This section examines how adoption of USMCA-like provisions on the four issues highlighted previously could affect attempts at regulation of the digital economy in five of the IPEF negotiating countries. By providing examples from India, Indonesia, Philippines, Singapore and Australia, the case is made that adopting “high standard” provisions such as in the USMCA could limit domestic attempts at regulating the digital economy in public interest.[10]

4.1.1. Free Flow of Data

One of the primary issues of concern to Big Tech companies is the implementation of measures restricting the foreign transfers of data. Such measures can take a variety of forms, ranging from conditional requirements – such as the need for a finding that the foreign country will adequately protect the data or for consent of the data subject prior to a transfer – to strict requirements that mandate local storage and processing of data. For instance:

1. The EU’s General Data Protection Regulation (GDPR) permits foreign transfers of personal data only if subject to an adequacy decision[11] or other appropriate safeguards that ensure effective rights and remedies for data subjects. Such safeguards may include the use of binding corporate rules, approved data protection clauses or certification mechanisms, etc.
2. A number of countries bar foreign transfers of data that is considered particularly sensitive, such as financial, health, or telecom data. For example, Germany restricts transfers of telecom metadata and tax accounting data, and South Korea restricts transfers of mapping data and certain types of financial data (card data of consumers).

Data localisation mandates can be used, amongst other reasons, to:[xxii]

1. Protect the privacy rights of users by limiting the ability of corporations to transfer data to foreign countries where privacy standards may be lower or where individuals may find it difficult to exercise their privacy rights. Restrictions on data transfers can also enhance the ability to audit and secure data flows.
2. Enhance administrative efficiency and improve domestic law enforcement by ensuring that foreign corporations comply with a variety of domestic regulations, including by making it easier for regulators and authorities to carry out their supervisory and enforcement functions.
3. Promote economic and strategic purposes by requiring the building of local computing and storage facilities and enhancing domestic capacity in this respect or implementing measures to create a level playing field in the digital ecosystem through taxation and other such measures.

However, free flow of data clauses can restrict the ability of States to implement such measures.

Article 19.11 of the USMCA provides that: “No Party shall prohibit or restrict the cross-border transfer of information, including personal information, by electronic means if this activity is for the conduct of the business of a covered person.” This provision is subject to exceptions that permit the implementation of localisation measures that are “necessary to achieve a legitimate public policy objective” and that are not (a) applied in a manner so as to constitute an arbitrary or unjustifiable discrimination or a disguised restriction on trade, and (b) do not impose restrictions on transfer of data greater than necessary to achieve the relevant public policy objective. Further, Article 19.12 of the USMCA restricts signatories from requiring computing facilities to be located domestically as a condition to conduct business in that territory. Together these provisions act to limit the ability of signatories to decide on whether and what barriers should be created to exports of data from their territories.[12]

The scope of the permissible derogations under the USMCA provisions mentioned above is relatively narrow, setting a high standard for any domestic measure to meet to pass muster. For instance, the provisions in the USMCA are far stricter that in free trade agreements (FTAs) such as the Regional Comprehensive Economic Partnership (RCEP) and the Comprehensive and Progressive Agreement for Trans-Pacific Partnership (CPTPP).[13] The RCEP and CPTPP[14] recognise that: (a) parties may have their own regulatory requirements concerning the cross-border electronic transfer of information, and (b) parties may have their own regulatory requirements regarding the use of computing facilities, including requirements that seek to ensure the security and confidentiality of communications. These provisions provide a broader latitude for domestic measures to be adopted that may restrict cross-border data flows. Notably, Article 19.12 of the USMCA does not allow parties to invoke a legitimate public policy objective exception to impose hard localisation measures.[xxiii] The exceptions provided under the RCEP and CPTPP treaties are also broader – they explicitly permit measures to be adopted in the interests of national security, which may not be disputed by other parties to the treaty.

Under the USMCA, the cumulative impact of a domestic measure having to be both necessary and the least restrictive possible, reduces the space available to a signatory to adopt localisation-related measures.[xxiv] For instance, some have questioned whether requirements to take consent of data subjects prior to a cross-border data transfer could fall foul of these tests (in view of alternative, less restrictive measures available such as the creation of accountability mechanisms).[xxv] Indeed, these provisions could be said to favour a model of self-regulation, as such models are generally considered less restrictive that other more intrusive forms of regulation. There is also a lack of clarity on what constitutes a “legitimate public policy objective”.[xxvi] For instance, would measures to enhance supervisory access of regulators, or that seek to enhance domestic sovereignty over data in the form of measures to provide a level-playing field for domestic data businesses be covered under such a flexibility? Would such a provision hamper the effective implementation of high standards of privacy protection?

