
Trusted Cross-Border Data Flows: A National Security Priority

Alex Joel
Monday, November 13, 2023, 2:42 PM

To avoid a fragmented world divided by digital barriers, the U.S. government must press ahead to develop a trusted framework for cross-border data flows.

ECMWF data center, Bologna, Italy, September 2021. (ECMWF, https://tinyurl.com/4fjjjehm; CC BY-NC-ND 2.0 DEED, https://creativecommons.org/licenses/by-nc-nd/2.0/)

Published by The Lawfare Institute in Cooperation With Brookings

Imagine a fragmented world, with countries retreating behind barriers they have erected in both the physical and cyber realms. In such a world, “[i]nformation flows within separate cyber-sovereign enclaves, supply chains are reoriented, and international trade is disrupted. Vulnerable developing countries are caught in the middle with some on the verge of becoming failed states. Global problems, notably climate change, are spottily addressed, if at all.” Authoritarian regimes would thrive in a siloed world characterized by “[f]urther weakening of Western-origin norms, particularly on human rights, open commerce, and collective defense.” This is not the stuff of dystopian fiction. Rather, it is a grim scenario painted by the National Intelligence Council (NIC) in its Global Trends 2040 Report; it is, according to the NIC, a very real possibility based on existing trends. 

Keep that possible future in mind when evaluating the world of today. Huge and ever-growing volumes of digital data are processed by companies for business purposes, and that data flows around the world in ways that bring both benefits and risks. For private-sector entities, cross-border data flows underpin daily business operations, logistics, supply chains, and international communication. In addition, responsible cross-border data flows can promote human rights, cybersecurity, economic development, financial inclusion, health, sustainability, and other legitimate government objectives. At the same time, such flows raise concerns about data privacy and security and appropriate uses of such data once it leaves the originating country’s borders. How will companies protect privacy in the recipient country? How will governments seek access to that data for national security and law enforcement purposes? Governments have made progress in answering these questions, and it is now realistic to envision a global framework open to democracies operating under the rule of law, that is rights-protective, practicable, and scalable.

Even with the progress made, failure remains a real possibility. And that failure portends a world of greater fragmentation, with countries seeking to enact cross-border data flow restrictions and prohibitions out of concern for how that data will be exploited by untrusted actors, or out of a desire to exercise direct control over data for both legitimate and problematic purposes. A world divided by digital siloes favors authoritarian regimes that seek greater control of and access to data to solidify and expand their power. Recognizing this risk, the United States has joined with other democracies in seeking shared norms and mechanisms that would enable data to continue to flow across borders while also addressing the security and privacy risks such flows can pose. A recent U.S. Trade Representative (USTR) decision to reverse the U.S. position on data localization in free trade discussions is a rare outlier in the government’s otherwise unified effort to pursue a trusted framework for cross-border data flows as a national security priority.

Digital Repression

The intelligence community has been ringing alarm bells about the growing threat of “digital repression” by authoritarian regimes. The intelligence community’s 2023 Annual Threat Assessment finds that “[m]any foreign governments have become adept at the tools of digital repression, employing censorship, misinformation and disinformation, mass surveillance, and invasive spyware to suppress freedom.” A 2022 declassified NIC Assessment provides more detail, warning that “foreign governments are increasingly using digital information and communication technologies to monitor and suppress political debate domestically as well as in their expatriate and diaspora communities abroad.” According to President Biden’s 2022 National Security Strategy, “[t]he most pressing strategic challenge facing our vision is from powers that layer authoritarian governance with a revisionist foreign policy. It is their behavior that poses a challenge to international peace and stability—especially ... leveraging technology and supply chains for coercion and repression.”

Given that prospect, it should not be surprising that U.S. policy has been to promote the free flow of information as a national security priority. The vision set forth in the National Security Strategy is to “achieve a better future of a free, open, secure, and prosperous world.” According to that document, the United States is “rallying like-minded actors to advance an international technology ecosystem that … promotes the free flow of data and ideas with trust, while protecting our security, privacy, and human rights, and enhancing our competitiveness” (emphasis added). In April 2022, the Biden administration joined more than 60 countries in issuing the Declaration for the Future of the Internet to

affirm our commitment to promote and sustain an Internet that: is an open, free, global, interoperable, reliable, and secure and to ensure that the Internet reinforces democratic principles and human rights and fundamental freedoms [and] that can deliver on the promise of connecting humankind and helping societies and democracies to thrive.

As stated in the NIC assessment on digital repression, “[m]itigating against the growth of digital repression probably would require the establishment of unified international norms and protecting the Internet’s architecture through coalitions with likeminded governments, civil society, and technology corporations” (emphasis added).

