Economic Implications of Data Regulation

Global traffic from data centres is estimated to have increased fourfold since 2015 – from 5 zettabytes in 2015 to around 20 in 2021.1 To put that into perspective, a zettabyte is 1 000 000 000 000 000 000 000 bytes (21 zeros), that is, a thousand exabytes, a billion terabytes, or a trillion gigabytes. There are 20 times more bytes of traffic from data centres than there are stars in the expanding universe.2 The pace of change shows no signs of slowing; quite the opposite: global IP traffic is expected to continue growing at an accelerating pace (CISCO, 2020[12]), including after faster growth in bandwidth demand during the first wave of the COVID-19 pandemic (OECD, 2020[13]).3

In terms of the cross-border elements of this traffic, data from Telegeography show a near 800-fold increase in international internet bandwidth capacity (a measure of international information-carrying capacity) in the period 2002-2021 (Figure 2.1). International internet bandwidth is especially high across OECD countries, but it is also important in emerging economies like the People’s Republic of China (hereafter “China”), India, the Russian Federation (hereafter “Russia), and Brazil (Figure 2.1), which are important exchange points in the global internet architecture. As data becomes increasingly critical to economic activity and trade, understanding what it is, how it flows and how value can be derived from its use becomes ever more pressing.

The economic activity that growing data traffic supports is not easy to identify and measure. How bits and bytes translate into dollars and cents is hard to establish. This is because, from an economics perspective, data is different (Aaronson, 2018[14]). It is unlike other resources, factors of production, or inputs.

• Data is valued at use, not at volume. For instance, a spreadsheet with 100 personal shopping entries may occupy the same memory space as one with 100 personal health records but its underlying value will be different. A retailer will value the shopping entries more than a health service provider (which will value the personal health records more).

• The value of data can increase when merged with other data to become greater than the sum of its parts. For instance, the shopping entries linked to the health records can help target advertisements towards the health-conscious shopper.

• Data has both inherent and potential value. Data not used today can become valuable tomorrow with changing business dynamics or when combined with other data yet to become available.4 Information in the health records may become more useful over time to analyse new conditions.

• Data can be used by different actors simultaneously (data is non-rivalrous) and can be copied and shared at virtually no cost. This means that its use can serve many different purposes at once.5 The 100 personal health records may be used both by one health service provider to research cures for cancer and by another to provide remote health services without being depleted.

These characteristics imply that although data remains excludable (that is, it can be reserved for only certain users or uses), there are significant economic and societal benefits from sharing and re-using data (OECD, 2019[15]; 2021[16]), including across borders.

Data can be thought of as a factor of production, an intangible asset, an intermediate input into production and even capital with increasing returns. This versatility makes data sui generis and is why characterisations of data as the “new oil” (The Economist, 2017[17]) can be misleading (Mandel, 2017[18]). Although, like oil, data is an essential input into the economy, data is not scarce, is neither consumed nor depleted when used, and can be copied and transferred at virtually no cost.6

Ultimately, data are vast and unordered or unprocessed records that carry little meaning; they become information when analysed to identify relationships between data points.7 Knowledge is generated by analysts who recognise the importance of the information, and wisdom is generated by the decisions that make the most of the streams of analysed data. In this data-information-knowledge-wisdom (DIKW) hierarchy (Figure 2.2), each stage is dependent on those that come before it. There is no wisdom without knowledge, no knowledge without information, and no information without data.8

Advances in AI, including the rise of generative AI models which now permeate all sectors of the economy, are leading to important changes for international trade (Ferencz, López-González and Oliván-García, 2022[20]; WTO, 2024[21]) and also raising new challenges for data governance (OECD, 2024[22]). In the age of GenAI, data availability, access and variance, coupled with processing power, are posed to deliver new opportunities and challenges (Agrawal, Gans and Goldfarb, 2019[23]).

The growing and pervasive use and exchange of data, including across borders, has fuelled concerns about the use and, especially the misuse, of data, including in the context of power relations among firms and between firms and consumers, and in particular with respect to privacy and personal data protection. These concerns are compounded when data moves beyond the reach of domestic regulatory bodies or is subject to differing regulations depending on where it is located and the type of information that it contains. While data and digital activity are inherently borderless, regulatory frameworks are not. Ensuring privacy and digital security, protecting intellectual property, enabling economic development, and maintaining the reach and oversight of regulatory and audit bodies can all become more complex when data crosses jurisdictions.

The reasons countries are regulating data are manifold but can be broadly grouped into five categories (OECD, 2020[24]).

• Much of the debate about data flows revolves around the movement of personally identifiable information, raising concerns about privacy and privacy and data protection. For some, the challenge is to ensure that when data is transferred outside a specific jurisdiction, they continue to receive the same protection received in the domestic jurisdiction. However, views on privacy and data protection can vary significantly across cultures, which is why regulation also differs.

• Some measures that condition data flows or mandate local storage aim to secure access to information for regulatory control or audit purposes. In this sense, requirements for data to be stored locally can be seen as the online equivalent of a longstanding practice in the offline world of ensuring that information is readily accessible to regulators. Such measures can be sector-specific, reflecting particular regulatory requirements and targeting specific data such as business accounts, telecoms or banking data.