In this context, it is worth noting that the EU, which also implements conditional restrictions on foreign flows of data under the GDPR regime, has been wary of the inclusion of USMCA- style free flow of data clauses in the World Trade Organisation’s Joint Statement Initiative on E-Commerce, fearing that its domestic regulatory regime, which sets a high standard of data protection, may come under threat.[xxvii] The EU has instead sought to include provisions that specifically recognize the ability of countries to implement restrictions on cross-border transfers on grounds of protecting privacy.[xxviii]

Finally, it must be kept in mind that the provisions in the Digital Trade chapter of the USMCA are subject to certain general exceptions. These could, in theory, provide some flexibility to signatories to adopt contrary domestic measures. Thus, Article 19.2 (3) of the USMCA, excludes the applicability of the entire Digital Trade chapter to government procurement, or to information held or processed by or on behalf of a signatory. Further, Article 32.1(2) incorporates paragraphs (a), (b), and (c), of Article XIV of GATS into the agreement. These paragraphs provide for the application of domestic measures designed to: (a) protect public morals or public order, (b) protect human, animal, or plant life or health, and (c) enforce laws to protect safety of citizens or protect them from fraud or deceptive practices, or privacy harms. Such measures should not however be “arbitrary,” “discriminate unjustifiably” between countries, or take the form of a “disguised restriction” on trade in services.

Other general exceptions under the USMCA include:

1. Article 32.2 which allows for measures to be taken to protect security interests.
2. Article 32.4 which allows for measures to ensure integrity and stability of financial systems.
3. Article 32.8 which requires adoption of appropriate legal frameworks concerning privacy in signatory countries.

Based on the measure at hand, these exceptions could be used to justify the imposition of domestic regulation concerning any of the four issues under study in this report. For instance, the GATS exception for privacy protection could be used to justify the imposition of domestic measures that restrict cross-border data transfers of particularly sensitive personal data such as health or payments data.

However, it is worth noting that despite the presence of the general exceptions, the successful use of these to defend domestic regulatory measures is extremely rare. Notably, only two out of the 48 attempts to use the general exceptions under the GATT/GATS agreements have been successful over the past two+ decades.[xxix]  Further, the usefulness of these exceptions has been questioned in the context of the internet economy. For instance, while the GATS agreement uses fairly broad terms (such as “public morals,” “public order,” or the ability to impose regulations to protect health, etc.), [xxx] these are said to be “limited in scope and do not facilitate consideration of Internet trust issues holistically”.[xxxi] Thus, the exceptions provided for in the USMCA may not offer much policy flexibility for domestic regulation.[xxxii] Further, there is also a lack of clarity concerning the scope of the exemption created for the government. It is unclear to what extent the exemption applies to data held by regional/local governments, as well as public authorities. Norms concerning localisation of data held by state instrumentalities may therefore come under question.[xxxiii]

Among the countries under study, only Australia, Indonesia, and India apply any form of hard localisation norms:

1. Australia requires the localisation of health data under the My Health Records system.[xxxiv]  Service providers are required to store data only within Australia or face civil or criminal penalties.
2. Indonesia requires all public sector data to be stored locally.[xxxv] Private electronic systems operators are permitted to transfer personal data abroad, provided the data is made available to relevant regulatory authorities to carry out their supervisory functions.
3. India requires the localisation of government data, as well as digital payments data, corporate accounting data, certain types of health data, and telecom data.[xxxvi]

Each of the countries under study, however, does implement conditional restrictions on cross-border transfers of personal data, as explained below:

1. The Philippines’ Data Privacy Act 2012 and Implementing Rules[xxxvii] permit foreign transfers of personal data subject to the transferring entity retaining responsibility for ensuring security of the data. The data controller is required to ensure contractual arrangements or other reasonable means to provide a comparable level of data protection to data that is transferred to a third party.
2. Singapore’s Personal Data Protection Act 2012 and Personal Data Protection Regulations 2021[xxxviii] prohibit cross-border personal data transfers unless the data will be comparably protected outside of Singapore.[15]
3. Australia’s Privacy Act 1998 requires a data controller to take reasonable steps to ensure that a foreign recipient of data will not breach Australian privacy principles in handling the data.[16]
4. Indonesia’s Personal Data Protection Law 2022 permits foreign personal data transfers subject to the data recipient’s country having a legal framework that provides equivalent or greater protection as provided under the domestic law.[17]
5. Interestingly, the 2022 law does not revoke earlier regulations on data protection unless they are contrary to provisions of the new law. Thus, conditions provided in the Law on Protection of Personal Data in an Electronic System 2016 on foreign transfers of personal data could still apply.[xxxix] This law requires transfers of personal data outside Indonesia to be coordinated with the relevant government ministry or institution, implying that relevant authorities must be informed of the proposed data transfer, including by providing details of the destination country, name of the recipient, date of transfer, and reason/purpose for the transfer.
6. India’s Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011 permits cross-border data transfers of sensitive personal data if the foreign jurisdiction has a similar level of data protection as provided for under the Rules. Such a transfer “may be allowed only if it is necessary” for the performance of a contract between the person to whom the information relates and the body corporate, or if the person has consented to the transfer.

Each of the countries under study allows cross-border transfers of personal data, subject to equivalent protection being afforded to the data in the foreign jurisdiction, which is usually to be enforced through the presence of binding contractual clauses or similar instruments.

However, conversations around the implementation of hard localisation norms continue. Notably, India’s recently tabled Digital Personal Data Protection Bill 2023 would permit the Central Government to notify countries to which Data Fiduciaries (data controllers) may not transfer personal data. The provision is extremely broad in that it gives the government a general power, that can be exercised for unstated reasons, to blacklist entire countries from processing Indian data.

