S. Ryan et al., ‘When the Cloud Goes Local: The Global Problem with Data Localization’ (December 2013), Computer, https://storage.googleapis.com/pub-tools-public-publication-data/pdf/42544.pdf, 54, 56.

116 Hon, Data Localization Laws and Policy, supra n. 13, at 70.

117 Ibid. 62, 89.

118 See, generally, DeNardis, L., ‘Introduction: One Internet: An Evidentiary Basis for Policy Making on Internet Universality and Fragmentation’, in A Universal Internet in a Bordered World: Research on Fragmentation, Openness and Interoperability Volume I (Centre for International Governance Innovation and the Royal Institute of International Affairs, 2016), pp. 4, 6–10Google Scholar.

119 Hon, Data Localization Laws and Policy, supra n. 13, at 32, 105.

120 J. Kim, ‘How Sharding Works’, Medium (6 December 2014), https://medium.com/@jeeyoungk/how-sharding-works-b4dec46b3f6.

121 See Daskal, J., ‘The Un-Territoriality of Data’, 125 Yale Law Journal (2015), 326, 329Google Scholar.

122 Hoffman, D. et al. , ‘Trust in the Balance: Data Protection Laws as Tools for Privacy and Security in the Cloud’, 10 Algorithms (2017), 47, 55–6Google Scholar; Sargsyan, T., ‘The Turn to Infrastructure in Privacy Governance’, in Musiani, F. et al. (eds.), The Turn to Infrastructure in Internet Governance (Springer, 2015), pp. 189, 198Google Scholar; Chander and Le, ‘Data Nationalism’, supra n. 2, at 677, 730.

123 See, e.g., Bauer et al., ‘The Costs of Data Localisation’, supra n. 17; Meltzer, J. P., ‘The Internet, Cross-Border Data Flows and International Trade’, 2 Asia & the Pacific Policy Studies (2014), 90, 92Google Scholar; United States International Trade Commission, ‘Digital Trade in the US and Global Economies, Part 2’, Publication no. 4485 (August 2014) 65; Manyika et al., ‘Digital Globalization’, supra n. 16, at 1.

124 Hon et al., ‘Policy, Legal and Regulatory Implications of a Europe-only Cloud’, supra n. 5, at 251, 253–254.

125 J. M. Kaplan and K. Rowshankish, ‘Addressing the Impact of Data Location Regulation in Financial Services’, Global Commission on Internet Governance, Paper Series no 14, CIGI and Chatham House (May 2015), 1.

126 Economics and Statistics Administration and the National Telecommunications and Information Administration, ‘Measuring the Value of Cross-Border Data Flows’, US Department of Commerce (September 2016), 1.

127 Both quantitative or qualitative evidence can be put forth to assess the restrictive impact of a measure. See AB Report, Brazil–Retreaded Tyres [146].

128 For the weighing and balancing test, see AB Report, EC–Seal Products [5.214]; AB Report, ChinaPublications and Audiovisual Products [242].

129 AB Report, US–Gambling [308]; AB Report, Brazil–Retreaded Tyres [156].

130 Kuner, C., ‘Developing an Adequate Legal Framework for International Data Transfers’, in Gurtwith, S. et al. (eds.), Reinventing Data Protection (Springer, 2009), pp. 263, 269Google Scholar.

131 See generally Bennett, C. J., ‘The Accountability Approach to Privacy and Data Protection: Assumptions and Caveats’, in Guagnin, D. et al. (eds.), Managing Privacy through Accountability (Palgrave Macmillan, 2012), p. 33CrossRefGoogle Scholar.

132 GDPR Art. 3(2).

133 Kuner, C., ‘Extraterritoriality and Regulation of International Data Transfers in EU Data Protection Law’, 5(4) International Data Privacy Law (2015), 235, 244CrossRefGoogle Scholar. See also S. Yakovleva, ‘Should Fundamental Rights to Privacy and Data Protection be a Part of the EU's International Trade “Deals”?’, World Trade Review (2017), 1, 22.

