Part I - Enabling Datafication

1 Data Network as Enabler Digital Inclusion and Trade Policy

1.1 Introduction

Efficient and affordable digital physical infrastructure is the prerequisite that enables people to meaningfully participate in the data-driven economy. In this broadband era, people who are connected are empowered in a manner that allows them to access information, online education, health and banking services, and much more. Broadband communications services, which include fixed-line and wireless communications networks, contribute not only to the integration of remote regions and disadvantaged groups, but also to key infrastructure in the economic development of virtually all sectors. In this context, broadband infrastructure is essential to improvements in the quality of life, for both developed and developing countries.¹

The benefits of broadband development, however, are not evenly distributed. A long-debated concern expressed by developing economies is the inability to take advantage of evolving digital technology.² The reality is that digital transformation varies across countries and people.³ Generally, this inability underscores the importance of greater “digital inclusion,” which is defined as bridging the gap between individuals and groups, as well as economies.⁴ In measuring digital development, it is important to note that, in 2019, only about 40 percent of people in developing countries were able to access and use the Internet.⁵ According to International Telecommunications Union (ITU) statistics, although globally more than 1 billion new Internet users have been added from 2017 to 2022, outstanding digital divides persist between “connected countries, communities, and people.”⁶ By mid-2022, 5.3 billion people were Internet users, which means that almost 37 percent of the world’s population does not use the Internet.⁷ Most often, such divides stem from insufficient or slow connectivity, which is closely correlated to geography and socioeconomic status.⁸ Substantial digital divides exist between countries,⁹ with nearly 87 percent of people using the Internet in developed countries compared to approximately 44 percent in developing countries.¹⁰ In least developed countries (LDCs), only 19 percent of individuals are online.¹¹ At the same time, intercontinentally, the trend of datafication continues to boost international Internet traffic and therefore requires more and more international bandwidth. It is evident that the demand for submarine cable infrastructure is quickly growing. Currently, transatlantic cable connections are the densest routes, with the highest traffic capacity, which continues to grow annually at the rate of 38 percent.¹² According to the American Chamber of Commerce, submarine communications cables that link the US and the European Union (EU), two of the most developed areas, carry 55 percent more data than transpacific routes and 40 percent more data than US–Latin American routes.¹³

Evidently, the “haves” – people who are connected to the Internet – are empowered. Digital infrastructure allows people to participate in a digital world, which in turn increases their overall well-being in these countries.¹⁴ On the other hand, being “unconnected” means the “have-nots” cannot access online health services, make payments via mobile phone, or increase productivity through digital skills. The recent pandemic has convincingly demonstrated the need to bridge the digital divide. The COVID-19 crisis has stimulated a surge in the use of digital services. In the US, for example, home broadband traffic was up by roughly 20–40 percent from the onset of COVID-19.¹⁵ The unprecedented demand during the pandemic for online delivery, including e-commerce, e-education, and e-health, has underscored the need for efficient and affordable digital services.¹⁶ Even in developed countries, telecommunications regulators required Netflix and YouTube to reduce streaming loads in an attempt to prevent the Internet from collapsing under the strain of heavy usage due to the coronavirus pandemic. The need to address the challenges that hamper greater digital inclusion in developing countries, particularly in LDCs, is now more urgent than ever.¹⁷

Looking to the future, the core idea behind Industry 4.0,¹⁸ as supported by the fifth generation (5G) network, is to connect machinery to the Internet, which encompasses technologies including 3D printing, the Internet of Things (IoT), artificial intelligence (AI), and big data analytics.¹⁹ The connected devices associated with the IoT, for example, will dramatically increase demands on digital networks. Nearly every piece of technology we use will be part of an always-on, always-connected web of smart sensors and data feedback devices.²⁰ That in turn will unleash a torrent of data traffic across the Internet. However, the reality is that current networks are nowhere near ready to accommodate this level of Internet traffic.²¹ Accommodating the technology evolution and meeting ensuing connectivity demands will require continued modernization of legacy telecommunications infrastructure, as well as the creation of additional broadband networks.²² In light of the high levels of investment required to adopt 5G networks, developed countries’ early deployment of 5G networks is expected to exacerbate the current digital divide.²³ According to industry estimations, the cost to deploy a 5G network may range from USD 6.8 million to USD 55.5 million, depending on the size of the city.²⁴ The ITU predicts that 5G penetration will be around 60 percent in developed economies by 2025, whereas the same network connectivity during this period will be below 10 percent in Latin America and below 5 percent in African countries.²⁵

1.2 Opening the Services Market

1.2.1 Telecommunications Liberalization

In the context of international economic law, a few premise questions are in order. What role has the liberalization of telecommunications services played in the emergence of today’s broadband “digital divide?” How might international trade agreements have contributed to such inequalities? How can the WTO help to narrow the digital divide, or even to promote digital inclusion? To answer these questions, a brief overview of the negotiating context of the relevant WTO treaty obligations is discussed below.

Historically speaking, the pre-Uruguay Round General Agreement on Tariffs and Trade (GATT) system applied only to trade in goods. In light of the increased potential for international trade in services, the elimination of trade barriers to service sectors became a major priority of a number of developed countries in the Uruguay Round of trade negotiations in the early 1990s.²⁶ The conclusion of the General Agreement on Trade in Services (GATS) in 1994 forms an essential component of the legal framework for a global trading system.²⁷ The GATS is the first multilateral trade agreement to cover trade in services, through which WTO members commit to the liberalization of the services sectors. In scheduling their market access commitments, members indicate the limitations on market access for each services sector scheduled with regard to each of the “four modes of supply.”²⁸

Arguably, the GATS opened global telecommunications markets for multinational telecommunications companies in such a way that a critical mass of WTO members have included the telecommunications sector in their schedules of commitments. Overall, emerging economies have recorded a high incidence of commitments on Mode 3 (foreign investment). According to the WTO Secretariat, such unique patterns of commitment by emerging economies “illustrate the importance they have attached to foreign direct investment (FDI) as a means of improving and extending national telecommunications networks and universal access.”²⁹ Over the years, the interplay between the liberalization of the telecommunications market and the possibility of attracting foreign investment in the sector has been repeatedly raised by WTO members – with divergent viewpoints. While some delegates from developing countries pointed out that the degree of liberalization in the telecommunications sector should be based on “the possibility for such liberalization to promote both growth and development,”³⁰ delegates from developed countries continued to stress that the liberalization of telecommunications could help modernize the economy, promote development, and bring “considerable growth effects” in the FDI host countries.³¹

For a long time, even before the broadband era, developing countries and LDCs have required injections of foreign capital into their telecommunications infrastructure. In the pre-GATS world, however, most states maintained state-monopoly control over telecommunications. Despite the enormous demand for capital to build large-scale networks, the telecommunications services sector was generally closed to FDI. When the GATS became effective, market forces were unleashed, and monopoly telecommunications incumbents began to face both domestic and foreign competition. In theory, competition driven by market forces should deliver services more effectively than monopoly-based schemes.³² The economic assumption was that government-owned telecommunications companies were being privatized and confronted with the threat of entry from new competitors, thereby forcing these monopolies to become more efficient. At the same time, openness to foreign capital in the telecommunications industry could result in increased infrastructure investment and thus bridge the digital divide.³³

1.2.2 From Monopoly to Competition

The promised economic benefit of market access commitments, however, has never been realized in many developing countries and LDCs. There is a missing link between telecommunications liberalization and broadband investment. Before the WTO opened the global telecommunications market, cross-subsidization within a monopolized market was the traditional means of pursuing “universal service” goals for most countries. Under such a monopoly scheme, losses incurred from less lucrative activities were financed by income earned from more profitable ones.³⁴ The trend of telecommunications liberalization brought about by the GATS, however, has posed a significant threat to cross-subsidies.³⁵ As observed by Batura, in the pre-GATS age, monopolistic suppliers of telecommunications services financed universal service through cross-subsidization. Generally, one monopoly operator served the entire domestic telecommunications market and signed bilateral commercial agreements with the monopolists of other countries for international interconnection.³⁶ However, the operation had to be changed following the liberalization of the market. In competitive telecommunications markets, cross-subsidies have been squeezed out of the rate structure because prices in low-profit areas are not rebalanced to competitive levels. As a result, market forces may even broaden the digital divide.³⁷ Without governmental intervention, profit-motivated telecommunications network operators will prioritize serving densely populated, high-usage urban areas rather than rural areas or low-usage households – the “cream-skimming” or “cherry-picking” effect.³⁸

The transitional stages from a monopolistic to a competitive telecommunications market, therefore, have been a bumpy road in terms of reshaping universal service policies, especially for developing countries and LDCs, where infrastructure development needs are urgent. According to the United Nations Conference on Trade and Development (UNCTAD), a dominant part of FDI has been concentrated in a select few countries, leaving the LDCs to receive less than 2 percent of global FDI.³⁹ Over the past decade, FDI flows to LDCs have increased only marginally.⁴⁰ Among all infrastructure sectors, FDI in renewable energy generation and distribution services has increased since 2021, while FDI in other infrastructure sectors, including telecommunications services, barely grew.⁴¹

As Shaffer observed in a broader context, international trade liberalization results in the more efficient use of resources, but the gain from such economic efficiency may not be “inclusively shared.”⁴² Rather, international trade, together with “other primary culprits,” can contribute to increased inequality.⁴³ Evidently, market liberalization alone failed to promote broadband equality. In order to promote affordable access to physical networks, the challenge for governments is how to utilize competition to maximize access while enforcing a digital inclusion policy to minimize geographic inequalities. After all, while competition delivers broadband services in “abundance,” it distributes them unequally.⁴⁴ As discussed below, the domestic ‘funding’ mechanism therefore becomes the central issue in the alleviation of the digital divide.

1.3 Bridging the Digital Divide

1.3.1 Universal Broadband Service

The lack of “universal access” to telecommunications services has been addressed nationally – primarily via “universal service” mechanisms administered by national communications regulators to spur infrastructure development in high-cost areas.⁴⁵ From a historical perspective, the contemporary concept of “universal service” carries a somewhat different meaning today than when it was coined by Theodore Vail, the chief architect of the Bell system.⁴⁶ When Vail first advocated for “one policy, one system, universal service” in 1908, the term “universal service” was conceived as a single provider offering a single telephone network, to which all customers were connected.⁴⁷ In that context, the losses could easily be “cross-subsidized” by the profits within a monopoly scheme – just as the Bell system did in the US.⁴⁸

Following the liberalization of telecommunications in the 1990s, it has been generally recognized by regulators around the world that increased competition, coupled with a domestic universal service fund,⁴⁹ may provide a nation with the best opportunity to achieve the goal of digital inclusion.⁵⁰ To bridge the digital divide, governments have typically turned to public policies that aim to both promote market efficiency and improve social welfare – namely, pro-competitive regulations complemented by “universal service” mechanisms that mitigate the digital divide between commercially viable and nonviable areas.⁵¹ The modern concept of “universal service” therefore means the availability of telecommunications services for all customers at an affordable price, supported by subsidies.⁵² One striking example is Section 254 of the US Telecommunications Act of 1996, which employs a funding mechanism to finance universal service through equitable contributions by all telecommunications operators.⁵³ The basic rationale is that while competition can foster affordability by reducing costs and prices in profitable areas, a “universal service fund” can help to ensure that “basic services” are provided to unprofitable rural areas.⁵⁴

Neither “universal” nor “service,” however, are self-defining terms. Considering the uncertainty surrounding technological developments, it is necessary for regulators to operate in a reactive manner, implementing universal service policies that can adjust to unique changes in digital technologies. Consequently, most jurisdictions use vague language in their regulations to offer a fair degree of interpretive flexibility.⁵⁵ For example, the scope of the universal service scheme in the US remains dynamic, which comprises “an evolving level of telecommunications services” that regulators must periodically revisit and reevaluate.⁵⁶

1.3.2 Evolving Technologies

In practice, the definition of “universal service” is pragmatic in order to ensure that policies will keep pace with technological developments. As technology evolves, much of the debate focuses on what should be included under the definition of universal service. In this regard, “universal service” in many jurisdictions essentially refers to the provision of “minimum” telecommunications service to people at an affordable price.⁵⁷ Nevertheless, the core question is as follows: What level of telecommunications service represents the “minimum”? Should it include both fixed and mobile broadband Internet access? If yes, how “broad” is the broadband of the network? How should the definition of universal service evolve toward a higher standard of service as digital technologies improve and demands for advanced services increase?