In Australia, the National Data Security Action Plan 2021, a discussion paper issued by the government, has sought public comments on whether Australia needs to implement more explicit data localisation measures in view of the possible security risks to data when stored abroad.[xl] The paper recognises the need to balance free flows of data with protection of sensitive information, noting that “while data localisation laws may be justified in some instances, widespread storage requirements can represent significant barriers to trade and economic cost.” The release of the paper has apparently spurred much debate in Australia, with Big Tech companies arguing no benefit to such measures, while others have either taken more nuanced positions, or as in the case of one Australian cloud service provider, have suggested “full data sovereignty”.[xli]

From the above, it is clear that while most of the jurisdictions under study employ conditional restrictions on data transfers, certain sectoral rules and regulations require localisation of specific forms of data considered particularly sensitive (such as health or payments data). While these may arguably fall under the scope of general exemptions provided for in trade law, this is subject to contestation, which would lead to legal uncertainty. In any event, as mentioned previously, the poor record of general exceptions protecting public interest-based domestic regulatory measures does not inspire confidence in the use of such measures in the context of the digital economy.

Further, measures such as those proposed in India’s Digital Personal Data Protection Act 2023 could fall foul of requirements of proportionality and necessity included in free flow of data clauses due to the broad nature of the localisation requirement. Even provisions in domestic law that permit conditional transfers of personal data could be subject to question under free flow of data clauses in trade agreements, due to the high bar required to meet the necessity and least restrictive measure tests, as well as ambiguity over the scope of permissible derogations on grounds of pressing public policy concerns. For instance, some have pointed to how the imposition of consent requirements for cross-border transfers of personal data “could be regarded as imposing restrictions greater than required to achieve the objective of privacy protection…”.[xlii] Thus, a number of the cross-border data transfer measures discussed above could be subject to contestation on the grounds of being unnecessary and disproportionate. This could take on added importance as more and more sectors of the economy become data driven. Measures aimed at ensuring security/privacy of the data, as well as appropriate regulatory access to the data, may be hampered by inclusion of broad free flow of data provisions in FTAs.

4.1.2. Disclosure of Algorithms and Source Code

Software plays an increasingly integral part of our lives today, with the growth of the AI ecosystem in particular implying that algorithms and the software (or source code underlying the software)[18] will be used in virtually every area of our lives, from the judiciary and policing to consumer products. However, software can be programmed to serve illicit purposes or can have unintended consequences ranging from promoting/enhancing discriminatory treatment to misappropriating and misusing user data.[xliii]

Ensuring that software “does what it says” or acts within acceptable legal and ethical bounds, can be important to prevent harms ranging from a loss of life and property to illegal surveillance and discrimination.[xliv]

While regulatory responses to risks arising from deployment of AI systems are still being developed, an increasing number of international and domestic regulatory policies have sought to implement measures to enhance the transparency of AI-related products.

For example:

1. The OECD’s AI Principles recognise the need for transparency, explainability, accountability, robustness, security and safety of AI tools.[xlv]
2. In the U.S., the Blueprint for an AI Bill of Rights calls for pre-deployment testing, risk identification and mitigation, and ongoing monitoring to ensure that AI systems are not unsafe, discriminatory, or inaccurate, as confirmed by independent evaluation.[xlvi]
3. A number of proposed data protection and other laws seek to ensure that software is safe to use by requiring pre- and post-deployment algorithmic impact assessments and algorithmic audits.[19]

However, clauses in free trade agreements can limit the ability of regulators and independent entities to conduct a priori investigations of the source code/algorithms used in software.

Article 19.16 of the USMCA limits the ability of signatories to require disclosure or access to the source code of software/algorithms as a condition precedent to the import, sale, use or distribution of the relevant software or products containing the software. The agreement provides a limited exception that permits disclosure of source code to a regulatory or judicial body for the purposes of a specific investigation or proceeding, and subject to implementation of safeguards against unauthorised disclosure. The limitation of disclosure only to instances where a specific investigation has been launched can be extremely restrictive. It may be difficult to establish bona fide grounds for an investigation without access to the source code or algorithm itself. This also limits the ability for external or independent audit of algorithms and software systems, which could be critical in jurisdictions with low regulatory capacity.

While such clauses have been included in trade agreements ostensibly on the basis that corporations need to protect their intellectual property from disclosure (and copying), provisions that bar scrutiny of source code/algorithms prior to deployment can enhance the “black box” nature of AI and software tools, thereby enhancing risks associated with such systems. Ex-ante evaluations of algorithms/source code – whether by regulators or independent entities – can highlight problems with AI and software systems before harm occurs. The ability to access to algorithms appears to be of particular interest in the context of competition and consumer protection, with several competition authorities the world over increasingly seeking to examine the anti-competitive harms caused by algorithms used by big digital platforms. As noted by the UK‘s Competition Markets Authority, “Having access to the data and/or the code means it is possible to audit a decision-making system through a comprehensive regulatory inspection in a more thorough manner than a ‘black-box’ approach.”[xlvii]  The OECD, citing several instances of competition authorities examining algorithms for anti-competitive outcomes, also recognises the importance of algorithmic auditability to protect consumer interests.[xlviii]

In any event, it is worth noting that the RCEP does not contain an analogous clause (restricting the disclosure of source code or algorithms), while Article 14.17 of the CPTPP applies only to source code and not algorithms. Further, the provision in the CPTPP does not specifically limit access to source code to instances where an investigation has been initiated. Indeed, the provision recognises that parties may require the modification of source code to enable compliance with domestic regulation. The power to require correction/modification of source code is done away with the in the USMCA, thereby limiting the ability of parties to require changes to algorithms/source code that could be found to be biased or otherwise harm individuals.[xlix]

The extension of treaty provisions to restrict access to algorithms is particularly worrying given that very few states, if any, have reached consensus on whether and how to regulate the AI ecosystem. While jurisdictions such as the EU and the U.S. have proposed various regulatory interventions in this space, in the countries under study, only Singapore appears to have a reasonably advanced policy framework pertaining to AI.