Data Free Flow with Trust 

Without safeguards, data can be exploited in ways that harm individual rights and freedoms. That is why the current focus of many stakeholders has been to find practicable ways for data to flow in a manner that protects privacy and other fundamental rights. This aspiration is what undergirds the aptly named Data Free Flow with Trust (DFFT) initiative, originated by Japan’s late Prime Minister Shinzo Abe in 2019. With Japan’s strong leadership and support, the DFFT initiative seeks ways to promote the free flow of data while ensuring trust that privacy and other rights will be protected. Earlier this year, the G7 Data Protection and Privacy Authorities announced that “we will continue to further deepen and strengthen our cooperative relationship to ensure a high level of protection of personal data as an enabler of economic and social development of G7 members.” The G7 leaders affirmed in May that they 

reiterate the importance of facilitating Data Free Flow with Trust (DFFT) to enable trustworthy cross-border data flows and invigorate the digital economy as a whole, while preserving governments’ ability to address legitimate public interests. ... We emphasize our opposition to internet fragmentation and the use of digital technologies to infringe on human rights. ... We seek to increase trust across our digital ecosystem and to counter the influence of authoritarian approaches.

For data to flow freely between democracies, countries must trust that the recipient governments are appropriately safeguarding personal data. Thus, pursuing data free flow with trust necessarily entails a framework that ensures that countries have fundamental protections in place for individual rights. In this way, DFFT can be thought of as a rising tide that lifts all boats. That is, in any event, the aspiration.

The United States presented a dramatic example of how a country can enhance privacy protections in a manner that sustains vital data flows. After many months of intensive negotiations, the U.S. and the European Commission announced the new EU-U.S. Data Privacy Framework, and in July, the European Commission officially approved that framework when it issued its adequacy decision. As part of that framework, the United States articulated new privacy protections for its signals intelligence activities based on concepts of “necessity and proportionality” that are cornerstones of how European countries constrain surveillance activities. (I analyze this in detail in “Necessity, Proportionality, and Executive Order 14086.”) What’s more, the framework created an independent Data Protection Review Court, with binding powers, to adjudicate complaints submitted by individuals alleging noncompliance with applicable signals intelligence privacy safeguards with respect to their data. 

Until recently, the U.S. government has presented a remarkably unified front in pursuing a trusted framework for cross-border data flows. Beyond backing data free flow with trust at the G7, the U.S. played a key role in the adoption by the 38 member countries of the Organization for Economic Cooperation and Development of the groundbreaking “Declaration on Government Access to Personal Data Held by Private Sector Entities.” The declaration reaffirms members’ “commitment to data free flow with trust” and regards the agreed-upon principles for government access to data for law enforcement and national security purposes 

as an important expression of our shared democratic values and commitment to the rule of law, which distinguishes our countries from other countries whose law enforcement or national security access to personal data are inconsistent with democratic values and the rule of law, are unconstrained, unreasonable, arbitrary or disproportionate, or amount to violations of human rights.

On the commercial privacy front, the United States joined with Canada, Japan, the Republic of Korea, the Philippines, Singapore, and Chinese Taipei to create the Global Cross-Border Privacy Rules Forum. Their goal is to “facilitate data protection and free flow of data” by “promot[ing] expansion and uptake” of a certification-based system known as “Global CBPR.” Although it remains unclear how this approach will be reconciled with that established by the EU’s General Data Protection Regulation (GDPR), the Global CBPR Forum has been actively working to expand its reach by adding new country members to the forum and new companies to commit to its certification framework.

The USTR’s Withdrawal Decision

The effort to develop a trusted framework for cross-border data flows is complicated by the central role played by commercial entities. After all, it is their technology, their services, their computers and telecommunications links that are responsible for where and how data is being collected, processed, and transmitted. In light of the private sector’s outsized interest in data flows, it should not be surprising that some observers perceive efforts to preserve the viability of cross-border data transfers as a way of favoring Big Tech. This may have been a factor in a recent action by the USTR, who, according to a report by Reuters, decided that the United States “is withdrawing proposals . . . insisting that [World Trade Organization (WTO)] e-commerce rules allow free cross-border data flows and prohibit national requirements for data localization and software source code.” The USTR explained that it was doing so “[i]n order to provide enough policy space for [domestic policy] debates to unfold.” This is a reversal of the position the United States had pursued as part of the WTO’s Joint Statement on Electronic Commerce Initiative. In a submission in March 2019, the U.S. averred that “[t]rade rules that guarantee the ability to move data in the most economically and technically efficient manner—subject to reasonable safeguards like the protection of consumer data when it is exported—can support growth across all sectors of the economy.” According to a USTR spokesman, those data flow proposals “might prejudice or hinder” countries from taking into account “domestic policy considerations.”

Further details on the recent USTR withdrawal decision do not appear to be publicly available, but prior congressional correspondence with the USTR highlights concerns that trade agreement provisions limiting the ability of countries to impose data localization requirements could be used by U.S. companies to evade the reach of federal and state regulatory and law enforcement agencies. For those who have been enmeshed in cross-border data discussions over the years, this concern seems to miss the mark. 

To be clear, I support efforts to update the U.S. legal and regulatory approach to technology, and I join many commentators and stakeholders in hoping that Congress will soon enact long-overdue comprehensive privacy legislation as a foundational step along that path. But I am not concerned about the ability of such laws to reach U.S. companies, regardless of where those companies choose to process and store their data. Indeed, the United States has shown no hesitance in going after data held by U.S. companies in facilities abroad, as demonstrated vividly by the Microsoft Ireland case, which prompted Congress to enact the CLOUD Act. Under that act, the United States can compel a company to provide data to the government so long as the company has “possession, custody, or control” of the data, regardless of where in the world the data happens to be stored.