There are variations in the definitions of universal service, and policy tools and financing approaches differ from country to country.⁵⁸ Broadband Internet access has been advocated as a “fundamental right.”⁵⁹ Finland, as a Utopian example, is the first country in the world to enshrine broadband access as a right in law – legally guaranteeing the Finnish people a 1 MB speed by 2010 and a 100Mbps (megabit per second) broadband connection by the end of 2015.⁶⁰ Similarly, the UK government has recognized that access to the Internet is “the passport to the information society”⁶¹ and an “essential element to participate in the economy,” which is “as vital as access to electricity a century ago.” In practice, the UK government announced a new “legal right” to 25 Mbps broadband in 2015, which ensures that all residents and businesses in the UK have access to broadband through a “Universal Broadband Obligation.”⁶² The government has also used “coverage obligations” attached to the mobile operators’ licenses and has required operators to reach 95 percent of the UK population by 2025.⁶³ In this context, Taiwan, which is classified as a developing country, was also set to ensure “broadband human rights” to “all disadvantaged people,” enabling access to 25 Mbps broadband services.⁶⁴ At the other end of the spectrum, however, the United Nations’ 2025 targets for 25 Mbps broadband-Internet user penetration are 65 percent in developing countries and 35 percent in LDCs.⁶⁵

It should be noted, however, that the above fundamental right-oriented approach was to guarantee minimum broadband access to disadvantaged groups in rural areas. The reality is that a “broadband human right” is “not enough” in developed countries. Despite the relatively low floor set by developed countries in terms of standards,⁶⁶ the EU also has ambitious digital plans for 2025, including Gigabit (1000 Mbps) connectivity for all main socioeconomic drivers, such as schools, transport hubs, hospitals, and public administrations.⁶⁷ On the other side of the Atlantic, the US Federal Communications Commission (FCC) has allocated $9.2 billion from its Rural Digital Opportunity Fund for high-speed broadband services – with the vast majority of locations receiving Gigabit broadband.⁶⁸ Indeed, as Moyn pointed out, it is critical to note that “sufficiency” and “equality” are different.⁶⁹ The “basic needs,” “human rights” oriented solutions to digital inclusion – providing the minimum broadband speed – “coexist with a crisis of material inequality.”⁷⁰

To conclude, at present, a universal service policy has been the most popular legal mechanism for countries in the promotion of digital inclusion.⁷¹ Generally, a universal service policy provides a certain level of interpretive flexibility as technology evolves. Textually speaking, “universal” may mean that everyone is entitled to services that meet their needs, regardless of their ability to pay.⁷² “Minimum” may also be defined as “something people actually want”⁷³ – as part of their “basic needs.”⁷⁴ In today’s digital age, how much broadband do we need? Based on the UN’s 2025 targets, 25 Mbps seems to be the answer for developing countries and LDCs – a wide gap compared to the EU 2025 Gigabit connectivity goal. This reconfirms both the theory and the experience that human rights are rarely an effective tool to address socioeconomic inequalities.

1.4 Digital Inclusion under International Trade Agreements

1.4.1 The GATS Telecommunications Reference Paper: Universal Service

Universal service policies, which are now generally accomplished through national funding, are explicitly recognized by the GATS Telecommunications Reference Paper (Telecom Reference Paper). More specifically, in stipulating that WTO members have the right to define the kind of universal service obligations they wish to adopt, Section 3 (Universal Service) of the Telecom Reference Paper implicitly permits members to establish a universal service support fund, stating the following:

Any Member has the right to define the kind of universal service obligation it wishes to maintain. Such obligations will not be regarded as anti-competitive per se, provided they are administered in a transparent, non-discriminatory and competitively neutral manner and are not more burdensome than necessary for the kind of universal service defined by the Member.⁷⁵

(emphasis added)

Section 3 of the Telecom Reference Paper, however, is silent as to whether such a fund should be maintained through operator levies or the general tax system. As a whole, the Telecom Reference Paper does not impose a single method by which universal service providers should be chosen or a specific mechanism by which universal service should be funded.⁷⁶ Rather, it leaves WTO members free to define the scope and method of a universal service policy that suits them depending on unique national circumstances. Such flexibility allows members to pursue universal service objectives through a wide range of methods, as long as these social objectives are achieved in a transparent, non-discriminatory manner.⁷⁷ In addition, Section 3 requires that the collection and distribution of a subsidy fund should be performed in a competitively neutral manner, and that the funding levied should not be more than is necessary to meet the member’s universal service policy requirements.⁷⁸ In practice, a member’s universal service scheme should be administered in alignment with the general principles required by Section 3 of the Telecom Reference Paper. For example, when implementing a universal service fund, a member should specify that such a fund is to be financed by all physical network operators, regardless of whether they are domestic or foreign enterprises or joint ventures. Nevertheless, WTO members have the discretion to impose self-defined universal service obligations on services suppliers. A member’s telecommunications regulator has wide policy space in advancing universal broadband service.

In this datafied world, potential reform in this regard is moving toward a requirement that big tech companies contribute their fair share to support the universal service mechanism. In the “FCC Reports to Congress on Future of the Universal Service Fund,” the FCC Commissioners, and in particular Brendan Carr, advocated for a new approach to funding the government’s universal service system.⁷⁹ After pointing out that Netflix, YouTube, Amazon Prime, Disney+, and Microsoft have been “enjoying a free ride on … Internet infrastructure,” Carr specifically asked the US Federal-State Joint Board on Universal Service to ensure that “the businesses that derived the greatest benefit from a communications network … are required to pay the lion’s share of the costs.”⁸⁰ Similarly, the EU has launched a public consultation surrounding how to fund infrastructure upgrades needed for transformative digital technologies, including AI and Metaverse/virtual reality (VR) applications.⁸¹ By underscoring that all players benefiting from the digital economy should “fairly contribute to the required investments,” and that the entire industry should make “proportionate contribution to the costs” of public infrastructure,⁸² it is clear that EU policymakers recognize the need for big tech companies to bear greater responsibility for the universal service goal. Turning back to the Telecom Reference Paper, this book contends that the proposed reforms to the member’s universal service system are aligned with Section 3, which provides sufficient policy leeway to accommodate the divergent policy needs of WTO members and structural changes to the broadband market, as long as they are administered in a transparent, non-discriminatory, and competitively neutral manner. Despite this, the Mexico–Telecom case below demonstrates how a WTO member’s universal service policy can go too far.

1.4.2 The Mexico–Telecom Case: Cost-Oriented Rates

The Mexico–Telecom dispute⁸³ was the first WTO panel proceeding to solely address the GATS, and it is also the only dispute settlement case to address international trade of telecommunications services.⁸⁴ The US asserted that Mexico’s rules governing connection rates for international telecommunications traffic violated its WTO commitments to provide interconnection at reasonable rates. It claimed that the interconnection rates negotiated by Telmex, the incumbent telecommunications supplier in Mexico, were not consistent with the “cost-oriented” requirement imposed by Section 2.2(b) of the Telecom Reference Paper.⁸⁵ Mexico argued that the US erroneously interpreted “cost-oriented” rates as simply equal to the “bare cost” of supplying the telecommunications services, and that instead, the term must be interpreted by taking into account the qualifying phrase “transparent, reasonable, and economically feasible” in Section 2.2(b) of the Telecom Reference Paper.⁸⁶ In the view of Mexico, relevant factors in assessing whether cost-oriented rates were “reasonable” include “the state of a WTO member’s telecommunications industry; the coverage and quality of its telecommunications network; and the return on investment.”⁸⁷ Mexico further argued that in assessing whether the cost-oriented rates were “economically feasible,” key factors should include “the efficient use of income and wealth” and “the needs of the operator and the policy goals of the country.”⁸⁸ In this respect, Mexico’s policy objectives to promote universal service, which “depended to a large extent on interconnection revenues,” should be taken into consideration.⁸⁹ Throughout the litigation, Mexico repeatedly stressed the need for “infrastructure development” and “universal service.”⁹⁰ The main argument is clear: The term “economic feasibility” in Section 2.2(b) of the Telecom Reference Paper provides great latitude in allowing its major supplier, Telmex, to include charges for infrastructure development or universal service.⁹¹

In response to Mexico’s arguments, the US clarified the relationship between Section 2.2 (cost-oriented rate) and Section 3 (universal service) of the Telecom Reference Paper. In the view of the US, “interconnection charges are limited to the specific network components and facilities required for the interconnection service provided.”⁹² Therefore, Telmex’s interconnection charge, which includes a universal service component, violates the “cost-orientation” requirement in Section 2.2. At the same time, the recovery of universal service subsidies hidden in Mexico’s interconnection charges also violates the “transparent administration” of universal service obligations in Section 3.⁹³ The US further pointed out that the Telecom Reference Paper separates the disciplines on cost-orientation rates in Section 2 from the disciplines on universal service in Section 3.⁹⁴ The US delegation argued that if Mexico wished to promote “investment” in its national telecommunications infrastructure, it should “fund” its rollout costs in a way that is consistent with Section 3 of the Telecom Reference Paper. The US contended that Mexico’s recovery of universal service subsidies paid to Telmex through the levy of hidden, inflated interconnection rates from foreign suppliers would be inconsistent with the Section 3 requirement that universal service obligations be administered in a transparent, non-discriminatory and competitively neutral manner.⁹⁵ Interestingly enough, during the oral hearing in the litigation, the US delegation “lectured” that Mexico’s above-cost interconnection rates had not and could not lead to infrastructure rollout and increase the country’s teledensity. The statement went on as follows: “competition, along with … the imposition of a universal service obligation that is consistent with the requirements of Section 3 of the Telecom Reference Paper, will help Mexico achieve infrastructure rollout and increased teledensity.”⁹⁶

While recognizing that the high degree of flexibility embedded in the term “cost-oriented” implies that more than one pricing methodology can be employed when calculating “cost-oriented” rates, the panel nevertheless noted that the widespread use of long-term incremental cost methodologies among WTO members should serve as a reference in determining the costs incurred in supplying the service.⁹⁷ On that basis, the panel concluded that Mexico was in violation of its “cost-orientation rate” commitments under Section 2.2(b) of the Telecom Reference Paper, because the interconnection rates charged by Telmex were substantially higher than the costs actually incurred in supplying the interconnection services.⁹⁸ The panel’s interpretation of the cost-orientation principle, which did not consider domestic regulatory objectives and practices, has been criticized by Howse as “laissez-faire ideology” and a “hyperliberal teleological view” toward the liberalization and deregulation of the telecommunications sector.⁹⁹ Twenty years after the Mexico–Telecom case, the issue of universal service, although framed in different legal contexts, once again came to the fore in the Brazil – Taxation case.

