DIGITAL TRADE REGULATORY READINESS
A Global Database

Martín Molinuevo, Nigorakhon Sadikova, Alexandrea Schwind, Lillyana Sophia Daza Jaller

Prosperity Insight Series
TRADE, INVESTMENT AND COMPETITIVENESS

© 2025 International Bank for Reconstruction and Development / The World Bank
1818 H Street NW
Washington DC 20433
Telephone: 202-473-1000
Internet: www.worldbank.org

This work is a product of the staff of The World Bank with external contributions. The findings, interpretations, and conclusions expressed in this work do not necessarily reflect the views of The World Bank, its Board of Executive Directors, or the governments they represent.

The World Bank does not guarantee the accuracy, completeness, or currency of the data included in this work and does not assume responsibility for any errors, omissions, or discrepancies in the information, or liability with respect to the use of or failure to use the information, methods, processes, or conclusions set forth. The boundaries, colors, denominations, links/footnotes and other information shown in this work do not imply any judgment on the part of The World Bank concerning the legal status of any territory or the endorsement or acceptance of such boundaries. The citation of works authored by others does not mean the World Bank endorses the views expressed by those authors or the content of their works.
Nothing herein shall constitute or be construed or considered to be a limitation upon or waiver of the privileges and immunities of The World Bank, all of which are specifically reserved.

Rights and Permissions

The material in this work is subject to copyright. Because The World Bank encourages dissemination of its knowledge, this work may be reproduced, in whole or in part, for noncommercial purposes as long as full attribution to this work is given.

Any queries on rights and licenses, including subsidiary rights, should be addressed to World Bank Publications, The World Bank Group, 1818 H Street NW, Washington, DC 20433, USA; fax: 202-522-2625; e-mail: pubrights@worldbank.org.

Cover photo courtesy of the World Bank Group. All other photos courtesy of ShutterStock.com.

TABLE OF CONTENTS

Abbreviations
Acknowledgements
Executive Summary
1. Introduction
   A. Digital trade and regulation
   B. Existing databases
2. DTRR Regulatory Areas
   A. Policies and measures covered
      i. Regulatory solutions
   B. Regulation on electronic transactions
      i. Electronic documents
      iii. Paperless trade
   C. Trust building regulation
      i. Online consumer protection
      ii. Data protection
      iii. Artificial intelligence
      iv. Cybersecurity & cybercrime
   D. Platform regulation
      i. Cross-border data
      ii. Intermediary liability
3. DTRR Database Methodology
   A. Data collection and review methodology
      i. Traceability to its original source
      ii. Scope of the data collection
      iii. Interpretation
      iv. Deviations I: Restrictions on cross-border data flows
      v. Deviations II: Paperless Trade and Digital ID
   B. Geographical scope
   C. Caveats
      i. Sub-set of regulation
      ii. Legal interpretation
      iii. Implementation / de facto Regulation
      iii. Different legal systems
      v. Presenting regulatory “Readiness” trends: quintiles
   D. Next steps
      i. Data update and validation
      ii. Expansion of data coverage
      iii. Uses
      iv. Analytical and Quantitative work
      v. Feedback
4. Looking Ahead
Bibliography
Annex I: List of Regulatory Solutions Captured in DTRR Database

Abbreviations

AI: Artificial Intelligence
ASEAN: Association of Southeast Asian Nations
B2B: business-to-business
B2C: business-to-consumer
BPO: Business processing outsourcing
C.A.R.: Central African Republic
CPTPP: Comprehensive and Progressive Agreement for Trans-Pacific Partnership
DEPA: Digital Economy Partnership Agreement
D.R.C.: Democratic Republic of Congo
DTRR: Digital Trade Regulatory Readiness
DTI: Digital Trade Integration
ECIPE: European Center for International Political Economy
EU: European Union
KPO: Knowledge processing outsourcing
ICT: information and communications technology
LDC: Least Developed Country
OECD: Organization for Economic Co-operation and Development
UAE: United Arab Emirates
WDR: World Development Report
UK: United Kingdom
UN: United Nations
UNCITRAL: United Nations Commission on International Trade Law
UNCTAD: United Nations Conference on Trade and Development
UNGCP: UN Guidelines for Consumer Protection
USITC: US International Trade Commission
US / USA: United States of America
USMCA: United-States-Mexico-Canada Free Trade Agreement
WB: World Bank
WIPO: World Intellectual Property Organization
WTO: World Trade Organization

Acknowledgements

This study has been prepared by a team of World Bank experts led by Martín Molinuevo (Senior Counsel, ETIRI) and including Nigorakhon Sadikova (ETC, ETIRI), Lillyana Sophia Daza Jaller, Alexandrea Schwind, Joseph Ashraf El-Cassabgui, Philipp Hlatky, and Prakhar Bhardwaj under the guidance of Sebastien Dessus (Manager, ETIRI) and Mona Haddad (Director, TIC).
The team is highly indebted to Javier López González (OECD), Torbjörn Fredriksson (UNCTAD), Melissa Metz (World Bank) and Adele Barzelay (World Bank) for comments as peer reviewers, as well as to Erik van der Marel (ECIPE), Mark Wu (Harvard Law School), and Andrea Barone (World Bank) for comments on an earlier version of this report. The team is grateful to OECD experts Janos Ferencz, Chiara Del Giovane, and Karin Gourdon; UNCTAD expert Thomas Van Giffen; and World Bank colleagues Martha Martínez Licetti, Natalija Gelvanovska-Garcia, David Satola, Adele Barzelay, Pierre Sauvé, Elena Gasol-Ramos, Tania Begazo, Rocio Sanchez Vigueras, Hunt La Cascia, Cecilia Paradi-Guilford and Rong Chen for their comments and advice at various stages of the project. This study benefited from an editorial review by Chris Wellisz and website portal development by Marlon Amorim.

The team gratefully acknowledges funding for this activity through the Umbrella Facility for Trade Trust Fund (UFT). The UFT is supported by development partners, including the Department of Foreign Affairs and Trade of Australia, the Foreign, Commonwealth & Development Office of the United Kingdom, the Norwegian Agency for Development Cooperation (NORAD), the Norwegian Ministry of Foreign Affairs, the Ministry of Foreign Affairs of the Netherlands, the State Secretariat for Economic Affairs of Switzerland (SECO), and the Swedish International Development Cooperation Agency (SIDA).

ES. EXECUTIVE SUMMARY

The digital revolution is changing every aspect of our lives. International trade, as one of the main pillars of a globalized world, is at the center of this revolution, as cross-border transactions of goods and services become an integral, often invisible, part of our daily digital routine.

Digital trade benefits from a comprehensive, modern and non-discriminatory regulatory framework.
Regulation can provide the legal tools necessary for remote contracts, clarify the rights and obligations of the multiple actors involved in digital transactions, and establish a framework that promotes trust in digital markets, even when the consumer does not know the merchant or that the merchant is in a different country. However, regulation can also further strengthen segmentation of digital trade, de facto restricting digital transactions.

The report presents the Digital Trade Regulatory Readiness (DTRR) database compiled by a team of World Bank experts. The database offers novel information on laws and regulations on digital trade for 121 economies around the world, out of which 95 are developing countries. The database reflects countries’ regulatory framework on specific matters directly relevant to digital trade, structured on nine “regulatory areas” (i.e., i) electronic documents; ii) electronic signature & digital ID; iii) paperless trade; iv) online consumer protection; v) data protection; vi) artificial intelligence; vii) cybersecurity & cybercrime; viii) cross-border data; and ix) intermediary liability) distributed along three policy pillars, namely electronic transactions, trust-building regulation, and platform regulation. Altogether, the DTRR offers more than 13,000 datapoints, including over 5,200 regulatory measures currently in effect. “Traceability,” a central feature of the DTRR, ensures the quality of the information, so that each of the positive datapoints can be traced back to the specific provision, paragraph, and/or section number that supports them.

The DTRR’s goal is to inform digital trade policy by identifying priorities for strengthening regulation. By readily assessing progress on digital regulations, while also providing granular information on specific regulatory solutions (or lack thereof) within a country’s legal framework, the DTRR can help policymakers, international experts, practitioners and academics identify regulatory priorities for strengthening regulation on digital trade. The database also serves as a starting point for assessing how a country’s regulatory framework complies with international obligations, such as digital trade agreements or the plurilateral WTO e-commerce agreement.

The DTRR database serves as an invaluable tool for policymakers and regulators in developing countries, offering access to a global repository of digital trade regulations from around the world. The database offers insights into current practices and regulatory frameworks that have been successfully implemented elsewhere. It can guide the development and update of their own digital trade policies, fostering an environment conducive to digital economic growth and integration into the global digital economy.

1. INTRODUCTION

The digital revolution is changing every aspect of our lives. The COVID pandemic and its stay-at-home measures demonstrated how communications technologies can help shrink distances. International trade, as one of the main pillars of a globalized world, is at the center of this revolution, as cross-border transactions of goods and services become an integral, often invisible, part of our daily digital routine.

In a rapidly changing digital world, governments confront new challenges in the regulation of digital trade. Digital devices come alive with services from around the world—with software covering the whole spectrum from entertainment to productivity. Classic trade problems like expediting trade procedures take on new resonance as shipments cross international borders in varied forms—individually packaged to consumers rather than in palleted cargo to wholesalers. Obstacles to trade are taking new shapes: issues like cross-border data flows and cybersecurity require international coordination to ensure the efficient and timely flow of information. Furthermore, the policy challenges lie not only in fostering cross-border transactions, but also in ensuring that benefits and opportunities from digital trade are equitably distributed in society.

A. Digital trade and regulation

Multiple regulatory areas are crucial to the development of digital trade. Digital trade, understood as the purchase and/or delivery of goods and services through digital means (see Box 1 for a definition), benefits from a comprehensive, modern and non-discriminatory regulatory framework. Regulation can provide the legal tools necessary for remote contracts, clarify the rights and obligations of the multiple actors involved in digital transactions, and establish a framework that promotes trust in digital markets,[1] even when the consumer does not know the merchant or that the merchant is in a different country. However, regulation can also reinforce the fragmentation of digital trade, effectively restricting digital transactions.

[1] We refer to “digital markets” as the ability to conduct commercial transactions over electronic channels, be it through the internet or peer-to-peer systems based on public telecommunications networks. A “digital transaction” is a transaction conducted through digital means where at least one side of the transaction is fully automated and does not require direct human intervention.

Rules affecting digital trade extend beyond measures explicitly targeting foreign transactions. As is often the case in services trade more broadly, digital trade is typically governed by general laws and regulations that shape market conditions for a given activity—regardless of whether that activity is carried out by domestic or foreign providers. In this context, what makes a regulation relevant to digital trade is the inherently cross-border nature of the activities it covers. For example, legal liability rules for intermediary platforms often apply to domestic and foreign services alike. However, due to the borderless nature of digital platforms, such rules are more likely to affect foreign transactions than purely domestic ones.

Regulation plays three essential roles in digital transactions:

• Providing essential regulatory tools for remote digital transactions. One of the roles of economic regulation is providing legal recognition of innovative ways of making business interactions—while ensuring that the new practices are not harmful to third parties or can be otherwise deemed contrary to public interest. In the digital era, tools like electronic documents and electronic signatures require a regulation that affords them legal recognition to do business. Lack of electronic signatures may mean, for instance, that parties may need to physically travel or mail a hard copy to sign a document, increasing time and costs for the transaction. Further, the ability to complete paperless trade procedures is also a supporting element for cross-border B2B trade.

• Enhancing trust in digital markets by ensuring that consumers are protected and that their information is safe and remains private. Lack of trust in digital markets remains the top reason for not engaging in online purchases. In a 24-country survey, almost half the respondents said they never buy goods or services online because they do not trust online transactions (CIGI-Ipsos, 2017). Important limiting factors in both developed and developing economies are the perceptions that cross-border online transactions and delivery are less secure, and that no remedies exist for when something goes wrong (World Economic Forum, 2019). Indeed, domestic regulations often lack rules addressing the cross-border elements of e-commerce. The limited jurisdiction of regulators means that they cannot impose their regulations on players outside of their national territory. Regulations that are particularly relevant to promoting citizens’ trust in digital markets include:
   • A strong data protection regime, which gives individuals control over their personal and financial information and fosters trust in how that data is collected, used, and shared;
   • An effective framework for online consumer protection, which helps users make informed decisions about goods, services, and transaction terms—enhancing their confidence and understanding of digital exchanges;
   • A robust cybersecurity framework, which improves trust by requiring firms to meet minimum technical standards for data protection and ensures that unauthorized access is appropriately prosecuted and penalized; and
   • Clear rules on artificial intelligence, particularly those ensuring unbiased and transparent processes, which reassure citizens that safeguards govern how machines use the information they provide.

• Regulating the operation of firms involved in the digital trade ecosystem, with a focus on preventing market failures, especially information asymmetry in digital businesses (e.g., platforms, telecom services, electronic payments). Regulations related to intellectual property, specifically those focused on intermediary liability, are a key component of the regulation of e-commerce platforms. Similarly, the ability to transfer data across borders is an essential element of digital trade, especially for digital services.

Identifying regulatory approaches that minimize restrictions on digital trade while offering strong protections to individuals remains a key challenge. Essential aspects of digital trade regulation, such as intermediary liability or data protection, are new and still subject to trial-and-error experimentation. Other aspects of digital rules have been pioneered by high-income countries that can support those regulations with a vast and skilled institutional apparatus, but whether those rules are also suited to smaller or poorer administrations and economies is uncertain. In addition, horizontal regulations need to be completed with modern sector-specific regulations that address the challenges faced in specific activities that disrupt new digital business models, such as online retail (e-commerce), ride hailing, lodging, among others.

This report discusses the role of regulatory policies in digital trade and presents how these regulations are being adopted around the world. Following this introduction, Section 2 describes the key features of the Digital Trade Regulatory Readiness (DTRR) database. Section 3 presents the regulatory areas covered by the DTRR and their connections with digital trade. Finally, Section 4 offers suggestions for further analysis.

The DTRR database focuses on horizontal regulations that provide essential regulatory tools for remote transactions, promote trust among the parties to the transaction, and set out rules on online platforms. The data gathered helps inform global progress on digital governance by identifying regulatory regimes that lack elements essential to digital trade, thereby introducing costs in the form of legal uncertainty for consumers and providers.

An enabling environment for digital trade requires coordination with multiple other regulatory policies. Regulation relevant to digital trade extends well beyond the current scope of the DTRR. For example, an effective regulatory and institutional framework for electronic payments is essential to cross-border transactions.

Box 1: Defining digital trade

There are four forms of digital trade: the Internet enables trade in “traditional” goods and services that are digitally ordered but delivered offline, and it also provides a platform for trading purely “digitally traded” goods and services that are not only ordered electronically but also produced and delivered online. Under most definitions of e-commerce, electronic transactions can entail the sale of either goods or services.

For traditional goods and services, the Internet functions as a global e-commerce marketplace that enables remote transactions of goods and services that would otherwise be sold in brick-and-mortar stores. Digital technologies not only expand the possibilities for trade in existing goods and services but also offer a completely new environment for new “digital” goods and services to be developed—and traded. Figure B.1 illustrates trade in digital goods and services in quadrants III and IV, respectively.

Business reality, especially in the digital environment, however, often blurs these conceptual lines. Software, for example, has been historically traded as merchandise (embodied in the shipping of physical media such as floppy disks or CDs) but is now often provided as a service, based on a subscription fee, that includes the right to updates, technical support, and ancillary digital products. Similarly, some services such as ICT consumer support can blur the lines between “traditional” and “digitally traded” services, as reflected in quadrants I and IV. Finally, some business can be used by final consumers or by other businesses, making it a challenge to clearly distinguish between B2C and B2B activities.
This approach is consistent with a similar classification offered by the OECD, WTO, and IMF that focuses on whether goods and services are digitally ordered and/or digitally delivered (Figure B.2).

Identifying the differences among the various types of digital trade is more than theoretically valuable. Rather, realizing these different phenomena as part of the broader digital trade or even digital economy analysis has practical implications. For instance, for statistical purposes, e-commerce goods transactions are normally captured by customs as they cross the border in the form of parcels and fall under the goods sections of the current account. Digital goods such as software or e-books should also, in principle, be captured as goods under the current account; however, because they are digitally delivered and do not cross physical borders, customs information will not be available, and such information should be sought elsewhere—for instance, in the international payments for goods and services as recorded by central banks.

More importantly, the different expressions of digital trade also face different challenges and call for different policy responses: the logistical challenges of international parcel shipping faced by online retailers are not necessarily relevant to traders of digital goods and services, who, instead, may be much more concerned with intellectual property rights and contract enforcement.

[Figure B.1: Types of digital trade I. A four-quadrant chart (I to IV) with columns for goods and services and rows for traditional e-commerce and digitally traded products. Source: IMF, OECD, UNCTAD and WTO, 2023.]
[Figure B.2: Types of digital trade II. The chart classifies digital trade by nature (how), product (what) and actors (who). Source: IMF, OECD, UNCTAD and WTO, 2023.]

Rules on transport and logistics are directly relevant to e-commerce in merchandise. Competition policies and regulations are also critical, particularly given the network effect associated with third-party platforms. As a result, a comprehensive review of policies and regulations that go beyond the scope of the DTRR database may be necessary when conducting an in-depth review of the regulatory environment of a specific country.

B. Existing databases

The DTRR database complements existing databases on regulatory restrictions with information on regulations that address regulatory challenges inherent to digital trade. Existing databases capture regulatory restrictions on digital trade but provide few details on the regulations governing it. For instance, ECIPE’s pioneering Digital Trade Restrictiveness Index (DTRI)[2] and the OECD’s Digital Services Trade Restrictiveness Index (DSTRI)[3] provide relevant information on existing digital restrictions and allow an empirical assessment of the impacts of those restrictions on trade and other aspects of the economy. However, given their focus on trade restrictions, they offer little information on the type of measures that can be considered legitimate safeguards that promote consumer trust in digital markets—and where they do, these measures too are assessed as restrictions on trade, without taking into account the positive trade effect they may have. OECD’s DSTRI does account for the positive effect of some measures by scoring the absence of regulations on policies like e-signature, e-contract, e-payment and privacy regulation as a restriction on digital trade. UNCTAD’s Cyberlaw Tracker[4] instead monitors the adoption of certain legislation relevant to e-commerce for 195 countries, in an effort to promote a sound and comprehensive regulatory framework for digital trade. UNCTAD’s database does not attempt to build an index or otherwise provide any assessment of the legislation. These datapoints would help inform current indices on restrictiveness by identifying those regulatory regimes that lack essential pieces of regulation on digital trade, thereby introducing costs not in the form of regulatory restrictions, but in the form of legal uncertainty for consumers and providers.

Additionally, the WB Data Governance database provides insights into both safeguards and regulatory restrictions, covering 80 economies. Unlike indices that focus primarily on restrictions, this database evaluates regulatory safeguards that contribute to fostering trust in digital trade. Furthermore, the DTRR database, which covers 121 economies, distinguishes itself by capturing both regulatory restrictions and safeguards while ensuring traceability. The DTRR methodology relies on regulatory reviews, allowing for a structured assessment of digital trade policies beyond just trade barriers. This approach ensures that not only restrictive measures but also policies that enable digital trade are captured, providing a more nuanced perspective compared to other databases.

The DTI (Digital Trade Integration)[5] database, which covers 130 economies, is another key regulatory dataset that focuses on both safeguards and regulatory restrictions. Unlike databases that rely on surveys or purely legal assessments, DTI employs a web-scraping methodology, collecting real-time regulatory data across multiple digital trade policy domains. With 12 policy areas covered, DTI provides a broader regulatory perspective compared to some other indices, making it a valuable resource for understanding the dynamic evolution of digital trade policies globally. By integrating these additional datasets into the analysis, we recognize the complementary nature of various regulatory databases. While some focus strictly on trade restrictions, others incorporate safeguards, and some, like the DTRR, provide a holistic view by bridging both perspectives—offering a more comprehensive understanding of digital trade regulations.

Table 1: Comparison of digital regulation databases

Item | OECD DSTRI | UNCTAD Cyberlaw tracker | ECIPE DTRI | DTI | WB Global Data Regulation Survey | DTRR
# economies covered | 93 | 195 | 64 | 130 | 80 | 121
# of policy areas covered | 5 | 4 | 13 | 12 | 7 | 9
# total datapoints captured | 3,780 | 776 | 6,400 | 13,130 | 6,480 | 13,794
Focus on | Regulatory restrictions | Existence of legislation | Regulatory restrictions | Regulatory restrictions + Safeguards | Safeguards + regulatory restrictions | Regulatory restrictions + Safeguards
Methodology | Survey + Regulatory Review | Surveys | Web scraping | Web scraping | Surveys + Regulatory Review | Regulatory review
Quantitative Index | Yes | No | Yes | Yes | Yes | No
Includes sources / traceability | Partial | Yes | Partial | Partial | No | Yes

[2] ECIPE’s pioneering Digital Trade Restrictiveness Index (DTRI) builds on an underlying database of regulatory restrictions on digital trade for 64 countries. The DTRI assigns a score from zero (fully open) to 1 (virtually closed) based on the trade restrictiveness of digital trade policies (Ferracane, M. F., & van der Marel, E., 2018). The database provides a short description of the restriction, as taken from its source.

[3] The OECD Digital STRI adds digital elements to the Services Trade Restrictiveness Index (STRI) to capture impediments to services traded digitally, and catalogues and quantifies barriers that affect trade in digitally enabled services across 93 countries. The database includes references and links to some of the underlying regulations. The indices take values between 0 and 1, where 0 is completely open and 1 is completely closed. https://goingdigital.oecd.org/en/indicator/73.

[4] https://unctad.org/topic/ecommerce-and-digital-economy/ecommerce-law-reform/summary-adoption-e-commerce-legislation-worldwide.

[5] https://dti.eui.eu/.

2. DTRR REGULATORY AREAS

A comprehensive and modern digital regulatory framework is essential for supporting digital trade. Regulation plays three critical roles for digital transactions. It provides the legal tools needed for concluding valid and enforceable electronic contracts, such as rules giving effect to the electronic authentication of documents and e-signatures. Frameworks for personal data protection, online consumer protection, and cybersecurity offer safeguards that enhance trust in digital markets. Finally, regulations on the legal liability of platforms for unlawful or harmful content and rules on the international transfers of data set out basic rules that support a transparent and predictable framework for digital markets.

Regulation can also introduce unwarranted limitations to digital trade. For instance, unnecessarily restrictive or overly cumbersome requirements for cross-border data transfers limit access to certain digitally delivered services. Limitations on the types of goods and services offered online may be warranted by public policy goals (e.g., restrictions on guns or controlled substances) or may add costs and inefficiencies by segmenting markets (e.g., requiring the use of domestic cloud services). The central challenge for policymakers and regulators is therefore to adopt balanced frameworks that minimize restrictions on digital trade while offering a comprehensive framework for digital transactions and sound safeguards for users. By requiring that public policy measures minimize unnecessary trade restrictions, trade agreements help establish useful benchmarks for setting regulatory boundaries.

The DTRR database focuses on horizontal regulations that provide essential regulatory tools for remote transactions, promote trust in digital markets, and define rules for online platforms. The data gathered helps inform global progress on digital governance by identifying regulatory regimes that lack elements essential to digital trade, thereby introducing costs in the form of legal uncertainty for consumers and providers. In this context, “readiness” is intended as the ability of the regulation to comprehensively address the challenges presented by digital technologies in line with international best practices.

The database offers novel information on laws and regulations on digital trade around the world. The database reflects countries’ regulatory framework on specific matters directly relevant to digital trade, specifically in the areas of electronic transactions, trust-building regulation, and platform regulation. The DTRR offers a total of over 13,000 novel datapoints, which includes over 5,000 regulatory measures effectively in place with explicit reference (“traced”) to the specific legal instrument, including its section and paragraph, that supports them. The basic premise is that providing effective and transparent regulatory solutions fosters digital trade by enhancing trust in digital markets and reducing costs related to uncertainty and ambiguity in the legal framework.

The goal of the DTRR is to inform policymaking by identifying priorities for strengthening regulation on digital trade. Readily assessing progress on digital regulations, while also providing granular information on specific regulatory solutions (or lack thereof) within a country’s legal framework, the DTRR can help policymakers, international experts, practitioners and academics to identify regulatory priorities for strengthening regulation on digital trade. The database also provides a starting point for assessing compliance of a country’s regulatory framework with international obligations, such as digital trade agreements or the plurilateral WTO e-commerce agreement. In that sense, the DTRR focuses on offering qualitative information for over 120 economies in the world in an accessible and user-friendly manner. The data collection is based on laws and regulations related to digital trade, from which the DTRR identifies the specific regulatory measures as set out in formal legal instruments. As such, the information presented in the DTRR reflects de jure frameworks only.

The database captures regulations as they apply to digital trade, even when they may have a broader scope. In an effort to zero in on digital trade, the regulation solutions covered address matters inherent to digital trade. In some instances, however, matters relative to digital trade are covered under general, non-digital-specific rules. This is particularly the case in consumer protection, where broad, often dated, consumer-protection regimes also apply to digital transactions, even if they were not designed to do so. The DTRR still recognizes the regulation as applying to digital trade and records it positively wherever the regulatory solution is met, even if contained in a general law or regulation that goes beyond digital trade. This methodological approach is understood to reflect more accurately the regulatory framework applying to digital trade. In practice, however, general frameworks generally fall short of good practices in digital regulation.

The DTRR focuses on qualitative information but is designed to support further use in quantitative analyses. Unlike other databases in this space—such as the OECD Digital STRI, ECIPE’s DTRI, and the WB-WTO STRI—the DTRR does not provide scores or indexes of the regulatory measures it collects. However, the data can be further processed to support econometric and other quantitative studies aimed at assessing the quality of regulatory frameworks. To this end, the full dataset is available for download, and the authors encourage its use and further development.