As part of its AI Strategy, 2019, Singapore recognises the need for a “progressive and trusted” environment to be created for the deployment of AI systems. To this end, it has adopted a largely self-regulatory/voluntary framework consisting of:

1. Principles to Promote Fairness, Ethics, Accountability and Transparency in the Use of Artificial Intelligence and Data Analytics in the Financial Sector 2018: This document contains a set of principles that seek to promote fairness, ethics, accountability and transparency in the use of AI in financial systems. The document seeks to provide guidance to firms on ethical uses of AI and how to strengthen internal processes around data management and use. The document, however, does not refer to the need for any external testing or audit of AI systems.
2. Model AI Governance Framework 2020: This voluntary code is intended to provide guidance to the private sector on deployment of AI systems. The document stresses that human well-being and safety should be a primary consideration in designing, developing, and deploying AI systems, and it recognises the need for organisations using AI in decision making processes to ensure that those processes are explainable, transparent, and fair. It highlights the importance of auditability, explainability, accountability, and fairness in the AI ecosystem, noting that evaluation of an AI product by internal or external auditors can contribute to the trustworthiness of an AI system and demonstrate the responsibility of design and justify outcomes. However, the document also notes that auditability does not entail making information about business models of intellectual property related to the AI system publicly available. The document therefore recommends a risk-based approach to auditability, with such practices to be adopted where necessary or where required for an organisation to align itself with regulatory requirements or industry practice.[20]
3. An AI governance testing framework known as AI Verify: Launched in 2022 by the Infocomm Media Development Authority, the project seeks to enable AI developers to demonstrate their claims about performance of their systems by enabling voluntary self-assessment of their systems. The system is designed to preclude organizations from unintentionally divulging sensitive information from their AI systems (such as their underlying code or training data).[l]

Singapore, therefore, does not explicitly require any disclosure or audit of source code in its AI regulatory framework.[21]

The other countries under study—Australia, India, Indonesia and the Philippines—do not implement any specific AI-related regulations, though each has in place high-level AI-related policies and ethics-related guidelines.

For instance:

1. Australia has developed an AI Ethics Framework, released in 2019, which consists of 8 principles which AI developers may use (voluntarily) to ensure their products/systems are safe, secure, and reliable.[li] These principles include those of transparency and explainability, which require responsible disclosure so people can understand when they are being impacted by AI and can find out when they are using an AI system. The principle of accountability recognises the need for human oversight of AI.
2. The National AI Strategy of the Philippines recognises a variety of harms that could be caused by the unrestricted development and use of AI systems and therefore recognises the need for regulation of AI systems, noting in particular that AI-driven platforms may need to be audited to ensure that biases are not amplified or further propagated. [lii] The policy also recognises the need for proper appraisal of algorithms in cases where interpretability may be critical such as where decisions of AI systems impact humans.
3. In India, the government’s apex think tank, the Niti Aayog, has released a National Strategy for AI 2018, which identifies key opportunities and challenges for AI development and lays down a high-level roadmap for AI development.[liii] It has also developed Principles for Responsible AI, which lay down broad ethical guidelines and considerations for regulating the AI ecosystem.[liv] In addition to recognising the need for ethical uses of AI, and the possibility of various harms such as bias and discrimination arising from the unregulated use of AI, the document recognises seven principles to guide the adoption of AI in a responsible manner. While recognising that AI systems should be based on principles of equality, safety, reliability, inclusivity, non-discrimination, privacy, and security, the document highlights two vital principles: transparency and accountability. The principle of transparency implies that the design and function of AI systems should be recorded and made available for scrutiny and audit, to the  extent possible, so as to ensure that deployment of a system is fair, honest, impartial, and guarantees accountability. The principle of accountability, amongst other things, requires stakeholders involved in design, development and deployment of AI systems to set up auditing processes, either internal or external, to oversee adherence to relevant AI principles.
4. In Indonesia, the government’s National AI Strategy, the Stranas KA, recognises the need for development of ethics-based regulatory frameworks as a key focus area. The document therefore includes plans for “national standards, regulations and an ethics board to ensure that usage of AI is in accordance with the country’s Pancasila values system”.[lv]

While each of these countries has not yet implemented regulatory frameworks concerning the use of AI, the conversations around regulation of this space are growing. For instance, the Australian government released a discussion paper in June 2023 seeking public comment on the need for and methods of regulation within the AI ecosystem.[22] Separately, a  report by the former House of Representatives Select Committee on Social Media and Online Safety makes various recommendations on the use of algorithms by digital platforms, which include greater examination of the harms caused by the use of algorithms as well as potential mechanisms to require platforms to report on their use of algorithms.[lvi] In its response, the Government of Australia has broadly agreed with the need for better understanding of how digital platforms use algorithms in their operations. It has also noted that various government departments are looking into various regulatory options concerning AI.[lvii]

India’s proposed Digital India Act is likely to implement regulation over the AI ecosystem, in particular rules pertaining to quality testing, algorithmic accountability, and vulnerability assessment.[lviii] While the draft law is not yet available to the public, it is possible that it may require some measure of ex-ante disclosure to, or assessment of, algorithms/source code by the government/regulators.

