Cybersecurity Policies and Security Exceptions under Trade Rules
By Joohui PARK
National Security Research Institute
November 23, 2023

► Cybersecurity measures can create barriers to international trade, some of which result in a violation of obligations under trade agreements, and some policymakers seek to justify these measures on the basis of security exceptions. Yet security exception clauses drafted in the pre-digital era (or in the inception of the digital era) do not fit into cybersecurity.

► States can exceptionally take actions for cybersecurity in prima facie violation of rules 1) if the measures are to comply with its obligation under the UN Charter for the maintenance of international peace and security, 2) if the country considers the disclosure of such information is contrary to its essential security interests, and 3) if the country considers that the measures are necessary for the protection of its essential security interests.

► Cybersecurity itself is not a problem for international trade. Rather, unnecessary or disguised cybersecurity measures are the problem. That is the area where trade rules should play a role.

 

 

Introduction

Sovereign countries hold the right to pursue their national policy objectives consistent with international law. One of these objectives is cybersecurity. The uses of information and communications technologies for malicious purposes have been constantly evolving and have become a major concern for policymakers. In particular, one of the challenges they face is striking a balance between compliance with trade rules and the achievement of national cybersecurity. Cybersecurity measures can create barriers to international trade, some of which result in a violation of obligations under trade agreements. Being aware of potential non-compliance risks, some policymakers seek to justify these measures on the basis of security exceptions. Unfortunately, security exception clauses drafted in the pre-digital era (or at the inception of the digital era) do not fit cybersecurity. This paper briefly describes the reasons and suggests the way forward for global trade rules.

 

Cybersecurity Policies as Trade Barriers

A nation should protect itself and its people from threats posed by malicious use of cyberspace. Policymakers therefore introduce various types of measures to prevent their national security, public order, or public morals from being disrupted by cyber threats. However, some of these measures can set barriers to international trade and can sometimes constitute a violation of international trade rules. Therefore, when a WTO (World Trade Organization) member introduces cybersecurity laws and policies,[1] it is desirable for the member to assess whether the measures in question are incompatible with the WTO rules, inter alia, the GATT (General Agreement on Tariffs and Trade), GATS (General Agreement on Trade in Services), or TBT (Agreement on Technical Barriers to Trade), and other rules under applicable FTAs. In particular, examining the relationship between cybersecurity measures and applicable rules on digital trade has become increasingly imperative.

 

Digital trade rules cover trade by electronic means, i.e. trade in data. As of 23 October 2023, 90 WTO members are taking part in the negotiation to conclude a plurilateral agreement on digital trade, the so-called “WTO e-commerce negotiation.” Also, existing bilateral or regional FTAs contain a chapter on digital trade, such as the CPTPP (Comprehensive and Progressive Agreement for Trans-Pacific Partnership), USMCA (US-Mexico-Canada Agreement), and RCEP (Regional Comprehensive Economic Partnership). Furthermore, agreements specialized only in digital trade have been concluded, such as the US-Japan Digital Trade Agreement, ROK-Singapore Digital Partnership Agreement, and DEPA (Digital Economy Partnership Agreement). Such bilateral or regional rules on digital trade normally include provisions on: the prohibition of restrictions on cross-border data flow; the prohibition of data localization; non-discriminatory treatment of digital products;[2] and cryptography.[3]

 

Domestic regulations that countries shape in pursuit of cybersecurity can influence the cross-border flow of data. At the same time, such regulations can discriminate between local digital products and foreign digital products, or among foreign digital products. For instance, requiring local data storage or the use of indigenous encryption algorithms as security conditions for providing cloud computing services in a country can create barriers to foreign service providers. Opaque and arbitrary review processes to assess the security of digital products to be used by critical infrastructure operators can also act as a trade barrier. Being aware that their cybersecurity policies can be potentially incompatible with the obligations under applicable trade agreements, policymakers frequently rely on security exceptions.

 

Security Exceptions Not Fitting into Cybersecurity Measures

WTO members reserve the legal right to restrict trade to protect their “essential security interests.” The key aspects of security exceptions are contained in article XXI of the GATT and article XIV bis of the GATS, among other agreements. Such provisions are frequently applied, mutatis mutandis, in the matters covered by numerous bilateral or regional FTAs. Circumstances where security exceptions can be invoked under those provisions are largely similar. Unfortunately, security exceptions are not suitable to rely upon for justification of cybersecurity measures since the circumstances where a country can invoke security exceptions are too limited or too broad.[4] States can exceptionally take actions for cybersecurity in prima facie violation of rules under applicable trade agreements in the following circumstances.

 

First, a country can take cybersecurity measures if the measures are to comply with its obligation under the UN Charter for the maintenance of international peace and security.[5] The classic example of this case is when a country imposes sanctions in accordance with the UN Security Council’s resolutions. However, it is highly unlikely that the UN Security Council would adopt a resolution to enforce a specific cybersecurity measure. Even if it did, this circumstance is not sufficient to justify a wide range of cybersecurity policies of a country.