A. Policies and measures covered

The Digital Trade Regulatory Readiness data cover nine key regulatory areas for digital trade, grouped into three broader regulatory pillars as captured in Table 2. These areas were selected by the authors based on consultations with WB and external experts and informed by specialized literature:

the first binding international rules on cross-border data flows are found in trade agreements, namely the Comprehensive and Progressive Agreement for Trans-Pacific Partnership (CPTPP) and the United-States-Mexico-Canada Free Trade Agreement (USMCA).
Furthermore, “digital trade agreements” focusing exclusively on digital trade These topics also reflect the regulatory areas rules are emerging as a new trend in regulation of commonly mentioned in digital trade/e-com- global trade. The US and Japan concluded a Digi- merce chapters in trade agreements. As global tal Trade Agreement on October 2019; Singapore, trade in both goods and services increasingly incor- Chile, and New Zealand signed (electronically) their porates digital technologies, regulations aimed Digital Economy Partnership Agreement (DEPA) in at fostering digital trade are also becoming a cen- June  2020; and ASEAN countries concluded the tral component of trade agreements. For instance, “ASEAN Agreement on Electronic Commerce” in Table 2: Regulatory pillars and areas covered by DTRR database Policy pillar Regulatory area # of regulatory solutions assessed Regulation on electronic transactions Electronic documents 4 Electronic signature & Digital ID 6 Paperless Trade 3 Trust-building regulation Online consumer protection 19 Data protection 19 Artificial Intelligence 4 Cybersecurity & Cybercrime 11 Platform regulation Cross-border data 34a Intermediary liability 14 TOTAL 114 a Includes 15 enabling and 19 restrictive regulatory solutions. DIGITAL TRADE REGULATORY READINESS 15 A Global Database January 2019. Digital trade rules are also being dis- a right to individuals to request the deletion of their cussed at the multilateral level. Under the umbrella personal information. While the database builds of the WTO, the current draft plurilateral agreement on the assumptions that adopting these regula- on e-commerce seeks to adopt a universal set of tory solutions acts as an enabler for digital trade, principles and rules on key aspects of digital trade, the section on cross-border data rules also identi- such as rules on electronic contracts, online con- fies measures that are in fact restrictions on digital sumer protection, and paperless trade. trade. 
These few “negative” regulatory solutions are treated separately from the bulk of the data in These nine regulatory areas are further dis- most analyses—see section 3.a.iv for details. aggregated into 114 “regulatory solutions.” The specific solutions (i.e., individual variables) The focus on regulatory solutions allows us to were selected with a view to providing a progres- assess how comprehensive and modern the regu- sive understanding of the digital trade regulatory lation is. Regulations can range from basic laws that framework. In that sense, countries with limited provide solutions to a few aspects of a given policy and/or outdated regulations are likely to answer area, to frameworks that seek to provide a compre- positively only to the basic questions of each area, hensive response to various new challenges brought while countries with a comprehensive and up-to- about by digital trade. Consumer trust in remote, date framework will tend to answer positively to digital transactions, for example, is lower than in most of the questions. An effort was made to select face-to-face interactions, as the consumer has often broadly uncontroversial questions that indicate a little information about its counterpart. Explicitly progressive degree of depth and complexity, and recognizing that online transactions are covered by to represent the comprehensiveness of the regu- consumer protection and requiring online vendors latory framework independently, even where those to provide certain information are simple regulatory regulations may not be in line with the global “best solutions featured in virtually all effective consumer practices.” Annex I lists all the regulatory solutions protection framework; more advanced regulations, reviewed and offers example and additional back- however, include rules against the use of “dark ground on their importance for digital trade. 
patterns” (i.e., user interface designs intended to manipulate behavior—for examples making very easy to sign up for a service, but very difficult to can- i.  Regulatory solutions cel it) or rules against spam. By identifying which The DTRR focuses on the “regulatory solutions” regulatory solutions are in place, the DTRR allows featured in a country’s legal framework. The users to assess how comprehensive and modern the main information offered by the DTRR is whether regulation actually is with greater certainty than ver- a country has adopted specific statutory actions or ifying the mere existence (or lack thereof) of a legal safeguards (“regulatory solutions”) meant to over- instrument on any given area. come policy challenges related to digital trade. Going beyond the title or general context of the leg- Based on legal texts, the database cap- islation, the DTRR digs into the content of laws and tures whether a specific regulatory solution is regulation to identify whether such regulatory solu- addressed in the regulation. In the collection tions are in place. Regulatory solutions can take the stage, the database shows in a binary manner form of statutory requirements, like the mandate whether each of 114 regulatory solutions is effec- to disclose information certain about the vendor tively covered in the legal framework of the country in e-commerce platforms or that electronic docu- under review. Table 3 lists the regulatory solutions ments have the same legal value as physical one, assessed under Intermediary Liability, and portrays or the adoption of certain safeguards, like granting the data as captured in the DTRR database for the 16 DIGITAL TRADE REGULATORY READINESS A Global Database Table 3: Regulatory solutions on intermediary liability. Selected countries Singapore Chile U.S. 
Framework explicitly addresses online intermediary liability    Online intermediaries are not required to routinely monitor content uploaded by third    parties Safe harbor provisions exist to shield online platforms/hosting providers from liability  —  for: • Unlawful activity generally • Infringements related to intellectual property    Notice and take down procedures required for:  — — • Unlawful activity generally Intermediary liability • Infringements related to intellectual property    Content providers’ right to counter notice    Online platforms’/Hosting providers’ right to counter notice/appeal — — — Online platforms/Hosting providers are not liable for wrong deletion if they conduct  –  deletion by following a takedown notice Complainants are liable for wrong deletion following a takedown notice    Online platforms/Hosting providers are required to disclose the identity of infringers to — — — the extent it is available to them If online platforms/hosting providers are required to disclose the identity of infringers, — — — they are not liable for the failure to do so Online platforms/Hosting providers may not disclose their users’ identity information to — — — third parties without court orders An order from a judicial court or competent authority is required to require content   — restriction Source: DTRR. three countries with the most comprehensive reg- The following sections offer brief reviews of the ulatory solutions in that category. In its raw form, regulations covered by the DTRR and how they the dataset is a matrix of zeros and ones (or their relate to digital trade. graphical equivalent) with regulatory solutions and countries on each of its axes. B.  Regulation on electronic transactions Providing legal recognition to the tools necessary nesses engaged in digital trade also expand their for remote, electronic transactions is a neces- network of clients and suppliers across borders. 
sary initial step toward an enabling framework A regulatory framework that is conducive to digi- for digital trade. As communication technolo- tal trade should therefore guarantee that contracts gies connect people and businesses around the concluded remotely through electronic channels world with increasing ease and convenience, busi- are just as valid and legally enforceable as those DIGITAL TRADE REGULATORY READINESS 17 A Global Database concluded in person. Ensuring that electronic doc- However, B2B transactions that entail customiza- uments and signatures are fully recognized and tion of products and services provided over time, enforceable—while providing citizens with ade- such as those that allow suppliers to connect to quate tools—is therefore essential to underpinning global value chains or that require peripatetic deliv- the legal validity and practical use of remote elec- ery over extended periods, the ability to conclude tronic contracts and transactions. or amend contracts across borders in a secure and reliable way is essential for reducing costs and facil- itating cross-border business operations. i.  Electronic documents A strong and reliable framework for e-documents is particularly important for business-to-business ii.  Electronic signatures & digital authen- (B2B) transactions. Transactions with final con- tication sumers, such as those on e-commerce platforms The ability to conclude legally binding contracts like Amazon.com, Lazada.com, or MercadoLibre. remotely depends heavily on capturing the parties’ com, and app-based services like Airbnb, do not agreement in a secure and reliable manner. Elec- typically entail major documentation exchanges tronic signatures contribute to remote transactions and can be concluded even without a specific reg- by providing a legal and technological mechanism ulatory framework for electronic transactions. 
that ensure the parties that their identities and Box 2: The EU’s eIDAS Regulation: A framework for cross border E-ID and Trust Services The European Union enacted Regulation No. 910/2014 on ‘electronic identification and trust services for electronic transactions in the internal market’ (“eIDAS”) to remove barriers to the cross-border use of electronic identification means for public services used in the EU Member States. The eIDAS sought to meet this goal by prescribing conditions under which Member States must recognize electronic identification schemes of another EU Member State, laying down rules for trust services for electronic transactions, and by establishing a legal framework for, amongst others, electronic signatures, and documents. The eIDAS regulation requires that mandatory electronic identification schemes to be notified to the Commission along with the appropriate assurance level: either low, substantial and/or high. These assurance levels correspond to minimum technical specifications, standards, and procedures notified by the Commission. Each of the notified electronic identification schemes are required to be interoperable, such that there is no discrimination between any specific national technical solutions for electronic identification. In practice, this has enabled citizens with smartcards and mobile-phone-based digital identification systems issued in one EU Member State to access online services provided in other European countries. By virtue of the Agreement on the European Economic Area, the eIDAS has also been adopted as law in Norway, Iceland, and the Principality of Liechtenstein. The eIDAS regulation may have also helped countries in establishing electronic identification systems through the legal framework of qualified trust service providers. 
The eIDAS defines a ‘trust service’ as an electronic service relating to the creation, verification, preservation, and validation of electronic signatures, electronic seals, and certificates for website authentication. Trust service providers that successfully fulfill the accreditation requirements of the conformity assessment body are listed as ‘qualified trust service providers’ by each EU Member State. The reliability and credibility associated with being a qualified trust service provider under eIDAS has also made it easier for EU Member States to engage qualified trust service providers to establish digital identity solutions. For instance, the Republic of North Macedonia engaged Evrotrust, a qualified trust service provider of the Mastercard group, to launch the country’s first remote digital identity services system. Source: Authors based on Regulation(EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC. 18 DIGITAL TRADE REGULATORY READINESS A Global Database expressions of will be secure and reliable, even in instead of paper documents to fulfill customs pro- contracts concluded at a distance or across countries. cedures. Digital customs procedures are a valuable Digital identities entail a collection of electronically complement not only to traditional, containerized, captured and stored attributes that uniquely describe bulk trade that moves thousands of products at a person within a given context and are used for elec- once but also to international e-commerce, where tronic transactions (World Bank, 2016), which allow goods are often sold and shipped in individual par- for digital IDs that can be used to prove real-life iden- cels directly to the final consumer. 
Bottlenecks in tity online, and thereby grant access to a range of customs clearance and regulatory documentation public and private services in a safe and secure way. can be particularly challenging for smaller busi- nesses and digital traders with less experience and resources. (UNECE and WEF, 2017). iii.  Paperless trade In paperless trade, digital information is used C.  Trust building regulation A robust regulatory framework that prevents As a result, one important limiting factor in both the misuse of data while facilitating its use and developed and developing economies is the per- sharing is essential for building trust in data trans- ception that cross-border online transactions actions. Despite many recent important advances and delivery are less secure, and that remedies regarding personal data, legal frameworks for data do not exist when something goes wrong (World governance across much of the developing world Economic Forum, 2019). remain inconsistent, raising concerns about the ability of lower-income countries to benefit from the Trust-building regulation for digital markets development opportunities emerging from the bur- focuses on three goals: overcoming information geoning global data economy (World Bank, 2021). asymmetries, strengthening individuals’ rights and remedies, and making online transactions Regulation plays an essential role in bolster- secure. Under this “trust building” category, the ing digital markets by promoting trust. Because database captures policies on consumer protec- digital markets are still in their infancy, lack of tion, data protection, cybersecurity and AI. Overall, trust in remote electronic transactions remains by ensuring that such data is adequately protected the primary reason consumers avoid online pur- and may not be used for purposes other than the chases—especially across borders (Figure 7). 
specific issue at hand, these regulations seek The very nature of remote electronic transac- to provide online users a sense of security in the tions means that consumers have no face-to-face transaction and control over their own information,. contact with vendors, meaning that there are no “visual cues,” such as location, facilities, and per- sonalized interaction, that help consumers gauge i.  Online consumer protection a retailer or supplier’s professionalism. In this Rules governing online consumer protection are environment, consumers are asked to disclose needed to overcome information asymmetries sensitive information and personal data either to between vendors and consumers of online trans- a retailer, online intermediary, or digital platform. actions. Distance shopping presents challenges, DIGITAL TRADE REGULATORY READINESS 19 A Global Database such as the inability to assess products in person data protection regimes expand globally, a grow- before confirming a transaction. Online consumer ing number of countries now require that foreign protection laws aim to ensure “a level of protection partners offer comparable—or “adequate”—protec- not less than that afforded in offline commerce” tions before allowing cross-border data transfers. (UNCTAD, 2017). To that end, online consumer pro- This creates incentives to trade with countries that tection builds on the principles and mechanisms of maintain similar data protection standards. traditional consumer protection regimes, extending and adapting those protections to digital markets to reduce some of the challenges of buying and selling iii.  Artificial intelligence online (OECD, 2000). Similarly, the UN Guidelines Artificial intelligence (AI) has the potential to for Consumer Protection (UNGCP) emphasizes boost efficiency and productivity and opens that consumer protection in e-commerce should the door to new tradeable services. The abil- be equivalent to that in traditional commerce. 
ity of machines to “learn” by identifying patterns Online consumer protection provisions are typically of data—from a human face, to the risk associated designed for domestic markets; however, they play with certain activities, to the potential interests an especially important role in international digital of consumers—can deliver significant productiv- trade, where consumer trust tends to be lower— ity gains for businesses. For instance, employee particularly when procedures like cancellations and recruitment often involves the costly review of returns are unclear or poorly communicated. dozens of candidate profiles, a process that can be automated using AI solutions. Similarly, machine learning algorithms can parse large amounts of ii.  Data protection mobile-phone data to deliver instantaneous credit Consumers are increasingly aware of the implica- scores to users in developing countries (Stru- tions of unrestricted access to personal data. Lack sani and Houngbonon, 2019). Digital trade plays of trust in the way personal data is managed drives a critical double role in AI. As machine learning users away from electronic transactions, limiting feeds from, and is improved by, large amounts of the growth of digital markets. Safeguards govern- data, access to information around the world is ing when and how firms may collect, process and essential to a well-trained system. Furthermore, share personal data are essential for building digital because a handful of tech giants control big data markets in which users feel safe providing their per- and advanced algorithms, most AI users around sonal information, knowing it will only be used and the world are more likely to access AI services shared as necessary for the original purpose. through cross-border digital trade than by devel- oping domestic systems, at least in the short to Strong and consistent data protection regu- medium term. 
At  the same time, increasing con- lations are also essential from digital trade, cerns around data privacy, algorithmic bias, and especially for digital services. Some studies have automated decision making have led to growing found that Countries that share strong safeguards regulatory scrutiny of AI and data flows. These for personal data tend to trade more between each tensions underscore the importance of developing other (World Bank, 2021; Ferracane and van der international frameworks that enable digital trade Marel, 2021). Two factors may play a role in this while addressing legitimate governance concerns. phenomenon. On one hand, consumers are more likely to transact with vendors who, whether due to good practices or regulatory compliance, provide iv.  Cybersecurity & cybercrime clear assurances about how personal data is used While less visible to individual consumers, and with whom it may be shared. In parallel, as cybersecurity regulation is essential to pro- 20 DIGITAL TRADE REGULATORY READINESS A Global Database moting trust in digital trade. Cybersecurity rules sonal and non-personal data (World Bank and include a broad range of measures addressing United Nations, 2017). From a digital trade the security of network infrastructure and the perspective, however, the focus is narrower— elements over which data flow, as well as poli- individuals’ trust and measures to protect cies to secure the storage and the safe transfer personal data from unauthorized access. In that of data. From this perspective, cybersecurity pol- sense, major data breaches, like the one Yahoo! 
icies seek to bolster broad public confidence in witnessed in 2013 that affected 3 billion user the use of the internet and ICT by addressing the accounts, not only compromise people’s privacy risks that crime, and even armed conflicts may but can have a chilling effect on digital markets bring to the security of networks such as power as consumers realize how vulnerable their infor- grids and urban utilities; devices from consumer mation can be. phones to computer mainframes; and both per- D.  Platform regulation Online platforms play an essential role in dig- i.  Cross-border data ital trade by connecting individual consumers Cross-border data flows are an increasingly with retailers, manufacturers, and service pro- essential element of international trade. Data viders from around the world. The internet’s flows not only support trade in goods, making pro- unparalleled ability to connect billions of indi- duction and distribution more effective and less viduals worldwide has boosted business models costly, but such flows are in fact the vehicle for based on intermediation between vendors and trading digital services across borders. As trade in consumers. E-commerce platforms like Alibaba, global digital services has increased dramatically eBay, and Mercado Libre are based on offering in recent years, so have global data flows. Regu- consumers products from thousands of different lation of data flows, especially of personal data, providers rather than their own stock. “Gig econ- lies at the heart of digital trade governance. More omy” apps offer services such as rides, lodging, than 40 percent of US firms surveyed by the US or delivery of food or groceries from firms and International Trade Commission (USITC) consider individuals. 
Other services rely on content such data localization requirements and market access as video (YouTube, Vimeo), opinions and reviews regulations to be obstacles to trade, particularly of products or services (Yelp, Google), or infor- larger firms and those in the digital communica- mation (blogs) developed by thousands of users, tions, content, and retail services sectors (USITC, most of whom remain relatively unknown to the 2014). Assessing regulatory restrictions on dig- final consumer. The relationship between these ital trade, Ferracane and Van Der Marel (2021b) intermediaries (websites and apps) and the firms find that restrictive data policies, specifically those or individuals offering their own products or ser- related to the cross-border movement of data, vices is therefore essential to the functioning of result in lower imports of data-intense services for those digital transactions. These connections are the countries imposing them, which translates into also possible to the extent that businesses and lower levels of cross-border digital trade. consumers around the world can transmit the relevant information (i.e., data) in a timely and Restrictions on global data flows can also burden efficient manner. domestic companies using digital technologies, DIGITAL TRADE REGULATORY READINESS 21 A Global Database particularly in the context of global value chains tic processing instead, including Kenya which (World Bank, 2020). Swedish manufacturing firms features both. recently reported that data localization require- ments and restrictions on cross-border data flows, Non-personal data including for outward transfers, adversely affect Non-personal data flows are important for dig- the setup and operation of their global produc- ital trade, enhancing commercial benefits and tion networks (NBT, 2015). The challenge for policy technological innovation. 
Non-personal data makers is promoting the sharing and transfer of plays a key role in digital trade by enabling com- data in a manner that supports the economic ben- mercial benefits, driving technological innovation, efits of digital trade, while ensuring that sensitive and facilitating global data flows essential for inter- information remains secure and the relevant regu- national business operations. Unlike personal data, lations on personal data protection are respected. it is usually not subject to the same amount of pri- vacy restrictions—such as consent principles or Restrictions on data flows, commonly referred data minimization principles. This relative flexi- as “data localization” requirements, take multi- bility in handling and cross-border sharing makes ple forms. Limitations on the management of data non-personal data especially valuable for improv- are not limited to the explicit regime on cross-bor- ing trade efficiency, enhancing public services, and der transfers: provisions mandating that certain supporting competitive market strategies. Under- type of data be stored, processed, or accessed only standing and managing the flow of non-personal with the jurisdiction of the country—often referred data is key to maximizing the benefits of digital as “data localization” measures—are also critical trade while ensuring secure and efficient global in the management of information. Data storage trade exchanges. requirements entail the obligations to house certain data on servers physically located in the country. Local processing requirements, on the other hand, ii.  Intermediary liability mandate that all handling of such data—such as updating, anonymizing, or preparing for any spe- Rules on intermediary liability can make or break cific use—must take place within the country. Local business models based on digital platforms. 
access requirements require that certain informa- Intermediary liability rules are the set of provisions tion can only be retrieved from within the country. that distribute the liability between intermediaries While these rules do not prohibit cross-border data (website and apps) and actual vendors or content sharing or offshore storage of copies, they impose developers when things go wrong. In other words, significant costs by physically anchoring the data to intermediary liability is the responsibility that falls domestic infrastructure. upon online intermediaries, such as search engines, application platforms, social networks, and broad- Broad, economy-wide, data localization require- band companies, for third-party content featured ments are rare, but are not unusual in specific in, or products and services offered through, their sectors. No country in the DTRR features general websites or apps. Just as intermediation is not a data localizations for personal and non-personal novel business model, intermediary liability rules data, but 12 countries in the database have are not a new legal concept—most such rules can adopted data localization requirements for all be traced back to Roman law. Intermediary liabil- personal data—a requirement often considered a ity rules can, in fact, be broader rules that apply to major restriction to cross-border data flows. Ten online intermediaries (Gasser and Schulz 2015). countries from that group demand local storage of However, specific rules of digital intermediaries are all personal data, while two more mandate domes- more likely to adapt to the specific conditions of 22 DIGITAL TRADE REGULATORY READINESS A Global Database digital markets. Lack of provisions specifically ori- may impose harsh penalties for user-generated ented to digital platforms leads to courts’ decisions content or behavior. 
This regulatory uncertainty to fill the gaps with rules and principles not tailored also affects domestic start-ups, which may face to the digital context—often with odd or suboptimal prohibitive costs if held responsible for their users’ results. Even where judicial decisions reach opti- misconduct. mal outcomes, having explicit regulations in place increases transparency and predictability, thereby Regulations on intermediary liability typically reducing costs for digital business and strengthen- touch on two different policy areas: intellec- ing user rights. tual property and criminal law. Legal liability for digital platforms may arise from a user’s vendor Given the central role of digital platforms, clear infringement of intellectual property rights. This is rules on intermediary liability are essential to the case, for instance, when a vendor offers a coun- digital trade. Social media and e-commerce plat- terfeit product that is in violation of trademarks, forms are hallmarks of digital markets, whose or uploads a video, song or text in violation of the inherently global nature provides a natural envi- author’s copyright. More egregious conduct may ronment for connecting suppliers and consumers amount to violations of criminal law, for example, around worldwide. The network effects of digital if a user uploads a video calling for violence, pub- platforms tend to concentrate market power in a lishes a deep-fake nude image of a celebrity, or few massive global providers. However, the growth issues a threat to or otherwise harms another per- of these services can be hindered by outdated or son. A comprehensive framework on intermediary inadequate rules on intermediary liability, which liability would cover both types of rules. DIGITAL TRADE REGULATORY READINESS 23 A Global Database 3. DTRR DATABASE METHODOLOGY A.  
Data collection and review methodology

The DTRR data is based on the direct review of laws and regulations. The DTRR reflects the regulatory solutions as enshrined in laws, decrees, and other major legal instruments. The strict application of the traceability principle implies that, with the two exceptions identified below, the data featured in the DTRR originates solely from the actual legal framework of the country in question. In a handful of cases, third-party sources reported on the existence of certain regulatory measures, yet no legal instrument could be found to review, confirm, and trace back to that regulation; in those cases, no measure was recorded. Once collected, the legal instruments were carefully reviewed by a team of WB staff and consultants with legal expertise and background. Overall, the DTRR incorporated information from approximately 700 legal instruments and features over 5,200 references to specific provisions.

The data are current as of March 2024 and do not reflect any changes to the legislation after that date. Despite intensive efforts, there were some countries where information could not be gathered. On a few occasions, media or other sources suggested that legislation did exist, but it could not be found online. Because of these potential gaps, the database records missing regulations as "no provision was identified" under the relevant regulatory solution, rather than "no provision exists." Should interested readers find gaps in the information, they are welcome to contact the authors.

i.  Traceability to its original source

DTRR's information is supported by direct reference to the legal instruments where they are featured. With a view to ensuring the quality of the information, each datapoint can be traced back to the specific provision, paragraph, and/or section number that provides for that specific regulatory solution in the country's legal framework. For example, the data point indicating that Argentina's framework provides that electronic signatures issued abroad have the same legal effect as domestic electronic signatures stems from Article 16 of Argentina's Digital Signature Law of 2001. Traceability information is readily available to interested parties through the download of the main database file.

"Traceability" ensures the accuracy of the information, and eases any corrections needed. Identifying the specific legal source of the information not only ensures the accuracy of the information but also allows for it to be quickly amended in case of reforms or new developments in the underlying regulatory framework. This feature is oriented to facilitating informed policymaking and identifying specific needs to improve or reform the existing regulatory framework.

This feature sets the DTRR apart from survey-based and from web-scraping databases. While some databases attempt to complement indicator-based information with qualitative information about their sources, the main survey-based databases in the field focus on offering a quantitative index that measures the regulatory framework's quality and offer little or no access to information on the sources of those values. Databases focused on capturing information online ("web-scraping," whether in an automated or manual way) rely instead on third-party sources, such as news media, other databases, and online reports, rather than actual interpretation of the legal instruments. This has the advantage of capturing a much broader range of information, including on how those regulatory measures are applied in practice, but often misses the link to the underlying legal instruments and forces the users to trust the cited third-party source without the ability to verify it directly.

ii.  Scope of the data collection

Some procedural steps constrained the scope of data collection for the DTRR. Like the proverbial needle, finding one specific measure that exists in the whole regulatory haystack of a given country can be a time-consuming exercise. To prevent an infinite search, the team adopted a standardized procedure that delivered substantial results while keeping the data collection effort at a feasible scale. The first step of data collection entailed reviewing a number of online databases, repositories, books, studies and similar services that offer legislative information on areas covered by the DTRR. Broad databases like UNCTAD Cyberlaw Tracker, OneTrust DataGuidance, ECIPE's Digital Trade Restrictiveness database and the Digital Trade Integration database were particularly helpful in finding and accessing regulations. Over 20 other databases, some of them specific to certain topics, like the UN Global Survey on Digital and Sustainable Trade Facilitation or the World Intermediary Liability Map of Stanford University, were consulted in order to identify the country-specific regulations. Further, where no relevant regulation was identified through those selected databases, the team conducted thorough online research, starting with the official websites of the government as well as broad online searches for third-party information. In many cases, national news media, local law firms, or specialized blogs or articles contained information about whether certain legislation had been adopted, which then facilitated a more granular search. Ultimately, all instruments were taken from publicly available official online sources, mostly government websites such as official gazettes or repositories from specialized government agencies such as sectoral Ministries, data protection authorities, or consumer protection agencies.

Several substantive boundaries were set for the data collection and review. To keep the research feasible, the team applied specific criteria to limit the types of legislation included. These rules comprised:

1. National / Federal disciplines: except for the cases of three US states, California, New York and Texas, all legislation featured in the database are disciplines adopted at the national (federal) level. International agreements were not considered,6 nor were private industry standards and draft or proposed legislation.
2. Primary and secondary legislation: the broad regulatory research and collection effort focused on acts by Parliament / Congress and general decrees by the Executive branch. Ministerial-level regulations were not part of systematic review, but some instruments were considered if they were referred to by either other legal instruments or third-party sources. Court decisions were not considered as legal sources for data collection.
3. Mandatory regulatory: All instruments are laws or regulations of mandatory nature. Individual provisions, guidance instruments, or calls for certain best practices that are subject only to voluntary compliance were not included in the database. An exception to this rule was made for certain Japanese instruments, such as the "Guidelines for Operational Standards for Bandwidth Control" that are broadly considered mandatory instruments even though they do not feature specific sanctions.

6. OECD's Index of Digital Trade Integration and Openness (INDIGO) tracks progress in international arrangements that matter for digital trade.

