
As demand for digital services grows, some proposals for data localization, often motivated by governments’ desire to protect citizens’ privacy or to enable law enforcement surveillance, could hinder the free flow of data. In South Korea (hereafter Korea), calls for localization have become more frequent and more forceful in recent years, culminating in the 2018 server localization bill, which requires all online service providers above a certain size to place their servers within the country so as to provide “stable services.”1

Yet there are other approaches, including the assimilation of international arrangements and instruments, that could enable Korean policymakers to realize their policy goals without mandating such data localization. For instance, if their goal is to facilitate law enforcement access to citizens’ data that may lie outside the jurisdiction of the Korean government, the Budapest Convention may provide an alternative to the time-consuming mutual legal aid treaty (MLAT) processes that require law enforcement agencies to request help from their foreign counterparts. Similarly, if addressing concerns about citizens’ privacy is the policy goal, then the European Union’s (EU) General Data Protection Regulation’s (GDPR) adequacy process or the certification process of the Asia-Pacific Economic Cooperation (APEC) forum’s Cross-Border Privacy Rules may provide the needed level of protection, no matter where the data may be stored and processed.2 If the goal is to counter the market dominance of foreign online services, then any measures will need to be assessed in light of World Trade Organization (WTO) trade rules that deal with state parties’ mercantilist aspirations to nurture domestic industries. Although such legal analysis on trade may not assuage calls to prevent “digital colonialism,”3 the trade rules are a constraint that could bind policymakers in designing sustainable ways to meet their goals without requiring data localization.

Kyung Sin “KS” Park is a professor of law at Korea University. He served as a commissioner at the Korea Communication Standards Commission, a presidentially appointed internet content regulation body (2011–2014), and as a member of the National Media Commission, an advisory body to the National Assembly set up to examine the bills allowing media cross ownership and other media and internet regulations.

This analysis assesses Korea’s data localization discourse, examines the different justifications for data localization initiatives, and explores a range of legal instruments that might help address those policy concerns. It first explores Korea’s own data localization initiatives. It then dives deeply into the Budapest Convention and its implications for Seoul, before turning to questions of competing against foreign dominant players according to the trade regimes and international approaches that Korean policy can and should assimilate. Whichever of these international alternatives to localization is adopted, a key concern is that such alternatives address what Korean commentators call regulatory “reverse discrimination,” an issue originating from the thicket of unusual and specific online service regulations often unique to the country.4 In addition, the prospect of the Budapest Convention serving as an alternative to data localization is resisted by locals due to their desire for more privacy by having the option of communicating through foreign platforms that are supposedly more compliant with human rights. This aspect of Korea’s localization discourse calls for a concerted focus on human rights.

The Context of Korea’s Data Localization

Data localization measures are one of the many ways governments try to assert digital sovereignty or strategic autonomy (however those terms are defined). Anupam Chander of the Georgetown University Law School and Haochen Sun of the University of Hong Kong Faculty of Law attribute such efforts to governments’ desires to protect their citizens, build their domestic digital economies, and control their own citizens.5

But one challenge with this classification is that it is difficult to distinguish between measures designed for protection and those designed for control. For instance, if a nation requires all content providers to locate their main servers domestically so that the police or other censorship bodies can directly order content to be blocked, their stated motivation is to control bad actors who upload dangerous online content and protect the public who may suffer harm. One example is China. But given how its state-centric approaches to cyberspace are derived from Communist ideology, it can be difficult to distinguish the Chinese government’s measures of controlling the public from its efforts to protect the public.6 In addition to China’s Cybersecurity Law (enacted in 2017), the country has a firewall that filters internet traffic into and out of the country, ostensibly for the purpose of protecting Chinese people’s data, but this approach also enables internal surveillance and censorship.7 Instead of distinguishing protection from control, both kinds of measures can be motivated by a desire for sovereign control of data.

The Korean government also seeks sovereign control of data, but Seoul’s justification varies depending on the type of data. Much like the EU, Korea has strict data protection laws for personally identifiable information. These laws, like the adequacy scheme in the EU’s GDPR, have a single aim—to protect citizens’ data, or equivalently data protection—but they do so without requiring that personally identifiable information remain within the reach of domestic surveillance and censorship. One side effect of these laws is that they limit governments’ power over citizens, the opposite of enhancing sovereign control of data.

Moreover, some data localization rules are not for the purpose of protecting personal data. For instance, Korea still prohibits map data of precision above a certain level from physically leaving the country to protect national security.8 Other laws, such as India’s requirement that financial data remain within the country, are meant to ensure effective regulatory oversight.

Ultimately, Korean arguments for data localization can be grouped by the following five motivations: national security, sovereign control of data, data protection, fair taxation, and fair competition.

National Security

After U.S. national security contractor Edward Snowden revealed that various domestic U.S. government surveillance programs had an extraterritorial impact because much of the world’s internet traffic goes through servers located in the United States, several countries, including Brazil and Germany, sought to keep their domestic online traffic safely out of the reach of the American surveillance program. After the Snowden revelations, Germany’s data protection authorities also requested that Deutsche Telekom keep internet traffic within Germany as much as possible and proposed creating a Bundescloud, a cloud infrastructure for all data held by German government agencies (to be established by 2022). The German authorities further proposed a data network restricted only to EU users.9 Ironically, had such proposals been implemented, German users would today be more vulnerable to surveillance by German government agencies. Brazil attempted something similar. Its proposed data localization law was a clear response to concerns about foreign surveillance, but in the final version of the country’s Civil Rights Framework for the Internet (better known as Marco Civil da Internet), the data localization requirements were removed.10

Sovereign Control of Data

Independently, Russia and China have been on course to enhance sovereign control over their citizens’ data for purposes of both censorship and surveillance. While these data localization laws reflect a desire for digital sovereignty, it is clear that both regimes (and several governments in the Middle East and elsewhere) view freedom of speech and truly private, encrypted communications as threats to national and regime security. In other countries, data localization is justified by a desire to harness the utility of locally generated, nonpersonal data for a range of business and governmental purposes.

Data Protection

Meanwhile, GDPR aims to protect EU citizens’ privacy by ensuring that their data are not transferred into jurisdictions with what are deemed inadequate levels of data protection. But defining what is considered adequate has proven challenging, as evidenced by the years of negotiations over the U.S.-EU Safe Harbor Framework and the EU-U.S. Privacy Shield Framework, which have governed data transfers between the United States and the EU. Unlike other types of data localization measures, which are designed to meet a government’s needs, GDPR (and similar Korean laws governing personally identifiable information) protect and empower citizens. These laws do not block data transfers if data subjects give consent, regardless of the adequacy level of the destination jurisdiction. The goal is self-determination rather than state control.

Fair Taxation

Many governments want companies to host their content and services on domestic servers to ensure they can tax foreign content providers that otherwise could make money there without establishing a physical presence.11 But taxing remote servers is against general rules of taxation, so foreign internet companies are taxed at a much lower rate than domestic companies. While the EU Commission has decided to address this discrepancy by bending tax rules (through tax base erosion and profit shifting),12 several Southeast Asian countries have required that relevant servers remain within their borders.13

Fair Competition

Martin Schulz, who formerly was president of the European Parliament, warned that the market power of “digital giants” poses not just economic problems but also social problems.14 GDPR’s data portability provisions were an attempt to counter such dominance by allowing internet users to more easily shift from one online service to another when the EU’s Data Retention Directive was declared invalid by the Court of Justice of the EU in 2014.15 Other European politicians have been more direct and vocal in their calls to protect and promote domestic companies.16 It is not clear, however, whether GDPR’s adequacy scheme, the only comprehensive data localization for Europe, is an appropriate or effective vehicle for such data mercantilism.

