International trade has always been an informatic exchange, from the grand exchange of culture and knowledge of the world to the tedious exchange of papers, bills of lading, customs certificates, and contracts in triplicate. Consistent with the epochal transition from paper as the informatic medium to digital,¹ contemporary international trade has become increasingly digitalized. Indeed, data has become the medium for international transactions. Consequently, cross-border data flow is essential to contemporary international trade (even when the goods or services are not traded in a digital form).² Supplementary to this, the volume of data flow is increasing through negotiated processes. For instance, in February 2021, the Framework Agreement on Facilitation of Cross-border Paperless Trade in Asia and the Pacific entered into force.³ The agreement aimed to progress efficiency in transactions and improve transparency and regulatory compliance.⁴ These negotiations highlight that the transition from paper to digital in international trade brought benefits and concerns. The benefits of immediacy, automation, and accessibility from the digital are realized through facilitating and reducing the costs of international trade. However, digital trade raises concerns about data security and personal privacy.⁵ These concerns and the regulation associated with them have led to risks of digital fragmentation in the global market.⁶ In this sense, fragmentation effectively means that the digital environment will be a series of smaller parts rather than one connected system that causes disruptions and unwelcome externalities on trade.

Concerns around data security and privacy are (at times) connected to the global recognition that data has value. For instance, Yakovleva argues that personal data is both a trade commodity and an asset.⁷ Chinese documentation recently referred to data as one of the five factors of production, alongside capital, labour, land, and technology.⁸ Other commentators have labelled data as “capital” and, as such, its value is increasingly recognized by corporate and governmental entities.⁹ As consumption does not decrease the value of data, it can be classified as a non-rival asset; hence, economic theory suggests that social welfare will increase where data is openly shared.¹⁰ However, that recognition of value has been accompanied by an upsurge in data regulation as nations impose restrictions on data flows and storage. As digital transactions become increasingly regulated by nations, there is a corresponding need for global cooperation to avoid laws and policies that lead to digital fragmentation, which in some instances can pose barriers to trade.¹¹ Fragmentation in this sense can lead to negative economic impacts, market access limitations, and restrictions on the rights of individuals.¹² Alternatively, cooperation may ensure that the benefits of trade facilitated by cross-border data flows can be realized within a policy setting that supports data security and personal privacy.¹³

In World Trade Organization (WTO) e-commerce negotiations, some parties targeted the objective of “data free flow with trust” (DFFT).¹⁴ Although the negotiations in this forum have been slow, they have allowed trade theorists to consider the many issues raised by this goal. In this respect, there are two key components that must be resolved by state parties in order to achieve DFFT. First, the data must be capable of being shared meaningfully. This requires data portability and interoperability, which has been cited as one of the most “challenging barriers to data reuse”.¹⁵ Data portability is the right to personally access your own data and reuse that data with another company.¹⁶ This could be considered one of the components of individual data rights. In contrast, interoperability requires corporations to support “interfaces” that “allow users to interact fluidly with users on other services”,¹⁷ which will protect individual data rights. The second challenge of DFFT is building a solid and stable shield of trust, much needed in the process of sharing data. This is a sizeable problem that ultimately requires global concerns about data security and privacy to be alleviated through technical standards and international agreements (enacted by private entities). These challenges can be addressed (in part) by negotiation, regulation, and corporate compliance; however, reconciling competing needs and interests is not a simple process.

This paper is a study of the challenges that arise in the pursuit of international DFFT. The key contribution of this paper is to identify actions needed to support this critical objective. Realizing this objective will be a way to avoid the externalities of digital fragmentation, the barriers to global cooperation are significant. The first section of this paper identifies how concerns about cross-border data flows have led to data sovereignty policies and national (and regional) data regulation. This section is both descriptive and analytical as it examines how data regulation, such as those enacted by the European Union (EU) and the People's Republic of China (China), has effectively created forms of trade barriers. The second section adds to the literature on the WTO in regulating global issues in the public-private nexus. Within this part, this paper provides evidence to show that the WTO has not yet been an effective forum for establishing a global consensus on cross-border data flows; nevertheless, negotiations continue and progress has been made through the joint statement on e-commerce, where parties have been promoting the objective of DFFT.¹⁸ The third section identifies the emergence of Preferential Trade Agreements (PTAs) as establishing some international norms in relation to the regulation of cross-border data flows; however, these agreements have not been effective in resolving data flow concerns, nor will they address the fragmentation issue. Hence, the final section is prescriptive and provides some initial steps to avoid fragmentation in the digital era.¹⁹ This paper supports new knowledge and demonstrates that discriminatory regulation of data flow and disproportionately prioritizing national interests will be a trade barrier that ultimately impacts on private entities and consumers. As such, cooperation on this matter is needed at a global level to avoid unintended externalities. For a digital future, this will include continued negotiations at the WTO alongside support for the Global South.

The phrase “digital globalization” has been termed to describe a new era of digitally facilitated trade.²⁰ Through e-commerce and the adoption of digital formats to facilitate paperless trade,²¹ the transfer of data across borders is becoming a significant global issue. This intensification of data flows is disrupting the established trading landscape and the long-recognized national and international norms of laws of trade and how information is regulated. Specifically, national concerns with data security, privacy, data portability, and interoperability have led to increasing volumes of national regulation of cross-border data flows. Some of these national regulations are starting to impact global trade,²² which mobilizes interest and action from the private sector.

Cross-border data flows occur when data is sent between parties that reside in different national jurisdictions. The rise of e-commerce has been one of the reasons for increased data flow (although by no means the only reason). In 1998, the WTO defined “e-commerce” to mean “the production, distribution, marketing, sale or delivery of goods and services by electronic means”.²³ Since 1998, e-commerce has changed both in scale and in nature. As Mitchell and Mishra suggest, it remains a “broad and evolving activity”.²⁴ Importantly, digital globalized trade extends beyond e-commerce platforms and retailers. The Australian Department of Foreign Affairs and Trade emphasizes that:

Digital trade is not just about buying and selling goods and services online, it is also the transmission of information and data across borders. It relies on the use of digital technologies to facilitate trade and improve productivity, for example through simplified customs procedures.²⁵

In short, cross-border data flows need to be understood, not just in the narrow e-commerce sense, but in the way these flows form the primary informatic engine for the global economy: “it is becoming clearer by the day that data flows are the heart and soul of digital trade”.²⁶ In particular, the era of digitalization has enabled trade where the absence of proximity previously made it impossible.²⁷ The increase in trade volumes has not just occurred in developed economies, developing countries have also benefit from easier access and distribution that digitization supports.²⁸

In addition, data has value beyond facilitating international trade. Indeed, data has been described as an asset,²⁹ as one of the five factors of production (as already stated),³⁰ and as capital.³¹ As noted, “[d]ata and connectivity are not just important tools to access overseas markets and customers but are also key ingredients for industrial production”.³² At the same time, the value of data is dependent upon the uses for which it is employed.³³ This means that not all data will lead to value creation, although much of it will.³⁴ Where it does generate value, as a non-rivalrous good (that is, its use by one person will not affect the use by another), open sharing of data should enhance social welfare.³⁵ Conversely, where barriers are erected to data sharing, costs will be imposed upon private entities that can potentially have detrimental flow-on consequences.

