Cross-Border Data Flows, the GDPR, and Data Governance

Abstract

Today, cross-border data flows are an important component ofinternational trade and an element of digital service models. However, they are impededby restrictions on cross-border personal data transfers and data localization legislation. ThisArticle focuses primarily on these complexities and on the impact of the new EuropeanUnion (“EU”) legislation on personal data protection—the GDPR. First, this Articleintroduces its discussion of these flows by placing them in their economic and geopoliticalsetting, including a discussion of the results of a lack of international harmonization of lawin the area. In this framework, rule overlap and rival standards are relevant. Once thissituation is established, this Article turns to an analysis of the legal measures that havefilled the gap left by the lack of international regulation and the failure to harmonize law:extraterritorial laws in the European Union (regional legislation) and the United States(state legislation); and data localization laws in China and Russia. Specific provisionsrestricting cross-border personal data transfers are detailed under EU legislation, as are theinternational agreements that have been invaluable in allowing flows between the UnitedStates and the European Union to continue—first the Safe Harbor, and now the Privacy Shield. Finally, in this context, the role of data governance is investigated, both in thecontext of data controllers’ accountability for the actions of other actors in global supplychains under EU law and under the Privacy Shield. Thus, this Article goes beyond the lawitself, to place requirements in the context of the globalized business world of data flows,and to suggest ways that companies may improve their compliance position worldwide.