Academic year: 2021


Georgia-Cristiana Cozac (12272760)

Master Thesis LLM: 12 ECTS 1

The role of WTO law in governing cybersecurity: A comparative and qualitative legal analysis on whether the WTO’s covered agreements could and should provide a potential legal framework for either justifying or regulating cybersecurity measures and concerns

By: Georgia-Cristiana Cozac (12272760)

E-mail: georgia-cristiana.cozac@uzh.ch

Supervisor: Ms. Svetlana Yakovleva

Master Track: International Trade and Investment Law (LLM)

Date of Submission: 20/07/2020


ABSTRACT

With an increase in digital trade and a proliferation of diverse cybersecurity measures of WTO members, there are new unforeseen regulatory challenges to the existing international trading system. This leaves many unanswered questions, especially since cybersecurity is a broad umbrella term that covers a diverse range of issues. There are diverging views on the relationship between cybersecurity and international trade law (ITL). Some maintain that there is virtually no international trade agreement which deals directly with cybersecurity issues, while others argue that there is potential for cybersecurity to be regulated based on the provisions of existing WTO covered agreements. The WTO has been identified as being capable of providing one of the possible pathways for the development of a trade agenda that can address digital issues. The thesis explores whether the WTO’s existing covered agreements could provide a potential legal framework by either justifying or regulating cybersecurity measures and concerns (CMCs) of WTO members, and based on these findings, whether these agreements should actually do so. To approach this research question, the thesis: i) employs an evolutionary method of treaty interpretation, ii) conducts a case-study to showcase CMCs taken by the USA, China and the EU and iii) evaluates these CMCs against the GATT, GATS and TBT Agreements (TBT). There are two substantial findings. Firstly, the GATT and GATS security provisions could theoretically provide a legal framework for justifying CMCs. Under certain conditions, these provisions may permit members to justify their CMCs if these infringe upon one of their substantive trade obligations. However, there are certain difficulties regarding the ease with which a member could invoke such provisions.

This is due to the stringent requirements (as recently clarified by the Panel in Russia-Traffic in Transit) that must be fulfilled, the fact that these provisions are “not totally self-judging” and the narrow instances in which members could demonstrate that their CMCs satisfy all the criteria needed for members to rely upon these provisions. If members are actually able to prove that their respective CMCs fulfill these requirements, then they should be permitted to rely upon these provisions as a legal framework for justifying their CMCs because it is their right to rely on these provisions by virtue of their existence within the respective agreements. The original drafters intended to allow members to justify a breach of their WTO obligations under certain conditions by adopting security measures, which could include measures of a cybersecurity nature, if these provisions are read in an evolutionary manner while referring to the ordinary meaning of the text of the treaty. Secondly, the TBT could provide a legal framework for regulating CMCs. Some CMCs have the potential of being classified as technical regulations (TRs), when read in an evolutionary manner while referring to the ordinary meaning of the text of the treaty, since the CMCs assessed could fulfill the respective requirements of the TBT. These must be maintained in a manner which is not “more trade restrictive than necessary” and is not applied in a manner which is “arbitrary” or “unjustifiable,” where the burden of proof rests on the complaining party. They may even potentially be qualified as standards if a recognized WTO international standardization body is created. Members can adopt CMCs within the ambit of the TBT only if they achieve “legitimate policy objectives,” which is where the “concerns” play an important role. The fulfillment of these TBT requirements would be ensured through conformity assessment procedures (CAPs) guaranteed by the TBT. Since the CMCs could satisfy these requirements, this thesis concludes that the TBT should regulate CMCs in these specific forms (i.e. TRs, standards and CAPs) because these CMCs could fall within the scope of the agreement, which would give members more rights under the TBT such as access to the WTO’s dispute settlement body (DSB).


TABLE OF CONTENTS

I. INTRODUCTION ... 6

a. Motivation ... 6

b. Research gap ... 8

c. Structure of the thesis ... 9

II. METHODOLOGY ... 10

a. Step 1) Determining the correct interpretative approach of the treaties ... 10

b. Step 2) Determining the relevant aspects of CMCs of WTO members ... 10

c. Step 3) Evaluating the identified CMCs, using the identified method of treaty interpretation, against the selected WTO’s covered agreements to determine the could part of the research question ... 11

d. Step 4) Based on the findings of the could part of the research question, determine the should part of the research question ... 12

III. RELEVANT METHOD OF TREATY INTERPRETATION ... 12

IV. CMCs OF SELECTED WTO MEMBERS ... 16

a. Cybersecurity laws and regulations ... 16

b. CMCs ... 19

V. FINDINGS: COULD THE SELECTED AGREEMENTS PROVIDE A POTENTIAL LEGAL FRAMEWORK? ... 22

a. GATT and GATS: “the security exceptions” ... 22

i) Requirement of a preliminary violation of a trade commitment ... 23

ii) Overview of applicable subparagraphs of security exception provisions ... 24

iii) Self-judging requirement ... 25

iv) Article XXI(a) GATT And Article XIVbis (a) GATS ... 27

v) Article XXI(b)(iii) GATT And Article XIVbis (b)(iii) GATS ... 28

b. TBT Agreement: “TRs, standards and CAPs” ... 33

i) TRs ... 33

ii) Standards ... 39

iii) CAPs ... 41

VI. BASED ON THESE FINDINGS, SHOULD THE SELECTED AGREEMENTS PROVIDE A POTENTIAL LEGAL FRAMEWORK? ... 43

VII. CONCLUSION ... 44

VII. LIST OF CASE LAW ... 45

VIII. LIST OF LEGISLATION ... 46

a. International instruments ... 46

b. National instruments ... 46

IX: BIBLIOGRAPHY ... 47


b. Journal articles ... 48

c. Online journal articles ... 50

d. Reports ... 51

e. Websites and online resources ... 52

X: APPENDIX ... 53


I. INTRODUCTION

a. Motivation

Both cybersecurity and ITL are dynamic areas, becoming increasingly intertwined1 and at the forefront of the “digitalization”2 of trade. With the transformation of international trade due to the digital revolution, there are new unforeseen regulatory challenges. 2019 was the worst-hit year in terms of data breaches across various economic sectors,3 with an estimated 7089 breaches globally resulting in 15.1 billion records being exposed.4 The revolution presents risks that could push Members into adopting protectionist measures that negatively affect imports and exports.5 Consequently, there is an overlap of digital and trade issues. The pre-established rules which govern trade flows may conflict with newly adopted cybersecurity measures.6

Cybersecurity policies can have a strong influence over trade since they affect the demand and supply of digital goods and services.7 Tariff and non-tariff barriers8 to international trade are governed by existing WTO multilateral covered agreements.9 However, there are

