The digital trade regulatory landscape has experienced important changes in the last decade for most countries. The average digital trade restrictiveness in Africa and the Americas has decreased in the last decade, while restrictions have increased in Europe and Asia-Pacific (Figure 12).
Examples of these important changes in the regulatory landscape for digital services include the uptake of privacy and data protection regulation in many countries. Some of these regulations include new provisions on cross-border data transfers affecting how digital services are traded. In this regard, between 2014 and 2025, 44 countries introduced or deeply modified the rules applicable to cross-border data flows. Examples of these reforms include Korea’s amendment of its Personal Information Protection Act that allows cross-border transfers of personal data provided the transfer is notified or disclosed in the controller’s privacy policy and appropriate statutory safeguards are implemented. Further amendments in 2023 facilitated overseas transfers in cases where transfer is contractually necessary and disclosed, made to a certified or adequate-protection jurisdiction, or conducted pursuant to an applicable treaty or international agreement. Likewise, in 2019, Nigeria adopted the Nigeria Data Protection Regulation (NDPR) that was replaced in 2023 by the Nigeria Data Protection Act (NDPA). The law permits transfers of personal data to recipients that are subject to legal requirements that afford adequate levels of protection. The adequacy of the level of protection is determined by the Nigeria Data Protection Commission. Thailand also addressed the lack of regulation on cross-border data flows by enacting its Personal Data Protection Act, in force since 2022, which allows transfers of personal data only to jurisdictions with adequate protection. To assess whether a jurisdiction provides adequate protection, Thailand considers whether its laws match Thailand’s standards for data protection and rights enforcement, and whether it has a dedicated authority to enforce them. While most of these reforms aim at increasing trust in digital services by enhancing the protection of data and consumers, implementation approaches vary significantly, making it difficult for businesses to develop global or regional compliance strategies.
Other countries have introduced heavier rules relating to cross-border data flows (Casalini, López González and Nemoto, 2021[13]). For instance, since 2016, Kazakhstan has prohibited the cross-border transfer of personal data, requiring that all collected data be stored within its territory. Similarly, Türkiye has tightened its cross-border data transfer rules in recent years. From 2019, critical information and data must be stored domestically. Additionally, since 2020, social network providers with over one million daily users in Türkiye, whether domestic or foreign, are required to store data of Turkish users in local data centres and implement the necessary technical and administrative safeguards. While there are legitimate reasons for diversity in regulations, the regulatory landscape that underpins cross-border data flows and local storage requirements continues to increase in complexity. Against this backdrop, it is important to find commonalities in regulatory approaches to mechanisms to move data across borders also by increasing engagement in international discussions on digital trade related issues (OECD, 2025[14]).
From a more general perspective on regulations affecting digital trade, several countries have implemented important reforms over the last decade (Figure 13). Some examples include:
Uganda: A series of legislative changes introduced in 2019 enhanced market openness and reduced digital trade restrictions. Most notably, Uganda introduced new Interconnection and Access Regulations under the Communications Act to regulate interconnection prices and conditions in mobile and fixed-line telecommunications. The Regulations allowed the Communications Commission to set maximum interconnection rates based on service accessibility and fair treatment among operators and to impose charges for interconnection services for all operators or only for those operators designated as having significant market power. The Communications Commission also introduced new licensing regulations that implemented vertical separation in the market. In addition, the Communications Competition Regulations empower operators, third parties, and the Communications Commission to monitor competitive conduct in the telecommunications market. In the area of cross-border data flows, the Data Protection and Privacy Act allowed data to be stored outside Uganda, provided that the receiving country ensures adequate data protection safeguards.
Vanuatu: As of 2016, the Registrar, authorised to register domain names, is required to establish a dispute and complaints resolution process. Moreover, since 2020, non-resident foreign providers have been able to access e-registration and e-payment services with the tax administration. Vanuatu also acceded to the World Intellectual Property Organization (WIPO) Copyright Treaty and the WIPO Performances and Phonograms Treaty in 2020, and, in 2025, authorised cross-border transfer of personal data in third countries provided prior approval is obtained from the Minister and the destination country ensures adequate data protection safeguards.
Seychelles: Since 2023, the Communications Act requires operators of mobile and fixed-line telecommunications to publish the approved reference interconnection offers on the interconnect provider’s website and provide a copy to any interconnect seeker upon request. In addition, it requires operators with significant market power in mobile telecommunications to establish and maintain a cost accounting system, ensuring vertical separation via the proper attribution of costs and revenues to specific activities. The Data Protection Act, which entered into force in 2023, provides that personal data may be transferred outside the country where the destination country ensures adequate data protection safeguards, subject to approval by the Information Commission. The Commission may prohibit cross-border data transfers where necessary in the public interest.
Mexico: In 2014, Mexico introduced the federal telecommunications law that eased foreign participation in mobile and fixed-line telecommunications. It also introduced a new independent regulator, the Federal Telecommunications Institute (IFT), with exclusive authority over the sector and new sanctioning powers, and a series of pro-competitive measures challenging the dominant position of incumbent firms. In 2025, Mexico replaced this law by a new telecommunications and broadcasting law (Ley en Materia de Telecomunicaciones y Radiodifusión), which introduced significant institutional restructuring. The Telecommunications Regulatory Commission (CRT), operational as of October 2025, was established to assume the functions previously carried out by the now-dissolved IFT. CRT has technical, operational, and managerial independence and operates as a decentralised body under the Digital Transformation and Telecommunications Agency (ATDT). Its responsibilities include regulating telecommunications, managing the radio spectrum, overseeing broadcasting, and coordinating government digital transformation efforts. This institutional restructuring also led to the creation of the National Antitrust Commission (CNA), likewise operational as of October 2025, which now serves as the authority on economic competition matters, including functions previously exercised by the IFT.
