Skip to Main Navigation
Download the report

Crossing borders

Cross-border data flows are an increasingly essential element of international trade. Data flows not only support trade in goods, making production and distribution more effective and less costly, but such flows are in fact the vehicle for trading digital services across borders. As trade in global digital services has increased dramatically in recent years, so have global data flows.

How big are global data flows?

In 2020, global internet traffic was estimated to be more than 3 zettabytes, or 3,000,000,000,000 gigabytes (GB). This is an unimaginable big and abstract number, but it translates roughly into the equivalent of:

  • 32 GB for each person on the planet per month, or 1 GB per person per day
  • 100,000 gigabytes per second
  • 325 million households watching Netflix simultaneously, at all times.

By 2022, yearly total internet traffic is projected to increase by about 50 percent from 2020 levels, reaching 4.8 zettabytes, equal to 150,000 GB per second. The growth in global internet traffic is as dazzling as the volume. Personal data are expected to represent a significant share of the total volume of data being transferred cross-border.

Growth of global internet traffic in the past 30 years

1992200220122022050,000100,000150,0000.0019315616,800153,000 GB/s50,000100,000
By 2022, traffic is expected to reach 150,000 GB of traffic per second, a 1,000-fold increase compared to the 156 GB in 2002, 20 years earlier. Ten years before that, in 1992, global internet traffic was 100 GB per day, which roughly equates to just 10 households binge watching a Netflix series for 10 hours.

Source: WDR 2021 team calculations and Cisco Visual Networking Index: Forecast and Trends, 2017–2022.

How do data flows relate to trade in digital services?

Together with improved internet infrastructure, data flows in the form of greater bandwidth are strong drivers of trade in services provided over digital networks: so-called data-related or digital services. Such services cover, for instance, computer network maintenance, entertainment, and broadcasting, as well as financial management. In 2018, these digital services amounted to US$2,700 billion globally. Their corresponding share in global services trade has increased significantly over the years, from 20 percent two decades ago to 50 percent today.

Change in the growth and composition of trade in services over four decades

Computer, communications and other services
Transport services
Travel services
Other (unclassified)
198819982008201802,000,000,000,0004,000,000,000,0006,000,000,000,0002,0004,0006,000billionUS$

Source: WDR 2021 team calculations based on WITS (World Integrated Trade Solution) database.

How can cross-border transfers of personal data be regulated?

While high-income countries dominate the global digital services trade, developing countries can also profit from digital trade driven by data. Yet, several countries are restricting data transfers, especially for personal data. These restrictions are usually driven by noneconomic concerns such as privacy and national security, but can have economic effects. Flexible regimes for cross-border data flows would allow businesses from developing countries not only to benefit from offering services to global markets, but also from receiving competitive digital services in return.

For instance, a Bangladeshi firm, Augmedix, offers remote assistance to medical doctors in the United States. These doctors wear smart glasses allowing their Bangladesh-based assistants to “witness” patient consultations and create associated medical records. This two-way exchange of data, and the associated high value added services Bangladeshi assistants provide, are possible only because both countries—the United States and Bangladesh—allow for such sensitive and personal data to move across borders.

However, because of privacy and other wider noneconomic concerns, not all countries allow personal data to cross borders, and in fact some have adopted conditions for cross-border data transfers. Strict regulations on cross-border data flows could outlaw business models like that of Augmedix. Yet, some of these regulations aim to protect personal data and can in fact promote trade in digital services by strengthening consumer trust in digital markets.

Regulating flows of cross-border personal data typically comes with upfront costs: companies, as well as other organizations, need to invest in resources to comply with regulations, and governments need to install authorities to enforce these regulations.

How do countries handle cross-border transfers of personal data?

Many countries are currently regulating cross-border transfers of personal data. While regulations of personal data diverge widely, countries around the world are pursuing three broad approaches : (1) open transfers of data; (2) conditional transfers; and (3) limited transfers. These three data models have become a reference for many other countries when defining their rules on personal data.

Open transfer
Conditional transfer
Limited transfer
Outside sample

Source: Ferracane, Martina Francesca, and Erik van der Marel. Forthcoming. “Regulations on Personal Data: Differing Data Realms and Digital Services Trade.” WDR 2021 background paper, World Bank, Washington, DC.

The model of open transfers is characterized by the absence of any restrictions on cross-border transfers of personal data. In addition, countries following this model usually rely on a baseline set of privacy principles and leave to companies the flexibility to self-regulate on a voluntary basis. Moreover, under this model, firms usually remain accountable for how personal data are treated, and when they may be transferred to a recipient in a third country. 39 of 116 countries surveyed for the WDR have adopted this model.

However, several countries are classified into this model by default, given that they have not (yet) adopted a general framework for personal data transfers or imposed any regulatory rules regarding data protection. This is the case, for instance, in Bolivia, Cambodia, Pakistan, and Saudi Arabia.

The second data model is based on conditional transfers. This model seeks to strike a balance between imperatives to protect personal data and the need for openness of data transfers. This involves a country setting out a series of mandatory regulatory safeguards that its trading partners need to fulfil, so as to allow for the free flow of personal data between firms on either side. Once met, such safeguards enable data to be shared with jurisdictions while meeting certain adequacy standards for data protection, or with firms that have adopted mandatory data protection protocols, such as binding corporate rules or contractual clauses.

66 of 116 countries surveyed have adopted the conditional transfers model, including the European Union (EU), with its General Data Protection Regulation (GDPR). Many countries outside the EU, including some lower-income-countries, have also adopted this model, including Argentina, Colombia, Korea, Malaysia, Senegal, and South Africa.