1 Joshua Meltzer, ‘Cybersecurity and digital trade: What role for international trade rules?’ [2019] Global Economy and Development at Brookings 1

2 For example, through what has been described as the “Internet of Things” (IoT), where the interconnectedness of devices may be subject to cyber-intrusion via these connections. The International Standards Organization has defined the idea of the “Internet of Things” as “an infrastructure of interconnected physical entities, systems and information resources together with the intelligent services which can process and react to information of both the physical world and the virtual world and can influence activities in the physical world,” see further: ISO/IEC JTC1, ‘Information Technology – Internet of Things Reference Architecture’ [2015] ISO/IEC CD 30141:20160910(E) 3; see further: Qusay Hassan, Attaur Rehman Khan & Sajjad Madani, Internet of Things: Challenges, Advances and Applications (CRC Press, 2017) 5-6

3 Identified areas, which are also included: healthcare, retail, public administration, finance & infrastructure, information, education, manufacturing, transport & storage, mining, real estate, hospitality, arts and recreation, hospitality, wholesale, agriculture, etc. See further: Risk Based Security, ‘Number of Records Exposed in 2019 Hits 15.1 Billion’ (Riskbasedsecurity.com, 10 February 2020) <https://www.riskbasedsecurity.com/2020/02/10/number-of-records-exposed-in-2019-hits-15-1-billion/> accessed 27 March 2020

4 Ibidem

5 Joel Trachtman, “The Internet of Things Cybersecurity Challenge to Trade and Investment: Trust and Verify?” [2019] SSRN 2

6 Heath Benton, ‘The New National Security Challenge to the Economic Order’ 129 [2019] Yale Law Journal 1020

7 Shin-yi Peng, “Standards as a means to Technological Leadership? China’s ICT Standards in the Context of the International Economic Order” in Lisa Tooney, Collin Picker & Jonathan Greenacre, China in the International Economic Order: New Directions and Changing Paradigms (Cambridge University Press, 2015) 128

8 Non-tariff barriers on bureaucratic or legal issues that could involve hindrances to trade are dealt with in a number of agreements. Examples include import licensing, rules for the valuation of goods at customs, pre-shipment inspection (further checks on imports), rules of origin and investment measures, see further: World trade organization, ‘Non-tariff barriers: red tape, etc’ (Wto.org, 24 March 2020) <https://www.wto.org/english/thewto_e/whatis_e/tif_e/agrm9_e.htm> accessed 24 March 2020

9 It should be noted that “the WTO was not established to achieve “free trade.” That goal is absent from the Marrakesh Agreement,” see further: Steve Charnovitz, ‘The WTO and the Rights of the Individual’ [2001]


new regulatory and infrastructure challenges10 which require ensuring a level of cybersecurity within international trade activities11 from the perspective of digital trade conducted on the Internet. The recent promulgation of national laws regulating cybersecurity that apply to digital products prompted some WTO members in 2017 to express concerns.12 These laws were criticized as negatively impacting trade in digital products because they may discriminate against foreign companies providing technological goods and services.13 Such impacts may clash with the existing commitments to trade liberalization under the WTO agreements. This presents two separate problems, namely that: i) cybersecurity issues impacting digital trade may pose new challenges to existing trade agreements, leaving many unanswered questions and ii) cybersecurity is a broad umbrella term that covers many issues which leaves a great amount of ambiguity regarding its scope of applicability.

On a national level, cybersecurity is often not governed by a single set of rules;14 rather, it is often regulated using a number of laws, regulations, ordinances, etc.15 Alongside national cybersecurity laws, there are cybersecurity standards created by the private sector, which are arguably deemed as being more cost-efficient than governmental regulation.16 However, the regulatory impacts of this fragmented “multistakeholder” approach remain unknown, especially when not all private and public entities ensure adherence to these standards, which can overlap with existing laws from governments that attempt to regulate aspects of cybersecurity.17 On an international level, besides the Budapest Convention on Cybercrime, there are no international cybersecurity laws.18 Some argue that there is virtually no

directed to the substantial reduction of tariffs and other barriers to trade” and the “elimination of discriminatory treatment in international trade relations,” see further: Preamble of the Agreement Establishing the World Trade Organization [1994]

10 World Trade Organization, ‘Report of the meeting held on 2 March 2018: Note by the Secretariat’ [2018] S/C/M/134 10

11 World trade organization, ‘Members debate cyber security and chemicals at technical barriers to trade committee’ (Wto.org, 15 June 2017) <https://www.wto.org/english/news_e/news17_e/tbt_20jun17_e.htm> accessed 25 March 2020

12 This idea was discussed at meeting of the Technical Barriers to Trade (TBT) Committee in 2017 where WTO members raised concerns about cyber security regulations that apply to information and communication technology products and their impact on trade. See further: Ibidem

13 Ibidem

14 World economic forum, ‘What cybersecurity means for global trade’ (Weforum.org, 15 September 2018) <https://www.weforum.org/agenda/2015/09/what-cybersecurity-means-for-global-trade/> accessed 25 March 2020

15 Judith Germano, ‘Cybersecurity Partnerships: A new era of public-private collaboration’ [2014] NYU Center for Law and Security 1-4

16 Shin-yi Peng, ‘Private cybersecurity standards? Cyberspace Governance, Multistakeholderism and the (Ir)relevance of the TBT Regime’ 2 [2018] Cornell International Law Journal 450

17 Ibidem


international trade agreement dealing directly with cybersecurity issues.19 Conversely, others maintain that there is potential for cybersecurity to be regulated within the existing WTO covered agreements, if these agreements are read using an evolutionary interpretation to include the regulation of cybersecurity.20 The WTO has been identified as providing one of the possible pathways for the development of a trade agenda that can address digital issues.21 The WTO Secretariat in 2013 was given a mandate to assess trade issues of a digital nature to determine how to revise or explain current commitments within the existing WTO agreements in light of these new issues.22

From the national and international legal perspectives, there are gaps in how cybersecurity should be regulated. Since there are pre-existing WTO agreements that contain provisions which could potentially regulate such policies, these will be the focus of the analysis.

b. Research gap

To derive a robust overview of the research area and identify the research gap, the thesis applies a literature review of the existing academic legal sources.23 A summary of the review can be found in the Appendix.24 The identified research gap is the debate on whether there are no provisions of WTO law that could govern CMCs, or whether CMCs could fall within certain provisions of the existing WTO agreements. This thesis aims to address this gap by exploring existing provisions in light of selected CMCs of WTO members.

