/SMEWG41/039 Agenda Item: 16.3 Benefits of Open Cross Border Data Flows Purpose: Information Submitted by: United States 41 st Small and Medium Enterprises Working Group Meeting Iloilo, Philippines 23-24 September
7/10/ SMEWG 41 Iloilo City, September 23-24 Mr. Michael Mudd The Open Computing Alliance 1
7/10/ Micro and small business are using online marketplaces and payment systems to advertise, transact and grow their business Alibaba, ebay, Global Sources, Amazon - all provide low cost marketing services to enable SME s join the Global Value Chain. These form what may be described as a new Digital Supply Chain where the flow of physical goods is enabled by the information flow resulting in increased trade. Local data storage requirements and restrictions on cross-border data flows (domestic routing requirements) road bumps Examples:* All Internet service providers to store any retained subscriber traffic data in-country; All taxpayers to store business records incountry, even when cloud services are used. All personal financial information collected incountry to be stored locally. More importantly, they may violate legal obligations under the GATT/WTO. * www.brt.org 2
7/10/ Non APEC 50% APEC 50% Half of all economies that have localisation policies are part of APEC. Its 21member economies account for approximately 41% of the world s population, 54% of the world s total GDP, and 44% of the world s trade. Economic job creation support of domestic industries, including SMEs increasing domestic competitiveness vis-a-vis global companies Non-economic Data privacy and protection Cyber-security National security Protection of health, safety, or the environment 3
7/10/ Of the six stated goals of the identified localization policies, data localization policies were used to attempt to achieve four of them; - more than any other method. Data localization may be used as a means to reach objectives concerning ICT sector development, data privacy and protection, law enforcement access, and national security. Agriculture Manufacturing especially Automobiles/trucks Communications Crisis Response Education Energy Environment Financial Services Insurance Supply chain logistics Health News and Entertainment Professional Services Retail Travel and Transport and in particular SME s! 4
7/10/ Myth: Data storage localization requirements make personal or important data more secure. Reality: Such requirements generally make data less secure and more vulnerable to natural disasters and data breaches. Data localization prevents companies from diversifying their storage solutions, thereby further enhancing risks. Solution: Don t require data to be stored locally; adopt global best practices rather than creating market-specific approaches. Myth: Data storage localization requirements create jobs and support domestic industries. Reality: Data centers are like todays giant cargo ships; they require low staffing and won t be used by companies whether foreign or domestic if their operational costs are high and they do not meet global standards for data privacy and security. Solution: Don t force data to be stored locally; involve economic decision-makers and in rulemaking processes concerning non-economic objectives. 5
7/10/ Myth: Data storage localization requirements help SMEs access global markets. Reality: Such requirements keep SMEs local and cut them off of global value chains SMEs can t use online marketplaces or low cost, highly secure cloud services and applications if required to keep data locally. Benefits larger domestic companies who might be willing to pay higher costs at the expense of SMEs Degrades any efforts to promote innovation or promote SMEs access global markets. Solution: Don t require data to be stored locally; involve economic decision-makers and ministries in rulemaking process concerning non-economic objectives. Myth: Restrictions on cross-border data flows help protect data privacy and security and are critical to law enforcement efforts. Reality: Unique approaches to data privacy and security create greater risks for governments and data controllers and processers, therefore complicating law enforcement efforts. Solution: APEC economies should adopt the APEC Privacy Framework and join the APEC Cross Border Data Privacy Rules System as well as adopt ISO Standards such as ISO27018 that specifies controls to protect personal data. 6
7/10/ Positive Impact on economic growth The Internet contributes to up to 20% of GDP growth in some economies (Brazil, China, India, Russia) (McKinsey Global Institute 2011). Negative Impact data localisation requirements: 1. Act as a drag on this growth. 2. Cut economies out of global value chains in particular SME s. 3. Deprive innovative SMEs from growth, market access and employment opportunities. 4. Weaken the interoperability of the Internet. 5. Create market segmentation. http://www.usitc.gov/publications/332/pub4485.pdf ECIPE study* Negation of any growth gains from trade agreements for specific economies. Negative growth from full data localization requirements and restrictive data privacy rules, but growth more negative with both policies in force. May decrease GDP between 0.6 to 1.7%. *http://www.ecipe.org 7
7/10/ Globally connected countries increase their gross domestic product (GDP) growth by up to 40 percent more than less connected countries. ICT enables growth, particularly in emerging economies, by giving SME s ready access to global service delivery platforms. Removing trade barriers faced by digitally intensive firms would markedly increase GDP, wages, sales and employment of all. Embracing cross-border data flows reduces physical trade barriers and reduces the impact of geographical isolation from major export markets * http://businessroundtable.org/sites/default/ files/reports/brt%20puttingdatatowork.pdf Local companies would be required to pay 30-60% more for their computing needs than if they could choose freely. (Leviathan Security Group, July ) Raises costs of data breaches, since recovery options may be limited, in particular within a smaller economy. 8
7/10/ APEC Privacy Framework and CBPRS. APEC Innovation and Trade Policy Principles. APEC Best Practices to Create Jobs and Increase Competitiveness. APEC Initiative of Cooperation to Promote the Internet Economy. CBPR developed by participating APEC economies. Objective to build consumer, business and regulator trust in cross border flows of personal information. The APEC CBPR system requires participating businesses to develop and implement data privacy policies consistent with the APEC Privacy Framework. Compliance with the minimum program requirements of the APEC CBPR system and be enforceable by law. http://www.cbprs.org/ 9
7/10/ Clarify that the APEC Leaders anti-protectionism pledge covers digital protectionism and therefore data localization. Leaders commit to roll back and avoid any requirements to store data locally or condition on the provision of a service on building a local data center. Initiate a detailed study on macro and micro costs of data localization in APEC economies and impact on regional economic integration. Together with the OECD, provide new guidance to APEC economies on internal coordination of regulatory work, so that economic an non-economic ministries and regulators coordinate with each other during rule-making and take into account the trade and investment impacts of any proposed regulations concerning cross-border data flows. Acknowledgments Ed Brzytwa, Director of Global Policy Information Technology Industry Council www.itic.org Thank You! Michael Mudd mmudd@asiapolicypartners.com www.opencomputingalliance.org www.asiapolicypartners.com 20 10