Trans Border Data Flow
R45584
Data Flows, Online Privacy, and Trade Policy
March 11, 2019
Rachel F. Fefer, Analyst in International Trade and Finance
“Cross-border data flows” refers to the movement or transfer of information between computer
servers across national borders. Such data flows enable people to transmit information for online
communication, track global supply chains, share research, provide cross-border services, and
support technological innovation.
Ensuring open cross-border data flows has been an objective of Congress in recent trade
agreements and in broader U.S. international trade policy. The free flow of personal data,
however, has raised security and privacy concerns. U.S. trade policy has traditionally sought to
balance the need for cross-border data flows, which often include personal data, with online privacy and security. Some
stakeholders, including some Members of Congress, believe that U.S. policy should better protect personal data privacy and
security, and have introduced legislation to set a national policy. Other policymakers and analysts are concerned about
increasing foreign barriers to U.S. digital trade, including data flows.
Recent incidents of private information being shared or exposed have heightened public awareness of the risks posed to
personal data stored online. Consumers’ personal online data is valued by organizations for a variety of reasons, such as
analyzing marketing information and easing the efficiency of transactions. Concerns are likely to grow as the amount of
online data organizations collect and the level of global data flows expand. As Congress assesses policy options, it may
further explore the link between cross-border data flows, online privacy, and trade policy; the trade implications of a
comprehensive data privacy policy; and the U.S. role in establishing best practices and binding trade rules that seek to
balance public policy priorities.
There is no globally accepted standard or definition of data privacy in the online world, and there are no comprehensive
binding multilateral rules specifically about cross-border data flows and privacy. Several international organizations,
including the Organization for Economic Co-operation and Development (OECD), G-20, and Asia-Pacific Economic
Cooperation (APEC) forum have sought to develop best practice guidelines or principles related to privacy and cross-border
data flows, although none are legally binding. U.S. and other recent trade agreements are establishing new enforceable trade
rules and disciplines.
Countries vary in their data policies and laws; some focus on limiting access to online information by restricting the flow of
data beyond a country’s borders, aiming to protect domestic interests (e.g., constituents’ privacy). However, these policies
can also act as protectionist measures. The EU and China, two top U.S. trading partners, have established prescriptive rules
on cross-border data flows and personal data from different perspectives. The EU General Data Protection Regulation
(GDPR) is driven by privacy concerns; China is focused on security. Their policies affect U.S. firms seeking to do business
in those regions, as well as in other markets that emulate the EU and Chinese approaches. Unlike the EU or China, the United
States does not broadly restrict cross-border data flows and has traditionally regulated privacy at a sectoral level to cover
data, such as health records.
U.S. trade policy has sought to balance the goals of consumer privacy, security, and open commerce. The proposed United
States-Mexico-Canada Agreement (USMCA) represents the Trump Administration’s first attempt to include negotiated trade
rules and disciplines on privacy, cross-border data flows, and security in a trade agreement. While the United States and other
countries work to define their respective national privacy strategies, many stakeholders seek a more global approach that
would allow interoperability between differing national regimes to facilitate and remove discriminatory trade barriers to
cross-border data flows; this could offer an opportunity for the United States to lead the global conversation.
Although Congress has examined issues surrounding online privacy and has considered multiple bills, there is not yet
consensus on a comprehensive U.S. online data privacy policy. Congress may weigh in as the Administration seeks to define
U.S. policy on data privacy and engages in international negotiations on cross-border data flows.
Contents
Overview
Defining Online Privacy
Cross-Border Data Flows and Online Privacy
Balancing Policy Objectives
Multilateral Rules
WTO General Agreement on Trade in Services
WTO Plurilateral Effort
International Guidelines and Best Practices
OECD
G-20
APEC
APEC CBPR
Expanding CBPR Beyond APEC
Foreign Government Policies
EU: Privacy First
U.S.-EU Privacy Shield
EU GDPR
Exporting Personal Data under EU GDPR
Expanding GDPR Beyond the EU
China: Security First
Defining the U.S. Approach
Data Flows and Privacy in U.S. Trade Agreements
U.S. Federal Data Privacy Policy Efforts
Stakeholder Perspectives
Shaping a Global Approach
Issues for Congress
Future U.S. Trade Negotiations and Agreements
Global Approach
Impact on U.S. Trade
Domestic Policy
Figures
Figure 1. Digital Trade Restrictiveness Index
Figure 2. Goods and Services Trade under Differing Data Privacy Regimes
Contacts
Author Information
Overview
Cross-border data flows underlie today’s globally connected world and are essential to
conducting international trade and commerce. Data flows enable companies to transmit
information for online communication, track global supply chains, share research, and provide
cross-border services. One study estimates that digital commerce relying on data flows drives
22% of global economic output, and that global GDP will increase by another $2 trillion by 2020
due to advances in emerging technologies.1 However, while cross-border data flows increase
productivity and enable innovation, they also raise concerns around the security and privacy of
the information being transmitted.
