Can Cybersecurity Be a Unifying Factor in Digital Trade Negotiations?
COMMENTARY
Over the past decade, the digital trade policy community has been consumed by battles over data privacy, cross-border data flows, and e-customs duties, on which forging an international consensus remains elusive. Yet among the geopolitical jostling on these issues, there is at least one critical area where we see steady, tangible progress in digital trade policy: cybersecurity.
In today’s global economy, the increasingly fragmented state of global cyber regulation undermines cybersecurity and the growth potential of digital trade. Trade negotiators should leverage the opportunity to secure more ambitious cybersecurity commitments, advancing a fair, inclusive, sustainable, and secure digital trade environment, even as negotiations on more contentious digital issues remain stalled.
How We Got Here
The European Union’s General Data Protection Regulation (GDPR) and the ensuing transatlantic battles over secure data flows were the initial source of digital trade tension in recent negotiations. GDPR’s adequacy requirements — which set steep data protection standards for non-EU member states — blocked prior US–EU cooperation around cross-border data flows, creating panic around whether data could continue to cross the Atlantic.
The attention that wasn’t consumed by data policy focused on negotiations around digital taxes and customs duties at the Organisation for Economic Co-operation and Development (OECD) and World Trade Organization (WTO), respectively.
Then, last October, the US Trade Representative sent a thunderbolt out of the blue, upending several decades’ worth of US Digital Trade Policy. The decision to withdraw US support for the issues of cross-border data flows, data localization, and source code review in negotiations for the Joint Statement Initiative on eCommerce at the WTO came as a shock to many.
US industry and trade associations called for the US government to reverse its decision and reaffirm its support for cross-border data flows. The concern spread to Congress, where hearings were held to understand the underlying cause of the decision. US trading partners, meanwhile, felt left out in the cold, having advocated for such provisions for years with the encouragement of the US.
A Bright Spot in Digital Policy
Cybersecurity policy, meanwhile, has proved far less contentious, facilitating more international cooperation, and with good reason: It is foundational to trust in the digital economy. As policymakers continue to take a more active role in domestic cybersecurity policymaking, governments must also ensure that regulations are interoperable with those of their counterparts in order to avoid unnecessary non-tariff barriers to trade. So far, central governments around the world have laid a strong foundation, grounded in international consensus, but there’s far more work to be done to negotiate digital security standards across borders.
This groundwork can be found in a new report, “Guarding Global Commerce: How Cybersecurity is Addressed in International Trade Agreements,” from the Coalition to Reduce Cyber Risk. The report assesses the 11 free trade agreements (FTAs) that have incorporated cybersecurity provisions to date. It categorizes these provisions into eight distinct areas and analyzes the commonalities and differences in how they are addressed.
The report finds that since 2018, a growing number of FTAs have incorporated cybersecurity provisions, and these provisions have become increasingly comprehensive. Building government cybersecurity capacities, cooperating in addressing security incidents, and leveraging risk-management-based approaches and international standards in domestic cyber policymaking are becoming baseline expectations in modern trade agreements. Meanwhile, more ambitious agreements, such as the Singapore–UK Digital Economy Agreement, have gone as far as to “establish a mutual recognition agreement of a baseline security standard” for Internet of Things devices.
While trade policy writ large continues to face challenges, there are opportunities to make further progress. The World Trade Organization Joint Statement Initiative on eCommerce — a 90-country agreement spanning most of the global economy — could yet be concluded before the fall. Future trade discussions between the US and Taiwan offer an opportunity to match the ambitious digital trade commitments that have been made by peer countries — such as the UK, Singapore, and Australia.
For the US, adoption of language mirroring the Singapore–UK DEA on mutual recognition of IoT security baselines would be an excellent place to start. Incorporating coordinated vulnerability disclosure requirements for critical infrastructure would place the US at the forefront of this topic once again. Even as we face continued headwinds on provisions like data flows and e-customs duties, further progress is both needed and achievable in digital trade policy. The Office of the United States Trade Representative should seize this opportunity.