When data is crossing borders
2025-01-27

Topic: Data

Jurisdiction: Global
Lothar Determann
Partner, Baker McKenzie

executive summary

  • Dependence on Cross-Border Data Flows: All global industries, particularly cloud-based services, rely heavily on cross-border data flows for operations.
  • Different Objectives: Regulations governing data transfers, such as the GDPR (privacy and data protection), data residency laws (law enforcement, national security, local investment in data centres), and the EU Data Act (data access, competition, and interoperability), have distinct objectives but can create overlapping obligations that complicate cross-border data flows.
  • Challenges for Companies: Large multinationals can localize operations to comply with diverse laws, but smaller firms often lack the resources to navigate complex regulations, limiting their global competitiveness and stifling innovation.


article

Strategic dimension of regulating cross-border data transfers

Why is it strategically important for companies how cross-border data transfers are being regulated?

Lothar: All globalized industries depend on cross-border data flows—whether for customer data (e.g., purchase histories, demographics), supplier information (e.g., contact details), or employee records (e.g., payroll, health data).

Editorial Comment: “Borders” are not always country borders. For example, data can flow freely among EEA countries, but moving the same data from the EEA to the U.S. counts as crossing a border. In other cases, a country border itself is the dividing line (e.g., India), and sometimes there can even be internal "borders" within a single country (e.g., between China’s free-trade zones and the mainland).

Many Software-as-a-Service (SaaS) and other cloud-based services rely heavily on these data flows and would not exist—or would be restricted to local operations—if such transfers were prohibited.

Some data remains unregulated and can be transferred freely. However, personal data, large volumes of sensitive information, or economically significant data (e.g., from Internet-of-Things devices) is increasingly subject to regulation.

In extreme cases, these rules limit market access by preventing certain providers from accessing the data required to deliver their services.

Examples: Executive Order 14117 and related laws and regulations[1] establish a regulatory framework to protect U.S. sensitive personal and government-related data from foreign adversaries. It directs the Department of Justice to issue rules prohibiting or restricting transactions involving bulk sensitive data—such as personal identifiers, health data, financial information, and genomic data—with "countries of concern," including China, Russia, and others.

In less severe cases, these rules increase costs (e.g., storage infrastructure, fines and penalties for non-compliance, monitoring and logging systems, operational redundancy for backups) for some providers, namely those covered by the scope of the law, while leaving other providers, which are exempted, unaffected. Some providers, e.g., smaller ones, may not be able to bear these additional costs.

In all instances, they impact competition among providers.

What are the key policies regulating cross-border data transfers?

Lothar: Various policies regulate data transfers, each with its own objectives and impacts on cross-border data flows:

  1. Data Protection Standards: Regulations like the EU GDPR[2] restrict transferring personal data (e.g., names, age, email) to countries with inadequate data protection standards. Their objective is to protect an individual’s privacy and control over personal data. Such transfers require a legal basis or the individual's consent.
  2. Data Residency: Data residency and localization laws require (copies of) certain data to remain within the country. These laws are often misunderstood as protecting individual rights and banning all international transfers. In fact, these rules are imposed for national security or law enforcement purposes. In some cases, they may also seek to incentivize local investment in information technology and data centre infrastructure. Some policies are aimed at protecting local industries from foreign competition.
  3. Data Sharing: Upcoming legislation, such as the EU Data Act and the EU Data Governance Act, seeks to encourage – through legislative means – data sharing to boost competition and interoperability. However, these laws add bureaucratic hurdles and risk interfering with corporate and innovation strategy by pre-defining do’s and don’ts.

These policies have distinct objectives (e.g., privacy and data protection, national security, economic / industrial policy) but their shared focus on data can lead to overlapping obligations for importers and exporters of data.

Transfer of personal data

What is the legal basis for transferring personal data?

Cross-Border Data Transfers under the EU GDPR

Lothar: For personal data, regulations like the GDPR in the EU regulate transfers. Transfers require a legal basis, such as valid consent from the data subject (i.e., the individual whose data is being processed).

To simplify compliance, regulators like the European Commission provide Standard Contractual Clauses (SCCs) as templates. While using SCCs offers some legal assurance, risks remain if the data recipient cannot meet their obligations under the SCC.

Editorial Comment: For example, Article 14 SCC requires conducting a Transfer Impact Assessment (TIA) to evaluate the legal landscape in the recipient country, which often demands regular monitoring of local laws. This is not just paperwork—it requires significant resources and expertise in the country’s legal framework.

A safer option is to transfer data to countries with an “adequacy decision” or to entities participating in programmes such as the EU-U.S. Data Privacy Framework.  

Editorial Comment: Some major cloud providers use a dual approach, relying on adequacy decisions first and SCCs as a fallback, as adequacy decisions can be quickly revoked during geopolitical shifts.

EU Adequacy Decisions for Data Transfers (Countries)

How important were the now defunct U.S. Safe Harbor[3] and EU-U.S. Privacy Shield[4] for global data exchange, and will we see another attempt with the EU-U.S. Data Privacy Framework?

Lothar: These programs were, in my view, brilliant efforts to allow for interoperability between EU and U.S. data regulations. By allowing U.S. companies to voluntarily adopt EU principles, they served as a model for international cooperation. I helped hundreds of companies prepare for these regimes through self-assessments and compliance adjustments. In my experience, these proved far more effective than the standard contractual clauses (SCCs) many sign and forget.

The invalidations of the EU Commission decisions recognizing the Safe Harbor and Privacy Shield programs by Europe’s highest court, the Court of Justice of the European Union (CJEU), were based on concerns about U.S. national security practices, particularly surveillance activities by the U.S. intelligence agencies.  

U.S. intelligence operations serve national security interests of EU member states and will be conducted regardless of EU data protection laws or international data transfer frameworks. Companies have no control over U.S. intelligence operations but were adversely impacted by the disruption of the international data transfer frameworks. This was, in my opinion, counterproductive and a missed opportunity to establish interoperability. These frameworks were well-received by the industry and had the potential to become global standards.

The new EU-U.S. Data Privacy Framework[5] seeks to address the gap, but lingering legal uncertainty has left many companies hesitant to participate. As a result, there are now more companies on the inactive list than the active one.[6]

EU Adequacy Decisions for Data Transfers (Process)

Without these programmes, there may be an increased willingness to store data in Europe…

Lothar: …but data still moves internationally—that is how the internet, cloud computing, SaaS, and IT support operate. I do not see a clear causal link between invalidating these programmes and economic benefits for European companies. Instead, it has forced all businesses to spend more on legal advice and compliance efforts, such as undertaking data transfer impact assessments, which waste time, money, and resources.

In fact, these efforts stifle European companies, leaving them with less capacity to focus on innovation.  

Data residency and localisation laws

When data residency or localisation laws apply, do they completely prohibit international transfers?

Lothar: No, that’s a common misconception. Data residency laws generally require specific data to be stored locally, to be available to local government authorities. Data residency laws do not prohibit transfers of data. In most cases, maintaining a local copy is sufficient to comply.

The real challenge lies in the associated costs. Replicating data across multiple locations is highly resource intensive. Establishing local data centres adds tax obligations, increases cybersecurity vulnerabilities, and creates additional compliance hurdles. Alternatives, such as storing personal data locally while processing pseudonymized data abroad, require sophisticated IT infrastructure and may still be subject to government scrutiny or rejection.[7]

Editorial Comment: This approach may also not be suitable for use cases involving encryption-in-use technologies, such as resource-intensive confidential computing. Also, data localization rules pose risks when countries demand extensive data access or impose strict obligations on foreign importers.
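One concrete shape of the alternative Lothar mentions (personal data kept in-country, only a pseudonymized copy processed abroad), as an added example that is not from the article, the author or Baker McKenzie: the in-country identity vault, the keyed token, the egress gate and the foreign processing step are all assumed designs, and the records and key are constructed sample data.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass, field

# Fields treated as direct identifiers that must never leave the country
# (constructed list for this example; a real scheme follows the local law's definition).
DIRECT_IDENTIFIERS = frozenset({"name", "email", "national_id"})


@dataclass
class LocalIdentityVault:
    """In-country store mapping a pseudonymous token back to the identifiers."""
    key: bytes                       # HMAC key; stays in-country, never exported
    records: dict = field(default_factory=dict)

    def split(self, record: dict) -> tuple[str, dict]:
        """Return (token, export_copy). The export copy has the identifiers
        replaced by a keyed token; the identifiers are kept only in the vault."""
        identifiers = {k: record[k] for k in sorted(DIRECT_IDENTIFIERS) if k in record}
        canonical = json.dumps(identifiers, sort_keys=True).encode()
        # Keyed hash: same person -> same token (so records link up abroad), but
        # without the key a foreign processor cannot enumerate or reverse tokens.
        token = hmac.new(self.key, canonical, hashlib.sha256).hexdigest()[:32]
        self.records[token] = identifiers
        export_copy = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
        export_copy["subject_token"] = token
        return token, export_copy

    def reidentify(self, token: str) -> dict:
        """Only callable in-country: resolve a token back to the identifiers."""
        return self.records[token]


def export_gate(record: dict) -> bool:
    """Egress check: refuse any record that still carries a direct identifier."""
    return not (DIRECT_IDENTIFIERS & record.keys())


def process_abroad(export_copies: list[dict]) -> dict[str, float]:
    """The foreign-hosted processing: purchase totals per token, identifiers unseen."""
    totals: dict[str, float] = {}
    for rec in export_copies:
        totals[rec["subject_token"]] = totals.get(rec["subject_token"], 0.0) + rec["purchase_amount"]
    return totals


def demo(key: bytes = b"constructed-demo-key-keep-local") -> dict[str, float]:
    """Constructed sample: two purchases by the same person, one by another."""
    raw = [
        {"name": "Ada Example", "email": "ada@example.test", "purchase_amount": 40.0},
        {"name": "Ada Example", "email": "ada@example.test", "purchase_amount": 10.0},
        {"name": "Bo Sample", "email": "bo@example.test", "purchase_amount": 5.0},
    ]
    vault = LocalIdentityVault(key)
    exports = [vault.split(r)[1] for r in raw]
    assert all(export_gate(e) for e in exports)          # nothing identifying leaves
    totals = process_abroad(exports)                      # runs abroad, tokens only
    return {vault.reidentify(t)["email"]: v for t, v in totals.items()}  # back in-country
```

The vault and its key are the part that must physically stay in-country; everything the foreign side receives is linkable only through the token.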

How do data residency requirements impact the SaaS and cloud services markets?

Lothar: Ultimately, only the largest providers can support a multi-location strategy. Smaller providers often conclude that entering markets with strict data residency laws is not worth the investment.

This is not only a challenge for the providers but also for the domestic industries.

Countries such as China, Indonesia, Russia, and Kazakhstan enforce broad data residency mandates. While China’s market size allows it to maintain some independence from foreign technologies and services, smaller economies face significant difficulties. Companies in these countries risk losing access to advanced cloud and machine learning technologies, which forces them to rely on less efficient local systems. This reliance hampers innovation and reduces global competitiveness.

In Europe, attempts to enforce data residency requirements have largely failed. For example, Germany’s 2008–2010 data retention laws were challenged as breaching privacy rights, and the EU Data Retention Directive was struck down by the CJEU in 2014.

Impacts of geopolitics

If data is the “new oil,” how will geopolitics shape the rules of its flow?

Lothar: “Oil” is generally not a good metaphor for data. Oil is a limited resource and its use as fuel inevitably creates harmful emissions. Data, on the other hand, is unlimited, can be replicated indefinitely, and can be used without negative consequences for our planet or anyone living on it.

Nonetheless it is true that the flow of both oil and data is subject to much geopolitical interest and interference. With respect to both oil and data, companies need to prepare for a more fragmented and politicized world.

To illustrate: While the GDPR has certainly shaped other data protection laws and influenced companies’ data protection policies, countries outside the EU are becoming increasingly cautious about adopting similarly rigid frameworks. This hesitation stems from concerns about stifling innovation.

For instance, many countries, including large parts of the U.S., do not regard the GDPR as a “gold standard.” Even where they do, they might view it more like the original “gold standard” for currencies (i.e., paying with precious metals rather than via online banking or crypto currencies: impractical for the fast-moving realities of modern business). I suspect that the so-called “Brussels Effect”[8] is gradually diminishing.

Will data transfer regulations become more politicized?  

Lothar: Possibly, yes. However, that is not a new development. For example, the European Commission’s adequacy decisions—which allow the transfer of EU citizens’ personal data to countries like Argentina, Israel, Japan, South Korea and the United Kingdom—often reflect political compromises rather than strict compliance with GDPR standards.

Will it become harder to transfer data across borders?

Lothar: Yes, there are clear indications pointing in that direction. Traditionally, the United States has been less restrictive about transferring personal data abroad compared to Europe. However, even the U.S. is now strategically limiting access to personal information by countries it identifies as “strategic adversaries.” These measures initially target nations such as China, North Korea, and Russia, but could quickly also be expanded to Europe or other allied nations.

At the same time, counter-trends are emerging. After implementing strict data transfer regulations that placed heavy burdens on many multinational companies, China has recently relaxed some of these requirements. For example, personal data transfers involving fewer than one million individuals annually are now exempt from the rigorous reviews of the Cybersecurity Administration of China (CAC).[9] Furthermore, in August 2024, the EU and China began discussions to establish a mechanism that would facilitate the flow of non-personal data.[10]

Are companies retreating from global markets due to complex and conflicting data regulations?

Lothar: I do not anticipate large multinationals retreating from global markets due to regulation. However, compliance with numerous and often conflicting regulations can become such a significant burden that smaller companies may choose to focus solely on their domestic markets. This could stifle competition.

Larger companies can afford to localise their operations, such as creating European subsidiaries with governance structures that prevent U.S. authorities from accessing data.  

Smaller companies, on the other hand, often lack these resources and face difficult decisions—either prioritise the most enforceable regulations while accepting the risk of penalties or forgo international expansion entirely.

That said, business decisions are ultimately driven more by demand than regulation. Customers, particularly in Europe, frequently expect global tech solutions with “follow-the-sun” support. While fragmented setups may ease compliance, they often fail to meet customer expectations. Both large and small suppliers must carefully balance these trade-offs when developing their strategies.

In today’s geopolitically charged environment, national security may often outweigh privacy considerations. Is personal data now at greater risk of being accessed by foreign governments?

Lothar: Concerns about foreign governments accessing personal data are long-standing and justified.

However, they do not always lead to the right conclusions. For example, the CJEU invalidated the EU-U.S. Privacy Shield over fears that U.S. authorities could access EU data in bulk for national security purposes without adequate proportionality safeguards.

What is often overlooked, though, is that data stored within Europe is not necessarily “safe.” Foreign intelligence agencies can still access data stored in the EU. The CJEU acknowledged that U.S. authorities, for instance, can intercept data when passing through undersea cables.

It is also worth noting that U.S. laws are, in fact, more permissive regarding intelligence access to foreign data compared to domestic data, which benefits from stricter protections.

This is yet another example of how data transfer regulations often fail to align with the practical realities of global data flows.

Lothar Determann practises technology law as a partner at Baker McKenzie in Palo Alto and teaches law at the Freie Universität Berlin and Berkeley Law.

Sources

  1. EO 14117 Preventing Access to Americans’ Bulk Sensitive Personal Data and U.S. Government-Related Data by Countries of Concern; Foreign Adversary Controlled Applications Act (PAFACA); U.S. Department of Justice Rule to Address Urgent National Security Risks Posed by Access to U.S. Sensitive Personal and Government-Related Data from Countries of Concern and Covered Persons.
  2. The EU General Data Protection Regulation (GDPR) is the European Union’s comprehensive data protection law that governs how personal data of EU residents is collected, processed, and stored, ensuring transparency, accountability, and individual rights.
  3. The U.S.-EU Safe Harbor Framework was an agreement established in 2000 to allow U.S. companies to transfer personal data from the European Union to the United States while ensuring compliance with EU data protection laws, but it was invalidated by the Court of Justice of the European Union (CJEU) in 2015 due to concerns over U.S. government surveillance practices.
  4. The EU-U.S. Privacy Shield was a data transfer framework established in 2016 to replace the invalidated Safe Harbor Framework. It was also struck down by the Court of Justice of the European Union (CJEU) in 2020 due to concerns about U.S. surveillance laws and insufficient protections for EU citizens’ data.
  5. The EU-U.S. Data Privacy Framework, agreed to in 2022 and declared adequate by the European Commission in 2023, is the third attempt for a framework for data transfers between the EU and U.S.
  6. The list of participants is available here: https://www.dataprivacyframework.gov/list. There are currently 3,082 active participants (e.g., Google, Meta, Microsoft) vs. 3,843 inactive participants.
  7. Confidential computing is a security technique designed to protect data while it is in use. It works alongside storage encryption, which secures data at rest, and network encryption, which safeguards data in transit.
  8. The "Brussels Effect" refers to the European Union's ability to influence global regulatory standards through the extraterritorial impact of its laws and policies.
  9. The Cybersecurity Administration of China (CAC) is the primary regulatory authority responsible for overseeing internet security, data protection, and the enforcement of cybersecurity laws in China.
  10. On August 27, 2024, the European Union and China initiated the Cross-Border Data Flow Communication Mechanism, a collaborative effort aimed at addressing challenges faced by European businesses in China concerning the cross-border transfer of non-personal data.