Cross-border data flows are central to trade and trade negotiations as organizations rely on the
transmission of information to use cloud services, and to send non-personal corporate data as well
as personal data to partners, subsidiaries, and customers. U.S. policymakers are considering
various policy options to address online privacy, some of which could affect cross-border data
flows. For example, new consumer rights to control their personal data may impact how
companies can use such data. To enable international data flows and trade, the United States has
aimed to eliminate trade barriers and establish enforceable international rules and best practices
that allow policymakers to achieve public policy objectives, including promoting online security
and privacy.
Building consensus for international rules and norms on data flows and privacy has become
increasingly important as recent incidents have heightened the public’s awareness of the risk of
personal data stored online. For example, the 2018 Cambridge Analytica scandal drew attention
because the firm reportedly acquired and used data on more than 87 million Facebook accounts in
an effort to influence voters in the 2016 U.S. presidential election and the UK referendum on
continued European Union (EU) membership (“Brexit”).2 In addition, security concerns have
been raised about data breaches, such as those that exposed the personal data of half a million
Google users or 500 million Marriott hotel customers.3
Organizations value consumers’ personal online data for a variety of reasons. For example,
companies may seek to facilitate business transactions, analyze marketing information, detect
disease patterns from medical histories, discover fraudulent payments, improve proprietary
algorithms, or develop competitive innovations. Some analysts compare data to oil or gold, but
unlike those valuable substances, data can be reused, analyzed, shared, and combined with other
information; it is not a scarce resource.
However, personal data is considered personal private property. Individuals often want to control
who accesses their data and how it is used. Experts suggest that data may therefore be considered
both a benefit and a liability that organizations hold. Data has value, but an organization takes on
risk by collecting personal data; it becomes responsible for protecting users’ privacy and not
misusing the information. Data privacy concerns may become more urgent as the amount of
online information organizations access and collect, and the level of global data flows, continue
to expand.4
1 Mark Knickrehm, Bruno Berthon, and Paul Daugherty, “Digital Disruption: The Growth Multiplier,” Accenture,
January, 2016.
2 Alvin Chang, “The Facebook and Cambridge Analytica scandal, explained with a simple diagram,” Vox, May 2,
2018, https://www.vox.com/policy-and-politics/2018/3/23/17151916/facebook-cambridge-analytica-trump-diagram.
3 Gabriella Munoz, “Sen. Chuck Grassley hits Google with questions about security breach,” The Washington Times,
October 12, 2018, and Taylor Telford and Craig Timberg, “Marriott discloses massive data breach affecting up to 500
million guests,” The Washington Post, November 30, 2018.
Countries vary in their policies and laws on these issues. The United States has traditionally
supported open data flows and has regulated privacy at a sectoral level to cover data, such as
health records, rather than create a comprehensive policy. U.S. trade policy has sought to balance
the goals of consumer privacy, security, and open commerce, including eliminating trade barriers
and opening markets. Other countries are developing data privacy policies that affect international
trade as some governments or groups seek to limit data flows outside of an organization or across
national borders for a number of reasons. Blocking international data flows may impede the
ability of a firm to do business or of an individual to conduct a transaction, creating a form of
trade protectionism. Research demonstrates not only the economic gains from digital trade and
international data flows, but also the real economic costs of restrictions on such flows.5
For many policymakers, the crux of the issue is: How can governments protect individual privacy
in the least trade-restrictive way possible? The question is similar to concerns raised about
ensuring cybersecurity while allowing the free flow of data. In recent years, Congress has
examined multiple issues related to cross-border data flows and online privacy.
