Data Flows & National Security: A Conceptual Framework to Assess Restrictions on Data Flows Under GATS Security Exception

Under the General Agreement on Trade in Services (GATS), the members of the World Trade Organisation (WTO) have made commitments to liberalise trade in services. They have also agreed on several exceptions based on which they can deviate from these commitments. The most extensive of these exceptions is enshrined in Article XIV-bis and it allows WTO members to deviate from their trade commitments for national security reasons. While this exception has been used only rarely, questions on the ability of countries to invoke it (and its possible abuse to impose unnecessary restrictions to trade) are recently reviving as a new wave of restrictive measures on digital trade is imposed. Restrictions on data flows across borders are among the most controversial measures been imposed in recent years, which countries have justified in several occasions under national security concerns. This paper takes a potential WTO dispute against measures restricting data flows as an occasion to provide a basic conceptual framework to assess these restrictions under the existing WTO language. In doing so, the paper intends to fill a gap in the literature as there is not yet a comprehensive assessment of restrictions on data flows and national security. This paper intends to demystify the issue by providing a legal and technical analysis on how restrictions on data flows influence the capacity of a country to protect its national security. This paper looks first at the current thinking around restrictions on data flows as a trade restriction (Section I). This section looks both at the interpretation of current GATS language to assess restrictions on data flows as well as at the new language available in certain trade agreements that explicitly address the issue of data flows. Assuming that these measures can be considered a trade restriction, then it remains to be seen how they would be assessed in a potential WTO dispute if the defendant invokes the national security exception. In order to answer this question, the paper looks first at the debate on interpretation of GATS security exception (Section II), before presenting in detail legal and technical considerations on how restrictions on data flows can be assessed in a national security context (Section III). In particular, Section III looks at three cases: cyber espionage, attack on critical infrastructure and access to data to prevent terrorist attacks. These are considered the most relevant cases when it comes to data flows and national security, although the arguments presented can be applied to other scenarios. The final section concludes with suggestions and some food for thought for future discussions (Section IV).