1.1 Introduction
Efficient and affordable digital physical infrastructure is the prerequisite that enables people to meaningfully participate in the data-driven economy. In this broadband era, people who are connected are empowered in a manner that allows them to access information, online education, health and banking services, and much more. Broadband communications services, which include fixed-line and wireless communications networks, contribute not only to the integration of remote regions and disadvantaged groups, but also to key infrastructure in the economic development of virtually all sectors. In this context, broadband infrastructure is essential to improvements in the quality of life, for both developed and developing countries.Footnote 1
The benefits of broadband development, however, are not evenly distributed. A long-debated concern expressed by developing economies is the inability to take advantage of evolving digital technology.Footnote 2 The reality is that digital transformation varies across countries and people.Footnote 3 Generally, this inability underscores the importance of greater “digital inclusion,” which is defined as bridging the gap between individuals and groups, as well as economies.Footnote 4 In measuring digital development, it is important to note that, in 2019, only about 40 percent of people in developing countries were able to access and use the Internet.Footnote 5 According to International Telecommunications Union (ITU) statistics, although globally more than 1 billion new Internet users have been added from 2017 to 2022, outstanding digital divides persist between “connected countries, communities, and people.”Footnote 6 By mid-2022, 5.3 billion people were Internet users, which means that almost 37 percent of the world’s population does not use the Internet.Footnote 7 Most often, such divides stem from insufficient or slow connectivity, which is closely correlated to geography and socioeconomic status.Footnote 8 Substantial digital divides exist between countries,Footnote 9 with nearly 87 percent of people using the Internet in developed countries compared to approximately 44 percent in developing countries.Footnote 10 In least developed countries (LDCs), only 19 percent of individuals are online.Footnote 11 At the same time, intercontinentally, the trend of datafication continues to boost international Internet traffic and therefore requires more and more international bandwidth. It is evident that the demand for submarine cable infrastructure is quickly growing. Currently, transatlantic cable connections are the densest routes, with the highest traffic capacity, which continues to grow annually at the rate of 38 percent.Footnote 12 According to the American Chamber of Commerce, submarine communications cables that link the US and the European Union (EU), two of the most developed areas, carry 55 percent more data than transpacific routes and 40 percent more data than US–Latin American routes.Footnote 13
Evidently, the “haves” – people who are connected to the Internet – are empowered. Digital infrastructure allows people to participate in a digital world, which in turn increases their overall well-being in these countries.Footnote 14 On the other hand, being “unconnected” means the “have-nots” cannot access online health services, make payments via mobile phone, or increase productivity through digital skills. The recent pandemic has convincingly demonstrated the need to bridge the digital divide. The COVID-19 crisis has stimulated a surge in the use of digital services. In the US, for example, home broadband traffic was up by roughly 20–40 percent from the onset of COVID-19.Footnote 15 The unprecedented demand during the pandemic for online delivery, including e-commerce, e-education, and e-health, has underscored the need for efficient and affordable digital services.Footnote 16 Even in developed countries, telecommunications regulators required Netflix and YouTube to reduce streaming loads in an attempt to prevent the Internet from collapsing under the strain of heavy usage due to the coronavirus pandemic. The need to address the challenges that hamper greater digital inclusion in developing countries, particularly in LDCs, is now more urgent than ever.Footnote 17
Looking to the future, the core idea behind Industry 4.0,Footnote 18 as supported by the fifth generation (5G) network, is to connect machinery to the Internet, which encompasses technologies including 3D printing, the Internet of Things (IoT), artificial intelligence (AI), and big data analytics.Footnote 19 The connected devices associated with the IoT, for example, will dramatically increase demands on digital networks. Nearly every piece of technology we use will be part of an always-on, always-connected web of smart sensors and data feedback devices.Footnote 20 That in turn will unleash a torrent of data traffic across the Internet. However, the reality is that current networks are nowhere near ready to accommodate this level of Internet traffic.Footnote 21 Accommodating the technology evolution and meeting ensuing connectivity demands will require continued modernization of legacy telecommunications infrastructure, as well as the creation of additional broadband networks.Footnote 22 In light of the high levels of investment required to adopt 5G networks, developed countries’ early deployment of 5G networks is expected to exacerbate the current digital divide.Footnote 23 According to industry estimations, the cost to deploy a 5G network may range from USD 6.8 million to USD 55.5 million, depending on the size of the city.Footnote 24 The ITU predicts that 5G penetration will be around 60 percent in developed economies by 2025, whereas the same network connectivity during this period will be below 10 percent in Latin America and below 5 percent in African countries.Footnote 25
1.2 Opening the Services Market
1.2.1 Telecommunications Liberalization
In the context of international economic law, a few premise questions are in order. What role has the liberalization of telecommunications services played in the emergence of today’s broadband “digital divide?” How might international trade agreements have contributed to such inequalities? How can the WTO help to narrow the digital divide, or even to promote digital inclusion? To answer these questions, a brief overview of the negotiating context of the relevant WTO treaty obligations is discussed below.
Historically speaking, the pre-Uruguay Round General Agreement on Tariffs and Trade (GATT) system applied only to trade in goods. In light of the increased potential for international trade in services, the elimination of trade barriers to service sectors became a major priority of a number of developed countries in the Uruguay Round of trade negotiations in the early 1990s.Footnote 26 The conclusion of the General Agreement on Trade in Services (GATS) in 1994 forms an essential component of the legal framework for a global trading system.Footnote 27 The GATS is the first multilateral trade agreement to cover trade in services, through which WTO members commit to the liberalization of the services sectors. In scheduling their market access commitments, members indicate the limitations on market access for each services sector scheduled with regard to each of the “four modes of supply.”Footnote 28
Arguably, the GATS opened global telecommunications markets for multinational telecommunications companies in such a way that a critical mass of WTO members have included the telecommunications sector in their schedules of commitments. Overall, emerging economies have recorded a high incidence of commitments on Mode 3 (foreign investment). According to the WTO Secretariat, such unique patterns of commitment by emerging economies “illustrate the importance they have attached to foreign direct investment (FDI) as a means of improving and extending national telecommunications networks and universal access.”Footnote 29 Over the years, the interplay between the liberalization of the telecommunications market and the possibility of attracting foreign investment in the sector has been repeatedly raised by WTO members – with divergent viewpoints. While some delegates from developing countries pointed out that the degree of liberalization in the telecommunications sector should be based on “the possibility for such liberalization to promote both growth and development,”Footnote 30 delegates from developed countries continued to stress that the liberalization of telecommunications could help modernize the economy, promote development, and bring “considerable growth effects” in the FDI host countries.Footnote 31
For a long time, even before the broadband era, developing countries and LDCs have required injections of foreign capital into their telecommunications infrastructure. In the pre-GATS world, however, most states maintained state-monopoly control over telecommunications. Despite the enormous demand for capital to build large-scale networks, the telecommunications services sector was generally closed to FDI. When the GATS became effective, market forces were unleashed, and monopoly telecommunications incumbents began to face both domestic and foreign competition. In theory, competition driven by market forces should deliver services more effectively than monopoly-based schemes.Footnote 32 The economic assumption was that government-owned telecommunications companies were being privatized and confronted with the threat of entry from new competitors, thereby forcing these monopolies to become more efficient. At the same time, openness to foreign capital in the telecommunications industry could result in increased infrastructure investment and thus bridge the digital divide.Footnote 33
1.2.2 From Monopoly to Competition
The promised economic benefit of market access commitments, however, has never been realized in many developing countries and LDCs. There is a missing link between telecommunications liberalization and broadband investment. Before the WTO opened the global telecommunications market, cross-subsidization within a monopolized market was the traditional means of pursuing “universal service” goals for most countries. Under such a monopoly scheme, losses incurred from less lucrative activities were financed by income earned from more profitable ones.Footnote 34 The trend of telecommunications liberalization brought about by the GATS, however, has posed a significant threat to cross-subsidies.Footnote 35 As observed by Batura, in the pre-GATS age, monopolistic suppliers of telecommunications services financed universal service through cross-subsidization. Generally, one monopoly operator served the entire domestic telecommunications market and signed bilateral commercial agreements with the monopolists of other countries for international interconnection.Footnote 36 However, the operation had to be changed following the liberalization of the market. In competitive telecommunications markets, cross-subsidies have been squeezed out of the rate structure because prices in low-profit areas are not rebalanced to competitive levels. As a result, market forces may even broaden the digital divide.Footnote 37 Without governmental intervention, profit-motivated telecommunications network operators will prioritize serving densely populated, high-usage urban areas rather than rural areas or low-usage households – the “cream-skimming” or “cherry-picking” effect.Footnote 38
The transitional stages from a monopolistic to a competitive telecommunications market, therefore, have been a bumpy road in terms of reshaping universal service policies, especially for developing countries and LDCs, where infrastructure development needs are urgent. According to the United Nations Conference on Trade and Development (UNCTAD), a dominant part of FDI has been concentrated in a select few countries, leaving the LDCs to receive less than 2 percent of global FDI.Footnote 39 Over the past decade, FDI flows to LDCs have increased only marginally.Footnote 40 Among all infrastructure sectors, FDI in renewable energy generation and distribution services has increased since 2021, while FDI in other infrastructure sectors, including telecommunications services, barely grew.Footnote 41
As Shaffer observed in a broader context, international trade liberalization results in the more efficient use of resources, but the gain from such economic efficiency may not be “inclusively shared.”Footnote 42 Rather, international trade, together with “other primary culprits,” can contribute to increased inequality.Footnote 43 Evidently, market liberalization alone failed to promote broadband equality. In order to promote affordable access to physical networks, the challenge for governments is how to utilize competition to maximize access while enforcing a digital inclusion policy to minimize geographic inequalities. After all, while competition delivers broadband services in “abundance,” it distributes them unequally.Footnote 44 As discussed below, the domestic ‘funding’ mechanism therefore becomes the central issue in the alleviation of the digital divide.