Since the far-reaching consequences of CMCs have been criticized as possibly creating one of the most widespread barriers built for protectionist purposes,25 more research on this topic is required. Addressing new policy areas does not pose profoundly novel challenges for ITL given its history of balancing commitments and ensuring non-discrimination in light of members’

19 Alberto Oddenino, ‘Digital standardization, cybersecurity issues, and international trade law’ [2018] Questions of International law 37

20 Ibidem

21 Ibidem

22 Ibidem

23 Fink, 2010 5 in Christopher Hart, Doing a Literature Review: Releasing the Social Science Research Imagination (Sage 1998); see further: Nurudeen Muhammad, ‘The Legal Critical Literature Review’ 6 [2015] (1) UUMJLS 14

24 The appendix will not be counted towards the overall wordcount of the paper, see further: Section X

25 Alberto Oddenino (n 19) 31 and 36


rights to adopt measures addressing legitimate policy goals that do not comprise unnecessary, arbitrary or unjustifiable discrimination or disguised restrictions on international trade.26

The existing WTO legal framework in the form of covered agreements such as the GATT, GATS, or TBT agreements contains provisions under which cybersecurity could be potentially regulated, such as “security exceptions”27 or as “TRs,” “standards,” or under “CAPs”.28 These WTO agreements were identified through the literature review as having provisions that could address cybersecurity. However, the existing agreements have been criticized as being outdated and obscure,29 thereby being unable to adequately address cybersecurity. Moreover, given that there is no single source which comprehensively clarifies what the CMCs of WTO members are, determining whether these agreements could, and should, justify or regulate CMCs becomes even more difficult. To address the aforementioned research gap, and clarify the current status quo of cybersecurity within WTO law, this thesis will answer the following research question: could the WTO’s existing covered agreements provide a potential legal framework by either justifying or regulating CMCs of WTO members, and, based on these findings, should these agreements actually do so?

c. Structure of the thesis

To address the research question, the thesis is structured in the following manner. Section II addresses methodology which explains how the research was conducted, followed by Section III, which provides an overview of the methods of treaty interpretation. Section IV showcases the national cybersecurity laws and regulations as well as CMCs of selected WTO Members. These are summarized in comparative tables. Based on these results, Section V contains the legal assessment of whether the selected agreements could provide a legal framework for either justifying or regulating CMCs. Section VI, in light of the findings in Section V, explains whether the selected agreements should provide a potential legal framework for either justifying or regulating CMCs. The conclusion, Section VII, contains a summary of the findings.

26 International Centre for Trade and Sustainable Development and the World Economic Forum, The E15 initiative: Strengthening the global trade and investment system for sustainable development (Overview Paper: E15 Expert Group on the Digital Economy) Executive Summary 1

27 GATT Article XXI: security exceptions, GATS Article XIV bis: security exceptions, see further: General Agreement on Tariffs and Trade [1948] and General Agreement on Trade in Services [1995]

28 Article 2 Technical Barriers to Trade Agreement [1995]

29 Ji Yeong Yoo & Dukgeun Ahn, ‘Security Exceptions in the WTO System: Bridge or Bottle-Neck for Trade and Security?’ [2016] Journal of International Economic Law 418


II. METHODOLOGY

To answer the aforementioned research question in Section I (b), the research is divided into three main steps.

a. Step 1) Determining the correct interpretative approach of the treaties

Before being able to assess the identified CMCs, it is necessary to determine how the covered agreements should be interpreted. The methods of interpretation relevant for this thesis are considered in light of Articles 31 to 33 of the Vienna Convention on the Law of the Treaties (VCLT) on treaty interpretation. There are two such methods, which are used in WTO jurisprudence:30 original and evolutionary treaty interpretation. This section provides an overview of treaty interpretation to determine how these older WTO agreements could be read in light of existing present-day issues (i.e. CMCs), which may not have been initially envisaged by drafters.

b. Step 2) Determining the relevant aspects of CMCs of WTO members

CMCs are adopted to regulate areas of “concern,” which include, for example, data protection. The concerns are addressed using specific “measures” taken by members, such as data localization requirements. Concerns are the cybersecurity-related reasons for which a member adopts a measure. It is pertinent to draw this distinction because members may take measures that diverge from these initial goals, even though they may collectively agree on similar concerns.

To establish the concerns and show examples of measures adopted under the scope of these concerns, this section includes a comparative case-study using three WTO members’ cybersecurity laws. The thesis relied directly on the definitions of the CMCs provided for by the members themselves. The findings are summarized in a brief comparative table. This case-study does not include all the measures, just a sample of the most prominent ones to be used as examples. The most significant concerns are chosen for each selected member by: i) identifying what each country intends to protect, ii) isolating their cybersecurity laws and

30 For example, when deciding upon the meaning of the phrase “exhaustible natural resources,” the Appellate Body in US-Shrimp had to pick between the prevailing meaning in 1947 (when the GATT was promulgated) or that in 1998 (the time of the dispute). See further: Appellate Body Report, US-Shrimp, paras 130-131. See further: the WTO’s Analytical Index: DSU Article 3 – Jurisprudence: World trade organization, ‘WTO Analytical Index: DSU Article 3 – Jurisprudence’ (Wto.org, 26 March 2020)


regulations and iii) examining other sources such as their national cybersecurity strategies, journal articles and official websites.

The selected members are the USA, China and the EU due to their economic influence within the realm of international trade and differing approaches to cybersecurity governance. Moreover, these members were the most vocal and active during the TBT Committee Meeting in 2017. Their input is used in the analysis of the CMCs against the covered agreements, in a comparative and qualitative manner. The analysis is conducted from the perspective of the state. Given that ITL functions on an inter-state level and since member governments of the WTO are the only actors that have access to the dispute settlement system of the WTO,31 private stakeholders were excluded.32

c. Step 3) Evaluating the identified CMCs, using the identified method of treaty interpretation, against the selected WTO’s covered agreements to determine the could part of the research question

The thesis examines the identified CMCs of the selected members from the perspective of selected WTO agreements, based on the identified method of treaty interpretation (evolutionary interpretation). The provisions stem from: 1) the GATT and GATS and 2) the TBT. A descriptive overview is provided, followed by an assessment of whether the identified CMCs could be correctly regulated under the respective approaches. These agreements are selected because the GATT and GATS are examples of approaches where CMCs could be justified under the “security exceptions” (worded in the same manner except the former refers to goods while the latter refers to services) while under the TBT, CMCs could be classified, and therefore regulated, as TRs, standards, or CAPs. The TRIPS is excluded because its security exception provision (Article 73 TRIPS) employs a similarly worded framework of exceptions like the GATT and GATS security exception provisions, rendering similar results.33 This prevents the scope of the research from becoming too broad. The TBT is selected because it does not have a separate exceptions clause and therefore provides a different legal framework under

31 World trade organization, 'Introduction to the WTO dispute settlement system' (Wto.org, 2020) <https://www.wto.org/english/tratop_e/dispu_e/disp_settlement_cbt_e/c1s4p1_e.htm> accessed 16 February 2020

