If you take a photo of your dog, create a meme, and post it to social media, who has control over that data? Many jurisdictions could be involved: the software was likely created by a foreign company, as well as the social media platform. The data has been shared across borders and is now stored in the cloud, hosted by another company in a foreign land.
Nation states have long sought to protect their physical borders, but in the digital economy – where data proliferates – the boundaries are more difficult to define. Along with the rise of digital technologies, there has been a push towards digital sovereignty where nation states are seeking to put a fence around the production, storage and flow of data to assert their economic interests and bolster their cybersecurity.
The issue has implications for treasurers: cash and liquidity management, for example, is essentially data that is travelling across borders. And so are emails and Zoom calls where digital tools are facilitating the flow of data to other jurisdictions. Depending on how countries take action, the push for digital sovereignty could have implications for taxation, as well as an additional legal and compliance burden that comes with more data governance rules.
Simona Autolitano, a researcher and expert on the European Union’s digital sovereignty at the Centre for Advanced Security, Strategic and Integration Studies (CASSIS) at the University of Bonn, comments that the understanding of digital sovereignty varies from country to country. In the EU, for example, it broadly covers how different member states want to control digital data on their territory, she explains. “It’s not just about the flow of data, it’s about creating and keeping the data on their territory,” she adds.
Data is often described as the ‘new oil’, and Autolitano points out that data will be at the core of business in the future. Right now, however, many countries are missing out on the opportunities that the digital economy brings because other countries are benefitting from the flow of that data.
The EU’s economic security
According to the World Economic Forum, as of 2021, 92% of data from the West is hosted in the United States, and there are no European companies among the world’s Top 20 technology brands. Not surprisingly, the EU has taken issue with this and wants to do something about it. Back in 2021, the leaders of Denmark, Estonia, Finland and Germany wrote in an open letter, “Now is the time to be digitally sovereign. We have to foster the Digital Single Market in all its dimensions where innovation can thrive and data flow freely. We need to effectively safeguard competition and market access in a data-driven world. Critical infrastructures and technologies need to become resilient and secure.”
There are two main aspects to digital sovereignty, explains Autolitano: economic progress and security. Given the shift to the digital economy, the EU needs to ensure that it is not missing out on the opportunities of the data-driven world. For example, European companies may want to compete with US companies in cloud technology and host some of the data that Europe produces themselves. By some estimates, Amazon Web Services currently hosts about one-third of the world’s corporate data, with Microsoft and Google not far behind. In a paper by the Atlantic Council, entitled ‘Digital Sovereignty in Practice: The EU’s Push to Shape the New Global Economy’, academics Kenneth Propp and Frances Burwell explain that under the leadership of Ursula von der Leyen, the EU has been boosting its support for homegrown technology, creating various regulations for the digital economy, as well as addressing the EU’s vulnerabilities and threats from other countries.
A paper by the European Parliament states: “With a worldwide market for new digital technologies expected to reach €2.2trn by 2025, a large part of Europe’s growth potential resides in digital markets.” In line with this, the EU is asserting its digital independence and addressing concerns about the competition from other countries with innovations such as 5G, artificial intelligence, cloud computing and the internet of things, and how they are now major strategic assets for the EU economy. The EU has already invested heavily into research and development – to the tune of €80bn over seven years to 2020 – to keep the region at the forefront of such innovations.
Big Tech’s threat to sovereignty
The European Parliament paper notes that the pandemic – when reliance on digital tools grew – accelerated the issues around digital sovereignty. The topic, however, has been rumbling in the background for a number of years. One of the drivers has been the rising dominance of Big Tech – both US and Chinese companies – whose influence extends beyond national borders and the efforts of governments to claw back control over their data.
One interviewee who works in government affairs, who wished to remain anonymous, told Treasury Today that many countries have felt aggrieved to be missing out on the tax revenue while technology companies have been profiting from the data that its citizens have been producing. France is one such country that took action with a digital services tax, which was targeted at the likes of Facebook. The French government’s position was that the social media company, as an example, had been able to capture the attention of French citizens – and collect data on its user’s behaviour and preferences – and then sell those insights to multinationals, and other companies, for the purposes of advertising. However, the French government had not been benefitting from the tax revenue from this economic transaction that involved its citizens. Now that economic activity is occurring beyond the traditional national boundaries, many countries around the world have taken action to ensure their economies are structured in a way that is relevant for the digital economy.
Tax in the digital world
Collecting taxes in the old-world economy was much easier when goods and services were traded within physical borders. Now things are much more complicated. Take digital nomads, who may be a national of one country, tax resident of another, yet are working on their laptop from a beach in Thailand, selling services to another country, and receiving the income into a bank account somewhere else. This is just one of the issues of the digital economy that national governments are now grappling with.
In theory every digital transaction could be taxed, but this taken to the extreme could cripple the global economy. For example, if every time data crosses a national border it is subject to tax, imagine what would happen if nation states took protectionism to the extreme and made all emails, or Zoom calls taxable or subject to tariffs. And for treasurers, given that moving money is essentially the transfer of data, if this was subject to taxation every time it occurred across national boundaries, this could be very difficult to manage. For now, however, there has been a moratorium on e-transaction data that crosses borders, according to a digital trade expert who spoke to Treasury Today. For now, while digital trade agreements are being negotiated, it doesn’t look like that agreement will be broken, but if it is – it could wreak havoc on the way that the digital economy currently operates.
