GATS security exception: What if it were to be invoked to justify restrictions on data flows?
By Martina Francesca Ferracane
Research Associate & DTE Project Manager European Centre for International Political Economy, Policy Leaders Fellow at European University Institute
Under the World Trade Organisation (WTO) system, countries are not allowed to introduce new tariffs or to impose other trade restrictions on bound goods and services. However, a country can deviate from its free trade obligations to achieve important non-economic objectives such as data privacy, public morals and national security. The security exception is the widest among the exceptions listed in the WTO texts and has only rarely been invoked by World Trade Organisation (WTO) members. This has been partly because members did not wish to open a Pandora’s box that could be abused as a cover for new protectionist measures.
Yet, several countries have recently mentioned the security rationale when imposing restrictions on data transfers. The most recent case is Vietnam’s Cybersecurity Law, passed in June 2018. Vietnam’s lawmakers have justified the new measure under the security exception in WTO texts and other free trade agreements (Nguyen, 2018).
The uncertainty surrounding national security and the digital economy increases the policy space of countries to impose protectionist measures disguised as restrictions needed to protect national security. This can impact the capacity of companies to conduct business and opens the possibility of future trade disputes.
This policy brief explores the national security implications of a potential WTO dispute on data flow restrictions. It summarizes a more detailed analysis recently published by Ferracane (2018). This analysis aims to increase clarity on a contested issue which has implications that could run deep into the future of the internet.
Art. XIV bis of the General Agreement on Trade in Services (GATS) is the most relevant article when looking at restrictions on data flows and their impact on trade. The provision (b)(iii) of the GATS security exception states that nothing in the agreement should be construed to “prevent any Member from taking any action which it considers necessary for the protection of its security interests [...] taken in time of war or other emergency in international relations”. A country invoking this exception could justify restrictions on movement of data by claiming that it is taking actions “it considers necessary” to protect its “essential security interests” in the context of an “emergency in international relations” caused, for example, by threats of cyber espionage or a cyberattack that could destabilize the country.
Given the lack of WTO jurisprudence on the security exception, the degree of uncertainty on the interpretation of this clause remains significant. However, some points can be mentioned. First, the word “essential” indicates that general security is not sufficient and therefore the “security interests should meet a higher standard that can be distinguished from other normal security interests” (Peng, 2015). Second, the instances pertaining to the security exception should be different in quality than those related to “public order” that fall instead under the general exceptions. Finally, it is also important that the threat to the essential security interest is credible and especially imminent (Panos and Cottier, 2008). This is clear from the reference to a “war or other emergency in international relations”. Measures that are implemented on a long-term basis, for example the establishment of a national-only cloud, could hardly be justified under a temporary condition of emergency.
Ultimately, it is likely to remain under the discretion of the WTO member to identify what is considered a national security interest. Yet, arbitral panels have still a role to play to assess the relevance of the measure to achieve the government’s objective. A good-faith review would need to consider whether security interests are manifestly absent and whether the measure is not intentionally serving protectionist interests.
The fact that, in the digital era, access to the Internet is necessary for the ordinary functioning of a country cannot be, per se, a justification for a requirement to process all data locally. Forcing companies to process data locally does not ensure that the network would still be fully functional in case of an attack nor does it make the communication system more resilient in case of an attack. A weak security system remains weak no matter where the data is stored. To ensure the more general stability and resilience of the network, the country could rather focus on a detailed analysis of the risk scenario specific to the country to identify idiosyncratic vulnerabilities and to secure the internet infrastructure. Important points are, among others, the necessity to build internet exchange points and a recovery system. Such a general claim therefore would hardly be brought into a dispute.
There are however other concerns that a country could bring up in a dispute to defend data restrictions under the security exception. In particular, there are three instances that are likely to concern the majority of countries today in relation to the movement of data and could likely be brought up in a dispute. These are:
• Cyber espionage: Restricting the flow of data from leaving the country makes it harder for other countries to surveil certain communications considered of national security interest;
• Cyberattacks on critical infrastructure: By restricting the flow of data, the critical infrastructure is better protected from and more resilient to cyberattacks;
• Terrorist threats: Keeping data locally improves the capacity of a government to conduct surveillance at home with the objective to identify possible threats and prevent terrorist attacks.
Given the technicality of the issue, the panel should assess whether the measure actually makes a contribution to reducing cyber risks connected to national security (as defined by the member). This might entail finding at least a minimum degree of proportionality between the protection of national security interests and the overall impact on trade resulting from the measure. Such an analysis should take into account both legal and technical arguments. That is, it should be assessed whether processing data within the national borders legally makes the country better protected from cyber espionage and cyber attacks on the critical infrastructure, and/or makes it easier to access data to prevent terrorist threats. In addition, a similar analysis should be conducted from a technical perspective in the sense that it should be assessed whether keeping data locally has an impact on the technical capability of a country to protect its national security.
The main legal and technical arguments that a country might bring up in WTO dispute in order to justify a certain restriction on data flows under the security exception are presented in Ferracane (2018). The paper concludes that ultimately each measure would need to be assessed on a case by case basis according to each country’s threat scenario. Restrictions on data flows can impact countries in different ways depending on their legal environment, other cyber security policies in place, and their telecom infrastructure, among other issues. It emerges clearly that, in most cases, keeping data locally increases the costs of certain attacks, but does not lead to a substantial improvement in the legal and technical capacity of a country to defend itself from cyber espionage, cyber attacks and terrorist threats. It therefore seems unlikely that a country could successfully justify such measures under the GATS security exception.
Nevertheless, the decision of a country to start a dispute on data flow restrictions remains a political one as its impact would go well beyond trade. The problems arising in negotiation of digital trade commitments reflect the uncertainty on whether the current structure of the WTO is well suited to judge on issues of privacy, security and, ultimately, internet governance. The WTO members might want to refrain from bringing claims on digital issues which are not explicitly covered by current WTO language until this uncertainty is settled.
Yet, regardless of whether a claim is brought under the WTO, a discussion on whether restrictions on data flows can effectively improve a country’s capacity to protect its security interests should be encouraged. In a time of digital transformation, it is crucial to delve deep into what measures actually contribute to the national security of the country in the digital age and which instead are actually implemented with protectionist motives or to suppress freedom of expression. When restricting data flows across borders, a country should have a full picture of the consequences of these measures not only on the national security of the country, but also on the functioning of the internet and on the capacity of its citizens to express themselves freely online.
Ferracane, M. F. (2018) "Data flows and national security: a conceptual framework to assess restrictions on data flows under GATS security exception", Digital Policy, Regulation and Governance,
Nguyen, M. (2018), “Vietnam lawmakers approve cyber law clamping down on tech firms, dissent”, Reuters, 12 June 2018, available at:
Panos, D. and Cottier, T. (2008), “Article XIV bis GATS: security exceptions”, available at:
Peng, S. (2015), “Cybersecurity threats and the WTO national security exceptions”, Journal of International Economic Law, Vol. 18 No. 2, pp. 449-478, available at: