Let the Data Flow
Over the last 25 years, the Internet has become a conduit for trillions of dollars in commerce, transforming industries, national economies, and the nature of globalization itself. Today, as global trade in goods and services has plateaued and global financial flows have declined dramatically, cross-border data flows are exploding in volume. Data flows in and out of the United States alone are estimated at 80 terabytes per minute—eight times the size of the entire print content of the Library of Congress. Since 2005, they have increased by a factor of 80, from just 5 terabits per second to an estimated 400 per second.
International data flows take many forms. Individuals generate them through e-mails, Skype calls, e-commerce transactions, social media posts, and Internet searches, as well as through the consumption of digital goods from around the world. By 2020, consumers are expected to spend $1 trillion on cross-border e-commerce. But these flows are more than just consumer transactions and social media posts. They are an integral part of the way companies now operate. According to research we conducted at the McKinsey Global Institute (MGI), cross-border data flows already make a larger contribution to global GDP than the goods trade. We term this rapid increase in both the size and the value of cross-border data flows “digital globalization.”
Like traditional globalization, however, digital globalization is threatened by a number of barriers and protectionist policies, such as data localization requirements, online censorship, market restrictions on digital content providers, and conflicting and overlapping rules on data privacy and protection. Although these policies are often adopted to address legitimate underlying concerns, they threaten to disrupt the flow of data around the world, imposing significant costs to companies and harm to consumers.
Just as nations have negotiated agreements establishing the terms of global trade in goods and services, they now need to confront digital protectionism by setting out detailed frameworks to govern cross-border electronic commerce and data flows. The world needs international norms and protocols to ensure the free flow of data and forums for settling disputes when they arise. Getting these right will ensure that the world can realize the full potential of digital globalization to promote economic growth and productivity.
GOING WITH THE FLOW
Cross-border data flows have been experiencing explosive growth in recent years. As noted above, MGI’s research found that they grew 80 times larger in volume between 2005 and 2016.
In addition to transmitting a valuable stream of communication, digital flows are transforming more traditional types of exchange. International e-commerce accounted for approximately 10 percent of the global goods trade by dollar volume in 2015. In China, close to 20 percent of imports and exports run through digital platforms—roughly double the share in Europe. The transformation is even more pronounced when the underlying product is digital. In 2014, the volume of cross-border, computer-to-computer Skype calls was equal that of 46 percent of international phone calls, as measured in minutes. And in 2015, international readers made up almost 80 percent of the Financial Times’ Web traffic, 60 percent of the BBC’s, and 50 percent of BuzzFeed’s.
The economic impact of such data flows is undeniable, opening up trade to new places and market players. Online marketplaces such as Alibaba and Amazon host millions of small merchants from all over the world. Some 50 million small companies are on Facebook, up from 25 million in 2013. And in 18 countries analyzed by eBay, anywhere from 88 to 100 percent of the sellers who operate on the company’s platform are exporters.
Digital business, moreover, is changing the structure of international trade. A great deal of trade has always involved countries exchanging goods with their regional neighbors. But the Internet reduces the barriers of distance. The MGI study confirms the conclusions of other researchers, who have found that digital commerce cuts home bias, or the likelihood that countries will confine their trade to their closest neighbors, roughly in half.
All of this activity has a real payoff. MGI estimates that between 2004 and 2014, global flows of data, finance, goods, people, and services raised world GDP by at least 10 percent compared to a hypothetical world without them, adding $7.8 trillion to the world economy in 2014 alone. Remarkably, cross-border data flows—which were negligible just 15 years ago—accounted for $2.8 trillion of this value, surpassing the impact of the global goods trade, which has evolved over centuries.
Despite the enormous value of digital globalization, dozens of countries have erected barriers to constrain it. One clear example is the set of Internet restrictions known as the Great Firewall of China; another is Russia’s requirement that data on its citizens be stored on servers located within the country. But there are more subtle forms of digital protectionism as well, including blocking websites with controversial content, banning instant-messaging services, and conducting national digital surveillance. Roughly a dozen countries, for instance, have banned the WhatsApp messaging service.
Although traditional trade restrictions are mainly erected to protect local industries from foreign competition, restrictions on data flows are often adopted for a more nuanced set of reasons. For instance, many are enacted to address legitimate concerns about data privacy or cybersecurity, even as others are indeed meant to shield local platforms from competition. The overlapping motivations behind these restrictions increase the complexity of developing international norms on data flows. But these concerns should be addressed through global cooperation, rather than restriction, so that the world economy does not miss out on the tremendous potential benefits of digital flows.
There are three major categories of policies that restrict data flows: data localization requirements, general barriers to the free cross-border flow of data, and national standards of data privacy.
The first category, that of data localization, involves policies whereby countries require companies to store data on servers located within their borders. Such policies may be broad rules covering most or all types of data, or they may be focused on specific types of data. Countries with broad localization requirements include China, Malaysia, Nigeria, Russia, and Vietnam, and India is also considering a very wide-ranging measure. Other countries have adopted narrower measures, such as requiring payments to be processed locally, or requiring personal information, such as medical or tax records, to be stored within the country.