Most action has been taken in the form of digital services taxes, and there has been a shift in how governments treat companies that are selling digital goods and services from another jurisdiction. In a previous interview, Alan Lau, Partner and Head of Financial Services, Tax, KPMG in Singapore commented how there was a rising trend of seeking tax revenue for such transactions and various countries have been introducing additional taxes for foreign vendors. Singapore, for example, since 2020 has had a regime where such companies need to register under the Overseas Vendor Registration (OVR) and these rules were later extended to companies providing services from another jurisdiction whether they were digital or non-digital.
Digital sovereignty and cybersecurity
Taxation isn’t the only reason that nations have been moving to assert their independence in the digital economy. As Autolitano already noted, digital sovereignty is also about cybersecurity and there has been a growing unease that many companies, individuals and government agencies are relying on foreign companies to host their data.
Autolitano explains that government ministries – given the amount of data they have to handle – are now putting that data in the cloud, but that could be problematic if the data is held offshore. This creates vulnerabilities about who can retrieve that data and could potentially lead to national security issues if other foreign governments have access to it.
From a cybersecurity point of view, there is also the potential for criminals to access the data without a national government having any control over it. “As long as you produce digital data, it will be interesting for criminals,” says Autolitano. This is one of the reasons that many countries – such as China and Indonesia – have rules in place to store the data locally. Their moves towards data localisation on the one hand can be viewed as a prudent move for cybersecurity, although many observers criticise the approach as a form of economic protectionism.
Indonesia’s data rules
Amid the trend toward digital sovereignty, Indonesia is a notable example of a country that has taken action and moved the topic up the national agenda in recent months. For example, in August 2023, Minister of Communication and Information, Budi Arie Setiadi was quoted as saying that Indonesian data must be protected: “Financial data must be in Indonesia because our financial data is vital.” Later, in October 2023, President Joko Widodo spoke of the importance of Indonesia’s digital sovereignty: “We have to protect our digital sovereignty and really defend our local content and local goods,” he reportedly said.
Indonesia has also introduced a personal data protection (PDP) law that lays out how personal data should be handled. Gopul Shah, Director of Corporate Treasury and Structured Trade Finance at Golden Agri-Resources, which has a large presence in Indonesia, comments that the core of this law is about accountability and that organisations operating in Indonesia must be responsible for managing data. Organisations in both the public and the private sectors need to enhance their governance frameworks to ensure that personal data is protected, Shah explains. The PDP Law mostly aligns with the EU’s GDPR [General Data Protection Regulation], says Shah, which means that the transition to these rules should be less onerous for multinationals who are already compliant with the European data regulation. There will, however, be an extra legal and compliance burden to bear. For treasurers, Shah says, “Banking, financial services and treasury activities will not see much impact except enhanced cost of legal, compliance and additional processes.”
Range of trust issues
Historically, there has been a range of approaches from national governments regarding their digital trade, and how open they are to the free flow of data. While Indonesia has pushed for data localisation, there is a range of approaches that has been taken by the member countries in ASEAN [the Association of Southeast Asian Nations]. Anthony Toh Han Yang, Research Analyst at the S Rajaratnam School of International Studies, Nanyang Technical University in Singapore, previously told Treasury Today that countries like Singapore and the Philippines want a more liberalised cross-border data regime, whereas Malaysia, Vietnam, Indonesia and Cambodia have a more restrictive approach with their regulation.
When it comes to making digital trade agreements with other countries, one of the major issues is the degree to which data can flow with trust. This ‘Data Free Flow with Trust’ was a concept that was first introduced by the Japanese government, under the leadership of the then Prime Minister, Shinzo Abe. The idea is to facilitate the free flow of data while ensuring trust in privacy, security and intellectual property rights, and this has been taken up by the G7 member countries to turn the concept into reality, working on areas such as data localisation, regulatory cooperation, government access to data, and data sharing.
The European approach
The EU has already laid out its regulation for personal data with the GDPR, and is now taking the issue of digital sovereignty more seriously. In the past, it may have been correct to say that the EU was concerned with data from the perspective of human rights, and concerned about personal data and how it is handled – as is exemplified by the GDPR. Meanwhile other jurisdictions such as China were looking at data issues in terms of digital sovereignty. However, there has been a shift in the EU’s stance under the presidency of Von der Leyen. Now, many of the EU’s issues are framed in the context of geopolitics, explains Autolitano. There is a different concept of security – with a backdrop of conflicts in Ukraine and Israel, for example – and much of the EU’s narrative is framed in terms of geopolitics and the need for security.
In terms of digital sovereignty, the EU is trying to set the rules of the game, with thousands of pages of legislation, says Autolitano. One target of the rules has been the financial sector, with regulation put in place to protect the region’s financial infrastructure.
Treasury implications
Financial institutions are in the business of managing masses of sensitive data and so it is natural that they would be targeted with various rules and regulations, which will likely have an impact on the working lives of treasurers. This will become more apparent as treasuries become more and more digitalised, and treasury teams will increasingly rely on digital tools – likely produced by foreign companies – to manage their cash and liquidity. For those relying on fintech firms to assist with their digitalisation, this may create vulnerabilities if the data is not handled appropriately, points out Autolitano, and security will always be top of mind. Having said, the financial sector is well protected from cyber-attack because as an industry it has always been at the forefront of fighting cybercrime. “The financial sector is very well equipped – it has always been considered a critical sector,” says Autolitano.