The search was limited to certain types of laws that had been identified as generally featuring the relevant regulatory solutions. Table 4 provides an example for some of the laws that were typically reviewed for each regulatory area. In a handful of situations, certain loosely identified legislation in the media or government websites could not be found. As a result, and given the strict requirement for traceability guiding the data collection, it cannot be ruled out that some relevant pieces of legislation may have been missed, especially for middle- or low-income economies. On the other hand, the regulatory solutions that are mentioned are certainly in effect or would have become effective by June 30, 2024.

Table 4: Common legislative sources
Columns: e-document/e-signature | Online consumer protection | Data protection/Cybersecurity | Intermediary liability
Law on electronic commerce/transactions/trade/exchanges    
Digital economy law  
Law on electronic communications  
Law on electronic documents 
Law on electronic signature 
Law on consumer protection  
Law on personal data protection 
Law on cybersecurity  
Digital security act  
Law on information technology crimes 
Cyber/computer crimes act  
Copyright act 
Information and communications act  
Law on information society services  
Civil code 
Commerce code  
Evidence Act 
Criminal code 

iii. Interpretation

The regulatory reviews were guided by a few principles focused on the intent behind the rules. While the database builds on the notion that certain key measures are at the basis of digital trade regulation worldwide, how those laws are drafted and incorporated into the regulatory framework can vary greatly. The same provision may be found featured as a mandate ("shall" ["Trust services provided by trust service providers established in a third country shall be recognised as legally equivalent to qualified trust services provided by qualified trust service providers established in the Union where …"]7) or as a prohibition ("A data message, electronic document, electronic record or other communication must not be denied legal protection, effect, validity, or enforceability on the ground that it is in electronic form"8). Even a prohibition can be expressed through positive language ("It shall be unlawful for any person to use a bot to communicate or interact with another person in California online, with the intent to mislead the other person about its artificial identity…"9), or negative language ("Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs … shall be prohibited."10), or even neutral language but associated to a sanction.

7. Article 14, Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC.
8. Article 5, Fiji Electronic Transactions Act 2008 (No. 26 of 2008).
9. Section 17941(a), Chapter 6, Part 3, Division 7, California Business and Professions Code.
10. Article 9, Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

Reviewing thousands of regulatory measures from around the world in order to decide whether or not they meet one specific definition necessarily entails a cautious interpretative effort. Even a meticulous reading, however, cannot eliminate occasional doubts and some level of value judgement. Further, to limit the impact of such uncertainties and to make sure that all regulations were being assessed through the same lens, some teleological principles were defined to help the reviewers in the interpretation, namely:

1.
Context: when the language of the provision(s) was not clear enough to determine the answer to our question, context was taken into consideration. This includes the goal of the legislation, whether the legislation was following a given instrument (model law, other country's regulation, etc.). In addition, the position of the provision was considered, for example, what provisions are adjacent, what title and section the provision is housed under, among others.
2. Governing Ministry/Agency: the authority over the law will commonly have layman's explanations on their website via Q&As, blog posts, news reports, or short explanatory guides.
3. Legal blogs and regulatory research websites: big law firms and domestic specialty firms generally post short blogs regarding recent legislation as well as articles analyzing or describing legal developments. In addition, regulatory research websites (DTI, WIPO, Library of Congress) may have final conclusory data on regulations or links to explanatory texts.
4. Pro-measure: when, despite all other interpretative efforts, a provision (or combination thereof) left doubts about whether it in fact featured a specific measure, it was recorded as the regulation being in place—the most favorable interpretation for the country. The opposite is true for the handful of "negative" measures included in the database, particularly those related to cross-border data flows.

iv.  Deviations I: Restrictions on cross-border data flows

International flows of machine-readable data are essential for digital trade, especially for trade in services (WDR2021). Specifically, cross-border trade in services relies on information traveling through telecommunications networks (i.e., digital data) to deliver the services from suppliers to consumers located around the world. Digital data plays a role in digital services much like shipping containers do in merchandise trade: it serves as the medium for the content of the transaction to reach its consumer. Regulatory restrictions on the cross-border movement of data are therefore the effective equivalent to direct restrictions on international trade on digital services.

Deviating from its own philosophy, the DTRR includes a set of restrictive regulatory solutions to cross-border data flows. Given the critical role that data flows play in digital trade, it was decided that regulatory restrictions on cross-border data flows, in particular limitations to cross-border transfers and data localization requirements, were inherent to a database focused on digital trade regulation. The DTRR section on cross-border regulations therefore deviates from other DTRR sections as it features both "positive" regulatory solutions that contribute to an enabling environment for digital trade, as well as "negative" regulatory solutions that entail limitations to cross-border data flows, thus hampering the ability to engage in services trade. Nineteen of the 34 regulatory measures collected under the section capture different types of limitations to cross-border data flows.

Regulatory restrictions on cross-border data are sandboxed for the purposes of analysis and visualizations of the regulatory environment. When assessing the progress and "readiness" of the regulatory framework for digital trade, restrictions on cross-border data were considered separately from all other data points in the data. Since the DTRR builds on the notion that a comprehensive and modern regulatory framework acts as an enabler for digital trade, broad analyses and descriptions based on the DTRR, especially aggregate comparative figures that describe the "readiness" for digital trade, effectively exclude all 19 datapoints on data restrictions from the visualizations and analysis. However, these data are brought to light when looking specifically at regulations on cross-border data flows, and wherever reference to data limitations is warranted.

v.  Deviations II: Paperless Trade and Digital ID

Digitalization of border procedures plays an essential role in facilitating cross-border trade, including goods traded through e-commerce. Paperless trade refers to the digitalization of information flows required to support the international movement of goods, especially during customs procedures (WTO, 2022). Such procedures include the establishment of "single windows," recognizing the electronic submissions of documents such as customs declarations, certificates of origin, and sanitary and phytosanitary certificates, as well as accepting electronic payments of customs duties and other fees. For e-commerce, this also includes adopting expedited channels and simplified procedures for processing parcels.

Regulations for paperless trade and digital ID span multiple regulatory levels, which required an exception in the DTRR methodology. While some disciplines relevant to paperless trade are often adopted as laws or decrees, it is also often the case that those rules are adopted at lower levels of government, including ministerial declarations or directives from customs or other specialized agencies. Access to these lower-level regulations has proven particularly elusive, limiting the ability to review those regulations and "trace" the DTRR's datapoints to actual legal instruments, which is the rule for the database. Similarly, many digital ID systems may have been implemented through public-private partnerships, or contractual arrangements where a government may have hired a trust services provider to establish the digital identification system. Rules relating to whether national digital ID systems are accessible by private services providers may have been codified at a departmental level, either as a departmental directive or internal rules of the governmental agency. Considering these challenges in data collection, and taking into account the importance of paperless trade for trade in goods, including those traded through e-commerce, it was decided to deviate from the DTRR "traceability" approach with regard to two regulatory solutions (out of the three covered in that section). Two questions on paperless trade have therefore been answered based on information provided in the UN Global Survey Digital and Sustainable Trade database, in cases without identifying the specific regulations that support those results. Future revisions of the DTRR database are expected to improve this methodology to be able to trace regulations in this section.

B.  Geographical scope

The DTRR database covers 121 economies, including 118 countries and 3 sub-federal states. Countries were selected to ensure broad coverage across all world regions and levels of development, as shown in Table 5 below. The 121 economies include three states of the United States, California, New York, and Texas. These three states were included in the regulatory review to capture the regulatory differences that are the result of the US federal system, which grants states jurisdiction to regulate various areas relevant to digital trade, such as data governance and consumer protection. The three US states were selected given their size and the influence of tech firms (California, Texas) and their global role as a dispute resolution hub for international contracts (New York).

Table 5: Economies covered in DTRR database (a)

Region | Low income | Lower-middle income | Upper-middle income | High income | Totals
East Asia and Pacific | | Cambodia, Lao PDR, Myanmar, Papua New Guinea, Philippines, Samoa, Solomon Islands, Vanuatu, Viet Nam | China, Indonesia, Fiji, Malaysia, Mongolia, Thailand | Australia, Japan, Korea, New Zealand, Singapore | 20
Europe and Central Asia | | Kyrgyz Rep., Tajikistan, Uzbekistan | Albania, Armenia, Azerbaijan, Belarus, Bosnia and Herzegovina, Georgia, Kazakhstan, Kosovo, Moldova, Montenegro, North Macedonia, Serbia, Türkiye, Turkmenistan, Ukraine | Croatia, Czechia, Estonia, France, Iceland, Latvia, Lithuania, Norway, Russia, Slovenia, Switzerland, U.K. | 30
Latin America & the Caribbean | | Bolivia, Haiti, Honduras, Nicaragua | Argentina, Belize, Brazil, Colombia, Costa Rica, Dominican Republic, El Salvador, Jamaica, Mexico, Peru | Chile, Panama, Uruguay | 17
Middle East & North Africa | | Egypt, Morocco, Tunisia | Algeria, Iran, Iraq, Jordan, Lebanon | Bahrain, Israel, Kuwait, Oman, Qatar, Saudi Arabia, UAE | 15
North America | | | | Canada, United States, U.S. – California, U.S. – New York, U.S. – Texas | 5
South Asia | Afghanistan | Bangladesh, Bhutan, India, Nepal, Pakistan, Sri Lanka | Maldives | | 8
Sub-Saharan Africa | Burkina Faso, C.A.R., Chad, D.R.C., Ethiopia, Liberia, Madagascar, Rwanda, Sierra Leone, Somalia, South Sudan, Uganda | Angola, Benin, Cameroon, Congo Rep., Cote d'Ivoire, Ghana, Kenya, Nigeria, Senegal, Tanzania | Botswana, Gabon, Mauritius, South Africa | | 26
Totals | 15 | 36 | 38 | 32 | 121

a. Categories are based on World Bank regional and income classification for 2025–2026. Available at https://datahelpdesk.worldbank.org/knowledgebase/articles/906519-world-bank-country-and-lending-groups

C. Caveats

When using the DTRR database, it is important to be aware of its limitations. Reviewing laws and regulations from across the globe required certain compromises to make the data suitable for tabulation and user-friendly comparison. These compromises affect how the information is collected, reviewed, and presented, and should be considered when interpreting the database.

i.  Sub-set of regulation

The exercise did not review the entirety of laws and regulations enacted by all covered countries. Collecting and reading every legal instrument in the world would make for a very accurate, but unfortunately not cost-efficient, database. The data collection was thus based on a specific procedure and sub-set of regulations likely to deliver comprehensive and reliable results within a reasonable effort and budget—as explained in Section 3. This means that there may be some regulatory measures in place that have not been recorded in the database. In fact, in a few cases (less than a handful) there were third-party reports indicating that some measures were in place, but no legal instruments could be found to support that information. Users of the DTRR should be aware that different methodological decisions carry certain implications.

Regulatory solutions may exist beyond those featured in the DTRR. This may be the case especially for low-income countries that have not digitalized their legal information. Further, some regulatory areas, like paperless trade, consumer protection, and questions on digital ID, are often governed by decrees or ministerial directives or guidelines that are less likely to be made available online. However, given the breadth of the review, it is possible that specific regulatory measures were missed, but unlikely that instruments governing entire regulatory areas were omitted.

ii.  Legal interpretation

Interpreting regulations, especially from foreign legal instruments, is not an exact science. The interpretation of regulations, especially when read directly from legal instruments, invariably involves a degree of subjectivity. As a result, it is possible that the reviewers misread, and thereby misclassified, the information. The reviewing team sought to mitigate this risk by ensuring that their reading was in line with other literature as well as the classification in other databases. In particular, the team collaborated closely with the authors of the Digital Trade Integration Project11—the online database most closely related to DTRR—to ensure that interpretations were aligned. However, some regulatory measures may be interpreted differently across databases, or in comparison to how they are intended in the source country.

11. https://dti.eui.eu/.

iii.  Implementation / de facto Regulation

The dataset does not account for the implementation or enforcement of existing legislation. The information reflected in the database focuses on de jure regulatory solutions as captured in mandatory legal instruments. The data does not capture whether or how those measures are being implemented, or whether other informal de facto measures apply. This limits the understanding of the effective regulatory framework applying to digital trade, especially in middle- and low-income countries with weak governance practices, where the gaps between written rules and actual enforcement and monitoring practices by government agencies are often substantial. Some studies have focused on assessing implementation and enforcement of regulations on specific policy areas, such as on consumer protection (OECD, 2018), based on surveys or questionnaires answered by policymakers or practitioners. By contrast, this "weakness" of the DTRR of capturing only de jure information is the result of its methodological approach to strictly feature data directly referenced to formal regulatory instruments, ensuring "traceability" of the information.

iii.  Different legal systems

It is important to note that the DTRR does not account for differences in legal systems or the various sources of law they may recognize. Instead, it focuses exclusively on written laws and regulations adopted by legislative or executive bodies. Legal systems around the world differ in the sources they recognize for establishing general rules. One key distinction is between civil law and common law traditions. Civil law systems rely primarily on written instruments—laws and regulations enacted by legislatures or, in some cases, adopted by the executive branch under specific conditions. In contrast, common law systems, while also recognizing written legislation, give legal weight to judicial decisions. These decisions, particularly those issued or affirmed by higher courts, contribute to a body of jurisprudence that evolves through precedent.

Another layer of variation arises from how power is distributed within a country. In federal systems, legal authority is shared across multiple levels of government—such as federal, state, or provincial—whereas unitary systems centralize power at the national level. Additionally, some jurisdictions incorporate customary law, which derives from long-standing local traditions or the authority of local or religious leaders. Given the diversity of legal traditions globally, the DTRR standardizes its approach by focusing exclusively on written laws and regulations—typically those adopted by the legislative or executive branches—rather than attempting to account for all possible sources of legal authority.

In practice, few differences exist when it comes to technical economic regulations. The review of regulations on digital trade did not yield major differences between countries featuring these different legal systems. Economic regulations, specifically those focused on digital transactions, are only marginally affected by customary or religious rules, which tend to govern more traditional legislative aspects, like criminal and civil justice—in fact, countries based on a customary or religious system also tend to adopt written rules on more modern and complex aspects of legislation, including digital trade. Indeed, the review did not find significant differences between common-law and civil-law systems. Granular matters related to market regulations are rarely regulated through judicial decisions, especially in technical issues like electronic transactions, cybersecurity, or data protection. In fact, comprehensive regulations were found in all regulatory areas in the common law countries under review. However, in common law systems, certain regulatory solutions may not be explicitly written into legislation if they are already established through judicial decisions. As a result, the DTRR may undercount some areas of regulation in these systems. This is particularly relevant for consumer protection and intermediary liability, which are often shaped by long-standing case law on commercial matters, even outside of digital contexts. Still, the decision to adopt comprehensive online consumer protection regulation appears to reflect policy choices more than legal tradition, as some common law countries—such as the United Kingdom—have introduced extensive statutory frameworks in this area.

Box 3: Federalism versus unitary systems of government

When gathering laws, the issue of federalist countries commonly gets brought up. This is because most countries in the world subscribe to a unitary form of government, which means that there is one central legal framework that rules over the country. Gathering laws on unitary forms of government is, therefore, much simpler than the alternative—countries that subscribe to federalism. Federalism breaks apart the single system of government into a tiered system, which is usually a state or provincial level and a federal level. In a federal system, both state and national governments hold legal authority. Because states can pass their own laws, a single country may have legal differences across jurisdictions. However, state laws cannot conflict with federal laws, which take precedence.

To ensure a uniform application of the laws when gathering data on the countries, the review did not include data below the federal level. Including laws from state or provincial levels could result in conflicting rules across jurisdictions or inconsistent legal coverage, as not all subnational entities adopt similar legislation. Thus, only federal legal rules were counted: national laws, national regulations, executive/legislative/federal agency decrees, and binding federal agency rules.

However, a case study on the United States was performed to better understand the impact of federalism in a large digital economy. Three states were studied based on the size of their large economies: California, New York, and Texas. All three states include data from both federal and state-level laws, offering a more robust picture of how federal systems function in practice. The findings only significantly differed over new legislation, such as data protection, AI, and cybersecurity. Logically, these findings match with predictions, likely because state governments tend to move faster than federal governments that have more competing interests.

v.  Presenting regulatory "Readiness" trends: quintiles

Regulatory "readiness" for digital trade hinges on a comprehensive and modern legal framework, more than specific regulatory solutions. An enabling legal environment for digital trade depends on providing effective measures to tackle the novel challenges of digital, international markets. These challenges are addressed by specific regulatory solutions like the ones captured in the DTRR. However, few regulatory measures are by themselves determinants of an enabling environment for digital trade; instead, overcoming the challenges of digital markets typically requires a set of various interrelated regulatory measures contributing to the overarching policy goal. For example, multiple regulatory measures can act as safeguards for personal privacy, including explicit limitations on the legal basis for data collection and processing, ensuring a right to access such information by data subjects, the "right to be forgotten," and specialized and stricter rules on biometric data; while all these measures contribute to the same goal, the absence of one or some of them does not necessarily make it a poor framework. As a result, when assessing the "readiness" of a given regulatory area, it is important to consider the regulation as a whole rather than the presence or absence of a specific safeguard.12

Graphs based on categories, rather than specific values, help visualize this approach. To reflect the importance of looking at regulations broadly, rather than merely counting regulatory solutions, it is advisable that analyses based on the DTRR data be best featured in stepped categories of regulatory progress. The DTRR website, for example, portrays regulatory readiness in five categories (quintiles) depending on the percentage of positive answers to the regulatory solutions considered in each regulatory area.

D.  Next steps

i.
Data update and validation

The DTRR database will maintain accuracy and relevance through structured updates, expert collaborations, and community feedback. Ensuring the accuracy and timeliness of the DTRR database is important for its efficacy and reliability. A structured strategy will be implemented for data update and validation, including periodic data audits and real-time updates. This strategy will involve collaboration with international trade experts, stakeholders and regulatory authorities to continuously source and verify new data. In line with the latest development of technologies, a combination of automated data scraping techniques and expert review panels may be adopted to keep the database comprehensive and up to date. Additionally, a user-feedback system will be introduced, allowing users to report discrepancies or outdated information, thereby creating a community-driven verification process that enhances the database's integrity and utility.

12. When assessing restrictions on digital trade, rather than enabling regulatory solutions, the opposite is true. A comprehensive "enabling" framework may be effectively spoiled by the presence of just one regulatory restriction, particularly if it entails a major limitation, such as pre-approval requirements for cross-border data transfers.

ii.  Expansion of data coverage

To further enhance the value of the DTRR database, strategic expansion of data coverage will be crucial. This expansion will seek to include newer areas of digital trade that gain prominence, such as regulations around electronic payments, digital taxation, competition between online platforms, e-commerce logistics, paperless trade, customs regulations and the implications of artificial intelligence. By integrating these emerging sectors, the database will offer insights into the fast-evolving landscape of digital trade.

Moreover, the database will expand to include additional countries, focusing on those in emerging markets which are increasingly influential in the global digital economy. Broadening the coverage of these regions will provide a more comprehensive global perspective on digital trade regulations.

Additionally, the questionnaire within the topic areas will also be extended to address these new topics, incorporating additional questions that reflect the latest technological developments. This will ensure the database not only captures a wide range of regulations but also remains at the forefront of digital trade issues.

iii. Uses

The DTRR database is a dynamic platform that provides stakeholders from various sectors with critical insights and data to shape and enhance digital trade policies globally—supporting legal, economic, and policy development. The DTRR database is designed to be an instrumental resource for a diverse array of stakeholders, including developing countries, academic researchers, digital trade companies, and others engaged in the realm of digital trade.

The DTRR database serves as an invaluable tool for policymakers and regulatory bodies in developing countries by providing access to a comprehensive repository of digital trade regulations from around the world, across various income groups and regions. The database offers insights into current practices and regulatory frameworks that have been successfully implemented elsewhere. It can guide the formulation and refinement of their own digital trade policies, fostering an environment conducive to digital economic growth and integration into the global digital economy.

Researchers and scholars may find the DTRR to be a valuable resource for comparative legal studies, policy analysis, and socio-economic research related to digital trade. Its broad coverage of regulatory approaches offers an empirical foundation for academic work, policy development, and teaching materials. The database also supports the exploration of trends, patterns, and regulatory outcomes across jurisdictions.

Other stakeholders—including legal practitioners, international trade organizations, and consumer advocacy groups—can use the DTRR to monitor regulatory developments, anticipate changes in legal frameworks, and engage more effectively in policy discussions. Its detailed insights may also support advocacy efforts by providing evidence to inform digital regulation that balances trade facilitation, consumer protection, and innovation.

iv.  Analytical and Quantitative work

The database offers comprehensive regulatory data and analytical resources, assisting stakeholders in effectively developing and implementing informed digital trade policies. The DTRR database serves as both a comprehensive repository of global digital trade regulations and a robust analytical tool that transforms raw data into actionable insights. This dual functionality makes the DTRR database an indispensable resource for policymakers, industry experts, and researchers focused on the intricacies of digital trade. In practical terms, the database supports detailed analysis of digital trade practices by providing users with access to extensive regulatory information from various countries and sectors. This enables users to conduct comparative analyses, identify regulatory trends, and benchmark against global standards.

users can develop strong business strategies and policy frameworks that proactively address market developments.

Access to comprehensive regulatory data allows policymakers to compare their national frameworks with those of other countries,
facilitating insights into areas of strength and Companies engaged in cross-border e-commerce, potential improvement. This capability supports for example, can analyze entry requirements, con- evidence-based policymaking and aids in the devel- sumer protection laws, and data privacy regulations opment of policies that promote a competitive and across multiple jurisdictions to effectively strate- efficient digital trade environment. It also enables gize their market expansion plans. policymakers to align their regulations with global best practices and international standards, ensur- Based on the previous work done for WDR2021, ing that their legal frameworks support digital trade a deeper analysis of cross-border data transfer while safeguarding consumer rights and promoting regimes can be effectively conducted using the data security. DTRR database. The comprehensive insights and foundational frameworks established in WDR2021 provide a solid groundwork for further explora- v. Feedback tion. By leveraging the extensive data and detailed Recognizing the importance of user input in the regulatory information within the DTRR database, continuous development and refinement of the researchers and policymakers can gain a nuanced DTRR database, a comprehensive feedback sys- understanding of how different regulatory regimes tem will be implemented. This system will include impact the flow of non-personal data across bor- regular user surveys and an open channel for ongo- ders. This analysis is crucial for identifying best ing comments and suggestions. Feedback collected practices, potential barriers, and opportunities to through these mechanisms will be systematically enhance global digital trade and data governance. reviewed and used to guide updates and enhance- ments to the database, ensuring it remains relevant Additionally, the DTRR database enables users and useful. 
The goal is to establish a development to model and predict the effects of regula- process centered around users, involving them tory changes on their economies or businesses. directly in the evolution of the database. This strat- This functionality supports scenario analysis, risk egy not only enhances the accuracy and relevance assessment, and economic impact studies, which of the database but also builds a sense of com- are crucial for making informed decisions. By quan- munity and ownership among users, ultimately tifying the potential effects of new regulations, improving their experience and satisfaction. 4. LOOKING AHEAD One day, people will wonder how global trade was experience. While some areas of regulation evolve even possible before goods and services were quickly in response to new technologies, others seamlessly bought and sold in global digital mar- lag behind or struggle to adjust to the pace and kets without regard to or even knowledge of where complexity of digital change. And, for the most vendors were located. We are not there yet. For part, digital trade is smooth and effective until the time being, digital trade offers a mixed picture something goes wrong, and then it becomes cha- across countries and sectors. In some countries it otic and hopeless as entailing strong reputational is thriving, and in others it is still a new, unusual damages. DIGITAL TRADE REGULATORY READINESS 37 A Global Database The DTRR and similar tools contribute to building a • What digital trade regulations and institutions global enabling framework for digital trade by help- fit best given the limited capacity (human and ing to identify regulatory gaps, good practices, and financial) of many developing countries and regulatory restrictions. For  example, DTRR data LDCs? 
can help identify regulatory gaps in a given country, • How may private sector initiatives such as provide visual summaries of digital trade policies, codes of conduct complement, or even replace, and identify where domestic storage and process- binding rules like the ones covered in the DTRR ing requirements exist—and for which sectors. database? Some policy areas, such as artificial intelligence or As digital technologies continue to advance and aspects of paperless trade, are still in early stages expand, there is little doubt that digital trade will of regulatory development. Tools like the DTRR can follow—and so will regulation. Regulation on digi- support these emerging areas by offering a clearer tal trade will continue to play catch-up with reality, picture of current practices and helping guide more one hopes in a way that fosters integration at a consistent and informed policymaking. global level and inclusion and growth at the local level. Understanding how to achieve those goals, This new data also gives rise to further analyt- especially in the developing world, cannot wait. ical questions. The regulatory research prompts additional questions that can help expand the under- The DTRR and similar tools help advance a global standing of regulations and their relationship with enabling framework for digital trade by identifying international trade. Some of these questions can be regulatory gaps, good practices, and restrictions. addressed through economic empirical analysis: However, the lack of policy coordination across countries poses a risk of regulatory fragmentation. • How do these regulations affect the digital trade If countries develop isolated digital trade frame- ecosystem? works, this could lead to marginalization of certain • Which of these regulatory areas are more rel- economies and the formation of suboptimal reg- evant for digital trade in goods, services, etc.? 
ulatory blocs that hinder seamless cross-border • Does a comprehensive and modern digital trade digital transactions. regulatory framework foster investment in digi- tal business and innovation? To avoid this, fostering international regulatory cooperation is essential. Alignment with global Other research may build upon the DTRR data to best practices—through multilateral agreements further understanding of the enabling legal and (e.g., WTO e-commerce negotiations), regional ini- institutional environment for digital trade. Some tiatives, or bilateral dialogues—can help ensure relevant questions to be explored in that sense a cohesive and inclusive digital trade ecosystem. include: Such coordination is crucial in preventing trade inefficiencies, reducing compliance burdens, and • What are the institutional capacity needs enabling all economies to fully benefit from the dig- behind digital trade regulation? ital economy. 38 DIGITAL TRADE REGULATORY READINESS A Global Database Bibliography CIGI-Ipsos Global Survey on Internet Security and Trust 2017. IMF, OECD, UNCTAD and WTO (2023), Handbook on Measuring Digital Trade, Second Edition, OECD Publishing, Paris/International Monetary Fund/UNCTAD, Geneva 10/WTO, Geneva, https://doi.org/10.1787/ac99e6d3-en. Ferracane, M. F., & van der Marel, E. (2018). Do data policy restrictions inhibit trade in services? ECIPE DTE Working Paper Series No. 2. European Centre for International Political Economy. https://ecipe.org/publications/do-data-pol- -restrictions-inhibit-trade-in-services/Ferracane, Martina Francesca and Erik icy​ van der Marel. 2021. Regulating Personal Data: Data Models and Digital Services Trade. Policy Research Working Paper; No. 9596. © World Bank, Washington, DC. http://hdl.handle.net/10986/35308 License: CC BY 3.0 IGO.” Ferracane, Martina and Erik van Der Marel 2021b. Do data policy restrictions inhibit trade in services?. Rev World Econ 157, 727–776 (2021). https://doi. org/10.1007/s10290-021-00417-2. 
Gasser, Urs and Schulz, Wolfgang, Governance of Online Intermediaries: Observations from a Series of National Case Studies (February 18, 2015). Berkman Center Research Publication No. 2015-5, Available at SSRN: https://ssrn.com/abstract=2566364 or http://dx.doi.org/10.2139/ssrn.2566364.

