Regulating personal data: Linking different models to digital services trade

Martina F. Ferracane, Erik van der Marel 30 May 2021



Digital services and cross-border data flows are among the fastest growing components of globalisation and create great benefits for the global economy. The tradability of digital services relies heavily on the ability of companies to process and transfer data across borders, which, in turn, is affected by rules governing data. 

Among the different types of data, personal data are particularly sensitive because of concerns related to privacy and national security. At the same time, however, personal data are heavily used by businesses to offer their services. Therefore, countries are increasingly regulating this type of data, which has resulted in a fragmented landscape across the globe, and this is likely to distort markets (Peukert et al. 2020). 

Aaronson (2016) and Aaronson and Leblond (2018) illustrate how digital trade and data governance is shaped by three main players worldwide: the US, EU, and China. Gao (2018, 2019) also discusses the stark differences between China and the US in regulatory approaches in governing personal data. Other work also takes note of the differing global data governance models, such as Kimura (2020), Azmeh et al. (2019), Hodson (2018), Sen (2018), Mattoo and Meltzer (2018a, 2018b), and Meltzer (2019).  

None of these, however, try to define, measure, and classify the varying data models followed by countries across the globe, something we do based on their defining characteristics as presented in Ferracane and van der Marel (2021). In the study, we also show how some of these regulatory approaches to personal data can come at a cost for digital services trade.

Three data models

Regulations on personal data diverge widely between countries. Nonetheless, based on shared commonalities, it is possible to identify three main data models with distinctive features (Table 1). The first data model is characterised by open transfers and processing of data (open model); the second model relies on conditional transfers and data processing (conditional model); and the third model is based on controlled transfers and data processing (control model). 

Table 1 Main features of data models 


Source: Ferracane and van der Marel (2021).

The open model is distinguished by the absence of restrictions to cross-border movements of personal data, and countries applying this model tend to see privacy as a consumer right. Data transfers are either unregulated or rely on voluntary private sector standards and ex-post accountability. At the domestic level, countries implementing this model lack a comprehensive data protection framework and, therefore, data subjects have only limited rights when it comes to how their personal data is handled. 

In the conditional model, data transfers and processing are based on regulatory safeguards. Countries adopting this model take a comprehensive and fundamental rights approach to data protection with preventative regulation. For personal data transfers, certain conditions need to be fulfilled ex-ante. These include, among others, adequacy findings of the recipient country, the adoption of mandatory data protection protocols such as binding corporate rules, standard contract clauses, data subject consent requirements and codes of conduct. For data processing, this model is marked by a comprehensive regime for personal data protection with extensive data subject rights. 

The control model is more common among countries where the concept of the right to privacy is fairly recent. This model features strict conditions including bans to transfer data cross border, strong local processing requirements, and ad hoc government authorisation for data transfers. For domestic processing, this model comes with an extensive and systematic control over personal data to protect national security and public order, including indiscriminate government access to data.

Global patterns of data models

The three data models have become a reference for many other countries when defining their rules on the cross-border transfer and domestic processing of personal data. In our study, we rely on the above-described characteristics to review and systematically categorise 116 countries into one of the three models. For each country, we identify the data model followed for cross-border transfers (Figure 1) and domestic processing (Figure 2). 

Countries do not necessarily apply the same model across these two components. The majority of countries in the sample follow the same model for cross-border transfers and domestic processing, whilst around one quarter of the countries follows a different data model across the two components. For instance, Tunisia, Ivory Coast and Ukraine follow the control model for data transfers and the conditional model for domestic data processing. In a similar manner, Canada and Mexico apply the open model for data transfers and the conditional model for domestic data processing.

Figure 1 World map of data models for cross-border data flows, 2019


Figure 2 World map of data models for domestic data processing, 2019


Source: Ferracane and van der Marel (2021), WDR (2021).

For the data transfers component, 38 countries follow the open model, 66 countries follow the conditional model, and only 12 countries follow the control model. For the domestic component, the open model is followed by 29 countries, the conditional model by 75 countries, and the control model by 12 countries. Among the countries following the same framework for both data transfer and domestic data processing, the most common approach is the conditional model (61 countries), followed by the open model (26 countries), then the control model (5 countries).

Adopting a data model across countries is not necessarily linked to any development level or to technological capabilities. The three data realms are applied by countries of all sorts of income groups, except for countries following the control model for which Brunei is the only high-income country. Similarly, the three data models can be found in countries with varying technological abilities. Yet, it appears that the control model is more common among countries with a lower capacity of digital technology. 

Each data model is centred around a large economic market (Figure 3). Trade between countries sharing the open model takes place mainly across countries in North America, trade between countries sharing the conditional model is in great part driven by the EU, while trade between countries sharing the control model is guided by China. Our analysis shows that roughly 50% of digital services trade takes place between country-pairs sharing the same data model, most of which happens between countries sharing the conditional model.1

Figure 3 Bilateral trade in services and data models


Source: OECD-WTO BaTIS database. 
Note: The size of the bubble shows the level of digital services trade flows between country-pairs. Digital services are defined as telecom, computer, and information services. Only data for the largest exporters of digital services are shown. Countries are classified on the basis of the data model for cross-border data transfers. The light shaded blue bubble represents the EU area. Countries are indicated with their 3-digit ISO country code.