1.3 Bridging the Digital Divide
1.3.1 Universal Broadband Service
The lack of “universal access” to telecommunications services has been addressed nationally – primarily via “universal service” mechanisms administered by national communications regulators to spur infrastructure development in high-cost areas.Footnote 45 From a historical perspective, the contemporary concept of “universal service” carries a somewhat different meaning today than when it was coined by Theodore Vail, the chief architect of the Bell system.Footnote 46 When Vail first advocated for “one policy, one system, universal service” in 1908, the term “universal service” was conceived as a single provider offering a single telephone network, to which all customers were connected.Footnote 47 In that context, the losses could easily be “cross-subsidized” by the profits within a monopoly scheme – just as the Bell system did in the US.Footnote 48
Following the liberalization of telecommunications in the 1990s, it has been generally recognized by regulators around the world that increased competition, coupled with a domestic universal service fund,Footnote 49 may provide a nation with the best opportunity to achieve the goal of digital inclusion.Footnote 50 To bridge the digital divide, governments have typically turned to public policies that aim to both promote market efficiency and improve social welfare – namely, pro-competitive regulations complemented by “universal service” mechanisms that mitigate the digital divide between commercially viable and nonviable areas.Footnote 51 The modern concept of “universal service” therefore means the availability of telecommunications services for all customers at an affordable price, supported by subsidies.Footnote 52 One striking example is Section 254 of the US Telecommunications Act of 1996, which employs a funding mechanism to finance universal service through equitable contributions by all telecommunications operators.Footnote 53 The basic rationale is that while competition can foster affordability by reducing costs and prices in profitable areas, a “universal service fund” can help to ensure that “basic services” are provided to unprofitable rural areas.Footnote 54
Neither “universal” nor “service,” however, are self-defining terms. Considering the uncertainty surrounding technological developments, it is necessary for regulators to operate in a reactive manner, implementing universal service policies that can adjust to unique changes in digital technologies. Consequently, most jurisdictions use vague language in their regulations to offer a fair degree of interpretive flexibility.Footnote 55 For example, the scope of the universal service scheme in the US remains dynamic, which comprises “an evolving level of telecommunications services” that regulators must periodically revisit and reevaluate.Footnote 56
1.3.2 Evolving Technologies
In practice, the definition of “universal service” is pragmatic in order to ensure that policies will keep pace with technological developments. As technology evolves, much of the debate focuses on what should be included under the definition of universal service. In this regard, “universal service” in many jurisdictions essentially refers to the provision of “minimum” telecommunications service to people at an affordable price.Footnote 57 Nevertheless, the core question is as follows: What level of telecommunications service represents the “minimum”? Should it include both fixed and mobile broadband Internet access? If yes, how “broad” is the broadband of the network? How should the definition of universal service evolve toward a higher standard of service as digital technologies improve and demands for advanced services increase?
There are variations in the definitions of universal service, and policy tools and financing approaches differ from country to country.Footnote 58 Broadband Internet access has been advocated as a “fundamental right.”Footnote 59 Finland, as a Utopian example, is the first country in the world to enshrine broadband access as a right in law – legally guaranteeing the Finnish people a 1 MB speed by 2010 and a 100Mbps (megabit per second) broadband connection by the end of 2015.Footnote 60 Similarly, the UK government has recognized that access to the Internet is “the passport to the information society”Footnote 61 and an “essential element to participate in the economy,” which is “as vital as access to electricity a century ago.” In practice, the UK government announced a new “legal right” to 25 Mbps broadband in 2015, which ensures that all residents and businesses in the UK have access to broadband through a “Universal Broadband Obligation.”Footnote 62 The government has also used “coverage obligations” attached to the mobile operators’ licenses and has required operators to reach 95 percent of the UK population by 2025.Footnote 63 In this context, Taiwan, which is classified as a developing country, was also set to ensure “broadband human rights” to “all disadvantaged people,” enabling access to 25 Mbps broadband services.Footnote 64 At the other end of the spectrum, however, the United Nations’ 2025 targets for 25 Mbps broadband-Internet user penetration are 65 percent in developing countries and 35 percent in LDCs.Footnote 65
It should be noted, however, that the above fundamental right-oriented approach was to guarantee minimum broadband access to disadvantaged groups in rural areas. The reality is that a “broadband human right” is “not enough” in developed countries. Despite the relatively low floor set by developed countries in terms of standards,Footnote 66 the EU also has ambitious digital plans for 2025, including Gigabit (1000 Mbps) connectivity for all main socioeconomic drivers, such as schools, transport hubs, hospitals, and public administrations.Footnote 67 On the other side of the Atlantic, the US Federal Communications Commission (FCC) has allocated $9.2 billion from its Rural Digital Opportunity Fund for high-speed broadband services – with the vast majority of locations receiving Gigabit broadband.Footnote 68 Indeed, as Moyn pointed out, it is critical to note that “sufficiency” and “equality” are different.Footnote 69 The “basic needs,” “human rights” oriented solutions to digital inclusion – providing the minimum broadband speed – “coexist with a crisis of material inequality.”Footnote 70
To conclude, at present, a universal service policy has been the most popular legal mechanism for countries in the promotion of digital inclusion.Footnote 71 Generally, a universal service policy provides a certain level of interpretive flexibility as technology evolves. Textually speaking, “universal” may mean that everyone is entitled to services that meet their needs, regardless of their ability to pay.Footnote 72 “Minimum” may also be defined as “something people actually want”Footnote 73 – as part of their “basic needs.”Footnote 74 In today’s digital age, how much broadband do we need? Based on the UN’s 2025 targets, 25 Mbps seems to be the answer for developing countries and LDCs – a wide gap compared to the EU 2025 Gigabit connectivity goal. This reconfirms both the theory and the experience that human rights are rarely an effective tool to address socioeconomic inequalities.
1.4 Digital Inclusion under International Trade Agreements
1.4.1 The GATS Telecommunications Reference Paper: Universal Service
Universal service policies, which are now generally accomplished through national funding, are explicitly recognized by the GATS Telecommunications Reference Paper (Telecom Reference Paper). More specifically, in stipulating that WTO members have the right to define the kind of universal service obligations they wish to adopt, Section 3 (Universal Service) of the Telecom Reference Paper implicitly permits members to establish a universal service support fund, stating the following:
Any Member has the right to define the kind of universal service obligation it wishes to maintain. Such obligations will not be regarded as anti-competitive per se, provided they are administered in a transparent, non-discriminatory and competitively neutral manner and are not more burdensome than necessary for the kind of universal service defined by the Member.Footnote 75
Section 3 of the Telecom Reference Paper, however, is silent as to whether such a fund should be maintained through operator levies or the general tax system. As a whole, the Telecom Reference Paper does not impose a single method by which universal service providers should be chosen or a specific mechanism by which universal service should be funded.Footnote 76 Rather, it leaves WTO members free to define the scope and method of a universal service policy that suits them depending on unique national circumstances. Such flexibility allows members to pursue universal service objectives through a wide range of methods, as long as these social objectives are achieved in a transparent, non-discriminatory manner.Footnote 77 In addition, Section 3 requires that the collection and distribution of a subsidy fund should be performed in a competitively neutral manner, and that the funding levied should not be more than is necessary to meet the member’s universal service policy requirements.Footnote 78 In practice, a member’s universal service scheme should be administered in alignment with the general principles required by Section 3 of the Telecom Reference Paper. For example, when implementing a universal service fund, a member should specify that such a fund is to be financed by all physical network operators, regardless of whether they are domestic or foreign enterprises or joint ventures. Nevertheless, WTO members have the discretion to impose self-defined universal service obligations on services suppliers. A member’s telecommunications regulator has wide policy space in advancing universal broadband service.
In this datafied world, potential reform in this regard is moving toward a requirement that big tech companies contribute their fair share to support the universal service mechanism. In the “FCC Reports to Congress on Future of the Universal Service Fund,” the FCC Commissioners, and in particular Brendan Carr, advocated for a new approach to funding the government’s universal service system.Footnote 79 After pointing out that Netflix, YouTube, Amazon Prime, Disney+, and Microsoft have been “enjoying a free ride on … Internet infrastructure,” Carr specifically asked the US Federal-State Joint Board on Universal Service to ensure that “the businesses that derived the greatest benefit from a communications network … are required to pay the lion’s share of the costs.”Footnote 80 Similarly, the EU has launched a public consultation surrounding how to fund infrastructure upgrades needed for transformative digital technologies, including AI and Metaverse/virtual reality (VR) applications.Footnote 81 By underscoring that all players benefiting from the digital economy should “fairly contribute to the required investments,” and that the entire industry should make “proportionate contribution to the costs” of public infrastructure,Footnote 82 it is clear that EU policymakers recognize the need for big tech companies to bear greater responsibility for the universal service goal. Turning back to the Telecom Reference Paper, this book contends that the proposed reforms to the member’s universal service system are aligned with Section 3, which provides sufficient policy leeway to accommodate the divergent policy needs of WTO members and structural changes to the broadband market, as long as they are administered in a transparent, non-discriminatory, and competitively neutral manner. Despite this, the Mexico–Telecom case below demonstrates how a WTO member’s universal service policy can go too far.
1.4.2 The Mexico–Telecom Case: Cost-Oriented Rates
The Mexico–Telecom disputeFootnote 83 was the first WTO panel proceeding to solely address the GATS, and it is also the only dispute settlement case to address international trade of telecommunications services.Footnote 84 The US asserted that Mexico’s rules governing connection rates for international telecommunications traffic violated its WTO commitments to provide interconnection at reasonable rates. It claimed that the interconnection rates negotiated by Telmex, the incumbent telecommunications supplier in Mexico, were not consistent with the “cost-oriented” requirement imposed by Section 2.2(b) of the Telecom Reference Paper.Footnote 85 Mexico argued that the US erroneously interpreted “cost-oriented” rates as simply equal to the “bare cost” of supplying the telecommunications services, and that instead, the term must be interpreted by taking into account the qualifying phrase “transparent, reasonable, and economically feasible” in Section 2.2(b) of the Telecom Reference Paper.Footnote 86 In the view of Mexico, relevant factors in assessing whether cost-oriented rates were “reasonable” include “the state of a WTO member’s telecommunications industry; the coverage and quality of its telecommunications network; and the return on investment.”Footnote 87 Mexico further argued that in assessing whether the cost-oriented rates were “economically feasible,” key factors should include “the efficient use of income and wealth” and “the needs of the operator and the policy goals of the country.”Footnote 88 In this respect, Mexico’s policy objectives to promote universal service, which “depended to a large extent on interconnection revenues,” should be taken into consideration.Footnote 89 Throughout the litigation, Mexico repeatedly stressed the need for “infrastructure development” and “universal service.”Footnote 90 The main argument is clear: The term “economic feasibility” in Section 2.2(b) of the Telecom Reference Paper provides great latitude in allowing its major supplier, Telmex, to include charges for infrastructure development or universal service.Footnote 91
In response to Mexico’s arguments, the US clarified the relationship between Section 2.2 (cost-oriented rate) and Section 3 (universal service) of the Telecom Reference Paper. In the view of the US, “interconnection charges are limited to the specific network components and facilities required for the interconnection service provided.”Footnote 92 Therefore, Telmex’s interconnection charge, which includes a universal service component, violates the “cost-orientation” requirement in Section 2.2. At the same time, the recovery of universal service subsidies hidden in Mexico’s interconnection charges also violates the “transparent administration” of universal service obligations in Section 3.Footnote 93 The US further pointed out that the Telecom Reference Paper separates the disciplines on cost-orientation rates in Section 2 from the disciplines on universal service in Section 3.Footnote 94 The US delegation argued that if Mexico wished to promote “investment” in its national telecommunications infrastructure, it should “fund” its rollout costs in a way that is consistent with Section 3 of the Telecom Reference Paper. The US contended that Mexico’s recovery of universal service subsidies paid to Telmex through the levy of hidden, inflated interconnection rates from foreign suppliers would be inconsistent with the Section 3 requirement that universal service obligations be administered in a transparent, non-discriminatory and competitively neutral manner.Footnote 95 Interestingly enough, during the oral hearing in the litigation, the US delegation “lectured” that Mexico’s above-cost interconnection rates had not and could not lead to infrastructure rollout and increase the country’s teledensity. The statement went on as follows: “competition, along with … the imposition of a universal service obligation that is consistent with the requirements of Section 3 of the Telecom Reference Paper, will help Mexico achieve infrastructure rollout and increased teledensity.”Footnote 96
While recognizing that the high degree of flexibility embedded in the term “cost-oriented” implies that more than one pricing methodology can be employed when calculating “cost-oriented” rates, the panel nevertheless noted that the widespread use of long-term incremental cost methodologies among WTO members should serve as a reference in determining the costs incurred in supplying the service.Footnote 97 On that basis, the panel concluded that Mexico was in violation of its “cost-orientation rate” commitments under Section 2.2(b) of the Telecom Reference Paper, because the interconnection rates charged by Telmex were substantially higher than the costs actually incurred in supplying the interconnection services.Footnote 98 The panel’s interpretation of the cost-orientation principle, which did not consider domestic regulatory objectives and practices, has been criticized by Howse as “laissez-faire ideology” and a “hyperliberal teleological view” toward the liberalization and deregulation of the telecommunications sector.Footnote 99 Twenty years after the Mexico–Telecom case, the issue of universal service, although framed in different legal contexts, once again came to the fore in the Brazil – Taxation case.