For these reasons, striking the right balance in data security requirements represents a substantial challenge in the era of digital globalization.³⁶ Regulation of cross-border data flows is often introduced to ensure the safe movement of personal data and metadata around the world.³⁷ Indeed, data security to support data privacy, which is considered in many countries to be a fundamental human right,³⁸ is critical to ensure consumer confidence. In addition, data and system security is needed to combat cybercrimes. The Budapest Convention, which was opened for signature in 2001, was conceptualized with a view to minimize cybercrimes through harmonized domestic legislative measures and to promote security through “greater unity” between the signatories.³⁹ This convention recognized that harmonization can lead to better security for all nations and, although it will not prevent digital fragmentation, it is one element needed in a global framework that supports data flow.

The movement of data has become a critical issue in the global trading landscape. Aligned with this, nations are trying to find an equilibrium between data security and international economic cooperation, which requires some policy alignment at an international level to address competing concerns.⁴⁰ Despite the need for cooperation and alignment in an era characterized by economic statecraft,⁴¹ coupled with amplified data security risks (and fear),⁴² data sovereignty has become a policy objective within some nations. Enforcing sovereignty over data could be considered a way of exercising control over data subjects⁴³ and those entities that need data to engage in commerce. Data sovereignty is a phrase which indicates that nations can restrict the movement of data, prevent data transfer across borders, or at the very least, set minimum standards for the storage of that data.⁴⁴ Asserting data sovereignty can support multiple policy objectives that include: the security of personal data and the privacy of citizens, national security, censorship, and population control.⁴⁵ However, this is also an objective that challenges traditional notions of sovereignty, particularly in those countries that extend their legal reach into cyberspace and necessarily beyond their own borders.⁴⁶ The uncertainty posed by digital transfer may also mean that control is not possible (or desirable in some instances).⁴⁷

Globally, there are increasing numbers of laws that impact the digital domain, introduced at a national level.⁴⁸ Data policies often focus on data localization (or restrictions on cross-border data transfers), use, storage, and other data transfer requirements.⁴⁹ Each of these presents challenges and arguably increases the risk of digital fragmentation.⁵⁰ For instance, data localization rules attempt to stop personal data or metadata from flowing beyond a nation's borders,⁵¹ which is a measure that some countries employ to support both cybersecurity and privacy requirements. Komaitis describes “forced data localization” as a “conscious governance decision under which the storage of data takes place on a device that is physically located within the country where the data were created”.⁵² Indeed, data localization requirements often necessitate operators to provide within jurisdiction storage facilities to conduct business or trade within a nation.⁵³ This, of course, increases the costs of trade, which ultimately impacts consumers.

As data localization rules decrease productivity and increase the cost of doing business within a nation, they can be categorized as protectionist measures.⁵⁴ For this reason, they are (sometimes) considered an “extreme” response to two categories of real or perceived risks arising from cross-border data flow.⁵⁵ First, that cross-border data flow exposes the data to interception and appropriation by hostile entities – foreign powers, commercial rivals, or cyber criminals.⁵⁶ Second, transmitting data beyond the nation's borders means that a desired level of security of personal privacy (or other sensitive information) in the nation of origin might not apply to the data once it arrives in a different jurisdiction. Analysis of these risks demonstrates that it is not the location of the data that will assure its security (after all, most information will inevitably need to be transmitted even within a nation's borders); rather, it is the method of storage and/or data sharing that creates data vulnerabilities. However, this does not stop nations from requiring that their data be stored locally and, in some instances, these localization requirements are encapsulated within the legal framework.

Governments from most larger economies are in the process of “deploying a wide range of tools to shape and nurture the digital domain”.⁵⁷ One of the most well-known examples of regulation of cross-border data flow is the strict measures introduced by the EU through the General Data Protection Regulation (GDPR).⁵⁸ While the scope of the GDPR is limited to personal data,⁵⁹ the security level required once this threshold condition is met is significant. The extraterritorial scope was drafted to ensure that any personal data transferred out of the EU would be subject to the same level of security that would be offered within its borders. Although one of the EU's core objectives is to facilitate cooperation between nations (at least, within the EU),⁶⁰ the security of personal data has become one of the region's policy imperatives. In contrast to the objectives of the EU, China has also proposed laws that provide security of personal data for its citizens while maintaining national data sovereignty. Although the laws of these two jurisdictions align, the national security priority within China is far more prominent.⁶¹ Indeed, the objective of data sovereignty is far more pronounced in the Chinese requirements than those in the EU. These are, of course, just two examples of jurisdictions where such provisions have been enacted. There are many more. It is this bottom-up approach, supporting national and regional self-interest, that has led to fears of global digital fragmentation.