134 Hon, Data Localization Laws and Policy, supra n. 13, at 221. See generally Bennett, C. L., ‘The Accountability Approach to Privacy and Data Protection: Assumptions and Caveats’, in Guagnin, D. et al. (eds.), Managing Privacy through Accountability (Springer online, 2012), p. 33CrossRefGoogle Scholar.

135 See generally Jerker, D. and Svantesson, B, ‘The Regulation of Cross-Border Data Flows’, 1(3) International Data Privacy Law (2011), 180, 194Google Scholar.

136 These trustmarks are often driven by private parties under the oversight of a governmental agency, e.g., Truste, the accountability agent under APEC CBPR is a business organisation based in the US recognised by the FTC, and Japan Institute for Promotion of Digital Economy and Community JIPDEC, the second accountability agent under APEC CBPR is recognized by the Ministry of Economy, Trade and Industry, Government of Japan. See further information, www.cbprs.org/Agents/AgentDetails.aspx.

137 APEC, APEC Cross-Border Privacy Rules System, /www.cbprs.org/.

139 See, e.g., G. Greenleaf, ‘APEC Privacy Framework: A New Low Standard’, Privacy Law and Policy Reporter (2005), 1; Greenleaf, G., ‘Five Years of the APEC Privacy Framework: Failure or Promise?’, 25 Computer Law & Security Report (2009), 28CrossRefGoogle Scholar. Regarding the differences between APEC CBPR and GDPR, see A. Wall ‘GDPR Matchup: The APEC Privacy Framework and Cross-Border Privacy Rules’, https://iapp.org/news/a/gdpr-matchup-the-apec-privacy-framework-and-cross-border-privacy-rules/.

140 See, e.g., Federal Trade Commission, ‘TRUSTe Settles FTC Charges it Deceived Consumers through Its Privacy Seal Program’, Press Release (17 November 2014), www.ftc.gov/news-events/press-releases/2014/11/truste-settles-ftc-charges-it-deceived-consumers-through-its.

141 A close reading of this resolution however indicates that privacy by design was seen as a complement to legal and regulatory measures, and not as an alternative.

142 GDPR Art. 25.

143 GATS Preamble, fourth recital.

144 See, e.g., Finnemore, M. and Hollis, D. B., ‘Constructing Norms for Global Cybersecurity’, 110(3) American Journal of International Law (2016), 425Google Scholar;

145 For a detailed study of the measure, see Savelyev, A., ‘Russia's New Personal Data Localization Regulations: A Step Forward or a Self-imposed Sanction?’, 32 Computer Law & Security Review (2016), 128CrossRefGoogle Scholar.

146 A study in 2015 had found that all major foreign internet companies would need to invest a total of 39 billion USD to comply with the data localization law. See L. Ragozin and M. Riley, ‘Putin Is Building Great Russian Firewall’, Electronic Commerce & Law Report, www.bloomberg.com/news/articles/2016-08-26/putin-is-building-a-great-russian-firewall (26 August 2016).

147 See generally Cohen, B. et al. , ‘Data Localization Laws and Their Impact on Privacy, Data Security and the Global Economy’, 32(1) Antitrust (2017), 107, 108109Google Scholar. See also Section 4.2.2.

148 See, e.g., AmCham China, ‘Navigating the Chinese Cybersecurity Law’ (18 May 2018), www.amchamchina.org/uploads/media/default/0001/09/7246f5970b90359c33d47f16e0f5c0518e7981a9.pdf.

149 See J. I. Wong, ‘Europe's Fight over Data Privacy Has a Silver Lining – a Cloud-Computing Boom’, Quartz (4 October 2016), qz.com/799750/microsoft-msft-azure-europes-in-the-middle-of-a-cloud-boom-thanks-to-data-privacy-rules/.

150 Munin, N., Legal Guide to GATS (Kluwer Law International, 2010), 372Google Scholar.

151 AB Report, United States – Standards for Reformulated and Conventional Gasoline (US–Gasoline), WT/DS2/AB/R (20 May 1996), p. 22.