• Measures related to national security often mandate that data be stored and processed locally for the purpose of protecting information deemed to be sensitive, or securing the ability of national security services to access and review data. The latter, in particular, can be very broad in nature, providing wide scope of access to any form of data.

• Governments also promote local storage and processing with a view to ensuring digital security. Implementing countries argue that data security can best be guaranteed when storage and processing is domestic.

• Finally, conditioning the flow of data or mandating that it be stored locally can be motivated by the desire to use a pool of data to encourage or help develop domestic capacity in digitally intensive sectors, a kind of digital industrial policy, including in the context of economic development. This can reflect a view that data is a resource that must be made available first and foremost to national producers or suppliers. These approaches can be sector-specific or apply to a range of data types.

Different motivations can lead to different measures, whether conditions on how data can flow or local storage requirements (data localisation). However, in discussing these measures it is important to consider the underlying policy objective for which they are applied.9 This can help think through how effective the measures are in achieving their stated aims, the associated costs and trade-offs of such measures, and whether there are alternatives offering a better balance among different aims to maximise overall benefits for the population and across countries. From a trade policy perspective, these elements are relevant to identify how a policy objective can be fulfilled in a way that is least trade restrictive.

Domestic approaches to cross-border data flow regulation vary widely, reflecting different cultural preferences and policy objectives. Four ‘types’ of approaches to data flow regulation have emerged (Figure 2.3). These are not mutually exclusive: different approaches can apply to different types of data even within the same jurisdiction. For example, health data might be subject to more stringent approaches than data related to product maintenance.

• At one extreme, in some jurisdictions (often Least Developed Countries – LDCs), there is no cross-border data flow regulation (Category 0), usually because there is no privacy and data protection legislation at all. While this implies no restrictions on the movement of data, the absence of regulation can affect the willingness of firms in other countries to send data to these locations.

• The second type of broad approach relates to open safeguards (Category 1). These refer to transfer mechanisms that tend to leave more discretion to the private sector as to how to safeguard transfers (often in the context of existing principles or guidance provided in domestic regulation). These include ex post accountability principles (where sending entity is liable for how the data is treated at its destination), contracts governing the conditions for data flows or private sector-led adequacy decisions.10

• A third broad approach, pre-authorised safeguards (Category 2), includes approaches relying on pre-determined and transparent public sector approval before transfers can be made. In the context of privacy and personal data protection, these relate to determinations of adequacy or equivalence of protection by a public authority. Where an adequacy determination has not yet been made, firms can generally move data under model or approved contractual clauses or using binding corporate rules, or among other mechanisms.11

• The last broad type of approach, flow conditional on ad hoc authorisation (Category 3), relates to systems that only allow data to be transferred on a case-by-case basis subject to review and approval by relevant authorities. This approach relates to personal data for privacy reasons, but also to a more sweeping category of “important data”, including in the context of national security.

Across these different types of approaches, a number of exceptions are also envisaged to permit the transfer of data. These include transfers in relation to “legitimate interest”, or for the “public interest”, or in relation to legal claims (among others). Data-subject consent is also a frequently used exception for permitting otherwise precluded data transfers, but its use remains the subject of debate (Innovation, Science and Economic Development Canada, 2019[25]).

Data localisation measures constitute another type of emerging data regulation. While there is no single, and widely accepted definition of data localisation, there is agreement that it results in more local storage or processing than would have otherwise taken place. Some consider more implicit measures, such as restrictions on cross-border data flows, to be a form of data localisation since they can lead to more data being stored or processed locally [see Cory and Dascoli (2021[4]) and Svantesson (2020[27])]. However, others focus on more explicit measures which directly legislate to require the location or processing of data within a particular territory, defining data localisation as: “an explicit requirement that data be stored and/or processed within the domestic territory [see Del Giovane, López González and Ferencz (2023[8])]. This narrower definition avoids subjective discussions about what other measures might or might not lead to more local storage or processing.12

Although data localisation is distinct from conditions on cross-border data flows, a complete prohibition on the transfer of data amounts to a de facto requirement for local storage and processing. Similarly, a local storage requirement that is applied horizontally and combined with a local processing requirement is tantamount to a complete ban on the transfer of data abroad, as the relevant data would not be able to be stored anywhere else (Del Giovane, López González and Ferencz, 2023[8]). One key difference between measures conditioning data flows and data localisation measures is that data localisation measures tend to be more sector specific, with most measures arising in financial, banking or payments sector; the public sector; telecommunications or cloud computing (Del Giovane, López González and Ferencz, 2023[8]). By contrast, data flow restrictions often apply to all sectors of the economy, largely in the context of privacy and data protection (Casalini, López González and Nemoto, 2021[26]).

Data localisation measures in place today vary widely, often in relation to their underlying policy objectives; the sectors or types of data targeted; and the wider legal and policy environment (López González, Casalini and Porras, 2022[6]; Del Giovane, López González and Ferencz, 2023[8]). Even within a particular economy, or regions within economies, different types of data localisation measures can apply to different types of data (e.g. personal data, health data, telecommunication data, banking or payment processing data; insurance data; or satellite and mapping data). There are also cases where data localisation requirements are aimed at less well-defined data categories such as “important data”, “core data” or “critical data”.