National Board of Trade (NBT), 2015, “No Transfer, No Production—a Report on Cross-border Data Transfers, Global Value Chains, and the Production of Goods”.

OECD, 2018, “Consumer protection enforcement in a global digital marketplace”, OECD Digital Economy Papers, No. 266, OECD Publishing, Paris, http://dx.doi.org/10.1787/f041eead-en.

OECD, 2000. Guidelines for Consumer Protection in the Context of Electronic Commerce. Paris: OECD.

Strusani, Davide, and Georges Vivien Houngbonon, 2019, The Role of Artificial Intelligence in Supporting Development in Emerging Markets, FCI, Encompass nº 69, July 2019.

UNCTAD, 2017. Consumer Protection in Electronic Commerce: A Note by the UNCTAD Secretariat. Geneva: United Nations.

UNECE and WEF 2017: Paperless Trading: How Does It Impact the Trade System?

USITC, 2014, “Digital Trade in the U.S. and Global Economies”, available at https://www.usitc.gov/publications/industry_econ_analysis_332/2013/digital_trade_us_and_global_economies_part_1.htm.

World Bank, 2016. “Digital Identity: Towards Shared Principles for Public and Private Sector Cooperation”, available at https://openknowledge.worldbank.org/bitstream/handle/10986/24920/Digital0identi0e0sector0cooperation.pdf.

World Bank, 2020. “Payment Systems Worldwide – A Snapshot: Summary Outcomes of the Fifth Global Payment Systems Survey”.

World Bank, 2021. World Development Report 2021: Data for Better Lives. Washington, DC: World Bank. doi:10.1596/978-1-4648-1600-0. License: Creative Commons Attribution CC BY 3.0 IGO.

World Bank and United Nations. 2017. Combatting Cybercrime: Tools and Capacity Building for Emerging Economies, Washington, DC: World Bank. License: Creative Commons Attribution 3.0 IGO (CC BY 3.0 IGO).

World Economic Forum, 2019. The Global Governance of Online Consumer Protection and E-Commerce. Retrieved from World Economic Forum: http://www3.weforum.org/docs/WEF_consumer_protection.pdf.

Annex I: List of Regulatory Solutions Captured in DTRR Database

Columns: # | Regulatory Solution | Reason | What is Captured | Usually Found in | Correct Example | Incorrect Example

ELECTRONIC DOCUMENTS

1. Regulatory Solution: Electronic communications are legally valid.

Reason: Information shall not be denied legal effect, validity or enforceability solely on the grounds that it is in the form of a data message. The form in which certain information is presented or retained cannot be used as the only reason for which that information would be denied legal effectiveness, validity or enforceability.1

What is Captured: Communications can mean a variety of things. Specifically, for this question, the purpose is to find whether the law specifically recognizes data messages.

Usually Found in:
• Electronic Transactions Act
• Evidence Act

Correct Example: “7. An electronic communication shall not be denied legal effect, validity, admissibility or enforceability solely on the ground that it is– (a) rendered or made available in electronic form; or (b) not contained in the electronic communication purporting to give rise to such legal effect, but is referred to in that electronic communication.”
• Belize Electronic Transactions Act 2021, Section 7
The provision clearly states the validity of electronic communication, and thus applies to the question at hand.

Incorrect Example: “84(1). In any proceeding a statement contained in a document produced by a computer shall be admissible as evidence of any fact stated in it of which direct oral evidence would be admissible, if it is shown that the conditions in subsection (2) of this section are satisfied in relation to the statement and computer in question.”
• Nigeria Evidence Act 2011, Section 84(1)
The provision only applies to electronic evidence that would transcribe or record oral evidence. Because of its limited scope, the provision does not apply.

2. Regulatory Solution: Electronic contracts have the same legal effect as paper-based documents

Reason: Where a data message is used in the formation of a contract, that contract shall not be denied validity or enforceability on the sole ground that a data message was used for that purpose. This is a key step in facilitating electronic transactions, as parties to this type of transaction are usually at different locations. This also boosts the efficiency of ports and customs borders.2

What is Captured: The purpose is to find a provision which specifically states that contracts can be formed by electronic messages, i.e., the offer and acceptance can be expressed electronically.

Usually Found in:
• Electronic Transactions Act
• Law on E-Commerce

Correct Example: “Where a data message is used in the formation of a contract, such contract shall not be denied validity or enforceability on the sole ground that a legal stamp has not been affixed or has not been attested by witnesses.”
• Bhutan Information Communications and Media Act 2018, Art. 284
The provision applies because the contract formation over electronic means is legally valid.

“Formation and validity of contracts
15 (1) In the context of the formation of contracts, unless otherwise agreed by the parties, an offer and the acceptance of an offer may be expressed by means of electronic records. (2) As between the originator and the addressee of an electronic record, a declaration of intention or other statement or delivery of a deed is not to be denied legal effect, validity or enforceability solely on the ground that it is in the form of an electronic record.”
• Republic of Vanuatu, Electronic Transactions Act No. 24 of 2000, Section 15
Here, the provision specifically states the formation of a contract may occur via electronic means, and thus applies.

Incorrect Example: “Automated Transactions. A contract formed by the interaction of an automated message system and a natural person, or by the interaction of automated message systems, shall not be denied validity or enforceability on the sole ground that no natural person reviewed each of the individual actions carried out by the automated message systems or the resulting contract.”
• Afghanistan Law On Electronic Transactions and Signatures 2020, Art 20
The provision merely applies to automated transactions and message systems, and is thus too narrow to apply to the question at hand.

3. Regulatory Solution: Specific provision provides detail on the admissibility of e-documents as evidence

Reason: The provision should stipulate that information in the form of a data message shall be given due evidential weight. A provision which prescribes validity for admissibility of e-documents as evidence prohibits judicial authorities from demanding original physical copies of e-documents or treating electronic records as being intrinsically unreliable.3

What is Captured: A mere statement of admissibility is insufficient. The document must outline clear instructions or criteria for a court to determine its legal validity. Instructions may take the form of limiting the grounds on which the probative value of data messages can be questioned, such as, reliability of the manner in which the data message was generated, stored or communicated, to the reliability of the manner in which the integrity of the information was maintained, to the manner in which its originator was identified, and to any other relevant factor.

Usually Found in:
• Law on Electronic Documents
• Law on Electronic Signatures

Correct Example: “1. An electronic document that meets the criteria of Article 6 of this Law shall be used as proof. 2. The body receiving the electronic document as proof shall determine its validity, taking into account the data on the preparation, storage, transmission, security and authenticity of its electronic signature and / or electronic stamp, as well as the rules laid down by the legislation in force.”
• Albania Law on Electronic Documents 2010, Art. 12
This example works because Art. 12(2) specifies what the court must take into account to permit admissibility.

Incorrect Example: “ARTICLE 11. – Original. Electronic documents signed digitally and those reproduced in digital format digitally signed from first-generation originals in any other medium, will also be considered originals and, as a consequence, have probative value as such, according to the procedures determined by the regulations.”
• Argentina Digital Signatures Law 2001, Art. 11
While the text does give the ability to admit an electronic document, it does not provide detail on how to admit electronic documents and thus does not answer the question at hand.

4. Regulatory Solution: The law should remain technology neutral with respect to the storage of e-documents

Reason: It is not appropriate to require that information be stored in its original unaltered form, as messages are often decoded, compressed or converted in order to be stored.4

What is Captured: The provision sets out technology-neutral criteria, which, if satisfied, are deemed to fulfill the legal obligation to retain documents.

Usually Found in:
• Electronic Transactions Act
• Law on E-Commerce

Correct Example: “Article 8: Requirements to retain information in original form
A legal requirement to retain information that was not made electronic form may be fulfilled by the retention of such information in electronic form if:
1. Such electronic form is a reliable means to determine the completeness of the information; and
2. Such information is easily retrievable for subsequent use.”
• Cambodia Law on Electronic Commerce Art. 8
The provision is sufficient to establish technologically neutral principles.

Incorrect Example: “Article 14. Information storage
1. The service provider, who protects the information provided by the recipient at the request of the service recipient, shall not be liable for it if: 1) does not have factual information about the recipient’s illegal activities or that the information provided by the recipient has been obtained, created, modified or used in an illegal manner and, when claiming damages, is not aware of the facts and circumstances indicating the recipient’s illegal activities or that the recipient of the service provides information obtained, created, modified or used in an unlawful manner; 2) upon learning or receiving knowledge about the illegal activities of the service recipient or about the fact that the information provided by the service recipient has been acquired, created, modified or used in an illegal manner, take immediate action to eliminate the possibility of accessing such information.”
• Lithuanian Republic of Information Society Services Law 2006, Section 14
The provision here applies to service provider liability and, thus, does not create rules on neutrality.

ELECTRONIC SIGNATURE & DIGITAL ID

5. Regulatory Solution: Electronic signatures are legally valid

Reason: Countries may provide certain functional criteria for the legal recognition of electronic signatures irrespective of the technology used. This is also known as the minimalist/permissive approach. Laws that require the use of specific technologies such as encryption to recognize the validity of the signature (prescriptive approach) would not meet this requirement.5

What is Captured: This question is aimed at finding explicit and direct language within the law which states that electronic signatures are accepted regardless of the technology utilized. However, although all digital/advanced signatures are electronic signatures, not all electronic signatures are digital signatures. Therefore, the purpose of the question is to see if the basic tenet of recognizing electronic signatures is in place. Please note that different regulations use definitions of “digital” and “electronic” signatures to prescribe different levels of reliability of different electronic/digital signature. The definition of “digital” and “electronic” signatures is only one of the factors to be considered while answering the question.

Usually Found in:
• Electronic Transactions Law
• Electronic Signatures Law
• Digital Signatures Law

Correct Example: “Section 5. Subject to the provisions of this Act, an electronic signature shall not be denied legal effect, validity or enforcement solely on the grounds that it is in electronic form.”
[Read with]
“Section 25. (1) An electronic signature shall be considered to be reliable for the purpose of satisfying the requirements of this Act where -
(a) the signature creation data is, within the context in which it is used, linked to the signatory and to no other person;
(b) the signature creation data was, at the time of signing, under the control of the signatory and of no other person;
(c) any alteration to the electronic signature, made after the time of signing, is detectable; and
(d) the purpose of a legal requirement for a signature is to provide assurance as to the integrity of the information to which it relates, any alteration made to that information after the time of signing is detectable.
(2) Subsection (1) shall not limit the ability of any person -
(a) to establish in any other way, for the purpose of satisfying the requirement referred to in section 6, the reliability of an electronic signature; or
(b) to adduce evidence of the non-reliability of an electronic signature.”
• Botswana Electronic Communications and Transactions Act, 2014, Sections 5, 25
The two provisions, when read together, create legal validity for electronic signatures.

Incorrect Example: “Section 2: For the purposes of this law and its implementing instruments, the following terms shall mean:
“Electronic Signature: Signature obtained by an asymmetrical encryption algorithm that helps to authenticate the sender of a message and verify the integrity thereof;”
• Cameroon Law No. 2010/021 of 21 December 2010 on Electronic Commerce, Section 2
The definition of an electronic signature is the definition of a digital signature. As this creates a higher standard of encryption, the provision does not apply to the question regarding basic electronic signatures.

6. Regulatory Solution: Certificates issued by a qualified certification authority (CA) or using specific technology have the same legal status as handwritten signature

Reason: This provision creates a benefit in favor of certain techniques involving certificates issued by qualified certification authorities, which are recognized as particularly reliable, irrespective of the circumstances in which they are used. This ensures that, where any legal consequence would have flowed from the use of a handwritten signature, the same consequence should flow from the use of a reliable electronic signature. E-signatures that don’t meet this requirement are recognized as valid, but not given additional probative value (hybrid/tiered approach).6

What is Captured: This question may be answered in two ways: that a qualified authority’s certification gives the same legal status as a handwritten signature, or that a specific technology gives the same legal status as a handwritten signature. The purpose of this question is to discover if advanced/digital signatures are legally recognized to be secure. Provisions that treat all verification techniques the same—without distinguishing among them—do not qualify as an affirmative response to this question.

Usually Found in:
• Electronic Transactions Law
• Electronic Signatures Law
• Digital Signatures Law

Correct Example: “Article 8. Scope of the concept. A digital signature is understood as any set of data attached or logically associated with an electronic document, which allows its integrity to be verified, as well as to univocally identify and legally link the author with the electronic document. A digital signature will be considered certified when it is issued under the protection of a valid digital certificate, issued by a registered certifier.
Article 9. Equivalent value. Documents and communications signed by digital signature will have the same value and probative value as their equivalent signed in manuscript. In any legal regulation that requires the presence of a signature, both digital and handwritten signatures will be recognized in the same way. Electronic public documents must bear a certified digital signature.”
• Costa Rica, Decree No. 8454, Law of Certificates, Digital Signatures, and Electronic Documents, 2005, Articles 8, 9
Article 8 sets out the requirements for a digital signature that match with the higher encryption standards of one, and Article 9 specifically provides a digital signatures equivalency to handwritten signatures. These provisions sufficiently answer the question.

Incorrect Example: “10. Signature Requirement for signature
(1) If, under a law of the Commonwealth, the signature of a person is required, that requirement is taken to have been met in relation to an electronic communication if:
(a) in all cases—a method is used to identify the person and to indicate the person’s intention in respect of the information communicated; and
(b) in all cases—the method used was either:
(i) as reliable as appropriate for the purpose for which the electronic communication was generated or communicated, in the light of all the circumstances, including any relevant agreement; or
(ii) proven in fact to have fulfilled the functions described in paragraph (a), by itself or together with further evidence; and
(c) if the signature is required to be given to a Commonwealth entity, or to a person acting on behalf of a Commonwealth entity, and the entity requires that the method used as mentioned in paragraph (a) be in accordance with particular information technology requirements—the entity’s requirement has been met; and
(d) if the signature is required to be given to a person who is neither a Commonwealth entity nor a person acting on behalf of a Commonwealth entity—the person to whom the signature is required to be given consents to that requirement being met by way of the use of the method mentioned in paragraph (a).”
• Australia, Electronic Transactions Act, 2009, Section 10
Although the provision provides that signatures via electronic communications are sufficient to conclude contracts, the provision does not specifically apply to digital signatures as the language of the text is too broad.

7. Regulatory Solution: Digital signatures with a valid certificate are afforded a rebuttable presumption, regardless of certification provider or technology used

Reason: The presumption provides legal certainty that a recognized digital signature method—when supported by a valid certificate—carries the same legal effect as a handwritten signature. Without such a provision, courts may require signatures to meet a subjective standard of being “as reliable as appropriate,” creating unpredictability in enforcement. A rebuttable presumption ensures that, in the absence of a dispute over identity or intent, the signature is deemed valid. Legislation may allow parties to use any technology of their choice (permissive approach) or offer additional liberties for parties to adopt technologies or certification providers beyond those officially prescribed (hybrid + approach).7

What is Captured: This question first seeks to know whether digital signature certificates get a presumption of their validity. The “regardless” part of this question means that the type of acquisition of the digital certificate does not matter; there still needs to be some sort of certification provider or technology used to get the classification of a valid digital signature.

Usually Found in:
• Electronic Transactions Law
• Electronic Signatures Law
• Digital Signatures Law

Correct Example: “Article 28. Qualified certificates for electronic signatures
1. Qualified certificates for electronic signatures shall meet the requirements laid down in Annex I.
2. Qualified certificates for electronic signatures shall not be subject to any mandatory requirement exceeding the requirements laid down in Annex I.
3. Qualified certificates for electronic signatures may include non-mandatory additional specific attributes. Those attributes shall not affect the interoperability and recognition of qualified electronic signatures.
4. If a qualified certificate for electronic signatures has been revoked after initial activation, it shall lose its validity from the moment of its revocation, and its status shall not in any circumstances be reverted.”
• EU Regulation No. 910/2014 of the European Parliament and of the Council of 23 July 2014 on Electronic Identification and Trust Services for Electronic Transactions in the Internal Market Art. 28
The provision creates a presumption of validity when the text states that no further measures of investigation shall be taken for a qualified certificate.

Incorrect Example: “Signature. 14(1) If, under any written law in Fiji, the signature of a person is required, or if a written law provides consequences for the absence of a signature, that requirement is taken to have been met in relation to an electronic communication, where –
a. a method involving an electronic signature is used by or with the authority of the person to identify the person and to indicate the person’s intention in respect of the information communicated;
b. the person to whom the signature is required to be given consent to that requirement being met by way of the use of the method mentioned in paragraph (a);
c. the method – (i) having regard to all the relevant circumstances including any relevant agreement, as reliable as appropriate for the purposes for which the information was generated or communicated; or (ii) proven in fact to have fulfilled the functions described in paragraph (a), by itself or together further evidence; and
d. any further requirements prescribed by regulations have been met.”
• Fiji Electronic Transactions Act, 2008, Article 14
The provision applies to electronic signatures and does not indicate the need for a higher standard of encryption. Thus, as the presumption applies to electronic signatures, the provision does not apply to the question at hand.

8. Regulatory Solution: Foreign digital signatures are granted the same legal effect as domestic signatures

Reason: While many countries require digital signature certificates to be issued by licensed domestic authorities, cross-border commerce demands broader recognition. To support international transactions, legislation should recognize digital signatures based on certificates issued by foreign certification providers, even if those providers are licensed elsewhere.8

What is Captured: This provision establishes a mechanism for recognizing foreign-issued digital certificates, allowing domestic authorities to accept them as legally valid for digital signatures.

Usually Found in:
• Electronic Transactions Law
• Electronic Signatures Law
• Digital Signatures Law

Correct Example: “Foreign Electronic Certificates
Article 14 – The legal effects of electronic certificates issued by any Electronic Certificate Service Provider established in a foreign country shall be recognized under international agreements.
In case that electronic certificates issued by any Electronic Certificate Service Provider established in a foreign country are recognized by an Electronic Certificate Service Provider established in Turkey, such electronic certificates are deemed to be Qualified Electronic Certificates. The Electronic Certificate Service Provider established in Turkey shall be liable for any damages arising from use of those electronic certificates.”
• Turkey Electronic Signature Law, 2004, Article 14
The provision uses language that answers the question directly and thus applies.