1.4.3 The Brazil Taxation Case: Public Morals Exception
Digital inclusion measures that extend beyond the context of the Telecom Reference Paper might also violate other WTO obligations and therefore raise the question of whether such measures can be justified by the WTO’s general exceptions. At the core of the issue is to what extent digital inclusion falls within the scope of the “public morals” exceptions. In this regard, the Brazil – Taxation dispute represents a remarkable case surrounding the challenges faced by international economic law in striking a balance between trade efficiency and digital inclusion.Footnote 100 The measures at issue concerned four Brazilian tax incentive programs.Footnote 101 Among others, under the Brazilian Digital Inclusion Program, only goods eligible for tax benefits are Brazilian domestic products,Footnote 102 representing a straightforward situation of incentives that are provided in respect of a preference for domestic over imported goods. The complaining parties – the EU and Japan – claimed that the Digital Inclusion Program is inconsistent with Article III:4 National Treatment principle of the GATT.Footnote 103
One key issue in the dispute was whether the discriminatory aspects of the measures could be justified under Article XX(a) of the GATT 1994Footnote 104 – the public morals exception.Footnote 105 In the litigation, Brazil argued that “there is a gap between demographics and regions that have access to modern information and telecommunications technology and those that do not have access or have restricted access.”Footnote 106 According to Brazil, the measures in dispute represented an important means to “bridge this digital divide and promote social inclusion,” which would in turn “improve literacy, democracy, social mobility, economic quality, and growth.”Footnote 107 To support its overarching policy goals, Brazil submitted as evidence the United Nations’ Millennium Development Goals Report, which stressed that “ICT access and use are unequally distributed within and between countries,” and that “it will be essential to address the widening digital divide.”Footnote 108 It further stated: “Only then will the transformative power of ICTs and the data revolution be harnessed to deliver sustainable development for all.”Footnote 109 In this regard, the EU argued that the social and economic development objectives claimed by Brazil may “characterize any governmental action.”Footnote 110 According to the EU, if objectives such as access to information were protected under Article XX, “then any governmental action taken in the public interest could be justifiable under Article XX.”Footnote 111
The panel found that a concern existed in Brazilian society with respect to the need to bridge the digital divide, and that such concern was within the meaning of Article XX(a) of the GATT 1994.Footnote 112 The panel therefore proceeded to examine whether the measures at issue satisfied the “necessity test” – the principle of proportionality in the context of international economic law. Under this “necessity test” practice, a central question is whether the discriminatory aspects of the measure are necessary to achieve the claimed objective: closing the digital divide.Footnote 113 More specifically, the central question in Brazil – Taxation concerned whether the alternative measures proposed by the complaining parties were WTO-consistent measures that were reasonably available to Brazil, that were less trade restrictive than the measures at issue, and that could achieve an equal or higher level of contribution to the objective of bridging the digital divide.Footnote 114 The panel found that the alternatives proposed by the complaining parties would not only be WTO-consistent and less trade restrictive than the Brazilian tax incentive programs,Footnote 115 but that they would also make a more substantial contribution to the claimed objective than the measures at issue.Footnote 116 The panel therefore concluded that Brazil had not demonstrated that the measures at issue were “necessary” to achieve digital inclusion within the meaning of Article XX(a) of the GATT 1994.Footnote 117 In other words, Brazil’s developmental concerns could not justify the imposition of national-origin measures.
In a broader sense, it is an awkward task for a WTO panel to address the “digital divide” within the context of Article XX of the GATT. Limited to its mandate, the panel’s primary task is to safeguard trade interests and address problems that arise when digital policies have an impact on trade. Nonetheless, the development of network infrastructure is the foundation upon which individuals are empowered to benefit from digital opportunities. Infrastructural dimensions, including enhancements to teledensity and Internet density by wireline, as well as wireless connections, often involve WTO-inconsistent subsidization measures that grant tax exemptions or subsidize ICT-related sectors in any possible way. The mere fact that a responding party must have attempted to stretch the scope of the “public morals” exception to justify its digital inclusion policy within the WTO indicates that the interplay between international economic law and digital inequality invites further reflection.
The WTO’s general exceptions provide a hierarchical framework by which to balance international trade commitments against national social preferences, ranging from the protection of public morals to the maintenance of public health.Footnote 118 WTO members can, for example, justify violations of their obligations assumed under the GATS through recourse based upon one of the grounds delineated in GATS Article XIV.Footnote 119 The opening sentence of Article XIV (the Chapeau) indicates that the negotiators’ intent was that all grounds listed in this provision “trump” trade obligations delineated in the rest of the GATS.Footnote 120 In other words, trade liberalization is not the supreme goal that all WTO members must strive to achieve at the expense of other public objectives. Domestic measures aimed at bridging the digital divide, if successfully invoked under GATS Article XIV, may provide WTO members with a lawful escape route from their GATS obligations.
Although the term “public morals” is not further defined in the WTO’s general exceptions, WTO jurisprudence offers examples of public policies that have been found by panels or the Appellate Body to pertain to public morals,Footnote 121 which include preventing underage gambling,Footnote 122 combatting money laundering,Footnote 123 protecting national culture and traditional values,Footnote 124 safeguarding animal welfare,Footnote 125 and, as demonstrated in the Brazil – Taxation case, bridging the digital divide and promoting social inclusion.Footnote 126 Nevertheless, only measures that are necessary to protect public morals will be deemed consistent with the GATS. In this context, the criteria for the “necessity test” have been consistently reproduced and emphasized in WTO jurisprudence, under which WTO members “have the right to decide which level of protection of the objectives it pursues.”Footnote 127 In this particular respect, it is up to WTO members to determine the level of protection of digital inclusion they consider appropriate, and other WTO members cannot challenge the level of digital inclusion pursued.Footnote 128 However, the “necessity test” requires the consideration of alternatives to the measure taken in order to determine whether existing options are “less trade restrictive” while “providing an equivalent contribution to the achievement of the objective pursued.”Footnote 129
As evidenced in Brazil – Taxation, the overall structure of the necessity test developed by the dispute settlement organs of the WTO serves as a critical tool by which to balance the public interests of the regulating member and the trade interests of other WTO members. Consistent with overall Article XX jurisprudence, while the panel in Brazil – Taxation reaffirmed the validity of “digital divide” concerns for purposes of the public morals exception, it also reinforced the necessity test as a limit in terms of how such measures can be applied. To conclude, when trade policy collides with digital inclusion policy, it leads to a dilemma between trade and non-trade values. Faced with such a dilemma, the WTO remains the most effective forum for balancing competing interests. Normatively speaking, however, there is little room for the panels to further expand the reach of the exceptions, and this is attributable to the prominence of the “necessity test” in applying the GATT/GATS general exception language.
1.4.4 DEPA: Digital Inclusion Module
Further disciplines of digital trade have been realized in FTAs and other preferential trade agreements (PTAs) in recent years.Footnote 130 In particular, significant achievements have been advanced by the Comprehensive and Progressive Agreement for Trans-Pacific Partnership (CPTPP)Footnote 131 and the United States–Mexico–Canada Agreement (USMCA).Footnote 132 Moreover, the Digital Economy Partnership Agreement (DEPA) between Singapore, Chile, and New Zealand represents an innovative and collaborative approach to digital trade issues.Footnote 133 Other recently concluded FTAs, such as the EU–UK Trade and Cooperation Agreement (EU–UK TCA),Footnote 134 the Regional Comprehensive Economic Partnership (RCEP) and the EU-New Zealand Free Trade Agreement (EU–NZ FTA), also serve as indicators of future digital trade negotiations.Footnote 135
One important feature of these FTAs, although it may not immediately affect digital inclusion policies, is worth emphasizing: There has been increasing recognition of a state’s “right to regulate.” Moving beyond the GATS preamble, participating parties have increasingly reserved a more concrete “right to regulate” in the FTAs. The Preamble of the CPTPP, for example, includes language stipulating that CPTPP members recognize their inherent right to regulate and resolve issues, preserving the flexibility of the parties to “set legislative and regulatory priorities, safeguard public welfare, and protect legitimate public welfare objectives,” including “public morals.”Footnote 136 As another example, in the Digital Trade Chapter, the parties of the EU–UK TCA reaffirm the right to regulate for the purpose of achieving legitimate policy objectives, such as “public morals.”Footnote 137 Over the long run, this trend may help to strike a balance between trade efficiency and digital inclusion, especially in trade dispute litigation where the preamble of a treaty is a source of interpretative guidance.
Nonetheless, the DEPA represents a new form of digital trade agreement that directly addresses the issue of digital inclusion.Footnote 138 The Digital Inclusion module in the DEPA – the first of its kind – establishes new collaborations pertaining to digital trade issues, including reduced disparities between developed and developing countries, and among haves and have-nots within a given country.Footnote 139 Article 11 stipulates that the parties acknowledge “the importance of digital inclusion to ensure that all people and businesses have what they need to participate in, contribute to, and benefit from the digital economy.”Footnote 140 The parties also recognize “the importance of improving access for women, rural populations and low socio-economic groups.”Footnote 141 Toward that end, the parties have agreed to cooperate on matters relating to digital inclusion, which may comprise, in part, the promotion of “inclusive and sustainable economic growth,” to ensure that the benefits and opportunities of the digital economy are more widely shared.Footnote 142
Surely, the language in Article 11 is relatively “soft” in terms of enforceability. The parties simply “acknowledge” or “recognize” the importance of digital inclusion, a scenario that does not provide countries involved with adequate legal tools by which to enhance their broadband infrastructure. It should be noted, however, that Article 14 renders Article 11 subject to dispute settlement.Footnote 143 A party may request the appointment of an arbitral tribunal to settle disputes among the parties concerning their rights and obligations with regard to digital inclusion. Overall, there is still a long way to go in transforming “digital inclusion” from a “shield” (i.e., a defense) to a “sword” (i.e., an affirmative obligation) under international trade agreements. However, a relatively softer cross-border regime like DEPA provides an early signal of the direction that stronger international commitments to digital inclusion may eventually take in the future. To conclude, a DEPA-type digital inclusion provision that requires cooperation in bridging the digital divide is a feasible starting point.Footnote 144 DEPA has apparently resulted in minor but highly symbolic progress in global digital inclusion efforts.