Korea’s Data Localization Discourse

Korea’s debate over data localization is unusual because of its central focus on fair competition, or to be more specific, the eradication of discrimination against domestic online services. This trend is evident from the ubiquity of the term “reverse discrimination” in news articles reporting on the country’s 2018 server localization bill.17 Similar sentiments have been heard in India and a few other countries where domestic companies have a sizable share of the local market for online services.18

Yet Korea’s data localization discourse on fair competition is more heated than elsewhere because of the long list of parochial regulations applicable only to Korean online services ranging from its internet real-name law, game shutdown laws, upload filter requirements, and more.

The underlying idea in Korean discourse is that these regulations place domestic providers at a disadvantage compared to foreign providers because the regulations apply only to providers that are located domestically, so (the thinking goes) forcing foreign providers to localize by placing servers within Korean territory will ensure equality of regulation and hence fair competition. However, this approach raises the question of whether international economic law allows mandatory data localization rules as a tool for fostering such claims of fair competition. What is more, if the answer to that question is no, then it raises a secondary question of what the best practices are for achieving fair competition. In addition, as is the case in Brazil, there are few (if any) calls in Korea for data localization stemming from law enforcement’s inability to access overseas data concerning domestic persons in Korea. In this respect, Korea is very different from India, where law enforcement access is a primary concern.

In Korea, both of these themes, fair competition and sovereign control of data, have been advanced as main justifications for data localization, but the country’s current approaches to data localization do not reflect best practices for achieving these goals. Firstly, accession to the Budapest Convention would protect a workable version of data sovereignty but would obviate the need for data localization. Secondly, the WTO’s trade rules, which Korea has agreed to, prohibit data localization motivated by desires to protect domestic providers. However, that is not the end of the story. The sections below explore these themes through legal analysis and consider how the general public might view such legal analysis.

The Budapest Convention and Extraterritorial Data Access for Law Enforcement

Korea can and should look to the Budapest Convention as an alternative way to secure its interests.

The Budapest Convention

The Budapest Convention facilitates information sharing among law enforcement agencies in different countries, including nearly all of the forty-six member states of the Council of Europe and some nonmember states.19 The convention is the first binding multinational treaty to comprehensively address not only cyber crimes but also the gathering of electronic evidence of noncyber-related criminal activity.

The Council of Europe’s first work on computer-related crime began in the 1970s.20 This led to the 1989 recommendations for national legislatures and the “Report on Computer-Related Crime” for developing the necessary substantive criminal law to deter electronic crimes.21 In addition, a recommendation on criminal procedural laws dealing with information technology was adopted in 1995.22 These recommendations led to a draft of the Convention on Cybercrime (another name for the Budapest Convention), and the convention was opened for signatures at a November 2001 conference in Budapest, Hungary. Since then, the Protocol and Guidance Notes were created to support the convention’s implementation.23

The Budapest Convention was initially intended to harmonize substantive criminal laws concerning computer systems and data, namely for cyber crimes; provide national criminal justice authorities with the necessary means for investigating and prosecuting such criminal offenses; and establish an effective mechanism of international cooperation in combating these offenses. Chapter 2 of the convention specifies the following nine offenses: illegal access, illegal interception, data interference, system interference, misuse of devices, computer-related forgery, computer-related fraud, offenses related to child pornography, and offenses involving infringements of copyright and related rights.

What is important for Korea is that this same chapter of the convention also provides for investigative means, including expedited preservation of stored computer data, production orders, search and seizure of stored computer data, and real-time collection of computer data. Moreover, these provisions apply to any other criminal offenses committed by means of a computer system and finally to the collection of evidence in electronic form of any criminal offense. In addition, Chapter 3 of the convention on international cooperation contains general principles and procedures relating to extradition and to traditional and mutual legal assistance for computer-related crimes. 

Korea’s Position on the Budapest Convention

Many Korean commentators have called for the country’s accession to the convention, citing the need for cross-border cooperation on fighting cyber crime, which spans national borders.24 Existing bilateral mutual aid treaties between Korea and other countries enable cooperation between law enforcement agencies, but this can be a slow process and varies from country to country.25 These problems were documented in a recent and unprecedented empirical study of the efficacy of the Budapest Convention in facilitating cross-border cyber crime investigations.26 If Seoul were to sign on to the convention, it would not replace MLATs among the countries that already have such a treaty with Korea, but such a move would help facilitate such collaboration.

However, many Korean privacy advocates are concerned that the convention (in Article 20) mandates real-time collection of metadata.27 Still, the current Korean wiretapping law, the Protection of Communications Secrets Act, regulates metadata acquisition in Article 13, even though technically the textual scope of the law is limited to “data confirming that communication has taken place,” which does not include real-time metadata acquisition.28 Indeed, for years, real-time metadata acquisition has taken place under these existing provisions. As a result, in 2018, Korea’s Constitutional Court commented on the lax standard in a ruling related to real-time location tracking.29 In response to the decision, the law was amended in a way that implied that metadata acquisition by definition includes real-time acquisition.30 Overall, it seems that these privacy concerns that have repeatedly stymied efforts to get Korea to sign onto the convention can be addressed.

Other Korean skeptics point out that accession would necessitate several legislative changes to meet the convention’s harmonizing requirement. Article 16 of the convention (on the expedited preservation of stored computer data) also lacks an explicit counterpart under Korean law.31 However, the country’s existing search-and-seizure system could be easily adapted to meet the convention’s requirements.32 Article 17 (on expedited preservation and partial disclosure of traffic data), designed to clarify Article 16’s scope over multiple service providers involved in one instance of communication and allow expedited disclosure of each service provider’s traffic data to identify other service providers involved, also lacks an explicit counterpart in Korean law, but, again, it seems that the country’s existing search-and-seizure measures could also be adapted for this purpose.33

Some critics point to Article 18 (on production orders), which requires an alternative to Article 19 (on search and seizure of stored computer data) that would allow service providers a legal basis to voluntarily cooperate on such government requests.34 The need for this alternative arises from the legal difference between a warrant, which merely permits law enforcement to obtain access, and an (affirmative) order that compels private parties to produce the data. However, the Protection of Communications Secrets Act is already crafted in light of service providers’ duty to cooperate and therefore already provides the legal structure necessary for a production order to be issued instead of a warrant.35

Others point to the portion of Article 18 on production orders as applied to “subscriber information,” a point of contention that has created many privacy-related controversies in Korea because subscriber data is accessible without a warrant in the country under the Telecommunication Business Act (Article 83, Paragraph 3).36 However, the convention simply requires the existence of a production order and is silent on whether subscriber data can be obtained without a warrant. Also, due to the aforementioned controversies, Korean courts have already used search-and-seizure warrants to authorize law enforcement access to subscriber information since early 2013.37 It is true that Korean law needs to be changed to create a system for production orders, as opposed to one for search-and-seizure warrants. The previously mentioned orders under the Protection of Communications Secrets Act apply only to metadata related to specific communications and therefore will not cover subscriber information, which is often not related to specific communications.