1.4.3 The Brazil Taxation Case: Public Morals Exception

Digital inclusion measures that extend beyond the context of the Telecom Reference Paper might also violate other WTO obligations and therefore raise the question of whether such measures can be justified by the WTO’s general exceptions. At the core of the issue is to what extent digital inclusion falls within the scope of the “public morals” exceptions. In this regard, the Brazil – Taxation dispute represents a remarkable case surrounding the challenges faced by international economic law in striking a balance between trade efficiency and digital inclusion.¹⁰⁰ The measures at issue concerned four Brazilian tax incentive programs.¹⁰¹ Among others, under the Brazilian Digital Inclusion Program, only goods eligible for tax benefits are Brazilian domestic products,¹⁰² representing a straightforward situation of incentives that are provided in respect of a preference for domestic over imported goods. The complaining parties – the EU and Japan – claimed that the Digital Inclusion Program is inconsistent with Article III:4 National Treatment principle of the GATT.¹⁰³

One key issue in the dispute was whether the discriminatory aspects of the measures could be justified under Article XX(a) of the GATT 1994¹⁰⁴ – the public morals exception.¹⁰⁵ In the litigation, Brazil argued that “there is a gap between demographics and regions that have access to modern information and telecommunications technology and those that do not have access or have restricted access.”¹⁰⁶ According to Brazil, the measures in dispute represented an important means to “bridge this digital divide and promote social inclusion,” which would in turn “improve literacy, democracy, social mobility, economic quality, and growth.”¹⁰⁷ To support its overarching policy goals, Brazil submitted as evidence the United Nations’ Millennium Development Goals Report, which stressed that “ICT access and use are unequally distributed within and between countries,” and that “it will be essential to address the widening digital divide.”¹⁰⁸ It further stated: “Only then will the transformative power of ICTs and the data revolution be harnessed to deliver sustainable development for all.”¹⁰⁹ In this regard, the EU argued that the social and economic development objectives claimed by Brazil may “characterize any governmental action.”¹¹⁰ According to the EU, if objectives such as access to information were protected under Article XX, “then any governmental action taken in the public interest could be justifiable under Article XX.”¹¹¹

The panel found that a concern existed in Brazilian society with respect to the need to bridge the digital divide, and that such concern was within the meaning of Article XX(a) of the GATT 1994.¹¹² The panel therefore proceeded to examine whether the measures at issue satisfied the “necessity test” – the principle of proportionality in the context of international economic law. Under this “necessity test” practice, a central question is whether the discriminatory aspects of the measure are necessary to achieve the claimed objective: closing the digital divide.¹¹³ More specifically, the central question in Brazil – Taxation concerned whether the alternative measures proposed by the complaining parties were WTO-consistent measures that were reasonably available to Brazil, that were less trade restrictive than the measures at issue, and that could achieve an equal or higher level of contribution to the objective of bridging the digital divide.¹¹⁴ The panel found that the alternatives proposed by the complaining parties would not only be WTO-consistent and less trade restrictive than the Brazilian tax incentive programs,¹¹⁵ but that they would also make a more substantial contribution to the claimed objective than the measures at issue.¹¹⁶ The panel therefore concluded that Brazil had not demonstrated that the measures at issue were “necessary” to achieve digital inclusion within the meaning of Article XX(a) of the GATT 1994.¹¹⁷ In other words, Brazil’s developmental concerns could not justify the imposition of national-origin measures.

In a broader sense, it is an awkward task for a WTO panel to address the “digital divide” within the context of Article XX of the GATT. Limited to its mandate, the panel’s primary task is to safeguard trade interests and address problems that arise when digital policies have an impact on trade. Nonetheless, the development of network infrastructure is the foundation upon which individuals are empowered to benefit from digital opportunities. Infrastructural dimensions, including enhancements to teledensity and Internet density by wireline, as well as wireless connections, often involve WTO-inconsistent subsidization measures that grant tax exemptions or subsidize ICT-related sectors in any possible way. The mere fact that a responding party must have attempted to stretch the scope of the “public morals” exception to justify its digital inclusion policy within the WTO indicates that the interplay between international economic law and digital inequality invites further reflection.

The WTO’s general exceptions provide a hierarchical framework by which to balance international trade commitments against national social preferences, ranging from the protection of public morals to the maintenance of public health.¹¹⁸ WTO members can, for example, justify violations of their obligations assumed under the GATS through recourse based upon one of the grounds delineated in GATS Article XIV.¹¹⁹ The opening sentence of Article XIV (the Chapeau) indicates that the negotiators’ intent was that all grounds listed in this provision “trump” trade obligations delineated in the rest of the GATS.¹²⁰ In other words, trade liberalization is not the supreme goal that all WTO members must strive to achieve at the expense of other public objectives. Domestic measures aimed at bridging the digital divide, if successfully invoked under GATS Article XIV, may provide WTO members with a lawful escape route from their GATS obligations.

Although the term “public morals” is not further defined in the WTO’s general exceptions, WTO jurisprudence offers examples of public policies that have been found by panels or the Appellate Body to pertain to public morals,¹²¹ which include preventing underage gambling,¹²² combatting money laundering,¹²³ protecting national culture and traditional values,¹²⁴ safeguarding animal welfare,¹²⁵ and, as demonstrated in the Brazil – Taxation case, bridging the digital divide and promoting social inclusion.¹²⁶ Nevertheless, only measures that are necessary to protect public morals will be deemed consistent with the GATS. In this context, the criteria for the “necessity test” have been consistently reproduced and emphasized in WTO jurisprudence, under which WTO members “have the right to decide which level of protection of the objectives it pursues.”¹²⁷ In this particular respect, it is up to WTO members to determine the level of protection of digital inclusion they consider appropriate, and other WTO members cannot challenge the level of digital inclusion pursued.¹²⁸ However, the “necessity test” requires the consideration of alternatives to the measure taken in order to determine whether existing options are “less trade restrictive” while “providing an equivalent contribution to the achievement of the objective pursued.”¹²⁹

As evidenced in Brazil – Taxation, the overall structure of the necessity test developed by the dispute settlement organs of the WTO serves as a critical tool by which to balance the public interests of the regulating member and the trade interests of other WTO members. Consistent with overall Article XX jurisprudence, while the panel in Brazil – Taxation reaffirmed the validity of “digital divide” concerns for purposes of the public morals exception, it also reinforced the necessity test as a limit in terms of how such measures can be applied. To conclude, when trade policy collides with digital inclusion policy, it leads to a dilemma between trade and non-trade values. Faced with such a dilemma, the WTO remains the most effective forum for balancing competing interests. Normatively speaking, however, there is little room for the panels to further expand the reach of the exceptions, and this is attributable to the prominence of the “necessity test” in applying the GATT/GATS general exception language.

1.4.4 DEPA: Digital Inclusion Module

Further disciplines of digital trade have been realized in FTAs and other preferential trade agreements (PTAs) in recent years.¹³⁰ In particular, significant achievements have been advanced by the Comprehensive and Progressive Agreement for Trans-Pacific Partnership (CPTPP)¹³¹ and the United States–Mexico–Canada Agreement (USMCA).¹³² Moreover, the Digital Economy Partnership Agreement (DEPA) between Singapore, Chile, and New Zealand represents an innovative and collaborative approach to digital trade issues.¹³³ Other recently concluded FTAs, such as the EU–UK Trade and Cooperation Agreement (EU–UK TCA),¹³⁴ the Regional Comprehensive Economic Partnership (RCEP) and the EU-New Zealand Free Trade Agreement (EU–NZ FTA), also serve as indicators of future digital trade negotiations.¹³⁵

One important feature of these FTAs, although it may not immediately affect digital inclusion policies, is worth emphasizing: There has been increasing recognition of a state’s “right to regulate.” Moving beyond the GATS preamble, participating parties have increasingly reserved a more concrete “right to regulate” in the FTAs. The Preamble of the CPTPP, for example, includes language stipulating that CPTPP members recognize their inherent right to regulate and resolve issues, preserving the flexibility of the parties to “set legislative and regulatory priorities, safeguard public welfare, and protect legitimate public welfare objectives,” including “public morals.”¹³⁶ As another example, in the Digital Trade Chapter, the parties of the EU–UK TCA reaffirm the right to regulate for the purpose of achieving legitimate policy objectives, such as “public morals.”¹³⁷ Over the long run, this trend may help to strike a balance between trade efficiency and digital inclusion, especially in trade dispute litigation where the preamble of a treaty is a source of interpretative guidance.

Nonetheless, the DEPA represents a new form of digital trade agreement that directly addresses the issue of digital inclusion.¹³⁸ The Digital Inclusion module in the DEPA – the first of its kind – establishes new collaborations pertaining to digital trade issues, including reduced disparities between developed and developing countries, and among haves and have-nots within a given country.¹³⁹ Article 11 stipulates that the parties acknowledge “the importance of digital inclusion to ensure that all people and businesses have what they need to participate in, contribute to, and benefit from the digital economy.”¹⁴⁰ The parties also recognize “the importance of improving access for women, rural populations and low socio-economic groups.”¹⁴¹ Toward that end, the parties have agreed to cooperate on matters relating to digital inclusion, which may comprise, in part, the promotion of “inclusive and sustainable economic growth,” to ensure that the benefits and opportunities of the digital economy are more widely shared.¹⁴²

Surely, the language in Article 11 is relatively “soft” in terms of enforceability. The parties simply “acknowledge” or “recognize” the importance of digital inclusion, a scenario that does not provide countries involved with adequate legal tools by which to enhance their broadband infrastructure. It should be noted, however, that Article 14 renders Article 11 subject to dispute settlement.¹⁴³ A party may request the appointment of an arbitral tribunal to settle disputes among the parties concerning their rights and obligations with regard to digital inclusion. Overall, there is still a long way to go in transforming “digital inclusion” from a “shield” (i.e., a defense) to a “sword” (i.e., an affirmative obligation) under international trade agreements. However, a relatively softer cross-border regime like DEPA provides an early signal of the direction that stronger international commitments to digital inclusion may eventually take in the future. To conclude, a DEPA-type digital inclusion provision that requires cooperation in bridging the digital divide is a feasible starting point.¹⁴⁴ DEPA has apparently resulted in minor but highly symbolic progress in global digital inclusion efforts.

