Editor's note: The IAPP is policy neutral. We publish contributed opinion and analysis pieces to enable our members to hear a broad spectrum of views in our domains.
For more than a decade alongside the IAPP's Global Privacy Summit, I have brought together visiting officials with experts, stakeholders and U.S. officials for a series of private roundtables. The arc of these conversations reflected developments in the international privacy landscape and cross-border data transfers.
From the beginning, ongoing topics included developments in EU-U.S. data transfers and trans-Atlantic gaps in privacy legislation. But an early lesson was that there is much more to the world than the U.S. and EU, and the subjects and participation in the discussion became more global. The scope also changed in step with the increasing economic and social significance of digital information and governance.
This year, the issues and environment are very different.
There is, of course, the turmoil caused by tariffs and shifting alliances upsetting the geopolitical map, trading system and financial order. But, even without these earthquakes, the landscape of data governance and protection looks much more unsettled than in previous years.
Tremblors and aftershocks
Now, with a series of measures — restrictions on bulk transfers of sensitive data to countries of concern, parallel limits on exports of frontier AI models to many other countries than just those, and the on-and-offstatutory ban on TikTok — the U.S. has veered toward data localization. While similar policies may have been implicit in China's longstanding national security law and moves by India and others to require data localization, those were more expected and subsequently relaxed to some extent.
The U.S., on the other hand, has historically championed the free flow of data and opposed data localization.
The EU has contributed to the whiplash with its initiatives to revise the General Data Protection Regulation and harmonize other pillars of its digital legislation, including the AI Act and Digital Services Act, in the name of reducing regulatory burdens, enabling AI training data and increasing competitiveness. This has led to none other than Anu Bradford, of "Brussels Effect" fame, to question whether these steps mean the EU "is giving up its regulatory superpower."
Alongside these developments, the always delicate situation of EU-U.S. data transfers has become more fraught. Although the Biden executive order that is the foundation of the Data Privacy Framework for trans-Atlantic data transfers remains in force, it is one of many national orders under review.
I have received messages of alarm from Europeans due to the firing of the two Democratic members of the Privacy and Civil Liberties Oversight Board and the resignations of a Data Protection Review Court judge and one special advocate, expressing doubt about how effectively the DPF will be enforced.
In the background, the fissures in the trans-Atlantic alliance and hostility toward Europe that U.S. Vice President JD Vance expressed at Paris and Munich and in Signal texts with cabinet colleagues make it unlikely that EU bodies will grant the U.S. any benefit of the doubt when it comes to future adequacy decisions or Court of Justice of the European Union litigation.
Data is the new weapon
Anyone involved in privacy and data protection in the past decade-plus has heard ad nauseam that "data is the new oil," but now data has emerged as a geopolitical weapon. Although the sociopolitical importance of data has long been central to digital strategies, the peaking perception of AI as strategic has given data a geopolitical dimension. This has heightened the stakes in both cross-border transfers and digital policy more broadly.
I said this combination of developments would be unique even without broader turmoil. But, of course, the turmoil does exist and will not settle for some time. Amid a trade war and geopolitical shifts, cooperation on data transfers is likely to diminish and there will be temptations to deploy the data weapon. As yet, it's unclear when or how all this rumbling quiets down and what a new normal may look like.
Cameron Kerry is the Ann R. & Andrew H. Tisch Distinguished Visiting Fellow at The Brookings Institution and former General Counsel and acting Secretary at the U.S. Department of Commerce from 2009-13.
