What are the main operational challenges to digital trade?
Digital trade barriers doubled between 2009-2019, and restrictions on international data transfers have more than doubled since 2017, putting increasing pressure on global digital supply chains and making it increasingly difficult to operate a global business.
Digital protectionism is raising prices for businesses and consumers and restricting choice and competition. The main policy challenges facing industry businesses include:
- Data localisation measures which make it hard for businesses to support their clients, push companies to leave some markets and avoid entering others, threaten data protection, and undermine the fight against financial crime.
- Regulatory requirements that make it hard for UK businesses to work with global technology providers.
- An onrush of divergent regulations which businesses need to reconcile to view basic information about their business.
- Uncertainty about how to implement regulations that distinguish sharply between personal and non-personal data when, in practice, data often fluctuates between the two states.
The digital supply chain of a typical global financial institution
1. relies on data flows to investigate FinTech/RegTech investment opportunity in Silicon Valley
2. locates data analytics function in Krakow to take advantage of highly skilled, multilingual technology talent
3. gathers data from a FinTech operating in Singapore’s regulatory sandbox to support the development its new digital ID applications
4. stores and processes data stemming from their subsidiary based in Dublin’s International Financial Centre
5. relies on data flows to access the services of highly skilled software engineers in Bangalore
6. outsources work to a skilled, English speaking operations team in Hyderabad
7. stores and processes client data and hosts software-as-a-service applications on a cloud-based server in Brussels
8. uses a contact centre in Cape Town so that customers can benefit from skilled English language telephony
9. uses a contact centre in Manila so that customers can benefit from skilled English language telephony
10. accesses leading cybersecurity offerings from Tel Aviv
11. operates a joint venture with Chinese payments platforms based in Shenzen so that it can enable the payments platforms to be used in the UK.
What solutions should the UK adopt to strengthen its position as a global centre for data and to boost global
The UK government and regulators should facilitate digital trade by refining UK data policies and agreeing new bilateral and multilateral digital partnerships.
The UK’s ultimate goal should be to secure a global agreement on data that realises the G20 ambition of “data free flows with trust”. In the meantime, the UK should optimise international data flows where it can, removing digital frictions wherever possible and avoiding raising new digital trade barriers. The recommendations below set out the key steps the UK should take.
Policy changes that the UK government and regulators should make unilaterally:
- UK data regulators should provide more practical examples to businesses to explain how to handle data that is not clearly “personal” or “non-personal” from a regulatory perspective.
- UK data regulators should provide examples set out the circumstances in which they may share their customers’ personal data with other financial institutions.
- UK data regulators should create an information bank that provides data on the risk profiles of various international data
regimes available to businesses when making Transfer Risk Assessments.
- The UK government should avoid domestic localisation measures where possible including, for example, when implementing
the Telecommunications (Security) Act 2021 and offering government procurement.
- The UK government should review the UK’s subsea data cables every two years to ensure that they are fit for purpose and
publish the findings.
Policy changes that the UK can agree bilaterally with international partners:
- The UK government should agree Free Trade Agreements (FTAs) that prevent unjustified data localisation laws, protect digital intellectual property, prevent customs duties on electronic transmissions and support a risk management based approach to cybersecurity.
- The UK government should use bilateral economic dialogues (e.g. Economic & Financial Dialogues) to urge countries imposing data localisation laws to avoid restrictions on the movement of offshore data and allow their citizens’ data to flow to at least some markets, even if not all markets.
- The UK should use financial regulatory dialogues to urge countries that have imposed data localisation requirements to
grant financial institutions targeted exemptions from localisation requirements to perform anti-money laundering and cybersecurity checks.
- UK data regulators should consider whether to extend data adequacy assessments to countries like Australia, Singapore and South Korea provided they are satisfied that their data standards are comparable to UK standards.
- The UK should use bilateral regulatory dialogues and regulation chapters in FTAs to bind other countries to follow good digital regulatory practices.
- The UK should use bilateral financial regulatory dialogues to ensure that the regulators of the UK’s main trade partners can provide a secure portal through which businesses can share encrypted information.
- UK regulators and the regulators of other key financial centres should conclude financial data connectivity agreements that set out the importance of enabling free data flows with trust for financial data and avoiding localisation of financial data.
Policy changes that the UK needs to realise through global co-operation:
- The UK should work with members of the World Trade Organisation (WTO) Joint Statement Initiative on E-Commerce to conclude a WTO E-Commerce Agreement that prevents unjustified localisation measures (including on financial data), protects digital intellectual property, prevents customs duties on electronic transmissions, and supports a risk management based approach to cybersecurity.
- The UK should work with the Global Cross Border Privacy Forum, EU, and other partners to shape a global data agreement whereby regulators agree to common standards for recognising the validity of each other’s personal and non-personal data regimes. Regulators could consider if Council of Europe Convention 108 on Data Transfers or OECD Guidelines on Transborder Flows of Personal Data provide a sufficient basis for data protection, especially if tailored to cover all data flows, not only personal data.