As digital trade barriers rise throughout the world, so do swings at knocking them down. In the past two months, the US Trade Representative released two reports on China and Russia’s World Trade Organization compliance. Just last week, the European Union opened its landmark General Data Protection Regulation to public comments, many of which will surely attack perceived trade barriers.

“Barriers to digital trade,” reads a recent USTR fact sheet, “threaten the ability of all firms—including small businesses—to benefit from the advantages of the digital economy.” Everything from source code inspections to data localization can fall into this bucket.



Justin Sherman (@jshermcyber) is an op-ed contributor at WIRED and a fellow at the Atlantic Council’s Cyber Statecraft Initiative.

But as Washington maintains its distaste for digital trade barriers abroad, it must also recognize other states’ unrelenting conviction in “cyber sovereignty”—and grapple with certain data-protection measures increasingly cropping up in democracies.

The USTR report on Russia locks onto the Trump administration’s issues with current Moscow trade practices, many of them digital. “Russia maintains a cumbersome and opaque import licensing regime on products with cryptographic capabilities,” one complaint reads. “It has begun to introduce a ‘track and trace’ regime that will require an encrypted label on every product.”

Other issues raised range from inadequacy of Russian patent protections to the mandated installation of Russian software on certain smartphones, computers, and other consumer electronics (a law adopted last winter). The US is right to call these out; Vladimir Putin and his Kremlin circles are putting more work into stifling the influence of foreign technology within Russian borders. Paranoia drives much of this thinking.

Yet that’s precisely why US diplomats and trade officials should expect continued roadblocks—for Moscow’s conviction in expanding “cyber sovereignty” and raising digital barriers is unlikely to let up anytime soon. Russian courts continue to fine American social media companies for not storing their data locally, for example, and the fines keep increasing even though many firms have kept complaining and continued to ignore the rules. Engagement on modifying digital trade barriers, therefore, will be beyond challenging, if not impossible.

The 192-page report on China, over three times longer than the jeremiad on Russia, notes that the People’s Republic “has continued to embrace a state-led, mercantilist approach to the economy and trade, despite WTO members’ expectations.” The report’s litany of trade impediments includes state industrial policy, source code inspections, and inadequate intellectual property protections. The report’s stance certainly reflects Beijing’s increasing digital protectionism—but also the Trump administration’s increasingly hard (and frequently zero-sum) line on China.

Many of the digital complaints center on the WTO’s General Agreement on Trade in Services, or GATS. For years now, countries have argued over whether policies like data localization requirements, privacy rules, and source code inspections (as Beijing implements) violate GATS, which requires WTO members to, well, limit limitations that affect trade and investment in services. The US is not alone here; Japan, for example, has criticized China’s limits on data flows under GATS obligations.

The US Trade Representative’s document on China takes a similar stance. Going forward, though, rapidly deteriorating US-China relations (especially disastrous amidst the Covid-19 pandemic) will prove a barricade to the Trump administration’s push for its digital trade agenda. Beijing’s conviction in “cyber sovereignty” will similarly be part of that challenge, as the government continues to spread and deepen state control of cyberspace within the country.

While not designated its own report, a third country has been a frequent pit-stop in America’s anti-digital trade barrier tour: India. Lately, the US has zeroed in on the subcontinent’s questionable data localization policies.

Data localization requirements already on the books—like mandated local storage of Indian citizen payment data—had previously received blowback from industries uninterested in the compliance costs. Mastercard, American Express, Visa, and other companies, for instance, campaigned against the Reserve Bank of India’s requirement. It was, though, to no avail.