Geopolitical Tensions in Digital Policy: Restrictions on Data Flows

A Guide for Governments

In April 2025, the US government will outline the foreign digital policies it deems to discriminate against US companies and how it plans to counter them. Restrictions on cross-border data flows are on the radar. This piece helps foreign governments understand the fundamentals and the cause of tensions.

Authors

Tommaso Giardini, Svenja Bossard

Date Published

08 Apr 2025

Note: This analysis is part of our series on geopolitical tensions in digital policy. The series starts by dissecting a recent US memorandum that scrutinises different types of foreign digital policy. Topical pieces, including this, then distill the global state of affairs and explain the cause of geopolitical tensions in one type of digital policy.

Cross-border data flows are the lifeblood of the digital economy and their regulation is a recurring subject of geopolitical tensions. The recent US memorandum lists foreign regimes that limit cross-border data flows as an example of foreign digital policy that violates US sovereignty and reduces US companies' global competitiveness. Below, we outline how governments are restricting cross-border data flows and why this contributes to tensions, based on the Digital Policy Alert dataset.

How are governments restricting cross-border data flows?

Governments apply a spectrum of restrictions to data flows, with the aim of protecting data abroad. Few governments do not impose any restrictions, aiming to foster “free data flow.” More often, governments establish conditions for data transfers to be lawful, typically demanding an equivalent level of protection for data that crosses their borders (“data transfer conditions”). Finally, some governments require certain data, or a copy thereof, to be stored within their national territory (“data localisation obligations”). As of 7 April 2025, the Digital Policy Alert has documented 332 developments related to the restriction of data flows at the national and EU level.

Data transfer conditions totalled 251, providing the following findings:

  • Developments were mainly binding executive regulations (94) and laws (57), non-binding guidelines (56), as well as enforcement action (44).

  • The most active jurisdictions were China (35), the EU (31), the US (15), the UK (15) and Turkey (13). 

  • Over half of the developments were adopted or in force (187), while fewer were under deliberation (61), and only singular developments were rejected or revoked (3). 

  • A large majority of data transfer conditions applied across the digital economy (206). Few developments affected specific sectors, such as user-generated content platforms (7). 

Data localisation obligations were less common, totalling 81 developments:

  • Developments were mostly binding executive regulations (40). Less frequently, we documented laws (14), enforcement action (16), as well as non-binding guidelines (10).

  • The most active jurisdictions were Russia (14), India (12), China (8), and Turkey (7). 

  • Most data localisation obligations applied across the digital economy (30), although several developments affected only specific sectors of the digital economy. In particular, infrastructure providers (23) and digital payment providers (9) were targeted most often.

  • Over half of the developments were adopted or in force (64), while fewer were under deliberation (11), and fewer still were rejected or revoked (6).

Case study: Restrictions on EU-US data flows

The most prominent example of restrictions on data flows relates to personal data flows from the EU to the US. The EU General Data Protection Regulation (GDPR) sets out several mechanisms for the lawful transfer of personal data to non-EU countries:

  • “Adequacy decisions” by the European Commission designate countries with adequate levels of data protection, to which transfers are allowed. 

  • In the absence of adequacy, the EU requires safeguards for transfers to be lawful, including binding corporate rules, standard contractual clauses, and certification.

  • In the absence of both adequacy and safeguards, the EU allows transfers only through specific derogations, for example a data subject’s explicit consent. 

Adequacy decisions are beneficial for the digital economy because the EU guarantees the level of data protection and no further safeguards are needed. The EU has recently issued renewed adequacy decisions for a group of 11 countries, including Argentina and Canada. Previously, it issued new adequacy decisions for countries including South Korea and the UK.

While the EU currently also has an adequacy decision for the US, the two previous adequacy decisions were invalidated. The core issue is US government authorities’ access to EU citizens’ personal data, mainly under the US Foreign Intelligence Surveillance Act. Given the importance of transatlantic data flows, the EU and the US have negotiated frameworks that provide additional protection and serve as the basis for adequacy decisions. In 2015, however, the Court of Justice of the EU (CJEU) invalidated the first EU-US adequacy decision (issued in 2000 under a previous data protection regime), because the “Safe Harbor” framework provided insufficient protection (Schrems I ruling). The EU and the US then negotiated the “Privacy Shield” framework, but the subsequent adequacy decision, issued in 2016 under the GDPR, was again invalidated by the CJEU in 2020 (Schrems II ruling). Notably, the Irish Data Protection Commission fined Meta EUR 1.2 billion for unlawfully transferring data to the US after the invalidation of the Privacy Shield (under appeal).

