Data Flows in a Modern World
Data flows are the lifeblood of trade in digital services. Despite this, a growing number of jurisdictions are restricting cross-border data flows and implementing localisation requirements, often in the name of data sovereignty. There are two facets to this issue: data localisation and data transfer regimes, which we consider below.
Data localisation means the legal requirement to keep a copy (and, in some cases, all copies) of certain types of data within a jurisdiction. It is not a new concept. For example, Russia has long required Russians' personal data to be located within Russia's borders, and China has a variety of data localisation laws (both sector-specific and general) depending on the sensitivity of the data in question. Earlier this year, the Australian Government introduced a consultation on data security and localisation proposals, again on the grounds of sovereignty and business need.
The drivers for data localisation are generally considered to fall into three groups: (i) security and oversight – ensuring local data (particularly sensitive types of data) is: (a) subject to local laws; (b) available to domestic authorities; and (c) in some cases, not available to foreign authorities; (ii) economic – stimulating the local digital economy, in some instances applied in a protectionist manner; and (iii) political – using localisation requirements to support political objectives.
However, as with arguments against trade liberalisation going back centuries, the benefits are debatable. Often, laws with other explicit objectives are de facto data localisation laws because of their practical effect. In such cases, laws can have an adverse impact on international trade, which relies on access to data.
On the horizon, upcoming data protection laws in India, the Kingdom of Saudi Arabia and Vietnam all contemplate data localisation provisions, although it is not yet clear how strict the approach will be.
Cross-border data flows
Whilst it is legitimate for one country to seek to ensure the protection of personal data exported to other countries, this can create challenges for global trade, which is heavily reliant upon cross-border data flows.
Historically, states have attempted to mitigate the perceived inherent conflict between these two objectives through legal frameworks, such as the EU-U.S. Safe Harbor and Privacy Shield frameworks, but these have been subject to legal challenge which, although not altogether prohibiting the cross-border flow of personal data, has subjected such flows to stringent conditions. The recent Schrems II ruling by the Court of Justice of the European Union confirmed that, subject to a few limited exceptions, transfers of personal data to non-"adequate" jurisdictions may only be undertaken if the data "exporter" conducts an assessment which concludes that the laws and practices in the destination country provide essentially equivalent protection of personal data to what would exist in the EU. This requirement introduces a significant administrative and cost burden on data flows. To try to restore a better balance, the U.S. federal government has recently issued an Executive Order on enhancing safeguards in relation to intelligence activities in order to give effect to its agreement in principle with the European Commission on a new Trans-Atlantic Data Privacy Framework as a 'replacement' for the invalidated EU-U.S. Privacy Shield.
The G7 countries also continue to discuss how they can strengthen their cooperation around data protection and freedom of information, including through trustworthy transfer instruments suitable to business needs, such as certification mechanisms. These are welcome developments for digital trade.
As we can see, the regulatory landscape for data transfers is complex. The OECD categorises the existing data transfer instruments and mechanisms into four categories: (i) unilateral mechanisms; (ii) plurilateral arrangements; (iii) trade agreements and partnerships; and (iv) standard setting, private sector or technology driven initiatives.
This multitude of data transfer frameworks affects digital trade in two important ways. Firstly, compliance requires resource-intensive and costly measures to be taken in order to operate across global markets. Secondly, the current patchwork of data privacy regimes governing international data transfers creates legal complexity and uncertainty.
Ultimately, the impact on the digital economy of increased data localisation and restrictions on data transfers cannot be overstated. Data is an intangible asset, but it is an incredibly valuable one, and governments must carefully balance the need for international flow of data with domestic drivers. Enhanced global cooperation between countries is needed to determine consistent solutions that foster trust and unlock data for digital trade.