There is no doubt that data has become a critical production factor, alongside the other usual factors such as labor, capital, and land. However, data has several unique characteristics. For instance, it’s non-rivalrous, meaning it can be used by multiple entities simultaneously without diminishing its value. Also, data is non-excludable, meaning it is difficult to restrict access to it. Once data is generated, it can be shared and replicated easily. Such a characteristic calls for regulations to balance business needs with privacy protection at the personal level, and with security and other public interests, at the national level.

In the webinar on “Cross-Border Data Flows: Understanding the Evolving Policy Landscape”, we dive into cross-border data flow regulations by examining the case of the EU and China in the context of a rapidly evolving global policy landscape. Joined by distinguished panelists from both the academic and policy-making spheres, the webinar gathered discussions on challenging issues such as the future uncertainty associated with different jurisdictions rolling out different — and sometimes contradictory — models managing cross-border data transfers, driven by the diverse needs of promoting business growth, protecting privacy, and defending national security.     

Key Highlights

1. The Emergence of Diverging Data Regulation Models

• Generally, on a global scale, we can see the emergence of three different models or approaches to regulating cross-border data flows: the open model, the conditional model, and the control model.

• EU’s General Data Protection Regulation (GDPR) is one of the best examples of the conditional model. Its approach is to primarily emphasize individual’s rights and their data protection while keeping the regulatory environment as free as possible for businesses. This model is also employed by countries like Singapore, Japan, and most South American countries.

• On the freest side of the policy spectrum would be the open model. This model is employed by countries like the US, Canada, Australia, and New Zealand. It prioritizes business needs and therefore free cross-border data flows, while individual data protection is only a secondary concern.

• On the least free side of the policy spectrum be the control model, which is employed by countries like China, Russia, or Vietnam. This model prioritizes national security over both individual data rights and business needs. The requirements are more stringent for cross-border data transfers. 

• Under China’s Personal Information Protection Law (PIPL), local storage of data is required for critical information infrastructure operators, data processors handling “important data”, and data processors whose processing of personal information exceeds an amount determined by Cyberspace Administration of China (CAC).

• A country’s laws are usually shaped by its historical, political, cultural, economic, and social contexts, as well as certain harms to be addressed that arise in the particular country.

2. Striking Balance Between Economic Growth and Privacy Protection

• Data is a key production factor like land and human capital. The smooth flow of data within and across firms facilitates the seamless provision of digital services and goods, and positively contributes to the production of the economy.

• Frictions to smooth data transfers may therefore delay the provision of goods and services, and negatively affect economic output.

• Policymakers face the trade-off of safeguarding individual rights and national security while not hampering innovation and economic growth.

• As firms lack the incentive to protect consumers’ privacy, governments may need to intervene to correct the negative externality to consumers arising from firms’ over-using and over-sharing consumer data without adequate data protection procedures in place.

• However, the optimal level of governance is difficult to pin down in practice. There might be a case for a data market where consumers decide on the amount of data to be shared with businesses.  

• A negotiation among different stakeholders to find a common ground may help when designing the data regulation policy in practice.

3. Looking Ahead: Balkanization or Unified Framework?

• Beyond the legislations that individual jurisdictions put in place, international agreements must also be considered to understand the global policy landscape.

• Nowadays, it has become quite common to include clauses relating to data protection, cross-border data transfers and data localization in trade agreements.

• These can either take the form of mandatory commitments to reducing barriers to data flows such as in the CPTPP and to a lesser extent in RCEP, or of voluntary business-to-business certification or contract schemes that allow businesses to transfer data between each other – like ASEAN model contractual clauses or APEC cross-border rules.

• To facilitate data flows, it might be better to look at how bridges can be built between the different systems, instead of solely focusing on the differences/chasms between them.

By LIU, Jingting, SENGSTSCHMID, Ulrike, XIE, Taojun

View and download the presentation materials below:

1. The European Data Protection Regulation and Global Policy Landscape
2. Navigating China’s Cross-Border Data Transfer Policies