The current adequacy decision was issued in July 2023, after the EU and the US negotiated the Transatlantic Data Privacy Framework (DPF). In particular, the DPF contains the following commitments from the US, enshrined in the Executive Order On Enhancing Safeguards For US Signals Intelligence Activities:

  • A mechanism for individuals from "qualifying states" to obtain redress. To this end, the US established a dedicated Data Protection Review Court, while the Privacy and Civil Liberties Oversight Board, among others, is responsible for independent oversight.

  • A certification mechanism for companies to join the DPF by committing to comply with data protection requirements, becoming eligible to receive data from the EU lawfully. 

  • Limitations on signals intelligence activities, including upholding the principles of necessity, proportionality, and respect for fundamental rights.

The longevity of the DPF, and thus the adequacy decision, was uncertain from the beginning. During negotiations, concerns about the DPF were raised by the European Data Protection Board and the European Parliament, among others. Once the EU issued the adequacy decision, a French parliamentarian sued to annul it, partly because the Data Protection Review Court lacked independence, since it was part of the executive branch. The General Court of the EU heard the case in early April 2025, after dismissing a request for an emergency suspension. In addition, the activist who led the cases against the previous adequacy decisions promptly announced a challenge to the DPF. In October 2024, however, the EU’s own review of the framework found that the US had implemented all the necessary DPF components.

The new US administration’s recent actions have aggravated concerns. 

  • In January 2025, the President required several members of the Privacy and Civil Liberties Oversight Board to resign or be fired, leaving the Board without a quorum. Although this action is being challenged in court, several governments in the EU reacted promptly, highlighting the importance of independent oversight by the Privacy and Civil Liberties Oversight Board for the DPF and the adequacy decision. 

  • Also in January 2025, the US government started reviewing Executive Orders from the previous administrations that should be rescinded, potentially including the Executive Order underlying the DPF. 

The adequacy decision will not be directly impacted by developments in the US. It would have to be invalidated by the CJEU or suspended by the European Commission. Notably, the Commission has already stated that it will closely monitor vacancies and appointments to the Privacy and Civil Liberties Oversight Board, given its importance for the DPF.

Why do restrictions on data flows cause geopolitical tensions?

When restricting data flows, governments strike a balance between ensuring data protection and enabling digital trade. Different types of restrictions on data flows are differently onerous for companies engaging in digital trade. Data localisation obligations require companies to invest in local infrastructure, by building or renting local data centres. Data transfer conditions are generally less burdensome, but can also be strenuous – especially if government approval is required. 

Most governments are still finding this balance, including China. In March 2024, the Cyberspace Administration of China issued regulations on promoting and regulating data flows. The regulations aim to loosen China’s strict data regime, which generally demands data localisation. Data transfers are allowed only based on three mechanisms: security assessments, certifications, and standard contracts. Among others, the regulations empowered local Free Trade Zones to create “negative lists,” allowing transfers of non-listed data without one of the three mechanisms.

For decades, the US government argued that restrictions to data flows hinder digital trade and aimed to counter them, including through trade agreements. For instance, the first Trump administration negotiated the US-Mexico-Canada Agreement, which prohibits data localisation without exceptions and sets boundaries regarding data transfer conditions. 

During the Biden administration, however, the US started to restrict data transfers and reduced its pushback against foreign restrictions on data flows. Despite the absence of a comprehensive federal privacy law, a 2024 Executive Order restricted transfers of “bulk sensitive personal data and government-related data” to six “countries of concern,” including China and Russia. The Department of Justice Rule implementing these restrictions starts to apply in April 2025. Furthermore, in October 2023, the US withdrew its support for plurilateral commitments regarding data transfers and data localisation under negotiation at the World Trade Organization. Time will tell whether the Trump administration maintains these shifts.

What's next?

Although the memorandum does not mandate specific action regarding restrictions to cross-border data flows, they are likely to be scrutinised by several authorities analysing foreign regulatory practices deemed to be discriminatory. Specifically, the Treasury Secretary, the Commerce Secretary, and the US Trade Representative will jointly identify practices that “discriminate against, disproportionately affect, or otherwise undermine the global competitiveness or intended operation” of US companies. The authorities will also recommend actions to counter such practices. The results will be provided by the US Trade Representative in April 2025.

To prepare for these next steps, governments should analyse their restrictions on data flows, considering three perspectives. First, the memorandum does not distinguish between data localisation obligations and data transfer conditions. Second, the novel US restrictions on data flows are motivated by a security rationale. Third, significant international cooperation efforts regarding data flows are underway. Thorough preparation enables governments to provide a nuanced explanation of their regimes, outline potential overlap with the motives of the novel US data flow restrictions, and signal cooperative intentions on the international level – potentially reducing tensions.

1. Note that each development can target one or multiple sectors of the digital economy, or be cross-cutting.

2. See, for instance, data localisation measures in China’s Cybersecurity Law, Data Security Law, and Personal Information Protection Law, as well as sectoral rules for banking, credit, health, vehicles, state secrets, online map services, and taxi and bike rentals.