In the 115th Congress, Congressional committees held hearings on these topics,6 introduced
multiple bills,7 and conducted oversight over federal laws on related issues such as data breach
notification.8 Members are introducing new bills and holding hearings in the 116th Congress.9
Congress may consider the proposed U.S.-Mexico-Canada Agreement (USMCA) and examine
the digital trade chapter as an example of how to address the issues through trade agreements.
4 One source estimates 2.5 quintillion bytes of data are generated globally daily,
https://www.iflscience.com/technology/how-much-data-does-the-world-generate-every-minute/.
5 Aaditya Mattoo and Joshua Meltzer, “International Data Flows and Privacy,” World Bank, p. 6, May 2018.
6 For example, U.S. Congress, Senate Committee on Commerce, Science, and Transportation, Subcommittee on
Consumer Protection, Product Safety, Insurance, and Data Security, Oversight of the Federal Trade Commission, 115th
Cong., November 27, 2018; U.S. Congress, House Committee on Energy and Commerce, Subcommittee on Digital
Commerce and Consumer Protection, 21st Century Trade Barriers: Protectionist Cross Border Data Flow Policies’
Impact on U.S. Jobs, 115th Cong., October 12, 2017; U.S. Congress, Senate Committee on Commerce, Science, and
Transportation, Consumer Data Privacy: Examining Lessons From the European Union’s General Data Protection
Regulation and the California Consumer Privacy Act, 115th Cong., October 10, 2018; and U.S. Congress, Senate
Committee on Commerce, Science, and Transportation, Examining Safeguards for Consumer Data Privacy, 115th
Cong., September 26, 2018.
7 See for example, H.R. 2520, S. 2728, S. 3744, and H.R. 5815.
8 For more information on data breach notification laws, see CRS Legal Sidebar LSB10210, What Legal Obligations do
Internet Companies Have to Prevent and Respond to a Data Breach?, by Chris D. Linebaugh.
9 For example, S. 142 and S. 189; U.S. Congress, House Committee on Energy and Commerce, Subcommittee on
Consumer Protection and Commerce, Protecting Consumer Privacy in the Era of Big Data, 116th Cong., February 26,
2019; U.S. Congress, Senate Committee on Commerce, Science, and Transportation, Subcommittee on Commerce,
Science, and Transportation, Policy Principles for a Federal Data Privacy Framework in the United States, committee
print, 116th Cong., February 27, 2019; U.S. Congress, Senate Committee on the Judiciary, GDPR & CCPA: Opt-ins,
Consumer Control, and the Impact on Competition and Innovation, 116th Cong., March 12, 2019.
may need to define personal data and differentiate between sensitive and non-sensitive personal
data. In general, data privacy can be defined by an individual’s ability to prevent access to
personally identifiable information (PII).
According to the U.S. Office of Management and Budget (OMB) guidance to federal agencies,
PII refers to:
information that can be used to distinguish or trace an individual's identity, either alone or
when combined with other information that is linked or linkable to a specific individual.10
Since electronic data can be readily shared and combined, some data not traditionally considered
PII may have become more sensitive. For example, the OMB definition does not specifically
mention data on location tracking, purchase history, or preferences, but these digital data points
can be tracked by a device such as a mobile phone or laptop that an individual carries or logs into.
The EU definition of PII attempts to capture the breadth of data available in the online world:
“personal data” means any information relating to an identified or identifiable natural
person (‘data subject’); an identifiable natural person is one who can be identified, directly
or indirectly, in particular by reference to an identifier such as a name, an identification
number, location data, an online identifier or to one or more factors specific to the physical,
physiological, genetic, mental, economic, cultural or social identity of that natural person.11
Policymakers may consider differentiating between sensitive and non-sensitive personal data. For
example, sensitive personal data could include ethnic origin, political or religious affiliation,
biometric data, health data, sexual orientation, precise geolocation data, etc.
10 Office of Management and Budget, OMB Memorandum M-17-12, Preparing for and Responding to a Breach of
Personally Identifiable Information, January 2017. This definition is based on OMB Circular No. A-130, Managing
Information as a Strategic Resource, July 28, 2016.
11 European Union General Data Protection Regulation Article 4.
12 Jacques Bughin and Susan Lund, “The ascendancy of international data flows,” McKinsey Global Institute, January
9, 2017.
13 A. Michael Spence, “Preventing the Balkanization of the Internet,” The Council on Foreign Relations, March 18,
2018.