1.4.5 WTO JSI on E-Commerce: Digital Trade and Development
At the multilateral level, the dynamics in the interplay between trade liberalization and digital (in)equality likely will continue. Recent negotiating proposals in the WTO JSI on E-commerce reveal the uneasy relationship between digital trade and development.Footnote 145 Central debates include how to promote digital capacity and take into account the special constraints that developing countries face in the digital economy.Footnote 146 Communication from Côte d’Ivoire, among other interventions, called for the WTO Secretariat to be responsible for establishing a multilateral cooperation forum to “ensure universal benefits from the digital economy.”Footnote 147 Reiterating the fact that they “lack the infrastructure to fully exploit the potential of e-commerce,”Footnote 148 developing countries’ position is that they “have not felt the effects of trade digitalization on their economic development,” and that the ongoing e-commerce negotiations may “ignore the development interests of low-income countries.”Footnote 149 Similar communications from developing country members also requested that the WTO Secretariat establish a fund to support the integration of developing countries and LDCs into the digital economy. In their view, the WTO “should be responsible” for identifying and cataloguing the various programs, which are aimed at “providing technical assistance and implementing pilot projects for the development of e-commerce.”Footnote 150 In summary, developing countries have been pressing for “development-focused digital industrialization,”Footnote 151 stressing that needs more pressing than digital liberalization include the promotion of digital capacity and the safeguarding of universal benefits of the data-driven economy.Footnote 152 They have clearly positioned themselves in support of the argument that the WTO JSI on E-commerce should specifically address the urgent needs of digital connectivity, namely, the enabling infrastructure of e-commerce activities.Footnote 153
Drawing upon the experiences of the FTA negotiations, the issue of how to tackle digital trade and development will continue to be one of the primary battles in the WTO JSI on E-commerce.Footnote 154 Among others, one key issue is how to extend special and differential (S&D) treatment in the area of digital trade, which typically offers trade preferences, flexibility, transition periods, and technical assistance to developing countries.Footnote 155 The concept of S&D has been incorporated into the E-Commerce/Digital Trade Chapters of the FTA. In the CPTPP, Vietnam has been given a transition period, during which its existing data localization measures cannot be challenged by other parties. Similarly, a grace period has also been extended to both Vietnam and Malaysia for existing measures concerning the cross-border transfer of information by electronic means.Footnote 156 By the same token, obligations concerning interactive computer services will not apply to Mexico until three years after the USMCA becomes effective.Footnote 157 It remains to be seen how S&D provisions will be incorporated into the WTO e-commerce trade rules.Footnote 158
Amid the JSI negotiations, it is important to save the WTO e-commerce trade deal from being a digital “haves” trade agreement. In the digital world, developed countries might just as well be from Mars, while developing countries might just as well be from Venus. In the meantime, the latter are still at the stage where they are struggling to provide Internet access in rural areas and among disadvantaged groups, whereas the former are already focusing on cutting edge issues such as open government data, e-invoicing facilitation, etc.Footnote 159 Such gaps have posed challenges to the promotion of the more widespread adoption of multilateral e-commerce trade rules. The WTO must be very careful not to give emerging economies a reason to think they are being excluded from the multilateral process. Priority in the negotiating agenda should be given to addressing the issues surrounding infrastructure development, including both goods (e.g., tax measures on ICT products)Footnote 160 and services (e.g., broadband FDI).Footnote 161 It remains to be seen how WTO members can find the common ground needed to balance digital trade liberalization and development needs. Unless infrastructure concerns from developing countries and LDCs are addressed, the ongoing e-commerce trade deal may end up being labeled a digital “haves” trade agreement.
1.5 Broadband Investment in a Broader Policy Context
1.5.1 Network Neutrality
From a broader policy perspective, a long and painful debate that has been repeatedly asserted as central to broadband investment centers on the regulations regarding network neutrality.Footnote 162 Briefly, the erosion of broadband telecommunications revenues has had a disruptive effect on the sector over the past decade. Digital applications such as WhatsApp have become practical alternatives to “traditional” telecommunications services.Footnote 163 Voice and messaging services provided by Internet applications have dramatically drawn voice and short messaging service (SMS) traffic away from mobile operators, causing a significant impact on “traditional” network volumes and revenues.Footnote 164 In addition to these revenue-eroding trends, streaming content delivered by suppliers such as Netflix has resulted in the growing demand for broadband infrastructure to seamlessly connect data. Taken together, broadband infrastructure itself is becoming the so-called dumb pipe.Footnote 165 Internet content and applications “piggyback” on physical network infrastructure for delivery,Footnote 166 while at the same time directly competing with services offered by infrastructure operators. Because of these perceived vulnerabilities, some broadband operators have resorted to blocking or degrading Internet traffic.Footnote 167
Against this backdrop, network neutrality is a term that encompasses various levels of equal treatment of online traffic. The primary concept behind network neutrality is that “all data traffic on a network should be treated indiscriminately.”Footnote 168 This means that in practice, Internet service providers (ISPs) would be restricted from blocking, degrading, or prioritizing the delivery of online content and applications at their discretion.Footnote 169 Whether network neutrality should be imposed as a regulatory requirement has become a controversial issue in many jurisdictions, with politically powerful advocates both in favor of and against its imposition.Footnote 170 Especially in the US, since network neutrality’s emergence as an academic idea in the early 2000s, the controversy surrounding it has never ceased.Footnote 171 Network neutrality opponents have claimed,Footnote 172 among other issues, that incentives for physical network operators to continually invest in broadband infrastructure may be reduced if operators cannot realize revenues from the additional traffic generated by online content and application suppliers such as Netflix and YouTube.Footnote 173 In their view, increasing Internet traffic has resulted in a congestion problem, and without new sources of revenue, necessary infrastructure investments in the transmission network layer will be at risk.Footnote 174 Based on some empirical data, network neutrality opponents have argued that “the digital divide would have widened” if network neutrality rules were restored.Footnote 175 On the other hand, based on an analysis of broadband economics, supporters of network neutrality have advanced arguments suggesting that the neutrality policy would not overly interfere with broadband operators’ ability to “earn a return on their infrastructure investment.”Footnote 176
In the arena of international economic law, a looming version of network neutrality – “Open Networks, Network Access and Use” – has emerged since the early 2010s in both bilateral and plurilateral trade negotiations.Footnote 177 More recently, a quasi-network neutrality provision, “Principles on Access to and Use of the Internet for Electronic Commerce/Digital Trade” (Access Principles), has been incorporated into the FTAs such as CPTPP’s E-Commerce Chapter and the USMCA’s Digital Trade Chapter.Footnote 178 In other words, although the provision did not come closer to a comprehensive approach to network neutrality, a miniature concept of this has been injected into FTAs, with one outstanding caveat: reasonableness.
To illustrate, under both trade agreements, broadband operators within the territories of the parties are still allowed to maintain “reasonable network management.” In this regard, it is permissible for broadband operators within the CPTPP parties to offer their subscribers certain content on an exclusive basis.Footnote 179 It should be noted that the concept of “reasonable network management” has been highly controversial within the domestic context, and there is no guidance surrounding its meaning in most jurisdictions. Some broadband operators have claimed that “reasonable network management” may require practices “to reduce or mitigate congestion on the network, ensure quality-of-service, or address traffic that is unwanted or harmful to users, among other things.”Footnote 180 If so, this caveat creates a space for broadband operators to throttle Internet traffic or downgrade bandwidth for certain data flows.Footnote 181
After all, if we borrow from the WTO’s jurisprudence on the “reasonableness” standard, the term “reasonable” is defined by several WTO panels as “in accordance with reason,” “not irrational or absurd,” “sensible,” “within the limits of reason,”Footnote 182 and “not greatly less or more than might be thought likely or appropriate.”Footnote 183 Compared with other, more “advanced” standards, such as necessity and proportionality, reasonableness represents a basic standard, which merely requires that the acts are not “irrational or absurd.”Footnote 184 It can be argued, however, that under the “reasonableness test,” the question of whether a broadband operator’s network management practices violate the Access Principles should be examined under specific country conditions. Namely, the state of broadband development of a party, especially in the developing world, should be taken into account. When viewed in this light, “reasonableness” is to be determined in context, accommodating local development needs.Footnote 185 For example, broadband operators’ practices in Vietnam might be more likely to be considered “reasonable” Internet traffic management if the degraded service was due to traffic congestion concerns. On the other hand, an ISP’s degrading of Internet traffic in Singapore, a leading country in the world in terms of broadband speeds,Footnote 186 might be found “unreasonable” as a whole.
In any event, these quasi-network neutrality “rules” under the FTAs are of a soft law nature. The parties merely “recognize” the benefits of the Access Principles, which are subject to a party’s domestic “policies, laws and regulations.” To a large extent, these provisions do not impose mandatory or legally binding obligations. Such obligations carry little institutionalized enforcement for noncompliant behavior. The softness of these provisions reflects the political sensitivity surrounding this issue.
1.5.2 Digital Silk Road
From a foreign policy angle, there has been unconventional but potentially overwhelming progress regarding digital connectivity: the Digital Silk Road (DSR) component of China’s Belt and Road Initiative (BRI).Footnote 187 The BRI, as China’s most significant strategic agenda following its accession to the WTO, has centered its initiatives on infrastructure development. Despite mounting concerns regarding debt sustainability and the commercial as well as the political rationale behind the initiative, China’s actions to bridge the global infrastructure gap – whether roads, railways, ports, electricity, or telecommunications infrastructure – are nevertheless welcome in many developing countries and LDCs.Footnote 188 Under the umbrella of the BRI, the DSR has gained its own momentum since its emergence in 2015 and is becoming more and more central to the BRI.Footnote 189
The DSR’s primary undertaking is straightforward: rolling out broadband in dozens of countries in BRI regions where digital infrastructure is underdeveloped or even nonexistent, and upgrading existing Internet connections to a higher broadband across BRI regions.Footnote 190 Under the DSR, dozens of projects have been implemented with the help of Chinese government investments, which generally involve financial aid and technical support for digital infrastructure and related industries. For example, China has been deeply involved in the Infrastructure Consortium for Africa, including the establishment of national broadband networks. Several African countries have substantially benefited from the DSR, primarily in the areas of 5G networks and fiber-optic cables.Footnote 191 Overall, the DSR has been concentrating on the urgent needs of broadband connectivity in the Global South.Footnote 192
From a “legal” perspective,Footnote 193 China has signed memoranda of understanding (MoU) along the path of the DSR, with at least sixteen countries agreeing to closer cooperation in the development of digital infrastructure.Footnote 194 In the Belt and Road Digital Economy Cooperation Initiative, for example, the parties to the MoU declare their intentions to “expand broadband access and improve quality, improve the construction of regional communication, Internet, satellite navigation, as well as other important information infrastructure and facilitate interconnection.”Footnote 195 The parties also stress the priority to “explore ways to expand high-speed Internet access and connectivity at [an] affordable price,” as well as to “promote broadband network coverage and improve service capacity and quality.”Footnote 196
In practice, the DSR is driven by China’s private companies. Supported by the DSR, telecommunications services suppliers such as China Telecom Corporation, China Mobile, and China Unicom, together with telecommunications equipment vendors such as Huawei and ZTE, take advantage of the “DSR label” to expand their 5G markets overseas.Footnote 197 These Chinese companies work together, supply integrated solutions, and – at the same time – “transplant” Chinese standards to the DSR regions.Footnote 198 In the long run, the more the DSR’s beneficiary countries depend on Chinese systems in their digital infrastructure, the more progress China realizes in leading the way in global standards for 5G and beyond. In addition to its technical standard-setting efforts, China’s involvement in digital infrastructure through the DSR is increasingly leading to geopolitical and security implications.Footnote 199 Concerns have been raised that China can leverage the DSR to “export” its model of technology-enabled authoritarianism to recipient regions,Footnote 200 which would compromise personal data protection and human rights in those countries.Footnote 201 More specifically, commentators argue that China, through the DSR, will further influence recipient countries to adopt surveillance measures that are detrimental to Internet freedoms.Footnote 202 In this context, the 2021 G7 summit in Cornwall highlighted such concerns.Footnote 203 During the 2021 summit, allied leaders announced a “global infrastructure plan” – the Build Back Better World program – to “provide an infrastructure alternative to China’s BRI.”Footnote 204 At the 2022 Summit, G7 leaders formally launched “the Partnership for Global Infrastructure and Investment,” which aims to “close the infrastructure gap in developing countries,”Footnote 205 and to offer, if not rival, an alternative to China’s BRI in developing countries and LDCs.