Another consideration is that Article 19, Paragraph 2 of the Budapest Convention (on search and seizure of stored computer data) requires an intraterritorial remote search-and-seizure procedure. However, the Korean Supreme Court already has recognized the validity of such remote search and seizure even for extraterritorial access.38 Although the remote search and seizure in that case was executed by obtaining the access credentials directly from the owner of the email account, instead of executing the warrant on the service provider, on whom it could not be executed anyway because the company did not reside in Korea, the ruling in this case would easily justify such remote search and seizure through a warrant executed upon the service provider within the country. Some still argue that remote search and seizure must be authorized explicitly by the statute.39

Besides privacy issues, some critics are concerned about the increased compliance costs on digital intermediaries.40 Others are concerned that making domestic surveillance easier could increase the risk of security breaches arising out of foreign actors’ access to domestic data.41 Article 6 of the convention (on the misuse of devices) requires criminalizing the production and sale of devices, programs, and credentials for the purpose of committing the data-related offenses defined in the convention; there are no similar provisions in Korean law. Meanwhile, Article 12 (on corporate liability) establishes dual criminality including for both perpetrators and the corporations hiring them, and Korean law lacks such provisions.42

In sum, the statutory hurdles to Korean accession to the Budapest Convention do not seem insurmountable. The necessary changes could be made to existing Korean law by making minor revisions or interpreting statutes more broadly. However, resistance to such a move stems from the possibility of erosions of freedom from surveillance or simply privacy concerns.

What Korean Critics Miss

Overall, while it seems that legal hurdles to or privacy concerns about the Budapest Convention can be overcome relatively easily, support for Korea’s data localization rules or for the country’s accession to the convention will depend very much on public opinion regarding domestic surveillance, rather than on the political will of law enforcement leaders.

Korean law enforcement has not been vocal in its support for accession to the Budapest Convention. Not until 2020 did the National Police Agency commission its first study on the subject, and this study aimed not to persuade the government to accede but only to find out what domestic laws would need to be changed in the wake of accession.43 It was feminist organizations in Korean civil society that first advocated for the country’s accession to facilitate investigations of digital sex crimes.44

One reason there has been so little progress toward accession so far may be that the Korean police often rely on confessions as much as on evidence (whether physical or digital) when conducting investigations. The value of surveillance for Korean law enforcement has been more for identifying suspects than for proving guilt. For these reasons, the number of interceptions conducted by general law enforcement (as opposed to the National Intelligence Service with its mandate to conduct externally focused intelligence activities) has been very small.45 The mass surveillance type of data access, designed to identify suspects from large customer databases, has been much more intensive in Korea. The number of Korean “phone numbers, email addresses, and other accounts” affected by metadata acquisition has reached 37 million per year, a significant figure in a country of 50 million people.46 Of course, metadata acquisition was originally designed to prove guilt of a preidentified suspect. In Korea, that metadata acquisition takes place mostly for the purpose of finding suspects, just as the U.S. National Security Agency did after the 9/11 terrorist attacks (as Snowden revealed). What complements metadata acquisition has been the warrantless acquisition of subscriber information, through which Korean authorities could scan huge volumes of metadata to find a few suspects.47 In any case, Korean law enforcement has not actively sought out the deep extraterritorial surveillance capabilities afforded by the convention. Notably, these high volumes of surveillance have raised Korean people’s sensitivity about privacy or freedom from sovereign surveillance.

Finally, the Korean public clearly prefer to have foreign communications platforms available to them so they can store data beyond the reach of domestic prosecutors. Whenever the media reports on the overreaching surveillance practices of Korean law enforcement, there has been a massive “cyber exodus,” a migration of users of online services from Korean providers to foreign ones.48 Ironically, the Budapest Convention itself may not be welcomed by Korean citizens who want offshore locations for storing their data, lest their data be more easily available to Korean authorities under the convention. Having said that, these savvy users would prefer to have no data localization measures so they can move their data where they please, and they also would prefer to not have a convention that makes it easier for Korean law enforcement to retrieve their data from a foreign service provider. So the very reasons for opposition to the Budapest Convention have operated behind the scenes to practically preempt calls in Korea for sovereignty-based localization: the reasons explaining Korean law enforcement’s disinterest in the convention also easily explain their reasons for disinterest in data localization.

That said, there really is no human rights norm, international or municipal, stating that people should be guaranteed access to communication platforms beyond the reach of domestic prosecutors, though the availability of such platforms does reduce the risk of surveillance. The push for data localization can originate from different motives, not just from sovereign control of data. It is possible that the threat landscape could change in Korea (as it did in the United States after the 9/11 attacks) causing national security agencies and law enforcement agencies to want better access to data located overseas. If that happens, Korean people who choose overseas communication platforms will be better off with the convention than they would be if their data was stored domestically.

Promoting Fair Competition Under International Economic Law

Korea also has another path to better practices when it comes to facilitating fair competition for Korean companies vis-à-vis foreign rivals in terms of regulations applicable to internet content providers.

Korea-Specific Regulations of Online Services

There are several Korean laws that put local providers of online services at a disadvantage compared to foreign providers used by Korean consumers. For one, under the Telecommunication Business Act,49 all domestic providers of online services with more capital than the equivalent of about $100,000 must maintain registration as a “value-added service provider.”50 Such registration can be canceled by the relevant government ministry in charge if the providers disobey various ministerial corrective orders.51 These orders can be issued to online service providers that cause “significant damage to consumers’ interest” or violate a wide range of content moderation and data protection obligations.52

The Korean politicians sponsoring these measures argued for the need to protect users (and particularly children) and effectively paralyzed the lobbying arms of online service operators, leading to a number of unprecedented laws being adopted. These include mandatory identification laws that obligate online services to collect identity verification information from users, forcing the providers to amass huge amounts of personal data and make themselves the target of cyber attacks. While Korea’s most infamous identification mandates were struck down as unconstitutional in 2012 (for general comments platforms) and in 2021 (for election-related comments platforms),53 they still remain in effect for using mobile phone services, playing internet games, and leaving comments on public agencies’ websites.54

The means of identity verification are not popular because they are limited to methods predetermined by the government, which tend to be expensive and cumbersome and which often require more personal data than needed.55 It is no surprise that the Youth Protection Commission and other Korean agencies routinely highlight certain online material (and other material online or offline) as harmful to youth. Also, it is no surprise that online service providers serving content labeled as harmful to children are required to conduct age verification to comply with the rating rules. However, uniquely in Korea, online service providers are required to conduct age verification in ways that endanger privacy and data protections and therefore increase compliance costs for domestic providers.

In addition, Korea does not give online service providers a safe harbor for undesirable material posted by their customers. Instead, mandatory notice-and-takedown rules require online service providers to remove rights-infringing comments immediately after receiving notice from the affected party, forcing them to err on the side of deleting comments they are unsure of.56 Although there is no statutory penalty, a 2009 Supreme Court decision affirmed the strict liability nature of the overall intermediary liability scheme.57 In this case, the court held that Naver, a Korean online platform that debuted in 1999, was liable for failure to take down comments accusing the supposed victim of having impregnated a woman and then persuading her to get an abortion though Naver had no way of checking the defamatory substance of the comments. The Korean Communication Standards Commission, a national administrative body, issues takedown orders “as necessary for nurturing communications ethics.”58 More than 200,000 webpages or websites are taken down every year, some of which are not even accused of violating any legal prohibition.59

As for online gaming, until January 1, 2022, all internet games played by players under sixteen years old had to be shut down between 12:00 a.m. and 6:00 a.m.60 Although the mandatory shutdown was abolished, all internet game providers still must implement features allowing young users or their legal guardians to control how much time they spend gaming.61 The latter law necessitates and justifies the identity verification law for internet games mentioned earlier.