From the above, it is clear that while each of the countries under study has recently recognised the need for development of AI systems based on sound ethics, regulatory frameworks in this regard are still to be fully developed. While many of the high-level policy documents in these countries recognise the need for greater transparency and auditability of AI systems, they remain unclear about the mechanisms to achieve these ends. While self-regulatory models are unlikely to fall foul of USMCA-style provisions, the use of more intrusive regulatory options that mandate disclosure or audit of source code/algorithms is likely to be problematic despite the presence of general exceptions (as discussed previously).

At the same time, there is growing public disquiet around the use and deployment of AI products and the lack of transparency over algorithms. For instance, in Indonesia, Gojek, a popular ride-sharing app, has faced calls for scrutiny over its algorithms from drivers who allege that the app’s algorithms have “increasingly squeezed and exploited” their working conditions.[lix] Similar protests have been seen in India in the context of Zomato—a food delivery app—tweaking its algorithms to unilaterally impose more onerous working conditions on riders.[lx] In Australia, the “robo-debt” scandal demonstrated the need for greater transparency and oversight of the use of AI and algorithmic systems, particularly where this could have significant impacts on people’s lives.[23]

In other contexts, such as Europe’s AI Act, similar interventionist regulatory approaches have faced significant pushback from Big Tech and industry lobbies.[lxi] The establishment of international rules that mandate deregulation in the AI space only aids such efforts. Under these circumstances, signing up to IPEF provisions that limit the ability of regulators or external experts to audit AI systems (through access to source code or underlying algorithms) would be, at the very least, premature.

4.1.3. Safe Harbour

The concept of “safe harbour” was first seen in the American Communications Decency Act, 1996 (“CDA”). Section 230 of CDA provides that “interactive computer services”[24] cannot be treated as the publisher or speaker of third-party information carried on their platforms.[25] Thus, the provision provides immunity from prosecution to platforms for carrying/distributing potentially harmful third-party content, and in the process seeks to encourage self-regulation (content moderation) by digital platforms. Crucially, the provision protects platforms from liability in circumstances where they have knowledge of harmful content being circulated.

A number of countries across the world have introduced laws that borrow from the CDA in insulating digital platforms from claims that could arise as a result of carrying illicit/illegal content. However, the safe harbour frameworks in many jurisdictions do not extend as far as the protection afforded by Section 230 CDA. Instead, many jurisdictions implement a functional differentiation between different types of intermediaries and only protect intermediaries from liability from third-party content if they are acting as passive transmitters (or distributors) of content. This entails that if knowledge of illegal content can be ascribed to the intermediary, it cannot avail of safe harbour. Thus, the safe harbour provided under these laws is of a far more limited nature than under American law under the CDA. For instance, the European Union’s E-Commerce Directive distinguishes between intermediaries providing caching, hosting, and conduit services, with different obligations imposed on each type of intermediary.[26]

While many point to how a safe harbour provision is essential to protect online speech, others argue that limiting the liability of platforms has resulted in the creation of an online ecosystem where harmful acts (ranging from the spread of disinformation to cyber bullying as well as terrorist and other extremely dangerous content) are rife, given that platforms have no incentive to moderate content.[lxii] Some have viewed safe harbour as a subsidy, which seeks to enable growth of platforms by insulating them from large damage claims.[lxiii]

In view of the significant harms seen in the online ecosystem, often occasioned by the platforms themselves, a number of countries have imposed or are considering imposing obligations on various types of intermediaries to ensure the digital ecosystem is safe.

For example:

1. The UK’s Online Safety Bill seeks to create a new “duty of care” for online platforms that would require them to take action against illegal/harmful online content or face significant fines (and in some cases criminal action).
2. The German Network Enforcement Act in Germany requires large social media platforms to put in place processes to disable or block access to content that is manifestly unlawful within a stated time period.[lxiv] The law also requires platforms to maintain robust grievance redress processes and imposes various reporting/transparency requirements.
3. A number of jurisdictions, notably Japan and the U.S. (in the context of copyright content), only exempt intermediaries from liability for third-party content in the event they do not have knowledge thereof. These countries apply the general concepts behind distributors’ liability to the Internet, implying that should any illegal/illicit content be brought to the attention of the platform concerned, and they fail to take appropriate remedial action, they could be held liable for the spread of the content.[lxv]
4. The Digital Services Act in the EU establishes requirements for platforms to improve their content moderation practices. The law maintains immunity from prosecution to intermediaries (for carrying illegal third-party content) but establishes a variety of obligations that intermediaries are required to follow, which include the establishment of grievance redress mechanisms, and obligations aimed at enhancing the transparency of platforms towards users.

