A brief published by the Software & Information Industry Association (SIIA) titled “Data Flow Promotion in International Agreements and National Laws” shows that while some countries are proposing data localization laws and regulations, there is also a strong countervailing trend by countries in Asia, Europe, and the Americas to protect and support the cross-border transfer of information. The Brief provides examples of trade agreements and national laws that permit cross-border data flows while also protecting security, privacy, and other national priorities.
One country that currently stands at the crossroads of these trends is India, which is a pivotal player on the global stage with respect to data flows. Indian Prime Minister Modi is considering the letter from Senators Cornyn and Warner that asks him to reconsider the country’s impending data localization requirements, as well as recent engagement from European Commission Vice President Andrus Ansip. The country’s sheer size and economic dynamism certainly warrant a careful approach to data governance issues, as Nandan Nilekani, co-founder of Infosys, wrote recently. But there is room to achieve India’s strong policy goals while having interoperability mechanisms that permit data to flow safely across borders.
Asia shows how this can be done. Although the United States opted not to join the Trans-Pacific Partnership (TPP), Australia, Brunei, Canada, Chile, Japan, Malaysia, Mexico, New Zealand, Peru, Singapore, and Vietnam concluded the Comprehensive and Progressive Agreement for Trans-Pacific Partnership (CPTPP). This agreement kept the TPP’s Electronic Commerce Chapter 14, which provides for a cross-border data flow obligation and prohibition against data localization. Significantly, it also required signatories to have a privacy system without mandating whether it should be a U.S.-style “sectoral” framework or a European-style “general” framework.
There is also the Asia Pacific Economic Cooperation (APEC) Cross-Border Privacy Rules (CBPR) system established with the intent to facilitate cross-border data flows while creating meaningful privacy protections at the same time. In order for APEC countries and companies to accede to the system, they must adhere to the APEC Privacy Framework. So far, the United States, Mexico, Japan, Canada, Singapore, and Korea have acceded to the CBPR system.
The APEC system is noteworthy because it provides for robust privacy protections while at the same time being sensitive to the public policy rationale for allowing companies to use public records that contain personal information. The APEC rules say that: “It may not be appropriate for personal information controllers to provide notice [to consumers] regarding the collection and use of publicly available information.” This is constructive in that the use of publicly available information is often needed for companies to be able to provide, for example, know-your-customer (KYC), anti-money laundering, anti-corruption, anti-terrorism finance, and other important services. This is crucial for complying with both national laws and international agreements such as the Financial Action Task Force (FATF) recommendations.
The United States-Mexico-Canada Agreement (USMCA) is the most recent and most ambitious agreement with respect to digital trade. The USMCA’s Chapter 19 on digital trade provides for a binding cross-border data flow obligation and prohibition against data localization. Like the TPP and CPTPP, there is also a requirement for the Parties to have a privacy system with “key principles” for such systems specified for the first time in a trade agreement. The principles are “limitation on collection; choice; data quality; purpose specification; use limitation; security safeguards; transparency; individual participation; and, accountability.”
The USMCA includes standard trade law safeguards so that Parties do not use privacy laws for discriminatory purposes or as a disguised means of restricting trade. Importantly, it recognizes the APEC CBPR system as a valid personal data transfer mechanism.
Additionally, the USMCA’s Chapter 17 permits the free flow of financial data, while providing safeguards for regulatory access to the data. As the Indian Finance Ministry and the Reserve Bank of India consider data localization requirements for financial data, they may wish to draw from USMCA to find a way to permit cross-border data flows and maintain access to data.
The EU’s General Data Protection Regulation (GDPR), Japan’s Amended Act on the Protection of Personal Information (APPI), and Brazil’s Lei Geral de Proteção de Dados (LGPD) provide means of transferring data across borders while still complying with these laws. It is worth emphasizing this point because these laws are generally considered “strict” with respect to data privacy requirements. They are, but they still permit cross-border data flows.
The bottom line is that data localization is not necessarily destined to become the global default norm. This is partly because countries recognize the economic, cybersecurity, cultural, and freedom of expression value of permitting cross-border data flows. Perhaps most importantly though, it is because it is possible to adopt distinct approaches to privacy and also permit data to flow.