Incorrect Example: N/A

9. The national Digital services This question can be • National Identity “8. (1) The Authority shall N/A digital ID system is providers can benefit answered in two ways: Registration Act perform authentication of accessible by private from accessing the (i) a provision which • Text from the official the Aadhaar number of an services providers.
national digital ID indicates or implies websites of National Aadhaar number holder systems to validate that private service Digital ID systems submitted by any requesting the identity of their suppliers have access entity, in relation to his consumers. Many to the national digital biometric information or well-functioning digital ID system; (ii) text demographic information, ID systems only share from the website of subject to such conditions information between the national digital and on payment of such fees the government and ID system which and in such manner as may the citizen. However, indicates the same. access by private service (continued on next page) (continued) # Regulatory Solution Reason What is Captured Usually Found in Correct Example Incorrect Example 9. providers to national be specified by regulations.” digital ID systems can • India, The Aadhaar benefit customers by (Targeted Delivery of enabling access to key Financial and other services which usually Subsidies, Benefits, and require identity Services) Act, 2016, validation, such as Section 8 banking or telecom The provision directly services.9 answers the question by giving private entities the ability to authenticate an ID by requesting authentication from the authority. 10. Restrictions exist Governments may This question applies • National Identity “8. (2) A requesting entity on the numbers and wish to regulate to any provision which Registration Act shall— types of services the types of service seeks to limit the • Text from the official (a) unless otherwise that may use of providers who have number and types websites of National provided in this Act, obtain the national digital access to the personal of service providers Digital ID systems the consent of an individual ID system for data of its citizens which can access the before collecting his identity authentication. in the interest of national digital ID information for the purposes public safety, national system. 
of authentication in such security and integrity manner as may be specified of national databases. by regulations; and If every website (b) ensure that the identity and any service can information of an individual subscribe to the digital is only used for submission identity system, there to the Central Identities is a risk of watering Data Repository for down the value of authentication. the identity, and this (3) A requesting entity can lead to a higher shall inform, in such incidence of identity manner as may be fraud or identity specified by regulations, theft.10 the individual submitting his identity information for authentication, the following details with respect to authentication, namely: (continued on next page) A Global Database DIGITAL TRADE REGULATORY READINESS 49 50 (continued) # Regulatory Solution Reason What is Captured Usually Found in Correct Example Incorrect Example (a) the nature of information N/A that may be shared upon authentication; A Global Database (b) the uses to which the information received during authentication may be put by the requesting entity; and (c) alternatives to submission of identity information to the requesting entity. DIGITAL TRADE REGULATORY READINESS (4) The Authority shall respond to an authentication query with a positive, negative or any other appropriate response sharing such identity information excluding any core biometric information.” • India, The Aadhaar (Targeted Delivery of Financial and other Subsidies, Benefits, and Services) Act, 2016, Section 8 The provision applies because it creates a barrier between private entities and the exact details of personal information on the citizen. Thus, the provision applies to the question at hand. PAPERLESS TRADE 11. Electronic Single An electronic single The question may • Electronic Single N/A N/A Window policy window system be answered by Window websites, exists for customs can decrease referencing the • UNESCAP database procedures search times, UNESCAP database. 
reduce capability dependencies and lower transaction costs for parties to a cross-border transaction.11 (continued on next page) (continued) # Regulatory Solution Reason What is Captured Usually Found in Correct Example Incorrect Example 12. Electronic Certain commercial The question may be • Electronic “An electronic transferable N/A transferable records documents are answered when the Transferable record may not be denied are functionally transferable, i.e., text of the provision Records Law legal effect, validity or equivalent to paper- they incorporate the directly states • Customs Law enforceability on the sole based transferable entitlement to the equivalency exists for • Law Establishing ground that it is in electronic document or delivery of goods electronic transferable Single Window form.” instruments that they describe records. Systems Bahrain Electronic (e.g., bills of lading, • Electronic Transferable Records Law warehouse receipt) Commerce Act Art. 15 or the payment of • Electronic The provision applies money (e.g., checks, Transactions Act because the text of the law promissory notes). explicitly gives equivalency Bills of lading are to electronic transferable particularly relevant records. for paperless trade facilitation and for logistics. Other transferable documents relate to financing and are relevant for national trade platforms.12 13. Foreign origin This aims to eliminate The provision must • Electronic “An electronic transferable N/A or use abroad obstacles to cross- explicitly state the Transferable record is not to be denied of an electronic border recognition recognition of foreign Records Law legal effect, validity or transferable record of an electronic electronic transferable • Customs Law enforceability solely on the is permitted transferable record records. 
• Law Establishing ground that it was issued or arising exclusively Single Window used outside Singapore.” from the place of Systems • Singapore Electronic origin or use of the • Electronic Transactions Act Art. electronic transferable Commerce Act 16P(1) record.13 • Electronic The provision explicitly states Transactions Act the answer to the question and thus applies. ONLINE CONSUMER PROTECTION 14. Framework explicitly Relevant laws for This question may be • Consumer Protection addresses online online consumer answered when there Law consumer protection protection are crucial is at least one form • Electronic to enhance consumer of protection over an Commerce Law trust in e-commerce.14 online transaction. Note that distance contracts and remote contracts are A Global Database DIGITAL TRADE REGULATORY READINESS considered online transactions for many countries. (continued on next page) 51 52 (continued) # Regulatory Solution Reason What is Captured Usually Found in Correct Example Incorrect Example “Sec. 3. Scope and Coverage. “Article 3 (Definitions and scope): – This Act shall apply to 1. Consumer is any natural or all business-to-business legal person to whom goods and A Global Database and business-to-consumer services are supplied or any rights internet transactions transferred and who use them within the mandate of the as the final recipient, by whom Department of Trade and carries out an economic activity Industry (DTI), where one (1) aimed at obtaining profits. of the parties is situated in 2. Supplier is any natural or the Philippines or where the legal person. 
public or private, digital platform, e-retailer, or national or foreign, as well as DIGITAL TRADE REGULATORY READINESS online merchant is availing depersonalized entities that of the Philippine market carry out activities of production, and has minimum contacts assembly, creation, construction, therein: Provided, That transport, import, export, online media content, and distribution or commercialization consumer-to-consumer of goods or provision of (C2C) transactions shall not services…. be covered under this Act.” 4. Service is any activity provided • Philippines Internet in the consumer market, for Transactions Act Sec. 3 remuneration, including those of a banking, financial, credit The scope of the law explicitly and insurance nature, except states that the regulation those arising from employment covers electronic transactions relationships.” to consumers. • Angola Consumer Protection Law Art. 3 Nowhere in the scope of the law or in other provisions does the law specifically address online protections via electronic goods/ services, internet-based goods/ services, remote goods/services, or distance contracts. After reviewing the scope and the rest of the text, the question cannot be answered with the laws at hand. 15. Online information Informed decision- Multiple choices • Consumer Protection See examples for specific See examples for specific disclosure making relies on possible. Law questions below. questions below. requirements prior knowledge about the With every question, • Electronic to conclusion of the merchant, about the ensure first that the Commerce Law contract. product or service, requirement occurs (continued on next page) and about the parties’ prior to the conclusion rights after purchase.15 of the contract. (continued) # Regulatory Solution Reason What is Captured Usually Found in Correct Example Incorrect Example 15a. Online information Having an offline Explicitly find the • Consumer Protection “Article 16. Requirements for “31. 
Disclosure of information on disclosure means to contact an requirement for an Law offer in electronic commerce. internet agreement – (1) requirements prior online business can address. • Electronic The offer in electronic Before a consumer enters into an to conclusion of the give customers the Note that laws Commerce Law commerce must contain: internet agreement, the supplier contract: stability and trust to commonly create full name of the electronic shall disclose the prescribed Full business move forward with the different rules for commerce participant information to the consumer.” address of merchant transaction.16 off-premises versus making the offer….” • Kenya Consumer Protection distance contracts. Uzbekistan Law on Electronic Law Art. 31 When reading the law, Commerce Art. 16 The information provided is not ensure the correct The provision applies to the sufficient or specific enough to provision has been question because an offer answer the question. chosen. comes before the conclusion of the contract. 15b. Online information Informed decision- This question may • Consumer Protection “Sec. 21. Obligations of “31. Disclosure of information on disclosure making must balance be answered with a Law E-marketplaces. – Except internet agreement – (1) requirements prior the need to provide main description of • Electronic as otherwise provided in Before a consumer enters into an to conclusion of the sufficient information the product or service. Commerce Law this Act, e-marketplaces internet agreement, the supplier contract: to the consumer Countries generally shall: … (g) Require all online shall disclose the prescribed Full description to make a decision do not require a full merchants to clearly indicate information to the consumer.” of the product or on the product or description. the following in their product • Kenya Consumer Protection service service while not Note that laws offers online, regardless of Law Art. 
31 overwhelming the commonly create the nature of the goods and The information provided is not consumer so as to different rules for services: sufficient or specific enough to decrease the rate of off-premises versus (3) Description;” answer the question. understanding that distance contracts. • Philippines Internet can occur when too When reading the law, Transactions Act Sec. much information ensure the correct 21(g)(3) is presented. This provision has been The provision requires makes regulated chosen. e-marketplaces to ensure descriptions important that merchants provide a for consumer trust.17 description of the goods/ services. This description is sufficient to answer the question because any requirement of the description of the goods/services is sufficient. (continued on next page) A Global Database DIGITAL TRADE REGULATORY READINESS 53 54 (continued) # Regulatory Solution Reason What is Captured Usually Found in Correct Example Incorrect Example 15c. Online information Quick and accessibly Any provision that • Consumer Protection “Sec. 21. Obligations of “31. Disclosure of information on disclosure easy information on supplies information Law E-marketplaces. – Except internet agreement – (1) requirements prior costs and delivery on the price or delivery • Electronic as otherwise provided in Before a consumer enters into an A Global Database to conclusion of the leads to better times is acceptable. Commerce Law this Act, e-marketplaces internet agreement, the supplier contract: decision-making The information about shall: … (g) Require all online shall disclose the prescribed Information about by the consumers payment or delivery merchants to clearly indicate information to the consumer.” delivery and/or and less cost for the methods is also the following in their product • Kenya Consumer Protection payment sellers.18 acceptable, if needed. offers online, regardless of Law Art. 
31 Note that laws the nature of the goods and The information provided is not commonly create services: sufficient or specific enough to different rules for (2) Price;” DIGITAL TRADE REGULATORY READINESS answer the question. off-premises versus • Philippines Internet distance contracts. Transactions Act Sec. When reading the law, 21(g)(2) ensure the correct The provision requires provision has been information about the price of chosen. the goods/services. As either price or delivery information must be offered, the provision sufficiently answers the question at hand. 15d. Online information Giving consumers This may be provided • Consumer Protection “(2) A mail order distributor “The e-supplier must present the disclosure access to merchants by a requirement in Law shall indicate, advertise, or electronic commercial offer . . . requirements prior to gain options for the offer stage. • Electronic notify the following … [to] include, but not be limited to conclusion of the redress or to address Next, the information Commerce Law 8. Matters concerning to, the following information: . . . contract: issues is useful for about complaint compensation for damage, the conditions for terminating the -Information about establishing a stronger handling does not settlement of complaints contract, if applicable.” complaint handling client base and trust need to be a detailed against the goods, etc., • Algeria E-Commerce Law Art. for new customers.19 description, but it and resolution of disputes 11 must be more than between consumers and The provision does not require the conditions for business operators; …” enough information to include terminating the • Republic of Korea Act on various types of complaint contract. The purpose Consumer Protection in handling. of the question is to Electronic Commerce Art. 
discover if supports 13(2)(8) for the consumer exist The provision here applies at the very beginning, to the question because leading to a larger it specifies various types sentiment than only of complaint-handling termination. mechanisms, and all of which are mandatory to discuss. (continued on next page) (continued) # Regulatory Solution Reason What is Captured Usually Found in Correct Example Incorrect Example 16. Explicit Businesses should This question seeks • Consumer Protection “The order of a product “The seller in e-commerce, acknowledgement of ensure that the point to know if the country Law or service goes through before concluding a contract of obligation to pay for at which consumers requires a final and— • Electronic three mandatory steps: . . . sale, is obliged to provide the online transaction are asked to confirm somewhat—actionable Commerce Law verification of the details of consumer with information on the a transaction, after agreement to the the order by the e-consumer, procedure for paying for goods which time payment payment. The purpose in particular the products or and on their cost.” is due or they are behind this question services ordered, their total • Kazakstan Law on Protection of otherwise is to know the level and unit price, the quantities Consumer Rights Art. 24(12) contractually of safety over the ordered with a view to The provision can be interpreted bound, is clear and consumer’s purchase. modifying the order . . .” as merely giving the price of unambiguous, as Thus, this question • Algeria E-Commerce Law the goods in an advertisement. should the steps should be answered Art. 12 Further, there is no indication that needed to complete when the law requires The provision works the consumer must actionably the transaction, the consumer to see because, although the word agree to the price. 
especially for the final price just “acknowledgement” is new payment before paying, or some not specifically stated, the mechanisms.20 action that ensures consumer must actively agree understanding by the to the terms just before the consumer at the end of conclusion of the contract. the transaction. 17. Requirement to Businesses should Because the purpose/ • Consumer Protection “With respect to distance “Article 78 Reliable information provide online enable consumers justification of this Law contracts, the information in purchase transactions by transaction to retain a complete, question, there are two • Electronic provided for in Article 57, electronic means: When the information in accurate and ways to answer the Commerce Law paragraph (1) of this Act shall transactions are by electronic a format that is durable record of question: the language be appropriate to the means means, prior to the conclusion appropriate to the the transaction, in a almost precisely of distance communication of the transaction, the provider means of distance format compatible matches the language used, and given in plain and must provide the consumer with communication used with the device or of the question, or intelligible language and true and updated information platform that the the provision creates if provided on a durable about their physical address, consumers used a truly durable, medium, it shall be legible.” telephone numbers, electronic to complete the complete, and • Croatia Consumer address, and other means to transaction.21 accurate means to Protection Act Art. 66(1) which the consumer can go to provide the data in present their claims or request This provision is an example the exact way the clarifications. The information of a perfect match to the transaction occurred. about the goods and services question. 
Note that for the offered by suppliers via the latter, the law must be Internet or other electronic written so as to ensure means must be clear, complete that the transaction and accurate for potential can only occur in the consumers or users. Likewise, same way that the misleading commercial practices information is given, regarding the characteristics of meaning that this type the products that may lead to of answer should be fraud or confusion for consumers A Global Database DIGITAL TRADE REGULATORY READINESS exceedingly rare. or users are prohibited.” (continued on next page) 55 56 (continued) # Regulatory Solution Reason What is Captured Usually Found in Correct Example Incorrect Example In addition, because “Art. 1 – In consumer • Nicaragua Consumer the question seeks relations carried out by Protection Law Art. 78 to understand if electronic commerce through A Global Database The provision is discussing the protections exist that the INTERNET… information that must be given require a durable Art. 3 – In addition to the prior to the contract. Because record, the provision information mentioned in the the provision does not address must discuss such previous article, the provider the conclusion of the contract a record after the must provide the consumer or a sustainable record of the transaction is on its INTERNET site, in a individual transaction, the concluded. clear, precise, and easily provision does not apply. accessible manner, at least DIGITAL TRADE REGULATORY READINESS the following information: (g) electronic copy of the contract.” • Argentina Resolution on the Consumer’s Right to Information in Commercial Transactions Carried Out over the Internet Art. 3(g) (referencing Art. 1) These provisions provide a good example of the inexact match. First, the resolution is entirely about electronic transactions over the internet. Second, the requirements mean that the supplier must keep the contract of the transaction on the same website the customer used. 
Thus, the law and articles read together can answer this question. 18. Existence of the Online customers The right to withdraw • Consumer Protection “In the sale and in any type “Article 41 An electronic offer right of withdrawal are unable to inspect must be stated to be a Law of contracting of goods and/ cannot be withdrawn again if a product before right of the consumer. • Electronic or provision of services that the offer has been electronically purchasing; the The right to withdraw Commerce Law are offered or performed accepted by another party, unless right of withdrawal can be stated in outside the supplier’s the cancellation of the electronic allows them to return relation to online establishment and those offer is also agreed upon by the the product within business contracts or for which means are used, party receiving the offer.” a certain period all contracts, which such as: … any means of data of time, escaping would logically include messages, internet, … the the contractual online contracts. obligation with no repercussions.22 (continued on next page) (continued) # Regulatory Solution Reason What is Captured Usually Found in Correct Example Incorrect Example Further, the right provider is obliged … to: • Indonesia Regulation to withdraw can (g) Provide and allow the Concerning Trade Through be counted in the consumer a trial period seven Electronic Systems Art. 41 right to terminate a (7) business days minimum, The provision specifically contract—so long as prior to the return of the states that the offer may not be the right to terminate good or the suspension of the withdrawn upon acceptance. As does not preclude service provision contract.” the purpose of the question is to online contracts. • Dominican Republic understand whether customers This rule is needed General Consumer have the right to see the good/ because laws around Protection Law Art. 
62(g) service in person and decide the world use the This provision applies to against it, the question cannot terms “termination,” the question because the be answered with the provision. “cancellation,” obligation to create a right Further, the right to withdraw and “withdraw” of withdraw is written within cannot hinge upon another interchangeably. In the distance contract rules. agreement, as the right must be a addition, translation Note that usually a possible standalone right by the customer tools may not reliably right of withdraw exists in to unilaterally withdraw. capture the nuanced these pre-contractual rules, distinctions among the not a definitive one like in the three terms. Dominican Republic. 19. No need to provide Absence of reason is The right to withdraw • Consumer Protection “30.-(1) Without prejudice “In the event of non-compliance a reason for essential for the right without reason may be Law to any other law, a consumer by the e-supplier…, the withdrawal of withdrawal to be explicitly stated or not • Electronic may, within seven days or e-consumer may request the effective.23 stated at all, so long Commerce Law longer period specified in the cancellation of the contract and as there is an explicit agreement, after receiving request compensation of the right to withdraw, the goods or conclusion damage suffered.” cancel, revoke, or of the agreement and the • Algeria E-Commerce Law Art. terminate. The reason consumer has not received 14 for the ability to count any material benefit from The provision cannot work this question with the the transaction, cancel because the cancellation is absence of the law is the agreement for supply dependent on non-compliance. to see when countries of goods or provision of explicitly regulate the services. (2) Where a reasons for withdraw. consumer has cancelled the agreement under subsection (1), he shall pay direct cost of returning the goods. 
… (5) This section shall not apply to electronic transactions – (a) for financial services; (continued on next page) A Global Database DIGITAL TRADE REGULATORY READINESS 57 (continued) 58 # Regulatory Solution Reason What is Captured Usually Found in Correct Example Incorrect Example This question may also (b) by way of an auction; (c) be answered “yes” for the supply of foodstuffs, when the loss of the beverages or other A Global Database right to withdraw is goods intended for daily stated, and this is consumption; …” usually for actions • Tanzania Electronic post-delivery. This is Transactions Act Art. 30 because a subsequent The provision does not state loss of rights does not that the consumer must strip the rights from provide reasoning or need to originally existing. DIGITAL TRADE REGULATORY READINESS meet certain requirements to However, if there is a cancel; rather, the provision reason to withdraw, gives a list of exclusions. like non-compliance, then the question must be answered “no”. 20. Rules against dark Dark patterns include Currently, the • Children’s Personal “Online interface design and N/A patterns encompass aspects regulation of dark Protection Acts organisation of design such as patterns is so new that 1. Providers of online the placement and the term dark patterns platforms shall not design, color of interfaces, is required. 
Reason (continued): how text is worded, and more direct interventions such as putting pressure on users by stating that the product or service they are looking is about to be sold out.24 Dark patterns are considered ethically problematic, because they mislead users into making choices that are not in their interest and deprive them of their agency.25
What is Captured (continued): Otherwise, too many provisions regarding misrepresentation could be counted towards the question, throwing off the results by not gathering data on the intended purpose of the question.
Correct Example (continued):
organise or operate their online interfaces in a way that deceives or manipulates the recipients of their service or in a way that otherwise materially distorts or impairs the ability of the recipients of their service to make free and informed decisions.”
[read with]
“(67) Dark patterns on online interfaces of online platforms are practices that materially distort or impair, either on purpose or in effect, the ability of recipients of the service to make autonomous and informed choices or decisions….”
• EU Digital Services Act Art. 25 (read with recital para. 67)
The provision bans designs that distort or impair services. As the recital paragraph uses the same language to show the purpose of the regulations and references these practices as dark patterns, the provision applies.

21.
Regulatory Solution: Sending unsolicited electronic commercial communications is prohibited, subject to conditions (SPAM)
Reason: Spam, which began as messages advertising commercial products or services, grew exponentially. Simple advertising messages have evolved into messages that are potentially dangerous, as opposed to merely annoying. Spam messages nowadays have a deceptive nature, may cause network disruptions, and are used as a vehicle for spreading viruses, thus undermining consumer confidence, which is a prerequisite for the information society and for the success of e-commerce.26
What is Captured: This question may be answered “yes” when the law states that a prohibition exists or that the communication is only permitted under a certain circumstance. This is because, logically, the prohibition exists except for that certain instance.
Usually Found in: • Electronic Transactions Law • Advertising Law • Electronic Communications Law • Personal Data Protection Law • Terms: unsolicited, unauthorized, spam
Correct Example:
“1. Unsolicited commercial communications via email or sms are permitted only with the prior approval of their recipient.”
• Albania Law on Electronic Commerce Art. 9(1)
The provision here answers the question because a prohibition occurs whenever the prior approval has not been given.
“Article 28 B. – All communication promotional or advertising message sent by email must indicate the subject or topic it deals with, the identity of the sender and contain a valid address to which the recipient can request the suspension of shipments…”
• Chile Decree 3 of 2021 Art. 28B
The provision does not directly state that spam messages are prohibited; rather, the logic behind the provision is that spam messages that do not meet its requirements are not permitted.
Incorrect Example:
“Article 8 – Data processing for direct marketing purposes
1. Data obtained from publicly available sources may be processed for direct marketing purposes.
2. Regardless of the purpose of data collection, the following data may be processed for direct marketing purposes: name (names), address, telephone number, e-mail address, fax number.
3. Any data may be processed for direct marketing purposes on the basis of a written consent given by a data subject as determined by this Law.
4. A data subject shall have the right to require at any time that a data controller stop to use of his/her data for direct marketing purposes.
5. A data controller shall be obliged to stop data processing for direct marketing purposes and/or ensure that a data processor stop data processing for direct marketing purposes not later than 10 working days after the request of a data subject is received.
6. When data are processed for direct marketing purposes a data controller shall be obliged to notify a data subject of the right under paragraph 4 of this article and to ensure the possibility to stop data processing for direct marketing purposes in the same form as the direct marketing is conducted, and/or to determine the available and adequate means to require discontinuation of data processing for direct marketing purposes.”
• Georgia Law on Personal Data Protection Art. 8
The provision applies to the processing of personal data in relation to direct marketing. In fact, it does not explicitly state that commercial communications from the processing are regulated here. While small—and perhaps the law is regardless applied to these situations, as the provision does not explicitly extend the scope beyond processing, the provision cannot be read into further. Thus, the provision cannot apply.

22.
Regulatory Solution: Legal basis for sending unsolicited electronic commercial communications
Reason: Spam has a negative impact on the digital economy, and results in important economic and social costs.27
What is Captured: Multiple choices possible. Ensure that the unwanted contact occurs for marketing purposes.
Usually Found in: • Consumer Protection Law • Advertising Law • Electronic Communications Law • Personal Data Protection Law
Correct Example: See examples for specific questions below.
Incorrect Example: See examples for specific questions below.

22a.
Regulatory Solution: Legal basis for sending unsolicited electronic commercial communications: - Express consent
Reason: Unless threats posed by unsolicited, unwanted, and harmful electronic messages are curtailed, they could erode users’ trust and confidence.28
What is Captured: Consent may be found in provisions where (i) consent is required for every commercial communication, or (ii) consent is one of multiple ways to communicate.
Usually Found in: • Consumer Protection Law • Advertising Law • Electronic Communications Law • Personal Data Protection Law
Correct Example:
“Article 13 Unsolicited communications: 1. The use of automated calling systems without human intervention (automatic calling machines), facsimile machines (fax) or electronic mail for the purposes of direct marketing may only be allowed in respect of subscribers who have given their prior consent.”
• EU Directive on Privacy and Electronic Communications Art. 13(1)
The provision requires consent to send unsolicited communications. Thus, the provision applies.
Incorrect Example:
“The right of citizens to be protected against abuses and violations of their rights is recognized through the Internet and other electronic means, namely: (a) right to secrecy of communications; (b) right to privacy of your personal information, including the right of access, consultation and rectification thereof and the right to have that information used in strict compliance with constitutional principles and applicable legal rules; (c) right to the security of your information, by improving the quality, credibility and integrity of the systems of information; (d) right to internet security of minors; (e) right not to receive unsolicited electronic messages; (f) right to the protection and safeguard of their rights as consumers, namely, in the acquisition of goods and services through the Internet and in terms of advertising; (g) right to protect and safeguard their rights as users of electronic communications networks or services.”
• Angola Electronic Communications Law Art. 15(e)
The provision merely creates the right to not receive unsolicited messages, and it does not create any further ways around the ban like consent. Thus, the provision does not apply.

22b.
Regulatory Solution: Legal basis for sending unsolicited electronic commercial communications: - Existing relationship
Reason: The rationale for the existing relationship exception is that the consumer has already indicated interest both in this type of transaction and in this sender; thus, consent to receive additional and similar communications is implied.29
What is Captured: This question seeks to understand the higher levels of requirements placed upon the legal basis for spam. Thus, this question should *not* be answered “yes” if the prior existing relationship is purely built on consent.
Usually Found in: • Consumer Protection Law • Advertising Law • Electronic Communications Law • Personal Data Protection Law
Correct Example:
“(3) Unsolicited Commercial Communications. — The transmission of commercial electronic communication with the use of computer system which seek to advertise, sell, or offer for sale products and services are prohibited unless: … (ii) The primary intent of the communication is for service and/or administrative announcements from the sender to its existing users, subscribers or customers; …”
• Philippines Cybercrime Prevention Act Sec. 4(c)(3)
The provision specifically states that unsolicited communications can occur when a relationship with the consumer and advertiser currently exist.
Incorrect Example:
“Article 86. Obligation not to use user information without authorization. If the service recipient should provide their email address during the ordering process, hiring or subscription to a service and the provider intends to use it later for sending commercial communications, it must inform the client of its intention and request your consent to receive such communications, before complete the recruitment process…”
• Panama Law 51 of 2008 Art. 86
The provision appears initially to apply to an existing relationship, but upon further reading, the intention is actually about consent. Really, the provision states that if attempting to create a commercial relationship, then the service must gain consent to create such a relationship for commercial communications. Thus, the provision does not apply.

23.
Regulatory Solution: Consumers may opt out of receiving unsolicited electronic commercial communications
Reason: Businesses should develop and implement effective and easy-to-use procedures that allow consumers to choose whether or not they wish to receive unsolicited commercial messages, whether by e-mail or other electronic means.30
What is Captured: This question may be answered when the provision specifically discusses unsolicited commercial communications, when the provision only discusses electronic communications, and when the provision discusses types of electronic communications. The reason for a wider range on this question than others is to find out if the law prescribes ways for the consumer to terminate advertisements being sent to their phone.
Usually Found in: • Consumer Protection Law • Advertising Law • Electronic Communications Law • Personal Data Protection Law
Correct Example:
“Article 55 – Suppliers shall provide the customers with the required arrangements that would enable them to choose whether to receive the advertisements at their mailing or e-mail address.”
• Iran E-Commerce Law Art. 55
The provision sufficiently answers whether a consumer may opt-out of any electronic advertisements, including unsolicited advertisements.
Incorrect Example:
“(2) Natural and legal persons may use the electronic contact data for e-mail obtained from consumers of their products and services, for direct marketing and sales only of their similar products and services, provided they have given to those consumers a clear and unambiguous option to object in a simple manner and free of charge to such use of the electronic contact data when said data are being obtained and when each message is received, in case the consumer have not refused in advance the use of its electronic contact data. (3) Unsolicited communications for the purpose of direct marketing, differing from those stated in paragraphs (1) and (2) of this Article (for instance voice telephone calls), shall be permitted only when the subscribers or users have provided consent thereof, and shall be free of charge.”
• North Macedonia Law on Electronic Communications Art. 174(2)
The provision here creates a right to opt-out for existing relationships only. This creates a narrow opt-out law that is too narrow for the question at hand. The fact that the opt-out only applies in the certain instance can be further seen via the other sub-articles, like Art. 174(3).

24.
Regulatory Solution: Visible and functioning opt-out process required for unsolicited electronic commercial communications
Reason: When consumers have, at any time, indicated that they do not wish to receive such messages, that preference should be respected, as doing so reinforces trust and supports a predictable, consumer-centric regulatory environment.
What is Captured: The purpose of this question is to understand if the law specifically regulates measures that make unsubscribing to advertising content easy. Look for provisions that give enough specification for the process to be apparent and useful to terminate the direct marketing. Ensure the answer provided has language covering both “visible” processes and “functioning” processes.
Usually Found in: • Consumer Protection Law • Advertising Law • Electronic Communications Law • Personal Data Protection Law
Correct Example:
“…The recipient may revoke, at any time, the consent given for the reception of commercial communications with the simple notification of your will to the sender. To this end, service providers must enable simple and free procedures so that the recipients of services can revoke the consent they have given. Likewise, they must provide accessible information on the Internet about said procedures.”
• Panama Law 51 of 2008 Art. 86
Incorrect Example:
“6. When processing data for direct marketing purposes, the data processor is obliged to notify the data subject of the right provided for in paragraph 4 of this article and to ensure that the data subject has the opportunity to request the termination of data processing for direct marketing purposes in the same form in which direct marketing is carried out, and/or to determine an accessible and adequate means to request the termination of data processing for direct marketing purposes.”
• Georgia Data Protection Law Art. 8(6)
Correct Example (continued):
The provision applies because the language of the text states simple and free procedures that are accessible, which is equivalent to a visible opt-out system. Further the beginning of the paragraph states that the recipient may revoke consent whenever, which is equivalent to requiring a functional system. Thus, the provision applies.
Incorrect Example (continued):
The law does not specify that the processor must make the “unsubscribe button” particularly visible. Because the feature must merely be accessible and the feature does not need to be in the same form as the marketing, the provision does not meet the standards sought here.

25.
Regulatory Solution: Sender must honor opt-out requests within a specific period of time
Reason: Having a specific timeline for the opt-out procedures creates a more reliable process.31
What is Captured: The provision must either give a numerical amount of days that the operator must comply to the request to opt-out, or the provision must state that the opt-out service will be complied with immediately. Both are sufficient to give a “specific period of time.” Note that the provision requiring compliance within a “reasonable period of time” is not sufficiently specific to answer the question.
Usually Found in: • Consumer Protection Law • Advertising Law • Electronic Communications Law • Personal Data Protection Law
Correct Example:
“5. The data processor is obliged to stop the processing of data for direct marketing purposes and/or ensure the termination of data processing for direct marketing purposes by an authorized person no later than 10 working days after receiving the data subject’s request.”
• Georgia Personal Data Protection Law Art. 8(5)
The law gives a specific timeline sufficient to answer the question.
Incorrect Example:
“Article 39: Any person may notify a service provider directly determined, without charge or indication of reasons, his desire to no longer receive advertisements from him by means of automated calling machines, fax machines or electronic mail.
To this end, the service provider:
• delivers, within a reasonable time and by an appropriate means, an acknowledgment of receipt confirming to this person the registration of their request;
• takes, within a reasonable time, all necessary measures to respect the wishes of this person;
• maintains lists of people who have notified their desire to no longer receive advertisements from us by email.”
• Congo Rep. Electronic Transactions Law Art. 39
“Within a reasonable time” is not a sufficiently precise time period to apply to the question. The reason is that reasonability can vary greatly, which defeats the purpose of the question—to discover if a specific enough cut-off time exists to create a greater sense of trust in the system. Thus, the provision does not apply to the question as it is too vague.

26.
Regulatory Solution: Consumer’s right to a refund in case of goods of improper quality
Reason: Merchants must provide redress for harm suffered as a consequence of a product that is defective, damaged, does not meet the advertised quality criteria, or if there were delivery problems.32
What is Captured: Provisions giving the right to a refund must be linked to inadequate quality or dissatisfaction. Further, ensure that the provision applies to a full refund, not a partial. In addition, the right to refund must be able to be a standalone right. A provision will not apply when the right exists only after other options are exhausted, like the right of repair, but it can be a right that the courts grant.
Usually Found in: • Consumer Protection Law
Correct Example:
“14. To return goods: (1) If anyone wishes to return, being dissatisfied with, any goods purchased from the seller, he or she may return it to the seller within seven days or take other similar goods equal to that price or the payment of the amount which was paid while purchasing such goods.”
• Nepal Consumer Protection Act Art. 14(1)
The provision answers the question by allowing a consumer to return the goods for a full refund when unsatisfied with the goods.
Incorrect Example:
“47. (1) The supplier offering goods or services for sale, hire or exchange in an electronic transaction shall make available to the consumer on the electronic platform where the goods or services are offered the following information related to the supplier: … (m) the return, exchange and refund policy;…”
• Ghana Electronic Transactions Act Art. 47(m)
Beyond not having any specification about the right coming from the consumer and the defected goods/services, the provision does not state whether the refund policy is mandatory. Thus, for all these reasons, the example cannot apply.
“Article 45 Goods with defects: Goods with a current guarantee that do not work properly for reasons attributable to the supplier or due to a product defect, must be repaired. If this is not possible, the supplier will proceed to replace the good with another of the same characteristics or return the sums paid.”
• Nicaragua Consumer Protection Law Art. 45
The right to refund must stand alone, which it does not here.