Data security laws have been increasingly implemented around the world, particularly in G20 countries.⁶² Although a degree of homogeneity is demonstrated in these laws, digital fragmentation may be an undesirable outcome of small differences in the requirements. The EU has led the way with its regional GDPR.⁶³ The GDPR was enacted in 2018 with the objective of protecting the fundamental right to the security of personal data.⁶⁴ It prescribes a high level of personal data security in cross-border data flow with the aim of ensuring that all data transferred within and outside of the EU is protected. The GDPR provides a clear definition of what is meant by personal data and includes “any information relating to an identified or identifiable natural person”.⁶⁵ Further, the GDPR applies in circumstances where the data is processed by automated means or forms part of a filing system.⁶⁶ While these restrictions limit some of the applications of the GDPR, commentators have labelled the GDPR as the gold standard in data security.⁶⁷

The consequence of the GDPR's high level of security is that it often requires personal information to remain in the territory (specific localization),⁶⁸ prohibiting the transfer of data to a third-party nation unless an exemption applies.⁶⁹ There are three main exceptions to this within the GDPR. For instance, Article 45 allows transfers to a nation outside the EU where that nation's own data security laws provide an adequate level of security.⁷⁰ However, few countries have been recognized as having an adequate standard of security hence⁷¹ this exemption does little to eliminate the trade barrier erected by the restriction provision.⁷² Article 46 also provides an exemption where adequate safeguards are provided by the controllers of personal data.⁷³ This exemption places costs on the corporations that handle personal data of EU origin to ensure that adequate data security is maintained.⁷⁴ However, this exception is only supported for intra-company transfers, which significantly limits its application.⁷⁵ Finally, Article 49 outlines derogations for specific situations such as a public interest reason or where the data is necessary for the performance of a contract.⁷⁶ Chander summarizes Article 49 exception as “consent or necessity”.⁷⁷ Both consent and necessity are difficult to satisfy in the context of the GDPR. Consent is onerous and can be revoked, and the necessity exception is “narrowly construed”.⁷⁸ The end result is that the GDPR could be described as trade restrictive⁷⁹ by coaxing rather than mandating localization through extensive limitations on cross-border data transfer.

Although most countries in the world have introduced data security legislation,⁸⁰ the examination of the GDPR remains important as it was “designed to be a flagship of the user-centred approach”.⁸¹ For the purposes of this paper, consideration of this regional framework demonstrates that limitations on cross-border data transfer are not the same as strict data localization requirements. Both policy approaches will lead to data fragmentation; however, while restrictions on cross-border data transfer are relatively common,⁸² data localization requirements have featured in relatively few data security regimes.⁸³ One such example exists in China. In November 2016, China passed its first Cybersecurity Law,⁸⁴ and in 2021, the Data Security Law (DSL) and the Personal Information Protection Law (PIPL) have added to the framework. The DSL and the PIPL reflect some features of the GDPR, despite the policy differences that underpin them.⁸⁵ One point of contention is that of data localization requirements.

The 2016 Cybersecurity Law introduced strict data security standards on private operators. This legislation prescribed that network operators were not permitted to collect data unrelated to the service they provided,⁸⁶ and the collection and usage of private information was only permitted with the user's consent.⁸⁷ The data collected was not to be disclosed, damaged, tampered with, or shared with others unless the user gave permission.⁸⁸ Further, network operators were required to take security measures to ensure the safety of private information and in the event of an information breach or loss, notification was required to be sent to the relevant authority and users.⁸⁹

The Cybersecurity Law were extended in December 2019 with the Cybersecurity Multi-Level Protection Scheme (MLPS) imposing hierarchical obligations on network operators.⁹⁰ The level of obligation correlated with the scope of the damage caused to the Chinese people or their government that would result from any breach of the system.⁹¹ The Cybersecurity MLPS also placed an increased burden on Chinese companies to protect data and extended the compliance mechanisms to all companies that stored data in China. Further, more onerous requirements were imposed where the data was considered to fall within a “security sensitive” category. Combined, the cybersecurity laws mandate that companies which have access to and store Chinese data must store it in China in compliance with the requirements specified in the cybersecurity laws. As a point of difference (and potential concern), the laws provide that any data could be copied and kept by the Chinese government.⁹² This feature has been recognized as unique to Chinese law. Indeed, no technology that blocks access by the Ministry of Public Security is permitted. As noted:

China is creating a system to achieve two ultimately contradictory objectives: the system will be closed against intrusion by “bad actors” (foreigners and internal dissidents), but completely transparent to the Ministry of Public Security and other internet security agencies of the PRC government and the Chinese Communist Party (CCP).⁹³

Following the introduction of the 2019 Cybersecurity MLPS, the DSL was implemented.⁹⁴ Although the DSL provides no additional guarantee of data security against the state, it does demonstrate a commitment to protect “[Comprehensive Trans-Pacific Partnership] users against cyber criminals”.⁹⁵ Under Article 21 of the DSL, data is categorized according to its perceived importance and security risks. Data that is categorized as either the “core data of the state” or “important data” will have stricter security requirements over what is referred to as “general data”.⁹⁶ The DSL prohibits any entity from furnishing data to an external entity unless specific permission is granted by the Chinese government.⁹⁷ Article 31 reserves certain cross-border transfers of data to the Cybersecurity Law and provides additional requirements for cross-border flow. The DSL divides cross-border data flow into two areas: localization and outbound security assessment.⁹⁸ Article 37 of the Cybersecurity Law contains localization requirements: “[p]ersonal information and important data collected and generated by operators of critical information infrastructure during operations within the territory of the People's Republic of China shall be stored within the territory”.⁹⁹

In August 2021, the National People's Congress adopted the PIPL,¹⁰⁰ which is intended to form the third pillar of China's data security regime.¹⁰¹ It entered into effect on 1 November 2021 with the aim to: “protect the rights and interests of individuals; regulate personal information processing activities; safeguard the lawful and ‘orderly flow’ of data; and facilitate reasonable use of personal information.”¹⁰² With these aims there is clear similarity between the PIPL and the GDPR. First, the definition of “personal information” as “various kinds of information related to identified or identifiable natural persons” other than that which is processed anonymously, is similar to the definition in the GDPR.¹⁰³ Second, the PIPL, together with the DSL, requires corporations to closely consider their own policies regarding collecting, processing, and storing information.¹⁰⁴ Third, the PIPL has extraterritorial reach, which requires that any company collecting Chinese citizens data must comply with the regulations.¹⁰⁵ Therefore, if compliance is difficult or not possible, the Chinese laws are de facto localization requirements.

The main difference between the Chinese regime and the GDPR is the very clear declaration of Chinese data sovereignty.¹⁰⁶ Within Chinese law, there are clear allowances for barriers to cross-border data flow due to national security. This is similar to the Indian Personal Data Protection Bill 2018,¹⁰⁷ which, at the time of writing, had been withdrawn by the Indian government.¹⁰⁸ The Chinese laws, in particular, “has a distinct ‘national security’ flavour, particularly around its provisions on localization and cross-border transfers”.¹⁰⁹ The PIPL, for instance, requires that there is content and risk assessment prior to the cross-border transfer of personal information.¹¹⁰ However, the differences in objectives have not necessarily resulted in substantive differences between the regimes and both impose restrictions on trade through cross-border data flow.

