Regulating for a digital economy: Understanding the importance of cross-border data flows in Asia

Global data flows and connectivity are creating new economic and trade opportunities

The world is experiencing unprecedented increases in connectivity and global data flows. This is underpinning the so-called fourth industrial revolution, which is characterized by end-to-end digitization of all assets and integration into a digital ecosystem.[1] It heralds the fourth major upheaval in modern manufacturing after the lean revolution of the 1970s, outsourcing in the 1990s, and automation in the 2000s.[2]

The Asia Pacific continues to be one of the fastest growing regions in the world, both economically, and in terms of connectivity. By 2017, Asia had the largest number of internet users in the world, with 1.9 billion people online.

Cross-border data access, usage, and exchange are essential to economic growth in the digital age. Every sector—including manufacturing, services, agriculture, and retail—relies on data and on the global flow of that data. Whether directly, or by indirectly taking advantage of global-scale data infrastructure such as cloud computing, global connectivity has enabled cross-border economic activity, allowing individuals, startups, and small businesses to participate in global markets.

At its core, the digitization of economies and international trade should improve efficiency and increase productivity.[3] By increasing access to information, the internet increases productivity and enables markets to function more efficiently. The free flow of data reduces transaction costs and the constraints of distance, and increases organizational efficiencies. Increases in connectivity accelerate the spread of ideas and allow users worldwide to make use of new research and technologies, leading to the emergence of new enterprises.[4] Extending internet access can also increase market efficiency by reducing barriers to market entry, and allowing small and medium-size enterprises to reach vastly broader markets.[5]

Global data flows are also transforming the nature of international trade, creating new opportunities for businesses to participate in the global economy by selling goods and services directly to customers and plugging into global value chains. McKinsey & Company estimates that global data flows raised global GDP by approximately 3.5 percent over what would have occurred without such flows, equivalent to $2.8 trillion dollars in 2014.[6]

Global Data are transforming international trade

Data flows are transforming international trade in the following ways:

  • Businesses can use the internet (i.e., digital platforms) to export goods.
  • Services can be purchased and consumed online.
  • Data collection and analysis is allowing new services (often also provided online) to add value to goods exports.
  • Global data flows underpin global value chains, creating new opportunities for participation.[7]

Global data flows also create economic and trade opportunities for small businesses

The internet and global data flows are a particular opportunity for small businesses to participate in international trade. This is particularly significant for East Asia, where small businesses comprise 60-99 percent of all businesses, are responsible for 50-98 percent of all employment, and contribute 35-70 percent of GDP.[8] Using digital platforms such as eBay or Alibaba, small businesses can reach customers globally.  Access to digital inputs such as cloud computing provides on-demand access to computing power and software that was previously reserved for large companies. Such digital services can be used to reduce fixed information technology costs and increase business competitiveness.

Measuring the economic and trade impacts of cross-border data flows

A number of studies have been published that highlight the scale and importance of cross-border data flows. These studies point to the growing economic significance of data flows, and are beginning to provide useful benchmarks and indicators of the extent of the impact.[9] Key findings of the studies include:

  • In 2014, the free flow of data was estimated to have contributed $2.8 trillion to the global economy,[10] a figure that could reach $11 trillion by 2025.[11] The same study estimates around 12 percent of international trade in goods has been estimated to occur through global e-commerce platforms such as Alibaba and Amazon.
  • In the United States, digital trade has raised GDP by 3.4–4.8 percent by increasing productivity and lowering the costs of trade; it has also increased wages and likely contributed to creating as many as 2.4 million new jobs.[12]
  • A 2016 World Bank study found that a 10 percent increase in internet penetration in the exporting country leads to a 1.9 percent increase in exports along the extensive margin (the quantity of goods), and a 10 percent increase in internet penetration in the importing country leads to a 0.6 percent increase exports along the intensive margin (the average value of goods).[13]

Because of limitations in the data, each of these pictures are still incomplete and, in almost all cases, provide only rough estimates of the impact of data on growth and jobs.

Governments are increasingly restricting cross-border data flows

While the economic and trade opportunity from connectivity and data flows are significant, governments are increasingly introducing measures which restrict data flows—data localization measures.

Such measures will have economic and trade costs. According to a study by Bauer et al, the cost of proposed and enacted data localization measures in India, Indonesia, and Vietnam would reduce GDP in India (-0.1 percent), Indonesia (-0.5 percent), and Vietnam (-1.7 percent).[14]

Cross-border data flow restrictions can take one of several forms. From most restrictive to least, examples include:

  • The data cannot be transferred outside national borders.
  • The data can be transferred outside national borders, but a copy must be maintained domestically.
  • Prior consent is required before global transfers are allowed.