32 “Since only WTO member governments can bring disputes, it follows that private individuals or companies do not have direct access to the dispute settlement system, even if they may often be the ones (as exporters or importers) most directly and adversely affected by the measures violating the WTO agreement,” see further: Ibidem


which CMCs could be addressed.34 The GATT, and specifically its general exception provision (Article XX), is also excluded because this thesis will focus on exploring whether cybersecurity could be framed as a non-trade related issue within the scope of “national security,” which relates directly to the security exception provisions. This choice falls in line with the DSB’s increasing trend and recent decision in Saudi Arabia – Measures Concerning the Protection of Intellectual Property Rights to treat non-trade related issues (specifically the protection of intellectual property rights under Article 73 TRIPS) as national security.35

The analysis is comparative since different legal approaches are examined, and evaluative, since the approaches are assessed against the identified CMCs. This thesis employs a traditional legal dogmatic methodology, which consists of a methodological explanation of principles, rules and concepts that govern a certain legal field which resolves the gaps within the understanding of existing law.36 This methodology has been used in academic legal scholarship to describe existing law in a certain field.37

d. Step 4) Based on the findings of the could part of the research question, determine the should part of the research question

The should part of the research question is the normative goal of the thesis. The findings in the analysis of the could part of the research question, which forms the main and larger part of the thesis, are used as a basis to answer the should part of the research question. Based on whether or not the findings reveal that CMCs could be either justified or regulated by one or more of the selected agreements, the thesis can then derive either positively or negatively whether the selected agreements should provide a potential legal framework.

III. RELEVANT METHOD OF TREATY INTERPRETATION

Before assessing the existing WTO provisions, it is necessary to determine the correct method of treaty interpretation for assessing the selected provisions from the covered WTO agreements. This thesis bases its selected method of interpretation on the methods used

34 “Although the term “essential security interests” or “national security” has consistently appeared in the Preamble, Articles 2.2, 2.10, 5.4 and 10.8.3 of the TBT Agreement, this article does not consider TBT relevant provisions as “typical” security exceptions,” see further: footnote 41 in Shin-yi Peng (n 4) 475

35 Panel Report, Saudi Arabia-Measures Concerning the Protection of Intellectual Property Rights, WT/DS567/R [2006] para. 7.251

36 Jan M Smits, ‘What is legal doctrine? On the aims and methods of legal-dogmatic research’ [2015] Maastricht University M-EPLI 5

37 The other two main reasons are (ii) to “search for practical solutions that fit the existing system best” and (iii) to “justify the existing law whereby if a rule does not fit into a system, it is not law,” see further: Ibidem


previously by the WTO’s DSB. There are two key considerations determined in this section: i) the relevant approach of treaty interpretation based on the VCLT and ii) the relevant temporal scope of interpretation (original or evolutionary).

Firstly, the VCLT provides a general framework of treaty interpretation from Articles 31-33. Within this framework, the WTO’s DSB has a certain degree of discretion.38 Variance can be seen over time with the methods of interpretation adopted by the WTO’s DSB when early decisions are compared to more recent decisions. Article 3 (2) of the Dispute Settlement Understanding (DSU) states that, “members recognize that it serves to preserve the rights and obligations of Members under the covered agreements, and to clarify the existing provisions of those agreements in accordance with customary rules of interpretation of public international law. Recommendations and rulings of the DSB cannot add to or diminish the rights and obligations provided in the covered agreements.”39 Article 3 (2) brings in the rules of interpretation established under the VCLT within the dispute settlement system of the WTO. There are three main interpretative approaches used by the WTO’s DSB, which are based primarily on Article 31 (1) VCLT, which states that, “a treaty shall be interpreted in good faith and in accordance with the ordinary meaning to be given to the terms of the treaty in their context and in the light of its object and purpose.”40 A subsidiary means of interpretation is Article 32 VCLT, which states that “recourse may be had to supplementary means of interpretation, including the preparatory work of the treaty and the circumstances of its conclusion.”41 These three approaches are: i) the ordinary meaning of the text of the treaty, ii) the intention of the parties to the treaty, or iii) the underlying objective that the treaty seeks to attain.42 Each of the following means of interpretation is subsidiary to the application of the preceding one, meaning that adjudicators will not look at supplementary means before the ordinary meaning in light of the object and context.43 According to the first approach, the most

38 Joost Paulwelyn & Manfred Elsig, ‘The politics of treaty interpretation: variations and explanations across tribunals’ [2011] SSRN 7

39 Article 3 (2) Dispute Settlement Understanding [1995]

40 Article 31 (1) Vienna Convention on the Law of the Treaties [1969]

41 Ibid Article 32

42 Joost Paulwelyn & Manfred Elsig (n 38) 8

43 It should be noted that even though adjudicators won’t look at supplementary means before the ordinary meaning in light of the object and context, they sometimes do so in practice. For example, “In EC-Bananas III...the Appellate Body assigned some interpretative value to the statements at DSB meetings in the event that the text of the treaty to which the statements relate is unclear.” However, the Appellate Body in that case added that “in any such event, such statements could only have ‘limited relevance’ or ‘at best, slight evidentiary value.’” See further: Appellate Body Report, EC-Bananas III, WT/DS27/98 [2012] para. 16 and Isabelle van Damme, Treaty Interpretation by the WTO Appellate Body: International Economic Law Series (Oxford University Press, 2009)


objective method of finding intent would be to focus on the treaty text itself.44 The second approach goes beyond the text, touching upon the substantive intentions of the parties by looking at the travaux préparatoires.45 The third approach centers on the underlying objectives of the drafters of the treaty, which is also known as the teleological approach.46