In sum, differences between newly introduced data security laws could have significant flow-on consequences for market access and international trade. In China, the restrictions imposed through the DSL and the PIPL manifest a formal agenda of personal privacy for Chinese citizens. However, with the Chinese laws, the sovereignty of the Chinese state over Chinese data is particularly emphasized by the myriad of provisions that allow for state entities to access data. Although the GDPR does not support state access to data in the same way as the Chinese framework, it does introduce onerous requirements upon all companies who collect personal information. Putting the virtues of these laws aside, both impose a non-tariff barrier to trade by mandating standards and processes in how personal data can be transferred, stored, and used.¹¹¹ This is not an unusual situation for world trade. Nations often introduce domestic laws and regulations that impact trade relationships at the cost of international commerce.¹¹² While the digitalization of trade and the intensification of cross-border data flows present novel and emerging problems, the need for forums to cooperate on “trade impacting” national laws and regulations is an evergreen concern. However, the particular challenge of DFFT has proven a difficult one to address using existing negotiation arrangements. Although analysis of different regulatory regimes indicates that barriers already exist,¹¹³ cooperation will be needed in order to avoid exacerbating the economic and social pitfalls of data fragmentation. Unfortunately, cooperation in the current era is elusive.

The WTO is the only international institutional body governing global trade.¹¹⁴ It should have a significant role in the globalized economy and should be the forum where tensions between data sovereignty and data free flow are resolved. The WTO framework has some clear strengths. Within this forum, there have been successful negotiations on many complex matters borne out of the common interest of negotiating parties. Further, it is an international setting where member nations should negotiate common values and principles, such as rules aligned with societal values and interests. The common recognized values include (inter alia ): protecting human, animal, or plant life or health; protecting natural resources; protecting public morals; and protecting privacy.¹¹⁵ In addition, there are also rules designed to promote the harmonization of national regulations. For instance, the agreement on Trade-Related Aspects of Intellectual Property Rights (TRIPS) lays down the minimum requirements for the protection of intellectual property rights. This is a point of difference from other WTO agreements; they are considered to be beyond-the-border measures. These forms of agreement are generally considered to be more troublesome to negotiate. As noted, “[t]he rules in these … agreements … go far beyond the usual trade liberalization rules and venture into behind-the-border regulatory areas to a greater extent than other WTO agreements dealing with other non-tariff barriers to trade”.¹¹⁶

In such instances, finding an appropriate balance between the right to regulate and enforcing the rules-based order of the world trading system is a challenge that is increasing rather than decreasing. This challenge is exacerbated by the growing interconnectedness of economies. There are different theories on what the balance should be. For instance, Rigod suggests that it is only where domestic (or regional) policies cause unnecessary externalities that they should be subject to the rigours of WTO dispute settlement.¹¹⁷ Although there are merits in this approach, providing rules and adjudication in support of this standard could present difficulties. Data fragmentation will cause disruptions to trade in the form of externalities. Thus, in this respect, data fragmentation could cause unnecessary tensions between nations.¹¹⁸ Consequently, the negotiations and, ideally, the rules of the WTO should legitimately extend to matters of data security in the hope of avoiding the costs associated with these increasing trade barriers. For these reasons, the WTO should prioritize discussions to foster cooperation in this policy space.

Unfortunately, the current rules of international trade do not address or protect data flow in a way that is “consistent, comprehensible and predictable”.¹¹⁹ In addition, there are challenges in applying the existing rules to laws and regulations that reflect data sovereigntist stances. Although some restrictive data flow practices, such as in the GDPR or the Chinese laws, arguably constitute a violation or breach of obligations under the current trade rules, there is considerable uncertainty in the application of the WTO framework to these matters.¹²⁰ While there has been some deliberation about the applicability of the current framework, members generally agree that the best way forward will require new rules that specifically address cross-border data flows.¹²¹ Indeed, it is the existing gaps in the WTO rules that have enabled members to unilaterally impose data localization requirements and other trade-restrictive measures.¹²² However, due to the current state of disorder in the WTO's dispute settlement system, enforcement of even the strictest measures is difficult. Despite this, a new agreement or amendments to existing agreements could potentially support a smoother transition for existing or revised exception provisions. ¹²³ However, at this stage, members appear to be aligned on keeping data flow as a matter of state sovereignty, which means that a state of digital fragmentation will continue.

Members within the WTO have debated digital enabled trade over the past three decades.¹²⁴ A specific point of contention is categorizing cross-border data flows, which, as identified, can be both the end objective of trade (trade of digital or virtual goods and services) and a side-effect of a transaction between parties (with digital communication the norm for international trade). In the absence of explicit definitions and categorization, several scholars have argued that digital trade should logically fall under the General Agreement of Trade in Services (GATS);¹²⁵ however, the application of the GATS in these instances would be limited in scope and would only be inclusive of traditional digitally transmitted products (or services),¹²⁶ leaving other data flow questions unanswered.¹²⁷ Of course, the GATS is just one possible agreement for dealing with cross-border data flows. The Information Technology Agreement removes tariffs on information technology products (hardware products)¹²⁸ and the TRIPS agreement protects intellectual property including trade secrets.¹²⁹ Both agreements complement the GATS provisions, which include annexes like those on financial services or telecommunication, designed to take into account the circumstances of specific sectors.¹³⁰ Together, these agreements and annexes establish a broad framework that collectively sets some standards for technology transfer and some level of data security.¹³¹ However, despite several agreements intended to address areas related to digital technologies, cross-border data flow represents a vast chasm in the WTO rules landscape.¹³²

There are some elements of existing agreements that could spark a future agreement on privacy and data flows; for instance, in the GATS exception provisions. Article XIV(c)(ii) of the GATS permits trade restrictions that are necessary for the “protection of privacy of individuals in relation to the processing and dissemination of personal data”.¹³³ Although this indicates that members agree that privacy is essential, this provision was drafted in the early days of digitalization (of the global economy) before many of the complexities of the digital trade environment were identified. As a result, the rules were not designed to deal with the volume of data transfer from cross-border transactions that subsequently arose.¹³⁴ As Tuthill and Roy identified, digital advances moved many services to online supply, where this was once impractical (if not impossible).¹³⁵ Further, the question of what the exception allows has not been tested through the dispute settlement procedures.¹³⁶ Hence, there is a risk that members could attempt to rely on the “right to privacy” to excuse disguised restrictions on international trade, much like some members have attempted to do through the invocation of the national security exception.