In summary, although primarily driven by a political agenda and strategic propaganda, the DSR represents an indispensable component in mapping the whole contours of the issues surrounding digital inclusion. The DSR has often been conceptualized as a strategic extension of China’s digital technologies and authoritarian policies, and China’s digital push for development cooperation has long been framed as a part of the Chinese effort to assert itself as the dominant technological power in the world.Footnote 206 In any event, China’s support for major telecommunications infrastructure projects under the DSR has proven to be a rather strategic and thus effective approach to influencing the developing and the less developed worlds. Admittedly, the DSR can help to enhance digital connectivity in underserved regions, improve broadband access in developing countries, and, at the end of the day, narrow the infrastructure gap.Footnote 207 Of course, the most pressing challenge facing recipient countries undergoing digital development with the aid of China is how to bargain for their “digital sovereignty.”Footnote 208
1.6 Conclusion
The “enabling” character of digital physical infrastructure raises questions regarding how best to tackle the issue of “trade and development” in a datafied world. In this chapter, we have examined the issue of digital inclusion at the broadband infrastructure level. This chapter should be read in conjunction with Chapters 5 and 6 of this book. After all, the remedy for broadband access (Chapter 1) cannot be meaningfully realized without ensuring it is in sync with digital application (Chapter 5) and data flow (Chapter 6). Put simply, this is attributable to the fact that the more people access the Internet, the more data digital platforms gain. The far-reaching datafication of human activities goes hand in hand with communications on the 5G broadband. Moreover, as Chapter 2 will continue to address, cybersecurity risks have been growing in parallel with the increasing penetration of broadband networks. Increasing Internet connectivity has led to a surge in cybersecurity threats. Although Huawei’s campaign has emphasized how its exclusion from many countries’ telecommunications markets would “exacerbate the digital divide,”Footnote 209 the digital economy relies not only on the availability, but also on the resilience, of broadband infrastructure.Footnote 210 Secure and trusted broadband services are equally, if not more, important to a universal broadband service in this datafied world. The security and availability of 5G networks in some way conflict.
2.1 Introduction
Digital technologies have significantly transformed the way we live our lives. The workings of both the public and private sectors have become reliant on digital infrastructure that enables data flows. The rapid development of “smart cities,” in conjunction with progress in the IoT and AI, has converted more and more social and economic activities into digital data, which has in turn produced new forms of vulnerabilities: the multiplication of cybersecurity risks. Cybersecurity threats, for which digital technology suppliers can build back doors into hardware or software, have become major concerns for policymakers in this datafied era.Footnote 1 Along with digitalization, platformization, and datafication, the probability of cyberattacks against critical infrastructure increases as well. Therefore, supply chains of critical industries become intrinsically linked to broader digital and national security policies.
More specifically, the global data network has generated vulnerabilities for states in terms of protecting national security. Cyber risks in the supply chains of critical industries are specifically perceived as threats to the integrity of a state’s critical infrastructure. A cyberattack to a critical national infrastructure is far beyond a mere criminal offence that the nation’s judicial organs can meaningfully address.Footnote 2 Rather, it is a matter of national security that affects the foundation of a sovereign.Footnote 3 Due to the relatively low cost and wide availability of digital technologies, cyberattacks and cyber terrorists now represent key methods of warfare.Footnote 4 High-profile, hostile incidents over the yearsFootnote 5 and the recent war in Ukraine offer lessons to other countries about the importance of a cyber defense.Footnote 6 As the backbone infrastructural sector and an interactive central nervous system for the digital economy, 5G networks face acute challenges as a result of cyber espionage, surveillance, and other cybersecurity risks, creating an intertwined relationship between data networks, cybersecurity, and national security.
In terms of national regulations, the mobile telecommunications sector has long been subject to heavy regulations. Traditional command and control mechanisms have been in place, primarily because the sector involves spectrum allocation and other public interests. More recently, controversies surrounding vulnerabilities in 5G goods and services have become a common concern, which has in turn amplified the role of state oversight. National security is now the central theme in the global 5G crisis,Footnote 7 and it is becoming more and more acute given the increasing tensions between the US and China. Taking in the entire picture, the US–China trade war has been intensified due to, or partially under the pretext of, US national security concerns. It has become a general perception that China’s leading role in the 5G standardization process and Huawei’s potential dominance in the global 5G market increase security risks, which could be exploited for spying and industrial espionage.Footnote 8 Facing the potential threat of a “Cyber Pearl Harbor,”Footnote 9 states have resorted to domestic regulation to protect their cybersecurity interests, leveraging their regulatory power to address such concerns, especially in critical industries in which the integrity of critical infrastructure would be in peril if not properly guarded.Footnote 10
At the same time, the interdependencies and interconnectedness of cyberspace cannot be fully understood without considering their transnational dimension.Footnote 11 Cyber risks do not stop at national borders. Critical infrastructure resilience should therefore be examined in the cross-border context. Recent initiatives, such as the EU–US Trade and Technology Council (TTC) and the Pillar of Supply Chain of the Indo-Pacific Economic Framework (IPEF), further demonstrate policy directions to promote supply chain security and strengthen the resilience of ICT ecosystems. With regard to transatlantic allies, the impact of Russia’s invasion of Ukraine on Europe’s supply chains presents an urgent need to “identify and address supply chain vulnerabilities.”Footnote 12 Thus, the main agenda for TTC is to cooperate on trust and security issues in the areas of ICT goods and services – namely, to prevent political and economic disruption caused by the over-concentration of resources in key supply chains. If the US is able to replicate the TTC level of cooperation and momentum under the IPEF, the transpacific allies may move forward to establish criteria, jointly identify goods and services critical to their national security, and “increase resiliency and investment in critical sectors.”Footnote 13 Evidently, strengthening international cooperation toward critical infrastructure resilience is a compelling policy option among geopolitical allies.
2.2 Critical Infrastructure as the Backbone of the Digital Economy
2.2.1 Critical Infrastructure and Cyber Resilience
The concept of “critical infrastructure” is constantly evolving. In order to reflect and respond to new challenges in network security, both the number and variety of critical infrastructure are rapidly increasing. Critical infrastructure is now a term commonly used to identify services of a sensitive nature that have the potential to “cause massive disruption to dependent systems/services if they are compromised or destroyed.”Footnote 14 Public utilities and emergency services, among others,Footnote 15 are most frequently associated with the concept of critical infrastructure.Footnote 16 In this datafied age, however, critical infrastructure operates across both the physical and the digital world,Footnote 17 and as a result, cybersecurity threats may originate from both the hardware and software components. Indeed, critical infrastructure is “increasingly if not exclusively controlled by computers.”Footnote 18 In other words, infrastructure systems have undergone a digital transformation, with consequences to cyber risks and vulnerabilities. Cyberattacks can damage critical infrastructure in various ways, including directly taking control of industrial processes to block the functioning of energy distribution or transport services.
The complex ecosystem of critical infrastructure therefore requires a holistic and convergent security approach that protects both physical security and cybersecurity. Taking the energy sector as an example, the development of a smart grid and other innovative services means that the sector is increasingly reliant on data flows. Thus, an aggregate level of safety is necessary to mitigate both physical and cyber risks to energy systems.Footnote 19 Ultimately, critical infrastructure resilience is multifaceted. The disruption of critical infrastructure – whether 5G networks, transportation systems, water or energy supplies, or emergency hospital services – can lead to significant harm to societies and cause cascading effects across sectors. The cross-sectoral, systematically interdependent nature of critical infrastructure therefore calls for a comprehensive resilience strategy through which security risks are assessed in their entirety.Footnote 20
Notably, some infrastructure assets are the key components of a wider, complex system. In this regard, the 5G broadband infrastructure has been considered one of the most critical utilities, which “if destroyed, degraded or rendered unavailable for an extended period, would adversely impact the social or economic well-being of the nation or affect a state’s ability to ensure national security.”Footnote 21 Ensuring the cyber resilience of the 5G broadband infrastructure and preventing it from being either a direct target or an indirect vehicle for cyber threats has become a prominent mission of the national security efforts of most countries. That being said, such an infrastructure is generally owned and operated by the private sector. As discussed in Chapter 1, telecommunications services have undergone privatization over the last several decades, and currently, government control over telecommunications infrastructure assets has, to a large extent, decreased. The need for cyber resilience, however, has resulted in escalating governmental intervention.Footnote 22 To tackle cross-border security challenges, governments have reviewed and strengthened their national security strategies and have adopted more far-reaching regulations, with the aim of fostering a secure and resilient ICT environment against cyberattacks.