Such laws, while subject to criticism (usually on grounds of disproportionately restricting speech) pose a significant threat to the business models of large digital platforms, who can currently not just evade responsibility for harmful activities but are often alleged to actively enhance the spread of harmful content. Implementation of greater duties of care on platforms could lead to greater economic costs (in terms of operating costs occasioned by the need to implement content moderation practices or purchasing liability insurance) for platforms. It could also reduce online engagement, thereby reducing revenues.[27]

Accordingly, Big Tech is pushing for the introduction of USMCA-like provisions in the IPEF, aiming to extend the broad protection afforded by U.S. law on intermediaries to other countries.

Article 19.17 of the USMCA mandates that signatories should not adopt measures that treat “a supplier or user of an interactive computer service as an information content provider in determining liability for harms related to information stored, processed, transmitted, distributed, or made available by the service, except to the extent the supplier or user has, in whole or in part, created, or developed the information.” Parties are barred from imposing liability on suppliers of interactive computer services for taking action to moderate content on their platforms in good faith.[28]

This provision therefore replicates the CDA position under which platforms are (a) not to be held liable for third party content on their platforms (even if the platform is aware of the harmful content), and (b) encouraged to self-regulate. Notably, both the RCEP and CPTPP do not contain an analogous provision.

Inclusion of a USMCA-like provision in the IPEF could significantly affect the ability of signatories to implement duties on platforms to make the online ecosystem safer and more secure.[29] As with the previously discussed provisions, deregulation of the platform economy would largely benefit incumbent players in the ecosystem.

This would also threaten a number of domestic policy initiatives in countries that are negotiating the IPEF. For instance, Australia, India, the Philippines, and Singapore all confer safe harbour on intermediaries in the event they do not have “actual knowledge” of the offending third-party content. Each of these countries, together with Indonesia, requires intermediaries to take down illicit content once informed of the same. Indeed, many jurisdictions are seeking to increase the scope of the obligation on platforms to not just take down content once it is notified, but also to proactively filter their platforms for illegal content.

While requirements for proactive filtering of content have been criticized by many due to possible negative effects on civil liberties, the spread of a various types of harmful content on digital platforms—ranging from fake news to terrorist and other extreme forms of violent content—have created a situation where all the jurisdictions under study are looking at implementing greater state control over the social media space.

Some of the initiatives in this regard are:

1. The Australian Online Safety Act 2021, which requires intermediaries to establish grievance redress mechanisms for users, ensuring proactive filtering to reduce access to illicit content and empowering the e-safety commissioner to issue notices directing removal, blocking, or link-deletion notices. A failure to comply with a notice can lead to fines being imposed on the intermediary.
2. The Australian Criminal Code Amendment (Sharing of Abhorrent Violent Materials) Act 2019 requires intermediaries to expeditiously remove certain types of illegal content, failing which they can face civil or criminal punishment. Similarly, the Enhancing Online Safety Act 2015 establishes the office of the eSafety Commissioner, which is responsible for ensuring safety of the online ecosystem. The authority can issue removal notices for various types of illicit online content (cyber bullying, cyber abuse, non-consensual intimate images, Class 1 and Class 2 content under the Broadcasting Services Act).
3. The proposed Digital India Act in India is expected to cast obligations on intermediaries to prevent various harms to users, such as the spread of revenge porn, cyber-bullying, etc.
4. The Indian Information Technology Act 2000 and rules issued thereunder require intermediaries to “make reasonable efforts” to prevent users from publishing illicit content. They also require intermediaries to establish grievance redress processes that are overseen by a government-appointed committee. Significant social media intermediaries are also required to “endeavor to deploy technology-based measures” to proactively identify particularly egregious types of illicit content.
5. Indonesia’s Ministerial Regulation 5/2020 requires electronic service operators to proactively monitor and take down prohibited information and/or documents, as well as any information that could “inform ways or provide access” to such documents.
6. Singapore has proposed two codes of practice for online social media services that require platforms to take various ex-ante measures to regulate content, including through proactive filtering of content, providing users tools to report illegal content, and implementing grievance redress mechanisms. The Protection from Online Falsehoods and Manipulation Act 2019 enables a regulator to issue various directions to intermediaries to fact-check and disable access to false information. The regulator can also issue codes of practice that can require intermediaries to carry out certain forms of due diligence, identify locations from where false information is being spread, and prevent the use of bots from circulating such information.

While the content and effects of these regulations could be debated, what is clear is that each of the jurisdictions under study is attempting to put in place measures that cast greater obligations on intermediaries (particularly platforms) to make the online ecosystem safer and more transparent towards users. This represents a clear move away from the position adopted in the CDA. It is to be noted that the utility of the safe harbour provision in the CDA is increasingly being questioned, even in the U.S.[lxvi] The growing use and impact of social media in particular has brought about a realization that self-regulation of platforms is insufficient to promote a safe and trustworthy online ecosystem. Implementation of retrograde safe harbour provisions in the IPEF could therefore scuttle any such attempts at regulation. While such measures could possibly be defended using general exemptions that permit domestic measures to protect public morals, health and safety, etc., as discussed previously, the use of such exceptions has proven difficult in practice. Given the significantly different legal regimes used by the countries under study (and the pushback against S 230, CDA in the U.S.), it appears unlikely that, despite the wishes of Big Tech, that the IPEF will include a safe harbour provision modelled on Section 230 of the CDA.