While this exception provision points to the agreed values of WTO members, it does nothing to fill the gap that exists in relation to the digitization of trade and cross-border data flows. At the same time, the specific matters have not been completely overlooked by members, but it has certainly not been “comprehensively” addressed.¹³⁷ The Work Programme on Electronic Commerce (WPE), commissioned in 1998, was the first attempt to develop minimal standards on the legal structures surrounding e-commerce.¹³⁸ The Work Programme has been on the WTO negotiation agenda since this time, with the only substantive issue resolved (and repeatedly revisited) being the moratorium on customs duties on electronic transmissions. The agreement not to impose customs duties on electronic transmissions has been reaffirmed every two years since the establishment of the WPE.¹³⁹ The WPE was not established to deal with matters that have since arisen in relation to data security and localization rules, with the exception of the requirement to consider the GATS privacy exception provisions.¹⁴⁰ Indeed, the national security exception provisions were excluded from reference in the WPE documentation.¹⁴¹ Therefore, as one would expect, the WPE has not been a forum where data localization and other protectionist policies have been raised.

Interestingly, the decade-long negotiation “deadlock” that followed the Doha negotiations has led members to pursue alternatives to traditional agreements. In particular, plurilateral “discussions” have been pursued as a tangential approach.¹⁴² Referred to as joint statement initiatives (JSIs), this plurilateral approach to negotiations is recognized by the WTO rules.¹⁴³ It is through this medium that e-commerce has been addressed by a growing number of nations.¹⁴⁴ In 2021, the participation in the e-commerce discussions, labelled Trade Related Aspects of Electronic Commerce, increased to eighty-six members.¹⁴⁵ This is unsurprising given the importance of e-commerce, and the regulation of it, to the private sector. The scope of discussions in this JSI are far broader than matters of e-commerce and include data localization requirements,¹⁴⁶ cybersecurity threats, and online consumer protection.¹⁴⁷ Although these issues must be considered, it is uncertain whether this JSI (or any other) will have a broader impact on WTO rules or even on the commitments made by participating nations. Although the process of negotiations is supported, the legal status of the outcomes of the talks is not addressed by the WTO Agreements.¹⁴⁸ The uncertain status is unlikely to be resolved by consensus as the process of JSI negotiations has been criticized by some nations for lacking transparency¹⁴⁹ and resisted for being contrary to consensus-based decision-making.¹⁵⁰ Other commentators recognize that although JSIs may not solve the problems created by the WTO negotiation deadlock, they have been seen as a partial solution that could address the stalemates created through the consensus approach.¹⁵¹

To conclude, the WTO should be the forum where nations develop global rules for cross-border data flows that facilitate international trade and provide basic standards in relation to personal data privacy and data security. The issues of data localization and cross-border restriction requirements (which are a part of most cybersecurity and privacy strategies)¹⁵² is one that should be discussed within this setting. It should be where a consensus between the data sovereignty of nations and the benefit of an open global digital economy is forged. There are some signs that the WTO is facilitating this mission with the JSI on Trade Related Aspects of Electronic Commerce. However, progress has been slow. Reflecting a broader malaise within the WTO, which has not seen new agreements since the halcyon days of its formation, it is doubtful whether the JSI process will provide the needed framework in a timely manner. Furthermore, the digitalization of national economies and the global economy continue apace. Data and data flows across national borders is becoming more significant to the lives and wellbeing of all humans on the planet. Within this context, nations are using other international arrangements to address some of the challenges from digitalization. In particular, provisions on cross-border data flows are becoming a feature of PTAs. These negotiations show a desire to eliminate barriers to data flows and reduce the risk of digital fragmentation, but at the same time, there is a distinct weakness in that there is a reluctance to enforce these arrangements. Despite this, the provisions from PTAs may be critical to provide something of a path forward for progress within the multilateral trading system.¹⁵³

PTAs provide an alternative platform to negotiate on challenges left unaddressed by the multilateral system.¹⁵⁴ In particular, PTAs are becoming the preferred instrument that some nations are using to provide standards and regulation of cross-border data flows.¹⁵⁵ This section highlights some of the key developments in newly negotiated PTAs and, in doing so, recognizes the weaknesses within these agreements. In this section, this paper demonstrates that PTAs could lead to cooperation on matters related to data security, cross-border data transfer, and privacy. Alternatively, it may further assure a fragmented future.

PTAs exist outside of the complexities of the WTO and represent a smaller grouping of nations agreeing to shared rules and processes relating to intra-group trade. PTAs are considered to be an alternative to pursuing agreements through the WTO process, with some members suggesting this is preferred to the JSI process.¹⁵⁶ Many countries have used PTA negotiation processes to agree on matters that are currently without guidance under the multilateral rules framework.¹⁵⁷ For instance, there are currently over seventy PTAs that incorporate an e-commerce chapter, including the United States - Mexico - Canada Agreement (USMCA, previously the North American Free Trade Agreement); the Comprehensive Trans-Pacific Partnership (CPTPP);¹⁵⁸ and the dedicated digital trade agreements, the Digital Economy Partnership Agreement (DEPA) and the Digital Economy Agreement (DEA).¹⁵⁹ Interestingly, not all agreements have included cross-border data flow commitments. The Japan-EU Economic Partnership Agreement shelved the matter for three years post-entry into force of the agreement,¹⁶⁰ based on the premise that parties will consider domestic legislative strategies on data flow and data security.¹⁶¹

In contrast to this, the Comprehensive and Progressive Treatment for Trans-Pacific Partnership (CPTPP)¹⁶² and the Regional Comprehensive Economic Partnership (RCEP) both include specific e-commerce chapters.¹⁶³ Both agreements include sections that deal with cross-border data flow and localization with what appears to be, at first glance, a (somewhat) liberalized approach to data. The CPTPP Agreement was signed by eleven countries: Australia, Brunei Darussalam, Canada, Chile, Japan, Malaysia, Mexico, Peru, New Zealand, Singapore, and Vietnam, with the Australian government considering it a breakthrough in the promotion of the free flow of data across international borders for business activities.¹⁶⁴ Although the CPTPP suspended some provisions from the original Trans-Pacific Partnership text, Chapter 14, which focuses on “electronic commerce”, was adopted in its entirety.¹⁶⁵