Meanwhile, all platforms capable of uploading videos and images for public viewing must be equipped with an upload filter that compares all files being uploaded against a precurated database of nonconsensually created or distributed sexual material, sexually defamatory deep fakes, and child sexual abuse material.62 As a result, currently, any video being uploaded on major platforms in Korea suffers from a latency of around five to ten seconds depending on the video size, a duration that is likely to lengthen as the database of forbidden material grows larger.63

Another burden on all online service providers based in Korea is that they must pay transit fees (or equivalent internet access fees) to local internet service providers in amounts that widely surpass the costs of internet access in all other major cities in the world.64 This is because Korea has the world’s only mandatory rule based on the Sending Party Network Pays principle.65

Domestic online service providers have long complained about the regulatory burden they face, causing the Korean government, in turn, to repeatedly commission studies to assess the situation.66 However, these problems persist, fueling aspirations for localizing foreign services and putting them under the same regulations.67

Trade-Based Rules on Data Localization

On a related note, data localization is a major consideration when it comes to digital trade in services. When people use YouTube, for instance, the data is often provided remotely from servers overseas. In addition, when local businesses purchase advertising time on YouTube, it may be local residents viewing those ads, but the ad content they are watching is provided remotely from servers overseas. In either case, such usage constitutes a trade in services from the locus of the YouTube servers to those of the advertisers.

Such trade in services, through cross-border supply via the internet, is increasing rapidly. Data localization requirements that remote servers providing such content, or the services themselves, be located within the country are justified as a way of leveling the playing field between foreign service providers and domestic ones, but these regulations bend or break trade rules that Korea and most developed countries have agreed to follow.

The most contentious obligations of WTO members are market access and national treatment under the General Agreement on Trade in Services (GATS). Members are prohibited, for example, from violating these two obligations listed in their respective schedules of specific commitments under GATS. According to the GATS classification of services, data localization requirements would affect the services falling under “value-added services” and “computer and related services.”68 A majority of WTO members have made liberalizing commitments on both of those services.

Although these commitments were made during the Uruguay Round of multilateral trade negotiations in the late 1980s and early 1990s before the internet became pervasive and popular, these liberalization commitments should be deemed still effective with respect to the internet, according to the decision in a case known by the shorthand U.S.—Gambling, in which a WTO panel announced intramodal technological neutrality in cross-border supply mode.69 This conclusion also stems from the WTO Appellate Body’s decision on a case called China—Publications and Audiovisual Products, which interpreted Beijing’s liberalizing commitment on sound recording distribution services to include online as well as offline services.70

First, in terms of market access, Article XVI:2 of the GATS provides an exhaustive list of quantitative restrictions that can be sustained only by explicitly itemizing them in a country’s Schedule of Commitments.71 On the surface, data localization is a quantitative restriction, not a qualitative one. But just as the U.S.—Gambling decision deemed a nationality requirement as a “zero quota” imposed on overseas service providers, data localization can be deemed a quantitative restriction.72 Indeed, data localization effectively bans the cross-border supply of services as a mode of service trade and forces foreign service providers to move into the commercial presence mode,73 and it is likely to be considered a zero quota in violation of Article XVI.

Secondly, the national treatment norm governed by Article XVII of the GATS also bans both de jure discrimination and de facto discrimination based on nationality. Data localization applies equally to all online service providers, but (formally) equal treatment may be discriminatory in a de facto sense.74 The WTO adjudication bodies have consistently held that the “aims” of a certain measure do not cure the discrimination in several cases, beginning with the Appellate Body’s EC—Bananas III decision and later in its Argentina—Financial Services decision.75 For instance, even if some measures have such purposes as privacy protection or national security, the key question is whether measures end up treating foreign service providers less favorably.

Korean critics may well argue that foreign online content providers are not like domestic content providers to begin with because their content is transmitted from remote locations. However, in the U.S.—Gambling decision, the government of Antigua argued that services should not be considered “unlike” merely because they are provided through different modes of supply.76 Notably, Antigua’s argument prevailed in the decision.77 Other cases have since solidified this trend: for instance, in its Canada—Autos decision, a WTO panel also found “likeness” between, on the one hand, the services provided on Canadian soil through a commercial presence and movement of natural persons and, on the other hand, the services provided remotely through cross-border supply and consumption abroad.78 Thus, data localization can be said to be applicable to two like services, namely content provided remotely and content provided domestically through local servers. With that in mind, one rejoinder to critics is to ask whether Korea’s current approaches violate the national treatment norm of international trade law to which the Korean government has committed itself.

To be sure, Article XIV lit. a) of the GATS does allow the adoption of measures considering the protection of public morals and the maintenance of public order, while Article XIV bis allows for security exceptions.79 The right to adopt exceptional measures is subject to certain conditions in the chapeau to Article XIV of the GATS, which requires that they be “applied in a manner that does not constitute ‘arbitrary’ or ‘unjustifiable’ discrimination, or a ‘disguised restriction on trade in services.’”80 Just take the precedents set by U.S.—Gambling as an illustration: the prohibition of online gambling services from Antigua and Barbuda was held to violate the chapeau because it allowed domestic U.S. internet operators to provide the same services.81 Since then, scholars have tried to figure out what satisfies the exception in the context of restrictions on the free flow of data but without much success.82

Trade Practices on Data Localization

Korea faces the same dilemma that many other countries do, namely, the conflict between its domestic practices and the international obligations it has agreed to. As with other trade issues, the possibility that data localization may violate WTO rules has not dissuaded various countries, including Korea, from engaging in or contemplating data localization. And because this is an area of international trade law where WTO cases are few and far between (limited mostly, for example, to U.S.—Gambling and China—Publications and Audiovisual Products), rules on data localization tend to be hashed out during trade talks, not in arbitration rulings.

In 2013, U.S. trade negotiators began including “data localization” on a list of digital protectionist measures that Washington intended to oppose, alongside censorship, filtering, privacy regulations, and sometimes even lax intellectual property enforcement.83 Starting in 2015, the EU, too, criticized Russia’s and China’s data localization requirements as disproportionate to “national security” concerns and, therefore, as examples of out-and-out digital protectionism.84

After much deliberation, the EU announced in 2018 its trade strategy toward digital protectionism taking into account these data protection concerns. Brussels proposed the following three pillars: free flow of data, a ban on data localization, and language that excludes data protection regulations from the list of barriers to trade.85

By 2016, the United States and the EU had been able to agree on identifying three measures as being clearly protectionist, including data localization as well as taxes on digital flows and forced technology transfers.86 Together, Washington and Brussels have argued that these measures can lead to unanticipated side effects, including reduced internet stability, generativity, and access to information.87

The fact is, however, that trade law (as opposed to trade practice) does not provide a broad general normative context for evaluating various cases of data localization. No trade agreement discussing cross-border data flows, including the ones to which Korea is a party, mentions other supposedly protectionist measures such as censorship, filtering, or internet shutdowns as impermissible barriers to trade.88 So these constitute an insufficient normative basis for discouraging other countries from enacting data localization even if they wanted to follow the leadership of the United States and the EU on the definition of data protectionism.