1.4.5 WTO JSI on E-Commerce: Digital Trade and Development

At the multilateral level, the dynamics in the interplay between trade liberalization and digital (in)equality likely will continue. Recent negotiating proposals in the WTO JSI on E-commerce reveal the uneasy relationship between digital trade and development.¹⁴⁵ Central debates include how to promote digital capacity and take into account the special constraints that developing countries face in the digital economy.¹⁴⁶ Communication from Côte d’Ivoire, among other interventions, called for the WTO Secretariat to be responsible for establishing a multilateral cooperation forum to “ensure universal benefits from the digital economy.”¹⁴⁷ Reiterating the fact that they “lack the infrastructure to fully exploit the potential of e-commerce,”¹⁴⁸ developing countries’ position is that they “have not felt the effects of trade digitalization on their economic development,” and that the ongoing e-commerce negotiations may “ignore the development interests of low-income countries.”¹⁴⁹ Similar communications from developing country members also requested that the WTO Secretariat establish a fund to support the integration of developing countries and LDCs into the digital economy. In their view, the WTO “should be responsible” for identifying and cataloguing the various programs, which are aimed at “providing technical assistance and implementing pilot projects for the development of e-commerce.”¹⁵⁰ In summary, developing countries have been pressing for “development-focused digital industrialization,”¹⁵¹ stressing that needs more pressing than digital liberalization include the promotion of digital capacity and the safeguarding of universal benefits of the data-driven economy.¹⁵² They have clearly positioned themselves in support of the argument that the WTO JSI on E-commerce should specifically address the urgent needs of digital connectivity, namely, the enabling infrastructure of e-commerce activities.¹⁵³

Drawing upon the experiences of the FTA negotiations, the issue of how to tackle digital trade and development will continue to be one of the primary battles in the WTO JSI on E-commerce.¹⁵⁴ Among others, one key issue is how to extend special and differential (S&D) treatment in the area of digital trade, which typically offers trade preferences, flexibility, transition periods, and technical assistance to developing countries.¹⁵⁵ The concept of S&D has been incorporated into the E-Commerce/Digital Trade Chapters of the FTA. In the CPTPP, Vietnam has been given a transition period, during which its existing data localization measures cannot be challenged by other parties. Similarly, a grace period has also been extended to both Vietnam and Malaysia for existing measures concerning the cross-border transfer of information by electronic means.¹⁵⁶ By the same token, obligations concerning interactive computer services will not apply to Mexico until three years after the USMCA becomes effective.¹⁵⁷ It remains to be seen how S&D provisions will be incorporated into the WTO e-commerce trade rules.¹⁵⁸

Amid the JSI negotiations, it is important to save the WTO e-commerce trade deal from being a digital “haves” trade agreement. In the digital world, developed countries might just as well be from Mars, while developing countries might just as well be from Venus. In the meantime, the latter are still at the stage where they are struggling to provide Internet access in rural areas and among disadvantaged groups, whereas the former are already focusing on cutting edge issues such as open government data, e-invoicing facilitation, etc.¹⁵⁹ Such gaps have posed challenges to the promotion of the more widespread adoption of multilateral e-commerce trade rules. The WTO must be very careful not to give emerging economies a reason to think they are being excluded from the multilateral process. Priority in the negotiating agenda should be given to addressing the issues surrounding infrastructure development, including both goods (e.g., tax measures on ICT products)¹⁶⁰ and services (e.g., broadband FDI).¹⁶¹ It remains to be seen how WTO members can find the common ground needed to balance digital trade liberalization and development needs. Unless infrastructure concerns from developing countries and LDCs are addressed, the ongoing e-commerce trade deal may end up being labeled a digital “haves” trade agreement.

1.5 Broadband Investment in a Broader Policy Context

1.5.1 Network Neutrality

From a broader policy perspective, a long and painful debate that has been repeatedly asserted as central to broadband investment centers on the regulations regarding network neutrality.¹⁶² Briefly, the erosion of broadband telecommunications revenues has had a disruptive effect on the sector over the past decade. Digital applications such as WhatsApp have become practical alternatives to “traditional” telecommunications services.¹⁶³ Voice and messaging services provided by Internet applications have dramatically drawn voice and short messaging service (SMS) traffic away from mobile operators, causing a significant impact on “traditional” network volumes and revenues.¹⁶⁴ In addition to these revenue-eroding trends, streaming content delivered by suppliers such as Netflix has resulted in the growing demand for broadband infrastructure to seamlessly connect data. Taken together, broadband infrastructure itself is becoming the so-called dumb pipe.¹⁶⁵ Internet content and applications “piggyback” on physical network infrastructure for delivery,¹⁶⁶ while at the same time directly competing with services offered by infrastructure operators. Because of these perceived vulnerabilities, some broadband operators have resorted to blocking or degrading Internet traffic.¹⁶⁷

Against this backdrop, network neutrality is a term that encompasses various levels of equal treatment of online traffic. The primary concept behind network neutrality is that “all data traffic on a network should be treated indiscriminately.”¹⁶⁸ This means that in practice, Internet service providers (ISPs) would be restricted from blocking, degrading, or prioritizing the delivery of online content and applications at their discretion.¹⁶⁹ Whether network neutrality should be imposed as a regulatory requirement has become a controversial issue in many jurisdictions, with politically powerful advocates both in favor of and against its imposition.¹⁷⁰ Especially in the US, since network neutrality’s emergence as an academic idea in the early 2000s, the controversy surrounding it has never ceased.¹⁷¹ Network neutrality opponents have claimed,¹⁷² among other issues, that incentives for physical network operators to continually invest in broadband infrastructure may be reduced if operators cannot realize revenues from the additional traffic generated by online content and application suppliers such as Netflix and YouTube.¹⁷³ In their view, increasing Internet traffic has resulted in a congestion problem, and without new sources of revenue, necessary infrastructure investments in the transmission network layer will be at risk.¹⁷⁴ Based on some empirical data, network neutrality opponents have argued that “the digital divide would have widened” if network neutrality rules were restored.¹⁷⁵ On the other hand, based on an analysis of broadband economics, supporters of network neutrality have advanced arguments suggesting that the neutrality policy would not overly interfere with broadband operators’ ability to “earn a return on their infrastructure investment.”¹⁷⁶

In the arena of international economic law, a looming version of network neutrality – “Open Networks, Network Access and Use” – has emerged since the early 2010s in both bilateral and plurilateral trade negotiations.¹⁷⁷ More recently, a quasi-network neutrality provision, “Principles on Access to and Use of the Internet for Electronic Commerce/Digital Trade” (Access Principles), has been incorporated into the FTAs such as CPTPP’s E-Commerce Chapter and the USMCA’s Digital Trade Chapter.¹⁷⁸ In other words, although the provision did not come closer to a comprehensive approach to network neutrality, a miniature concept of this has been injected into FTAs, with one outstanding caveat: reasonableness.

To illustrate, under both trade agreements, broadband operators within the territories of the parties are still allowed to maintain “reasonable network management.” In this regard, it is permissible for broadband operators within the CPTPP parties to offer their subscribers certain content on an exclusive basis.¹⁷⁹ It should be noted that the concept of “reasonable network management” has been highly controversial within the domestic context, and there is no guidance surrounding its meaning in most jurisdictions. Some broadband operators have claimed that “reasonable network management” may require practices “to reduce or mitigate congestion on the network, ensure quality-of-service, or address traffic that is unwanted or harmful to users, among other things.”¹⁸⁰ If so, this caveat creates a space for broadband operators to throttle Internet traffic or downgrade bandwidth for certain data flows.¹⁸¹

After all, if we borrow from the WTO’s jurisprudence on the “reasonableness” standard, the term “reasonable” is defined by several WTO panels as “in accordance with reason,” “not irrational or absurd,” “sensible,” “within the limits of reason,”¹⁸² and “not greatly less or more than might be thought likely or appropriate.”¹⁸³ Compared with other, more “advanced” standards, such as necessity and proportionality, reasonableness represents a basic standard, which merely requires that the acts are not “irrational or absurd.”¹⁸⁴ It can be argued, however, that under the “reasonableness test,” the question of whether a broadband operator’s network management practices violate the Access Principles should be examined under specific country conditions. Namely, the state of broadband development of a party, especially in the developing world, should be taken into account. When viewed in this light, “reasonableness” is to be determined in context, accommodating local development needs.¹⁸⁵ For example, broadband operators’ practices in Vietnam might be more likely to be considered “reasonable” Internet traffic management if the degraded service was due to traffic congestion concerns. On the other hand, an ISP’s degrading of Internet traffic in Singapore, a leading country in the world in terms of broadband speeds,¹⁸⁶ might be found “unreasonable” as a whole.

In any event, these quasi-network neutrality “rules” under the FTAs are of a soft law nature. The parties merely “recognize” the benefits of the Access Principles, which are subject to a party’s domestic “policies, laws and regulations.” To a large extent, these provisions do not impose mandatory or legally binding obligations. Such obligations carry little institutionalized enforcement for noncompliant behavior. The softness of these provisions reflects the political sensitivity surrounding this issue.

1.5.2 Digital Silk Road

From a foreign policy angle, there has been unconventional but potentially overwhelming progress regarding digital connectivity: the Digital Silk Road (DSR) component of China’s Belt and Road Initiative (BRI).¹⁸⁷ The BRI, as China’s most significant strategic agenda following its accession to the WTO, has centered its initiatives on infrastructure development. Despite mounting concerns regarding debt sustainability and the commercial as well as the political rationale behind the initiative, China’s actions to bridge the global infrastructure gap – whether roads, railways, ports, electricity, or telecommunications infrastructure – are nevertheless welcome in many developing countries and LDCs.¹⁸⁸ Under the umbrella of the BRI, the DSR has gained its own momentum since its emergence in 2015 and is becoming more and more central to the BRI.¹⁸⁹

The DSR’s primary undertaking is straightforward: rolling out broadband in dozens of countries in BRI regions where digital infrastructure is underdeveloped or even nonexistent, and upgrading existing Internet connections to a higher broadband across BRI regions.¹⁹⁰ Under the DSR, dozens of projects have been implemented with the help of Chinese government investments, which generally involve financial aid and technical support for digital infrastructure and related industries. For example, China has been deeply involved in the Infrastructure Consortium for Africa, including the establishment of national broadband networks. Several African countries have substantially benefited from the DSR, primarily in the areas of 5G networks and fiber-optic cables.¹⁹¹ Overall, the DSR has been concentrating on the urgent needs of broadband connectivity in the Global South.¹⁹²

From a “legal” perspective,¹⁹³ China has signed memoranda of understanding (MoU) along the path of the DSR, with at least sixteen countries agreeing to closer cooperation in the development of digital infrastructure.¹⁹⁴ In the Belt and Road Digital Economy Cooperation Initiative, for example, the parties to the MoU declare their intentions to “expand broadband access and improve quality, improve the construction of regional communication, Internet, satellite navigation, as well as other important information infrastructure and facilitate interconnection.”¹⁹⁵ The parties also stress the priority to “explore ways to expand high-speed Internet access and connectivity at [an] affordable price,” as well as to “promote broadband network coverage and improve service capacity and quality.”¹⁹⁶

In practice, the DSR is driven by China’s private companies. Supported by the DSR, telecommunications services suppliers such as China Telecom Corporation, China Mobile, and China Unicom, together with telecommunications equipment vendors such as Huawei and ZTE, take advantage of the “DSR label” to expand their 5G markets overseas.¹⁹⁷ These Chinese companies work together, supply integrated solutions, and – at the same time – “transplant” Chinese standards to the DSR regions.¹⁹⁸ In the long run, the more the DSR’s beneficiary countries depend on Chinese systems in their digital infrastructure, the more progress China realizes in leading the way in global standards for 5G and beyond. In addition to its technical standard-setting efforts, China’s involvement in digital infrastructure through the DSR is increasingly leading to geopolitical and security implications.¹⁹⁹ Concerns have been raised that China can leverage the DSR to “export” its model of technology-enabled authoritarianism to recipient regions,²⁰⁰ which would compromise personal data protection and human rights in those countries.²⁰¹ More specifically, commentators argue that China, through the DSR, will further influence recipient countries to adopt surveillance measures that are detrimental to Internet freedoms.²⁰² In this context, the 2021 G7 summit in Cornwall highlighted such concerns.²⁰³ During the 2021 summit, allied leaders announced a “global infrastructure plan” – the Build Back Better World program – to “provide an infrastructure alternative to China’s BRI.”²⁰⁴ At the 2022 Summit, G7 leaders formally launched “the Partnership for Global Infrastructure and Investment,” which aims to “close the infrastructure gap in developing countries,”²⁰⁵ and to offer, if not rival, an alternative to China’s BRI in developing countries and LDCs.