A descriptive examination provides a first illustration of how each data framework relates to digital services trade, but it does not tell us yet whether sharing any of the three data models between trading partners also generates higher or lower digital services flows. In other words, is sharing a similar data model associated with higher or lower levels of digital services trade, in contrast to countries following different data models? And if so, which data model accounts for higher or lower services trade correlations?

Linking digital services trade

Guided by these preliminary findings, we use a gravity model to answer these questions. Covering a large group of countries that capture the vast majority of global trade in digital services, our econometric assessment examines whether countries sharing the same data model exhibit higher or lower digital services trade compared to countries with different regulatory data models. Our conclusions are summarised in Figure 4, which plots the average coefficient results of the correlations found between sharing a specific data model and digital services trade. 

We find that sharing the open model for cross-border data transfers is positively associated with trade in digital services, whereas sharing the conditional model for domestic data processing is also positively correlated. The relation between the conditional model for cross-border transfers and trade in digital services is mixed: for digital services there is a negative correlation, whereas for digital business services the relationship turns positive. Country-pairs sharing the control model, instead, exhibit a double whammy: they show negative correlations throughout the two components of data regulation.

Figure 4 Coefficient results from the gravity model for data models and digital services trade


Source: Ferracane and van der Marel (2021). 
Notes: The dependent variable is bilateral digital services exports using the underlying gross trade data from the TiVA database. The definition for digital services trade and other details of the econometric specification and methodology can be found in Annex Table A2 of the paper.

In conclusion, therefore, regulatory fragmentation is likely to result in additional costs for firms, given that business activities need to be aligned across multiple regulatory frameworks (OECD 2021). 

Our analysis provides insights on the trade costs associated with different models for regulating personal data. Those countries that are in the process of defining their regulatory framework for personal data might want to consider how each model correlates with trade in digital services and in turn their export ability. The findings are especially relevant for developing countries, given their potential to benefit from global digital services trade thanks to the nature of the internet, which reduces the burden of distance.

The analysis shows that data models combining an open regime for cross-border data transfers with strong regulatory safeguards for domestic processing of personal data appear to be the most conducive to digital services trade. These models enable data to flow freely across border, while at the same time creating trust through safeguards on domestic processing. 

The ongoing plurilateral discussions at the WTO on electronic commerce provide an invaluable opportunity to progress towards the adoption of common standards that enable the exchange of data while protecting the privacy of citizens. The negotiators should strive to adopt an innovative, forward-looking framework for global data flows, affording adequate technical assistance and time to the countries least able to implement the rules agreed.


Aaronson, S (2016), “Solutions to the Digital Trade Imbalance”,, 7 March.

Aaronson, S and P Leblong (2018), “Another Digital Divide: The Rise of Data Realms and its Implications for the WTO”, Journal of International Economic Law 21(2): 245-272. 

Azmeh, S, C Foster and J Echavarri (2019), “The International Trade Regime and the Quest for Free Digital Trade”, International Studies Review 22(1): 1-22. 

Ferracane, M F and E van der Marel (2021), “Regulating Personal Data: Data Models and Digital Services Trade”, World Bank Policy Research Working Paper No. 9596, World Development Report 2021 Background Paper.

Gao, H S (2019), “Data Regulation with Chinese Characteristics”, SMU Centre for AI & Data Governance Research Paper No. 2019/04; Singapore Management University School of Law Research Paper No. 28/2019.

Gao, H S (2018), “Digital or Trade? The Contrasting Approaches of China and US to Digital Trade”, Journal of International Economic Law 21(2): 297-312.

Kimura, F (2020), “Developing a Policy Regime to Support the Free Flow of Data: A proposal by the T20 Task Force on Trade, Investment and Globalization”,, 7 January.

Mattoo, A and J Meltzer (2018a), “International Data Flows and Privacy: The Conflict and Its Resolution”, Journal of International Economic Law 21(4): 769-789

Mattoo, A and J Meltzer (2018b), “Resolving the Conflict between Privacy and Digital Trade”, , 23 May.

Meltzer, J (2019), “Governing Digital Trade”, World Trade Review 18(S1): S23-S48.

OECD (2021), OECD Services Trade Restrictiveness Index: Policy Trends up to 2021, OECD, Paris.  

Peukert, C, S Bechtold, M Batikas and T Kretschmer (2020), “Regulatory export and spillovers: How GDPR affects global markets for data”,, 30 September.

Sen, N (2018), “Understanding the Role of the WTO in International Data Flows: Taking the Liberalization or the Regulatory Autonomy Path?”, Journal of International Economic Law 21(2): 323-348.  

Wang, Z. (2012) “Systematic Government Access to Private-Sector Data in China”, International Data Privacy Law 2(4): 220-229.

WDR (2021), “World Development Report 2021: Data for Better Lives”, Washington DC, World Bank.


1 When looking at domestic processing, however, this picture looks more mixed for at least the open model as this component is more dominated by the conditional model across the world. 



Topics:  Industrial organisation International trade

Tags:  data, international trade, Data regulations, digital services

Max Weber Fellow, European University Institute

Senior Economist at ECIPE & Université Libre de Bruxelles (ULB)


CEPR Policy Research