Data localization requirements increase the cost of doing business by forcing Internet companies and online platforms to build redundant server locations. The costs of doing so are often passed on to local consumers. One study estimates that for companies in countries with data localization laws, the laws increase the price of computing by 30 to 60 percent. In smaller markets, the cost of building local data servers may create so much inefficiency that Internet service provides choose to exit the market altogether.
Advocates for data localization typically justify it on several grounds. One is that it protects data from surveillance by foreign governments. But many cybersecurity experts reject this argument, arguing that the location of a server has no impact on its vulnerability to foreign hackers or government surveillance. A second justification is that localization enables the government to maintain access to the data stored on its territory. China, for instance, requires companies to share the security keys for some types of data with government officials. Finally, policymakers in many countries believe that data localization requirements will create local technology jobs. But today’s data server farms are largely self-regulating and autonomous, requiring very few employees. Facebook’s massive data farm in Sweden, for instance, employs only 150 people, or one technician for every 25,000 servers.
The second category of protectionism is that of more general restrictions on data flows. It is important here to differentiate between restrictions on legal and illegal activity. Supporting free data flows, of course, should not extend to illegal activities—just as free trade principles allow for bans on trade in specific goods, such as ivory or drugs, the free movement of data can similarly exclude illegal digital material, such as child pornography, pirated digital content, or malware. Indeed, numerous countries, including Denmark, Italy, Spain, Portugal, and the United Kingdom, have blocked websites that sell pirated digital content. Yet many countries, such as China, censor the Internet or restrict access to legitimate (that is, noncriminal) foreign websites.
Despite the enormous value of digital globalization, dozens of countries have erected barriers to constrain it.
The third category is the most diffuse, covering the variations in national data privacy requirements. Different countries have different views on the appropriate amount of privacy for consumer data. The EU, for instance, places sharp restrictions on the ability of companies to commercialize or sell consumer data, whereas the United States is more lenient. For global companies, however, complying with myriad national rules can be cumbersome. Harmonizing privacy requirements, or creating international regulatory or legal frameworks to deal with country by country variation, would be hugely beneficial. The U.S.-EU and U.S.-Swiss Privacy Shield Framework, for example, is an agreement that creates standards for how U.S. companies should handle personal data on EU citizens, in order to facilitate transatlantic commerce while addressing European privacy concerns. The agreement sets out rules about U.S. government access to personal data and creates dispute-settlement mechanisms for individuals who feel their data has been misused. U.S. companies register for the program, and the U.S. Department of Commerce conducts reviews to ensure compliance. Registration is voluntary, but companies that don’t join are open to prosecution by the EU for failure to comply with their digital privacy laws.
The privacy shield is critical for enabling international businesses to operate. One study found that half of the U.S. companies that registered for the program did so in order to process data and personnel files on their own European-based employees. In the absence of the framework, it would be illegal to share and transfer such information across borders, creating enormous costs and inefficiencies for global companies and lowering their productivity at a time when faster productivity growth is needed on both sides of the Atlantic.
THE ROAD AHEAD
In the face of a growing worldwide backlash against globalization, the need for new rules to ensure the free flow of data is becoming urgent. The good news is that several existing pieces of trade legislation have provisions that could provide a useful starting point for negotiation, helping countries arrive at balanced agreements that enable the free flow of data while protecting security and privacy.
For example, the Trans Pacific Partnership (TPP) agreement contained a chapter on electronic commerce that represented the most modern and comprehensive approach to data liberalization to date. Among its provisions were measures that explicitly prohibited countries from requiring data to be stored on local servers, imposing duties on data flows and digital goods, or forcing service providers to share valuable source code with foreign governments or rival companies. The chapter also set standards for the use of digital authentication and signatures, and required TPP signatories to enact laws protecting consumers from unsolicited e-mails and other fraudulent online activity. Although the United States withdrew from the TPP in January, it may be possible to revive its electronic commerce chapter within other trade agreements.
Another trade deal that might address data flows is the proposed Trade in Services Agreement (TISA), a 23-party trade deal that includes the United States, the EU, Japan, and Australia. Today roughly half of global trade in services occurs digitally, and that share is growing rapidly. This makes TISA an important agreement for advancing rules on free digital trade. The agreement currently being negotiated includes proposals to open markets and to establish clearer rules in industries such as licensing, financial services, telecommunications, and transportation. It would be a small step to expand TISA to include proposals for protecting the free flow of data.
These multilateral trade deals are not the only avenues for setting rules of the road. The Information Technology and Innovation Foundation (ITIF), for example, has argued for a data services agreement at the WTO that would commit countries to protecting cross-border data flows. The ITIF also suggests coming up with so-called Geneva Conventions for data. Just as the Geneva Conventions set international rules for warfare, the hypothetical data conventions would establish a standard set of protocols for handling and securing data—and respecting privacy—that network administrators, IT professionals, and government regulators around the world would be expected to adhere to. Such conventions would codify procedures and help nations create greater regulatory transparency for companies.
Like the globalization of trade, digital globalization is not a zero-sum game. One country’s participation does not necessarily come at another’s expense. The digital economy has introduced a new set of legitimate concerns, but it is important to address these through frameworks that do not limit the substantial benefits that digital globalization can bring. Now more than ever, it is time for countries to establish a framework that allows them to take advantage of the opportunities beyond their own borders.