It is essential to determine which of these approaches is most commonly used by the WTO’s DSB, so that this thesis can be guided in a similar manner. The first approach will usually look at the “ordinary meaning” of the words by referring to dictionary definitions and common understandings of words. The Appellate Body held in EC-Chicken Cuts that “dictionaries are a useful starting point” for the analysis of the “ordinary meaning” of a treaty term, but they are not necessarily dispositive. The ordinary meaning of a treaty term must be seen in light of the intention of the parties “as expressed in the words used by them against the light of the surrounding circumstances.”47 In the recent Appellate Body report in PM v Australia, the WTO’s DSB supported a text-based interpretation. It concerned a provision of an agreement (the Doha Declaration) which constituted a “’subsequent agreement’ of members within the meaning of Article 31(1)(a)” VCLT. The Appellate Body recalled that the Panels correctly stated that “this agreement (the Doha Declaration) …confirms the manner in which ‘each provision’ of the TRIPS Agreement must be interpreted.”48 Hence, additional agreements can also assist in interpreting provisions of the WTO covered agreements. The second approach is narrower because it focuses on the group of drafters actually involved in the treaty-making process. There is an element of subjectivity, based on the shared expectations and values of the drafters.49 This has been criticized as allowing adjudicators to interpret the text in light of the preferences of the most powerful actors.50 The third approach goes beyond what was included by the original state parties to the treaty to include value-based ideas.51 Such a value-based normative approach risks the most fragmentation. The Appellate Body in US-Shrimp stated, “a treaty interpreter must begin with, and focus upon, the text of the particular provision to be interpreted. It is in the words constituting that provision, read in their context, that the object and purpose of the parties to the treaty must first be sought. Where the meaning imparted by the text itself is equivocal or inconclusive, or where confirmation of the correctness of the reading of the text itself is desired, light from the object and purpose of the treaty as a whole may usefully be sought.”52 Hence, the WTO’s DSB, when interpreting the GATT, employs a more objective text-based interpretation53 rather than relying heavily on the travaux préparatoires. For example, the Appellate Body stated in EC-Fasteners (China) that “we…do not need to have recourse to supplementary means of interpretation under Article 32 of the Vienna Convention.”54 This thesis similarly employs a text-based interpretation of the selected provisions, referring to the ordinary meaning of the text of the treaty.

44 Alexander Fachiri, ‘Interpretation of Treaties’ [1929] 23 American Journal of Law 819; see further: Ibid ft 43

45 Hersch Lauterpacht, ‘De l’interprétation des traités’ [1950] 43 Annuaire de l’Institut de Droit international 366; see further: Ibid ft 42

46 Luigi Crema, ‘Disappearance and New Sightings of Restrictive Interpretation (s)’ [2010] 21 European Journal of International Law 618; see further: Ibid ft 42

47 Appellate Body Report, EC-Chicken Cuts, WT/DS269/16 [2006] paras. 175–176

48 Appellate Body Report, PM v Australia, WT/DS435/AB/R [2020] para. 6.626

49 Ibid ft 42

50 “For example, relying on the negotiating history of the Marrakesh Agreement has been said to yield more statements by the United States, the EU or Canada than Malawi, Oman or Taiwan who only joined after 1948 when the WTO was established,” see further: Ibidem

Secondly, another interpretive issue concerns timing. Since the VCLT is silent on the issue of timing, previous decisions of the WTO’s DSB will be consulted. In more recent cases, the WTO’s DSB has employed an evolutionary method of interpretation, meaning that it interpreted certain words within the provisions of the existing WTO covered agreements as understood at the time the dispute is addressed by the judicial body. In US-Shrimp, the Appellate Body concluded that the meaning of “exhaustible natural resources” in Article XX(g) GATT is not confined to non-living resources when determining whether sea turtles could qualify under this definition. It stated that, “from the perspective embodied in the preamble of the WTO Agreement, we note that the generic term 'natural resources' in Article XX(g) is not 'static' in its content or reference but is rather 'by definition, evolutionary'” and further added that “given the recent acknowledgement by the international community of the importance of…action to protect living natural resources…may be read as referring only to the conservation of exhaustible mineral or other non-living natural resources.”55 The Appellate Body in this case adopted an evolutionary approach because it expanded the definition of “exhaustible natural resource” to encompass a resource that is of concern to WTO members in the present day. In China – Publications and Audiovisual Products, the Appellate Body rejected China's argument that the Panel should have relied on the meaning of "sound recording" and "distribution" at the time of China's accession to the WTO in 2001, and was not persuaded that the meaning of the terms had changed between 2001 and the time of the dispute (2009).56 The Panel in India-Solar Cells distinguished between permissible and impermissible forms of evolutionary interpretation with respect to the term “short supply” in Article XX(j) GATT and stated that “it would not be open to a treaty interpreter to change the applicable legal standard for what it means to be a 'product in general or local short supply' in the name of 'evolutionary interpretation' or ensuring that there would continue to be factual circumstances triggering the application of this provision.”57 The Panel rejected changing the original meaning of the words “short supply” because it had not evolved enough in light of present-day factors such as globalization.

52 Appellate Body Report, US-Shrimp, WT/DS343/16 [2008] para. 114

53 Joost Pauwelyn & Manfred Elsig (n 38) 10

54 EC-Fasteners (China), paras. 352 - 353

55 US-Shrimp (n 52) paras. 130-131

56 Appellate Body Report, China-Publications and Audiovisual Products, WT/DS363/19 [2010] para. 396; see further the WTO’s Analytical Index: DSU Article 3 – Jurisprudence: World Trade Organization, ‘WTO Analytical Index: DSU Article 3 – Jurisprudence’ (Wto.org, 26 March 2020)

Hence, this thesis employs a text-based interpretation of the selected provisions, referring to the ordinary meaning of the text of the treaty, and assesses the selected articles of the agreements in an evolutionary manner. This is because CMCs are a phenomenon not envisaged by the original drafters of the GATT, GATS and TBT.

IV. CMCs OF SELECTED WTO MEMBERS

a. Cybersecurity laws and regulations

Cybersecurity is a broad term that encompasses many different technical aspects, stretching from the mathematical definition of a cryptographic algorithm to the specification of security features in a web browser.58 The ambiguity of the term is exacerbated by the lack of international laws which map out the meaning of cybersecurity. So-called “international fragmentation” has been identified as one of the most significant challenges making it difficult for the public sector to effectively address cybersecurity issues.59 Differences in policies and legal enforcement across jurisdictional boundaries render it problematic to effectively prevent, investigate and prosecute cybersecurity incidents.60 To shed light on these differences, Table 1 below maps out the national laws and cybersecurity approaches of the USA, China and the EU.

Table 1. Cybersecurity Laws of selected WTO Members

Columns: Selected WTO member state; Selected national laws; Description; Approaches to cybersecurity

Selected WTO member state: United States of America

Selected national laws:

Most comprehensive and newest:
- The Cybersecurity and Infrastructure Security Agency Act 2018
- The Clarifying Lawful Overseas Use of Data Act 2018

Other relevant laws:
- US Cybersecurity Enhancement Act 2014
- The Counterfeit Access Device and Computer Fraud and Abuse Act 1984
- The Electronic Communications Privacy Act 1986
- The Computer Security Act 1987
- The Paperwork Reduction Act 1995
- The Clinger-Cohen Act 1996
- The Homeland Security Act 2002
- The Cyber Security Research and Development Act 2002
- The E-Government Act 2002
- The Federal Information Security Management Act 2002
- Presidential Policy Directive 21: Critical Infrastructure Security and Resilience 2013
- National Cybersecurity Strategy 2018

Description: The USA has several laws on both a federal and state level which impose security requirements. From a federal perspective, there are around 50 statutes addressing various aspects of cybersecurity directly or indirectly, but there is no overarching framework legislation in place. At the federal level, the most prominent and recent law adopted was that establishing the Cybersecurity and Infrastructure Security Agency (CISA), which has been established to defend the national security of the USA against cyberattacks and is designed to work with the federal government to provide cybersecurity tools. The most notable acts were listed based on a study conducted by the Congressional Research Service for Congress; however, some have been revised or are in the process of being updated.

