Article by W. Gregory Voss
Abstract: Today, cross-border data flows are an important component of international trade and an element of digital service models. However, they are impeded by restrictions on cross-border personal data transfers and data localization legislation. This Article focuses primarily on these complexities and on the impact of the new European Union (“EU”) legislation on personal data protection—the GDPR.
First, this Article introduces its discussion of these flows by placing them in their economic and geopolitical setting, including a discussion of the results of a lack of international harmonization of law in the area. In this framework, rule overlap and rival standards are relevant.
Once this situation is established, this Article turns to an analysis of the legal measures that have filled the gap left by the lack of international regulation and the failure to harmonize law: extraterritorial laws in the European Union (regional legislation) and the United States (state legislation); and data localization laws in China and Russia. Specific provisions restricting cross-border personal data transfers are detailed under EU legislation, as are the international agreements that have been invaluable in allowing flows between the United States and the European Union to continue—first the Safe Harbor, and now the Privacy Shield.
Finally, in this context, the role of data governance is investigated with respect to data controllers’ accountability for the actions of other actors in global supply chains, both under EU law and under the Privacy Shield. Thus, this Article goes beyond the law itself, to place requirements in the context of the globalized business world of data flows, and to suggest ways that companies may improve their compliance position worldwide.