Two provisions outlined within Article 14 have particular significance in indicating support for a liberalized approach to cross-border data flow and preventing digital fragmentation.¹⁶⁶ The first prescribes an obligation on all signatories to allow cross-border data flows, including personal data, for the purpose of business transactions or operation.¹⁶⁷ The second restricts a nation from applying localization requirements within its borders as a condition for conducting business or operating within that nation.¹⁶⁸ Both of these provisions are subject to exceptions, which are contained within Articles 14.11(3) and 14.13(3). These exceptions provide that any national measure inconsistent with its obligations must not be arbitrary, unjustifiable, or a disguised restriction on trade.¹⁶⁹ The exemptions make it essential that any national law or regulation does not restrict the transfer of cross-border data flow or impose localization requirements beyond what is required to achieve the permitted objective.¹⁷⁰ Hence, the CPTPP does not leave the exemptions to the fiat of individual nations. Rather, exception claims can be referred to the dispute resolution system outlined in the text.¹⁷¹

The purpose of Chapter 14 is to encourage open cross-border trade and limit exercises of data sovereignty to agreed zones of legitimate national interest. Furthermore, it provides for a dispute resolution mechanism to scrutinize and ensure that national measures that affect cross-border data flows remain within the agreed exemptions. This is a substantial improvement over the WTO in that issues relating to data flows,¹⁷² personal data privacy,¹⁷³ minimal standards for cooperation on electronic commerce,¹⁷⁴ online consumer protection,¹⁷⁵ cybersecurity cooperation,¹⁷⁶ and prohibiting localization requirements¹⁷⁷ are addressed. Furthermore, the dispute resolution process allows scrutiny of national data restrictions to determine whether those restrictions are supported by the agreed exemption for a “legitimate public policy objective”.¹⁷⁸ These provisions in the CPTPP show promise for future multilateral agreements that facilitate DFFT, albeit with the shadow of a broad “legitimate public policy objective” exemption jeopardizing the provisions’ enforceability. Indeed, the wording and form of the CPTPP provisions have been largely replicated in other agreements, specifically the DEPA and DEA.¹⁷⁹ This could be seen as a convergence of nations agreeing to the form of DFFT articulated within the CPTPP. However, there is an exception to this convergence.

Parallel to the ratification of the CPTPP, RECEP negotiations, which included China as a party, have been ongoing.¹⁸⁰ In 2020, the RCEP agreement was signed by all parties and entered into force 1 January 2022.¹⁸¹ The agreement has fifteen signatories: Brunei, Cambodia, Indonesia, Laos, Malaysia, Myanmar, the Philippines, Singapore, Thailand, Vietnam, Australia, China, Japan, New Zealand, and South Korea, with India withdrawing from negotiations in the final stages.¹⁸² Clearly, there is overlap between the parties to the RCEP agreement and the CPTPP, with Singapore, Vietnam, Malaysia, Japan, Australia, and New Zealand participating in both. This overlap in parties could in part explain the similarities evident in the two PTAs.¹⁸³ However, disparities that some commentators attribute to China's presence in the RCEP remain between the agreements.¹⁸⁴

The RCEP agreement is one of the largest PTAs and includes multilateral rules that aim to liberalize cross-border data flow and set requirements for privacy and consumer protection regulations for member nations. In this regard, the RCEP echoes similar provisions to the CPTPP. For example, Chapter 12 prevents parties from restricting the cross-border transfer of information and prohibiting data localization conditions.¹⁸⁵ However, some commentators have noted that the substantive provisions of the RCEP's “electronic commerce”, Chapter 12, has been pared back from what the nations agreed to in the CPTPP.¹⁸⁶ For instance, a footnote to Provision 12.14.3(a), which is the “legitimate public policy objective” exception, states:

“[f]or the purposes of this subparagraph, the Parties affirm that the necessity behind the implementation of such legitimate public policy shall be decided by the implementing Party.” This footnote has the effect of allowing any party to determine when the exception should apply, thus excusing data localization requirements whenever desired.¹⁸⁷ Hence, parties may operate outside the provisions if they choose to.

Chapter 12 of the RCEP also includes provisions to cooperate with other signatories on matters of cybersecurity in the interests of capacity building.¹⁸⁸ The Australian government has identified the importance of these provisions in terms of future trade and data flows. Notably, suggesting that:

By including commitments to support the flow of data, promote privacy and consumer protection and enable electronic authentication and electronic signature, [the] RCEP will help to facilitate digital trade in the region and support consumer confidence in the online environment.¹⁸⁹

Despite the positive comments of the Australian Government, there are some limitations to these conditions. First, as noted, the agreement differs from the CPTPP by incorporating additional exception provisions. In addition to the “legitimate public policy objective” exception and the environmental exceptions of the GATS and the GATT,¹⁹⁰ the RCEP follows the WTO in acknowledging the importance of national security through its “essential security interests” exception.¹⁹¹ This was an interesting inclusion, particularly in light of the so-called “abuse” of the national security exception in WTO disputes since 2016.¹⁹²

The second point of limitation in Chapter 12 is the specific exclusion of dispute mechanisms, unlike the CPTPP. In particular, under Article 12.14 members are not able to dispute the location of computing facilities when such actions have been taken for essential security interests.¹⁹³ The position on security interests is the same with respect to the cross-border transfer of information by electronic means.¹⁹⁴ However, at this stage, the exemption from dispute settlement is unnecessary as Article 12.17 precludes all of Chapter 12 from the dispute settlement mechanism contained in Chapter 19.¹⁹⁵ Paragraph 3 of this Article states:

No Party shall have recourse to dispute settlement under Chapter 19 (Dispute Settlement) for any matter arising under this Chapter. As part of any general review of this Agreement undertaken in accordance with Article 20.8 (General Review), the Parties shall review the application of Chapter 19 (Dispute Settlement) to this Chapter. Following the completion of the review, Chapter 19 (Dispute Settlement) shall apply to this Chapter between those Parties that have agreed to its application.¹⁹⁶

The exclusion from dispute settlement is significant. This exclusion indicates that although parties agree to the requirements for cross-border data flow, privacy, and localization requirements, they are not willing to be held to account by other parties. In this, RCEP goes against the general trend, noted by Froese, of increased enforceability of e-commerce chapters.¹⁹⁷ In this regard, Chapter 12 of the agreement is seemingly unique. Without recourse to a dispute mechanism, the substantive commitments in Chapter 12, to open cross-border data flows, can only be read as aspirational. Given the data sovereignty objectives of recent Chinese laws, it could be suggested that this provision was a condition of China's participation.¹⁹⁸ Whatever the reasoning of the parties to exempt Chapter 12 from the dispute resolution procedures, the effect is that they will have to rely on good faith that measures will not be enacted which interfere with cross-border data flows. Extensive national regulation of data, such as seen within the Chinese laws, possibly goes beyond the boundaries of the “legitimate public policy objective” or the “essential national security” exemptions of the RCEP. However, as these exemptions, coupled with the exemption from the dispute resolution processes, allow for the parties to determine the boundaries themselves,¹⁹⁹ whether any other party exceeds those boundaries is irrelevant.