Approach to cybersecurity: Fragmented approach of federal and state laws

Selected WTO member state: China

Selected national laws:

Most comprehensive:
- Cybersecurity Law of the People’s Republic of China 2017

Other relevant laws (newest):
- Encryption Law of the People’s Republic of China 2019

Description: China is one of the first countries to adopt a fully-fledged cybersecurity law, which reflects the broader global trend to regulate cyber activities and counter threats which may affect public security. Its purpose was to bring China in line with global best practices for security. However, there are growing “western” concerns, since this law has also been designed to exert jurisdictional control over data and content generated in China, meaning that “within Chinese territory, the Internet is under the sovereignty of China.” Moreover, as of 1 January 2020, China has adopted a new encryption (or cryptography) law, which encourages the commercial development of encryption, but not in a way that harms state security and the public interest.

Approach to cybersecurity: Uniform overarching approach through the cybersecurity law

Selected WTO member state: European Union

Selected national laws:

Most comprehensive:
- Directive on security of network and information systems (NIS Directive)

Other EU initiatives:
- EU Cybersecurity Act (Regulation (EU) 2019/881 of April 17, 2019)
- EU Cybersecurity Strategy
- General Data Protection Regulation (GDPR) 2018

Description: The EU recently, in mid 2019, adopted a new Cybersecurity Act. This regulation maps out the mandate for the EU Agency for Cybersecurity (ENISA) and establishes an EU-wide cybersecurity certification framework for digital products, services and processes. The GDPR is a separate piece of EU legislation which establishes a privacy and data protection regime in the EU.

Approach to cybersecurity: Cohesive supranational EU-wide approach to ensure the Digital Single Market

57 Panel Report, India-Solar Cells, WT/DS456/20 [2018] paras. 7.232-7.233

58 William Stallings, ‘Standards for Information Security Management’, [2007] 10 Internet Protocol Journal 10

59 World Economic Forum, ‘Global Agenda Council on Cybersecurity’ [2016] White paper 4

The identified cybersecurity laws exemplify that each Member has a different cybersecurity governance approach. The USA has a fragmented approach because governance is split between the federal and state levels. The federal regulator’s task is complex, since it must secure both federal systems and fulfill the appropriate federal role in protecting the individual states themselves.61 The USA’s federal government is currently not structured in a way that would adequately address this growing problem, since responsibilities are distributed across a wide array of federal departments and agencies, with overlapping authorities resulting in discrepancies.62 This issue stems from the US’s system of federalized governance itself, which results in complexity and overlap between the jurisdictions and competences of the states and the federal government.63 Since numerous areas of public law governance overlap between the state and federal governments, there is no unitary system containing a clear set of policies and social priorities, and this likely also holds for cybersecurity governance.

However, this may change with the US’s newly established Cybersecurity and Infrastructure Security Agency (CISA), which is the nation’s risk advisor and builds national capacity to defend against cyber incidents,64 as well as with the increasing trend of classifying cybersecurity as a policy area that is part of national security.65 China has a uniform overarching approach to cybersecurity due to its fully-fledged cybersecurity law. However, compliance with this act is not straightforward, since the Chinese legislative enforcement style creates confusion and misunderstandings.66 Foreign businesses in particular believe that this law may erode internet freedom in China and may not effectively enhance China’s current level of cybersecurity, because it instead facilitates government censorship and surveillance.67 Moreover, the manner in which the protection of personal information is guaranteed has also been criticized: even though individuals enjoy some degree of human rights protection regarding the treatment of personal information, those rights do not effectively protect them from government action.68 The EU, on a supranational level, governs cybersecurity through a directive that aims to ensure the security of network and information systems69 alongside the General Data Protection Regulation (GDPR), which regulates the protection of personal data.70 With the updated mandate for ENISA, fulfilment of the requirements under the Directive on Security of Network and Information Systems (NIS Directive) could be better ensured, especially since ENISA assists EU member states in addressing common cybersecurity issues by implementing common approaches and procedures.71 However, there are hurdles that have to be overcome during the implementation of the directive’s obligations into national law, especially since there are, taken as a whole, 27 different methods of regulating the protection of critical infrastructures (CI).72 National security remains the sole responsibility of each member state,73 which adds to the further fragmentation of cybersecurity governance in the EU. Transnational operators of CI who must comply simultaneously with several divergent national cybersecurity frameworks can also face challenges.74 These different approaches to cybersecurity should be kept in mind when assessing the CMCs (see Section IV (b) below) against the existing agreements in Section V.

61 Ibid ft 54

62 International Business Publications USA, US National Cyber Security and Programs Handbook Volume 1 Strategic Information and Developments (Lulu, 2013) 125

64 US Department of Homeland Security, ‘About CISA’ (Cisa.gov, 28 March 2020) <https://www.cisa.gov/about-cisa> accessed 28 March 2020

65 See further the USA’s National Cyber Strategy of September 2018

66 Reed Smith, ‘China’s Cybersecurity Law’ [2019] 1

67 Emilio Iasiello, ‘China’s Cyber Initiatives Counter International Pressure’ 10 [2017] 1 Strategic Security 8

68 Jyh-An Lee, ‘Hacking into China’s Cybersecurity Law’ [2018] 53 Wake Forest Law Review 57

69 European Commission, ‘The Directive on security of network and information systems (NIS Directive)’ (Ec.europa.eu, 15 July 2019) <https://ec.europa.eu/digital-single-market/en/network-and-information-security-nis-directive> accessed 28 March 2020

70 The GDPR is a regulation which, pursuant to Article 1 (1) and (2) “lays down rules relating to the protection of natural persons with regard to the processing of personal data and rules relating to the free movement of personal data” and which “protects fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data,” see further: General Data Protection Regulation [2018] OJ 2 119/1

71 European Union Agency for Cybersecurity, ‘NIS Directive’ (Enisa.europa.eu, 28 March 2020) <https://www.enisa.europa.eu/topics/nis-directive> accessed 28 March 2020

72 KPMG, ‘Complying with the European NIS Directive: Cybersecurity for critical infrastructures’ [2019] 3

73 Article 4 Treaty on the European Union [1992] OJ 1 326/13/4

b. CMCs

Based on the findings in Table 1, Table 2 summarizes the CMCs based on an inquiry into the respective national policies of the selected members, displaying their cybersecurity concerns (rationales) and the specific measures (actions) taken to ensure the fulfilment of these concerns. The national laws and regulations used to compile this table are based on the primary sources identified in Table 1 (see Section IV (a)).