152 AB Report, US–Shrimp [158].

153 ITU, ‘Global Cybersecurity Index’, www.itu.int/en/ITU-D/Cybersecurity/Pages/GCI.aspx.

154 AB Report, US–Shrimp [156]; AB Report, EC–Seal Products [5.302].

155 For example, domestic companies such as domestic online communication providers and internet platforms can track user details and activity (Federal Law no. 149 on Information, Information Technologies and Protection of Information, 2006 (Russia), Art. 10.1.3, 10.2.9. Further, the System of Operational Investigatory Measures authorises various government agencies to collect communications data and metadata, including from social media platforms, even prior to receiving a warrant. See Marachel, N., ‘Networked Authoritarianism and the Geopolitics of Information: Understanding Russian Internet Policy5(1) Media & Communication (2017), 29, 33Google Scholar. Further, it has also been reported that the Ministry of Communications requires that all digital products to install equipment to facilitate a dragnet Deep Packet Inspection surveillance system. See A. Soloatov and I. Borogoan, ‘The Kremlin's New Internet Surveillance Plan Goes Live Today’, The Wired (11 January 2012), www.wired.com/2012/11/russia-surveillance/;. Finally, the Federal Security Service can set standards for encryption of personal data, enabling state surveillance. See Zharova, A. K. and Elin, V. M., ‘The Use of Big Data: A Russian Perspective of Personal Data Security’, 33 Computer Law & Security Review (2017), 482, 486CrossRefGoogle Scholar.

156 GATS Preamble, third recital.

157 Under Para 5(c) of GATS Telecommunications Annex, all Members are under an obligation to allow service suppliers from all WTO Members to use ‘public telecommunications transport networks’ for the ‘movement of information within and across borders, including for intra-corporate communications of such service suppliers’ and for ‘access to information contained in databases or otherwise machine-readable form in the territory of any Member’. This provision is subject to the exception that Members may take measures ‘necessary to ensure the security and confidentiality of messages’ provided that they ‘are not applied in manner which would constitute a means of arbitrary or unjustifiable discrimination or a disguised restriction on trade in services’.

158 Although no explicit disciplines on electronic commerce have been adopted GATS Art. VI, certain recent free trade agreements refer to building greater internet trust through consumer protection laws, data protection laws, spam, and cybersecurity, indicating a possible future trend that a similar set of domestic regulations might also become necessary under the WTO framework, for example under GATS Art. VI or a Reference Paper. Some examples include ASEAN–Australia–New Zealand Free Trade Agreement (AANZFTA) (signed 27 February 2009, entered into force 1 January 2010), Art. 7; China–South Korea Free Trade Agreement (China–Korea FTA) (signed 1 June 2015, entered into force 20 December 2015), Art. 13.5; European Union–South Korea Free Trade Agreement, Art. 7.49(1)(d); Australia −United States Free Trade Agreement (AUSFTA) (signed 18 May 2004) [2005], ATS 1, Art. 16.6; Japan–Mongolia Economic Partnership Agreement, Art. 9.6.

159 For example, in the EU, non-personal data are subject to less stringent standards than personal data (subject to the GDPR). The EU has also adopted a regulation to enable free flow of non-personal data in the EU. See ‘Proposal for a Regulation of the European Parliament and Council on a Framework for the Free Flow of Non-Personal Data in the European Union’, COM (2017) 495 final (13 September 2017).

160 See discussion in Section 3 above.

161 Marrakesh Agreement Establishing the World Trade Organization (opened for signature 15 April 1994), 1867 UNTS 3 (entered into force 1 January 1995), annex 2, Understand on Rules and Procedures Governing the Settlement of Disputes (DSU), Art. 13.

162 See generally Footer, M. E., ‘The (Re)Turn to “Soft Law” in Reconciling the Antinomies in WTO Law’, 11 Melbourne Journal of International Law (2011), 241Google Scholar. For a view on incorporating more multistakeholder/private standards in international trade law, see Pauwelyn, J., ‘Rule-Based Trade 2.0? The Rise of Informal Rules and International Standards and How They May Outcompete WTO Treaties’, 17(4) Journal of International Economic Law (2014), 739CrossRefGoogle Scholar.

