Reversal of US Trade Policy Threatens the Free and Open Internet

Jennifer Brody is Deputy Director of Policy and Advocacy for Technology and Democracy at Freedom House. Allie Funk is Research Director for Technology and Democracy.

A surprising reversal of long-standing US policy is slipping under the radar. The US government has long advocated for cross-border data flows, which are foundational for the global internet to function and help facilitate the protection of human rights. However, in late October, the US Trade Representative (USTR), Katherine Tai, dropped support for these provisions, taking by surprise many people in government, civil society, and the private sector.

The abrupt policy pivot took place at the World Trade Organization (WTO) amid negotiations for the Joint Statement Initiative on E-Commerce. The need to create policy space for Congress and other bodies to regulate major tech firms is one explanation justifying the decision. But limiting cross-border data flows will likely do little to achieve this aim. It instead risks further fragmenting the global internet, emboldening authoritarian governments and their aspiring counterparts, and violating rights around the world. Particularly for people living in countries that already have data localization requirements, the impact on human rights is grave.

The US should instead wield its influence at the WTO to preserve cross-border data flows and demonstrate the myriad of alternative ways to regulate the private sector while protecting the free and open internet.

Ceding to the authoritarian model of cyber sovereignty

This sudden reversal of US policy can be seen, as Senator Ron Wyden (D-OR) aptly noted, a “win for China’s Great Firewall.” At multilateral forums, the Chinese government has been working alongside like-minded governments to divide the global internet into state-run enclaves that can be more easily monitored, censored, and controlled. The former secretary general of the International Telecommunications Union (ITU), China’s Houlin Zhao, encouraged shifting control over the setting of technical standards toward the ITU, where states hold the power, and away from civil society and other non-governmental experts. Similarly, the United Nations is currently negotiating a cybercrime treaty, originally proposed by Russian officials and co-sponsored by other authoritarian states including China, that could serve as a new vector for governments to criminalize online speech and access people’s personal data if strong human rights safeguards are not incorporated.

Unsurprisingly, Chinese officials view the WTO as yet another forum to assert their approach. In negotiations over electronic commerce rules, the Chinese delegation has advocated for the need to consider “internet sovereignty” as a legitimate public policy objective.

The US has long taken an alternative approach to internet governance. Under President Joe Biden’s leadership, the US and more than 60 countries signed the Declaration for the Future of the Internet, the cornerstone of US cyber and digital policy and a clear commitment to defend an interoperable, free, and global internet. The US also assumed the chair of the Freedom Online Coalition, a multilateral body of 38 governments, and a US official was elected over a Russian diplomat to lead the ITU. The administration’s clear commitment to a global, open, and interoperable internet through these and other relevant initiatives makes the USTR’s decision all the more puzzling.

The USTR argues that its position at the WTO aligns with its approach at the Indo-Pacific Economic Framework, another trade deal the administration is negotiating that has also since been halted for similar reasons. But disagreement within the government about the decision at the WTO is mounting. For instance, the National Security Council is reportedly frustrated and has pointed to the need for a “robust” inter-agency process to determine how best to move forward.

The human rights implications of a more fragmented internet

Restrictions on cross-border data flows can undermine how the global internet operates. The transfer of data across jurisdictions improves internet speeds, enables companies to provide critical services worldwide, and allows data to be stored in the most secure data centers. There are also real human rights risks. On a fragmented internet, people have limited access to information from foreign sources, may struggle to connect with loved ones abroad, and may face barriers to organizing online with communities around the world.

Data localization laws are far from novel—and have long existed in countries such as China, Vietnam, and Russia—but the trend is clearly accelerating. From June 2021 to May 2022, Freedom House identified at least 23 countries that proposed or passed new requirements for local data storage. And over the past year, this number has only grown. By weakening support for cross-border data flows, the USTR may incentivize more governments to adopt these requirements.

Governments often point to concerns over privacy, cybersecurity, monopolistic practices, and online harms to justify the need for data localization. However, these requirements do little in addressing such genuine challenges. Instead, they enhance a government’s ability to conduct digital repression by placing massive datasets of people’s most intimate information more easily within reach. Particularly in countries with poor rule of law contexts, unconstrained and centralized access to people’s data can lead to serious harms to privacy, free expression, freedom of belief, due process, and even physical security.

Growing requirements for data localization are happening alongside a record-breaking crackdown on free expression. And people’s personal data – which can reveal who they voted for, who they worship, and who they love – help facilitate this. Rwanda’s data protection law, for instance, mandates that companies store data locally unless the country’s non-independent cybersecurity regulator approves otherwise. This requirement leaves personal data easily accessible in an environment in which authorities have embedded agents in telecommunications companies and used data from private messages to prosecute dissidents. Rwanda is not an outlier. 78 percent of the world’s internet users live in countries where simply expressing political, social, and religious viewpoints leads to legal repercussions.

In Uzbekistan, authorities temporarily blocked Skype, TikTok, Twitter, VKontakte, WeChat, and other popular platforms due to their noncompliance with a data localization law, severely limiting people’s ability to communicate and access information. While there are a range of reasons companies have resisted data localization requirements, some are at least in part doing so over concerns they will be complicit in government repression. When data is not stored locally, the respective government often must go through a legitimate–albeit far from perfect–legal process for accessing the information from US companies. But when data is stored on local servers, the ability for companies to resist problematic state demands is hampered. This challenge is further compounded by the emergence of so-called hostage-taking laws, in which international companies are required to have a local presence in a particular country, curbing their willingness to push back against user data requests over concerns for employee safety.

Regulating Big Tech while protecting a global internet

Regulatory action against the private sector does not require limiting cross-border data flows. Instead, the US can demonstrate how to address poor data security and privacy, a lack of competitiveness in the tech sector, and ineffective oversight mechanisms while still safeguarding the global internet and advocating against data localization elsewhere.

For example, as called for in the Biden Administration’s new AI executive order, Congress should pass a federal privacy law that sets strong rules for what data companies can collect, how they can store it, and with whom it can be shared. New laws should also require transparency of companies’ AI and data collection systems, human rights due diligence reporting, and sharing platform data with vetted researchers. These safeguards could help people not only in the US but in countries around the world.

Regulatory bodies can also leverage their existing authority to act. The Federal Trade Commission (FTC) and Consumer Financial Protection Bureau are tackling challenges related to commercial surveillance, data security, and the data broker industry. Antitrust lawsuits from the FTC, state attorneys general, and Department of Justice could lay the groundwork for a more diverse and competitive tech sector, leading to better outcomes for people suffering the consequences of corporate malfeasance.

Protecting human rights online, strengthening platform responsibility, and safeguarding a global and interoperable internet are all mutually reinforcing. The US should be transparent about why this decision was made and develop a whole-of-government approach on the topic moving forward. Ultimately, USTR should return to the WTO negotiating table with a renewed commitment in support of cross-border data flows and galvanize allies to reach consensus on this issue. The internet’s future – and the rights of the people who use it – depend on it.