The RCEP negotiations provide some insight into what nations are willing to agree to in principle. This agreement does demonstrate that nations regard e-commerce and data flows as important. However, at the same time, the inability to enforce the provisions leaves open questions in terms of the commitment to genuine cooperation on DFFT. The discretion afforded indicates that parties could still be on a trajectory of fragmentation.²⁰⁰ Although the CPTPP set a standard of liberalization in terms of localization requirements,²⁰¹ it is also apparent that this is a standard that may only be acceptable to some nations in principle rather than practice. PTAs are indicative of progress towards DFFT, but the requirement to avoid localization is not the same as finding common ground and cooperation. As such, more is needed to avoid fragmentation in the global economy.

It has been identified that the interdependence created by digital globalization has resulted in a “transformation of global politics”, which means privacy, cross-border data flows, and data security are matters that unquestionably extend beyond national borders.²⁰² As noted above, restrictions on cross-border data flows result in costs to industry and to national economies.²⁰³ These restrictions may have other negative flow-on consequences, such as weakening cybersecurity, infringing key WTO provisions, and (will likely lead to) trade tensions and discontent in the private sector. Further, the costs will be disproportionately imposed on small businesses with limited resources to understand “divergent national regulatory regimes”.²⁰⁴ Hence, the positive impact of digitalization on developing economies is thwarted by the imposition of restrictions on cross-border data flows.²⁰⁵ For this reason, the costs of regulatory restrictions on cross-border data flows are considered externalities which, ultimately, “pose a threat to global supply chains”.²⁰⁶ The issues remain, however, as to what can be done on a global level and whether multilateral agreements will achieve anything in practice. The purpose of this part of the article is to address these issues.

Farrell and Newman contend that “power rarely resides in brute coercion, but rather in the political opportunities generated by interaction”.²⁰⁷ In this respect, the WTO as a forum could be part of the solution to aid cooperation and support the free flow of data. The EU, China, Japan, and the United States have each been a part of the WTO JSI negotiations on e-commerce.²⁰⁸ Abendin and Duan argue that in order to conclude an agreement within the WTO framework, the positions of these four members will need to be reconciled,²⁰⁹ although the umbrella term “e-commerce” is unlikely to capture the many evolving issues from the digitalization of international trade.²¹⁰

Reconciliation of the many interests that exist in each of these four members presents a significant challenge, particularly in countries susceptible to influence from the private sector. There is some promise: the JSI discussions have touched on difficult topics such as a prohibition of unjustified localization requirements, ²¹¹ however, the discussions have not yet led to the necessary reconciliation of strategic positions of key members.²¹² Further, other WTO members have refused to accept the legitimacy of these negotiations.²¹³

The essentiality of data and data flows for the global economy and human well-being means that DFFT is essential to address digital fragmentation. Agreed rules between nations will be integral in achieving cooperation. Increased national restrictions on cross-border data flows, the difficulties with the WTO, and the e-commerce chapters in the CPTPP and the RCEP identify three main foci that need to be considered in a DFFT framework: individual data rights, including privacy protections in relation to personal data; support for cybersecurity and data security in Global South nations; and international cooperation to support intelligence sharing and flexible outcomes. Each may seem simple enough, yet all three present their own unique challenges in a multilateral setting.

The right to privacy is considered a fundamental human right in accordance with the International Covenant on Civil and Political Rights²¹⁴ and within the European Charter of Fundamental Rights.²¹⁵ Despite this, at present, the right to privacy is not universal, which creates fragmentation. To avoid fragmentation, it is critical that measures to protect privacy (and other data rights) exist globally, but, at the same time, they are not disguised restrictions on international trade. Hence, it will be necessary to consider measures that are reasonable and necessary for the protection of individual privacy. It would be reasonable for nations to agree on minimum regulatory protections, much like those imposed by the TRIPS agreement.²¹⁶ Indeed, the development of TRIPS demonstrates that conceptualizing behind-the-border rules for harmonization purposes at a multilateral level can be achieved; however, the inclusion of minimum regulatory requirements within the WTO agreements has traditionally been difficult due to the additional costs and the complexity that these provisions require.²¹⁷ Much like the minimum provisions under TRIPS, many nations have already enacted privacy laws. However, “some developing countries suffer from a distinct lack of national laws regulating, for instance, online consumer protection, electronic transactions, data protection, and cybercrime”.²¹⁸ Although the GATS framework does support privacy through the exception provisions, this is a matter entirely different to a minimum requirement for personal data privacy. An exception provision does little more than allow for privacy, whereas a “beyond-the-border” provision (such as imposed by the GDPR) will do far more to foster trust and consumer confidence. Therefore, the discussion on privacy should encompass standards and a definition of personal data that can be universally accepted. Alternatively, recognition of different members’ standards could be a pathway forward for resolving these issues.