Table 2. Identified Cybersecurity Concerns and Measures Selected WTO

Member

Identified Concern Identified measures for fulfilling the concern

1. United States of America

1.1 National security

protection - cyberattacks and collaborate with the federal government to provide cybersecurity tools, incident Ensured through the creation of CISA which builds the national capacity to defend against response services and assessment capabilities to safeguard “.gov” networks

1.2. Protecting Critical

Infrastructure (CI) - CI is classified into sectors where each sector has a designated sector specific agency (some with cross-sector responsibilities). These include chemical, commercial facilities, communication, critical manufacturing, energy, defense industrial base, food and agriculture, etc.

- Framework process: 1) identify, protect, detect, and respond 2) create a profile which describes an entity’s current and target cybersecurity status 3) implementation tiers

- CISA facilitates Critical Infrastructure Vulnerability Assessments

- The National Infrastructure Protection Plan provides for an integrated collaboration between the government and private sector participants in the CI community to manage risks

1.3. Data breaches and data security (both private sector and government agencies)

- No federal level measures available yet for the use and collection of personal information but congress has held hearings to examine individual instances of breaches and encourage the breached entities to assist those whose data has been compromised

- Some states have introduced legislation certain elements on data breaches, such as securing sensitive data, data breach notification requirements and what responsibilities entities have with respect to those whose data has been breached

- The federal level has regulated aspects of overseas use of data where there should be mandatory disclosure of data regardless of its location

- Communication service providers (CSPs) must i) exercise possession, custody or control over data and ii) the concerned data requested by the US law enforcement authorities must be linked to a serious crime

1.4. Education and training - National Initiative for Cybersecurity Education (NICE) is a federal coordinating body for regional

cybersecurity education, training and workforce development and which also provides a standard vocabulary.

- The federal effort in cybersecurity education, training and workforce development has not been comprehensively inventoried

- Activities include cybersecurity awareness, summer camps, student competitions and professional development for federal personnel in specialized cybersecurity positions

- CISA provides training such as independent study courses, sector specific, interagency security, counter improvised explosive device training and awareness, active shooter preparedness workshops, etc.

1.5. Encryption - Technological companies could be held liable for illegal content uploaded by their users which may

weaken end-to-end encryption - No known general encryption laws

1.6. Information sharing -CISA supports information sharing, which is a vital resource for CI security. It takes steps to facilitate public-private sector sharing of information including procedures for sharing classified information, protections for security, privacy, non-disclosure, exemptions from liability and anti-trust actions for covered activities and limitations on the uses of shared information by both public and private entities

- There are various frameworks which assist with the sharing of information between the federal government and the private sector such as the Critical Infrastructure Information Sharing Network

1.7. Cyber insurance - Business tax credits are available for the purchase of “data breach insurance”

(20)

Georgia-Cristiana Cozac (12272760)

Master Thesis LLM: 12 ECTS 20

- Compliance with the National Institute of Standards and Technology is necessary in order to be eligible for such tax credit

1.8. International trade -Dialogues with bilateral partners (China, India, EU) with a focus on cybersecurity by creating treaties

with contain and clarify digital trade rules and barriers more explicitly (e.g. the Trans-Pacific Partnership – which contained enforceable commitments to combat cyber theft of trade secrets and localization barriers)

- There is currently no specific national legislation on US trade policy that aligns digital trade and cybersecurity from with global norms. Proposed ideas for measures include the imposition of sanctions in order to respond to cybersecurity threats to US trade and businesses

1.9. The Internet of Things

(IoT) -develop a list of Federal agencies with jurisdiction over entities in the industry with a description of Proposed measures on regulating the IoT such as: 1) conducting a study on the IoT in order to such entities and 2) the creation of a voluntary labelling and grading system for IoT devices where products may be given grades that display the extent to which a product meets industry cyber and data security benchmarks

1.10. Oversight of federal agency information technology security (FISMA)

-Federal agencies shall be responsible for providing security protections with the risk resulting from unauthorized access, use, disclosure, disruption, modification or destruction of information collected by or behalf of the agency and information systems used or operated by an agency

- Specific roles and bodies: 1) senior officials must oversee the management and security of agency information security 2) Chief Information Security Officer (CIO) in the financial management of planning, programming and execution of IT acquisitions 3) Office of Management and Budget to report to congress on the net performance of capital investments and provide additional reports to congress on the adoption of security technologies by federal agencies

1.11. Incident Response - There are certain responsibilities and requirements of coordination between federal agencies

whereby: 1) response is a shared responsibility among the victims, private sector and government 2) responses must be risk-based to determine the necessary resources 3) any response must respect the affected entities and require effort across federal agencies and 4) any response should be done in a manner that enables restoration and recovery of operations to the victim, not just retaliation against the hacker (hence, the response should be aimed at both the victim and the hacker)

2. China 2.1. National security

protection - CI operators purchasing network products and services that may impact national security shall undergo a national security review organized by the state to ensure these are secure and controllable - Network Operators ensure national security by providing technical support and assistance to public security organs and national security organs that are safeguarding national security and investigating criminal activities in accordance with the law

2.2. Critical information

infrastructure (CII) - may capture any companies providing services or operating business through a computer network Operators of critical information infrastructure (including owners and service providers of networks) -Scope of CII is broad, including companies in critical sectors such as radio, television, energy, transport, water conservancy, finance and public service and CII that will result in serious damage to state security, the national economy and the people’s livelihood and public interest if destroyed, loses function or encounters data leakage.

2.3. Protection of personal

information - Personal data and important state data collected or generated by CII operators must be stored in China, including Network Operators (data localization requirements) -Security assessments by the Chinese authorities substantively would potentially include a 2 step test: 1) whether the transfer is lawful, legitimate and necessary 2) evaluate the risks associated with the transfer by examining the nature of the data being transferred and the likelihood of security breaches including the impact of such breaches

- Network operators must 1) maintain the confidentiality of collected information and establish user information protection systems, abiding by the rules of propriety, legality and necessity and 2) not disclose, tamper with or destroy personal information they gather without the owner’s consent - See further the “security of network operators”

2.4. Security of network

operators - appropriate technological measures 4) establish a complaint-reporting procedure Network Security: 1) designate security personnel 2) implement security protocols 3) adopt - Personal Data Protection: 1) obtain consent before collecting personal data 2) give notice by explicitly stating the purpose, means and scope of the collection and use of personal information 3) breach notification to affected individuals 4) data access in terms of deleting or amending data on user’s request

