VoxEU Column

Cross-border data transfers under new regulations: Findings from a survey of Japanese firms

TOMIURA Eiichi
Faculty Fellow, RIETI

ITO Banri
Research Associate, RIETI

Byeongwoo KANG
Associate Professor, Institute of Innovation Research, Hitotsubashi University

For Byeongwoo KANG's full bio, see https://voxeu.org/users/byeongwookang

Cross-border data flows are becoming increasingly important in the modern economy. In response, many countries have introduced regulations to control data transfers. This column discusses the firm-level response to such regulations using a recent survey of Japanese firms. Firms react by changing the location of data storage and processing, as well as by tightening data protection. However, these responses vary significantly depending on where the regulations originate.

The rapid development of artificial intelligence (AI), combined with the accumulation of Big Data, is accelerating the expansion of business activities in many countries around the globe. We have long monitored trade data to understand international trade in goods and services, but we are now required to expand our scope to trade in data to capture cross-border economic activities in the digital age. As new data-driven businesses often require consumers to hand over their personal data to oligopolistic global firms, some governments have begun to regulate data transfers to protect privacy. The EU's General Data Protection Regulation (GDPR) is one example of such regulation.

Beyond the EU, a number of other countries intervene in cross-border data flows for national security or other unspecified purposes. As firms increasingly depend on data flows, we need to evaluate the impact of such regulations on cross-border data flows (Note 1). The OECD has examined this issue, for example, by collecting information on related regulations across several countries and conducting a survey (OECD 2018). The investigations of firms' activities in cross-border data transmissions have mainly been constrained by the paucity of economic data on data flows. To fill in part of this gap, we conducted a survey of Japanese firms (Tomiura et al. 2019). In this column, we briefly report some findings from the survey and discuss policy implications and other remaining issues.

Despite its importance in economic analyses, it is practically impossible for an academic researcher to collect direct data on cross-border data transmissions by individual firms, especially in terms of economic values (Note 2). E-commerce transaction volume may be a useful measure, but firms transmit data across national borders for many other purposes including contracting with outsourcing suppliers or sharing personnel data with offshore affiliates established through foreign direct investment (FDI). We distributed a questionnaire in 2019 on data transfers and data-related activities to essentially all Japanese medium-sized or large firms in manufacturing, wholesale and information-related service industries, and collected responses from more than twenty percent of them, with the total exceeding 4,000 firms (Note 3).

We first asked firms about the impacts of regulations on cross-border data transfers. Under GDPR, Japan has been declared ‘adequate’ by the EU, indicating that personal data transmitted to Japan receives treatment comparable to that within the EU. In our sample, less than 5% of the surveyed firms report impacts of GDPR.

Some countries outside of Europe impose tight regulations on data flows, especially those across national borders, not necessarily limited to personal data. Cyber security regulations in China and Russia are prime examples, but other countries such as Vietnam and India have followed suit. These countries require firms to locate certain categories of data (categories wider than personal data) within the host countries. Goldfarb and Trefler (2019) argue that "data localisation is a privacy policy that could favour domestic firms" (p. 486). Data localisation measures could be labelled as a new form of protectionism in the era of AI and Big Data, or digital protectionism.

The share of firms affected by the regulations imposed by China and other emerging countries is nearly twice as high as that affected by GDPR, exceeding 8% in our sample. This finding might be an indirect indication that these firms transfer vast amounts of (sensitive) data across national borders. Furthermore, especially among the firms actively collecting data overseas through the Internet of Things (IoT), as shown in Figure 1, the number of affected firms exceeds the number of firms reporting no impact. Although the share of firms recognising these impacts is not found to be overwhelming among our sample (which omits small-sized firms that tend to operate domestically), many firms that are active in digital data activities, through means such as IoT, are affected by the regulations.

Figure 1. Impact of Regulations Imposed by Emerging Countries
Note: Figures shown are the shares among firms collecting data overseas through IoT. See Tomiura et al. (2019).

