Regulating the Globalisation of Data: Which Model Works Best?

This publication is also available via the ECIPE website

Executive Summary

Novel flows that define the future of globalization require new regulatory approaches, which are likely to differ between countries. So too for regulatory approaches to personal data.

Globally, there are three different regulatory models for personal data: the model applied by the US, based on an open approach to transfer data and process data locally; the model developed by the EU, which is a model based on so-called conditional transfers and processing; and finally, the model put forward by China, a framework that lurches towards autarky.

The differences in regulatory approaches reflect different economic realities, and it is important to better understand how and why countries regulate in the way they do – particularly in the EU and US. The EU’s regulatory approach seeks model followers among trading partners and offers adequacy for countries following a different model. Many countries apply a similar model and, together, they cover a big portion of global trade in data-reliant services.

In contrast, the US model has fewer followers and represents a much smaller share of trade. However, this model comes with other benefits as it allows firms to experiment more than in the EU and China, leading to more digital innovations with data and faster growth of new firms with a strong boosting effect on productivity. The US model aims to capture the benefits to prosperity that comes from data-based innovation.

The China model is in a league of its own. It is a large economy in itself and its economic scale has served the country well by developing many new and fast-moving digital technologies; China therefore shares some impulses of an experimental approach. Yet, this regulatory approach comes along with great restrictions, which inhibit the cross-border integration with other countries. The China model has the lowest number of followers and represents the smallest share of digital services trade. China’s closed economy makes it therefore much harder to regulate internationally.

These three blocs have chosen regulatory models that reflect their institutional structures and economic opportunities. Hence, there may not be one model that fits every type of economy: there is rather a path dependence in the way regulations are developed.

However, it is important to acknowledge that the different regulatory structures will produce different economic outcomes. The US model will generate a lot of innovation-led growth – but not necessarily a lot of innovation-driven trade. European outcomes are the opposite: the regulatory structure doesn’t produce as much Schumpeterian growth, but it encourages trade and Smithian growth.  

Introduction

It is a challenge for governments to regulate something that is new. This is also true for the cross-border digital flows that are defining new globalization. Because these flows are novel and often the result of new technologies, they require new regulatory approaches because old regulation don’t apply. But these regulatory responses are likely to differ between countries that face different economic opportunities and institutional constraints and there is a surprisingly strong path dependency in the structure of regulation.   

So too for the regulatory response to personal data. Countries have regulated these new flows with different ambitions that vary politically and economically. Ultimately, these regulatory differences to personal data reflect differences in institutional order and market outcomes. For instance, the US with its large dynamic market sees a greater role in entrepreneurial growth and innovation creation through data. As a consequence, they choose a regulatory model for data that will allow for experimentation and business change.

The EU, however, is made up of smaller economies that traditionally places a much higher premium on cross-border integration given their need to expand markets to get access to critical imports and technology. As a result, Europe’s approach to data should also be driven by the need to access data-based technologies and services, and how these imports enter the EU market. China is yet again different: the country’s prime institutional constraint is the power of the government and the ruling party. Therefore, China will regulate data harder because it is a closed economy that worries more about the power of institutions to control the outcomes of new data-based developments and enterprises.

There may not be one regulatory model that fits all economies – just as there is not one tax policy that is suitable to all countries. In matters of state regulation, many economies gradually conform to a model that reflect their broader economic and institutional conditions. However, these regulatory conditions are likely to result in different economic outcomes, which are hard to modify.

In essence, differences in regulatory approaches for data and other new technologies can be traced back to the differing economic and political paradigms, and how they have defined economies. Regulatory models that allow for the experimentation of technologies, such as in the US, have an open and entrepreneurial outlook to market competition, often enabled by strong firm dynamics. Such a “Schumpeterian approach” – after economist Joseph Schumpeter – puts the emphasis on the creation of and experimentation with new technologies and business models. Its main aim is to capture the benefits to prosperity that comes from innovation.

The alternative model, as in the EU, is one that is mainly concerned with capturing the efficiency gains from adopting and supporting the scalability of new technologies through trade. It is less occupied with creating the space for new technological innovations and focusses instead on the diffusion of goods and services in which new technologies are used. This also leads to an ambition on the export side to achieve compatibility between different regulatory models in order to reduce border costs. In such a “Smithian approach” – after Adam Smith – the ambition is to spread the innovation as much as possible in as many countries as possible, which therefore leads to a different regulatory outcome.

China may have some impulses of both models, but it’s state-centric approach will push it towards regulations that make data-based economic integration difficult and that only allows for state-controlled forms of diffusion.