We pulled this thread further in our paper “Data Localization and Government Access to Data Stored Abroad,” in which we examined the notion that a company can elude the reach of U.S. law by localizing data in another country. Not surprisingly to those who follow these issues, we found that any such effort would likely fail. The key question under U.S. legal norms—and, indeed, the legal norms of other countries we researched—is not the physical location of the data but, rather, whether the company has certain “minimum contacts” with the United States, and whether the U.S. entity has the legal and/or physical ability to produce the data. Indeed, the EU’s General Data Protection Regulation has a famously far-reaching scope provision that imposes GDPR obligations on entities based almost entirely outside the EU, so long as they offer goods and services to EU data subjects (for example, via a website) or are monitoring the “behaviour” of data subjects in the EU (for example, via digital means).

Far from being a liability escape hatch for companies, a framework for trusted cross-border data flows should lead to more cohesive, consistent, and robust safeguards for personal data around the world. As companies pursue global business opportunities, they will be able to freely transfer data across borders only if key stakeholders have assurances that the data will be protected. Countries may need to update and expand protections, fill gaps in the law, and make other changes so that they can form part of the trusted framework. 

Trade Agreements

To further appreciate the implications of the USTR’s decision, it is important to understand the role trade agreements have played in the issue of cross-border data flows. For years, the United States has insisted on provisions in agreements that guard against discriminatory practices relating to data flows. The United States-Mexico-Canada Agreement (USMCA), for example, provides that “[n]o party shall restrict the cross-border transfer of information, including personal information, by electronic means” (Article 19.11). It goes on to lay out an important exception, 

[for] a measure … that is necessary to achieve a legitimate public policy objective, provided that the measure: (a) is not applied in a manner that would constitute a means of arbitrary or unjustifiable discrimination or a disguised restriction on trade; and (b) does not impose restrictions on transfers of information greater than are necessary to achieve the objective.

Unsurprisingly, G7 pronouncements on data free flow with trust echo these principles. As stated by G7 leaders in May, “[W]e should counter unjustified obstacles to the free flow of data, lacking transparency, and arbitrarily operated, which should be distinguished from our measures implemented to achieve the legitimate public policy interests of each country” (emphasis added). This position is intended to leave room for legitimate regulatory and public policy measures. Its focus is on preventing the arbitrary or discriminatory application of such measures and on requiring that they be no “greater than necessary.”

By contrast, China has sought to use trade agreements to promote the ability of countries to impose data localization mandates or, in other words, to erect digital barriers to the free flow of information. China negotiated the Regional Comprehensive Partnership Agreement with several countries in the Asia-Pacific region. Article 12.14 of the agreement includes a data localization prohibition that echoes some concepts from the USMCA but then includes a breathtakingly broad security exception for “any measures that [a Party] considers necessary for the protection of its essential security interests. Such measures shall not be disputed by other Parties.” Such a provision gives a country sole discretion in determining when to put in place data localization measures for security purposes, including ones that could facilitate repressive measures. 

Trusted Cross-Border Data Flows and National Security

On the day of the USTR decision, Sen. Ron Wyden (D-Ore.) issued a statement in which he asserted that 

[the] USTR is leaving a vacuum that China—an active participant in these negotiations—will be more than pleased to fill. USTR’s action today is a win for the Chinese government’s efforts to have unlimited access to U.S. data, a win for Chinese tech giants who want to bully smaller countries into following the Chinese model of internet censorship, and a win for China’s Great Firewall, which locks out American companies and locks Chinese citizens into a repressive regime of government surveillance.

Wyden’s warning echoes those in the National Security Strategy, which reads, “[China] is using its technological capacity and increasing influence over international institutions to create more permissive conditions for its own authoritarian model, and to mold global technology use and norms to privilege its interests and values.”

I began this piece with a grim scenario of a world characterized by physical and digital barriers, where countries had retreated into separate siloes. There is an alternative scenario in the Global Trends 2040 Report. Imagine a world “in the midst of a resurgence of open democracies led by the United States and its allies.” In that world, advancements fostered by public-private partnerships are raising incomes, improving the quality of life around the globe, and enabling responses to global challenges. “In contrast, years of increasing societal controls and monitoring in China and Russia have stifled innovation” and weakened their regimes.

Which scenario is more likely? As President Biden says in the National Security Strategy, the world is at an inflection point: “We are in the midst of a strategic competition to shape the future of the international order.” The time is now for democracies to move closer together, to build on shared values under the rule of law, to ensure the digital lines of communication that bind them are based on a trusted framework for cross-border data flows. That future is now within reach, so long as key stakeholders—including those within the U.S. government—keep moving forward together. 


Alex Joel is a scholar-in-residence and adjunct professor with the Technology, Law & Security Program at the American University Washington College of Law. He previously served as the Civil Liberties Protection Officer for the Office of the Director of National Intelligence.
