Recent global developments offer a glimpse into the future of cross-border data regulation. Historically, such regulations have focused on restrictions of cross-border transfers of personal data to achieve public policy goals on individual privacy rights.
Today, cross-border data regulations are starting to cover a broader array of data, such as personal data, nonpersonal data and other company information, for a diversified range of public policy purposes — national security, artificial intelligence, antidiscrimination/fairness, competition and the like. Moreover, whereas historically the World Trade Organization and other multilateral treaty frameworks would limit the ability of countries to adopt regulations that impose unfair treatment on global businesses, such frameworks now have diminished effectiveness for various reasons.
Companies now face a variated landscape of divergent outbound data transfer restrictions, data localization requirements, data quality standards, compelled data disclosure obligations and other country-specific legal obligations.
U.S. outbound data transfer restrictions to countries of concern
For the first time, the U.S. is establishing outbound data transfer restrictions. One set of restrictions came into effect in June pursuant to the Protecting Americans' Data from Foreign Adversaries Act of 2024, which prohibits data brokers from transferring certain personally identifiable sensitive data of U.S. individuals to foreign adversary countries, including China, Iran, North Korea and Russia.
On a parallel track, pursuant to the International Emergency Economic Powers Act, the U.S. administration declared a national emergency with respect to the outbound transfer of sensitive personal information to foreign adversary countries. The U.S. Department of Justice and other agencies are actively engaged in rulemaking, including potential criminal penalties, that will transform the legal environment for U.S. companies on cross-border transfers, particularly with respect to cross-border vendor and third party contracting. A final version of the DOJ regulations is expected to be adopted before the end of the year.
China's data and cybersecurity regulations
China is currently engaged in regulatory implementation of its Cybersecurity Law, Data Security Law and Personal Information Protection Law. A sweeping set of regulations implementing these laws will come into force in January 2025. Significantly, the outbound transfer provisions of the implementing regulations focus on not only personal information but also "important data," which encompasses information China considers to be important from national security, critical infrastructure and cybersecurity perspectives. Such important data will be subject to effective data localization requirements, and outbound transfers of such data might be disallowed under approval procedures. Moreover, against a context of advanced persistent threats and related cybersecurity challenges, this trio of laws and implementing regulations confer authority on the Cybersecurity Agency of China and other agencies with broad powers to compel companies to provide information about their data security programs and information technology environments.
EU digital rulebook
The EU is engaged in an ambitious digital regulatory initiative aimed at strengthening its digital sovereignty and setting standards on data, technology and infrastructure. Several elements of these sweeping new regulations will compel disclosure of nonpersonal data and company information to help achieve public policy goals to foster innovation, competition and fairness.
Among other examples, the European Health Data Space regulations will require data holders to make electronic health data available to other researchers, including competitors. The EU Data Act will require the data generated by connected products, commonly referred to as the Internet of Things, to be directly accessible to users of such products and services, as well as to third parties in some cases. The EU Data Governance Act aims to establish frameworks for safely sharing and reusing personal and nonpersonal data held by private actors and government bodies by encouraging sharing data for altruistic purposes.
Emerging AI legislation
Perhaps the biggest wild card on the global scene is AI legislation, as this relatively new area of law could easily be adapted to meet various public policy goals, including national security. China is considering an AI Law, which explicitly states the legislative intent is to focus on national security considerations, including assuring AI is used to advance China's national security interests. The law also expressly provides that it is intended to have extraterritorial effect when AI development outside the country would impact China's national security interests.
The EU AI Act aims to regulate AI systems developed and/or deployed in the EU. The AI Act adopts a risk-based approach to AI systems, including outright prohibition of AI systems that carry what the regulatory authorities deem to be "unacceptable risk," such as social scoring, followed by high-risk AI systems and limited-risk AI systems. Such high-risk systems must be subject to a conformity assessment to demonstrate compliance with trustworthy AI requirements, including on issues such as data quality, documentation and traceability, and the like. On a yearly cadence, EU authorities will update the list of prohibited AI systems, such that companies developing and/or deploying AI systems in connection with products and services in the EU may one day find key products or services have been prohibited or severely restricted by regulation.
Implications for global companies
Global companies need to look around the corner and anticipate these changes on cross-border data regulation in planning and compliance activities. Several key areas of focus are as follows.
Assess applicability of cross-border data and AI regulations
Based on their business operations and geographic footprints, companies need to evaluate whether and how these new emerging cross-border data regulations apply to their global business. In general, the more a company's business operations and/or industry vertical relates to critical infrastructure, defense, sensitive personal data, AI and technology, the greater the likelihood it may come within the scope of these emerging laws.
Enhance data and AI governance
Companies need to sharpen the focus of their data governance efforts to confirm when they may be processing sensitive personal data, important data and other critical business information within the meaning of these new requirements. Companies also need to confirm data inputs and outputs of AI systems, as well as the geography of where such AI systems are deployed. Depending on the sensitivities and specifics of the data and use cases, companies should also consider whether regional or local data repositories and/or AI deployments may offer greater regulatory certainty over time.
Evaluate third-party contractual arrangements
Companies should evaluate whether or how data disclosures to third parties could create cross-border data regulatory risks. The geography and nature of the initial third-party recipients are key, as are onward transfer restrictions, which may give rise to data transit across additional borders and to new recipients, thereby potentially creating risk for the original disclosing company.
Address business continuity
Companies should also enhance business continuity planning to address the potential risk of enforcement actions restricting outbound data transfers, requiring data localization or involving other disruptive legal orders.
Strengthen cybersecurity controls
Given the national security interests expressed in data and AI regulation, and the increased blurring of the lines between advanced persistent threats and financially motivated cybercrime, global companies should continue to invest in and strengthen cybersecurity controls across the enterprise, conduct tabletops, and otherwise regularly test for significant cybersecurity and disruptive data incidents.
Outlook is challenging
We expect these cross-border data regulatory issues to become more challenging over time, as geopolitical tensions and risks are likely to continue to develop and change rapidly. Companies will need to remain attentive to regulatory changes and adapt to anticipated changes sooner rather than later, so they can better manage these new and emerging global risks.
Brian Hengesbaugh is a partner and chair of global data privacy and security at Baker McKenzie.
Elizabeth Denham is the chair of the Jersey Data Protection Authority and a consultant at Baker McKenzie.