27.
Regulatory Solution: Alternatives for redress in case of improper quality, such as repair, replacement, or partial refund
Reason: Having variations in redress that are not solely monetary ways to redress improper goods/services is important for addressing the harm suffered.33
What is Captured: Provisions giving the right to a refund must be linked to inadequate quality or dissatisfaction.
Usually Found in: • Consumer Protection Law
Correct Example:
“Article 21. Consumer rights in the case non-conformity of the service provided (2) The provider ensures all the operations and bears all the expenses necessary to remedy the deficiencies found in the services provided, to replace the products used in the respective services, including their transport, handling, diagnosis, expertise, disassembly, assembly and packaging, or to refund the value of the inadequate services within the warranty period.”
• Moldova Consumer Protection Law Art. 21(2)
The provision applies to goods/services of improper quality because the title of the provision states that it applies to “non-conformity.” Further, at least one of the alternatives for redress is listed.
Incorrect Example:
“Article 26 Replacement and return of the product of appropriate quality (1) The consumer has the right to ask the seller in the trade unit where it was purchased, within 14 days, to replace a non-food product of appropriate quality with a product similar to the one purchased if this product does not suit him in terms of shape, dimensions, model, size, color or if he cannot use it as intended for other reasons, with the performance, in the case of the price difference, of the corresponding recalculation.”
• Moldova Consumer Protection Law Art. 26
The provision specifically is titled as pertaining to products of “appropriate quality.” This means that the right to redress improper goods/services would not apply.

28.
Regulatory Solution: Penalties for noncompliance with online consumer protection provisions
Reason: The imposition of a financial penalty, determined by reference to the nature of the contravention and the trader’s circumstances, is likely to be cost-effective in inducing compliance in many cases.34
What is Captured: The provision cannot merely state that laws of the republic will create liability. The law must indicate the penalties or directly link to a law that indicates the penalties. This is because the purpose of the question is to discover if trust-building measures exist in the law, and measures that do not give sufficient information on what the penalties could entail will not build sufficient trust in the system. Further, the provision does not answer the question when penalties occur only after the non-complying seller has not responded to a complaint, because the purpose of the question is to understand if there are direct incentives to follow the law.
Usually Found in: • Consumer Protection Law
Correct Example:
“51 (1) If, after hearing the application, the court is satisfied that one or more persons have contravened any of the provisions referred to in the application …, the court may order the person or persons, as the case may be, to pay the applicant… (b) a maximum of (i) in the case of a contravention of section 6, $200 for each contravention of that provision, not exceeding $1,000,000 for each day on which a contravention occurred,…”
• Canada Canadian Radio-television and Telecommunications Commission Act, the Competition Act, the Personal Information Protection and Electronic Documents Act and the Telecommunications Act Art. 51(1)(b)(i)
The provision references the anti-spam provisions. As these provisions are considered an online consumer protection provision, the provision stated can apply. Further, the provision explicitly states numerically what penalties occur. Thus, the provision applies.
Incorrect Example:
“If the seller (producer, executor) did not give a respond to the complaint or refuses to remove violations and compensate of inflicted loss (harm) in a voluntary manner, the public association of consumers, associations (unions) shall have the right to go to court.”
• Kazakhstan Law on the Protection of Consumer Rights Art. 42
The provision is too vague to give penalties to the violators, but rather gives liability to their actions of non-compliance.

DATA PROTECTION

29.
Regulatory Solution: General personal data protection law explicitly addresses data protection by private entities
Reason: Certainty about online data use and handling increases trust in digital trade.35
What is Captured: This provision can be found in the scope of the law or another general-purpose provision that expresses governance of data protection by private entities.
Usually Found in: • Law on Personal Data Protection
Correct Example:
“The purpose of this law is to protect… the rights of individuals with regard to the processing of personal data, whatever the nature, method of execution or those responsible.”
• Burkina Faso Personal Data Protection Law Art. 1
The provision sufficiently states the scope of the law as applying to personal data protection and sufficiently creates a broad enough scope as to cover private entities. Thus, the provision applies.
Incorrect Example:
“Article 1 In order to protect the rights and interests of personal information, regulate personal information processing activities, and promote the rational use of personal information, this law is formulated in accordance with the Constitution.”
• China Personal Information Protection Law Art. 1
Although the provision discusses that the law applies to the data of personal information, the provision does not work because it does not specifically state that the law applies to private entities.

30.
Regulatory Solution: Special rules for the treatment of sensitive personal data during processing
Reason: Misuse or breach of sensitive information, such as political views or sexual orientation, usually leads to greater consequences for the data subject.36
What is Captured: This question can be answered whenever sensitive personal data is specifically mentioned, or the definition of certain types of data includes sensitive issues, like political views, sexual orientation, health information, etc.
Usually Found in: • Law on Personal Data Protection
Correct Example:
“Article 12. Specifics for the Processing of Personal Data for a Special Category: (1) The processing of personal data of a specific category without the consent of the person shall be prohibited unless the processing of the data is expressly provided for by law.”
• Armenia Personal Data Protection Law Art. 12(1)
The provision applies because the term “special category” is defined as that of specialitive information.
“Article 2 (Definitions) (3) ‘Sensitive personal information’ in this Act means personal information as to an identifiable person’s race, creed, social status, medical history, criminal record, the fact of having suffered damage by a crime, or other identifiers or their equivalent prescribed by Cabinet Order as those of requiring special care so as not to cause unjust discrimination, prejudice or other disadvantages to that person.”
• Japan Act on the Protection of Personal Information Art. 2(3)
The definition of the term is sufficient to answer the question presented. Thus, the provision applies.
Incorrect Example: N/A

31.
Regulatory Solution: Special rules for the treatment of biometric data
Reason: Some laws don’t include biometric data under the definition of sensitive data. The ability for companies to extract biometric information, such as face prints, without the user’s consent and sell it to third parties poses a risk to personal privacy.37
What is Captured: Any mention of biometric data in the definitions section or in other provisions is sufficient to answer the question at hand.
Usually Found in: • Law on Personal Data Protection
Correct Example:
“‘Special categories of data’ shall be understood to mean any personal data revealing… biometric data.”
• Bosnia and Herzegovina Personal Data Protection Law Art. 3(c)
The provision explicitly discusses biometric data and is, thus, sufficient to answer the question.
Incorrect Example: What do you think? N/A or does something fit?

32a-d.
Regulatory Solution: Legal basis for data collection and processing:
- The data subject’s consent;
- Performance of a contract to which the customer is party;
- Compliance with a legal obligation to which the controller is subject;
- Legitimate interests pursued by the controller or by a third party
Reason: Common principles for the processing of personal data include the need to have a legitimate reason for any processing activity, obtained either through consent or some other justification designed to acknowledge competing private and public interests.38
What is Captured: For these provisions, more likely than not, the provisions that apply will use explicit language that matches the question itself. Legitimate interests can be found when the term is explicitly stated and when laws reference serious public interests as a reason.
Usually Found in: • Law on Personal Data Protection
Correct Example:
“The personal information processor may collect personal information in any of the following cases, and use it within the scope of the collection purposes: 1. Where the consent is obtained from data subjects; 2. Where special provisions exist in laws or it is unavoidable so as to observe legal obligations… 4. Where it is unavoidably necessary so as to execute and perform a contract with data subjects… 6. Where it is necessary to attain the justifiable interest of personal information processor, which is explicitly superior to that of data subjects…”
• Korea, Rep. Personal Information Protection Act Art. 15

33.
Regulatory Solution: The data controller must only collect data for specified purposes
Reason: The categories of data chosen for processing must be necessary to achieve the declared overall aim of the processing operations, and a controller should strictly limit collection of data to such information as is directly relevant for the specific purpose pursued by the processing.39
What is Captured: The provision will likely use the same language as the question or similar language.
Usually Found in: • Law on Personal Data Protection
Correct Example:
“When personal data is collected, the owners must be informed in advance, expressly, precisely and unequivocally of the purpose for which they will be processed and who their recipients or class of recipients may be.”
• Uruguay Personal Data Protection Law Art. 13
The language of the text is sufficiently synonymous with “specified”, and thus applies.
Incorrect Example: N/A

34.
Regulatory Solution: Once data are collected, they must not be further processed in a way incompatible with those purposes
Reason: Data processing shall be proportionate in relation to the legitimate purpose pursued and reflect at all stages of the processing a fair balance between all interests concerned, whether public or private, and the rights and freedoms at stake.40
Usually Found in: • Law on Personal Data Protection
Correct Example:
“The data may not be used for purposes other than or incompatible with those that motivated its collection.”
• Uruguay Personal Data Protection Law Art. 8

35.
Regulatory Solution: The data controller must only process information that is necessary for the specified purpose
Usually Found in: • Law on Personal Data Protection
Correct Example:
The data must be deleted when they are no longer necessary or pertinent to the purposes for which they were collected.
• Uruguay Personal Data Protection Law Art. 8

36.
Regulatory Solution: Data subject’s right to electronic data access
Reason: Data subjects must have appropriate rights to access their personal data stored online.41
Usually Found in: • Law on Personal Data Protection
Correct Example:
The person who is the subject of a “data message” shall have access to those computer files containing his/her personal “data messages” and be able to remove or amend partial or incorrect “data messages.”
• Iran E-commerce Law Art. 59(d)

37.
Regulatory Solution: Data subject’s right to electronic data rectification
Usually Found in: • Law on Personal Data Protection

38a-c.
Regulatory Solution: Data subject may ask for their data to be erased if certain conditions are met, such as:
• The data is no longer needed for its original purpose
• There is no other legal ground to keep processing it
• it was being used in a way that was against the law in the first place
Reason: Providing data subjects with a right to have their own data erased is particularly important for the effective application of data protection principles. This right is not absolute; it needs to be balanced with other rights specifically the interest and right of the general public in having access to the information.42
What is Captured: Multiple choices possible.
Usually Found in: • Law on Personal Data Protection
Correct Example:
A data subject may request a data controller or data processor… to erase or destroy without undue delay personal data that the data controller or data processor is no longer authorised to retain, irrelevant, excessive or obtained unlawfully
• Kenya Data Protection Act Art. 40(b)

39.
Regulatory Solution: Data subject may withdraw consent under certain circumstances
Reason: The inclusion of specific provisions and recitals on the withdrawal of consent confirms that consent should be a reversible decision and that there remains a degree of control on the side of the data subject.43
Usually Found in: • Law on Personal Data Protection
Correct Example:
Consent to the processing of personal data can be revoked by the subject of personal data.
• Russia Personal Data Law Art. 9(2)

40.
Regulatory Solution: Data subject’s right to demand that their personal data be transmitted directly from one provider to another (personal data portability)
Reason: Data portability provides restricted access through which data holders can provide customer data in a commonly used, machine-readable structured format, either to the customer or to a third party chosen by the customer.44
Usually Found in: • Law on Personal Data Protection
Correct Example:
The data subject shall have the right to receive the personal data…in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller
• EU GDPR Art. 19

41.
Regulatory Solution: Rules for sharing personal data with third parties
Reason: Data sharing is the disclosure of data from one or more organizations to a third-party organization or organizations, or the sharing of data between different parts of an organization.45
Usually Found in: • Law on Personal Data Protection
Correct Example:
The display, publication, transmission, dissemination and/or access opening of Personal Data in an Electronic System may only be conducted: a. upon Approval unless otherwise determined by the provisions of laws and regulations; and b. after the accuracy and suitability for the purpose of acquisition and collection of the Personal Data are verified.
• Singapore MOCI Regulation 20/2016 Art. 21

42.
Regulatory Solution: A government agency with a legal mandate to oversee and enforce data protection
Reason: Strong support exists for establishing a single central regulator with a combination of oversight and complaints management functions and powers.46
Usually Found in: • Law on Personal Data Protection
Correct Example: For the purpose of supervising the lawfulness of the undertaken activities while processing and protecting personal data, a Directorate for personal data protection shall be established on the territory of the Republic of Macedonia as an individual and independent state body with the capacity of legal entity. – North Macedonia Personal Data Protection Law Art. 37

ARTIFICIAL INTELLIGENCE

43.
Regulatory Solution: Prohibition against AI systems creating discriminatory impacts or its use for the exploitation of vulnerable people.
Reason: Aside from the many beneficial uses of AI, AI systems can also be misused and provide novel and powerful tools for manipulative, exploitative and social control practices. Such practices are particularly harmful and abusive and may be prohibited in different countries because they contradict values of respect for human dignity, freedom, equality, and democracy.a
What is Captured: This question can be answered by provisions which prohibit automated decision-making processes on sensitive personal data such as racial profiling.
Usually Found in: • Data Protection Law • Specific law/regulation on artificial intelligence
Correct Example: “Article 39. It is prohibited to make a decision solely on the basis of automated processing by the competent authorities for special purposes, including profiling, if such a decision may have detrimental legal consequences for the data subject or significantly affect the position of that person, unless decisions based on the law and if that law prescribes appropriate measures to protect the rights and freedoms of the data subject, and at least the right to ensure the participation of a natural person under the control of the controller in making the decision.” • Serbia, Law on Personal Data Protection 2018, Article 39
“Article 80(10) The use of automatic license plate recognition systems and systems that process biometric personal data is prohibited in public areas.” • Slovenia, Command on the promulgation of the Personal Data Protection Act 2022, Section 80(10)
Incorrect Example: N/A

a Corrigendum to the Position of the European Parliament adopted at first reading on 13 March 2024 with a view to the adoption of Regulation (EU) 2024/ ...... of the European Parliament and of the Council laying down Harmonised rules on Artificial Intelligence, Recital 28, as available at: https://www.europarl.europa.eu/doceo/document/TA-9-2024-0138-FNL-COR01_EN.pdf.

44.
Regulatory Solution: The law mandates transparency for certain high-risk AI systems by requiring the release of data or publication of independent audits of AI assessments.
Reason: Legislations may mandate AI systems to release audits and assessments to allow for appropriate traceability and explainability of the outcomes of AI systems. Such data may also increase users’ awareness, inform deployers of the capabilities and limitations of that AI system, and affected persons about their rights.
What is Captured: This question seeks any provision which mandates AI systems to publicly release data or publish independent audits.
Usually Found in: • Data Protection Law • Specific law/regulation on artificial intelligence
Correct Example: “6. Requirements. The Assistant Deputy Minister responsible for the program using the automated decision system, or any other person named by the Deputy Head, is responsible for: 6.1 Algorithmic Impact Assessment 6.1.1 Completing and releasing the final results of an Algorithmic Impact Assessment prior to the production of any automated decision system. 6.1.2 Applying the relevant requirements prescribed in Appendix C as determined by the Algorithmic Impact Assessment. 6.1.3 Reviewing and updating the Algorithmic Impact Assessment on a scheduled basis, including when the functionality or scope of the automated decision system changes. 6.1.4 Releasing the final results of the Algorithmic Impact Assessment in an accessible format via Government of Canada websites and any other services designated by the Treasury Board of Canada Secretariat pursuant to the Directive on Open Government.” • Canada, Directive on Automated Decision-Making 2021, Regulation 6
Incorrect Example: N/A

45.
Regulatory Solution: Data subject must be informed of the existence of an automated-decision-making process
Reason: Automated decision-making processes, especially in contexts such as employment opportunities or credit scores, can significantly impact the rights of data subjects. Being informed of the existence of automated decision-making processes, may enable the data subject to oppose or inquire about the rationale behind the decision.
What is Captured: This question requires a provision which obligates the data processor to inform the data subject about the existence of automated decision-making processes.
Usually Found in: • Data Protection Law
Correct Example: “Article 13(2). In addition to the information referred to in paragraph 1, the controller shall, at the time when personal data are obtained, provide the data subject with the following further information necessary to ensure fair and transparent processing: … (f) the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.” • EU GDPR 2016, Article 13(2)(f)
Incorrect Example: N/A

46.
Regulatory Solution: Data subjects have the right, under certain circumstances, to have a person intervene in the decision-making process
Reason: Automated decision-making processes, especially in contexts such as employment opportunities or credit scores, can significantly impact the rights of data subjects. Providing data subjects the right to require human intervention, may help mitigate the adverse consequences of automated decision-making processes.
What is Captured: The question may be answered in two ways: (i) a provision which either prohibits automated decision-making where there is no human intervention; or (ii) it provides data subjects the right to require human intervention in the process
Usually Found in: • Data Protection Law
Correct Example: “Art. 22. Automated individual decision-making, including profiling. The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her. Paragraph 1 shall not apply if the decision: is necessary for entering into, or performance of, a contract between the data subject and a data controller; is authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests; or is based on the data subject’s explicit consent. In the cases referred to in points (a) and (c) of paragraph 2, the data controller shall implement suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision. Decisions referred to in paragraph 2 shall not be based on special categories of personal data referred to in Article 9(1), unless point (a) or (g) of Article 9(2) applies and suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests are in place.” • EU GDPR 2016, Article 22
Incorrect Example: N/A

CYBERSECURITY & CYBERCRIME

47.
Regulatory Solution: General requirement for data controllers and/or processors to implement measures to keep data secure
Reason: Whether physical, logical, or organizational, security measures should protect against deliberate acts of misuse, as well as the accidental loss or destruction of data. This can help companies take full advantage of the data collected without putting data subjects’ privacy at risk.47
Usually Found in: • Personal Data Protection Law • Cybersecurity Regulations • Law on Cybercrime
Correct Example: The bodies shall… take the appropriate measure to protect the personal data and information referred to in Article 32 against loss, damage, disclosure, replacement with incorrect data or information, or addition of untrue information thereto. • Kuwait Law on Electronic Transactions Art. 35

48.
Regulatory Solution: Data encryption required under certain circumstances
Reason: Encryption— the encoding of messages so that only intended recipients can access their contents—is a key tool for insuring data security. It is widely recognized as essential to the digital economy and to the protection of fundamental rights, including privacy and freedom of expression.48
Correct Example: During the processing of personal data, the developer shall use encryption measures – protection of information systems containing personal data from accidental loss, unlawful access to information systems, illegal use, recording, deletion, transformation, blocking, copying, distribution and sharing of personal data. – Armenia Personal Data Protection Law Art. 19

49.
Regulatory Solution: Requirement to designate a person responsible for overseeing compliance with the data protection law
Reason: The appointment of a Data Protection Officer (DPO) can facilitate compliance and further, become a competitive advantage for businesses.49
Correct Example: The personal information processor shall designate the privacy officer who comprehensively takes charge of the personal information processing • Korea Personal Information Protection Act Art. 31

50.
Regulatory Solution: Risk assessment procedures required
Reason: Risk assessment helps organizations classify processing activities by their risks to individuals, prioritize compliance, and implement appropriate mitigations. As a core element of accountability, a risk-based approach helps maximize the potential benefits of data use, while minimizing potential harm to individuals.50
Correct Example: If, given its nature, extent, circumstances or purpose, a particular type of personal data processing is likely to lead to a high risk of unauthorized interference with the rights and freedoms of data subjects, the Management Authority shall draw up an assessment of the personal data protection impact of such processing • Czech, Rep. Personal Data Processing Act Art. 37

51.
Regulatory Solution: Employee training and awareness program required
Reason: Cybersecurity training equips employees to protect both themselves and the company against cyber threats. It provides up-to-date knowledge on recognizing and responding to attacks, including social engineering. Well-trained employees are essential to safeguarding critical business assets and ensuring secure, seamless interactions with customers.51
Correct Example: Organizations shall implement policies and practices to give effect to the principles, including . . . training staff and communicating to staff information about the organization’s policies and practices • Canada Personal Information Protection and Electronic Documents Act Schedule 1 (4.1.4) (c)

52a-b.
Regulatory Solution: Controllers are required to report data breaches: -To authority -To data subject(s)
Reason: When notifying the supervisory authority, controllers can obtain advice on whether the affected individuals need to be informed. Communicating a breach to individuals allows the controller to provide information on the risks resulting from the breach and the steps the affected individuals can take to protect themselves from its potential consequences.52
What is Captured: Multiple choices possible.
Correct Example: The Controller shall inform the Individual and Competent Department of the occurrence of any breach of the precautions provided for in the preceding Article, and if such breach may cause serious damage to Personal Data or individual privacy. • Qatar Personal Data Protection Law Art. 14

53.
Regulatory Solution: Specific timelines for data breach notifications
Reason: A key element of any data security policy is being able, where possible, to prevent a breach and, where it nevertheless occurs, to react to it in a timely manner. Timely communication will help individuals to take steps to protect themselves from any negative consequences of the breach.53
Correct Example: The manager is obliged to inform about the breach … the Commissioner without undue delay, or, if possible, within 72 hours of finding out about the injury • Serbia Personal Data Protection Law Art. 52

54.
Regulatory Solution: Unauthorized access, alteration, interference, or misuse of systems or databases holding personal data is criminalized
Reason: Legal frameworks should establish clear and enforceable penalties—including criminal sanctions—for unauthorized access, use, or alteration of personal data by data controllers or third parties, to deter violations and support the identification and mitigation of cyberthreats.54
Correct Example: (1) Unlawful access to information kept in computer system, net, or machine bearers, along with a violation of the protection system is punishable by a fine of 200 to 400 times the minimum monthly wage or up to 2 years of restriction of liberty. (2) The same actions, if they caused changing, destroying, or blocking of information due to carelessness, as well as disabling computer equipment, or substantial damage are punishable by a fine of 300 to 500 times the minimum monthly wage or up to 2 years of correctional labor, or imprisonment for the same period of time. • Tajikistan Criminal Code Art. 298

55.
Regulatory Solution: A law, regulation, or policy provides for the creation of a cyber-security strategy
Reason: In a constantly changing cyber threat environment, countries need to have flexible and dynamic cybersecurity strategies to meet the new, global threats. A national cybersecurity strategy (NCSS) is a coordinated plan of action aimed at enhancing of a country’s critical infrastructures, digital services, and information systems. It is a high-level top-down approach to cybersecurity that establishes a range of national objectives and priorities that should be achieved in a specific timeframe.55
Usually Found in: • Cybersecurity Strategy
Correct Example: For the purpose of implementation and use in all spheres of social and economic and cultural life of society of modern information technologies, computer equipment and telecommunications, more complete satisfaction of the growing information needs of citizens, I … Approve the State strategy “Information and communication technologies for development of the Republic of Tajikistan” it (is applied). • Tajikistan Presidential Decree “About the state strategy “Information and communication technologies for development of the Republic of Tajikistan” Art.1

56.
Regulatory Solution: A law, regulation or policy provides for the creation of an institution to identify, investigate, and address cyber-security threats (CERTs)
Reason: The creation of clearly defined organizational structures—such as computer incident response teams for banking, telecommunications, and other critical service infrastructures, monitoring as well as cyber threat monitoring response centers—is fundamental to ensuring national cybersecurity.56
Usually Found in: • Cybersecurity Strategy • National CSERT website
Correct Example: According to Item 8.2 of the State strategy “It is information – communication technologies for development of the Republic of Tajikistan”… I decide: Form Council for information and communication technologies in case of the President of the Republic of Tajikistan in the enclosed structure on position. • Tajikistan Presidential Decree “About formation of Council for information and communication technologies in case of the President of the Republic of Tajikistan Art.1
Incorrect Example: N/A

CROSS BORDER

57.
Regulatory Solution: Explicit rules on cross-border general personal data transfers.
Reason: These rules increase transparency and require some security over personal data.57
What is Captured: This question seeks to identify whether the country has a provision or law that clearly regulates personal data transfers. This question cannot be answered “yes” unless the law or provision applies to personal data generally, not personal data in a specific act pertaining to a different area of law.
Usually Found in: • Personal Data Protection Act • Personal Information Protection Act • Electronic Transactions Act
Correct Example: “A transfer of personal data to a third country or an international organization may take place where the Commission has decided that the third country . . . ensures an adequate level of protection.” EU GDPR Art. 45(1)
• “General Data Protection Regulation” Any mention of rules over personal information will work, but try to choose the beginning of the law. The reference to an entire law pertaining to the question also is acceptable.
Incorrect Example: “4.1.3 An organization is responsible for personal information in its possession or custody, including information that has been transferred to a third party for processing. The organization shall use contractual or other means to provide a comparable level of protection while the information is being processed by a third party.” • Canada PIPEDA Sched. 1 Prin. 4.1.3 Here, there are only regulations governing 3rd party data transfers. While this incidentally impacts CBDTs, it does not explicitly regulate CBDTs. Thus, rules regarding 3rd parties do not apply to this question, even though other questions in the section may be answered by rules that govern 3rd party data transfers.
“During or after the service is provided, the service provider shall collect and process the data in accordance with the following conditions: 10) Notify the data owner in case the service provider intends to transfer his personal data out of Kuwait in accordance with the data classification policy issued by CITRA.” • Kuwait Data Protection Regulation Art. 6(1) This one rule does not give enough regulatory guidance to answer our question as it’s a small provision about processing—not CBDT—in general and the notification has no real bearing on the rights of the data subject.

58.
Regulatory Solution: Cross-border data protection depends on self-assessment and accountability measures by data controllers and processors without government requirements, even in the absence of explicit regulation.
Reason: Understanding the level of security over data subjects’ information is valuable to understanding the system the country has set up.
What is Captured: This question seeks to understand if the country does *not* regulate or limit cross-border data transfers (CBDT). By not regulating CBDT, the private parties conducting the deal must create their own privacy constraints. Even when regulated, the government has no say on what privacy restraints are decided between the parties. For example, this means that a country that *only* requires a binding corporate rule before a CBDT would qualify to answer “yes” to this question because the parties themselves decide the privacy protections. Another important note is that this question is not a default question “yes”. This question must look at the law in its entirety to determine if parties will always have the freedom to negotiate privacy protections. If there is absolutely no law or tie to answer this question, then this answer will be a “no”. An example of 62 being a “no” and 63 being a “yes” is that the law regulates third parties but does not specifically mention CBDT.
Usually Found in: • Data Protection Act
Correct Example: “(a)Declaration of unlawfulness; power to prohibit unfair practices; inapplicability to foreign trade (1) Unfair methods of competition in or affecting commerce, and unfair or deceptive acts or practices in or affecting commerce, are hereby declared unlawful.” US Federal Trade Commission Act Section 5 Although a long and convoluted explanation, the FTCA gives the FTC the power to ensure that companies uphold the international privacy agreements they contract to.
“4.1.3 An organization is responsible for personal information in its possession or custody, including information that has been transferred to a third party for processing. The organization shall use contractual or other means to provide a comparable level of protection while the information is being processed by a third party.” • Canada PIPEDA Sched. 1 Prin. 4.1.3 This provision places the burden on the domestic transferer to uphold whatever data principles it contracts. This provision meets the precise requirements that the question seeks to answer. Further, Principle 4 is titled “Accountability”, which should help inform the researcher that the law is applicable to the question when reading the Principle as a whole.
Incorrect Example: (1.) The personal data of Vietnamese citizens may be transferred abroad in case the Cross-border data transferrer has prepared a Dossier for assessment of the impact of cross-border transfer of personal data and conducted the procedures specified in clauses 3, 4 and 5 of this Article… (8.) The Ministry of Public Security shall decide to request the cross-border data transferrer to cease the cross-border transfer of personal data in cases where: …b) The cross-border data transferrer fails to comply with the provisions of Clauses 5 and 6 of this Article; c) The personal data of a Vietnamese citizen is disclosed or lost. • Viet Nam Protection of Personal Data Law Art. 25(1), (8) This incorrect answer is a good example of the law needing to be read as a whole for this answer. Here, the law does not specify the privacy requirements needed to transfer; rather, the law merely states that an impact assessment must be sent upon a transfer. However, the impact assessment can cause a revocation of the abilities to transfer at any time. Thus, the law heavily regulates CBDTs between the need for an impact assessment upon transfer and that the government can decree the protections insufficient. This means the answer must be “no”.

