Governing cross-border data flows, trade agreements & limits

Event report

Given its importance for the digital economy, cross-border data flow is one of the main topics discussed within the framework of international free trade agreements. 

The approaches adopted by China, the USA, India, ASEAN, and the EU towards cross-border data flow differ, both in their degree of stringency and in their priorities (e.g. cybersecurity, data localisation, privacy, etc.). And while this fragmentation increases barriers to trade, harmonising them would bring risks of not respecting national interests and the different degrees of development.

The approaches towards cross-border data flow differ around the world. In China, data is classified according to its degree of importance to national interests and concepts (e.g. sovereignty, personal data protection, and security). Although China recognises the importance of the free flow of data for the digital economy, security remains an issue of concern, mainly related to outbreak data (the transfer of data from China to overseas).

There are two Chinese laws that govern cross-border data flow:

• Personal Information Protection Law, which establishes the requirements for exporting personal data overseas (security assessment, protection certification, standard contract, and other conditions stipulated by law)
• Data Security Law, which establishes a security assessment for cross-border data transfer

Such a restrictive approach is justified by China’s focus on traditional trade in goods rather than digital services. Yet, Chinese authorities are trying to strike a balance between safeguarding national security and engaging in international trade. For example, China participates in regional trade agreements such as the Regional Comprehensive Economic Partnership (RCEP), which limits data localisation requirements and provides the free flow of data, with exceptions. 

The USA, on the other hand, advocates for a free flow of data regime with limited state intervention, a position that aims to favour its strong digital services sector. The EU considers privacy a fundamental right that must permeate cross-border data flows as far as personal data is concerned. The European Court of Justice has a very strict view on this, having decided that precautionary measures contained in legal documents would not be sufficient to allow cross-border data flow from the EU to the USA.

ASEAN countries, in turn, have different domestic laws governing cross-border data flows, as well as different levels of development and digital capacities, which makes it counterproductive to try to establish a single regulation for the group. However, there are legal (e.g. the ASEAN E-Commerce Agreement) and soft law (e.g. principles and the ASEAN Data Management Framework) instruments that facilitate the flow of data within the group. 

India has a more conservative approach, which is expressed in its bilateral and multilateral positions. India provides a series of data localisation requirements and does not have an international commitment to the free flow of data. There has been an attempt to ease these restrictions through the Digital Personal Data Protection Bill, but many sectors of the economy still retain the need to localise data. Digital colonialism, the promotion of domestic industry, and national security are some of the arguments used by the Indian government to justify its approach. This discussion highlighted that India is likely to be looking at a middle ground model, which prioritises extraterritorial jurisdiction over data, as expressed in its recent position at the UN Ad Hoc Committee.

Some of the challenges, considerations, and potential areas of collaboration and cooperation between the different approaches mentioned in the discussion are given below.

• Privacy and national security will be key issues in a future global approach on cross-border data flow.
• Business needs should be included in the debate (e.g. the ASEAN E-Commerce Agreement provides a stakeholder engagement provision).
• The concept of comparability could be a possible solution, but different degrees of development and digital capacities need to be brought into the equation.
• The cross-border flow of non-personal data must be facilitated.
• African countries need to come together to strengthen their position.
• Bilateral and regional agreements are important, but minimal global rules are needed to minimise costs to businesses.
• Different transitioning periods can be alternatives to addressing the digital divide. 

By Isabella Bassani

The session in keywords