In summary, although primarily driven by a political agenda and strategic propaganda, the DSR represents an indispensable component in mapping the whole contours of the issues surrounding digital inclusion. The DSR has often been conceptualized as a strategic extension of China’s digital technologies and authoritarian policies, and China’s digital push for development cooperation has long been framed as a part of the Chinese effort to assert itself as the dominant technological power in the world.²⁰⁶ In any event, China’s support for major telecommunications infrastructure projects under the DSR has proven to be a rather strategic and thus effective approach to influencing the developing and the less developed worlds. Admittedly, the DSR can help to enhance digital connectivity in underserved regions, improve broadband access in developing countries, and, at the end of the day, narrow the infrastructure gap.²⁰⁷ Of course, the most pressing challenge facing recipient countries undergoing digital development with the aid of China is how to bargain for their “digital sovereignty.”²⁰⁸

1.6 Conclusion

The “enabling” character of digital physical infrastructure raises questions regarding how best to tackle the issue of “trade and development” in a datafied world. In this chapter, we have examined the issue of digital inclusion at the broadband infrastructure level. This chapter should be read in conjunction with Chapters 5 and 6 of this book. After all, the remedy for broadband access (Chapter 1) cannot be meaningfully realized without ensuring it is in sync with digital application (Chapter 5) and data flow (Chapter 6). Put simply, this is attributable to the fact that the more people access the Internet, the more data digital platforms gain. The far-reaching datafication of human activities goes hand in hand with communications on the 5G broadband. Moreover, as Chapter 2 will continue to address, cybersecurity risks have been growing in parallel with the increasing penetration of broadband networks. Increasing Internet connectivity has led to a surge in cybersecurity threats. Although Huawei’s campaign has emphasized how its exclusion from many countries’ telecommunications markets would “exacerbate the digital divide,”²⁰⁹ the digital economy relies not only on the availability, but also on the resilience, of broadband infrastructure.²¹⁰ Secure and trusted broadband services are equally, if not more, important to a universal broadband service in this datafied world. The security and availability of 5G networks in some way conflict.

2 Data Network as Critical Infrastructure National Security and the Digital Economy

2.1 Introduction

Digital technologies have significantly transformed the way we live our lives. The workings of both the public and private sectors have become reliant on digital infrastructure that enables data flows. The rapid development of “smart cities,” in conjunction with progress in the IoT and AI, has converted more and more social and economic activities into digital data, which has in turn produced new forms of vulnerabilities: the multiplication of cybersecurity risks. Cybersecurity threats, for which digital technology suppliers can build back doors into hardware or software, have become major concerns for policymakers in this datafied era.¹ Along with digitalization, platformization, and datafication, the probability of cyberattacks against critical infrastructure increases as well. Therefore, supply chains of critical industries become intrinsically linked to broader digital and national security policies.

More specifically, the global data network has generated vulnerabilities for states in terms of protecting national security. Cyber risks in the supply chains of critical industries are specifically perceived as threats to the integrity of a state’s critical infrastructure. A cyberattack to a critical national infrastructure is far beyond a mere criminal offence that the nation’s judicial organs can meaningfully address.² Rather, it is a matter of national security that affects the foundation of a sovereign.³ Due to the relatively low cost and wide availability of digital technologies, cyberattacks and cyber terrorists now represent key methods of warfare.⁴ High-profile, hostile incidents over the years⁵ and the recent war in Ukraine offer lessons to other countries about the importance of a cyber defense.⁶ As the backbone infrastructural sector and an interactive central nervous system for the digital economy, 5G networks face acute challenges as a result of cyber espionage, surveillance, and other cybersecurity risks, creating an intertwined relationship between data networks, cybersecurity, and national security.

In terms of national regulations, the mobile telecommunications sector has long been subject to heavy regulations. Traditional command and control mechanisms have been in place, primarily because the sector involves spectrum allocation and other public interests. More recently, controversies surrounding vulnerabilities in 5G goods and services have become a common concern, which has in turn amplified the role of state oversight. National security is now the central theme in the global 5G crisis,⁷ and it is becoming more and more acute given the increasing tensions between the US and China. Taking in the entire picture, the US–China trade war has been intensified due to, or partially under the pretext of, US national security concerns. It has become a general perception that China’s leading role in the 5G standardization process and Huawei’s potential dominance in the global 5G market increase security risks, which could be exploited for spying and industrial espionage.⁸ Facing the potential threat of a “Cyber Pearl Harbor,”⁹ states have resorted to domestic regulation to protect their cybersecurity interests, leveraging their regulatory power to address such concerns, especially in critical industries in which the integrity of critical infrastructure would be in peril if not properly guarded.¹⁰

At the same time, the interdependencies and interconnectedness of cyberspace cannot be fully understood without considering their transnational dimension.¹¹ Cyber risks do not stop at national borders. Critical infrastructure resilience should therefore be examined in the cross-border context. Recent initiatives, such as the EU–US Trade and Technology Council (TTC) and the Pillar of Supply Chain of the Indo-Pacific Economic Framework (IPEF), further demonstrate policy directions to promote supply chain security and strengthen the resilience of ICT ecosystems. With regard to transatlantic allies, the impact of Russia’s invasion of Ukraine on Europe’s supply chains presents an urgent need to “identify and address supply chain vulnerabilities.”¹² Thus, the main agenda for TTC is to cooperate on trust and security issues in the areas of ICT goods and services – namely, to prevent political and economic disruption caused by the over-concentration of resources in key supply chains. If the US is able to replicate the TTC level of cooperation and momentum under the IPEF, the transpacific allies may move forward to establish criteria, jointly identify goods and services critical to their national security, and “increase resiliency and investment in critical sectors.”¹³ Evidently, strengthening international cooperation toward critical infrastructure resilience is a compelling policy option among geopolitical allies.

2.2 Critical Infrastructure as the Backbone of the Digital Economy

2.2.1 Critical Infrastructure and Cyber Resilience

The concept of “critical infrastructure” is constantly evolving. In order to reflect and respond to new challenges in network security, both the number and variety of critical infrastructure are rapidly increasing. Critical infrastructure is now a term commonly used to identify services of a sensitive nature that have the potential to “cause massive disruption to dependent systems/services if they are compromised or destroyed.”¹⁴ Public utilities and emergency services, among others,¹⁵ are most frequently associated with the concept of critical infrastructure.¹⁶ In this datafied age, however, critical infrastructure operates across both the physical and the digital world,¹⁷ and as a result, cybersecurity threats may originate from both the hardware and software components. Indeed, critical infrastructure is “increasingly if not exclusively controlled by computers.”¹⁸ In other words, infrastructure systems have undergone a digital transformation, with consequences to cyber risks and vulnerabilities. Cyberattacks can damage critical infrastructure in various ways, including directly taking control of industrial processes to block the functioning of energy distribution or transport services.

The complex ecosystem of critical infrastructure therefore requires a holistic and convergent security approach that protects both physical security and cybersecurity. Taking the energy sector as an example, the development of a smart grid and other innovative services means that the sector is increasingly reliant on data flows. Thus, an aggregate level of safety is necessary to mitigate both physical and cyber risks to energy systems.¹⁹ Ultimately, critical infrastructure resilience is multifaceted. The disruption of critical infrastructure – whether 5G networks, transportation systems, water or energy supplies, or emergency hospital services – can lead to significant harm to societies and cause cascading effects across sectors. The cross-sectoral, systematically interdependent nature of critical infrastructure therefore calls for a comprehensive resilience strategy through which security risks are assessed in their entirety.²⁰

Notably, some infrastructure assets are the key components of a wider, complex system. In this regard, the 5G broadband infrastructure has been considered one of the most critical utilities, which “if destroyed, degraded or rendered unavailable for an extended period, would adversely impact the social or economic well-being of the nation or affect a state’s ability to ensure national security.”²¹ Ensuring the cyber resilience of the 5G broadband infrastructure and preventing it from being either a direct target or an indirect vehicle for cyber threats has become a prominent mission of the national security efforts of most countries. That being said, such an infrastructure is generally owned and operated by the private sector. As discussed in Chapter 1, telecommunications services have undergone privatization over the last several decades, and currently, government control over telecommunications infrastructure assets has, to a large extent, decreased. The need for cyber resilience, however, has resulted in escalating governmental intervention.²² To tackle cross-border security challenges, governments have reviewed and strengthened their national security strategies and have adopted more far-reaching regulations, with the aim of fostering a secure and resilient ICT environment against cyberattacks.