2.2.2 Trade-Restrictive Critical Infrastructure Security Measures
The cyber arms race and digital tit-for-tat have intensified geopolitical frictions. The major geopolitical players in the digital economy have adopted increasingly comprehensive security measures at the national level. By stressing that the backbone of the digital economy must be trusted and reliable, the Biden administration has accelerated the implementation of a set of trade measures to diversify supply chains and thereby secure the infrastructural resilience of 5G networks.Footnote 23 In fact, under both Trump and Biden, 5G supply chain security has been at the center of the national security strategy of the US. At the data network level, following Trump’s “Clean Network” and “Clean Path” initiatives,Footnote 24 the current FCC of the Biden administration, citing the same national security grounds, has continued to order US telecommunications companies to remove Huawei equipment from their networks.Footnote 25 At the digital platform level, although the Biden administration has withdrawn Trump’s executive orders that banned transactions with eight Chinese software applications,Footnote 26 the current FCC proceeded to request that US digital platforms remove TikTok from their app stores.Footnote 27 Overall, the government has been actively engaged and has closely scrutinized transactions in the ICT sector. Among other measures, the Committee on Foreign Investment in the United States (CFIUS)Footnote 28 ordered ByteDance, a Chinese startup, to divest in TikTok due to national security concerns. Although that order was not enforced by the Biden administration, the CFIUS has continued to monitor whether TikTok’s partnership with Oracle can sufficiently resolve national security issues.Footnote 29
Across the Atlantic, recognizing that digital technologies are now a vulnerable target, protecting resilience against cybersecurity threats has been placed at the center of the EU’s cybersecurity policies. The adoption of the “5G Toolbox of Risk-Mitigating Measures” (the “5G Toolbox”),Footnote 30 which delineates potential areas of risk and remedial measures connected with suppliers of 5G infrastructure, sought to achieve diversity among suppliers and reduce Chinese companies’ (especially Huawei’s) participation in the 5G rollout.Footnote 31 In practice, one important category in the 5G Toolbox is the risks connected with suppliers of 5G infrastructure. Among all possible strategic remedial measures, the 5G Toolbox underscores the importance of restricting or excluding “high risk suppliers” to ensure that dependencies on certain suppliers do not “negatively affect the security of networks and/or services.”Footnote 32 Along this policy path, the proposed EU Cyber Resilience Act is expected to “bolster cybersecurity rules to ensure more secure hardware and software products.”Footnote 33
Other striking cases of trade-restrictive security measures surrounding 5G and its applications include the Australian government’s ban on Huawei’s participation in building the nation’s broadband infrastructure and India’s decision to block access to dozens of mobile applications originating in China, including WeChat.Footnote 34 It should also be noted that after joining the so-called Five Eyes intelligence-sharing network, which consists of the US, Canada, the UK, Australia, and New Zealand, Canada decided to ban Huawei/ZTE 5G equipment to protect its national security. Retroactively, Canadian telecommunications operators that already have this equipment installed are required to remove it by June 2024.Footnote 35
At the same time, from “Great Firewall” to direct virtual private network (VPN) blocking,Footnote 36 VPN traffic is generally filtered in China to ensure compliance with its social stability and national security agendas. China’s cybersecurity regime has become even more complex and strict since its Cybersecurity Law was implemented,Footnote 37 primarily due to its lack of tailored definitions and transparent guidance. The vague language and broad scope of China’s Cybersecurity Law accord the government even wider latitude to facilitate its political and economic agendas.Footnote 38 The Chinese government has issued implementation measures for its cybersecurity law, including the “cybersecurity review,” which imposes restrictions on foreign ICT goods and services based on “potential national security risks” related to the reliability of supply chains. Moreover, the Chinese Cryptography Law contains trade-restrictive requirements for encryption products that involve national security.Footnote 39 Under the Chinese regulatory framework, loosely defined “encryption products,” which encompass a wide range of ICT goods and services, must mandatorily undergo a cybersecurity risk assessment.Footnote 40
2.2.3 The Inherent Clash with International Trade Rules
Through a broader lens, security-related trade restrictions – regardless of whether or not they directly address critical infrastructure – have the potential to clash with international trade rules in many ways, at both the multilateral and regional levels. Country-specific bans on ICT goods and services may violate the most-favored-nation principle, given the fact that the competitors of other countries will be the beneficiaries of such restrictions.Footnote 41 Security measures may be inconsistent with national treatment obligations if the domestic ICT goods or services and the banned foreign goods or services are “like products” or “like services.”Footnote 42 Moreover, non-discrimination provisions in the Electronic Commerce/Digital Trade Chapters of the FTAs also require the parties to ensure non-discriminatory treatment of “like digital products.”Footnote 43 In other words, a violation could be found by comparing domestic and foreign digital products. If they are “like” digital goods or services, the adverse treatment of foreign digital products may be considered discrimination. Furthermore, security measures can simultaneously constitute quantitative restrictions on international trade in goods and violate the obligations to eliminate such restrictions.Footnote 44 Similarly, when a state undertakes market access commitments in relevant services sectors, these measures may restrict ICT services and violate relevant market access obligations.Footnote 45 Additionally, security-related trade restrictions in the public procurement of network equipment may breach a state’s market access schedules of commitment under the Government Procurement Agreement (GPA), which lists the procurement activities open to international competition.
In cases in which the security standards constitute “technical regulations” under the Technical Barriers to Trade Agreement (TBT Agreement), unique security standards that accord less favorable treatment to imported products than that accorded to like products of national origin may also breach non-discrimination obligations.Footnote 46 Given the technical characteristics of cybersecurity measures, the TBT Agreement has become the legal battleground for trade-restrictive security measures. To be more straightforward, China and the EU have been accusing each other of using mandatory cybersecurity standards to protect their own 5G equipment suppliers, namely, Huawei/ZTE and Ericsson/Nokia. On the one hand, China’s paradigmatic approach to the use of technical standards in the ICT sector, which in many instances appears designed to favor China-specific approaches, has caused substantial worldwide concern within the industry. In particular, the EU has consistently claimed that the requirement of the Chinese ICT security certification regime “appears to extend well beyond what the EU would consider justified for national security protection, which was cited by China as the legitimate objective to be achieved.”Footnote 47 The EU also repeatedly requested that China clarify the rationale for its cybersecurity measures and their relationship to national security. On the other hand, the EU 5G policy – notably, trade-related cybersecurity measures designed to decrease (over)dependence on non-EU goods and services – has been criticized by China for being inconsistent with the EU’s dedication to open market principles. In particular, China has raised concerns about the measures adopted by Sweden, which aims to remove Huawei and ZTE from its 5G infrastructure by 2025 based on the EU 5G Toolbox.Footnote 48 The delegate for China in the WTO meetings also claimed that the Swedish decision violates the WTO rules of transparency and non-discrimination, that the assessment criteria in the 5G Toolbox have led to de facto discrimination, and that the favorable treatment of Ericsson is inconsistent with the TBT Agreement.Footnote 49 Similarly, at the same WTO meeting, China reiterated its “regret” that Chinese companies cannot participate in Australia’s 5G network construction, and that their equipment in the existing 4G network has also been removed in Australia.Footnote 50 Interestingly, China asserted that “the issue of telecommunication network security should be addressed based on scientific verifiable facts and data, rather than the origin of suppliers.”Footnote 51 China urged Australia to amend its 5G policy to bring its measures in line with WTO rules. In response to China’s assertion, the Australian government stressed that its 5G policy is “country-agnostic, transparent, risk-based, non-discriminatory, and fully WTO-consistent.”Footnote 52
2.3 Contextualizing Security-Related Exceptions: Possible Reconciliation
Nonetheless, general and security exceptions provide a normative framework by which to balance free trade obligations against national policy interests. Thus, the key issues here relate to whether and how those exceptions would protect a state’s policy space through regulatory actions directed at national security matters. In this context, Figure 2.1 distinguishes between the types of exception clauses related to national security in international trade agreements. The vertical axis, with the “necessity test”Footnote 53 and “good faith standard” at each end,Footnote 54 represents the discretionary nature of the necessity element required by the exception. The horizontal axis, with “limitative qualifying clauses” and “expansive security clauses” at each end, represents the scope of situations allowed by the exception. This book argues that although on the face of it multiple exceptions may be available, complex technical and political-economic factors trigger their applicability. On the one hand, in the pre-digital age, “conventional” general exceptions (quadrant III)Footnote 55 and security exceptions (quadrant II)Footnote 56 are too narrowly framed to address cybersecurity objectives. On the other hand, trends to create open-ended or digital sector-specific security exceptions (quadrant I) may also fall short for being excessively unrestrained if due process and good faith are not accorded. The four quadrants are respectively discussed below.

Figure 2.1 Contextualizing security-related exceptions
2.3.1 GATT-Type General Exceptions
2.3.1.1 GATT General Exceptions
The exception clauses in quadrants II & III were drafted in the brick-and-mortar age. Therefore, these “pre-digital era exceptions” are not properly formulated to address today’s cyber threats. Taking GATS Article XIV General Exception (in quadrant III) as an example, although none of the grounds enumerated under the general exception explicitly refer to cyber risks, a WTO panel may find that the “public morals” exception affords an avenue through which to protect cybersecurity.Footnote 57 The parties in dispute, however, must present evidence – most likely involving classified documents – to demonstrate whether alternative measures, such as cybersecurity certifications or conformity assessment procedures, are less intrusive but equally effective. The Panel would have to assess whether such alternative measures should be regarded as WTO-consistent measures that are reasonably available to the responding party. Arguably, the necessity test can serve as a tool that guides states in taking targeted actions necessary to address cybersecurity concerns and refrain from creating unnecessary barriers to international trade.Footnote 58
To be more concrete, the core issue here is the connection between the trade-related cybersecurity measures and the public morals objectives upon which such cybersecurity measures are based. The standard necessity test requires the consideration of alternatives to the measures taken in order to determine whether existing options are “less trade restrictive,” while “providing an equivalent contribution to the achievement of the objective pursued.”Footnote 59 In litigation, however, it would be unrealistic to expect two hostile states to present their intelligence information for or against the cybersecurity measures at issue. Because the complaining party must present scientific evidence to demonstrate that the proposed cybersecurity alternatives are at least “as good as” the trade measures taken by the responding party, the confidential and politically sensitive nature of security matters makes it particularly difficult for the parties to prove their case to a trade tribunal’s satisfaction. It is equally impractical for the tribunal to engage in an evidence-based necessity test.
In any event, it will be a politically and technically challenging task for a trade tribunal to engage in an examination of whether the chapeau of the general exceptions can be satisfied. The two key concepts are “arbitrary or unjustifiable discrimination between countries where the same conditions prevail” and “disguised restriction on international trade,” which “prohibit the abusive exercise of rights by states,”Footnote 60 and oblige a responding party to “articulate its defense promptly and clearly.”Footnote 61 Again, such a procedural safeguard, however, poses a fundamental conflict with cybersecurity matters, where intelligence and other classified information are involved.Footnote 62 As Cohen argued, trade and security reflect different paradigms. The conflicts between the two competing interests occur not only at the legal technical level, but also at the systems level.Footnote 63 As a result, in most cases, the conventional GATT-type general exceptions operate awkwardly when balancing trade and security interests.