• block companies from using cloud computing to aggregate and analyze global
  data, or from gaining economies of scale,
• constrain e-commerce by limiting international online payments,
• hinder global supply chains seeking to use blockchain to track products, manage
  supply chains, customs documentation, or electronic payments,14
• impede the trading of crypto-currency, or
• limit the use of advanced technology like artificial intelligence.15
According to the World Trade Organization (WTO), one of the most significant overall impacts of
the growth of digital technologies is in transforming international trade. Technology can lower the
costs of trade, change the types of goods and services that are traded, and may even change the
factors defining a country’s comparative advantage.20 The extent of the impact of digital
technologies on trade, however, depends in large part on open cross-border data flows.
One study of U.S. companies found that data localization rules (i.e., requiring organizations
to store data on local servers) were the most-cited digital trade barrier.21 Some governments
advocate privacy or security policies that require data localization and limit cross-border
data flows. However, many industry stakeholders argue that blocking cross-border data flows and
storing data domestically does not make such data more secure or private.22
Business and Cross-Border Data Flows
• Data flows (terabits per second) grew by a factor of 45 from 2005 to 2016.16
• More than 50% of businesses globally rely on data flows for cloud computing.17
• Skype, a voice-over-internet-protocol (VoIP) service that accounted for 30% of global
  communication in 2016, depends on international data flows.18
• Data localization rules impeding data flows are the #1 digital trade barrier cited by U.S. firms.19
14 Blockchain is a decentralized, distributed record or ledger of transactions in which the transactions are stored in a
permanent using cryptography. For more information on blockchain and international trade, see CRS In Focus
IF10810, Blockchain and International Trade, by Rachel F. Fefer.
15 Artificial intelligence can generally be thought of as computerized systems that work and react in ways commonly
thought to require intelligence, such as solving complex problems in real-world situations. For more information, see
CRS In Focus IF10608, Overview of Artificial Intelligence, by Laurie A. Harris.
16 Jacques Bughin and Susan Lund, “The ascendancy of international data flows,” McKinsey Global Institute, January
9, 2017.
17 U.S. International Trade Commission, Global Digital Trade 1: Market Opportunities and Key Foreign Trade
https://www.wto.org/english/res_e/publications_e/wtr18_e.htm.
21 U.S. International Trade Commission, Global Digital Trade 1: Market Opportunities and Key Foreign Trade
Testifies Before U.S. International Trade Commission,” Information Technology and Innovation Foundation (ITIF),
April 4, 2017.
Multilateral Rules
There are no comprehensive multilateral rules specifically about privacy or cross-border data
flows. However, the United States and other countries have begun to address these issues in
negotiating new and updated trade agreements, and through international economic forums and
organizations such as the Asia-Pacific Economic Cooperation (APEC) and Organization for
Economic Co-operation and Development (OECD).
23 For more information on data breach notification laws, see CRS Legal Sidebar LSB10210, What Legal Obligations
do Internet Companies Have to Prevent and Respond to a Data Breach?, by Chris D. Linebaugh.
24 Multiple witness testimonies during U.S. International Trade Commission hearing on “Global Digital Trade I:
personal data and the protection of confidentiality of individual records and accounts,” as long as
those measures are not arbitrary or a disguised trade restriction.27
Efforts to update the multilateral agreement and discussions for new digital trade rules under the
WTO Electronic Commerce Work Program stalled in 2017.28 Given the lack of progress on
multilateral rules, some have suggested that the WTO should identify best practices or guidelines
for digital trade rules that could lay the foundation for a future multilateral WTO agreement.
https://ustr.gov/sites/default/files/files/Press/Releases/Joint%20Statement%20on%20Electronic%20Commerce.pdf.
30 WTO, “Joint Statement on Electronic Commerce Initiative Communication from the United States,” JOB/GC/178,
32 Subhayan Chakraborty, “India refuses to join e-commerce talks at WTO, says rules to hurt country,” The Business
34 USTR, “USTR Robert Lighthizer on the Joint Statement on Electronic Commerce,” January 25, 2019,
https://ustr.gov/about-us/policy-offices/press-office/press-releases/2019/january/ustr-robert-lighthizer-joint.
35 “Japan, US and EU to establish data transfer rules,” Nikkei Asian Review, December 18, 2018.