- Content Monitoring: 1) monitor content published by users 2) remove illegal user content 4) record and report unlawful content

2.5. Security requirements for

enterprises and institutions - Certification for critical cybersecurity products to ensure that they are sold only after receiving such a certificate - Risk assessments and testing of cybersecurity products

2.6. Encryption - When a cryptography product or technology qualifies as a state secret, the companies or institutions

related to said products or technologies undergo very strict supervision

- Local authorities should include encryption in economic and social development plans and fiscal budgets

- Commercial encryption must pass checks and obtain certifications if they involve national security and public interest

2.7. Legal liabilities for

non-compliance - Enterprises and organizations which violate the obligations in the cybersecurity law may face fines of RMB 50 000 and 500 000 - Where the circumstances are serious there may be detention of between 5 and 15 days and may levy a fine of between 100 000 and 1 000 000 RMB

3. European Union

3.1. Achieve a common level of security of network and information systems

- Each member shall adopt a national strategy on the security of network and information systems defining the strategic objectives and appropriate policies by 1) maintaining a high level of security 2) establishing a governance framework with the roles and responsibilities of governments 3) identifying measures for preparedness, response and recovery and cooperation between the public and private sectors 4) creating education, awareness-raising and training programs 5) creating research and development plans 6) establishing risk assessment plans for identifying risks 7) clarify the various actors involved for implementing the strategy

(21)

Georgia-Cristiana Cozac (12272760)

Master Thesis LLM: 12 ECTS 21

3.2. Cooperation between

Member States - ENISA works closely with other EU member states by providing advice and solutions related to cybersecurity, supports policy implementation, and coordinates standardization activities. - Ensure Member State’s preparedness by requiring them to be appropriately equipped by establishing a Computer Security Incident Response Team (CSIRT) and a competent national NIS authority - Set up a cooperation group that supports and facilitates strategic cooperation and the exchange of information among Member States and a CSIRT Network to promote swift and effective operational cooperation on specific cybersecurity incidents and sharing information on risks

- Establish a culture of security across sectors that are vital for the economy and society which heavily rely on ICTs, such as energy, transport, water, banking, financial market infrastructures, etc. (In other words: CI). Businesses were identified by member states as operators of essential services and must comply with new security and notification measures

3.3. Security of the network and information systems of operators of essential services

- Operators of essential services shall undertake appropriate and proportionate technical and organizational measures to manage risks and minimize the impact of incidents

- Operators should notify the competent authority or CSIRT of incidents having a significant impact on the continuity of essential services and inform them of the number of users affected by the disruption service, the duration of the incident and the geographical area.

- Member should also ensure that the competent authorities have the means to require the competent authorities to provide 1) the information necessary to assess the security of their network and 2) evidence of the effective implementation of security policies through a security audit

3.4. Security of the network and information systems of digital service providers

- ENISA creates cybersecurity standards and establishes an EU-wide cybersecurity certification framework for digital products, services and processes

- Digital service providers should identify and take appropriate and proportionate technical and organizational measures to manage risks and minimize the impact of incidents, taking into account the security of systems and facilities, incident handling, business continuity management, monitoring, audit and testing and compliance with international standards

- Digital service providers should notify the competent authority or CSIRT of incidents having a significant impact on the continuity of essential services and inform them of the number of users affected by the disruption service, the duration of the incident and the geographical area.

3.5. Data protection - Generally, a controller or processor should implement appropriate technical and organizational

measures to ensure a level of security appropriate to the risk such as: i) pseudonymization and encryption of personal data ii) ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services, iii) ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident and iv) a process for regularly testing, assessing and evaluating the effectiveness of these measures.

- To avoid personal data being compromised because of incidents, competent authorities and data protection authorities should cooperate and exchange information on all relevant matters to tackle any personal data breaches resulting from incidents

3.6. Safeguard national security

- Measures applied through the directive are without prejudice to the actions taken by member states to safeguard their essential state functions (specifically national security), including actions protecting information where the disclosure of such information would be contrary to the essential interests of their security, maintaining law and order, and allowing for the investigation, detection and prosecution of criminal offences

Each WTO member has some overlapping concerns, such as national security (concerns 1.1, 2.1 and 3.6), but these were addressed using different measures (see, for example, the measures in 1.1, 2.1 and 3.6). The differences in cybersecurity measures are likely a result of their different approaches to cybersecurity governance: fragmented, uniform and supranational respectively. On the one hand, the USA and the EU face a similar challenge in that the US states and the EU member states themselves take different approaches to cybersecurity governance at the national level, which the federal and supranational levels respectively attempt to harmonize. China, on the other hand, has a uniform approach because of its centralized government.

The diverse range of cybersecurity measures found in Table 2 illustrates the potential ways in which any WTO member could adopt discriminatory or trade-restrictive measures, which go against the purpose of what the WTO intends to achieve, pursuant to the Preamble of the Agreement Establishing the WTO.75 The concerns which are found to be common to all members are summarized below in Figure 1.


Figure 1: Common Identified Concerns

1) national security protection;
2) protecting CI;
3) data protection;
4) cooperation between authorities and the appropriate governmental entity.

Figure 1 highlights the fact that no overlapping concern is addressed using similar measures. Rather, each was addressed using a range of different measures. For this reason, no summary of common identified measures is included below. There are some common trends in the measures taken to address different concerns, such as some members having an authority which regulates the management of cybersecurity activities at the state and federal/EU level, for example CISA in the USA and the national Computer Security Incident Response Teams (CSIRTs) in the EU. However, even though members may have similar concerns, they may address these using potentially controversial measures. For example, the data localization requirements in China (measure 2.3), intended to ensure the protection of personal information, were a source of contention for other WTO members, as will be seen in Section V. Based on the TBT Committee meetings on the topic of cybersecurity, certain members such as the USA criticized aspects of China's cybersecurity law and urged China to adopt the relevant measures in a non-discriminatory manner.76 The inquiry into these CMCs revealed a fairly diverse spectrum of concerns which were regulated at the national level using different measures, but which also illustrated some of the commonalities between the concerns and measures.

V. FINDINGS: COULD THE SELECTED AGREEMENTS PROVIDE A POTENTIAL LEGAL FRAMEWORK?

a. GATT and GATS: “the security exceptions”

The GATT aims to eliminate discrimination and reduce tariffs and other trade barriers with respect to trade in goods.77 It was originally, and is today still primarily, concerned only with trade in goods.78 The GATS is inspired by the same objectives, such as ensuring non-discrimination and market access, but for trade in services. As seen in Section IV and Table 2, there is a wide range of CMCs. An evolutionary interpretation, while referring

76 Ibid, footnote 11.

77 United Nations Conference on Trade and Development, 'Dispute Settlement: World Trade Organization' (2003) 3.