—

1. These five countries have been selected for study based on their size and economic heft. The regulatory frameworks concerning the digital ecosystem in each of these countries is also at different stages, with Australia and Singapore having the most advanced regulatory systems. For instance, data protection legislation in these countries was passed in 1988 and 2012 respectively. In comparison, India, the Philippines, and Indonesia have far more underdeveloped regulatory frameworks pertaining to the digital ecosystem. India, for instance, has yet to enact a comprehensive data protection law, while Indonesia passed such a law in 2022.
2. That is, pursuant to a decision by the European Commission that a foreign jurisdiction ensures an adequate level of protection to the data, taking into consideration a variety of factors such as the relevant legislation, the presence of independent supervisory authorities, rule of law, and respect for human rights among others.
3. Separately, Article 17.18 of the USMCA, allows localisation measures to be implemented regarding financial payments in certain circumstances where sectoral regulators are not provided immediate, ongoing, and direct access to financial data required for their regulatory and supervisory roles and such failure is not remedied. This provision was apparently included in view of the difficulties of the U.S. financial regulators to access offshore financial data following the collapse of Lehman Brothers and the global financial crisis in 2008. However, one may question whether regulatory needs are met by this provision, given that a remedial process may take time, thereby delaying access to any important financial data.  Jane Kelsey, John Bush, Manuel Montes, and Joy Ndubai, How Digital Trade Rules Would Impede Taxation of the Digitalised Economy in the Global South, Third World Network, https://www.twn.my/title2/latestwto/general/News/Digital%20Tax.pdf
4. Article 12.15 and Article 14.11 of the RCEP and CPTPP recognise that parties may have their own regulatory requirements concerning the electronic transfer of information. The agreements require parties to allow cross-border transfers of information when this activity is for the conduct of the business of a covered person. Derogations from the provision are permissible in order to achieve a legitimate public policy objective, when such a measure is not arbitrary or a disguised restriction on trade, and where the measure is proportionate to the objective sought to be achieved. In addition, the RCEP permits derogations on national security grounds, which may not be disputed by other parties. Articles 12.14 and 14.13 of the RCEP and CPTPP recognise that parties may have their own regulatory requirements regarding the use of computing facilities, including requirements that seek to ensure the secrecy and confidentiality of communications. Further, no party shall require a covered person to use or locate computing facilities within that party’s territory as a condition for conducting business within that territory. However, parties are permitted to adopt measures to achieve legitimate public policy goals subject to such measures being non-arbitrary/a disguised restriction on trade and proportionate. In addition, the RCEP permits derogations on national security grounds, which may not be disputed by other parties.
5. Amongst the countries under study in this report, the Philippines, Indonesia, Australia, and Singapore are parties to RCEP, while Australia and Singapore are parties to the CPTPP.
6. Specific entities may be exempt from this requirement by the data protection authority upon request. For the purpose of a foreign transfer, the transferers of data must ensure that the recipient of the data is subject to legally enforceable obligations requiring protection of the data. This can occur through the presence of a law that protects the data, contractual provisions requiring a comparative standard of data protection, the use of binding corporate rules or similar legally binding instruments, or if the recipient holds certifications recognising that it provides a comparable degree of protection to the data. In any event, foreign transfers of personal data can also take place subsequent to consent of the individual concerned, in contexts where consent is deemed to have been provided, where the transfer is necessary to protect the vital interests of the individual and consent cannot be obtained in a timely manner and would not reasonably be withheld or if the transfer is in the national interest, the personal data is in transit through Singapore or if the personal data is publicly available in Singapore.
7. This requirement is not applicable if certain conditions are met, including explicit consent of the data subject, where the transfer is required by law or an international agreement to which Australia is a party, or if the transferring entity reasonably believes that the recipient is subject to a law or binding scheme that protects the data in a way that is substantially similar to how the data is protected by the Australian Privacy Principles, and the individual concerned has the ability to access mechanisms to enforce the law or binding scheme.
8. In the alternative, i.e. where the recipient’s country does not provide a sufficiently high standard of data protection, the controller must “ensure that there is adequate and binding personal data protection.” Hunter Dorwart et al., Indonesia’s Data Protection Bill: Overview, Key Takeaways and Context, Future of Privacy Forum, October 19, 2022 https://fpf.org/blog/indonesias-personal-data-protection-bill-overview-key-takeaways-and-context/. Specifics of how this is to be achieved will be laid down in regulations to be notified subsequently. If the above two conditions are not met, personal data may be transferred abroad subsequent to consent of the data subject.
9. A simple way of understanding source code is that this is the series of instructions that a computer program uses to perform a particular task. In more complex systems, based on machine learning and other newer forms of computing, the source code may provide guidance on how the program is to go about ‘learning.’ Algorithms are a set of instructions that are used to perform a specific task. Cosmina Dorobantu, Florian Ostmann, and Christina Hitrova, Source Code Disclosure: A Primer for Trade Negotiators, Chapter 4 in Addressing Impediments to International Trade, Alan Turing Institute, 2021, https://www.turing.ac.uk/sites/default/files/2021-06/dorobantu_ostmann_hitrova_2021_1.pdf