OECD
The OECD 1980 Privacy Guidelines established the first international set of privacy principles
emphasizing data protection as a condition for the free flow of personal data across borders.36
These OECD guidelines were intended to assist countries with drawing up national data privacy
policies.
The guidelines were updated in 2013, focusing on national level implementation based on a risk
management approach and improving interoperability between national privacy strategies.37 The
updated guidelines identify specific principles for countries to take into account in establishing
national policies. The guidelines are to be reviewed and updated again in 2019.
APEC
APEC is a regional forum for economic cooperation whose initiatives on privacy and cross-
border data flows have influenced members’ domestic policies. APEC’s 21 members, including
the United States, agreed to the 2005 APEC Privacy Framework, based on the OECD guidelines.
The framework identifies a set of principles and implementation guidelines to provide members
with a flexible approach to regulate privacy at a national level.39 Once the OECD publishes
updated guidelines in 2019, APEC members may revise the framework and principles to reflect
the updated guidelines.
36 OECD, “OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data,” 1980,
http://www.oecd.org/sti/ieconomy/oecdguidelinesontheprotectionofprivacyandtransborderflowsofpersonaldata.htm.
37 OECD, “Revised Guidelines on the Protection of Privacy and Transborder Flows of Personal Data,” 2013,
http://www.oecd.org/internet/ieconomy/privacy-guidelines.htm.
38 G-20 Digital Economy Ministerial Declaration, “G-20 Digital Economy,” August 24, 2018.
39 APEC CTI Sub-Fora & Industry Dialogues Groups, Electronic Commerce Steering Group (ECSG), “APEC Privacy
40 http://cbprs.org/.
41 More information on APEC CBPR accountability agents is available at: http://cbprs.org/accountability-agents/.
In the United States, the Federal Trade Commission (FTC) is the regulator and enforcement
authority. TrustArc is the only accountability agent, but many expect the U.S. Department of
Commerce to recognize additional agents soon. As of this writing, TrustArc lists about 20 U.S.
firms that are APEC CBPR certified.42
42 See https://www.trustarc.com/consumer-resources/trusted-directory/#list.
43 “U.S. recruiting countries to join APEC privacy system,” World Trade Online, February 7, 2019.
44 ECIPE, “DTRI Trade Restrictiveness Index,” April 2018, https://ecipe.org/dte/dte-report/.
45 The index ranks individual countries and does not rank the EU as a single unit. The EU is composed of shared as
well as non-shared competences among its member states; some measures in the index belong to individual EU
member countries while others (such as data privacy regulations) are set at the EU level.
46 Ibid, p.54.
47 Turkish Personal Data Protection Law no. 6698 entered into force on April 7, 2016.
EU GDPR
The EU’s General Data Protection Regulation (GDPR), effective May 2018, establishes rules for
EU members, with extraterritorial implications.49 The GDPR is a comprehensive privacy regime
that builds on previous EU data protection rules. It grants new rights to individuals to control
personal data and creates specific new data protection requirements.
The GDPR applies to (1) all businesses and organizations with an EU establishment that
process (i.e., perform operations on) personal data of individuals in the EU, regardless of
where the actual processing of the data takes place; and (2) entities outside the EU that offer
goods or services (for payment or for free) to individuals in the EU or monitor the behavior
of individuals in the EU. While the GDPR is directly applicable at the EU member state
level, individual countries are responsible for establishing some national-level rules and
policies as well as enforcement authorities, and some are still in the process of doing so.
As a result, some U.S. stakeholders have voiced concerns about a lack of clarity and
inadequate country compliance guidelines.
EU’s GDPR New Individual Rights:
• Receive clear and understandable information about who is processing one's personal data and
  why.
• Consent affirmatively to any data processing.
• Access any personal data collected.
• Rectify inaccurate personal data.
• Erase one's personal data, cease further dissemination of the data, and potentially have
  third parties halt processing of the data (the "right to be forgotten").
• Restrict or object to certain processing of one's data.
• Be notified without "undue delay" of a data breach if there is a high risk of harm to the
  data subject.
• Require the transmission of one's data to another controller (data portability).
Many U.S. firms doing business in the EU have made and are making changes to comply with the
GDPR, such as revising and clarifying user terms of agreement and asking for explicit consent.