 

Second, a country is allowed to refuse to furnish information when the country considers the disclosure of such information is contrary to its essential security interests.[6] The term “information” can be interpreted too broadly and arbitrarily, thereby leading to abusive invocation of security exceptions. This circumstance originated in 1947, when the GATT 1947 was concluded.[7] Accordingly, the current technological developments of the digital era, in which digital information functions as a key, were not fully reflected in this provision.

 

Third, a country can take cybersecurity measures in contravention of its obligations under applicable trade rules if the country considers that the measures are necessary for the protection of its essential security interests. Yet the third circumstance is limited to three specific situations: relating to provisioning a military establishment; relating to fissionable and fusionable materials; or taken in times of war or other emergency in international relations.[8] Cybersecurity threats are not posed only in times of armed conflict or other emergency in international relations. Rather, low-intensity cyber operations below the level of use of force are real threats to countries. Moreover, to be resilient against such threats, States have been designing policies to ensure cybersecurity in daily life, such as policies for the cybersecurity of supply chains of digital products.

 

In sum, security exceptions do not fit cybersecurity measures. The crux of the security exceptions in trade agreements in force was formed during the GATT 1947 negotiations. The clauses drafted in the pre-digital era or at the inception of the digital era barely reflected security threats to a nation caused by malicious use of cyberspace. Therefore, it is more prudent for policymakers seeking to introduce domestic regulations for cybersecurity to rely on general exceptions or other individual exception clauses, such as the exceptions for legitimate public policy objectives allowed in some of the digital trade agreements.[9]

 
Concluding Remarks: Cybersecurity as a Trade Facilitator?
One crucial point is that cybersecurity is somewhat different from security against conventional threats. Cybersecurity itself can contribute to trade. The movement of data across borders underpins not only digital trade but also trade in physical products. Traditional manufacturing industries have been increasingly relying on data processing for sales, marketing, and customer management.[10] Accordingly, cybersecurity is crucial to the privacy of customers, the protection of trade secrets, and the stable provision of goods and services, eventually contributing to confidence in trade. Fortunately, some countries are aware of this characteristic of cybersecurity. They have acknowledged that “cybersecurity threats can undermine confidence in digital trade” or “cybersecurity underpins the digital economy.”[11] In short, cybersecurity itself is not a problem for international trade. Rather, unnecessary or disguised cybersecurity measures are the problem. That is the area where trade rules should play a role.
 

* The views expressed in this paper are only those of the author and do not reflect the views of the author’s affiliation, NSR.

[1] The WTO serves as the common institutional framework for the trade relations among members (Marrakesh Agreement establishing the WTO, Article II). Currently, the WTO has 164 members. WTO membership is open not only to States but also to separate customs territories possessing full autonomy in the conduct of their external commercial relations (Marrakesh Agreement establishing the WTO, Article XII).

[2] RCEP does not set forth a provision on non-discriminatory treatment of digital products.

[3] RCEP does not contain a provision on cryptography.

[4] For similar arguments, see Shin-yi Peng, “Digital Economy and National Security: Contextualizing Cybersecurity-related Exceptions,” American Journal of International Law, vol 117, 122-127, 2023; Neha Mishra, “The Trade: (Cyber) Security Dilemma and Its Impact on Global Cybersecurity Governance,” Journal of World Trade, Vol. 54, Issue 4, 567-590, 2020; Joohui Park, “Governing Cybersecurity Measures in the Digital Trade Agreements,” Korean Journal of International Economic Law, Vol.19, Issue 2, 75-114, 2019.

[5] GATS, Article XIV bis (1)(c).

[6] GATS, Article XIV bis (1)(a).

[7] In 1994, the WTO Marrakesh Agreement was signed, which establishes the WTO, incorporates the GATT 1947, and covers not only trade in goods but also trade in services and trade-related aspects of intellectual property.

[8] GATS, Article XIV bis (1)(b).

[9] Exceptions of legitimate public policy objectives (LPPO) are found in the chapters on digital trade. Specifically, LPPO exceptions are articulated in the provisions on prohibition of restriction on cross-border data flow and prohibition of data localization. CPTPP, Article 14.11 and Article 14.13; RCEP, Article 12.14 and Article 12.15; DEPA Article 4.3 and Article 4.4; USMCA, Article 19.11.

[10] Javier Lopez Gonzales and Janos Ferencz, “Digital Trade and Market Openness,” OECD Trade Policy Papers No.217, 2018, p. 11.

[11] See ROK-Singapore Digital Partnership Agreement, Article 14.22; USMCA, Article 19.15; US-Japan Digital Trade Agreement, Article 19; DEPA, Article 5.1.

Dr. Joohui Park is a researcher working at the National Security Research Institute. She has been actively working on developing cybersecurity policies and strategies for the Republic of Korea, especially from her area of expertise, international law. Before this, she was a post-doctoral fellow at the Electronics and Telecommunications Research Institute. She received a Ph.D. in international law at Korea University. One of her papers is "Developing a Collective Retorsion Framework Against Malicious Cyber Operations: Opportunities and Steps for EU-South Korea Cybersecurity Cooperation" (in Boulet, G., Reiterer, M., Pardo, R.P. (eds) Cybersecurity Policy in the EU and South Korea from Consultation to Action. New Security Challenges, Palgrave Macmillan).