Our survey also asked firms about their responses to such regulations. The first point to note in the results relates to locations and boundaries. Around 30% of the firms that reported impacts of the regulations have changed the location of data storage and/or data processing in response to regulations by EU and emerging countries, indicating a non-negligible impact on the geography of data-related activities. On the other hand, as shown in Figure 2, more than half of the firms engaged in cross-border data transfers are also transmitting data to/from their own offshore affiliates within a multinational enterprise group (Note 4). In other words, some of these data flows are international but intra-firm.

Figure 2. With Whom Do You Transfer Data Across Borders?
Note: Figures shown are the percentages among firms transferring data across borders. See Tomiura et al. (2019).

Second, we find that the firms' responses to regulations vary substantially. More than 40% of the respondents have tightened data protection to meet the EU's requirement in response to GDPR. In contrast, more than half of the surveyed firms have not taken any measures against the cyber security regulations of China and other emerging countries, despite their recognition of the impacts of these regulations. Their inaction could possibly be due to the uncertainty associated with new regulations based on the lack of transparency in the rules created by these emerging countries. Our survey also finds that only a limited fraction of firms changed the persons responsible for cross-border data transfers within their corporate hierarchy (from lower-level staff to managers, or from managers to executives including the Chief Information Officer). Additionally, we find that less than 8% of the surveyed firms have increased spending on data security in response to the new regulations. All these findings could be consistent with the interpretation that these firms had sufficiently prepared for the regulations in advance, but they might indicate that firms have not yet adapted to regulations despite their potential impacts.

While we have not yet tested it econometrically, firms actively transmitting data across borders are likely to be globalised. Accumulated studies of theories of heterogeneous firm trade since the turn of the century in international economics have established that globalised firms tend to be large, productive, capital-intensive, innovative, and to possess many other characteristics distinct from domestic firms (Note 5). If this is the case, we should not underestimate the impact of new regulations on data flows as it would spill over to a wide range of firms and consumers through their transactions with global firms. We are currently working on a project linking these survey results with firm-level longitudinal data derived from official mandatory statistics. Such data linkage will help us not only evaluate the impact of regulations but also explore how cross-border data flows shape our economies.

Editors' note: The main research on which this column is based first appeared as a RIETI Discussion Paper.

This article first appeared on www.VoxEU.org on March 14, 2020. Reproduced with permission.

Footnote(s)
  1. Researchers have previously analysed this issue only indirectly due to the lack of available data on data flows. For instance, Zhuo et al. (2019) report that GDPR has virtually no effect on interconnection behaviours of internet network operators and argue that costs of the regulation are concentrated at the application layer.
  2. We often hear about the explosion of cross-border information flows in bits or tera-bytes, but it is extremely difficult to translate it directly into economic values.
  3. The selection of firms for our survey is based on the list for official statistics and basically covers firms with fifty or more employees. The sample size of our survey is much larger than a similar survey of firms by OECD (2018).
  4. The share of firms directly transmitting data to/from individual consumers is low in our sample, which does not include retailers.
  5. Tomiura (2007) is an early firm-level study finding that FDI firms are more productive than foreign outsourcers or exporters, which in turn are more productive than domestic firms.

Reference(s)
  • Goldfarb, A and D Trefler (2019), "Artificial intelligence and international trade," in A Agrawal et al. (eds), The Economics of Artificial Intelligence, University of Chicago Press, Chapter 19, pp. 463-492.
  • OECD – Organisation for Economic Co-operation and Development (2018), "Trade and cross-border data flows", Working Party of the Trade Committee, TAD/TC/WP(2018)19/FINAL, Paris, France.
  • Tomiura, E (2007), "Foreign outsourcing, exporting, and FDI: A productivity comparison at the firm level," Journal of International Economics 72: 113-127.
  • Tomiura, E, B Ito, and B Kang (2019), "Effects of regulations on cross-border data flow: Evidence from a survey of Japanese firms," Discussion Paper 19-E-088, RIETI.
  • Zhuo, R, B Huffaker, KC Claffy, and S Greenstein (2019), "The impact of the General Data Protection Regulation on Internet interconnection," NBER Working Paper 26481.

March 31, 2020