2.3.1.2 TBT Legitimate Objectives
In contrast to GATT Article XX and GATS Article XIV, the TBT exceptions, and in particular the “non-exhaustive” list provided in the TBT Agreement Article 2.2,Footnote 64 fall between quadrants III and IV due to their broader scope. As shown in Figure 2.1, unlike the conventional GATT general exceptions, which have a relatively narrow application in terms of the scope of the qualifying conditions, WTO jurisprudence makes it very clear that TBT Article 2.2 provides a “non-exhaustive list of legitimate objectives.”Footnote 65 In other words, the open and illustrative list under TBT 2.2, which uses the word “inter alia,” provides wider policy space for legitimate objectives advanced by the invoking party. Overall, it should be relatively easy to establish that the disputed cybersecurity standards fall within the scope of the exceptions provided under TBT 2.2.Footnote 66
Nevertheless, the necessity requirement remains. TBT exceptions resemble those of the GATT general exceptions in the way that the standard necessity test applies. The key issue here involves whether certain cybersecurity measures, while serving “legitimate objectives,” are “more trade restrictive than necessary” to fulfill the legitimate objective. The complaining party bears the burden of establishing that the cybersecurity measures are inconsistent with TBT Article 2.2 because the challenged standards created an “unnecessary” obstacle to international trade.Footnote 67 Further, the complaining party must explain why there are reasonably available, less trade-restrictive means of achieving the same level of protection.Footnote 68 The confidential, nontransparent nature of the cybersecurity matters once again renders the exercise of the necessity test relatively difficult.Footnote 69
2.3.2 GATT-Type Security Exceptions
Conventional security exceptions (in quadrant II), which can be found in the WTO and many FTAs, represent another form of pre-digital era exceptions that are out of touch with cybersecurity policies. GATT Article XXI(b), as a representative clause, allows a state to take any action “it considers necessary” to protect its “essential security interests,” stating the following:
Nothing in this Agreement shall be construed:
…
(b) to prevent any contracting party from taking any action which it considers necessary for the protection of its essential security interests
(i) relating to fissionable materials or the materials from which they are derived;
(ii) relating to the traffic in arms, ammunition and implements of war and to such traffic in other goods and materials as is carried on directly or indirectly for the purpose of supplying a military establishment;
(iii) taken in time of war or other emergency in international relations; or
… (emphasis added)
Historically speaking, national security exceptions had been utilized in a restrained and cautious manner. China, in both China – Raw Materials and China – Rare Earths, considered but eventually did not invoke the national security exceptions.Footnote 70 In those disputes, despite the fact that the Chinese government repeatedly stressed that China’s restrictions were based on important national security concerns surrounding its reliance on foreign suppliers for its military supply chain since rare earth minerals are used in missile and aircraft systems,Footnote 71 China nevertheless did not invoke Article XXI(b) of the GATT.Footnote 72 In short, before the Panel Report of Russia – Traffic in Transit broke the ice, the GATT/WTO consistently avoided issuing findings on the merits of security exceptions for decades. The Russia – Traffic in Transit dispute somehow served as a catalyst for WTO members to bring legal challenges against security-based measures, and to invoke the security exception as a defense.
Since Russia – Traffic in Transit, WTO panels have clarified how the so-called self-judging clauses operate.Footnote 73 In theory, the term “it considers necessary” was drafted to reserve the right to opt out of certain treaty obligations otherwise imposed by the WTO agreements.Footnote 74 For decades, it was not clear how the concept of self-judging worked under Article XXI. How much discretion should there be in the determination of a measure’s necessity? Should these national security exceptions be construed as entirely self-judging so as to sufficiently preserve the autonomy of a state’s security matters? Does this mean that a state is entitled to unilaterally decide on what its essential security interests are, as well as what action is necessary to protect those interests?Footnote 75 In this regard, the Panel in Russia – Traffic in Transit conceded that Article XXI(b)(iii) “is not totally self-judging.”Footnote 76 According to the panel, the discretion of a member to designate particular concerns as “essential security interests” is limited by its obligation to apply GATT Article XXI(b)(iii) “in good faith.”Footnote 77 The panel pointed out that the obligation of good faith requires members not to use the security exceptions as a means to circumvent their WTO obligations.Footnote 78 The panel must therefore review whether the security measures have been applied in good faith.Footnote 79 In this context, a “plausible link” must be established between the invoking state’s “essential security interests” and the trade-restrictive measures in dispute.Footnote 80 If we follow the reasoning in Russia – Traffic in Transit, an invoking member must demonstrate that the disputed cybersecurity regulations “meet a minimum requirement of plausibility” in relation to the member’s national security.Footnote 81 In this regard, “plausible link” might be questioned, and “bad faith” might be found, when network security regulations substantially favor domestic goods or services. However, the “good faith” standard will be particularly problematic when the measure at issue is motivated by both “protectionism” and “patriotism,” namely, when commercial and security interests are inextricably linked.
More importantly, from Russia – Traffic in Transit to U.S. – Steel and Aluminium Products, WTO panels have adopted the view that the subparagraphs (“fissionable materials,” “traffic in arms,” and “war or other emergency in international relations”) of Article XXI(b) are exhaustive in establishing the circumstances under which a state may “take the action which it considers necessary for the protection of its essential security interests.”Footnote 82 In U.S. – Steel and Aluminium Products, the panel did not find that the measures at issue were “taken in time of war or other emergency in international relations” within the meaning of GATT Article XXI(b)(iii). In the panel’s view, the subparagraphs “form alternative endings to a complete sentence under Article XXI(b).”Footnote 83 In other words, the opening terms in each subparagraph qualify the “action” referred to in Article XXI(b), and the three subparagraphs are exhaustive in establishing the circumstances under which a member may take the “action” under Article XXI(b).Footnote 84 After emphasizing that there is no textual indication that the subparagraphs of Article XXI(b) are merely illustrative,Footnote 85 the panel also specifically pointed out – contrary to TBT Article 2.2, which explicitly indicates the illustrative nature of the provisions – that the subparagraphs of GATT Article XXI(b) are exhaustive in establishing the circumstances under which a member may take action to protect its essential security interests.Footnote 86
Thus, trade-restrictive security measures can only be justified under Article XXI(b) if they meet one of the subparagraphs of Article XXI(b), specifically, the existence of an “emergency in international relations” within the meaning of Article XXI(b)(iii). An “emergency in international relations” within the meaning of Article XXI(b)(iii), however, must be “at least comparable in its gravity or severity to a war” in terms of its impact on international relations.Footnote 87 In this regard, where cybersecurity risks are routine and unexceptional in modern days, the gravity or severity of an “emergency in international relations,” particularly with regard to its impact on international relations, may not be established. Moreover, the phrase “taken in time of” indicates a temporal relationship to the “war or other emergency in international relations.”Footnote 88 The temporal link that requires cybersecurity measures to be “taken in time of” the “emergency in international relations” is also logically confusing when addressing a long-standing cybersecurity matter that,Footnote 89 as Heath observes, is of a permanent nature and must be systematically addressed over time.Footnote 90 Evidently, (conventional) security exceptions must be modernized to meet the policy needs of this digital era.
2.3.3 CPTPP-Type Data Localization Exceptions
CPTPP-type exceptions to data localization, which are contextualized in quadrant IV of Figure 2.1, contain a “non-exhaustive” list of policy objectives, under which security measures that are subject to the necessity test may be justified.Footnote 91 To illustrate, Article 14.13 of the CPTPP (Location of Computing Facilities), while recognizing the parties’ regulatory autonomy regarding requirements that seek to ensure the security and confidentiality of communications, prohibits parties from adopting data localization measures as a condition for conducting business. The Article also states the following:
Nothing in this Article shall prevent a Party from adopting or maintaining measures inconsistent with paragraph 2 to achieve a legitimate public policy objective, provided that the measure:
(a) is not applied in a manner which would constitute a means of arbitrary or unjustifiable discrimination or a disguised restriction on trade; and
(b) does not impose restrictions on the use or location of computing facilities greater than are required to achieve the objective.Footnote 92
Article 14.13 should be understood to mean that parties are allowed to maintain data localization measures to pursue their national security objectives as long as the measure satisfies the anti-protectionism requirements set out in the Article, namely, the procedural safeguard and the necessity test. Although locating computing facilities and storing data in multiple data centers within diverse jurisdictions seem to make more technological sense in managing cybersecurity risks, data localization measures that restrict the ability of companies to transfer data or, more narrowly, require local storage within a particular national border, have been a feature of national security policies. For example, China’s Cybersecurity Law, citing national security, requires “critical information infrastructure” operators to store personal information or important data within the territory of China.Footnote 93 The Cybersecurity Law of Vietnam, as another example, requires Vietnamese data to be stored locally so as to protect national sovereignty.Footnote 94 Similar regulatory initiatives, with different degrees of emphasis on cybersecurity, can be found in various developed and developing countries, including Australia, Brazil, Canada, the EU, India, Peru, Malaysia, New Zealand, Russia, South Korea, and Taiwan, to name just a few.Footnote 95
Note that, much like TBT Article 2.2, the CPTPP-type data localization exceptions contain an open-ended list of legitimate objectives and require an initial determination regarding whether, as an objective, the cybersecurity policy is legitimate. Such an approach leaves much ambiguity about how far the exceptions can go in curbing protectionist practices.Footnote 96 A CPTPP panel may consider relevant WTO jurisprudence with respect to the general exceptions of the WTO Agreement.Footnote 97 Additionally, as previously illustrated, precedent holds that the weighing and balancing exercise under the necessity analysis contemplates a determination as to whether a cybersecurity measure that is less inconsistent with the CPTPP rules is reasonably available.Footnote 98 Such alternative measures must provide an equivalent contribution to the achievement of the cybersecurity objectives pursued through the challenged measure. This “trade v. security” balancing exercise is likely to be impractical when confidential national security matters are involved. That being said, a trade tribunal is expected to be cautious when balancing trade and security interests if the localization measures overwhelmingly boost the domestic data industry.Footnote 99
2.3.4 New Generation Trade Agreements’ Security Exceptions
Trends in the new generation of international trade agreements suggest that “updated” security exceptions, either via expansive, open-ended formats or through a sectoral approach, are designed to reset the balance between international trade and national security. As shown in quadrant I in Figure 2.1, innovative clauses have been incorporated to reconcile the conflicts between (digital) trade and (cyber) security. The four types of security exceptions in quadrant I represent a dramatically expansive scope and excessively unfettered discretion in security exceptions under the international trade agreements.
2.3.4.1 CPTPP/USMCA-Type Broad Security Exceptions
Contrary to conventional security exceptions, under the CPTPP and USMCA, for example, security exceptions omit the subparagraphs that list the circumstances under which such exceptions could be triggered. By way of illustration, the security exceptions to the CPTPP state that “Nothing in this Agreement shall be construed to … preclude a Party from applying measures that it considers necessary for the fulfilment of its obligations with respect to the maintenance or restoration of international peace or security, or the protection of its own essential security interests.” This type of exception borrows the self-judging element from the WTO security exceptions but contains no limitative qualifying clauses that condition the application of security exceptions,Footnote 100 representing an open-ended, broad security clause.
2.3.4.2 DEPA-Type Security Exceptions
Similarly, the security exceptions under the DEPA – a digital sector-specific comprehensive framework – accommodate open-ended exceptions, which are not followed by a closed list of situations.Footnote 101 Given the fact that CPTPP is the primary textual source of the DEPA, it is not unusual that the three founding parties of the DEPA – Chile, New Zealand, and Singapore – incorporate the CPTPP-type broad security clauses into the DEPA text. Considering that DEPA is an international trade agreement tailored to the digital economy, and that cybersecurity threats take place across the entire digital ecosystem, such broad and loose security exceptions to the DEPA may mean that there is “no certainty of digital market access.”Footnote 102 In other words, security interests will easily prevail over economic interests.
