Digital transformation stands as a pivotal catalyst for growth and innovation in today's global economy. The rapid expansion of digital markets, encompassing new business models, underscores the urgent need to establish appropriate trade regulations and governance mechanisms to address their complexities and challenges effectively.

There is no doubt that collecting, processing, and sharing personal data have become indispensable for the modern data-driven digital economy. Starting from the premise that global data flows underpin cross-border digital trade, there is an increasing consideration of the need to strengthen data governance to address current data protection and consumer privacy issues.

It is becoming increasingly common to find chapters on digital trade in new trade agreements. These digital trade chapters often include rules governing transborder data flows. In this sense, new plurilateral trade agreements are shaping the regulatory environment for digital data.

Asia-Pacific countries have adopted some of the most advanced and developed agreements focused on digital trade, such as the United States-Japan Digital Trade Agreement, the Singapore-Australia Digital Economy Agreement (SADEA), and the Digital Economy Partnership Agreement (DEPA). The Comprehensive and Progressive Agreement for Trans-Pacific Partnership (CPTPP), for its part, contains an e-commerce chapter that applies to measures that “affect trade by electronic means” (a concept not defined), including provisions on personal information protection and cross-border transfer of information by electronic means, among others.

The DEPA, signed in 2020 among Chile, New Zealand, and Singapore, is one of the first comprehensive international agreements on digital commerce. During the negotiation process, Parties constantly referred to their intention to delineate an adequate framework for the progressive, reliable, and safe implementation of emerging technologies, including the governance of certain activities that underpin them, such as cross-border data transfers. It is to be noted that DEPA Parties envisioned this instrument as a model for possible World Trade Organization (WTO) e-commerce initiatives, as well as digital economy efforts within the Asia-Pacific Economic Cooperation (APEC) and other international bodies. Nonetheless, many DEPA provisions refer to non-binding commitments, starting points, or preliminary roadmaps for future collaboration. In this sense, it is worth asking: Does DEPA present a new approach to these issues, or does it reflect continuity with previous agreements?

Although the United States (US) did not participate in the negotiation process, DEPA contains language similar to the cross-border data provisions advanced by the US in the negotiations of what would eventually become the CPTPP. Among other relevant aspects, Parties strongly commit to facilitating the transfer of data across borders, even affirming the Parties' previous levels of commitment contained in other agreements. On this basis, it can be argued that this digital trade-focused agreement follows the US model on transborder data flows.

The purpose of this report is to analyze how the DEPA approach can shape or guide future negotiations and international governance rules on cross-border data flows and to determine whether DEPA provisions constrain governments from adopting their own standards on personal data transfers, identifying the possible added value of DEPA provisions.

Concerning the governance of personal data flows, DEPA's provisions do not introduce anything significantly new; they are essentially identical to those found in the CPTPP, initially proposed by the United States. This circumstance could be somehow related to DEPA's short negotiation period and countries’ divergent views on personal data regulation, which ‘inevitably required drawing heavily on existing agreements’. In this sense, at least as far as cross-border data flows are concerned, DEPA does not represent a new path but rather the continuation of the one traced by the United States.

When contrasting specific provisions of the CPTPP with those found in the DEPA, there are some subtle differences. that seem to reveal the intention of DEPA signatories not only to maintain the commitments reached in the CPTPP but also to deepen data transfer obligations, setting some common ground on cross-border data standards. In this sense, DEPA seems to demand a more active involvement from the signatory countries to achieve the interoperability of their different legal approaches, for example, through a commitment to endeavor to mutually recognize the other parties' data protection trustmarks as a valid mechanism to facilitate cross-border information transfers. Nevertheless, while recognizing that DEPA’s personal information protection provisions are more detailed than CPTPP rules, it must be concluded that they ‘fail to set minimum standards’.

In a global context where consensus remains elusive due to varying and, in some cases, conflicting approaches to essential digital trade issues, the fact that one of the earliest comprehensive international digital commerce agreements has adopted the US model does not seem innocuous. If we consider that DEPA has been specially conceived and designed as a pathfinder to ‘influence and contribute to multilateral trade negotiations on digital trade’, by means of its flexible language and modular structure, it is not difficult to imagine that a wide accession and replication of its terms and provisions could end up producing a de facto harmonization under the US data governance model.

Additionally, this report will refer to how the DEPA has approached other emerging topics, in particular Artificial Intelligence governance, addressing, among other aspects, source code disclosure and access issues. In this regard, the real impact of the DEPA is notable for what it omits, i.e., commitments on non-disclosure of source code. Accordingly, it can be concluded that DEPA, unlike other new free trade or digital trade agreements, does not impose obstacles for parties to establish domestic measures in pursuit of algorithmic transparency, fairness, and accountability involving access to source codes or their algorithms.