Regulatory activity in cross-border data transfer and data localisation is ticking up

A short primer and outlook for 2022.


Johannes Fritz


24 Aug 2022

Report Image

When the APEC’s Digital Economy Steering Group meets in Thailand this week, deliberations on how to secure the free flow of information are certainly on the agenda. The latest data from the Digital Policy Alert (DPA) confirms that attention to free data flows as a prerequisite for digital trade is warranted. Since the publication of our report on Emergent Digital Fragmentation earlier this year, the activity in cross-border data transfers and data localisation has ticked up. A quick primer on recent events and upcoming activity.

Cross-border data transfer conditions and data localisation requirements are on the rise in 2022

According to the Digital Policy Alert database, the second quarter of 2022 brought a new high of 26 binding transfer conditions or localisation measures under deliberation or adopted. While the activity in cross-border transfer and data localisation has been generally creeping upwards over the past 18 months, the decisive uptick in part reflects enforcement actions by the US Security and Exchange Commission (SEC) over access to corporate audit records. To prevent oversight gaps due to foreign cross-border data transfer restrictions, the Holding Foreign Companies Accountable Act (HFCAA) of 2020 requires broad data access to the auditors of US-listed foreign firms. If data access is insufficient for a complete inspection, US-listed foreign companies audited by such an accounting firm must provide proof that they are not owned or controlled by a foreign government entity. Since March 2022, the SEC has notified 160 Chinese companies subject to a Chinese cross-border data transfer restriction on corporate records that they must provide such proof. The notified companies include technology giants such as Weibo, Baidu and Didi. Without a remedy, the situation may come to a head when these companies will be delisted at the end of the year.

As welcome news for the free flow of information, a series of bi- or multilateral agreements advanced recently. The United Kingdom and New Zealand signed a Free Trade Agreement including a digital chapter and the formal accession request from Canada and the UK-Singapore Digital Economy Agreement went into effect. Furthermore, the United Kingdom and the Republic of Korea announced they had reached an agreement in principle regarding the mutual recognition of their data protection rules. Finally, the Digital Economic Partnership Agreement (DEPA) continues to grow its international standing with a formal accession request from Canada and the establishment of a formal accession working group for China.

Looking into the DPA database for what’s ahead suggests cross-border data transfer and localisation will remain active for the rest of the year. Already in the pipeline is the enforcement of a Vietnamese data localisation requirement including e-commerce and social media providers, scheduled to go into force in October 2022. A month before, in September 2022, the Chinese Measures for Security Assessment of Data Exports will go into effect and require security assessments for certain international data transfers. If recently concluded public consultations are an early indicator, we may also see Chinese standard contractual clauses for personal data transfers and similar regulations from Brazil. Also, the European Commission is processing its consultation on the EU Data Act which may regulate cross-border transfers of non-personal data.