Overall, data localisation measures can be grouped into three broad categories (Figure 2.4).

• The first refers to local storage requirements without flow restrictions (DL Category 1). These are measures that require a copy of the relevant data to be kept within the economy’s territory, but without prohibiting storage or processing in other countries. These measures are often applied in the context of ensuring that regulators do not encounter issues related to jurisdictional reach. Approaches falling under this category often target business data (accounts) or telecommunication metadata, including in the context of data retention policies. For example, Sweden’s Accounting Act13 stipulates that accounting information is to be retained and stored for seven years in Sweden.14

• The second refers to local storage and processing requirements with clearly defined transfer or access conditions (DL Category 2). These require a copy of the data to be kept within the economy but allows the data to be transmitted abroad on the basis of clearly defined transfer or access conditions. For example, the Electronic Health Records Act in Australia requires that health record information be stored in Australia but provides for access overseas in cases where access is needed by users (the data subjects) or by registered healthcare providers overseas.

• The third refers to local storage and processing requirements with prohibitions on transfer (or ad hoc exceptions) (DL Category 3). These are measures that mandate local storage of data while also prohibiting transfers to other countries (or allowing transfer only on the basis of ad hoc authorisations). These more sweeping restrictions can apply to a range of data, including banking, telecommunications or payment data, as well as to broader categories of information. For instance, in Indonesia, Regulation 71 (2019) concerning the implementation of electronic systems and transactions foresees that all data is to be managed, processed and stored in Indonesia.15 Exceptions to this rule arise in the event that relevant storage technology are not available domestically, with the criteria for is the exception determined by a government authority. Another example is China’s Cybersecurity Law, where Article 37 requires “critical information infrastructure operators” to store “important data” in China.16

Moreover, outside this typology, a new category of approaches is emerging (DL Category 0). These are measures that do not require data to be stored locally but require firms to guarantee access to data irrespective of where it is stored. For instance, New Zealand’s data retention regulation for business records allows for data to be stored outside of New Zealand provided it meets certain data integrity and access criteria.17 Within the European Union, legislation on the movement of nonpersonal data forbids data localisation within the European Union but requires that data be made accessible to the relevant national authorities.18

Cross-border data flow and data localisation measures often co-exist within jurisdictions but they tend to be used to attain different policy objectives.19 While data flow regulation arises in the context of privacy and data protection and tends to apply across all economic activities (Casalini and López González, 2019[5]), only 14% of data localisation measures are directly targeted to personal data, these also tend to target particular sectors like payments, telecommunications or cloud computing (Del Giovane, López González and Ferencz, 2023[8]). Measures might therefore not be substitutes insofar as they might not help attain the same policy objectives.

While there are legitimate reasons for regulating data flows, and indeed for the diversity in this regulation, the multiplicity of applicable regimes is leading to an increasingly complex and fragmented regulatory landscape [see also OECD (2022[28]) and Evenett and Fritz (2022[10])]. Digital fragmentation can take different forms. It can relate to the diversity and number of regulations that affect digital trade (see Ferencz (2019[29])) or it can relate to fragmented approaches to particular issues that matter for digital trade, such as approaches to data flow regulation [see also OECD (2023[30])].

Diversity in data flow regulation can make it difficult to effectively enforce public policy goals such as privacy and data protection, national security and regulatory reach when data crosses jurisdictions (OECD, 2022[31]). At the same time, it can also make it more difficult for firms to operate across markets, affecting their ability to internationalise and benefit from operating on a global scale. Indeed, a recent paper by Sun and Trefler (2023[32]) shows that AI adoption raises the number of foreign users ten-fold, but the impact is halved if foreign users are in a country with strong restrictions on cross-border data flows (measured using the OECD Digital Services Trade Restrictiveness Index).20 The challenge for governments is therefore to promote regulatory approaches that enable the movement of data while, at the same time, ensuring that, when data crosses a border, it receives the desired protection, safeguard or oversight.

The notion of trust is at the centre of this debate. The benefits of digitalisation for trade are likely to depend on the degree of “trust” in the digital environment that underpins economic and social transactions. Individuals are unlikely to engage with, or send their data to, businesses they do not trust, and businesses are likely to struggle to reap the benefits of scale unless they can operate with trust globally. The concept of “data free flow with trust” (DFFT), championed by Japan under the G20 “Osaka Track” in 2019, is aimed at encapsulating the policy impetus to find a balanced solution to these challenges. Discussions on DFFT have also taken place under the G7, including under Trade and Digital Ministers’ discussions during the United Kingdom, German, and the Japanese presidencies in 2021, 2022, and 2023, respectively.

Having a clear understanding of the evolving regulatory environment is a first step to enabling greater trust in data flows. Another important factor is to provide policy makers with a clearer picture of the potential economic implications ̶ and the transmission mechanisms for those implications ̶ of different regulatory approaches (OECD, 2023[30]).