Three Global Data Models

These three frameworks reflect distinct models to regulate personal data and they differ significantly. Each data model is characterised by different conditions regulating which data can flow between countries and in what manner data should be dealt with domestically. They impose differing rules for businesses engaged in data-based trade with the three blocks. The model applied by the US is based on an open approach to transfer data and process data locally. The EU has formulated a model that is based on so-called conditional transfers and processing. China, at the other extreme, has a model that lurches towards autarky.

The US’s open data model is characterized by the absence of restrictions on cross-border data flows. This model usually relies on a baseline set of privacy principles and leaves to companies the flexibility to self-regulate on a voluntary basis. Firms usually remain accountable for how personal data is treated, also when it is transferred to a recipient in a third country. For processing, the open model is defined by the lack of a comprehensive framework on personal data. Therefore, data subjects have only limited rights when it comes to how their data is handled. It is not uncommon in the US model that certain sensitive categories of data, such as in finance and health, have sectoral rules on data processing. In general, countries that follow this model consider data protection a consumer right.

The European data model comes along with conditions. For data transfers across borders, this model imposes certain ex ante conditions. These conditions are quite diverse and include the consent of the data subject, the use of specific legal mechanisms such as binding corporate rules (BCRs), the compliance with specific codes of conduct, and the requirement for the destination country to have a data protection regime considered as “adequate”. For data processing, this model is characterized by the presence of a comprehensive regime for personal data protection, which includes the consent for data collection, and the extensive data subject rights such as the right to access, modify and delete data. In most cases, this model also establishes data protection authorities.

China has developed its own data model with strong distinctive features based on controlled transfers and handling of data. Typically, the China model links data privacy to cybersecurity, and data regulation is considered a matter of national security (Gao, 2019).[1] This approach is characterised by extensive restrictions on the cross-border transfers of data which also imposes strict requirements that include the local processing of data or the ex-ante authorization by the government following a security assessment.[2] This model also distinguishes itself by systematic control of personal data by national authorities, which can be extensive, and includes indiscriminate government access to data to protect national security and public order (Wang, 2012; Rubinstein et al., 2014).

Regulatory Reach

The three data models put forward by the EU, US, and China have become a reference for many countries when they have developed their regulations. Even if there are differences, it is possible to identify and classify their regulatory approach to data along the lines of the three data models. Figures 1 and 2 show an overview of countries with their chosen data model for the regulations for the cross-border flows of data and domestic processing, respectively.

When considering the EU as one entity, the share of countries following the EU and US data model becomes almost equally widespread: 44 percent of the countries covered have the EU approach in place for cross-border data flows against 42 for the US model. The China model only represents a 13 percent stake – and those who share it tends to share China’s political choice for control. The share of countries following the EU model for rules on domestic processing is much higher, namely 54 percent compared to 32 percent for the US model. The China model holds a 13 percent share for this component, too.

Additional figures provide further insights on the global economic potential of each model. The left-hand panel of Figure 3 summarizes the world share of GDP, population, and digital services trade each models covers. The EU framework for cross-border regulations represents by far the greatest portion worldwide for the three measures, which is followed by the US model, then China’s. In fact, the China model only represent a negligible share of less than 1 percent of global digital services trade in the world, even though occupying a share of almost one third in terms of world population.

Source: Author’s using World Bank World Development Indicators and BaTiS. Number for Taiwan unavailable for GDP and population. The share of digital services trade is based on the bilateral trade relationships of all exporters and importers having the same data model in place as a share of global digital services trade based on the 116 countries covered, excluding intra-EU trade. Digital services are defined by their high software-over-labour ratios and cover financial services, IPR, computer and information services, and telecom. Both imports and exports are covered. Numbers of all shares are shown in Table A1 in the Annex.

When considering domestic processing (right-hand panel), the EU approach also by far represents the greatest GDP portion in the world, but its global share for population and digital services trade diminishes. Instead, China’s data model contains more than half of the world population and gains some coverage in digital services trade now that India and Turkey have opted for the China model. Traditionally, India’s second largest trading partners for digital services is the EU. But India has recently introduced more stricter rules on data processing, pushing the country closer to the China model. The US model also weakens in economic size and trade given that countries such as Mexico, Canada, and Australia now follow the EU model for regulations of data protection.

Trade Effects of Data Models

Global digital services trade therefore shows a skewed pattern in favour of the EU model. But even though this model covers by far the largest world share, there is still a huge untapped potential for each model to cover more trade in digital services. As the two panels show, more than two thirds of all bilateral trade relationships in the world is performed by countries with different data models in place. Around a quarter of this trade happens between the EU and the US, about five percent between EU and China, and 3 percent between the US and China. (See also Annex Table A1.)