Most importantly, neither the EU nor the United States has a general theory as to when trade restrictions on information are protectionist, even when evaluating their own trade-restrictive policies and practices.89 Some complain that it is not even clear whether and when privacy regulations can be exempted under the exceptions that GATS furnishes on public order or national security grounds.90

Given the lack of robust normative grounds, state parties can fall into a vicious cycle of digital protectionism begetting further digital protectionism, which forces countries to face the thorny question of whether a targeted data localization measure designed to address specific risks posed by overseas data breaches constitutes protectionism.91 One recent example of this is the Clean Apps initiative during former U.S. president Donald Trump’s tenure, which was an attempt to keep U.S. TikTok users’ data on American soil and safe from potential surveillance by the Chinese Communist Party.92

Resolving this question requires examining the differences between data and other commodities, but it is not clear how those differences translate into a stable theory of what is protectionist, since the question of what constitutes a GATS violation is itself unclear.93 Some have tried to square this circle by filtering the trade discussion through the question of rights: any restriction to data-based services would also, this argument runs, interfere with people’s freedom of speech. This argument is particularly salient in the United States, as the State Department has advocated the “free flow of information” for decades.94 However, some scholars conclude that trade talks focusing on “free flow of information vs. data protectionism” are ineffective and sometimes hypocritical.95

What Korean Critics Miss

In the end, despite the limits and difficulty of applying digital trade rules and practices, Korean policymakers have not stopped arguing for data localization rules aimed at subsidizing domestic companies that are suffering from “reverse discrimination” due to Korea’s unprecedented and interventionist internet regulations.

Although trade rules allow countries like Korea to engage in various internet regulations for the purpose of protecting people’s health, property, and lives, their ability to compensate in a sense for the regulatory costs that domestic companies face by forcing offshore providers to change the mode of supply has never been accepted as complying with existing trade rules.

And all of Korea’s domestic internet rules can be enforced on foreign services by, for instance, blocking websites that do not meet the domestic requirements.96 Although Korean policymakers could directly address the perceived discrimination in this way, the government simply chooses not to apply those rules,97 probably in order to satisfy the domestic populace’s desire to use foreign companies’ services and to avoid the difficulties associated with requiring foreign companies to keep data in-country. There is no cause for condoning the practice of blocking the noncomplying foreign websites, but artificially created claims of discrimination should not be used to justify data localization. Furthermore, such a forthcoming approach may serendipitously bring to the fore the real problems with Korea’s domestic internet rules: human rights.

A Better Focus for Korea

Data localization initiatives are known to interfere with the free flow of information. They can be motivated anywhere by security, sovereignty, privacy, taxation, or competition concerns. But in Korea, the most pronounced data localization initiatives have arisen, first, from a desire to promote fair competition between domestic Korean firms and foreign companies and, second, from the need to investigate cross-border cyber crimes.

But the Budapest Convention and a new approach to fair competition would provide a better way forward. In assessing the likelihood that Korea will accede to the Budapest Convention to assuage the need for cross-border investigations, it seems clear that the country’s domestic investigatory regime could easily be updated and harmonized as required for accession to the convention. Of course, the public’s concerns about privacy may generate some friction if Korea were to do so. But in the final analysis, given the Korean public’s desire to migrate to foreign communication platforms whenever the privacy-infringing nature of domestic surveillance has been highlighted in the media, data localization of foreign services will likely be resisted more strongly by the Korean public than accession to the convention.

Meanwhile, even as Korea’s decision on the Budapest Convention remains in limbo, Korean politicians’ desire for data localization is growing in another respect. They argue that foreign companies can compete and beat domestic companies because only the latter are subject to Korea’s intricate internet regulations.

WTO trade rules allow exceptions for public interest purposes and therefore may be neutral to data localization initiatives. However, the WTO rules do not seem to allow data localization initiatives, including ones in Korea, that are motivated not by the public interest but by a desire to enhance the application of local laws to foreign companies. Because local laws can always be applied to foreign services (as in the case of blocking the noncomplying websites), the public interest can be preserved, so the requirement that foreign firms establish and maintain a local presence is an unnecessary restriction on the cross-border provision of services.

Unfortunately, as long as perceptions of regulatory “reverse-discrimination” against domestic Korean companies remain, the calls in Korea for data localization will not subside. Ultimately, there is no readily available, instrument-based argument against Korea’s widespread and deepening aspiration for data localization. Neither WTO trade rules nor the Budapest Convention will answer either local law enforcement’s needs or local internet companies’ calls for fair competition over the long term.

To push back on the fair competition argument, a solution cannot simply rely on legal principles but would need to dismantle Korea’s parochial internet regulations, which provide a never-ending stream of arguments used by supporters of data localization in the name of fair competition. To do so, skeptics of data localization need to leverage concerns about human rights.

In addition, the resistance in Seoul to the Budapest Convention will weaken if Koreans realize that domestic surveillance is not any more intrusive than what is allowed in most other democracies. At that point, the convention would provide a more sustainable, instrument-based counterweight to calls in Korea for data localization. Enhanced cross-border data access under the convention would not necessarily abolish a safe haven for secret communications, while data localization would definitely do so. In this case, too, arguments and practices based on human rights could play an important role in shifting public attitudes and exerting pressure on the country’s political and regulatory class.

Many data localization rules are motivated by a desire for sovereign control. They originate from an idea that data is safer, more secure, or more useful, either from a control-hungry sovereign’s perspective or from that of privacy-hungry subjects, when it is located in a certain jurisdiction rather than another. However, data reflects a sentient being’s perceptions of the world. The transferring of data is arguably akin to speech, and data collection is a form of knowledge. Most norms on free expression distinguish speech from physical activities and also distinguish data from physical objects. Cross-border transfers or collection of data is essentially cross-border speech or knowledge. These principles on free speech (and access to knowledge) should create exceptions to the sovereign’s Westphalian control within its territory and provide ample reasons for why data localization is not a sustainable governance tool and why human rights should figure prominently in the discourse on data localization.

Even data localization for economic purposes, at least in the case of Korea, originates from parochial internet regulations that put domestic companies at a disadvantage vis-à-vis foreign firms, and many of these regulations depart from international standards of human rights. Instead of restricting remote modes of supply and thereby causing friction with international economic law and treaties, Korea would be better off finding a much more efficient way to balance these competing interests while upholding its commitments to international norms and human rights standards.


1 Young-tae Oh, “Rep. Jae-il Byun Proposes a Bill to Resolve Discrimination Against Global IT Companies,” News Prime, September 4, 2018.

2 Asia-Pacific Economic Cooperation, “What Is the Cross-Border Privacy Rules System,” Asia-Pacific Economic Cooperation, October 2021.

3 Michael Kwet, “Digital Colonialism Is Threatening the Global South,” Al Jazeera, March 13, 2019.

4 Park Ji-sung, “[Issue Analysis] Global CP - Resolving Reverse Discrimination Against Domestic Companies, Remaining Tasks,” ET News, May 8, 2020.