For some U.S. companies, it may be easier and cheaper to apply GDPR protections to all users
worldwide rather than to maintain different policies for different users. Large firms may have the
resources to hire consultants and lawyers to guide implementation and compliance; it may be
harder and costlier for small and mid-sized enterprises to comply, possibly deterring them from
entering the EU market and creating a de facto trade barrier.
Since the GDPR went into effect on May 25, 2018, some U.S. businesses, including some
newspaper websites and digital advertising firms, have opted to exit the EU market given the
complexities of complying with the GDPR and the threat of potential enforcement actions.50
European Data Protection Authorities (DPAs) have received a range of GDPR complaints and
initiated several GDPR enforcement actions in the Fall of 2018. In January 2019, the French DPA
issued the largest penalty to date for a data privacy breach. The agency imposed a €50 million
(approximately $57 million) fine on Google for the “lack of transparency” regarding how the
search engine processes user data.51 Analysts contend that the high fine may set a benchmark and
signal for future enforcement, raising concerns among some firms doing business in the EU.52
49 The full text of the GDPR is available at https://gdpr-info.eu/. Also see CRS In Focus IF10896, EU Data Protection
Rules and U.S. Implications, by Rachel F. Fefer and Kristin Archick.
50 “Websites not available in the European Union after GDPR,” VerifiedJoseph.com, July 11, 2018, updated November
52 Denis Charlet, “Big Google Privacy Fine May Set Bar for EU Privacy Penalties,” Bloomberg Law, January 24, 2019.
53 https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/adequacy-protection-personal-data-
non-eu-countries_en.
54 For example, see Anick Jesdanun, “Microsoft pledges to extend EU data rights worldwide,” May 21, 2018.
55 Pablo Palazzi, “New draft of Argentine data protection law open for comment,” IAPP Privacy Tracker, February 17,
2017, and Diego Fernandez, “Argentina's new Bill on Personal Data Protection,” IAPP Privacy Tracker, October 2,
2018.
56 European Commission, “The European Union and Japan agreed to create the world's largest area of safe data flows,”
58 USTR, “2018 USTR Report to Congress on China’s WTO Compliance,” February 2019, p. 156.
59 Kelsey Munro, “China’s social credit system ‘could interfere in other nations’ sovereignty’,” The Guardian, June 27,
2018.
60 Jack Karsten and Darrell M. West, “China’s social credit system spreads to more daily transactions,” Brookings,
63 INDUSLaw, “India: The Debate – Data Localization And Its Efficacy,” September 17, 2018, mondaq.com.
64 U.S. Trade Representative, 2018 National Trade Estimate Report on Foreign Trade Barriers, 2018.
65 https://ustr.gov/sites/default/files/Digital-2-Dozen-Updated.pdf.
66 https://www.whitehouse.gov/wp-content/uploads/2017/12/NSS-Final-12-18-2017-0905-2.pdf.
67 P.L. 114-26, Title I (b)(6)(C).
68 The CPTPP includes Australia, Brunei Darussalam, Canada, Chile, Japan, Malaysia, Mexico, New Zealand, Peru,
Singapore, and Vietnam. For more information on the digital trade provisions contained in the proposed TPP, see CRS
In Focus IF10390, TPP: Digital Trade Provisions, by Rachel F. Fefer.
2017. The Electronic Commerce chapter in TPP, left unchanged in CPTPP, contains the strongest
binding trade agreement commitments on digital trade in force globally.69
CPTPP includes provisions on cross-border data flows and personal information protection. The
text specifically states that the parties “shall allow the cross-border transfer of information.”70
The agreement allows restrictive measures for legitimate public policy purposes if they are not
discriminatory or disguised trade barriers. The agreement also prohibits localization requirements
for computing facilities, with similar exceptions.
On privacy, the CPTPP requires parties to have a legal framework in place to protect personal
information and to have consumer protection laws that cover online commerce. It encourages
interoperability between data privacy regimes and encourages cooperation between consumer
protection authorities.
United States-Mexico-Canada Agreement (USMCA). The released text for the proposed
USMCA aims to revise and update the trilateral North American Free Trade Agreement
(NAFTA), and illustrates the Trump Administration’s approach.
The USMCA Chapter 19 on Digital Trade includes articles on consumer protection, personal
information protection, cross-border transfer of information by electronic means, and
cybersecurity, among other topics.71 Building on the TPP, the agreement seeks to balance the
legitimate objectives by requiring parties to:
Have a legal framework to protect personal information.