One model will find it easier to seize this trade opportunity than another as the different models lead to different trade outcomes.[1] For instance, countries following the US model for rules on the cross-border transfer of personal data generally show a positive trade effect compared to countries following dissimilar models. This is also true for the EU model, but the results are mixed and vary between sectors.

Trade outcomes are different for rules on domestic processing. Trading partners having in place the US model for these rules generally exhibit lower digital services trade. In contrast, however, countries applying the EU model for data processing show positive trade effect.[2] The China model is a double whammy: countries applying this data framework have lower trade effects in digital services for both categories of cross-border transfers of personal data and data processing.

These differing trade outcomes tell us something about each model’s associated trade costs and therefore as well how to best realize the untapped trade potential in the world. The US model’s open approach to cross-border data flows lowers trade costs and therefore stimulates digital services trade. The EU’s approach comes along with conditions how data is treated domestically, which may create trust giving an incentive for countries to boost trade between them, too. Trade costs for countries working under the China model are higher regardless of which aspect. 

The Trade Effects of Adequacy

These results do not mean that countries without a common data model cannot overcome their regulatory differences and have digital services trade. Countries can also take action to bridge the different models. A case in point is EU adequacy rules. To overcome regulatory differences, the EU has developed an adequacy system in which the European Commission determines whether a country outside the EU offers an adequate level of data protection. Obtaining adequacy means that personal data can flow freely from the EU (as well as other EEA members) and the receiving third-party country without any further safeguard being necessary. The condition is that the latter protects the privacy of EU citizens (Mattoo and Metlzer, 2018).

Essentially, adequacy is a contract between sending and destination countries to achieve both data protection and a better cross-border opportunity for trade. Cooperation between regulators is key for that contract as there is a legal obligation by the receiving country to protect privacy of the data subject from the sending country. However, required conditions associated with adequacy may bring along additional regulatory compliance costs for the receiving country, which if set too high can inhibit trade. The extent to which data protection is a significant cost burden to trade in digital services depends on how strictly these regulatory conditions are set.

Ultimately, it is an empirical task to figure this out. Estimates suggest that adequacy recognition by the EU (and Switzerland) is positively associated with digital services trade.[3] In fact, this positive link is substantial: adequacy improves digital services trade by around 5-6 percent. In sum, even though regulatory approaches can differ across countries, international cooperation between regulators in the form of bilateral agreements can facilitate digital services trade.

Different Regulatory Frameworks Lead to Different Outcomes

The differences in regulatory approaches are likely to reflect different economic realities, and it is important to better understand how and why countries regulate in the way they do – particularly between the EU and US. The EU’s regulatory approach seems to follow the Smithian approach insofar as it seeks model followers among trading partners and offers adequacy for countries following a different model. Many countries apply a similar model and, together, they cover a big portion of global trade in data-reliant services.

In contrast, the US model have fewer followers and represents a much smaller share of trade. However, this model comes with benefits. The open model allows firms to experiment more than in the EU and China, leading to more digital innovations and faster growth of new firms with a strong boosting effect on productivity. The model is Schumpeterian in the sense that it gives priority to the creation of innovation rather than the diffusion of it. As fast-moving and technology-intensive sectors are more sensitive to the regulatory context in which they develop (Calvino et al., 2016; 2019, Bravo-Biosca et al., 2013), tightly regulated conditions for transferring and utilizing personal data may therefore stymie dynamic firm growth in data-reliant sectors using new technologies such as AI.

The alternative route to improve productivity and prosperity is through trade. Since the EU is made up of economies that are relatively small and do not command enough economic size to be innovation powerhouses on their own, this is the preferred regulatory model for many of them. By choice and economic necessity, many European countries have developed dense trading networks with the outside world in order to import new ideas and technologies. As a consequence, they tend to follow the Smithian approach to regulation: avoid barriers that reduces trade, and bridge between regulatory models. For the EU, the size and burden of regulations are secondary to the ambition of internationalising regulatory approaches, preferably its own.

So far, the EU has been pretty successful in its ambition, but some problems are arising, and they are linked to the growing desire among EU politicians to have economic outcomes that are associated with a Schumpeterian approach. There is an obvious defensiveness in European policy making on matters related to data and the digital economy that comes from the fact that European firms are not at the top of the platform economy. Problems around data adequacy with the US is one example. Europe cherishes the trade benefits of its model, but now also wants to be the place where new technological creation and business experimentation happen. This is understandable, but it is also a development that might require a different economic and regulatory approach.