2.3.4.3 RCEP-Type Data Localization Exceptions
Another digital sector-specific security clause worth particular attention can be found in the security exceptions to data localization in the Regional Comprehensive Economic Partnership (RCEP). Article 12.14 (Location of Computing Facilities) allows the parties to undertake any data localization measures they consider necessary for the protection of essential security interests.Footnote 103 Unlike the CPTPP-type data localization exceptions, which are subject to the standard necessity test, RCEP data localization exceptions, by allowing a party to adopt any measure that “it considers necessary” for the protection of its “essential security interests,” impose a lower and softer threshold. This threshold requires the invoking party to substantiate its good faith belief – albeit subjectively – that there is a threat to its “essential security interest,” and that data localization measures are necessary for the protection of that essential security interest. It should also be noted that in the RCEP data localization exceptions, the self-judging element has been strengthened with a subparagraph stating that such measures shall not be disputed by other parties.Footnote 104
2.3.4.4 RCEP-Type Critical Infrastructure Security Exceptions
As previously explained, critical infrastructure, such as 5G networks, constitutes the backbone of the functioning of a state. Given that the risk of compromised critical infrastructure can cause massive disruptions to the well-being of citizens, the protection of “critical public infrastructure” – whether publicly or privately owned – has been added to several new generation FTAs as one of the enumerated situations under which security exceptions can be invoked.Footnote 105 The textual structure of RCEP Article 17.13, which lists “national/international relations emergency” (Article 17.13(b)(iv)) and “critical infrastructures protection” (Article 17.13(b)(iii)) as parallel circumstances under which the security exceptions could be triggered, indicates that the negotiators of the RCEP intended to distinguish between “national/international emergency” and “critical infrastructures protection.” Simply put, the structural separation signals that, when interpreting RCEP Article 17.13 (b) (iii) in context, the “emergency” element, which strictly limits the application of the GATT-type security exceptions, does not extend to critical infrastructure security exceptions. The textual structure thus effectively creates a broad and relatively easily satisfied enumerated exception to trade rules – the protection of critical infrastructure.
2.4 National Security and Trade Governance in a Datafied World
2.4.1 Scoping “Essential Security Interests”: “Critical Infrastructure” as Touchstone
Taken together, the pre-digital era general and security exceptions are ill-tailored to address today’s national security concerns. On the contrary, the new trends, which create open-ended or digital sector-specific security exceptions, are encouraging directions to ensure that the exceptions to international trade rules are aligned with the policy needs of the digital economy. However, the approaches taken in quadrant I may risk the potential for abuse and excessively broad overuse. In particular, the CPTPP/USMCA-Type Broad Security Exceptions – should they become a template for future international trade negotiations – may prove to be a fractious way forward in assessing the concepts of cybersecurity and national security. How can the good faith that requires minimum plausibility curb the potentially expansive interpretations of these types of security exceptions? In this age of digital capitalism, commercial and cybersecurity interests are entangled and often overlap. Most national regulations sit at the intersection of economic and security interests and can serve as both economic and national defense tools. Therefore, two fundamentally difficult issues, legally and technologically speaking, are to what extent cybersecurity concerns are legitimate, and how to distinguish the boundaries of these concerns from illegitimate protectionist measures that primarily stem from considerations surrounding economic competition. Moreover, in terms of sector-specific security exceptions, the questions of what constitutes “critical infrastructure” and how to designate it require due process mechanisms to constrain discretionary abuse.Footnote 106 Should social media platforms be considered “critical infrastructure”? How can we ensure non-discrimination in the process of identification and designation of critical infrastructure? These are the key issues the new generation trade agreements’ security exceptions will confront.
It appears that the irreversible regulatory trends are designed to provide greater discretion for states in defining their own national security agenda. The excessively broad definition of “national security,” as a result, is challenging the boundary between economic and security concerns. In its 2017 National Security Plan, the US explicitly declared that “economic security is national security.”Footnote 107 As Claussen stated, the term “economic security” is now the central point, combining various concepts including economic dominance, independence, and hegemony.Footnote 108 Converged with the domain of economic security, the term “national security” is now being used in more and more expansive ways, literally including nearly everything – ranging from national broadband, industrial supply chain, and digital trade to steel tariffs, semiconductor export control, etc. This expansion will continue and will lead to an endless list in this digitally connected world. In the context of international economic law, the flexibilities provided under the new generation trade agreements’ security exceptions could prove to be an inefficient approach in addressing legitimate security concerns. The overexpansion of the conceptual scope of national security may either mask legitimate objectives or fail to appropriately constrain illegitimate objectives.
What are the possible solutions to the dilemmas surrounding the overly limited quadrants II and III and the overly broad quadrant I approaches to national security? To be sure, there is no such thing as “zero risk” in cybersecurity.Footnote 109 In this hyper-connected datafied age,Footnote 110 the ever-increasing digital connectivity between computers and devices may mean that vulnerabilities can be introduced at any phase, and in any place.Footnote 111 Technical experts agree that a perfectly secure digital environment, free of vulnerabilities, is a dream, and “the notion of perfectly secure software almost certainly is a white whale.”Footnote 112 The core issue turns out to be determining how much “risk” in cyberspace would amount to a danger to a state’s “essential security interests.”Footnote 113 Along a continuum of low to high national security risks, it is all about the relativities. In the context of “trade v. security,” however, a borderline must be drawn somewhere, and trade-offs must be made.
That being the case, one possible future direction for trade and cybersecurity governance is to scrutinize the distinction between critical and noncritical infrastructure. Bearing in mind that more and more jurisdictions are now classifying critical infrastructure as a special category that is essential to national security in their domestic legal frameworks,Footnote 114 the creation of a commonly accepted definition of “critical infrastructure” would serve as a touchstone in determining the boundaries of “essential security interests.” In other words, the protection of critical infrastructure presents a much stronger case than noncritical infrastructure in meeting the minimum requirement of plausibility in relation to a state’s “essential security interests.” In this regard, Shaffer observes that “the national security risks in the TikTok case are much lower than regarding Huawei’s construction of critical infrastructure.”Footnote 115 All in all, not every infrastructure is judged to be critical,Footnote 116 not every good or service from China is of national security concern,Footnote 117 and not all issues relating to innovative technology are equated with essential national security.Footnote 118 To conclude, “minimum plausibility” within the meaning of international economic law should be relatively easier to establish when it comes to critical infrastructure protection, because such risks, when severe, can disrupt the operations of a state’s vital services, resulting in significant loss of life and detrimental economic and social impacts. In this way, the concept of critical infrastructure may serve as a useful tool in filtering out the overgeneralization of national security claims. Ultimately, a more proper balance may be sustained between free trade and national security, and, in particular, cybersecurity.
2.4.2 Risk Assessment and Technical Standards
Another important direction for trade and cybersecurity governance is to prevent unfettered administrative discretion in security matters. This is particularly important in view of the fact that governments are moving toward risk-based approaches to protect national security and cybersecurity.Footnote 119 Instead of adopting prescriptive, one-size-fits-all rules, states assess cyber risks and exercise discretion to reduce them in a timely and proactive manner. It can be said that the most significant difference between ancient and modern security infrastructure is the rapid pace of change in security threats. The Great Wall of China was built across the northern border to protect imperial China against security threats. It took hundreds of years for ancient China’s security situation to change. On the other hand, the modern security landscape has been measured in mere months, or even days. Literally, the perception of risks is in real time. In light of the dynamic nature of national security in modern days, it makes more sense for national regulators to take a risk-based approach rather than laying down prescriptive rules.
In this regard, several FTAs such as the Digital Trade Chapter of the USMCA include recognition of “the evolving nature of cybersecurity threats”Footnote 120 and the importance of taking risk-based approaches instead of adopting prescriptive regulations in addressing those threats.Footnote 121 On the one hand, a risk-based approach provides national regulators with some extent of flexibility to encourage innovation that may otherwise be constrained under a catch-all approach. Rather than a uniform set of blanket prohibitions that apply to all in the same manner, the risk-based approach recognizes variances across or within critical sectors, allows for individual assessments, more efficiently targets implementation efforts in those sectors that pose the highest risk, and, at the same time, minimizes the regulatory impact on the critical industry and avoids unintended side effects of regulation.Footnote 122 In short, because digital technologies are rapidly evolving, any overly specific or rigidly prescriptive rules governing cybersecurity will either become quickly outdated or hinder innovation in the digital market.
On the other hand, the risk-based approach to cybersecurity comes with the danger of abuse of decision-making powers. Instead of applying the same rules in an equal way, irrespective of the level of risk or harm, the risk-based approach provides tailored protection, depending upon the level of risk at stake under each specific situation. Rather than imposing any kind of inflexible rules, national regulators exercise a degree of discretion when weighing cybersecurity risks, cyberattack harms, and regulatory benefits.Footnote 123 Because the approach relies on policy judgements rather than detailed prescriptions, the cybersecurity regulatory scheme leaves national regulators with broad discretion when conducting risk assessments. After all, at the core of the risk-based approach is a regulatory strategy through which regulators target resources toward sectors or activities that present the highest risk and, at the same time, reduce resources in those sectors or activities with relatively low risk. These decision-making processes designed to achieve the “right” balance between lower and higher risks “are all matters of judgement that regulators have to confront along the way,” according to Black and Baldwin.Footnote 124 In many jurisdictions, cybersecurity measures will only be proposed where a need has been identified, namely, the regulatory targets. The danger of a risk-based approach, therefore, is discretionary abuse.
In this regard, there are rules that provide due process and other procedural safeguards at both the national and international levels to constrain discretionary power when assessing cybersecurity risks. In particular, international economic law is increasingly designed to constrain domestic regulation where the application of these regulations has external effects on other states. At the multilateral level, the obligations of GATT X:3(a) and GATS Article VI:1,Footnote 125 which allow challenges to the administration of domestic regulations that are otherwise consistent with the GATT or GATS, were designed to be an important tool in tackling situations in which a general scheme does not make any distinction between foreign and domestic service suppliers, but the administration of this scheme is not “reasonable, objective, or impartial.”Footnote 126 Admittedly, GATT X:3(a) and GATS Article VI:1 may not be sufficiently forceful in a manner that safeguards due process and counters the potential abuse of administrative power in the process of risk assessment.Footnote 127 That said, as Chapters 3 and 5 will continue to address, the “good regulatory practices” agenda in the new generation FTAs, which seeks to enhance due process, transparency, legal clarity, and judicial review of administrative decisions, may shed light on how international trade agreements might prove helpful in preventing irrational, biased, or arbitrary cybersecurity risk assessments. Moreover, the adoption of international cybersecurity standards can mitigate concerns surrounding discretionary abuses in risk assessment. In this regard, the TBT Agreement can assume a substantial role in promoting international standards on cybersecurity, which can in turn facilitate the global development of common security approaches. At the end of the day, a nonregulatory approach and international soft law play important roles in governing cybersecurity and reshaping international economic order in the age of datafication. Chapter 6 will dive deeper into this aspect.
2.5 Conclusion
This chapter addresses the data network in the context of the cybersecurity threat landscape, which is increasingly perceived as a national security issue, especially when critical infrastructure is directly involved. Before we shift the focus to digital applications that drive datafication, it is worth reiterating that data networks have become strategic political and economic assets of a state. As the backbone infrastructure, 5G networks literally resemble interactive central nervous systems in the data-driven economy. The weaponization of 5G networks has brought about further challenges to international economic legal order. In Chapters 1 and 2, we explored two important dimensions of the broadband infrastructure – “trade and development” and “trade and security” – both of which are the foundations for a platform-driven, data-fueled world. The chapters in Part II will zoom in on digital applications, analyze the phenomenon of platformization, and explore considerations pertaining to the regulation of digital platforms.