Have consumer protection laws for online commercial activities.
Not prohibit or restrict cross-border transfer of information.
While the agreement does not prescribe specific rules or measures that a party must
take to protect privacy, it goes further than the TPP (or CPTPP) provisions and provides
guidance to inform a country’s privacy regime. In particular, the USMCA explicitly
refers to the APEC Privacy Framework and OECD Guidelines as relevant and identifies key
principles.
USMCA Key Principles for Personal Information Protection
Limitation on collection
Choice
Data quality
Purpose specification
Use limitation
Security safeguard
Transparency
Individual participation
Accountability
In general, the proposed USMCA requires that parties not restrict cross-border data flows.
Governments are allowed to do so to achieve a legitimate public policy objective (e.g.,
privacy, national security), provided the measure is not arbitrary, discriminatory, a
disguised trade barrier, or greater than necessary to achieve the particular objective. In
this way, the parties seek to balance the free flow of data for commerce and
communication with protecting privacy and security. The agreement specifically states
that the parties may take different legal approaches to protect personal data and also
https://ustr.gov/sites/default/files/files/agreements/FTA/USMCA/19%20Digital%20Trade.pdf.
Privacy and Promoting Innovation in the Global Digital Economy, February 2012,
https://obamawhitehouse.archives.gov/sites/default/files/privacy-final.pdf.
75 For more information on the NIST cybersecurity framework, see https://www.nist.gov/cyberframework.
78 83 FRN 48600, Docket No. 180821780-8780-01. All comments submitted to NTIA can be found at:
https://www.ntia.doc.gov/other-publication/2018/comments-developing-administration-s-approach-consumer-privacy.
79 For example, see testimony from Laura Moy, Georgetown Law Center on Privacy & Technology, U.S. Congress,
Senate Committee on Commerce, Science, and Transportation, Consumer Data Privacy: Examining Lessons From the
European Union’s General Data Protection Regulation and the California Consumer Privacy Act, 115th Cong.,
October 10, 2018.
80 Committee on Energy and Commerce Ranking Member Frank Pallone, Jr., letter to U.S. Government Accountability
https://www.gao.gov/assets/700/696437.pdf.
82 Ibid.
http://leginfo.legislature.ca.gov/faces/billNavClient.xhtml?bill_id=201720180SB1121.
84 For more information on the California law, see CRS Legal Sidebar LSB10213, California Dreamin’ of Privacy
Regulation: The California Consumer Privacy Act and Congress, by Wilson C. Freeman.
On the other hand, some stakeholders, such as states’ rights and privacy advocates, seek to limit federal-level
involvement. One coalition of consumer advocate organizations seeks to expand the California law further and
supports state-level implementation and enforcement.85
Stakeholder Perspectives
Recognizing the importance of protecting open data flows amid growing concerns about online
privacy, some stakeholders seek to influence U.S. policies on these issues. In addition to
submitting comments in response to NTIA and NIST requests and participating in their forums,
multiple organizations issued their own sets of principles or guidelines, some referencing the EU
GDPR. The U.S. Chamber of Commerce has also published model privacy legislation for
Congress to consider.86
Though they vary in emphasis, these proposals share common themes.87
transparency on what data is being collected and how it is being used;
user control, including the ability to opt out of sharing at least some information
and to access and correct personal data collected;
data security measures, like data breach notification requirements; and
enforcement by the FTC; FTC commissioners also voiced support for the agency
as the appropriate federal enforcer for consumer privacy.88
But these groups also differ in some areas, such as whether, or to what extent, to include
certain aspects included in the GDPR, such as the right to deletion (so-called “right to be
forgotten”), requirements for data minimization, or extra-territorial reach. There is no
consensus on whether the FTC should be given rule-making authority or additional
resources, on the enforcement role of states, or on whether an independent data protection
commission similar to EU DPAs is needed.
Consistent with U.S. trade policy, industry groups generally point out the need to be flexible,
encourage private sector innovation, establish sector- and technology-neutral rules, create
international interoperability between privacy regimes, and facilitate cross-border data flows.
Private sector stakeholders generally want to avoid what they regard as overregulation or high
compliance burdens. These groups emphasize risk management and a harm-based approach,
which they state keeps an organization’s costs proportional to the consumer harm prevented.