The China model is a league on its own as it is a large economy in itself. That scale has served the country well by developing many new and fast-moving digital technologies, and China therefore has some Schumpeterian features. Yet, this regulatory approach comes along with great restrictions, which inhibit the cross-border integration with other countries. The China model has the lowest number of followers and represents the smallest share of digital services trade. For China, the Smithian approach is much less important as it tries to strictly control its institutional structure. China’s closed economy makes it therefore much harder to regulate internationally.

[1] Regarding China, Gao (2019) adds that “the key to understand data regulation in China, therefore, must be security”. The heightened link with security not only explains the domestic regulatory framework in China, but also informs how China would deal with the issue at the international level. As stated by President Xi, “there is no national security without cybersecurity”.

[2] See China’s 2017 Cybersecurity Law, which imposed several restrictions aiming to “safeguard cyber security, protect cyberspace sovereignty and national security”, as stated in the Cybersecurity Law of the People's Republic of China, as adopted at the 24th Session of the Standing Committee of the Twelfth National People's Congress of the People's Republic of China on November 7, 2016, Art. 1, available at http://www.chinalawinfo.com. On China, see also Ferracane and Lee-Makiyama (2017) and Gao (2019).

[1] Ferracane and van der Marel (2021).

[2] It is difficult to check for endogeneity in these results. It’s hard to distinguish, for instance, if countries following the EU model do so because they are generally trading intensively with the EU.

[3] Ferracane et al. (2021).

References

Bravo-Biosca, A., C. Criscuolo and C. Menon (2013) “What Drives the Dynamics of Business Growth?”, OECD Science, Technology and Industry Policy Papers, No. 1, OECD Publishing, Paris.

Calvino, F. and C. Criscuolo (2019), "Business Dynamics and Digitalisation", OECD Science, Technology and Industry Policy Papers, No. 62, OECD Publishing, Paris.

Calvino, F., C. Criscuolo and C. Menon (2016) “No Country for Young Firms?: Start-up Dynamics and National Policies”, OECD Science, Technology and Industry Policy Papers, No. 29, OECD Publishing, Paris.

Ferracane, M.F. and E. van der Marel (2021) “Regulating Personal Data: Data Models and Digital Services Trade”, World Bank Policy Research Working Paper No. 9596, World Development Report 2021 Background Paper, Washington DC, World Bank.

Ferracane, M.F. and H. Lee-Makiyama (2017) “China’s Technology Protectionism and Its Non-Negotiable Rationales”, ECIPE Discussion Paper, Brussels: ECIPE.

Ferracene, M.F., M. Fiorini, E. van der Marel (2021) “To Adequate or Not to Adequate: The Trade Effects of Data Protection”, mimeo.

Gao, H. S. (2019) “Data Regulation with Chinese Characteristics”, SMU Centre for AI & Data Governance Research Paper No. 2019/04; Singapore Management University School of Law Research Paper No. 28/2019.

Mattoo, A. and J. Meltzer (2018) “International Data Flows and Privacy: The Conflict and Its Resolution”, Journal of International Economic Law, Vol. 21, Issue 4, pages 769-789.

Rubinstein, I., G. Nojeim and R. Lee (2014) “Systematic Government Access to Personal Data: A Comparative Analysis”, International Data Privacy Law, Vol. 4, No. 2, pages 96–119.

Wang, Z. (2012) “Systematic Government Access to Private-Sector Data in China”, International Data Privacy Law 220, Vol. 2, No. 4, pages 220-229.

WTO (2021) “World Trade Primed for Strong but Uneven Recovery after COVID-19 Pandemic Shock”, WTO Press 876/ Press Release, Geneva.

Annex

Table A1: Share market size and digital services trade by data model (2019)

Cross-border component

Data model

GDP

Population

Digital services trade

(%)

(%)

 (%)

EU (conditional)

47.6

42.1

26.3

USA (open)

32.8

25.2

7.9

China (control)

19.7

32.7

0.3

Other (dissimilar models)

65.5

Domestic processing component

Data model

GDP

Population

Digital services trade

(%)

(%)

 (%)

EU (conditional)

50.1

30.4

24.8

USA (open)

25.7

17.1

1.1

China (control)

24.3

52.5

2.0

Other (dissimilar models)

72.1

Source: Author’s using World Bank World Development Indicators and BaTiS. Number for Taiwan unavailable for GDP and population. The share of digital services trade is based on the bilateral trade relationships of exporters and importers having the same data model in place as a share of global digital services trade based on the 116 countries covered, excluding intra-EU trade. Digital services are defined by their high software-over-labour ratios and cover financial services, IPR, computer and information services, and telecom. Both imports and exports are covered.