10. See for instance, the American Data Privacy and Protection Act (HR 8152), the Facial Recognition Act, 2022 (HR 9061), the Justice in Forensic Algorithms Act, 2021 (HR 2438), Platform Accountability and Transparency Act (S 5339), and the Facial Recognition and Biometric Technology Moratorium Act, 2021 (HR 3907/S 2052), cf. Daniel Rangel and Lori Wallach, International Pre-emption by “Trade” Agreement: Big Tech’s Ploy to Undermine Privacy, AI Accountability, and Anti-Monopoly Practices, Rethink Trade, March 2023, https://rethinktrade.org/wp-content/uploads/2023/03/International-Preemption-by-Trade-Agreement.pdf.
11. Annexure B to the document notes that algorithmic audits would have to be carried out at the request of a regulator. Carrying out an audit may require engaging external experts. The document notes that an algorithmic audit can be an expensive tool, and therefore recommends only carrying out such an assessment when it is clear that such an exercise will yield a “clear benefit” for an investigation.
12. Its privacy law too does not specifically require auditing of algorithms in the form of privacy impact assessments, though organisations are required to develop and implement policies and practices that are necessary for the organisation to comply with the PDPA. Organisations are therefore “encouraged” to conduct privacy impact assessments. Personal Data Protection Commission Singapore, Guide to Data Protection Impact Assessments, 2021, https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Other-Guides/DPIA/Guide-to-Data-Protection-Impact-Assessments-14-Sep-2021.pdf
13. The document notes the various harms that are made possible due to the use of AI systems (ranging from the spread of misinformation to discrimination) and lays down various options for regulation of the AI ecosystem (ranging from self-regulatory models such as that employed in Singapore to more interventionist regulation such as in the form of the EUs proposed AI Act). Department of Industry, Science and Resources, Safe and Responsible AI in Australia: Discussion paper, Government of Australia, June 2023, https://storage.googleapis.com/converlens-au-industry/industry/p/prj2452c8e24d7a400c72429/public_assets/Safe-and-responsible-AI-in-Australia.pdf
14. The “robo debt” scandal arose out of the use of AI-based systems to calculate and recover welfare overpayments, thereby defeating welfare fraud. The system was however shown to use faulty data and was barred by the Australian Federal Courts in 2019. Mark Brogan and Mark Arratoon, Robodebt, algorithmic accountability and the law of averages, The Mandarin, January 19, 2023, https://www.themandarin.com.au/209861-robodebt-algorithmic-accountability-and-the-law-of-averages/; Peter Whiteford, Debt by Design: The anatomy of a social policy fiasco – or was it something worse?, AJPA Volume 80, Issue 2, June 2021, pp 340-360, https://onlinelibrary.wiley.com/doi/10.1111/1467-8500.12479; Centre for Responsible Technology, I, Robodebt, Submission to the Australian human Rights Commission discussion paper on human rights and technology, March 2020, https://humanrights.gov.au/sites/default/files/2020-07/50_-_the_australia_institutes_centre_for_responsible_technology_1.pdf
15. Defined as “any information service, system, or access software provider that provides or enables computer access by multiple users to a computer server, including specifically a service or system that provides access to the Internet and such systems operated or services offered by libraries or educational institutions.”
16. The provision is subject to certain exceptions created for enforcement of (a) federal criminal laws, (b) intellectual property laws, (c) certain state laws, (d) electronic communication related privacy laws, and (e) knowingly hosting content that promotes sex trafficking.
17. In order to avail of the safe harbour, mere conduit intermediaries must not initiate the transmission, select the receiver of the transmission, and select or modify the information contained in the transmission. Cache providers must not modify the information, must comply with conditions on access to the information, must comply with rules regarding the updating of the information, must not interfere with the lawful use of technology, widely recognised and used by industry, to obtain data on the use of the information, and they must act to expeditiously remove or to disable access to the information it has stored upon obtaining actual knowledge that the information at the initial source of the transmission has been removed from the network, or access to it has been disabled, or that a court or an administrative authority has ordered such removal or disablement. Finally, in order to claim safe harbour, hosts should not have actual knowledge of the illegal act and, as regards claims for damages, should not be aware of facts or circumstances from which the illegal activity or information is apparent; and upon obtaining such knowledge or awareness, must act expeditiously to remove or to disable access to the information.
18. It is commonly stated that social media platforms for example, profit from hateful content by promoting such content in order to garner engagement. Tom Bateman, Facebook profits off hate and that’s why it won’t change, says whistleblower Frances Haugen, EuroNews, October 4, 2021, https://www.euronews.com/next/2021/10/04/facebook-profits-off-hate-and-that-s-why-it-won-t-change-says-whistleblower-frances-haugen; Kris Shaffer, The Business of Hate Media, Medium.com, April 24, 2017, https://medium.com/data-for-democracy/the-business-of-hate-media-47603a5de5f4
19. Exceptions to the provision are provided for enforcement of intellectual property and criminal law.
20. One may note that various members of the U.S. Congress sought to have Article 19.17 of the USMCA removed, as it was felt this may limit the ability of the U.S. legislature to amend Section 230 of the CDA at a subsequent point of time.