59.
Regulatory Solution: Adequacy Requirements Questions
What is Captured: Single choice only. These questions seek to understand what type of adequacy system the country subscribes to, if there is one. Please note, if 63 is a “yes”, then all “64” must be a “no”; and, if any in “64” is a “yes”, then the rest of “64” and “63” must be “no’s”.

59a.
Regulatory Solution: Who determines adequacy or its equivalent? Data controller on its own terms—with no specific guidance
What is Captured: An adequacy requirement exists in the law, but whether the foreign country’s adequacy is sufficient/in accordance with the domestic law is entirely determined by the private parties. There is *no* list that expresses what the private parties must evaluate before agreeing to a CBDT.
Incorrect Example: “10.—(1) For the purposes of section 26 of the Act, a transferring organisation must, before transferring an individual’s personal data to a country or territory outside Singapore ... take appropriate steps to ascertain whether, and to ensure that, the recipient of the personal data is bound by legally enforceable obligations ... to provide to the transferred personal data a standard of protection that is at least comparable to the protection under the Act.” Singapore Data Protection Regulations Art. 10(1) The provision uses the word “comparable” and not equivalent, which means that the data controller/processor has the full authority to make a judgement call. This places the example in an evaluation standard (the previous question) rather than an adequacy standard.

59b.
Regulatory Solution: Who determines adequacy or its equivalent? Data controller based on statutory requirements.
What is Captured: An adequacy requirement for the foreign country exists and there are *explicit*, mandatory safeguards the foreign country must meet before a domestic entity may agree to a CBDT with an entity residing in the foreign country. Usually, the domestic country will require the domestic entity to complete an evaluation of the foreign country’s laws/practices by using a list provided within the law. Thus, look for an adequacy requirement with a list.

59c.
Regulatory Solution: Who determines adequacy or its equivalent? Government agency.
What is Captured: An adequacy requirement exists for the foreign country to meet and the domestic country’s government will determine if adequacy in the foreign country is met. The domestic country will publish which countries are acceptable, allowing the domestic entity to trade with a foreign entity residing in the approved foreign country.

60.
Regulatory Solution: When adequacy or equivalent declaration is not found, alternative options for personal data transfers include (without additional government approval):
What is Captured: Multiple choices possible. This question seeks to understand what other options entities have to trade data when a foreign country has not met an adequacy standard. These questions may only be answered “yes” when the regulation states that the safeguard is sufficient in the absence of adequacy. The safeguard alone cannot answer the question.

60a.
Regulatory Solution: When adequacy or equivalent declaration is not found, alternative options for personal data transfers include (without additional government approval): Agreement between government, Data Protections Agencies (DPAs), or other governmental agencies.
What is Captured: Governments, data protection agencies, or other government agencies may create binding agreements between each other to trade data. These legal instruments allow for the appropriate safeguards necessary to navigate around the adequacy requirement. Please note, a direct agreement to erect and maintain safeguards between governments is not the same as the laws creating protections sufficient for adequacy, as adequacy is determined by the laws and practices legally mandated without an international agreement.
Correct Example: “2. International transfer of personal data with a state that does not have an adequate level of personal data protection may be done when: a) it is authorised by international acts ratified by the Republic of Albania and are directly applicable; ....” • Albania Law on Personal Data Protection Art. 8(2) The law is giving authority for international agreements to be sufficient to allow transfers, if the agreement stipulates to the transfers.
“1. A data controller shall not transfer personal data to a country outside the Federal Republic of Somalia or international organisation unless one of the following conditions is met: ...c) the recipient is subject to a law,...” • Somalia Data Protection Act Art. 30(1)(c) Some countries merely write “law” in the place where “international agreement” would normally be seen. Technically, this works because any citizen is beholden to a binding international agreement as a law.

60b.
Regulatory Solution: When adequacy or equivalent declaration is not found, alternative options for personal data transfers include (without additional government approval): Intra-group transfers based on binding corporate rules (reflecting mandatory requirements listed in data protection law).
What is Captured: Binding corporate rules (BCR) generally pertain to an enterprise that is spread between multiple countries. The rules permit data to transfer between the affiliates without needing an adequacy decision. Often, a BCR will be subject to a data protection authority’s approval. If the text says “BCR”, then the provision would answer this question. If the text does not but discusses a multinational company that needs its internal rules approved by the domestic data protection authority to transfer data, it is likely a BCR.
Correct Example: “(Transfer of data to countries that do not guarantee an adequate level of protection) (3) In the case of international data transfer between companies of the same business group, the guarantee of compliance with an adequate level of protection can be achieved through the adoption of uniform internal rules regarding privacy and data protection whose compliance is mandatory.” • Angola Personal Data Protection Law Art. 34(3) This provision applies because BCR require the same business or its legal group to have internal rules that bind the company/legal group to perform to the standards set forth.

60c.
Regulatory Solution: When adequacy or equivalent declaration is not found, alternative options for personal data transfers include (without additional government approval): Use of government approved contractual clauses between private parties (reflecting mandatory requirements listed in data protection law).
What is Captured: Approved contractual clauses, also called standard contractual clauses (SCCs), are boilerplate terms issued by a government for inclusion in cross-border data transfer (CBDT) agreements. They allow authorities to mandate specific safeguards without evaluating each agreement’s adequacy. If a law allows the government to draft clauses that must be included in such contracts, the provision likely qualifies.
Incorrect Example: “The international transfer of data to a country that does not guarantee an adequate level of protection is subject to authorization from the Data Protection Agency, which can only be granted in one of the following circumstances . . . (e)If the transfer of data is necessary for the performance of a contract between the data subject and the controller or for steps taken prior to the formation of the contract decided at the request of the data subject; (f)If the transfer of data is necessary for the performance or conclusion of a contract, in the interest of the data subject, between the controller and a third party;...” • Angola Personal Data Protection Law Art. 34(1)(e)-(f) Neither example works here because a simple contract does not meet the standards of an SCC that is a government-approved boiler plate addendum to private contracts.

60d.
Regulatory Solution: When adequacy or equivalent declaration is not found, alternative options for personal data transfers include (without additional government approval): Accountability requirement, where domestic controller is liable for data misuse.
What is Captured: Accountability in CBDT refers to holding the domestic entity liable for any wrongdoing concerning personal data misuse, even if the violation occurred abroad. This ensures that someone is held accountable for data protection. Because assigning liability to domestic actors for foreign actions is politically sensitive, provisions only meet this standard if they explicitly refer to “accountability” as a safeguard or clearly assign liability to the domestic controller.

60e.
Regulatory Solution: When adequacy or equivalent declaration is not found, alternative options for personal data transfers include (without additional government approval): Ad hoc approval by government agency.
What is Captured: This safeguard allows the government to authorize transfers without any adequacy reasoning. Look for terms like “ad hoc” or language granting the government discretion to approve countries without assessing their data protections standards.
Correct Example: “International transfer of data that need to be authorized (1.) In cases other than those provided for in Article 8 herein [conditions for transfer], the international transfer of personal data with a state that does not have an adequate level of data protection, shall be carried out upon an authorization from the Commissioner.” • Albania Law on Personal Data Protection Art. 9(1) This example works because the Commissioner is the head of a government agency that can approve transfers on a case-by-case basis.
Incorrect Example: “Notwithstanding Regulation 1 [requiring adequacy], a database owner may transfer data or enable the transfer of data from his database in Israel abroad, provided that one of the following conditions is met: (8) The data is transferred to a database in a country – (3) in relation to which the Registrar of Databases announced, in an announcement published in the Official Gazette (“Reshumot”), that it has an authority for the protection of privacy, after reaching an arrangement for cooperation with the said authority. • Israel Privacy Protection (Transfer of Data to Databases Abroad) Regulations Art. 2(8) (3) Although the provision gives authority to the government agency to permit transfers of data to an inadequate country, there is nothing stated that shows domestic companies can request approval whenever.

61.
Regulatory Solution: Personal data is explicitly allowed to transfer across border based on consent from the data subject:
What is Captured: Single choice only. This question seeks to know what level of protections are required to use consent as justification for data transfers.

61a.
Personal data is There are two ways “Article 39: When a personal explicitly allowed that consent pops up information processor provides to transfer across in CBDT: (a) alone as personal information outside the border based on an option to transfer, People’s Republic of China, it shall consent from the or (b) a way around inform the individual of the name data subject: adequacy. For both of or name of the overseas recipient, Data subject’s these, they lead to the contact information, processing approval alone is same conclusion: only purpose, processing method, sufficient. consent from the data types of personal information, subject is needed to and personal information to the transfer data abroad. overseas recipient. The methods Thus, we made the and procedures for exercising question separate the rights stipulated in this law from Q60 to cover [Art. 38: security assessment, both possibilities and certification, standard contract, or get any answer that other standard], and obtaining the allows for CBDT with individual’s individual consent.” consent. • China PIPL Art. 39 Importantly, no further The law here requires consent protections are offered to be given to transfer data to the data subject abroad, but consent alone is not after their approval. sufficient. Thus, because another The word “consent” requirement beyond consent must must be used to also be met, the answer is “no”. answer this question as a “yes”. If “66b” is a “yes”, then “66a” must be a “no”, and vice versa. 61b. Personal data is Look for any additional explicitly allowed safeguard required in to transfer across addition to the data border based on subject’s consent to consent from the transfer data abroad. If data subject: something more than Additional government approval, government please flag and bring approval is required. to supervisor. If “66a” is a “yes”, this answer should be a “no”. 
62.
Regulatory Solution: Government control questions
What is Captured: Multiple choices possible. If a country has a system where government notification is required for adequate countries and pre-approval is required for adequate countries, then mark the country as requiring notification alone because the authority is being notified in one way or another in every case, but the same cannot be said vice versa.

62a.
Regulatory Solution: Are the following steps required for cross-border data transfers: Government pre-approval?
What is Captured: This question requires entities to get approval for each CBDT, or a group of CBDTs to a single entity, regardless of the country’s safeguard protections. This question cannot be answered as a navigation around adequacy. This question can only be answered when transfers must be approved before the transfer can occur. Importantly, this question will be answered “yes” even when a threshold number of individuals’ information is required to trigger the law, if the number will cause the authority to routinely give approval. In addition, this question will be answered “no” if pre-approval is only needed in certain circumstances.
Correct Example: “PIPL Art. 40: ... If it is really necessary to provide it overseas, it shall pass the security assessment organized by the national cybersecurity and informatization department; if laws, administrative regulations, and the national cybersecurity and informatization department stipulate that the security assessment may not be required, follow their provisions.” “DESAM Art. 4(3): (3) A data processor that has provided personal information of 100,000 people or sensitive personal information of 10,000 people to overseas countries since January 1 of the previous year has provided personal information overseas;....”
• China PIPL Art. 40 & Data Export Security Assessment Measures Art. 4
Here, the law requires companies to submit a security assessment that must be reviewed and approved before transfer. The threshold of 100,000 people’s data is not so disproportionately high as to preclude it from answering this question, as many companies will be working with more data than that.
Incorrect Example: “(Transfer of data to countries that ensure an adequate level of protection): The international transfer of data to countries that ensure an adequate level of protection is subject to notification to the Data Protection Agency.”
• Angola Personal Data Protection Law Art. 33(1)
A mere notification is not sufficient to mark this answer as a “yes”. Notifications do not necessarily slow the process of transfers and the point of the question is to discover if transfers are inefficient or encumbered by requirements.

62b.
Regulatory Solution: Are the following steps required for cross-border data transfers: Notification of transfer without authorization/pre-approval?
What is Captured: This question can be answered when pre-authorization of a transfer is not required but the government must be notified about the transfer. The notification requirement can come before, during, or after the transfer—all that matters is that the government does not have to approve the transfer. This question may also be answered when the government may revoke the transfer upon finding an issue. A mere requirement to record the transaction does not sufficiently answer the question but should be marked in the methodology tab of the dataset.
Incorrect Example: “(Preparing of Records on Provision of Personal Data to Third Parties) Article 29 (1) When having provided personal data to a third party ..., businesses handling personal information must prepare a record pursuant to Order of the Personal Information Protection Commission on the date of the provision of the personal data, the name of the third party, and other matters prescribed by Order of the Personal Information Protection Commission; .... (2) A business handling personal information must keep a record under the preceding paragraph for a period of time prescribed by Order of the Personal Information Protection Commission from the date when it prepared the record.”
• Japan Act on Protection of Personal Information Art. 29
The provision does not mandate that the notification must be sent to the Commission; rather, the record must merely be kept with the possibility that it will be given to the Commission upon request.

62c.
Regulatory Solution: Are the following steps required for cross-border data transfers: Submission of security assessment?
Reason: This can create cumbersome administrative and operational burdens and pose unreasonable operational challenges to both domestic companies conducting international business or engaging in any dealing or communications with overseas counterparties and foreign-invested companies who would inevitably share personal information with overseas parents and affiliates on a daily basis.58
What is Captured: Security assessments are reviews done by a domestic entity to be given to the government during authorization approval procedures/applications. This question may only be answered “yes” when the security assessment is a general rule to acquire government approval.
Correct Example: “Article 4 If a data processor provides data overseas under any of the following circumstances, it shall apply to the national cybersecurity and informatization department for a data export security assessment through the local provincial cybersecurity and informatization department: (1) Data processors provide important data overseas; (2) Critical information infrastructure operators and data processors that handle the personal information of more than 1 million people provide personal information overseas;”
• China Data Export Security Assessment Measures Art. 4(2)
The provision requires a full assessment sent to the authority for approval. The law will specify the requirements for the assessment also.

63.
Regulatory Solution: Data Localization questions
Reason: Data localization requirements can significantly hinder the economic benefits enabled by Internet of Things (IoT) technologies, reducing potential gains to GDP, growth, employment, trade and investment.59
What is Captured: Multiple choices possible. These questions seek to find the various types of data localization that might be required. Data localization is different from CBDT as it focuses on where the data must be stored. Some countries can allow a CBDT but not storage in a foreign country. This is because storage can be anywhere in the world, regardless of where the data is accessed. For example, VPNs and cloud storage can allow access to data in different locations than where the servers are. 68b through 68p accumulate points by marking each applicable on the different levels.

63a.
Regulatory Solution: *No* general personal data localization requirement exists.
What is Captured: Some personal data protection laws require personal data to be stored in only the domestic country. Not finding an answer makes this question a “yes” to gain points. This question will be a “yes” for the majority of countries.

63b/g/l
Regulatory Solution: [Combined] Requirement to keep sector specific data stored/processed/accessible within country: All personal and non-personal data.

63c/h/m
Regulatory Solution: [Combined] Requirement to keep sector specific data stored/processed/accessible within country: Financial data.
Correct Example: “11.1 An automated teller machine operator shall: j) not send any transaction outside Ethiopia for the purpose of processing, authorization or switching (only applies for licensed automated teller machine operator).”
• Ethiopia Licensing and Authorization of Payment Systems Operators Art. 11.1(j)
Here, the provision applies to storage, processing, and accessibility because there is no way to transmit the information abroad, leaving the logical deduction that the information will only be accessible within Ethiopia.
Incorrect Example: “3.2 A banking corporation shall not store customer information or data on the cloud outside the borders of the State of Israel, unless it has ascertained that the cloud service provider meets the level of protection in accordance with the directive 95/46/EC on the protection of individuals with regard to the processing of personal data and the free movement of such data directive of the European Union.”
• Israel Risk Management in Cloud Computing Environment Para. 3.2
Because there is a way around the localization requirement, we count this answer as a “no”. Note: mark in blue in source tab to show it is a close call.

63d/i/n
Regulatory Solution: [Combined] Requirement to keep sector specific data stored/processed/accessible within country: Health data.
What is Captured: Storage only. If “68i/n” are a “yes”, this must be a yes.

63e/j/o
Regulatory Solution: [Combined] Requirement to keep sector specific data stored/processed/accessible within country: National security related data.
What is Captured: Storage only. If “68j/o” are a “yes”, this must be a yes.

63f/k/p
Regulatory Solution: [Combined] Requirement to keep sector specific data stored/processed/accessible within country: Telecommunications data.
What is Captured: Storage only. If “68k/p” are a “yes”, this must be a yes.

64.
Regulatory Solution: Explicit framework on non-personal data cross-border data transfers
What is Captured: Legal provisions are narrowed into stating “non-personal” data. Currently, the rules on CBDT for non-personal data are so new that the word will be used when the meaning is intended.
Usually Found in: • Data Protection Law
Correct Example: “Article 1 Subject matter This Regulation aims to ensure the free flow of data other than personal data within the Union by laying down rules relating to data localisation requirements, the availability of data to competent authorities and the porting of data for professional users.”
• EU Regulation on a Framework for the Free Flow of Non-Personal Data in the EU Art. 1
The provision expressly states that the entire regulation applies to non-personal data.

65.
Regulatory Solution: Explicit rules on portability of non-personal data
What is Captured: The word “portability” will likely be used because of how new non-personal data regulations are. Provisions that include portability of all data are not included because the purpose of the question is to determine the countries that specifically regulate non-personal data.
Usually Found in: • Data Protection Law
Correct Example: “Article 6 Porting of data 1. The Commission shall encourage and facilitate the development of self-regulatory codes of conduct at Union level (‘codes of conduct’), in order to contribute to a competitive data economy, based on the principles of transparency and interoperability and taking due account of open standards, (a) best practices for facilitating the switching of service providers...; (d) communication roadmaps taking a multi-disciplinary approach to raise awareness of the codes of conduct among relevant stakeholders.”
• EU Regulation on a Framework for the Free Flow of Non-Personal Data in the EU Art. 6(1)
The provision discusses the interoperability of non-personal data. The further explanation in the sub-articles sufficiently provides the explicit rules necessary.

66.
Regulatory Solution: Rules on preventing network providers or ISP from limiting data flow in their systems (net neutrality)
Reason: Network neutrality is a principle of equal treatment of data on all platforms and services. The treatment must be done in a way that does not discriminate in favor of certain services over others.60
What is Captured: Because the definition of net neutrality is used differently all over the world, the question uses a broad definition. Provisions that have open access, anti-discrimination, or anti-limitation principles work to answer the question.
Usually Found in: • Telecommunications Law
Correct Example: “3. Policy Directives on Net Neutrality: 3.1 The Government is committed to the fundamental principles and concepts of Net Neutrality i.e., keep the Internet accessible and available to all without discrimination. Internet Access Services, therefore, need to be governed by a principle that restricts any form of discrimination, restriction or interference in the treatment of content, including practices like blocking, degrading, slowing down or granting preferential speeds or treatment to any content. To ensure that the regulatory framework on Net Neutrality adheres to the fundamental principles and concepts of Net Neutrality, the policy directives as mentioned in the succeeding paras are hereby issued....”
• India DoT Letter on Net Neutrality Regulatory Framework para. 3
The paragraph above introduces the principles that the rest of the document seeks to apply. This is sufficient to answer the question at hand.
Incorrect Example: “3. Internet service providers limit access to the Internet resource based on: restricted list – organizations (except for the Ministry of Information, the Ministry of Communications and Informatization, ...), individuals, including individual entrepreneurs, on a free basis...”
• Belarus Resolution on the Approval of the Regulations on the Procedure for Restricting (Renewing) Access to an Internet Resource para. 3
The provision explicitly permits the limitation of access, which is the antithesis of the question. Thus, the provision cannot apply.

INTERMEDIARY LIABILITY

67.
Regulatory Solution: Framework explicitly addresses online intermediary liability
Reason: Rules on intermediary liability are trending in two different manners currently: either mandating liability exists for intermediaries or protecting intermediaries from liability. Clear rules are useful for organizations to understand the liability of allowing users to publicly post information on websites.61
What is Captured: The provision does not need to limit liability, but merely address liability for intermediaries. This answer can be broad or narrow, and it can specifically give liability to service providers. If any of the safe harbor or notification questions are answered, this question must also be answered, but that is not necessarily true vice versa.
Usually Found in: • Electronic Transactions Law • Online Safety Law • Copyright Law • Intellectual Property Law • Telecommunications Law • Internet Services Act
Correct Example: “Article 24. Liability of intermediaries and electronic commerce service providers...”
• Cambodia Law on Electronic Commerce Art. 24
The provision or the chapter [titled the same as the article] on intermediaries both work to show that Cambodia has a framework of laws that regulate online intermediary liability. Thus, the provision is sufficient to answer the question.
Incorrect Example: “27(2.3) It is an infringement of copyright for a person, by means of the Internet or another digital network, to provide a service primarily for the purpose of enabling acts of copyright infringement if an actual infringement of copyright occurs by means of the Internet or another digital network as a result of the use of that service.” “29.21 (1) It is not an infringement of copyright for an individual to use an existing work or other subject-matter or copy of one, which has been published or otherwise made available to the public, in the creation of a new work or other subject-matter in which copyright subsists and for the individual — or, with the individual’s authorization, a member of their household — to use the new work or other subject-matter or to authorize an intermediary to disseminate it,....”
• Canada Copyright Modernization Act Secs. 27(2.3), 29.21
Both of these provisions are good examples of incorrect frameworks for the question at hand. The first provision states that online infringements occur when the “service primarily” enables copyright infringement. That means that the regulation applies when the purpose of the online website is to infringe copyrighted material. As the question seeks to understand regulations for legal websites’ users’ illegal infringements, the provision does not apply. The second provision is about publicly released work that has authorization for use. Thus, neither of these provisions applies to answering the question at hand.

68.
Regulatory Solution: Online intermediaries are not required to routinely monitor content uploaded by third parties
Reason: This requirement may impose too much burden on hosting provider which will unreasonably curb their freedom to conduct business.62
What is Captured: This question seeks to understand if the law specifically carves out the need to monitor content. Without the specific carve-out, the law is unclear whether or not monitoring might be required. Thus, the answer does not count unless the provision mentions monitoring or its equivalent.
Usually Found in: • Electronic Transactions Law • Online Safety Law • Copyright Law • Intellectual Property Law • Telecommunications Law • Internet Services Act
Correct Example: “45. (1) A service provider shall not ... be generally obliged to – (a) monitor the data which it transmits or stores...”
• Botswana Electronic Communications and Transactions Act Art. 45(1)(a)
The law explicitly states that the online service providers are not required to monitor the data. This provision, thus, applies.
Incorrect Example: “1 The provider of an internet hosting service which stores information entered by users is required to prevent a work or other protected subject matter from being unlawfully remade available to third parties through the use of its services, if the following requirements are fulfilled: ... b. The provider has been notified of the infringement.”
• Switzerland Federal Law on Copyrights and Related Rights Arts. 39d(1)(b)
The provision does not work because online service providers are subject to prior knowledge. At first glance, the chapeau seems to create a monitoring requirement with the phrase “prevent a work”, but the notification element eliminates a monitoring requirement. Thus, the provision does not apply.

69.
Regulatory Solution: Safe harbor provisions exist to shield online platforms or hosting providers from liability
Reason: An unreasonable burden of enforcement on intermediaries may stifle their freedom to operate and is likely to increase their business risks and legal expenses.63
What is Captured: Multiple choices possible.

69a.
Regulatory Solution: Safe harbor provisions exist to shield online platforms / hosting providers from liability for: • Unlawful activity generally
Reason: This relieves intermediaries from liability under certain circumstances, such as where they did not modify third party content before posting or transmitting it.64
What is Captured: The provision must be housed within a non-IP law.
Usually Found in: • Electronic Transactions Law • Online Safety Law • Telecommunications Law • Internet Services Act
Correct Example: “Article 3(1) If the rights of others are violated due to dissemination of information through specified telecommunications, the specified telecommunications service provider that uses specified telecommunications facilities used for specified telecommunications ... will not be liable for damages resulting from the violation, unless it is technically possible to take measures for preventing the information from being transmitted to unspecified persons and the violation falls under any of the following items; provided, however, that this does not apply if the related service provider is the sender of information violating the rights of others...”
• Japan Act on the Limitation of Liability of Specified Telecommunications Service Providers for Damages and the Right to Demand Disclosure of Sender Identification Information Art. 3(1)
The provision limits liability for others’ wrongs.
Incorrect Example: “Article 102 (Limitation on Liability of Online Service Providers) (1) Even if copyright or other rights protected pursuant to this Act are infringed in relation to any of the following subparagraphs, an online service provider shall not be responsible for such infringement...”
• Republic of Korea Copyright Act Art. 102(1)
The provision resides within an IP-based law and cannot apply to general unlawful activity.

69b.
Regulatory Solution: Safe harbor provisions exist to shield hosting providers from liability for: • Infringements related to intellectual property
Reason: While some countries have rules on the liability of intermediaries regarding topics such as hate speech, intellectual property rights—which are crucial for e-commerce—are not usually covered. This is indicative of a more comprehensive regulatory framework.65
What is Captured: The law must clearly state that the limitation applies to IP issues or the provision must be contained in an IP law.
Usually Found in: • Copyright Law • Intellectual Property Law • Telecommunications Law • Internet Services Act
Correct Example: “Article 102 (Limitation on Liability of Online Service Providers) (1) Even if copyright or other rights protected pursuant to this Act are infringed in relation to any of the following subparagraphs, an online service provider shall not be responsible for such infringement...”
• Republic of Korea Copyright Act Art. 102(1)
The provision resides within an IP-based law and applies to IP-related infringements.
Incorrect Example: “Article 3(1) If the rights of others are violated due to dissemination of information through specified telecommunications, the specified telecommunications service provider that uses specified telecommunications facilities used for specified telecommunications ... will not be liable for damages resulting from the violation, unless it is technically possible to take measures for preventing the information from being transmitted to unspecified persons and the violation falls under any of the following items; provided, however, that this does not apply if the related service provider is the sender of information violating the rights of others...”
• Japan Act on the Limitation of Liability of Specified Telecommunications Service Providers for Damages and the Right to Demand Disclosure of Sender Identification Information Art. 3(1)
The provision does not state anywhere that it specifically applies to intellectual property right infringements, and, therefore, does not apply to the question at hand.