A meaningful starting point may be a common definition of “personal information” or “personal data”. In the GDPR and the PIPL, these are largely aligned to include only data that is related to “natural persons”.²¹⁹ Indeed, a decision on the type of data to be protected by regulatory frameworks to support the recognition of the human right privacy is a logical first step and one that should be easily negotiated at a multilateral level. It is when ambitions move beyond these seemingly simple outcomes that minimum requirements may become troublesome. The use of encryption as a means to provide data protection provides an example of this. “Data encryption is a process or technique of translating data from text to hashed code that can only be decrypted with a special key.”²²⁰ Under the GDPR, encryption is referenced many times and identified as a best practice approach. Far from being a mandate, the GDPR repeatedly mentions encryption as an appropriate measure for data security.²²¹ The GDPR directive can be contrasted to the Chinese approach where data encryption is now supported, but only with the caveat that Chinese government entities must have access to the encryption key.²²² In this respect, the competing values of these major trading nations will impose potentially challenging barriers to any agreement in the short term. As an alternative, mutual recognition poses an alternative to harmonization, which may prove successful.²²³ Mutual recognition would mean that no harmonization of definitions or processes is necessary but, at the same time, it would require members to agree to support differences in other domestic jurisdictions. However, mutual recognition of privacy standards may prove equally difficult to agree upon. The benefit would be that the mutual recognition pathway may allow members to maintain a degree of flexibility to ensure that specific regulatory priorities could be pursued.²²⁴

A second critical element is that governments in developed economies need to provide knowledge and financial support to the Global South. DFFT requires emphasis on supporting data and cybersecurity in Global South nations for two reasons.²²⁵ First, the development of emerging economies is in the global interest as well as a matter of distributive justice. There is no fairness in enforcing the same measures in all nations unless support is provided to nations that need it most. Second, in matters of global privacy, cybersecurity, and consumer protection, any system weakness will result in unintended and negative outcomes, creating a global weakness that would not otherwise exist.²²⁶ The Budapest Convention provides evidence of this, in particular, its provisions that support harmonization of laws addressing cybercrimes.²²⁷ Hence, more minimum standards on cybercrimes may not be necessary – what is needed is a global data framework to provide for capacity building for Global South nations as a priority.²²⁸ Capacity building should focus on data security measures and privacy requirements to ensure that Global South nations are not disadvantaged by any new developing minimum standards. Capacity building within the Global South will be critical to support “varying levels of e-commerce readiness”.²²⁹

The role of the WTO needs to be recognized. There is no global institution that has a “mandate to evaluate and track policy intervention in the digital domain”.²³⁰ Some scholars suggest that this may be a time when an institutionalized approach is unwarranted. “Regulatory sandboxes” rather than “binding agreements” could be a pathway forward in the data driven economy.²³¹ However, accepting that argument means that the pursuit of DFFT through cooperation should effectively be abandoned. It is critical that this does not happen. It is unfortunate that the pathway forward through the multilateral trade regime is far from clear for participating nations. Indeed, despite progress through the JSI, member resistance means that the outcomes of negotiations are uncertain and are at risk of being nothing more than a talkfest. Nevertheless, these challenges do not present insurmountable barriers to the ongoing ability for the WTO²³² to work against fragmentation through the rules-based order and the negotiation platform it supports.²³³

Although new and existing PTAs have foreshadowed a promising trend,²³⁴ the differences between the agreements could potentially exacerbate fragmentation rather than address it. In this respect, each PTA will be signed by a handful of nations compared to the 164 members of the WTO. This means that fragmentation will not be overcome with each PTA. As such, the objective of DFFT must remain on the negotiating agenda of the WTO in order to avoid “a silo-oriented data-driven economy”.²³⁵ The precise nature of the terms of negotiation may be difficult to predict. However, the objective of trade for the benefit of all should remain central and global cooperation should continue to be pursued. Where sovereignty is prioritized over the global good, nations engage in economic statecraft, which will only exacerbate digital fragmentation and the North/South digital divide.²³⁶

The final and critical point is that there needs to be acceptance by the private sector to avoid fragmentation.²³⁷ Presently, localization trends have been set by governments through legal requirements and corporate demands. Hence, the connection between government policy and industry needs should be strengthened, but with a view to consider global markets (over time), not just local and present concerns. In this regard, trust will be critical for private entities to have confidence in data security and protection beyond their own borders. The analysis in this paper does not provide a pathway to trust between entities, nations, or regions; rather, minimum requirements for cooperation have been identified. Trust is a higher standard that will require seismic shifts and perseverance. However, in a world where national interests have always trumped global ones, trust may be nothing more than an unattainable aspiration.

Data localization rules and barriers to cross-border data flows are inefficient, leading to slow movement of capital and lost profits for private entities.²³⁸ Alternatively, a secure digital environment improves efficiency through consumer confidence and by supporting a safe online environment. In the age of digital trade, there is a need for nations to cooperate so the global community can benefit. At the same time, individual nation priorities in terms of data security remain essential for an effective digital society. This presents its own issues. As Farrell and Newman posit, one of the most significant concerns with a globalized society is the problem of rule overlap.²³⁹ That is, “different regulatory systems come to interfere with and influence each other”.²⁴⁰ The extension of rules beyond borders (such as is done by the GDPR and China's PIPL) means that this is even more problematic. However, given the nature of digital transfers, extraterritorial rules in these matters are necessary. An agreement between WTO members, providing for a global data framework, may help minimize costs and allow trading partners from different jurisdictions to participate in open cross-border transactions. However, the differences in national approaches, both to privacy and data security, underscore the need for flexible co-operation and agreement.²⁴¹ Unfortunately, it is possible that an agreement at a multilateral level may result in “watered down” standards (such as those contained in the RCEP) as a result of individual national interests overriding any desire to maintain the integrity of the multilateral trading regime.

If negotiations are pursued fairly and the provisions are subsequently successful, PTAs could be a metaphorical sandpit for the data flow provisions that may later be agreed at a multilateral level. PTAs present a simpler negotiation environment by avoiding the complexity of the 164 different party interests and the diversity that results from the inclusion of the interests of Global South nations (although in the opinions of the authors, this is a necessary complication). However, a PTA can still take many years of dedicated negotiations, with the RCEP being only recently signed after eight years, twenty-one ministerial meetings, and thirty-one negotiation rounds.²⁴² Thus, PTAs are not able to provide a quick resolution for difficult global issues and may not lead to the widespread benefits that larger multilateral agreements can potentially achieve. Further, the RCEP “carve out” of the e-commerce chapter from dispute settlement indicates that these agreements are not without their weaknesses.

Finally, the importance of DFFT should be underscored. For individuals, privacy is (often) a fundamental human right and a universal concern in the digital age.²⁴³ The objective to protect individual privacy has led many nations, including the EU and China, to establish strict approaches to data protection. At the same time, these strict approaches could create a large divide between nations at different levels of economic development and technical capacities. Further, there is a fear that the introduction of privacy protections may provide a disguised form of trade restrictions or, alternatively, increase the power of central governments to access data of citizens and those that they have commerce with. The intensification of digital trade and the increasing dependence of humans flourishing on digital technologies presents these issues as fundamental challenges for people, businesses, and governments in the twenty-first century. Presently, the path to a global data framework might not be obvious or easy, but it is increasingly essential for a fair digital economic future.