5 Anupam Chander and Haochen Sun, “Sovereignty 2.0,” Georgetown Law Faculty Publications and Other Works, August 10, 2021, 8.

6 For an objective genealogy of China’s conceptions of data sovereignty, see Chander and Sun, “Sovereignty 2.0.”

7 Adrian Shabaz, Allie Funk, and Andrea Hackl, “User Privacy or Cyber Sovereignty: Assessing the Human Rights Implications of Data Localization,” Freedom House, 2020.

8 Julia Yoon, “South Korean Data Localization: Shaped by Conflict,” University of Washington’s Henry M. Jackson School of International Studies, February 28, 2018.

9 Rich Miller, “Germany’s Merkel Calls for Separate European Internet,” February 14, 2017; and Albright Stonebridge Group, “Data Localization: A Challenge to Global Commerce and the Free Flow of Information,” September 2015, 8.

10 Law360, “Brazil Nixes Data Localization Mandate From Internet Bill,” Law360, March 20, 2014.

11 Surabhi Agarwal and Megha Mandavia, “Local Servers of Tech Giants Like Facebook, Google May Help Indian Govt Debit Taxes,” Economic Times, December 17, 2018.

12 Jennifer Rankin, “EU to Find Ways to Make Google, Facebook and Amazon Pay More Tax,” Guardian, September 21, 2017.

13 “Indonesia May Force Web Giants to Build Local Data Centers,” Asia Sentinel, January 17, 2014.

14 Martin Schulz, “Keynote Speech at CPDP2016 on Technological, Totalitarianism, Politics and Democracy,” Lexxion 2 (2016): 11–14.

15 Philippe Bradley and Mark Young, “EU Data Retention Directive Declared Invalid by Court of Justice of the EU,” Inside Privacy, April 8, 2014.

16 Chander and Sun, “Sovereignty 2.0,” 24–25.

17 Lee Kyung-min, “‘Google Tax’ Emerges as Korea-US Trade Issue,” Korea Times, December 10, 2018; Oh, “Rep. Jae-il Byun Proposes a Bill to Resolve Discrimination Against Global IT Companies”; Minji Choi, “Global CP Reverse Discrimination Relief Act, A Record of the Day,” Digital Daily, May 17, 2020; Lee Doo-hyun, “Will the ‘Google Tax,’ Problem Be Solved? Rep. Jae-il Byun Proposes a Bill to Resolve Reverse Discrimination,” Inven, September 5, 2018; Kwon Min-soo, “Reverse Discrimination Between Google, Facebook, Netflix, and Korean IT Companies Will Decrease,” Daily Impact; and Park, “[Issue Analysis] Global CP - Resolving Reverse Discrimination Against Domestic Companies, Remaining Tasks.”

18 Lalitesh Kathragadda and Arghya Sengupta, “A Digital Dandi March: Push Data Localisation to Preserve Sovereignty and Enable Fair Competition,” Times of India, December 3, 2018.

19 Ireland is the only Council of Europe member that is not a party to the Budapest Convention. Dublin has signed the convention but has not yet ratified it. See Council of Europe, “Parties/Observers to the Budapest Convention and Observer Organisations to the T-CY,” Council of Europe.

20 U.S. Department of Justice Office of Justice Programs, “Criminological Aspects of Economic Crime – Conference of Directors of Criminological Research Institutes, 12th, Strasbourg, 15–18 November 1976,” U.S. Department of Justice Office of Justice Programs, 1976.

21 Council of Europe Committee of Ministers, “Recommendation No. R (89) 9 of the Committee of Ministers to Member States on Computer-Related Crime,” Council of Europe Committee of Ministers, September 13, 1989; and European Committee on Crime Problems, “Report on Computer-related Crime,” European Committee on Crime Problems, 1990 (Strasbourg).

22 Council of Europe Committee of Ministers, “Recommendation No. R (95) 13 of the Committee of Ministers to Member States Concerning Problems of Criminal Procedural Law Connected with Information Technology,” Council of Europe Committee of Ministers, September 11, 1995.

23 Council of Europe, “Additional Protocol to the Convention on Cybercrime, Concerning the Criminalisation of Acts of a Racist and Xenophobic Nature Committed Through Computer Systems,” Council of Europe, European Treaty Series No. 189, 2003; and Council of Europe Cybercrime Convention Committee, “Guidance Notes,” Council of Europe Cybercrime Convention Committee, December 2012.

24 Taejin Chung and Guangmeen Lee, “A Study on Accession by South Korea to the Budapest Convention on Cybercrime and International Cooperation Against Cybercrime,” National Police University Institute of Public Security Policy 14, no. 2 (2019): 65–84.

25 Jaejoon Jung, “Plan For Reactions Against International Cyber Crime - Budapest Convention on Cyber Crime Ten Years After Its Adoption,” Contemporary Review of Criminal Law 39 (June 2013): 6.

26 Kwang-hyun Ra and Hea-Sung Yoon, “An Empirical Review of the Performance of the Council of Europe Convention against Cybercrime,” Criminal Investigation Studies 8 (2019). Also see Council of Europe Cybercrime Convention Committee, “T-CY Assessment Report: The Mutual Legal Assistance Provisions of the Budapest Convention on Cybercrime,” Europe Cybercrime Convention Committee, December 3, 2014; and UN Office on Drugs and Crime, “Comprehensive Study on Cybercrime,” UN Office on Drugs and Crime, February 2013.

27 Heeyoung Park, Hojin Choe, and Sungjin Choe, “Laws Implementing the Cybercrime Treaty,” Supreme Prosecutors’ Office, 2015, 2–3.

28 Park, Choe, and Choe, “Laws Implementing the Cybercrime Treaty,” 129.

29 Korean Constitutional Court, “Case on Location Tracing Data Under Protection of Communications Secrets Act,” Korean Constitutional Court, June 28, 2018.

30 Korean Legislation Research Institute’s Korea Law Translation Center, “Protection of Communications Secrets Act,” Korean Legislation Research Institute’s Korea Law Translation Center. See Article 13, Paragraph 2.

31 Park, Choe, and Choe, “Laws Implementing the Cybercrime Treaty,” 79, 232–236.

32 Hyuk-doo Choi, “A Review on Implementing Legislation for the Adoption of the Cybercrime Convention,” National Police University Institute of Public Security Policy 32, no. 3 (December 2018): 387.

33 Chung and Lee, “A Study on Accession by South Korea to the Budapest Convention on Cybercrime and International Cooperation Against Cybercrime”; and Choi, “A Review on Implementing Legislation for the Adoption of the Cybercrime Convention,” 387.

34 Shin-woo Shin and Do-hee Kim, “Status of Ratification of the Convention on Cybercrime and Korea’s Legislative and Policy Responses,” National Assembly Research Services, December 2012, 6.

35 Korean Legislation Research Institute’s Korea Law Translation Center, “Protection of Communications Secrets Act.” See Article 15-2, Paragraph 1.

36 Shin and Do-hee Kim, “Status of Ratification of the Convention on Cybercrime and Korea’s Legislative and Policy Responses”; and Korean Legislation Research Institute’s Korea Law Translation Center, “Telecommunications Business Act,” Korean Legislation Research Institute’s Korea Law Translation Center.