70.
Regulatory Solution: Notice and take down procedures required for: - Unlawful activity generally
Reason: Once intermediaries are notified of infringing content on their platform or website, they should have a procedure to remove it expeditiously. This mitigates risks posed by the infringing content.66
What is Captured: Both the take-down requirement and the notification requirement must be triggered by the same act of infringement. If only one—either notification or take-down—is regulated in isolation, the provision does not meet the criteria. Second, ensure that the removal procedures stem from the service provider, not the court system. The purpose of this question is to discover whether the law creates requirements for the service providers themselves. Note that if the notification and takedown procedure comes solely from the government, there is a good chance that the law will answer Q79 on judicial restrictions.
Usually Found in: • Electronic Transactions Law • Online Safety Law • Telecommunications Law • Internet Services Act
Correct Example: “Article 497. Liability of online service providers: Online service providers cannot be held civilly liable ... if, from the moment they became aware of it, they acted promptly to remove this data or make access to it impossible.... Article 498. Notification of illicit content: Knowledge of the disputed facts is presumed to have been acquired by the online service provider when it is notified of the following elements: ... (4) the description of the disputed facts and, if possible, their precise location, ....”
• Benin Digital Code Arts. 497-498
The two provisions can be linked to answer the question. Importantly, the law creates a take-down requirement upon notification. As the obligation stems from the entity itself as well, the question can be answered with the provision.
Incorrect Example: “20.—(1) Any Minister may instruct the Competent Authority to issue a Part 4 Direction... 22.—(1) A Disabling Direction is one issued to the internet intermediary that provided the internet intermediary service by means of which the subject material has been or is being communicated in Singapore, requiring it to disable access by end‑users in Singapore to the subject material provided on or through the service that consists of or contains the subject statement, by the specified time.”
• Singapore Protection from Online Falsehoods and Manipulation Act Arts. 20(1), 22(1)
The notification comes from the authority alone and the obligation to take down the material comes from a written order. Thus, the provision cannot apply as there is no procedure for a user to report issues.

71.
Regulatory Solution: Notice and take down procedures required for: - Infringements related to intellectual property
Reason: IP can be so widely distributed that notice and takedown procedures can help online service providers find and stop IP infringements more efficiently.67
What is Captured: First, ensure the law/provision specifically applies to IP. Second, ensure that the removal procedures stem from the service provider, not the court system. The purpose of this question is to discover whether the law creates requirements for the service providers themselves. Question 79 answers whether the courts/agencies are the sole authorities for removal.
Usually Found in: • Copyright Law • Intellectual Property Law • Telecommunications Law • Internet Services Act
Correct Example: “Article 103 (Suspension of Reproduction or Interactive Transmission) (1) Any person who claims that his or her copyright and other rights protected under this Act are infringed ... due to the reproduction or interactive transmission of works, etc. through the use of the services by an online service provider ..., may demand the online service provider, ... suspend the reproduction or interactive transmission of the works, etc. ...”
• Republic of Korea Copyright Act Art. 103
The provision allows users to notify service providers of infringement issues and have those issues removed.
Incorrect Example: “Article 5. Duty of enterprises providing intermediary service. ... 3. Removing and deleting content of digital information which violates copyright and related rights, cutting, stopping and suspension of the Internet line, telecommunication line as receiving request in written of the inspector of the Ministry of Information and Communications or inspector of the Ministry of Culture, Sports, and Tourism or other competent State agencies as prescribed by law.”
• Viet Nam Joint Circular Regulating the Duty of Enterprises Providing Intermediary Service in Protection of Copyright and Related Rights in the Internet and Telecommunication Networks Environment Art. 5(3)
The provision provided does create a notice-and-takedown requirement, but the requirement comes from notice from the government. As this does not apply to the average citizen wanting to notify an enterprise, the provision does not apply to the question at hand.
72.
Regulatory Solution: Content providers’ right to counter notice
Reason: Unless there are exceptional circumstances, the providers of material should be informed by the platforms of the removal and have the possibility to contest such removal with a counter-notice, and then out-of-Court dispute resolution mechanisms and, ultimately, before the judicial Courts.68,69
What is Captured: Ensure that the provision discusses the content provider’s right to counter notice. As the terms can change for this from country to country, check the definitions if needed and the purpose of the provision itself.
Usually Found in: • Electronic Transactions Law • Online Safety Law • Copyright Law • Intellectual Property Law • Telecommunications Law • Internet Services Act
Correct Example: “(2) Exception.—Paragraph (1) shall not apply with respect to material residing at the direction of a subscriber of the service provider on a system or network controlled or operated by or for the service provider that is removed, or to which access is disabled by the service provider, pursuant to a notice provided under subsection (c)(1)(C), unless the service provider— (A) takes reasonable steps promptly to notify the subscriber that it has removed or disabled access to the material; (B) upon receipt of a counter notification described in paragraph (3), promptly provides the person who provided the notification under subsection (c)(1)(C) with a copy of the counter notification, and informs that person that it will replace the removed material or cease disabling access to it in 10 business days;.... Contents of counter notification.—To be effective under this subsection, a counter notification must be a written communication provided to the service provider’s designated agent that includes substantially the following:....”
• United States 17 U.S.C. Sec. 512(g)(2)(B), 17 U.S.C. Sec. 512(g)(3)
The provision creates the right and ability for the content provider to give a counternotice to the service provider.
Incorrect Example: “Article 15.7. Extrajudicial measures to terminate the violation of copyright and (or) related rights in information and telecommunication networks, including the Internet, taken at the request of the copyright holder. ... 7. If the owner of a site on the Internet has evidence confirming the legality of posting on his site on the Internet, ... the owner of the Internet site has the right not to take the measures provided for ... and is obliged to send the applicant a corresponding notification with the specified evidence.”
• Russia Federal Law on Information, Information Technologies and Information Protection Art. 15.7(7)
The example does not apply because the notice of legality comes from the service provider, not the content provider. In this instance, there is no right for the content provider to send a counternotice. Rather, the right is that the service provider may keep the material online upon finding justification for its legal use. Thus, the provision does not apply.

73.
Regulatory Solution: Online platforms’ / Hosting providers’ right to counter notice/appeal
Reason: An adequate system for appealing requests is an important aspect of a strong notice and takedown mechanism. This allows greater safeguards against abusive notices and avoids suppression of legitimate content.70
What is Captured: This question may be answered when a higher authority decides that the website controller (online service provider) has incorrectly permitted an infringement to remain online, and the website controller disagrees with the authority’s opinion. The authority could be a government agency, the courts, or a higher level of authority over the telecommunications system. This regulation is currently rare, so expect it to be difficult to find.
Usually Found in: • Electronic Transactions Law • Online Safety Law • Copyright Law • Intellectual Property Law • Telecommunications Law • Internet Services Act
Correct Example: “9. The website owner has the right to apply to the hosting service provider, from whom he received information about the measures taken in accordance with part seven of this article, with a notice of refusal in accordance with part five of this article, demanding the restoration of access to digital content...”
• Ukraine Law on Copyright and Related Rights Art. 56(9)
The law here divides the website owners and the hosting providers to create a situation where a hosting provider can be contacted for infringement removal. Because of this situation, there is a right to counternotice.
Incorrect Example: “Article 43: After receiving the forwarded notice, the operator of the platform (user) may submit a statement that there is no infringement to the operator of the e-commerce platform. The statement should include preliminary evidence that there is no infringement. After receiving the statement, the e-commerce platform operator shall forward the statement to the intellectual property right holder who issued the notice and inform him that he can lodge a complaint with the relevant competent authority or file a lawsuit with the people’s court....”
• China E-Commerce Law Art. 43
Here, the online service provider is not appealing to a higher authority when disagreeing with the user’s argument, nor is the service provider given the right to disagree in the provision. Thus, as the provision does not pertain to appeals or counternotices from a hosting provider or online platform, the provision does not apply.

74.
Regulatory Solution: Online platforms / Hosting providers are not liable for wrong deletion if the deletion is conducted following a takedown notice
Reason: Copyright owners tend to send notices without diligent investigation, and intermediaries are highly likely to remove the material to reduce the risk of litigation, leading to wrong deletion.70
What is Captured: The provisions that have this answer provide the same or exceedingly similar language as the question.
Usually Found in: • Electronic Transactions Law • Online Safety Law • Copyright Law • Intellectual Property Law • Telecommunications Law • Internet Services Act
Incorrect Example: “The intermediary or service provider is liable for wrongful takedown in response to a notification.”
• Ghana Electronic Transactions Act Art. 94(4)
The provision provides an example of the opposite of the question’s intention. This provision shows that Ghana does not have such a system and considered it. Thus, this question is marked as no and the answer is saved in blue on the source tab for any future country-specific research.
Correct Example: “A service provider acting in compliance with subsection 43H(1) and in accordance with this Part shall not be subject to any liability in respect of an action taken in good faith in relation to— a. The removal of an electronic copy of a work from its primary network; or b. The disabling of access to an electronic copy of a work on its primary network or another network.
• Malaysia Copyright Act Art.
43F(1) The provision uses specific language that matches the question and, thus, answers the question. 75. Complainants are The provisions that • Electronic “A person who knowingly N/A liable for wrong have this answer Transactions Law makes a false statement on deletion following a provide the same or • Online Safety Law the notification in subsection takedown notice exceedingly similar • Copyright Law (1) is liable to the service language as the • Intellectual Property provider for the loss or question. Law damage suffered by the • Telecommunications service provider.” Law • Uganda Electronic • Internet Services Act Transactions Act Art. 31(2) The provision establishes liability for false notifications. (continued on next page) (continued) # Regulatory Solution Reason What is Captured Usually Found in Correct Example Incorrect Example 76. Online platforms / Hosting providers This question seeks to • Electronic “... The service provider must “Article 85 S. The competent Hosting providers normally do not retain understand whether Transactions Law inform the competent state court, at the request of the rights are required to enough personal data an independent • Online Safety Law authority if he has reasonable holders who have initiated the disclose the identity to have suspected obligation exists for • Copyright Law grounds to suspect that: procedure established in the of infringers to the infringers successfully service providers to • Intellectual Property 1) by using its service, the preceding article, may order the extent it is available identified, so the report a user’s identity Law service user undertakes delivery of information that allows to them effectiveness of to authorities, without • Telecommunications illegal activities; 2) the the identification of the alleged identify disclosure is a previous order. 
Thus, Law user of his service provided infringer by the respective service in question.71 this question should • Internet Services Act inadmissible information. provider.” be answered “yes” The service provider is • Chile Law on Intellectual when a self-reporting obliged to present, on the Property Art. 85S structure exists. basis of an appropriate The provision here does not judicial or administrative act, apply to the question because all data on the basis of which the disclosure requirement only the detection or prosecution triggers upon a court order. of perpetrators of criminal acts, ie the protection of the rights of third parties can be undertaken....” • Serbia Law on E-Commerce Art. 20, para. 2 The provision creates the necessary obligation to report without a previous order. Thus, the provision applies to the question at hand. 77. If online platforms This question may be • Electronic / hosting providers answered whether or Transactions Law are required to not an independent • Online Safety Law disclose the identity self-reporting • Copyright Law of infringers (CQ=1), structure exists, unlike • Intellectual Property they are not liable the previous question. Law for the failure to do However, the law must • Telecommunications so (If CQ=0 à CR=0) clearly state that the Law failure to disclose • Internet Services Act the identity of the infringer would not cause liability. Likely, because failing to comply with a judicial order would create serious liability, this A Global Database DIGITAL TRADE REGULATORY READINESS question will only be answered when a self- reporting structure exists. 105 (continued on next page) 106 (continued) # Regulatory Solution Reason What is Captured Usually Found in Correct Example Incorrect Example 78. 
Online platforms / Because of privacy The provision will • Electronic “(5) An online content “Article 5(1)A person alleging Hosting providers concerns, hosting ISPs restrict sharing the Transactions Law host must not disclose any that their rights are violated may not disclose should be forbidden personal information • Online Safety Law personal information about due to dissemination of A Global Database their users’ identity to voluntarily of a user in the same • Copyright Law the complainant or author information through specified information to third disclose suspected section of the law as • Intellectual Property under information privacy telecommunications, may parties without court infringers’ identities the other provisions Law principle 11(1)(e)(iv) set out demand the disclosure of sender orders to copyright owners on intermediary • Telecommunications in section 22 of the Privacy identification information…” without orders from liability. Because Law Act 2020, except by order • Japan Act on the Limitation courts or competent this question seeks • Internet Services Act of a District Court Judge or of Liability of Specified authorities.72 to know whether the a High Court Judge made Telecommunications Service law addresses privacy on an application under this Providers for Damages and the DIGITAL TRADE REGULATORY READINESS rights in intermediary subsection.” Right to Demand Disclosure liability instances, the • New Zealand Harmful of Sender Identification provisions should be Digital Communications Information Art. 5(1) carefully taken from Act Sec. 24(5) The law contains multiple applicable law, not a The provision here directly provisions specifying how general privacy law. responds to the question at the victim may demand the hand. identification of the infringer and how the victim cannot use the information further. Thus, these provisions are the opposite answer to the question. 79. 
Regulatory Solution: An order from a judicial court or competent authority is required to require content restriction
Reason: Such enforcement should be ensured by public authorities, in particular regulatory authorities and judicial courts.73
Usually Found in: Electronic Transactions Law; Online Safety Law; Copyright Law; Intellectual Property Law; Telecommunications Law; Internet Services Act

Endnotes

1. UNCITRAL (1996) Model Law on Electronic Commerce.
2. UNCITRAL (1996) Model Law on Electronic Commerce.
3. UNCITRAL (1996) Model Law on Electronic Commerce.
4. UNCITRAL (1996) Model Law on Electronic Commerce.
5. UNCITRAL (1996) Model Law on Electronic Commerce.
6. UNCITRAL (1996) Model Law on Electronic Commerce.
7. UNCITRAL (2007) United Nations Convention on the Use of Electronic Communications in Electronic Contracts; UNCITRAL (2001) Model Law on Electronic Signatures.
8. UNCITRAL (2001) Model Law on Electronic Signatures.
9. ITU (2018), “Powering the digital economy: Regulatory approaches to securing consumer privacy, trust and security”, https://digitalregulation.org/wp-content/uploads/D-PREF-BB.POW_ECO-2018-PDF-E.pdf.
10. ITU (2018), “Powering the digital economy: Regulatory approaches to securing consumer privacy, trust and security”, https://digitalregulation.org/wp-content/uploads/D-PREF-BB.POW_ECO-2018-PDF-E.pdf.
11. International Trade Centre (2017), International Trade Forum: Trade for the 99%, https://intracen.org/news-and-events/news/making-trade-work-for-the-99.
12. ESCAP (2020), “Legal Readiness Assessment Guide”, https://readiness.digitalizetrade.org/files/documents/legal-readiness-assessment-guide.pdf.
13. UNCITRAL (2018) Model Law on Electronic Transferable Records.
14. UNCTAD (2017), “Consumer Protection in Electronic Commerce”, https://unctad.org/meetings/en/SessionalDocuments/cicplpd7_en.pdf.
15. OECD (2018), “Improving Online Disclosures with Behavioural Insights”, https://doi.org/10.1787/39026ff4-en.
16. OECD (2018), “Improving Online Disclosures with Behavioural Insights”, https://doi.org/10.1787/39026ff4-en.
17. OECD (2018), “Improving Online Disclosures with Behavioural Insights”, https://doi.org/10.1787/39026ff4-en.
18. OECD (2018), “Improving Online Disclosures with Behavioural Insights”, https://doi.org/10.1787/39026ff4-en.
19. OECD (2018), “Improving Online Disclosures with Behavioural Insights”, https://doi.org/10.1787/39026ff4-en.
20. OECD (2016), “Consumer Protection in E-commerce: OECD Recommendation”, https://www.oecd.org/sti/consumer/ECommerce-Recommendation-2016.pdf.
21. OECD (2016), “Consumer Protection in E-commerce: OECD Recommendation”, https://www.oecd.org/sti/consumer/ECommerce-Recommendation-2016.pdf.
22. VON BAR Christian / CLIVE Eric (editors), Principles, Definitions and Model Rules of European Private Law: Draft Common Frame of Reference (DCFR) – Full Edition, Prepared by the Study Group on a European Civil Code and the Research Group on EC Private Law (Acquis Group), Vol. 1, Munich 2009, https://www.law.kuleuven.be/personal/mstorme/european-private-law_en.pdf.
23. VON BAR Christian / CLIVE Eric (editors), Principles, Definitions and Model Rules of European Private Law: Draft Common Frame of Reference (DCFR) – Full Edition, Prepared by the Study Group on a European Civil Code and the Research Group on EC Private Law (Acquis Group), Vol. 1, Munich 2009, https://www.law.kuleuven.be/personal/mstorme/european-private-law_en.pdf.
24. FORBRUKERRADET (2018), https://storage02.forbrukerradet.no/media/2018/06/2018-06-27-deceived-by-design-final.pdf.
25. UIE (2017) Dark Patterns and the Ethics of Design, https://medium.com/adventures-in-ux-design/dark-patterns-and-the-ethics-of-design-31853436176b.
26. OECD (2005) Report of the OECD Task Force on SPAM: Anti-SPAM Toolkit of Recommended Policies and Measures, https://www.oecd.org/digital/consumer/36494147.pdf.
27. OECD (2005) Report of the OECD Task Force on SPAM: Anti-SPAM Toolkit of Recommended Policies and Measures, https://www.oecd.org/digital/consumer/36494147.pdf.
28. OECD (2005) Report of the OECD Task Force on SPAM: Anti-SPAM Toolkit of Recommended Policies and Measures, https://www.oecd.org/digital/consumer/36494147.pdf.
29. ITU (2005), “A Comparative Analysis of SPAM Laws: The Quest for a Model Law”, https://www.itu.int/osg/spu/cybersecurity/docs/Background_Paper_Comparative_Analysis_of_Spam_Laws.pdf.
30. OECD (2016), “Consumer Protection in E-commerce: OECD Recommendation”, https://www.oecd.org/sti/consumer/ECommerce-Recommendation-2016.pdf.
31. FCC (2024), “FCC Fact Sheet: Strengthening Consumer Protections Against Unwanted Robocalls”, https://docs.fcc.gov/public/attachments/DOC-400039A1.pdf.
32. OECD (2016), “Consumer Protection in E-commerce: OECD Recommendation”, https://www.oecd.org/sti/consumer/ECommerce-Recommendation-2016.pdf.
33. OECD (2016), “Consumer Protection in E-commerce: OECD Recommendation”, https://www.oecd.org/sti/consumer/ECommerce-Recommendation-2016.pdf.
34. OECD (2006), “Best Practices for Consumer Policy: Report on the Effectiveness of Enforcement Regimes”, https://one.oecd.org/document/DSTI/CP(2006)21/FINAL/en/pdf.
35. UNCTAD (2016), “Data protection regulations and international data flows: Implications for trade and development”, https://unctad.org/en/PublicationsLibrary/dtlstict2016d1_en.pdf.
36. Opinion WP29 06/2014, http://www.dataprotection.ro/servlet/ViewDocument?id=1086.
37. EFF (2021), “EFF Transition Memo to Incoming Biden Administration”, https://www.eff.org/wp/eff-transition-memo-incoming-biden-administration#Contents.
38. UNCTAD (2016), “Data protection regulations and international data flows: Implications for trade and development”, https://unctad.org/en/PublicationsLibrary/dtlstict2016d1_en.pdf.
39. European Union Agency for Fundamental Rights (2018), “Handbook on European data protection law”, https://fra.europa.eu/en/publication/2018/handbook-european-data-protection-law-2018-edition.
40. CoE (2018) Convention 108+: Convention for the protection of individuals with regard to the processing of personal data, https://www.coe.int/en/web/data-protection/convention108-and-protocol.
41. UNCTAD (2016), “Data protection regulations and international data flows: Implications for trade and development”, https://unctad.org/en/PublicationsLibrary/dtlstict2016d1_en.pdf.
42. European Union Agency for Fundamental Rights (2018), “Handbook on European data protection law”, https://fra.europa.eu/en/publication/2018/handbook-european-data-protection-law-2018-edition.
43. Working Party Article 29 Guidelines on consent under Regulation 2016/679, https://ec.europa.eu/newsroom/article29/items/623051.
44. OECD (2020), “Mapping Approaches to Data and Data Flows”, https://www.oecd.org/trade/documents/mapping-approaches-to-data-and-data-flows.pdf.
45. ICO (2011), “Data sharing code of practice”, https://ico.org.uk/media/for-organisations/documents/1068/data_sharing_code_of_practice.pdf.
46. UNCTAD (2016), “Data protection regulations and international data flows: Implications for trade and development”, https://unctad.org/en/PublicationsLibrary/dtlstict2016d1_en.pdf.
47. UNCTAD (2016), “Data protection regulations and international data flows: Implications for trade and development”, https://unctad.org/en/PublicationsLibrary/dtlstict2016d1_en.pdf.
48. EDPS (2021), “Encryption”, https://www.edps.europa.eu/data-protection/our-work/subjects/encryption_en.
49. WP29 (2016), “Guidelines on Data Protection Officers (‘DPOs’)”, https://ec.europa.eu/newsroom/article29/items/612048/en.
50. CIPL (2016), “Risk, High Risk, Risk Assessments and Data Protection Impact Assessments under the GDPR”, https://iapp.org/media/pdf/resource_center/cipl_gdpr_risk_21_dec_2016.pdf.
51. Ramesh Ramachandran, “The Importance of Training: Cybersecurity Awareness like a Human Firewall”, Entrepreneur India (2019), https://www.entrepreneur.com/en-in/growth-strategies/the-importance-of-training-cybersecurity-awareness-like-a/340838.
52. Working Party Article 29 Guidelines on consent under Regulation 2016/679, https://ec.europa.eu/newsroom/article29/items/623051.
53. Working Party Article 29 Guidelines on consent under Regulation 2016/679, https://ec.europa.eu/newsroom/article29/items/623051.
54. World Bank (2019), “ID4D Practitioners Guide”, https://documents1.worldbank.org/curated/en/248371559325561562/pdf/ID4D-Practitioner-s-Guide.pdf.
55. European Union Agency For Cybersecurity (2021), “ENISA’s work on National Cybersecurity Strategies”, https://www.enisa.europa.eu/topics/national-cyber-security-strategies.
56. World Bank (2019), “Global Cybersecurity Capacity Program Lessons Learned and Recommendations towards Strengthening the Program”, https://documents1.worldbank.org/curated/en/947551561459590661/pdf/Global-Cybersecurity-Capacity-Program-Lessons-Learned-and-Recommendations-towards-Strengthening-the-Program.pdf.
57. UNCTAD (2016), “Data protection regulations and international data flows: Implications for trade and development”, https://unctad.org/en/PublicationsLibrary/dtlstict2016d1_en.pdf.
58. Baker McKenzie (2019), “China Proposes More Stringent Rules on Security Assessment of Export of Personal Information”, https://www.globalcompliancenews.com/2019/07/31/china-proposes-more-stringent-rules-security-assessment-export-personal-information-20190703/.
59. GSMA (2021), “Cross-Border Data Flows: The impact of data localization on IoT”, https://www.gsma.com/publicpolicy/wp-content/uploads/2021/01/Cross_border_data_flows_the_impact_of_data_localisation_on_IoT_Full_Report.pdf.
60. EFF (2024), “Net Neutrality”, https://www.eff.org/issues/net-neutrality#:~:text=Network%20neutrality%20is%20the%20idea,idea%20that%20ISPs%20could....
61. EFF (2022), “Platform Liability Trends Around the Globe: Taxonomy and Tools of Intermediary Liability”, https://www.eff.org/deeplinks/2022/05/platform-liability-trends-around-globe-taxonomy-and-tools-intermediary-liability.
62. Wang, Jie, “Regulating Hosting ISPs’ Responsibilities for Copyright Infringement: The Freedom to Operate in the US, EU and China”, Springer Singapore Pte. Limited, 2018. ProQuest Ebook Central, https://ebookcentral-proquest-com.libproxy-wb.imf.org/lib/jointlib-ebooks/detail.action?docID=5358158.
63. Wang, Jie, “Regulating Hosting ISPs’ Responsibilities for Copyright Infringement: The Freedom to Operate in the US, EU and China”, Springer Singapore Pte. Limited, 2018. ProQuest Ebook Central.
64. Manila Principles on Intermediary Liability (2015), https://www.manilaprinciples.org.
65. Beatrice Martinet & Reinhard J. Oertli, “Liability of E-Commerce Platforms for Copyright and Trademark Infringement: A World Tour”, American Bar Association (2015), https://www.americanbar.org/groups/intellectual_property_law/publications/landslide/2014-15/may-june/liability-e-commerce-platforms-copyright-trademark-infringement-world-tour/.
66. EFF (2022), “Platform Liability Trends Around the Globe: Taxonomy and Tools of Intermediary Liability”, https://www.eff.org/deeplinks/2022/05/platform-liability-trends-around-globe-taxonomy-and-tools-intermediary-liability.
67. CREATe (2021), “21 for 2021: Notice-and-Takedown in Copyright Intermediary Liability”, https://www.create.ac.uk/blog/2021/06/25/21-for-2021-notice-and-takedown-in-copyright-intermediary-liability/.
68. CERRE (2018), “Liability of online hosting platforms: should exceptionalism end?”, https://cerre.eu/publications/liability-online-hosting-platforms-should-exceptionalism-end/.
69. CREATe (2021), “21 for 2021: Notice-and-Takedown in Copyright Intermediary Liability”, https://www.create.ac.uk/blog/2021/06/25/21-for-2021-notice-and-takedown-in-copyright-intermediary-liability/.
70. Wang, Jie, “Regulating Hosting ISPs’ Responsibilities for Copyright Infringement: The Freedom to Operate in the US, EU and China”, Springer Singapore Pte. Limited, 2018. ProQuest Ebook Central.
71. Wang, Jie, “Regulating Hosting ISPs’ Responsibilities for Copyright Infringement: The Freedom to Operate in the US, EU and China”, Springer Singapore Pte. Limited, 2018. ProQuest Ebook Central.
72. Wang, Jie, “Regulating Hosting ISPs’ Responsibilities for Copyright Infringement: The Freedom to Operate in the US, EU and China”, Springer Singapore Pte. Limited, 2018. ProQuest Ebook Central.
73. De Streel, A. et al., Online Platforms’ Moderation of Illegal Content Online, Study for the committee on Internal Market and Consumer Protection, Policy Department for Economic, Scientific and Quality of Life Policies, European Parliament, Luxembourg, 2020.