163 See, e.g., L. Gruszczynski, ‘Trade Law and Tobacco: Plain Sailing’ on Tradelinks (15 November 2018), www.linklaters.com/en/insights/blogs/tradelinks/trade-law-and-tobacco-plain-sailing (discussing the use of Framework Convention on Tobacco Control (FCTC) guidelines as factual evidence in the recent Australia – Plain Packaging dispute. However, the FCTC guidelines constitutes part of an international treaty but had not been signed by all the disputing parties and hence, not binding).

164 See text accompanying, nn. 49–51.

165 Broeders, D., ‘Aligning the International Protection of “the Public Core of the Internet” with State Sovereignty and National Security’, 2(3) Journal of Cyber Policy (2017), 366, 367369CrossRefGoogle Scholar.

166 DeNardis et al., ‘The Rising Geopolitics of Internet Governance’, supra n. 44, at 14–15.

167 Noction, ‘How Does BGP Select the Best Routing Path’ (18 January 2013), www.noction.com/blog/bgp_bestpath_selection_algorithm.

168 See, e.g., in relation the Chinese WAPI standard for Wi-Fi, http://actonline.org/2016/03/17/mobile-mythbusting-wifi-wapi-and-the-encryption-debate/. See also, DeNardis et al., ‘The Rising Geopolitics of Internet Governance’, supra n. 44, at 17.

169 See, e.g., Baird, S., ‘The Government at the Standards Bazaar’, in DeNardis, L. (ed.), Opening Standards: The Global Politics of Interoperability (Cambridge, MA: MIT Press, 2011), pp. 13, 18, 19Google Scholar; Ghosh, R., ‘An Economic Basis for Open Standards’, in DeNardis, L. (ed.), Opening Standards: The Global Politics of Interoperability (Cambridge, MA: MIT Press, 2011), pp. 75, 76Google Scholar.

170 See discussion in Section 4.1.

171 In recent WTO proposals on Electronic Commerce, China and the US took a hands-off approach to data protection and consumer protection issues, while others such as Canada, Chile, Korea, Singapore, Brazil, Hong Kong, Australia, Taiwan, and the EU have taken a much stronger stance. See, e.g., WTO, Work Programme on Electronic Commerce, Communication from Canada, Chile, Colombia, Côte d'Ivoire, the European Union, the Republic of Korea, Mexico, Montenegro, Paraguay, Singapore and Turkey – Trade Policy, the WTO and the Digital Economy, WTO Doc. JOB/GC/116, JOB/CTG/4 JOB/SERV/248, JOB/IP/21 JOB/DEV/42 (13 January 2017); WTO, Work Programme on Electronic Commerce – Non-Paper from Brazil, supra n. 40; WTO, Non-paper from the United StatesWork Programme on Electronic Commerce, supra n. 40.

172 See discussion in Section 3 above.

173 See, e.g., Panel Report, China–Publications and Audiovisual Products [7.894], [7.900], where the Panel effectively endorsed state censorship as a reasonably available and less trade restrictive alternative to censorship by selected entities.

174 See, e.g., discussion on Article 37 of Draft Measures on Internet Domain Names introduced by China in D. Sepulveda and L. E. Strickling, ‘China's Internet Domain Name Measures and the Digital Economy’, on National Telecommunications and Information Administration blog (16 May 2016), www.ntia.doc.gov/blog/2016/china-s-internet-domain-name-measures-and-digital-economy. This measure was, however, ultimately removed from the final regulations.

175 GATS Art. VI(4) reads as follows:

With a view to ensuring that measures relating to qualification requirements and procedures, technical standards and licensing requirements do not constitute unnecessary barriers to trade in services, the Council for Trade in Services shall, through appropriate bodies it may establish, develop any necessary disciplines. Such disciplines shall aim to ensure that such requirements are, inter alia:

  1. (a)

    (a) based on objective and transparent criteria, such as competence and the ability to supply the service;

  2. (b)

    (b) not more burdensome than necessary to ensure the quality of the service;

  3. (c)

    (c) in the case of licensing procedures, not in themselves a restriction on the supply of the service.

176 See generally Mitchell, A. D. and Mishra, N., ‘Data at the Docks: Modernizing International Trade Law for the Digital Economy’, 20(4) Vanderbilt Journal of Entertainment & Technology Law (2018), 1073, 11091129Google Scholar.