The third data model uses a limited transfers approach. This model imposes strict requirements on cross-border flows of personal data for companies and other organizations, which may include ex ante authorization by the government following a security assessment. It often includes a condition for storing and sometimes processing of personal data within the country of origin. 11 countries follow this model of limited transfers.

China mandates strict conditions and requirements on the transfers of personal and other important data for operators of “critical information infrastructure,” which includes a broad scope of sectors ranging from financial information and telecommunications to health and medical activities and mapping services, as well as online publishing. Operators are required to store and process certain personal data in China. In addition, foreign companies may have to apply for permission before transferring personal data out of the country.

Russia’s Personal Data Law mandates that all personal data about Russian citizens must be stored and processed using databases physically located in Russia, while allowing for cross-border transfers of copies of the data once this requirement is met. In Vietnam, both domestic and foreign companies providing telecommunications, internet, and value added services must store related personal data in the country.

In summary, the open transfers model minimizes the regulatory burden on service providers at both ends of the transfer of data. It maximizes the freedom companies have in sharing data for doing business, but provides few safeguards to boost trust in such data transfers. The limited transfers model places a central focus on security concerns, such as cybersecurity, entailing additional restrictions on data transfers. The conditional transfers model provides a halfway house: it allows for international transfers while requiring additional guarantees for the protection of personal data in the destination market. It thereby adds somewhat to the cost of trading digital services.

How do personal data models relate to trade in digital services?

How do differences between the distinct features of each personal data model relate to digital services trade? To what extent do countries with a particular personal data model trade digital services with one another ? The following visualization helps answer these questions. The matrix shows the relationship between pairs that share the same data model and the extent to which they export digital services with each other. The colors in the scheme represent the three different data models as described.

Bilateral trade in digital services

USAUnitedStatesCANCanadaPHLPhilippinesAUSAustraliaAREUnitedArabEmiratesTWNTaiwan,ChinaHKGHong KongSAR, ChinaOtherOtherEUEuropeanUnionINDIndiaCHESwitzerlandISRIsraelSGPSingaporeNORNorwayUKRUkraineKORKorea, Rep.JPNJapanMYSMalaysiaBRABrazilCHNChinaRUSRussiaExporterImporter

Source: OECD-WTO BaTIS database.

Note: Only data for the 20 biggest exporters of digital services are visualized. Other economies are grouped into the "other" category.

Economies sharing the open transfer model with each other represent 5 percent of trade.

The conditional transfers model is the dominant approach. More than 53 percent of all global trade in digital services is conducted between economies sharing this model (this figure drops to 40 percent when trade within the European Union is excluded).

Obviously, given that the EU has been at the forefront in developing the conditional transfers model, the biggest share of trade in digital services covered by this model takes place between EU countries, and therefore is classified as intra-EU trade.

Trade between countries that apply the limited transfers model represent less than 1 percent of global trade in digital services.

42 percent of trade is between countries having different data models in place.

The matrix provides a useful visualization of global patterns of data trade. However, this does not tell us whether adopting any of the three data models actually generates higher or lower digital services trade between the sharing pairs, compared to others. In other words, is sharing a similar model associated with greater levels of trade in digital services? And if so, which models?

How the three models correlate with levels of trade in digital services

Associated withmore tradeless tradeOpen transfersConditionaltransfersLimited transfers

Source: Ferracane, Martina Francesca, and Erik van der Marel. Forthcoming. “Regulations on Personal Data: Differing Data Realms and Digital Services Trade.” WDR 2021 background paper, World Bank, Washington, DC.

Our analysis shows that after accounting for standard factors typically found to be important for explaining trade between countries, such as distance and historical ties, countries sharing the open transfer model generally exhibit greater levels of digital services trade.

Trade outcomes for the conditional transfers model are mixed: for digital services, the model is associated with increased trade, but for some digital-enabled sectors such as business services, the model is associated with lower trade.

Countries adopting the limited transfer model consistently generate lower levels of digital services trade.

How are cross-border data flows governed at the international level?

Trade agreements have been at the forefront of international data governance, and have incorporated the first binding international rules on data flows. World Trade Organization ( WTO) rules cover measures affecting trade in services, including measures relating to cross-border data transfers and personal data. Some of the latest generation of preferential trade agreements feature substantial disciplines supporting cross-border data flows. Digital trade agreements, focusing exclusively on digital trade, have emerged as a new trend in the regulation of data flows.

Despite these initiatives, the future of global trade rules on data flows remains uncertain, particularly at the global level. Multilateral discussions on digital trade are proceeding among a group of 85 WTO members, but potential disciplines on cross-border data flows are among the most contentious issues. Furthermore, low-income countries remain underrepresented in digital trade talks. Only one low-income country (Burkina Faso) has so far joined the Joint Statement discussions on rules for digital trade under the WTO.

Global rules should expand to provide a solid framework for cross-border data flows, both in setting principles and promoting standards. Global trade rules should center on promoting cross-border data flows and the free choice of data storage locations, grounded in adequate data protection standards. Multilateral negotiations should not be limited to replicating existing models or be bound by fictitious deadlines, but should strive to adopt an innovative, forward-looking framework for global data flows, affording adequate technical assistance and time to those least able to implement agreed rules.

Trade negotiations have traditionally focused on removing restrictions to international trade, but are not suitable for addressing issues of regulatory convergence. Progress toward harmonization around the necessary regulatory safeguards for data rights, or common data standards and architectures that enable the exchange of information, could benefit from more cooperative, and perhaps nonbinding, approaches offered by other international instruments. International efforts to promote technical standards for data protection and cybersecurity are essential to ensure interoperability and must align with global trade rules on data flows.

Limited