Chamber, “Privacy Principles”; Internet Association, “IA Privacy Principle for a Modern National Regulatory
Framework”; Google, “Framework for Responsible Data Protection Regulation,” September 2018; Verizon, “Privacy:
It’s time for Congress to do right by consumers,” October 9, 2018; ITI, “Framework to Advance Interoperable Rules
(FAIR) on Privacy,” October 22, 2018.
88 U.S. Congress, Senate Committee on Commerce, Science, and Transportation, Subcommittee on Consumer
Protection, Product Safety, Insurance, and Data Security, Oversight of the Federal Trade Commission, 115th Cong.,
November 27, 2018.
On the other hand, some consumer advocates point to a need for baseline obligations to protect
against discrimination, disinformation, or other harm. In general, consumer advocates believe that
any comprehensive federal privacy policy should complement, and not supplant, sector-specific
privacy legislation or state-level legislation.
89 C&M International, “Benefits of the APEC Cross-Border Privacy Rules,” October 2018,
https://www.crowell.com/files/20181001-Benefits-of-CBPR-System%20Guide_Oct%202018_final.pdf.
90 The Editorial Board, “There May Soon Be Three Internets. America’s Won’t Necessarily Be the Best,” The New
Figure 2. Goods and Services Trade under Differing Data Privacy Regimes
91 USTR, “United States-Japan Trade Agreement (USJTA) Negotiations Summary of Specific Negotiating Objectives,”
December 2018; USTR, “United States-European Union Negotiations Summary of Specific Negotiating Objectives,”
January 2019.
Global Approach
Congress may further consider how best to achieve broader consensus on data flows and privacy
at the global level. Congress could, for example, conduct additional oversight of current best
practice approaches (e.g., OECD, APEC) or ongoing negotiations in the WTO on e-commerce to
create rules through plurilateral or multilateral agreements. Congress may consider endorsing
certain of these efforts to influence international discussions and the engagement of other
countries. Congress may want to examine the potential challenges and implications of building a
system of interoperability between APEC, CBPR, and the EU GDPR.
Related issues are the extent to which the EU is establishing its system as a potential de facto
global approach through its trade agreements and other mechanisms, and how U.S. and other
trade agreements may ultimately provide approaches that could be adopted more globally.
Domestic Policy
Congress may enact comprehensive privacy legislation. In considering such action, Congress
could investigate and conduct oversight of the Administration’s ongoing privacy efforts,
including requesting briefings and updates on the NTIA, NIST, and ITA initiatives to provide
congressional feedback and direction and ensure they are aligned with U.S. trade objectives.
Congress may also seek input from other federal agencies.
In deliberating a comprehensive U.S. policy on personal data privacy, Congress may review the
GAO report’s findings and conclusions. Congress may also weigh several factors, including:
How can U.S. trade and domestic policy achieve the appropriate balance to
encourage cross-border commerce, economic growth, and innovation, while
safeguarding individual privacy and national security?
What would be the impact of a new privacy regime on U.S. consumers and U.S.
businesses, including large multinationals who must comply with different
national privacy regimes, as well as small- and medium-sized enterprises with
limited resources and technology expertise? Do U.S. agencies have the necessary
tools to accurately measure the size and scope of cross-border data flows to help
analyze the economic impact of different privacy policies, or measure the costs of
trade barriers?
How should an evolving U.S. privacy regime align with U.S. trade policy
objectives and evolving international standards, such as the OECD Guidelines for
privacy and cybersecurity? Should U.S. policymakers prioritize
interoperability with other international privacy frameworks to avoid further
fragmentation of global markets and so-called balkanization of the internet?
In addition, there are a host of other policy considerations not directly related to trade.
Author Information
Rachel F. Fefer
Analyst in International Trade and Finance
Disclaimer
This document was prepared by the Congressional Research Service (CRS). CRS serves as nonpartisan
shared staff to congressional committees and Members of Congress. It operates solely at the behest of and
under the direction of Congress. Information in a CRS Report should not be relied upon for purposes other
than public understanding of information that has been provided by CRS to Members of Congress in
connection with CRS’s institutional role. CRS Reports, as a work of the United States Government, are not
subject to copyright protection in the United States. Any CRS Report may be reproduced and distributed in
its entirety without permission from CRS. However, as a CRS Report may include copyrighted images or
material from a third party, you may need to obtain the permission of the copyright holder if you wish to
copy or otherwise use copyrighted material.