2.2.2 Trade-Restrictive Critical Infrastructure Security Measures

The cyber arms race and digital tit-for-tat have intensified geopolitical frictions. The major geopolitical players in the digital economy have adopted increasingly comprehensive security measures at the national level. By stressing that the backbone of the digital economy must be trusted and reliable, the Biden administration has accelerated the implementation of a set of trade measures to diversify supply chains and thereby secure the infrastructural resilience of 5G networks.²³ In fact, under both Trump and Biden, 5G supply chain security has been at the center of the national security strategy of the US. At the data network level, following Trump’s “Clean Network” and “Clean Path” initiatives,²⁴ the current FCC of the Biden administration, citing the same national security grounds, has continued to order US telecommunications companies to remove Huawei equipment from their networks.²⁵ At the digital platform level, although the Biden administration has withdrawn Trump’s executive orders that banned transactions with eight Chinese software applications,²⁶ the current FCC proceeded to request that US digital platforms remove TikTok from their app stores.²⁷ Overall, the government has been actively engaged and has closely scrutinized transactions in the ICT sector. Among other measures, the Committee on Foreign Investment in the United States (CFIUS)²⁸ ordered ByteDance, a Chinese startup, to divest in TikTok due to national security concerns. Although that order was not enforced by the Biden administration, the CFIUS has continued to monitor whether TikTok’s partnership with Oracle can sufficiently resolve national security issues.²⁹

Across the Atlantic, recognizing that digital technologies are now a vulnerable target, protecting resilience against cybersecurity threats has been placed at the center of the EU’s cybersecurity policies. The adoption of the “5G Toolbox of Risk-Mitigating Measures” (the “5G Toolbox”),³⁰ which delineates potential areas of risk and remedial measures connected with suppliers of 5G infrastructure, sought to achieve diversity among suppliers and reduce Chinese companies’ (especially Huawei’s) participation in the 5G rollout.³¹ In practice, one important category in the 5G Toolbox is the risks connected with suppliers of 5G infrastructure. Among all possible strategic remedial measures, the 5G Toolbox underscores the importance of restricting or excluding “high risk suppliers” to ensure that dependencies on certain suppliers do not “negatively affect the security of networks and/or services.”³² Along this policy path, the proposed EU Cyber Resilience Act is expected to “bolster cybersecurity rules to ensure more secure hardware and software products.”³³

Other striking cases of trade-restrictive security measures surrounding 5G and its applications include the Australian government’s ban on Huawei’s participation in building the nation’s broadband infrastructure and India’s decision to block access to dozens of mobile applications originating in China, including WeChat.³⁴ It should also be noted that after joining the so-called Five Eyes intelligence-sharing network, which consists of the US, Canada, the UK, Australia, and New Zealand, Canada decided to ban Huawei/ZTE 5G equipment to protect its national security. Retroactively, Canadian telecommunications operators that already have this equipment installed are required to remove it by June 2024.³⁵

At the same time, from “Great Firewall” to direct virtual private network (VPN) blocking,³⁶ VPN traffic is generally filtered in China to ensure compliance with its social stability and national security agendas. China’s cybersecurity regime has become even more complex and strict since its Cybersecurity Law was implemented,³⁷ primarily due to its lack of tailored definitions and transparent guidance. The vague language and broad scope of China’s Cybersecurity Law accord the government even wider latitude to facilitate its political and economic agendas.³⁸ The Chinese government has issued implementation measures for its cybersecurity law, including the “cybersecurity review,” which imposes restrictions on foreign ICT goods and services based on “potential national security risks” related to the reliability of supply chains. Moreover, the Chinese Cryptography Law contains trade-restrictive requirements for encryption products that involve national security.³⁹ Under the Chinese regulatory framework, loosely defined “encryption products,” which encompass a wide range of ICT goods and services, must mandatorily undergo a cybersecurity risk assessment.⁴⁰

2.2.3 The Inherent Clash with International Trade Rules

Through a broader lens, security-related trade restrictions – regardless of whether or not they directly address critical infrastructure – have the potential to clash with international trade rules in many ways, at both the multilateral and regional levels. Country-specific bans on ICT goods and services may violate the most-favored-nation principle, given the fact that the competitors of other countries will be the beneficiaries of such restrictions.⁴¹ Security measures may be inconsistent with national treatment obligations if the domestic ICT goods or services and the banned foreign goods or services are “like products” or “like services.”⁴² Moreover, non-discrimination provisions in the Electronic Commerce/Digital Trade Chapters of the FTAs also require the parties to ensure non-discriminatory treatment of “like digital products.”⁴³ In other words, a violation could be found by comparing domestic and foreign digital products. If they are “like” digital goods or services, the adverse treatment of foreign digital products may be considered discrimination. Furthermore, security measures can simultaneously constitute quantitative restrictions on international trade in goods and violate the obligations to eliminate such restrictions.⁴⁴ Similarly, when a state undertakes market access commitments in relevant services sectors, these measures may restrict ICT services and violate relevant market access obligations.⁴⁵ Additionally, security-related trade restrictions in the public procurement of network equipment may breach a state’s market access schedules of commitment under the Government Procurement Agreement (GPA), which lists the procurement activities open to international competition.

In cases in which the security standards constitute “technical regulations” under the Technical Barriers to Trade Agreement (TBT Agreement), unique security standards that accord less favorable treatment to imported products than that accorded to like products of national origin may also breach non-discrimination obligations.⁴⁶ Given the technical characteristics of cybersecurity measures, the TBT Agreement has become the legal battleground for trade-restrictive security measures. To be more straightforward, China and the EU have been accusing each other of using mandatory cybersecurity standards to protect their own 5G equipment suppliers, namely, Huawei/ZTE and Ericsson/Nokia. On the one hand, China’s paradigmatic approach to the use of technical standards in the ICT sector, which in many instances appears designed to favor China-specific approaches, has caused substantial worldwide concern within the industry. In particular, the EU has consistently claimed that the requirement of the Chinese ICT security certification regime “appears to extend well beyond what the EU would consider justified for national security protection, which was cited by China as the legitimate objective to be achieved.”⁴⁷ The EU also repeatedly requested that China clarify the rationale for its cybersecurity measures and their relationship to national security. On the other hand, the EU 5G policy – notably, trade-related cybersecurity measures designed to decrease (over)dependence on non-EU goods and services – has been criticized by China for being inconsistent with the EU’s dedication to open market principles. In particular, China has raised concerns about the measures adopted by Sweden, which aims to remove Huawei and ZTE from its 5G infrastructure by 2025 based on the EU 5G Toolbox.⁴⁸ The delegate for China in the WTO meetings also claimed that the Swedish decision violates the WTO rules of transparency and non-discrimination, that the assessment criteria in the 5G Toolbox have led to de facto discrimination, and that the favorable treatment of Ericsson is inconsistent with the TBT Agreement.⁴⁹ Similarly, at the same WTO meeting, China reiterated its “regret” that Chinese companies cannot participate in Australia’s 5G network construction, and that their equipment in the existing 4G network has also been removed in Australia.⁵⁰ Interestingly, China asserted that “the issue of telecommunication network security should be addressed based on scientific verifiable facts and data, rather than the origin of suppliers.”⁵¹ China urged Australia to amend its 5G policy to bring its measures in line with WTO rules. In response to China’s assertion, the Australian government stressed that its 5G policy is “country-agnostic, transparent, risk-based, non-discriminatory, and fully WTO-consistent.”⁵²

2.3 Contextualizing Security-Related Exceptions: Possible Reconciliation

Nonetheless, general and security exceptions provide a normative framework by which to balance free trade obligations against national policy interests. Thus, the key issues here relate to whether and how those exceptions would protect a state’s policy space through regulatory actions directed at national security matters. In this context, Figure 2.1 distinguishes between the types of exception clauses related to national security in international trade agreements. The vertical axis, with the “necessity test”⁵³ and “good faith standard” at each end,⁵⁴ represents the discretionary nature of the necessity element required by the exception. The horizontal axis, with “limitative qualifying clauses” and “expansive security clauses” at each end, represents the scope of situations allowed by the exception. This book argues that although on the face of it multiple exceptions may be available, complex technical and political-economic factors trigger their applicability. On the one hand, in the pre-digital age, “conventional” general exceptions (quadrant III)⁵⁵ and security exceptions (quadrant II)⁵⁶ are too narrowly framed to address cybersecurity objectives. On the other hand, trends to create open-ended or digital sector-specific security exceptions (quadrant I) may also fall short for being excessively unrestrained if due process and good faith are not accorded. The four quadrants are respectively discussed below.

Figure 2.1 Contextualizing security-related exceptions

2.3.1 GATT-Type General Exceptions

2.3.1.1 GATT General Exceptions

The exception clauses in quadrants II & III were drafted in the brick-and-mortar age. Therefore, these “pre-digital era exceptions” are not properly formulated to address today’s cyber threats. Taking GATS Article XIV General Exception (in quadrant III) as an example, although none of the grounds enumerated under the general exception explicitly refer to cyber risks, a WTO panel may find that the “public morals” exception affords an avenue through which to protect cybersecurity.⁵⁷ The parties in dispute, however, must present evidence – most likely involving classified documents – to demonstrate whether alternative measures, such as cybersecurity certifications or conformity assessment procedures, are less intrusive but equally effective. The Panel would have to assess whether such alternative measures should be regarded as WTO-consistent measures that are reasonably available to the responding party. Arguably, the necessity test can serve as a tool that guides states in taking targeted actions necessary to address cybersecurity concerns and refrain from creating unnecessary barriers to international trade.⁵⁸

To be more concrete, the core issue here is the connection between the trade-related cybersecurity measures and the public morals objectives upon which such cybersecurity measures are based. The standard necessity test requires the consideration of alternatives to the measures taken in order to determine whether existing options are “less trade restrictive,” while “providing an equivalent contribution to the achievement of the objective pursued.”⁵⁹ In litigation, however, it would be unrealistic to expect two hostile states to present their intelligence information for or against the cybersecurity measures at issue. Because the complaining party must present scientific evidence to demonstrate that the proposed cybersecurity alternatives are at least “as good as” the trade measures taken by the responding party, the confidential and politically sensitive nature of security matters makes it particularly difficult for the parties to prove their case to a trade tribunal’s satisfaction. It is equally impractical for the tribunal to engage in an evidence-based necessity test.

In any event, it will be a politically and technically challenging task for a trade tribunal to engage in an examination of whether the chapeau of the general exceptions can be satisfied. The two key concepts are “arbitrary or unjustifiable discrimination between countries where the same conditions prevail” and “disguised restriction on international trade,” which “prohibit the abusive exercise of rights by states,”⁶⁰ and oblige a responding party to “articulate its defense promptly and clearly.”⁶¹ Again, such a procedural safeguard, however, poses a fundamental conflict with cybersecurity matters, where intelligence and other classified information are involved.⁶² As Cohen argued, trade and security reflect different paradigms. The conflicts between the two competing interests occur not only at the legal technical level, but also at the systems level.⁶³ As a result, in most cases, the conventional GATT-type general exceptions operate awkwardly when balancing trade and security interests.

