Mapping commonalities in regulatory approaches to cross-border data transfers

Abstract: Data flows across border underpin today's digitalised and globally interconnected world, but have also given rise to a range of concerns, including about privacy protection, intellectual property protection, regulatory reach, competition, and industrial policy. This has led to the emergence of a patchwork of rules governing cross-border data flows, complicating both the enforcement of public policy goals and increasing the costs for firms of all sizes of operating on a global scale. In practice, countries are … Show more

“…Some consider more implicit measures, such as restrictions on cross-border data flows, to be a form of data localisation since they can lead to more data being stored or processed locally (see (Cory and Dascoli, 2021[4]) and (Svantesson, 2020[6]). However, others focus on more explicit measures which directly legislate on the location or processing of data (Casalini and López González, 2019 [1]). This paper focuses on the latter, more explicit requirements, with a view to avoiding discussions about what other measures might or might not lead to local storage or processing (including whether emerging privacy and data protection regulation could be classified as data localisation measures).…”

“…As a result of growing cross-border data flows, governments have been updating and adapting their data policies, leading to a rising number of cross-border data regulations (Casalini and López González, 2019 [1]). To date, much of the work in this area has focused on measures that condition the movement of data across borders, with less analysis on policies that mandate that data be stored locallyalso known as local storage requirements or data localisation.…”

“…The work aims to support ongoing discussions on approaches that can balance different policy objectives and enable what has come to be known as data free flows with trust (DFFT). This work draws on an updated database of data localisation measures (Casalini and López González, 2019 [1]) and focuses on measures that have an explicit requirement that data is stored or processed in specific locations.…”

A Preliminary Mapping of Data Localisation Measures

“…Some consider more implicit measures, such as restrictions on cross-border data flows, to be a form of data localisation since they can lead to more data being stored or processed locally (see (Cory and Dascoli, 2021[4]) and (Svantesson, 2020[6]). However, others focus on more explicit measures which directly legislate on the location or processing of data (Casalini and López González, 2019 [1]). This paper focuses on the latter, more explicit requirements, with a view to avoiding discussions about what other measures might or might not lead to local storage or processing (including whether emerging privacy and data protection regulation could be classified as data localisation measures).…”

“…As a result of growing cross-border data flows, governments have been updating and adapting their data policies, leading to a rising number of cross-border data regulations (Casalini and López González, 2019 [1]). To date, much of the work in this area has focused on measures that condition the movement of data across borders, with less analysis on policies that mandate that data be stored locallyalso known as local storage requirements or data localisation.…”

“…The work aims to support ongoing discussions on approaches that can balance different policy objectives and enable what has come to be known as data free flows with trust (DFFT). This work draws on an updated database of data localisation measures (Casalini and López González, 2019 [1]) and focuses on measures that have an explicit requirement that data is stored or processed in specific locations.…”

A Preliminary Mapping of Data Localisation Measures

“…Currently, an increasing number of jurisdictions have developed MCCs. This includes for instance: the European Union, which recently modernised its so-called "Standard Contractual Clauses" (European Commission [31]), New Zealand's newly adopted model contract clauses (Office of the Privacy Commissioner [32]), Argentina's data protection contractual clauses (Ministry of Justice and Human Rights, Argentina [33]), the standard data protection clauses recently adopted by the Dubai International Financial Centre (Dubai International Financial Centre [34]), or the ASEAN Model Contractual Clauses for Cross-Border Data Transfers that were recently published (see above for more information) (ASEAN, 2021 [23]). Model contract clauses are also a recognised instrument under the Council of Europe Convention 108 (see Article 14(3)(b) of the modernised Convention (Council of Europe, 2018 [35])).…”

“…The prevalence of NPS and their components were explored in the report on the implementation of the OECD Privacy Guidelines (OECD, 2021 [3]). The analysis based primarily on the replies to the privacy questionnaire for the 2017 edition of the Digital Economy Outlook (DEO) (OECD, 2017 [43]) and the May 2018 Roundtable identified five key features 33 of the process to develop a NPS, with one such feature being "The enhancement of international co-operation to foster 33 These being: 1) A definition of privacy and data protection policy objectives at the highest level of government and their alignment with other important strategic national objectives; 2) The adoption of a whole-of-society (holistic) approach that involves all relevant stakeholders to enhance privacy protection while providing the flexibility needed for all to benefit from digital innovation; 3) Assurance of coherence of policy and regulatory measures to protect privacy by improvement of intragovernmental and public-private co-ordination; 4)The enhancement of international co-operation to foster interoperability of privacy protection frameworks and lessen uncertainties in transborder data flows; and 5) The measurement of the implementation and impact of NPS to monitor their effectiveness.…”

Interoperability of privacy and data protection frameworks

Fostering cross-border data flows with trust