
It is a significant benefit that the world is connected the way it is, with the potential for even greater interconnectivity. However, this has come at huge costs, too, considering the rise in the direct involvement of state actors engaged in cyber warfare. Against this background, nations have a more acute awareness of digital vulnerabilities, which has radiated into regulatory frameworks concerning cross-border data compliance. Beyond security, privacy, freedom of information, and other legal and ethical factors are also important considerations.
How National Security Concerns Have Shaped Data Governance
National security concerns have fundamentally altered the way governments and businesses approach data compliance, forcing a shift from an almost exclusive focus on individual privacy rights to a more complex balancing act with national security imperatives.
- Expansion of Government Access: In the wake of the 9/11 attacks, US national security priorities inspired legislation such as the Patriot Act. The Act dramatically expanded law enforcement’s authority to access data held by private companies. One can trace the line from such actions to recent US actions to restrict cross-border transfers of bulk sensitive data to adversary nations like China, Russia, and Iran.
- Data Localization: Beyond the US, several countries have been driven to adopt data localization policies; governments are tightening their hold on data generated within their national borders. For instance, China’s Personal Information Protection Law requires data generated on its soil to be stored domestically. Similarly, the provisions of the EU’s GDPR have extraterritorial applications.
- National Security Exemptions: Frameworks like the GDPR were originally designed to protect personal privacy but eventually included broad exemptions for national security purposes. Expectedly, these exemptions also vary by country. This has caused businesses to design processes that account for potential governmental access under security exemptions. This creates an atmosphere of legal uncertainty.
- International Regulatory Negotiations: Amidst divergent national approaches, countries are increasingly engaging in bilateral and multilateral negotiations to reconcile their differences and facilitate legal data flows without compromising security. A notable example is the 2024 initiative between the European Union and China, which launched discussions under a new mechanism aimed at streamlining industrial data flows.
- Regulation of Emerging Technologies: National security concerns have spilled over into the regulation of emerging technologies such as artificial intelligence, blockchain, and connected vehicles. For instance, the EU AI Act, which went into effect last year, is expected to make an impact on cross-border data flows.
Global Regulatory Landscape for Cross-Border Data Flows
The EU GDPR remains a cornerstone framework for understanding the global landscape of cross-border data-sharing regulation. Since GDPR emphasizes user consent and data minimization, organizations must inform users about the potential sharing of their data and the possible purposes for which it should be used.
Critically, GDPR’s reach extends beyond the EU’s borders and applies to organizations operating within Europe that share data with entities outside the EU. Such transfers require a legitimate ground, such as an international agreement. The EU Data Protection Board (EUDP) recently provided further guidance on GDPR Article 48, which addresses data transfers to non-EU entities.
In contrast to the comprehensive nature of the GDPR, the United States still lacks a general federal data protection law, and efforts toward creating one have stalled. However, a major US state law is the California Consumer Privacy Act (CCPA), alongside the California Privacy Rights Act (CPRA).
As state laws, the CCPA and CPRA can’t directly regulate international data transfers in the same way as GDPR. However, they impose obligations on companies holding personal data and even, to some extent, require conformity with GDPR provisions.
Moving across the globe, the Asia-Pacific region and Latin America are developing regulatory frameworks in this domain. In Africa, the African Union Data Policy Framework is an effort in this regard, but national policies often prioritize domestic interests, which sometimes conflict with broader continental goals. The tension arises from differences in political ideologies and socio-economic conditions, among others, across African nations.
Zeroing in on the Challenge of Data Sovereignty
Data sovereignty can be considered a classic example of a seemingly necessary legal safeguard that ends up harming the digital ecosystem it was designed to protect. On the one hand, governments do indeed need to shield their citizens’ data; enforcing domestic laws on data collection, storage, and processing is a matter of national security. On the other hand, this same approach fragments the digital landscape of cross-border innovation. It is somewhat of a paradox that while technology has enabled us to live increasingly globalized lives, innovative progress may soon be threatened by the way nations approach compliance.
As of 2023, about 40 countries had effected nearly 100 data localization policies, of which more than 50 were implemented within the previous decade. For businesses, this is not the most profitable approach since it increases data management costs by between 15% and 55%.
To be clear, every nation has the right to set its laws, but often, data sovereignty goes beyond citizens’ privacy and national security. It has extended into a tool to assert geopolitical influence and stifle competition between countries. Arguably, not every move toward data sovereignty is well-intentioned.
As such, it is time for policymakers to stop viewing data sovereignty as a one-size-fits-all solution. There needs to be a more nuanced approach that involves international frameworks and digital trade agreements, like the EU-Singapore deal, which seeks to harmonize rules and reduce fragmentation.
Conclusion
The path to effective cross-border data compliance is not straightforward. What’s certain is that it requires a lot of collaboration between various stakeholders: nations and governments, policymakers, the private sector, and the masses.
About the Author:

Michael Usiagwu is an Entrepreneur, Tech PR Expert and CEO of Visible Links Pro. He assists various organizations to stay abreast of the latest technology. Some of his insightful content can be seen in Readwrite, InfoSecurity Magazine, Hackernoon, and lots more. He’s very much open to assisting organizations to increase their latest technology development.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor and do not necessarily reflect those of Tripwire.