In 1998, WTO Members first addressed digital issues, agreeing to prohibit customs duties on electronic transmissions. In that year, according to the International Telecommunication Union (ITU), there were just over 1 million broadband connections in the world. Two decades later, there are over 1 billion fixed broadband connections – a thousand-fold increase – enabling nearly 4 billion people around the world to use the Internet.
As the number of connections has grown, so has digitally enabled trade. Firms in every industry are leveraging digital services, often supplied across borders, to streamline their operations and compete globally. Small enterprises have seen especially significant benefits from digitalization. Data analytics, cloud computing, and online platforms allow small businesses to keep costs low, scale up quickly without costly infrastructure investments, and compete against larger, more established firms.
But barriers to digital trade threaten the ability of all firms – including small businesses – to benefit from the advantages of the digital economy. When governments impose unnecessary barriers to cross-border data flows or discriminate against foreign digital services, local firms are often hurt the most, as they cannot take advantage of cross-border digital services that facilitate global competitiveness.
That is why USTR focuses on achieving strong, binding rules on digital trade in all of its negotiations. The U.S.-Mexico-Canada Agreement includes the most comprehensive and advanced digital trade rules ever negotiated, which USTR hopes will serve as a template for similarly strong and comprehensive rules elsewhere. And after 20 years, WTO Members have renewed their focus on digital issues, as the United States and other Members work toward a high-standard agreement on digital trade that would meaningfully reduce digital trade barriers around the world.
In this year’s National Trade Estimate (NTE), USTR continues its focus on barriers to digital trade. The key barriers to digital trade identified in the 2019 NTE include:
- China’s Restrictions on Cross-Border Data Flows and Data Localization Requirements: China’s Cybersecurity Law and a range of related implementing regulations would prohibit or severely restrict routine cross-border transfers of information, including a broad range of information falling into the undefined category of being “important”. The law also imposes data localization requirements on companies, including those that operate “critical information infrastructure.”
- China’s Cloud Computing Restrictions: China prohibits foreign companies from directly providing cloud computing services to customers in China, requiring foreign service suppliers to partner with a Chinese company and to turn over to that partner their technology, intellectual property, know-how, and brands in order to enter the market.
- China’s Web Filtering and Blocking of Legitimate Websites: China continues to engage in extensive blocking of legitimate websites. China currently blocks 10 of the top 30 global sites and over 10,000 domains in total, affecting billions of dollars in potential U.S. business.
- EU and EU Member States’ Digital Services Taxes: In 2018, the European Commission proposed a directive to levy an interim tax on revenues from digital services, including advertising, online marketplaces, and data services, on large companies, including those without a physical presence in the European Union. EU Member States including France, the United Kingdom, Italy, Spain and Austria are currently considering similar proposals. The U.S. opposes proposals that single out digital services for tax purposes. In addition, to the extent these proposals apply almost exclusively to U.S. companies, they raise further concerns of a discriminatory effect on U.S. suppliers participating in EU markets.
- India's Restrictions on Cross-Border Data Flows and Data Localization Requirements: In 2018, India published a number of measures that would restrict the cross-border flow of data and create onerous data localization requirements. In October, one such measure was implemented, requiring payment service suppliers to store all information related to electronic payments by Indian citizens within India. Much broader restrictions included in India’s draft Personal Data Protection law and draft e-Commerce Policy threaten to undermine the digital economy as a major source of growth for India.
- Indonesia’s Data Localization Requirements: Indonesia requires providers of a “public service” to establish local data centers and disaster recovery centers in Indonesia, and has proposed substantially expanding the categories of data subject to localization. Other regulations require local storage and processing of certain personal data and financial data.
- Indonesia’s Barriers to Internet Services: Indonesia is considering multiple new regulations that would require foreign providers of Internet services including online intermediaries, e-commerce companies and “digital platform services” suppliers to register with the government, designate permanent local representatives, and prioritize local goods and services.
- Indonesia’s Tariffs on Digital Products: In 2018, Indonesia issued a new regulation establishing tariff lines for digital products transmitted electronically such as software, apps, video, and music. Although tariffs are currently set at zero, imposing duties on digital products would raise concerns regarding Indonesia’s longstanding WTO commitment—renewed on a multilateral basis in December 2017—not to impose duties on electronic transmissions. Similarly, customs reporting requirements, even in the absence of a duty, would be highly disruptive of existing trade.
- Kenya’s Data Localization Requirements: A draft data protection law would require the local storage of personal data, prohibit the cross-border processing of certain “sensitive personal data,” and place unduly strict conditions on the transfer of personal data outside Kenya. Such restrictions will hamper the development of Kenya’s digital economy, and may undermine data security without providing any meaningful benefit to data privacy.
- Korea’s Restrictions on Cross-Border Data Flows: Korea restricts the export of geo-location data, disadvantaging international suppliers that incorporate services such as traffic updates and navigation into their products. Korea is the only market in the world that USTR is aware of maintaining such restrictions. In addition, while Korea has taken steps to expand cloud computing opportunities in its territory, restrictions on the cross-border use of cloud computing for financial services remains a serious impediment.
- Nigeria’s Data Localization Requirements: Nigeria requires businesses to store all data concerning Nigerian citizens in Nigeria. Nigeria also requires businesses to host all government data locally unless officially exempted. In practice, these requirements disproportionately affect foreign businesses, which distribute their data storage and processing globally.
- Russia’s Data Localization Requirements: Russian law requires that certain data on Russian citizens collected electronically by companies be processed and stored in Russia. U.S.-based services have been blocked for failure to comply with this law, including numerous IP addresses associated with U.S. cloud services providers in 2018. Many U.S. companies face a choice between withdrawing from the Russian market and operating under significant legal uncertainty.
- Saudi Arabia's Data Localization Requirements: In 2018, Saudi Arabia issued the Cloud Computing Regulatory Framework, requiring localization for certain types of data. The framework also increases liability for Internet service providers and creates broad regulatory powers to require cloud and other ICT service providers to install government filtering software. Such requirements may create market access barriers for many ICT services provided by foreign companies.
- Turkey’s Data Localization Requirements: Turkey maintains multiple data localization requirements in various laws and regulations, including limitations on transfers of personal data abroad, requirements that suppliers of electronic payment services maintain information systems within Turkey, and a new 2018 requirement that publicly traded companies keep their primary and secondary information systems and data in Turkey.
- Vietnam’s Restrictions on Online Advertising: Vietnam requires advertisers to contract with a local services supplier as a condition of placing advertisements on foreign websites targeting Vietnam. This requirement is burdensome and impractical, given that the online advertising market typically functions through automated, real-time auctions for ad space.
- Vietnam’s Data Localization Requirements: In 2018, Vietnam passed a law on cybersecurity that requires online service suppliers to store data and establish a local presence in Vietnam. It is currently considering implementing regulations that narrow the applicability of such requirements and apply them only after a company fails to comply with specific provisions of the law, such as failing to meet 24-hour takedown requirements for a wide array of online content. However, the requirements would still apply to a range of digital services and, as such, remain problematic.