Introduction
Digitalisation is significantly impacting international trade in goods and services, changing its scale, scope and speed.[1] Digital revolution has reduced the costs and increased the pace of international trade, facilitating the co-ordination of regional and global value chains, diffusing technologies, and linking many businesses and consumers globally.[2] Digital economy has resulted in higher volume of traditional trade, ‘more digitally ordered parcels, more digitally delivered services, more smart and connected goods, and more data crossing international borders’.[3] African countries are underpinned by the highest levels of barriers or restrictions in digital trade transactions and matters. The conclusion of the Protocol to the Agreement Establishing the AfCFTA on Digital Trade (PDT) therefore provides important basis to change the dynamics. In particular, data governance regime of the PDT deserves a closer scrutiny because of its capacity to foster or frustrate trade. Against this backdrop, this paper explores the optimal model for data governance in the implementation of PDT.
Digital Trade and Cross-Border Data Transfers
Digital data is crucial for the provisions of cross-border trade in goods and services given that firms of every size and across multiple sectors use data. While multinationals corporations depend significantly on cross-border data flows, cross-border data transfers have also assisted in the creation of the ‘micro-multinational’. [4] This is a new form of micro, small and medium-sized enterprises (MSMEs) which are born global and interconnected. Apart from being an important driver of international trade, cross-border data transfers also raise privacy issues, trust, and the regulation of legitimate and national security objectives. Thus, many countries are scrambling to find the optimal regulatory approaches to regulation of cross-border data transfers, depending on the sectors or type of data. Accordingly, the regulation of cross-border data transfer takes multiple forms, namely: limited transfer model; conditional transfer model; and open transfer model.[5] These models can also be conceptualized in the form of open model (no regulation of cross-border data transfers); ex-post accountability model (unconditional cross-border data transfers subject to ex-post accountability for the data exporter if data is sent abroad); adequacy determination model (conditional); and case-by-case model (data transfer subject to a review and somewhat discretionary approval by relevant authorities). [6]
In limited transfer model, data is usually associated with national security and public order. While cross-border data flows are not entirely prohibited, there are measures for ‘data localization’ and extensive and systematic monitoring of data flows across borders. Conditional transfer aims to provide a balance between privacy protection and data openness. Accordingly, conditional transfer ensures that there are mandatory regulatory safeguards which if complied with allow for cross-border data transfers. This model is defined by certain conditions for transfers such as consent, regulatory equivalence, and private sector assessment with earlier approval. Open transfer model is governed by the general absence of statutory requirements for cross-border data transfers, highest flexibility for cross-border data flows, and more regulatory heterogeneity. [7]
The PDT follows the middle path by adopting a conditional transfer model that allows cross-border transfer of data, subject to measures to maintain legitimate public policy and essential security interests. These measures must not be applied in a manner which would constitute a means of ‘arbitrary or unjustifiable discrimination’, or a disguised restriction on digital trade; and should ‘not impose restrictions on transfers of data greater than are required to achieve the objective’. These conditions import two vital points. First, the prohibition of ‘arbitrary or unjustifiable discrimination’ imports non-discrimination standards. Secondly, the expression ‘not impose restrictions on transfers of data greater than are required to achieve the objective’ imports proportionality requirement. Accordingly, a State Party’s imposition of restrictions on transfers of data must be proportional to the objective sought to be achieved.[8]
Protection of Personal Data
The PDT obliges State Parties to maintain a legal framework that provides for the protection of the natural persons engaged in digital trade. Such legal framework must take into account the relevant principles and guidelines adopted by regional, continental and international organizations. The implication is that the dominant principles and practices of personal data protection law and regulation apply. Accordingly, personal data in digital trade should conform to principles including, consistency and legitimacy; lawfulness and fairness; purpose, relevance and storage; data minimization; accuracy; transparency; confidentiality and security; non-retention beyond need for use; and data subject rights (including the right to be forgotten/erasure). Moreover, the PDT equally provides for notification, transparency, publication of information on data governance and other requirements.
Computing Facilities and Data Innovation
The PDT provides that State Parties should not require data localization,[9] subject to legitimate public policy objective and essential security interests. While the PDT favours the data-holders’ ability to retain control over data location and use, State Parties can rely on transparent regulation to alter the dynamics.[10] Arguably, State Parties should ensure that cross-border data flows are not impeded to promote digital trade. Evidence shows that limited data transfers model is negatively correlated to digital trade while conditional transfer model and open transfers model are positively associated with digital trade. The requirements of local storage, local processing and limited data flows, in many cases, are not good for digital trade. Accordingly, State Parties should follow the optimal regulatory model for digital trade, consistent with the PDT, involving flexible cross-border data flows rules backed by domestic safeguards.
Conclusion
The PDT embodies diverse provisions to upscale the participation of businesses in digital economy. State Parties therefore should follow the optimal regulatory model involving flexible cross-border data flows rules backed by domestic safeguards.
*This research is funded by the Alexander von Humboldt Foundation, Germany, as part of the return fellowship grant.
[1] https://www.oecd.org/trade/OECD-key-issues-in-digital-trade.pdf, accessed 25 June 2024.
[2] https://www.oecd.org/trade/topics/digital-trade/, accessed 25 June 2024.
[3] https://www.oecd.org/trade/OECD-key-issues-in-digital-trade.pdf, accessed 25 June 2024.
[4] https://www.oecd-ilibrary.org/docserver/b2023a47-en.pdf?expires=1718086661&id=id&accname=guest&checksum=B48CF621CBE54FABE85FED0033363DD2, accessed 25 June 2024.
[5] https://thedocs.worldbank.org/en/doc/1eca7ab3a21d58fb30d9478365a83c64-0050012022/original/WDR-Chapter-7-Data-and-Digital-Trade-Presentation.pdf, accessed 25 June 2024.
[6] https://www.oecd-ilibrary.org/docserver/b2023a47-en.pdf?expires=1718086661&id=id&accname=guest&checksum=B48CF621CBE54FABE85FED0033363DD2, accessed 25 June 2024.
[7] https://thedocs.worldbank.org/en/doc/1eca7ab3a21d58fb30d9478365a83c64-0050012022/original/WDR-Chapter-7-Data-and-Digital-Trade-Presentation.pdf, accessed 25 June 2024.
[8] Article 20(3) of PDT.
[9] Article 22 of PDT.
[10] Article 23 of PDT.