37 Seon-sik Kim, “User Data No Longer Provided to Investigatory Authorities,” Hankyoreh, November 1, 2012.

38 Korean Supreme Court, “Violation of the National Security Act (Praise, Encouragement, etc.), Violation of the National Security Act (Meetings, Communication, etc.),” Korean Supreme Court, Judgment, 2017 Do 9747, November 29, 2017.

39 Kyung-lyul Lee and Gunwoo Ha, “A Study on the Implementation of the Budapest Convention on Cybercrime,” Korean Journal of Comparative Criminal Law 19, no. 4 (2018): 501–534. See pages 524–525.

40 Kim Hankyun, Sung Eun-kim, and Seung Hyun-lee, “International Cooperation for Prevention of Cybercrimes With a Focus on the European Cybercrime Prevention Treaty,” Supreme Prosecutors’ Office, December 2008, 8–139.

41 Chung and Lee, “A Study on Accession by South Korea to the Budapest Convention on Cybercrime and International Cooperation Against Cybercrime,” 78.

42 Lee and Ha, “A Study on the Implementation of the Budapest Convention on Cybercrime,” 523.

43 Taehee Han, “[Exclusive] Police Strengthen International Cooperation on Cybercrime . . . Start of Joining the ‘Budapest Convention,’” NewsPim, June 24, 2020.

44 Park Ji-eun, “International Cooperation Is Essential to Track ‘Nth Room’ . . . ‘You Must Join the Budapest Convention,’” Women News, April 4, 2020.

45 Kyung Sin “KS” Park, “Communication Surveillance in Korea,” Korea University Law Review 16–17 (May 2015): 53–72.

46 Ibid.

47 Ibid.

48 Se Young Lee and Sohee Kim, “South Korea Tries to Ease Cyber Surveillance Fears,” Reuters, October 16, 2014; Song Ho-kyun and Jung Hwan-bong, “More and More S. Koreans Going Into ‘Cyber Exile,’” Hankyoreh, October 7, 2014; “Cyber Exodus,” Korea Herald, October 6, 2014; and Kim Hyo-jin, “Somebody May Be Watching,” Korea Times, January 1, 2015.

49 Korean Legislation Research Institute’s Korea Law Translation Center, “Telecommunications Business Act.” See Enforcement Decree and Article 30.

50 Korean Legislation Research Institute’s Korea Law Translation Center, “Telecommunications Business Act.” See Article 22, Paragraph 1.

51 Korean Legislation Research Institute’s Korea Law Translation Center, “Telecommunications Business Act.” See Article 27.

52 Korean Legislation Research Institute’s Korea Law Translation Center, “Telecommunications Business Act.” See Article 92, Paragraph 1; and Korean Legislation Research Institute’s Korea Law Translation Center, “Act on Promotion of Information and Communications Network Utilization and Information Protection,” Korean Legislation Research Institute’s Korea Law Translation Center. See Article 64, Paragraph 4. Also see Korean Legislation Research Institute’s Korea Law Translation Center, “Telecommunications Business Act.” See Article 92, Paragraph 1.

53 Kelly Kim, “The Court Held the System Unconstitutional for ‘Infringement on the Freedom of Anonymous Expression’ in the Constitutional Complaint Filed by Open Net,” Open Net Korea, February 1, 2021.

54 Korean Legislation Research Institute’s Korea Law Translation Center, “Telecommunications Business Act.” See Article 32-4, Paragraph 2; Korean Legislation Research Institute’s Korea Law Translation Center, “Game Industry Promotion Act,” Korean Legislation Research Institute’s Korea Law Translation Center. See Article 12-3, Paragraph 1, Item 1; and Korean Legislation Research Institute’s Korea Law Translation Center, “Act on Promotion of Information and Communications Network Utilization and Information Protection.” See Article 44-5.

55 Korean Legislation Research Institute’s Korea Law Translation Center, “Act on Promotion of Information and Communications Network Utilization and Information Protection.” See Article 23-3. See also Jihwan Park, “Stop Telecoms From Collecting Resident Registration Numbers! Abolish the ‘Designated’ Identity Verification Agencies!,” Open Net Korea, March 7, 2014. For more information, see Jang Gyehyun and Lim Jong-In, “Technologies of Trust: Online Authentication and Data Access Control in Korea,” Carnegie Endowment for International Peace, August 17, 2021.

56 Korean Legislation Research Institute’s Korea Law Translation Center, “Act on Promotion of Information and Communications Network Utilization and Information Protection.” See Article 44-2. Also see Kyung Sin “KS” Park, “From Liability Trap to the World’s Safest Harbour: Lessons from China, India, Japan, South Korea, Indonesia, and Malaysia,” Oxford Handbook of Online Intermediary Liability, August 2020.

57 Korean Supreme Court, “Compensation (Miscellaneous), etc.,” Korean Supreme Court, Judgment, 2009 Da 53812, April 16, 2008.

58 Korean Legislation Research Institute’s Korea Law Translation Center, “Act on the Establishment and Operation of Korea Communications Commission,” Korean Legislation Research Institute’s Korea Law Translation Center. See Article 21, Item 4.

59 Kyung Sin “KS” Park, “Administrative Internet Censorship by Korea Communication Standards Commission,” Soongsil Law Review 33 (January 2015): 91–115; and “S. Korea Censored Over 200,000 Pieces of Online Data Last Year: Report,” Yonhap News Agency, September 25, 2020.

60 Korean Legislation Research Institute’s Korea Law Translation Center, “Youth Protection Act,” Korean Legislation Research Institute’s Korea Law Translation Center. See Article 26. (This law has since been abolished.)

61 Korean Legislation Research Institute’s Korea Law Translation Center, “Game Industry Promotion Act.” See Article 12-3, Paragraph 1, Item 3.

62 Korean Legislation Research Institute’s Korea Law Translation Center, “Telecommunications Business Act.” See Article 22-5.

63 Jimin Goo, “Is the Group Chat Video Also a Temple? . . . Examining the Censorship Controversy Over the ‘Nth Method,’” Dong-a Ilbo, December 14, 2021.

64 Telegeography, “Transit Price Research Report in Major Cities Around the World,” Korea Internet Companies Association, November 2021.

65 Michael R. Nelson and Kyung Sin “KS” Park, “Afterword: Korea’s Challenge to the Standard Internet Interconnection Model,” Carnegie Endowment for International Peace, August 17, 2021.

66 Business Korea, “Government to Ease Internet Regulations to Prevent Reverse Discrimination Against Local Firms,” Business Korea, January 1, 2014; and Business Korea, “Korean Gov’t Plans to Address Reverse Discrimination in Using Internet Network,” Business Korea, November 11, 2017.

67 Lim Young-shin, Hwang Soon-min, and Cho Jeehyun, “Naver, Kakao Chiefs Call for Actions to Address Reverse Discrimination Vs. Foreign Players,” Pulse News, October 22, 2021; and “KCC to Require Foreign Internet Companies to Follow Domestic Regulations,” Hankyoreh, December 13, 2018.

68 General Agreement on Tariffs and Trade, “Services Sectoral Classification List,” General Agreement on Tariffs and Trade, MTN.GNS/W/120, July 10, 1991. Value-added services means, according to W/120, electronic mail, voicemail, online information and database retrieval, electronic data interchange, enhanced facsimile services, code and protocol conversion, and online information and/or data processing services. Meanwhile, computer and related services consist of, according to W/120, consultancy services, software implementation services, data processing services, database services, and others.