2.3.1.2 TBT Legitimate Objectives

In contrast to GATT Article XX and GATS Article XIV, the TBT exceptions, and in particular the “non-exhaustive” list provided in the TBT Agreement Article 2.2,⁶⁴ fall between quadrants III and IV due to their broader scope. As shown in Figure 2.1, unlike the conventional GATT general exceptions, which have a relatively narrow application in terms of the scope of the qualifying conditions, WTO jurisprudence makes it very clear that TBT Article 2.2 provides a “non-exhaustive list of legitimate objectives.”⁶⁵ In other words, the open and illustrative list under TBT 2.2, which uses the word “inter alia,” provides wider policy space for legitimate objectives advanced by the invoking party. Overall, it should be relatively easy to establish that the disputed cybersecurity standards fall within the scope of the exceptions provided under TBT 2.2.⁶⁶

Nevertheless, the necessity requirement remains. TBT exceptions resemble those of the GATT general exceptions in the way that the standard necessity test applies. The key issue here involves whether certain cybersecurity measures, while serving “legitimate objectives,” are “more trade restrictive than necessary” to fulfill the legitimate objective. The complaining party bears the burden of establishing that the cybersecurity measures are inconsistent with TBT Article 2.2 because the challenged standards created an “unnecessary” obstacle to international trade.⁶⁷ Further, the complaining party must explain why there are reasonably available, less trade-restrictive means of achieving the same level of protection.⁶⁸ The confidential, nontransparent nature of the cybersecurity matters once again renders the exercise of the necessity test relatively difficult.⁶⁹

2.3.2 GATT-Type Security Exceptions

Conventional security exceptions (in quadrant II), which can be found in the WTO and many FTAs, represent another form of pre-digital era exceptions that are out of touch with cybersecurity policies. GATT Article XXI(b), as a representative clause, allows a state to take any action “it considers necessary” to protect its “essential security interests,” stating the following:

Nothing in this Agreement shall be construed:

• …

  1. (b) to prevent any contracting party from taking any action which it considers necessary for the protection of its essential security interests

     1. (i) relating to fissionable materials or the materials from which they are derived;

     2. (ii) relating to the traffic in arms, ammunition and implements of war and to such traffic in other goods and materials as is carried on directly or indirectly for the purpose of supplying a military establishment;

     3. (iii) taken in time of war or other emergency in international relations; or

• … (emphasis added)

Historically speaking, national security exceptions had been utilized in a restrained and cautious manner. China, in both China – Raw Materials and China – Rare Earths, considered but eventually did not invoke the national security exceptions.⁷⁰ In those disputes, despite the fact that the Chinese government repeatedly stressed that China’s restrictions were based on important national security concerns surrounding its reliance on foreign suppliers for its military supply chain since rare earth minerals are used in missile and aircraft systems,⁷¹ China nevertheless did not invoke Article XXI(b) of the GATT.⁷² In short, before the Panel Report of Russia – Traffic in Transit broke the ice, the GATT/WTO consistently avoided issuing findings on the merits of security exceptions for decades. The Russia – Traffic in Transit dispute somehow served as a catalyst for WTO members to bring legal challenges against security-based measures, and to invoke the security exception as a defense.

Since Russia – Traffic in Transit, WTO panels have clarified how the so-called self-judging clauses operate.⁷³ In theory, the term “it considers necessary” was drafted to reserve the right to opt out of certain treaty obligations otherwise imposed by the WTO agreements.⁷⁴ For decades, it was not clear how the concept of self-judging worked under Article XXI. How much discretion should there be in the determination of a measure’s necessity? Should these national security exceptions be construed as entirely self-judging so as to sufficiently preserve the autonomy of a state’s security matters? Does this mean that a state is entitled to unilaterally decide on what its essential security interests are, as well as what action is necessary to protect those interests?⁷⁵ In this regard, the Panel in Russia – Traffic in Transit conceded that Article XXI(b)(iii) “is not totally self-judging.”⁷⁶ According to the panel, the discretion of a member to designate particular concerns as “essential security interests” is limited by its obligation to apply GATT Article XXI(b)(iii) “in good faith.”⁷⁷ The panel pointed out that the obligation of good faith requires members not to use the security exceptions as a means to circumvent their WTO obligations.⁷⁸ The panel must therefore review whether the security measures have been applied in good faith.⁷⁹ In this context, a “plausible link” must be established between the invoking state’s “essential security interests” and the trade-restrictive measures in dispute.⁸⁰ If we follow the reasoning in Russia – Traffic in Transit, an invoking member must demonstrate that the disputed cybersecurity regulations “meet a minimum requirement of plausibility” in relation to the member’s national security.⁸¹ In this regard, “plausible link” might be questioned, and “bad faith” might be found, when network security regulations substantially favor domestic goods or services. However, the “good faith” standard will be particularly problematic when the measure at issue is motivated by both “protectionism” and “patriotism,” namely, when commercial and security interests are inextricably linked.

More importantly, from Russia – Traffic in Transit to U.S. – Steel and Aluminium Products, WTO panels have adopted the view that the subparagraphs (“fissionable materials,” “traffic in arms,” and “war or other emergency in international relations”) of Article XXI(b) are exhaustive in establishing the circumstances under which a state may “take the action which it considers necessary for the protection of its essential security interests.”⁸² In U.S. – Steel and Aluminium Products, the panel did not find that the measures at issue were “taken in time of war or other emergency in international relations” within the meaning of GATT Article XXI(b)(iii). In the panel’s view, the subparagraphs “form alternative endings to a complete sentence under Article XXI(b).”⁸³ In other words, the opening terms in each subparagraph qualify the “action” referred to in Article XXI(b), and the three subparagraphs are exhaustive in establishing the circumstances under which a member may take the “action” under Article XXI(b).⁸⁴ After emphasizing that there is no textual indication that the subparagraphs of Article XXI(b) are merely illustrative,⁸⁵ the panel also specifically pointed out – contrary to TBT Article 2.2, which explicitly indicates the illustrative nature of the provisions – that the subparagraphs of GATT Article XXI(b) are exhaustive in establishing the circumstances under which a member may take action to protect its essential security interests.⁸⁶

Thus, trade-restrictive security measures can only be justified under Article XXI(b) if they meet one of the subparagraphs of Article XXI(b), specifically, the existence of an “emergency in international relations” within the meaning of Article XXI(b)(iii). An “emergency in international relations” within the meaning of Article XXI(b)(iii), however, must be “at least comparable in its gravity or severity to a war” in terms of its impact on international relations.⁸⁷ In this regard, where cybersecurity risks are routine and unexceptional in modern days, the gravity or severity of an “emergency in international relations,” particularly with regard to its impact on international relations, may not be established. Moreover, the phrase “taken in time of” indicates a temporal relationship to the “war or other emergency in international relations.”⁸⁸ The temporal link that requires cybersecurity measures to be “taken in time of” the “emergency in international relations” is also logically confusing when addressing a long-standing cybersecurity matter that,⁸⁹ as Heath observes, is of a permanent nature and must be systematically addressed over time.⁹⁰ Evidently, (conventional) security exceptions must be modernized to meet the policy needs of this digital era.

2.3.3 CPTPP-Type Data Localization Exceptions

CPTPP-type exceptions to data localization, which are contextualized in quadrant IV of Figure 2.1, contain a “non-exhaustive” list of policy objectives, under which security measures that are subject to the necessity test may be justified.⁹¹ To illustrate, Article 14.13 of the CPTPP (Location of Computing Facilities), while recognizing the parties’ regulatory autonomy regarding requirements that seek to ensure the security and confidentiality of communications, prohibits parties from adopting data localization measures as a condition for conducting business. The Article also states the following:

Nothing in this Article shall prevent a Party from adopting or maintaining measures inconsistent with paragraph 2 to achieve a legitimate public policy objective, provided that the measure:

1. (a) is not applied in a manner which would constitute a means of arbitrary or unjustifiable discrimination or a disguised restriction on trade; and

2. (b) does not impose restrictions on the use or location of computing facilities greater than are required to achieve the objective.⁹²

Article 14.13 should be understood to mean that parties are allowed to maintain data localization measures to pursue their national security objectives as long as the measure satisfies the anti-protectionism requirements set out in the Article, namely, the procedural safeguard and the necessity test. Although locating computing facilities and storing data in multiple data centers within diverse jurisdictions seem to make more technological sense in managing cybersecurity risks, data localization measures that restrict the ability of companies to transfer data or, more narrowly, require local storage within a particular national border, have been a feature of national security policies. For example, China’s Cybersecurity Law, citing national security, requires “critical information infrastructure” operators to store personal information or important data within the territory of China.⁹³ The Cybersecurity Law of Vietnam, as another example, requires Vietnamese data to be stored locally so as to protect national sovereignty.⁹⁴ Similar regulatory initiatives, with different degrees of emphasis on cybersecurity, can be found in various developed and developing countries, including Australia, Brazil, Canada, the EU, India, Peru, Malaysia, New Zealand, Russia, South Korea, and Taiwan, to name just a few.⁹⁵

Note that, much like TBT Article 2.2, the CPTPP-type data localization exceptions contain an open-ended list of legitimate objectives and require an initial determination regarding whether, as an objective, the cybersecurity policy is legitimate. Such an approach leaves much ambiguity about how far the exceptions can go in curbing protectionist practices.⁹⁶ A CPTPP panel may consider relevant WTO jurisprudence with respect to the general exceptions of the WTO Agreement.⁹⁷ Additionally, as previously illustrated, precedent holds that the weighing and balancing exercise under the necessity analysis contemplates a determination as to whether a cybersecurity measure that is less inconsistent with the CPTPP rules is reasonably available.⁹⁸ Such alternative measures must provide an equivalent contribution to the achievement of the cybersecurity objectives pursued through the challenged measure. This “trade v. security” balancing exercise is likely to be impractical when confidential national security matters are involved. That being said, a trade tribunal is expected to be cautious when balancing trade and security interests if the localization measures overwhelmingly boost the domestic data industry.⁹⁹

2.3.4 New Generation Trade Agreements’ Security Exceptions

Trends in the new generation of international trade agreements suggest that “updated” security exceptions, either via expansive, open-ended formats or through a sectoral approach, are designed to reset the balance between international trade and national security. As shown in quadrant I in Figure 2.1, innovative clauses have been incorporated to reconcile the conflicts between (digital) trade and (cyber) security. The four types of security exceptions in quadrant I represent a dramatically expansive scope and excessively unfettered discretion in security exceptions under the international trade agreements.

2.3.4.1 CPTPP/USMCA-Type Broad Security Exceptions

Contrary to conventional security exceptions, under the CPTPP and USMCA, for example, security exceptions omit the subparagraphs that list the circumstances under which such exceptions could be triggered. By way of illustration, the security exceptions to the CPTPP state that “Nothing in this Agreement shall be construed to … preclude a Party from applying measures that it considers necessary for the fulfilment of its obligations with respect to the maintenance or restoration of international peace or security, or the protection of its own essential security interests.” This type of exception borrows the self-judging element from the WTO security exceptions but contains no limitative qualifying clauses that condition the application of security exceptions,¹⁰⁰ representing an open-ended, broad security clause.

2.3.4.2 DEPA-Type Security Exceptions

Similarly, the security exceptions under the DEPA – a digital sector-specific comprehensive framework – accommodate open-ended exceptions, which are not followed by a closed list of situations.¹⁰¹ Given the fact that CPTPP is the primary textual source of the DEPA, it is not unusual that the three founding parties of the DEPA – Chile, New Zealand, and Singapore – incorporate the CPTPP-type broad security clauses into the DEPA text. Considering that DEPA is an international trade agreement tailored to the digital economy, and that cybersecurity threats take place across the entire digital ecosystem, such broad and loose security exceptions to the DEPA may mean that there is “no certainty of digital market access.”¹⁰² In other words, security interests will easily prevail over economic interests.