There are different goals being pursued by data flow restrictions

Governments restrict cross-border data flows with several goals in mind, with the main ones being to:

  1. Protect or improve citizens’ personal privacy
  2. Ensure rapid access to data by law enforcement officials.
  3. Protect or ensure national security
  4. Improve economic growth or economic competitiveness
  5. Level the regulatory playing field

The key focus for all governments when designing regulation to achieve legitimate goals should be to manage risk—whether to privacy, from cyberattack or the impact of delays to law enforcement agencies—to an acceptable level relative to the economic and social benefits, including innovation, expected from these activities.[15]

While it is up to each government to determine its acceptable level of risk, in most cases, data localization is suboptimal in that there are ways to achieve legitimate regulatory goals with less impact on economic growth and trade.

The impact of data localization requirements on overall domestic investments has been shown to be considerable, causing lower economic growth and reduced exports.[16]

Restrictions on cross-border data flows harm both the competitiveness of the country implementing the policies and other countries. Every time one country erects barriers to data flows, another country that relies on these data flows is also affected.[17]

Regulating for a digital economy that maximizes the economic and trade opportunities

Privacy and data localization

The capacity to move large quantities of data seamlessly and rapidly across borders can undermine domestic regulatory standards in areas such as privacy, consumer protection, and health care.  For example, cross-border data flows to a jurisdiction with lower levels of privacy protection can undermine domestic privacy protection. This creates an incentive for regulators to restrict cross-border transfers of personal information. For instance, the European Union’s General Data Protection Regulation (GDPR) prevents transfers of personal data to another jurisdiction that has not been deemed by the EU to have adequate privacy protection and the European Court of Justice has found that a finding of adequacy requires the other country to provide privacy protection that is “essentially equivalent” to that found in the EU.

Yet, different countries are developing privacy laws that reflect their own sense of how to reap the opportunities of data flows for growth and trade and minimize the risks to privacy. For example, the U.S. while pursuing high levels of privacy protection, relies on companies to keep personal data private with mechanisms for sanction in cases of breach. India is currently considering its own privacy law, which will reflect its own cultural, historical, and legal tradition as well as its development needs.

The challenge is finding ways for data to flow freely between countries with different approaches to privacy. This will require a principles-based approach to privacy, which prioritizes agreement on common privacy outcomes and gives each country the flexibility to achieve these goals.

Data localization not only fails to achieve this – it also creates economic and trade costs.

One way forward is being developed by the Asia-Pacific Economic Cooperation (APEC) forum through Cross-Border Privacy Rules (CBPR) system, serving as a mechanism that fosters trust and facilitate data flows amongst participants. A key benefit of the APEC regime is that it enables personal data to flow freely even in the absence of two governments having agreed to formally recognize each other’s privacy laws as equivalent. Instead, APEC relies on businesses to ensure that data collected and then sent to third parties either domestically or overseas continues to protect the data consistent with APEC privacy principles. The APEC CBPR regime also requires independent entities who can monitor and hold businesses accountable for privacy breaches.

The U.S.-EU Privacy Shield is another example of how interoperability between the EU approach to privacy and the U.S. accountability-approach might be achieved. In this regard, Privacy Shield avoids countries (in this case the U.S.) having to adopt a top-down privacy regime akin to the EU’s GDPR. Instead, Privacy Shield allows a subset of businesses in a given country to agree to a particular privacy regime in order to be deemed equivalent by the EU. This enables the free flow of personal data between the EU and the business participating in Privacy Shield.

For those countries party to the Comprehensive and Progressive Trans-Pacific Partnership (CPTPP), the commitments on privacy in the e-commerce chapter provide another framework for integrating privacy, trade, and cross-border data flows.


Security is not necessarily strengthened when data is kept locally, and may well be weakened.

Security is a function of a number of elements—technical, financial, physical, and personnel.

Moreover, increasingly large amounts of data are stored using cloud computing. For instance, in 2015, 70 percent of all internet traffic was going through cloud data centers, up from roughly 30 percent in 2011.[18] As a result, it is the security of the cloud that is often relevant when assessing the exposure of data to cyberattack.

The experience, technical, and financial capacity of cloud providers is an increasingly important determinant of data security. Specifically, resilience, data recovery, and business continuity are key elements of security that are best addressed by maintaining rapidly accessible redundant sets of data at multiple data centers. Where those data centers are in different geographic locations, or in different countries, resilience is further enhanced. These considerations are at variance with data localization.