69 World Trade Organization Appellate Body Report, “United States-Measures Affecting the Cross-border Supply of Gambling and Betting Services,” (“US—Gambling”), 227-33, WTO Doc. WT/DS285/AB/R, March 23, 2005.

70 World Trade Organization Appellate Body Report, “China–Measures Affecting Trading Rights and Distribution Services for Certain Publications and Audiovisual Entertainment Products,” (“China–Publications and Audiovisual Products”), 412, WTO Doc. WT/DS363/AB/R, January 19, 2010.

71 World Trade Organization, “General Agreement on Trade in Services,” World Trade Organization, April 15, 1994. See Article XVI on market access: “In sectors where market-access commitments are undertaken, the measures which a Member shall not maintain or adopt either on the basis of a regional subdivision or on the basis of its entire territory, unless otherwise specified in its Schedule, are defined as: (a) limitations on the number of service suppliers whether in the form of numerical quotas, monopolies, exclusive service suppliers or the requirements of an economic needs test; (b) limitations on the total value of service transactions or assets in the form of numerical quotas or the requirement of an economic needs test; (c) limitations on the total number of service operations or on the total quantity of service output expressed in terms of designated numerical units in the form of quotas or the requirement of an economic needs test; (d) limitations on the total number of natural persons that may be employed in a particular service sector or that a service supplier may employ and who are necessary for, and directly related to, the supply of a specific service in the form of numerical quotas or the requirement of an economic needs test; (e) measures which restrict or require specific types of legal entity or joint venture through which a service supplier may supply a service; and (f) limitations on the participation of foreign capital in terms of maximum percentage limit on foreign shareholding or the total value of individual or aggregate foreign investment.”

72 World Trade Organization Appellate Body Report, “US—Gambling.” Also see Markus Krajewski, National Regulation and Trade Liberalization in Services: The Legal Impact of the General Agreement on Trade in Services (GATS) on National Regulatory Autonomy (Amsterdam: Kluwer Law International, 2003), 86.

73 The two other available modes are consumption abroad and natural persons. For instance, in the U.S.-Korea Free Trade Agreement, the mode of commercial presence belongs to the investment chapter while the three other modes belong to the cross-border trade chapter. Relevantly, this trade agreement prohibits state parties from requiring service providers to shift into the commercial presence mode. Article 12.5 states, “Neither Party may require a service supplier of the other Party to establish or maintain a representative office or any form of enterprise, or to be resident, in its territory as a condition for the cross-border supply of a service.” See Office of the U.S. Trade Representative, “U.S.-Korea Free Trade Agreement: Final Text (as of January 1, 2019),” Office of the U.S. Trade Representative, January 1, 2019.

74 World Trade Organization Panel Report, “China—Certain Measures Affecting Electronic Payment Services,” (“China—Electronic Payment Services”), 7.687, WTO Doc. WT/DS413/R and Add.1, August 31, 2012; and World Trade Organization Appellate Body Report, “Argentina—Measures Relating to Trade in Goods and Services” (“Argentina—Financial Services”), 6.34, WTO Doc. WT/DS453/AB/R, April 14, 2016.

75 World Trade Organization Appellate Body Report, “European Communities—Regime for the Importation, Sale and Distribution of Bananas” (“EC—Bananas III”), 241, WTO Doc. WT/DS27/AB/R, September 25, 1997; and World Trade Organization Appellate Body Report, “Argentina—Financial Services,” 6.106.

76 World Trade Organization Appellate Body Report, “US—Gambling,” 3.150.

77 Ibid., 6.287.

78 World Trade Organization Panel Report, “Canada—Certain Measures Affecting the Automotive Industry” (“Canada—Autos”), 10.307, WTO Doc. WT/DS139/R, WT/DS142/R, February 11, 2000.

79 World Trade Organization, “General Agreement on Trade in Services”; and World Trade Organization, “Marrakesh Agreement Establishing the World Trade Organization,” Annex 1B, 1869 U.N.T.S. 183, 33 I.L.M. 1167, 1994.

80 World Trade Organization, “WTO Analytical Index: GATS – Article XIV (Jurisprudence),” World Trade Organization. Also see World Trade Organization Appellate Body Report, “US—Gambling,” Paragraph 339.

81 Sacha Wunsch-Vincent, “The Internet, Cross-Border Trade in Services, and the GATS: Lessons from US—Gambling,” World Trade Review 5 (2006): 319, 320–322.

82 Rolf H. Weber and Rainer Baisch, “Revisiting the Public Moral/Order and the Security Exceptions Under the GATS,” Asian Journal of WTO and International Health Law and Policy 13, no. 2 (2018), 375.

83 U.S. International Trade Commission, Digital Trade in the U.S. and Global Economies, Part 1, U.S. International Trade Commission Publication 4415 (Washington, DC: U.S. International Trade Commission, 2013); and Rachel F. Fefer, Shayerah I. Akhtar, and Michael D. Sutherland, “Digital Trade and U.S. Trade Policy,” Congressional Research Service, December 9, 2021.

84 European Commission, “Report From the Commission to the European Council: Trade and Investment Barriers Report 2015,” European Commission, March 17, 2015.

85 European Commission, “Horizontal Provisions for Cross-Border Data Flows and for Personal Data Protection (in US Trade and Investment Agreements),” in EU Trade and Investment Agreements, May 2018.

86 Office of the U.S. Trade Representative, “The Trans-Pacific Partnership: Promoting Digital Trade,” Office of the U.S. Trade Representative, 2015.

87 Jonah Force Hill, “The Growth of Data Localization Post-Snowden: Analysis and Recommendations for U.S. Policymakers and Industry Leaders,” Lawfare Research Paper Series 2, no. 3 (July 21, 2014).

88 Susan Ariel Aaronson, “Data Is Different: Why the World Needs a New Approach to Governing Cross-Border Data Flows,” Centre for International Governance Innovation Paper No. 197, November 14, 2018.

89 Susan Aaronson, “Why Trade Agreements Are Not Setting Information Free: The Lost History and Reinvigorated Debate Over Cross-Border Data Flows, Human Rights, and National Security,” World Trade Review 14, no. 4 (October 2015): 671–700.

90 Aaronson, “Why Trade Agreements Are Not Setting Information Free,” 19.

91 Sarah Box, “Internet Openness and Fragmentation: Toward Measuring the Economic Effects,” Global Commission on Internet Governance (Center for International Governance Innovation and Chatham House), Paper Series No. 36, 2016; and Sarah Box and Jeremy K. West, “Economic and Social Benefits of Internet Openness,” Organisation for Economic Co-operation and Development (OECD), OECD Digital Economy Series No. 257, 2016.

92 U.S. Department of State, “The Clean Network,” U.S. Department of State, 2021.

93 Aaronson, “Data Is Different: Why the World Needs a New Approach to Governing Cross-Border Data Flows.”

94 U.S. Department of State, “Declaration for the Future of the Internet,” U.S. Department of State.

95 Aaronson, “Why Trade Agreements Are Not Setting Information Free.”

96 Kelly Kim, “Open Net Filed a Lawsuit Against KCSC to Restore a P2P,” Open Net Korea, March 11, 2015.

97 Kate Jee-hyung Kim, “Lessons Learned From South Korea’s Real-Name Policy,” Korea Industry and Technology Times, January 15, 2012.