2.3.4.3 RCEP-Type Data Localization Exceptions

Another digital sector-specific security clause worth particular attention can be found in the security exceptions to data localization in the Regional Comprehensive Economic Partnership (RCEP). Article 12.14 (Location of Computing Facilities) allows the parties to undertake any data localization measures they consider necessary for the protection of essential security interests.¹⁰³ Unlike the CPTPP-type data localization exceptions, which are subject to the standard necessity test, RCEP data localization exceptions, by allowing a party to adopt any measure that “it considers necessary” for the protection of its “essential security interests,” impose a lower and softer threshold. This threshold requires the invoking party to substantiate its good faith belief – albeit subjectively – that there is a threat to its “essential security interest,” and that data localization measures are necessary for the protection of that essential security interest. It should also be noted that in the RCEP data localization exceptions, the self-judging element has been strengthened with a subparagraph stating that such measures shall not be disputed by other parties.¹⁰⁴

2.3.4.4 RCEP-Type Critical Infrastructure Security Exceptions

As previously explained, critical infrastructure, such as 5G networks, constitutes the backbone of the functioning of a state. Given that the risk of compromised critical infrastructure can cause massive disruptions to the well-being of citizens, the protection of “critical public infrastructure” – whether publicly or privately owned – has been added to several new generation FTAs as one of the enumerated situations under which security exceptions can be invoked.¹⁰⁵ The textual structure of RCEP Article 17.13, which lists “national/international relations emergency” (Article 17.13(b)(iv)) and “critical infrastructures protection” (Article 17.13(b)(iii)) as parallel circumstances under which the security exceptions could be triggered, indicates that the negotiators of the RCEP intended to distinguish between “national/international emergency” and “critical infrastructures protection.” Simply put, the structural separation signals that, when interpreting RCEP Article 17.13 (b) (iii) in context, the “emergency” element, which strictly limits the application of the GATT-type security exceptions, does not extend to critical infrastructure security exceptions. The textual structure thus effectively creates a broad and relatively easily satisfied enumerated exception to trade rules – the protection of critical infrastructure.

2.4 National Security and Trade Governance in a Datafied World

2.4.1 Scoping “Essential Security Interests”: “Critical Infrastructure” as Touchstone

Taken together, the pre-digital era general and security exceptions are ill-tailored to address today’s national security concerns. On the contrary, the new trends, which create open-ended or digital sector-specific security exceptions, are encouraging directions to ensure that the exceptions to international trade rules are aligned with the policy needs of the digital economy. However, the approaches taken in quadrant I may risk the potential for abuse and excessively broad overuse. In particular, the CPTPP/USMCA-Type Broad Security Exceptions – should they become a template for future international trade negotiations – may prove to be a fractious way forward in assessing the concepts of cybersecurity and national security. How can the good faith that requires minimum plausibility curb the potentially expansive interpretations of these types of security exceptions? In this age of digital capitalism, commercial and cybersecurity interests are entangled and often overlap. Most national regulations sit at the intersection of economic and security interests and can serve as both economic and national defense tools. Therefore, two fundamentally difficult issues, legally and technologically speaking, are to what extent cybersecurity concerns are legitimate, and how to distinguish the boundaries of these concerns from illegitimate protectionist measures that primarily stem from considerations surrounding economic competition. Moreover, in terms of sector-specific security exceptions, the questions of what constitutes “critical infrastructure” and how to designate it require due process mechanisms to constrain discretionary abuse.¹⁰⁶ Should social media platforms be considered “critical infrastructure”? How can we ensure non-discrimination in the process of identification and designation of critical infrastructure? These are the key issues the new generation trade agreements’ security exceptions will confront.

It appears that the irreversible regulatory trends are designed to provide greater discretion for states in defining their own national security agenda. The excessively broad definition of “national security,” as a result, is challenging the boundary between economic and security concerns. In its 2017 National Security Plan, the US explicitly declared that “economic security is national security.”¹⁰⁷ As Claussen stated, the term “economic security” is now the central point, combining various concepts including economic dominance, independence, and hegemony.¹⁰⁸ Converged with the domain of economic security, the term “national security” is now being used in more and more expansive ways, literally including nearly everything – ranging from national broadband, industrial supply chain, and digital trade to steel tariffs, semiconductor export control, etc. This expansion will continue and will lead to an endless list in this digitally connected world. In the context of international economic law, the flexibilities provided under the new generation trade agreements’ security exceptions could prove to be an inefficient approach in addressing legitimate security concerns. The overexpansion of the conceptual scope of national security may either mask legitimate objectives or fail to appropriately constrain illegitimate objectives.

What are the possible solutions to the dilemmas surrounding the overly limited quadrants II and III and the overly broad quadrant I approaches to national security? To be sure, there is no such thing as “zero risk” in cybersecurity.¹⁰⁹ In this hyper-connected datafied age,¹¹⁰ the ever-increasing digital connectivity between computers and devices may mean that vulnerabilities can be introduced at any phase, and in any place.¹¹¹ Technical experts agree that a perfectly secure digital environment, free of vulnerabilities, is a dream, and “the notion of perfectly secure software almost certainly is a white whale.”¹¹² The core issue turns out to be determining how much “risk” in cyberspace would amount to a danger to a state’s “essential security interests.”¹¹³ Along a continuum of low to high national security risks, it is all about the relativities. In the context of “trade v. security,” however, a borderline must be drawn somewhere, and trade-offs must be made.

That being the case, one possible future direction for trade and cybersecurity governance is to scrutinize the distinction between critical and noncritical infrastructure. Bearing in mind that more and more jurisdictions are now classifying critical infrastructure as a special category that is essential to national security in their domestic legal frameworks,¹¹⁴ the creation of a commonly accepted definition of “critical infrastructure” would serve as a touchstone in determining the boundaries of “essential security interests.” In other words, the protection of critical infrastructure presents a much stronger case than noncritical infrastructure in meeting the minimum requirement of plausibility in relation to a state’s “essential security interests.” In this regard, Shaffer observes that “the national security risks in the TikTok case are much lower than regarding Huawei’s construction of critical infrastructure.”¹¹⁵ All in all, not every infrastructure is judged to be critical,¹¹⁶ not every good or service from China is of national security concern,¹¹⁷ and not all issues relating to innovative technology are equated with essential national security.¹¹⁸ To conclude, “minimum plausibility” within the meaning of international economic law should be relatively easier to establish when it comes to critical infrastructure protection, because such risks, when severe, can disrupt the operations of a state’s vital services, resulting in significant loss of life and detrimental economic and social impacts. In this way, the concept of critical infrastructure may serve as a useful tool in filtering out the overgeneralization of national security claims. Ultimately, a more proper balance may be sustained between free trade and national security, and, in particular, cybersecurity.

2.4.2 Risk Assessment and Technical Standards

Another important direction for trade and cybersecurity governance is to prevent unfettered administrative discretion in security matters. This is particularly important in view of the fact that governments are moving toward risk-based approaches to protect national security and cybersecurity.¹¹⁹ Instead of adopting prescriptive, one-size-fits-all rules, states assess cyber risks and exercise discretion to reduce them in a timely and proactive manner. It can be said that the most significant difference between ancient and modern security infrastructure is the rapid pace of change in security threats. The Great Wall of China was built across the northern border to protect imperial China against security threats. It took hundreds of years for ancient China’s security situation to change. On the other hand, the modern security landscape has been measured in mere months, or even days. Literally, the perception of risks is in real time. In light of the dynamic nature of national security in modern days, it makes more sense for national regulators to take a risk-based approach rather than laying down prescriptive rules.

In this regard, several FTAs such as the Digital Trade Chapter of the USMCA include recognition of “the evolving nature of cybersecurity threats”¹²⁰ and the importance of taking risk-based approaches instead of adopting prescriptive regulations in addressing those threats.¹²¹ On the one hand, a risk-based approach provides national regulators with some extent of flexibility to encourage innovation that may otherwise be constrained under a catch-all approach. Rather than a uniform set of blanket prohibitions that apply to all in the same manner, the risk-based approach recognizes variances across or within critical sectors, allows for individual assessments, more efficiently targets implementation efforts in those sectors that pose the highest risk, and, at the same time, minimizes the regulatory impact on the critical industry and avoids unintended side effects of regulation.¹²² In short, because digital technologies are rapidly evolving, any overly specific or rigidly prescriptive rules governing cybersecurity will either become quickly outdated or hinder innovation in the digital market.

On the other hand, the risk-based approach to cybersecurity comes with the danger of abuse of decision-making powers. Instead of applying the same rules in an equal way, irrespective of the level of risk or harm, the risk-based approach provides tailored protection, depending upon the level of risk at stake under each specific situation. Rather than imposing any kind of inflexible rules, national regulators exercise a degree of discretion when weighing cybersecurity risks, cyberattack harms, and regulatory benefits.¹²³ Because the approach relies on policy judgements rather than detailed prescriptions, the cybersecurity regulatory scheme leaves national regulators with broad discretion when conducting risk assessments. After all, at the core of the risk-based approach is a regulatory strategy through which regulators target resources toward sectors or activities that present the highest risk and, at the same time, reduce resources in those sectors or activities with relatively low risk. These decision-making processes designed to achieve the “right” balance between lower and higher risks “are all matters of judgement that regulators have to confront along the way,” according to Black and Baldwin.¹²⁴ In many jurisdictions, cybersecurity measures will only be proposed where a need has been identified, namely, the regulatory targets. The danger of a risk-based approach, therefore, is discretionary abuse.

In this regard, there are rules that provide due process and other procedural safeguards at both the national and international levels to constrain discretionary power when assessing cybersecurity risks. In particular, international economic law is increasingly designed to constrain domestic regulation where the application of these regulations has external effects on other states. At the multilateral level, the obligations of GATT X:3(a) and GATS Article VI:1,¹²⁵ which allow challenges to the administration of domestic regulations that are otherwise consistent with the GATT or GATS, were designed to be an important tool in tackling situations in which a general scheme does not make any distinction between foreign and domestic service suppliers, but the administration of this scheme is not “reasonable, objective, or impartial.”¹²⁶ Admittedly, GATT X:3(a) and GATS Article VI:1 may not be sufficiently forceful in a manner that safeguards due process and counters the potential abuse of administrative power in the process of risk assessment.¹²⁷ That said, as Chapters 3 and 5 will continue to address, the “good regulatory practices” agenda in the new generation FTAs, which seeks to enhance due process, transparency, legal clarity, and judicial review of administrative decisions, may shed light on how international trade agreements might prove helpful in preventing irrational, biased, or arbitrary cybersecurity risk assessments. Moreover, the adoption of international cybersecurity standards can mitigate concerns surrounding discretionary abuses in risk assessment. In this regard, the TBT Agreement can assume a substantial role in promoting international standards on cybersecurity, which can in turn facilitate the global development of common security approaches. At the end of the day, a nonregulatory approach and international soft law play important roles in governing cybersecurity and reshaping international economic order in the age of datafication. Chapter 6 will dive deeper into this aspect.

2.5 Conclusion

This chapter addresses the data network in the context of the cybersecurity threat landscape, which is increasingly perceived as a national security issue, especially when critical infrastructure is directly involved. Before we shift the focus to digital applications that drive datafication, it is worth reiterating that data networks have become strategic political and economic assets of a state. As the backbone infrastructure, 5G networks literally resemble interactive central nervous systems in the data-driven economy. The weaponization of 5G networks has brought about further challenges to international economic legal order. In Chapters 1 and 2, we explored two important dimensions of the broadband infrastructure – “trade and development” and “trade and security” – both of which are the foundations for a platform-driven, data-fueled world. The chapters in Part II will zoom in on digital applications, analyze the phenomenon of platformization, and explore considerations pertaining to the regulation of digital platforms.