In addition, improving security from attack requires collaboration among governments and experts in the private sector. Data localization often short-circuits any chance of developing a collective response to security threats.

Data localization for law enforcement purposes

The globalization of the internet and the rise in the use of cloud computing mean that a person’s data is often held in a separate jurisdiction. Currently, where data is held in another jurisdiction, officials need to rely on the processes under mutual legal assistance treaties (MLATs) to obtain access.

A MLAT provides a process whereby one country’s law enforcement personnel can request information held by a communication service provider in another country. MLATs were originally designed to facilitate sharing evidence in exceptional circumstances and have proved to be ill-suited when responding to regular requests for access to electronic data.[19]

A key limit with MLATs is the time taken to respond to a request for data. For example, to obtain data from a U.S.-based company takes approximately 10 months. [20] This is too long in cases where law enforcement needs to respond to international terrorism or cybercrime.

Data localization is a second-best option when responding to the challenges facing local law enforcement and in countering the inadequacies of the MLAT process. As outlined above, data localization creates a range of economic and trade costs and can degrade data security.

Instead, two reforms should be considered.  The most immediate is reform of the MLAT process to better accommodate requests for electronic data. The second longer term reform is to consider negotiating data sharing agreements—bilaterally or multilaterally.

Digital protectionism

Governments also restrict data flows to protect domestic companies from online competition. This type of protection has various negative consequences. Data flow restrictions may be inconsistent with a country’s commitments under the World Trade Organization.[21] Protectionist data restrictions can lead to retaliation by other countries, which increases the costs for local companies that want to use data to operate globally.

As outlined above, the internet and global data flows can provide significant economy-wide opportunities. Governments need to ensure their countries are digitally ready and have a strategy for making the most of the new digital trade opportunities. This means avoiding narrow protectionist responses such as data localization.

Instead, governments should undertake the reforms needed to ensure that their regulations are designed to maximize the opportunities of digital technologies. In addition, government should use data to better tailor government services and to ensure that the education system is preparing workers for the jobs that a digital economy will produce.

Leveling the regulatory playing field

Another driver of cross-border data flows has been based on the need to apply existing regulation to new digital entrants. The concern is that over-the-top (OTT) service providers that use telecommunications infrastructure do not pay license fees and are not subject to similar regulations governing their operations or their content. Evidence suggests that, contrary to the fears of many communications ministers, the impact of OTT entry is a positive one in terms of infrastructure investment. As OTT providers such as Google, Facebook, and Netflix invest in infrastructure to bring content to the edge of the internet to improve services delivery and reduce latency, consumers are prepared to pay to upgrade their internet connection, thus creating what the OECD has described as “a virtuous cycle” between OTT access, consumer use, and infrastructure investment.

This underscores the broad point when it comes to regulating in a digital economy. Regulators need to be careful about knee-jerk regulatory responses to the impact of digital providers and to focus instead on regulation that can enable these new technologies and business models to thrive. For instance, this case it could include reforming licensing regimes in a manner similar to what has been done in India. The country was the first to introduce unified licensing in 2013—which recognized that convergence of fixed and mobile, voice, text, and video offered opportunities to attract new investment into the information and communications and media sector.[22]


[1] Schwab 2016.
[2] Germany Trade and Invest 2017.
[3] World Bank 2016; Bernard, et al 2007, 105-130.
[4] Deloitte 2014.
[5] Deloitte 2014.
[6] Manyika et al 2016.
[7] Baldwin 2016.
[8] Asia Cloud Computing Association 2015, 4.
[9] U.S. Department of Commerce 2016, iii.
[10] Manyika et al 2016.
[11] McKinsey & Company 2015.
[12] Castro and McQuinn 2015, 11.
[13] Osnago and Tan 2016.
[14] The study uses a computable general equilibrium model called GTAP8. The effect on productivity is created using a so-called augmented product market-regulatory index for all regulatory barriers on data, including data localization, to calculate domestic price increases or total factor productivity losses. Bauer et al 2013.
[15] OECD 2015, Principle 5.
[17] Castro and McQuinn 2015, 10-13.
[18] USITC estimates based on data from Cisco Global Cloud Index, 2016; Cisco Global Cloud Index, 2012; Cisco Visual Networking Index, 2016; and Cisco Visual Networking Index, 2012.
[19] Mohanty and Srikumar 2017.
[20] Report and Recommendations of the President’s Review Group on Intelligence and Communications Technologies 2013, 227.
[21]  WTO Council for Trade in Services 2017.
[22] ITU 2013.