It has been 40 years since the world was treated to one of the best anti-war songs of all time, "99 Red Balloons." At a time when the prospect of a catastrophic nuclear war seemed like a real possibility, the German band Nena told us how global conflict could escalate out of hot air to cause entirely unintended devastation.
Today, we live in a far more interconnected world than in the '80s, but the current direction of travel risks creating a level of digital fragmentation of truly devastating consequences. While it should be obvious by now that global data flows play a vital role in our digital — and not-so-digital — lives, current policy and regulatory developments are chipping away at some of the elements that have made international data transfers part of our everyday reality.
It could be argued that the global instability we are witnessing justifies the drastic measures being deployed to prevent personal information from flowing freely across national borders. However, the way in which legal restrictions on international data transfers have evolved in recent times — from mainly privacy and data protection-related reasons to economic sovereignty and national security ones — shows the stakes are higher than ever before, precisely at a time when data globalization is most indispensable.
Limits on data transfers are not new, but some of today's interventions are unprecedented and, in some cases, downright questionable due to impracticable interpretations of data protection law.
Data sovereignty and national security
Even in the current climate of toughening foreign policies, last year's White House executive order targeting data brokers and restricting the bulk transfer of Americans' sensitive personal data to certain countries that are deemed to pose "an unacceptable risk to the national security of the United States" was a striking change of direction.
In a move that broke with a long-established way of thinking around free flows of data from the U.S., the Biden administration directed the U.S. Department of Justice and other federal agencies to issue regulations restricting U.S. companies from transferring large datasets of Americans' sensitive personal data to "countries of concern," which a DOJ press release separately identified as China, Cuba, Iran, North Korea, Russia and Venezuela.
While this does not amount to a blanket prohibition — as there are some limitations in terms of the type of personal data and the volume of the transfers affected, and some carve-outs for financial services, payment processing and regulatory compliance and other data transactions within multinational companies, such as payroll and HR — it is still a severe measure.
This was followed by the Protecting Americans' Data from Foreign Adversaries Act, which in a similar fashion seeks to prevent data brokers from transferring personally identifiable sensitive data of U.S. individuals to certain jurisdictions categorized as foreign adversaries or to entities controlled by foreign adversaries. The act treats violations as "unfair or deceptive" acts or practices subject to U.S. Federal Trade Commission enforcement authority.
If predictions about the Trump administration's stance on this front are to be guided by the future president's current narrative, data flows from the U.S. are certainly not going to get any easier. The promotion of domestic interests will likely work in tandem with the perception that limiting data sharing with other jurisdictions will protect national security, creating a fertile ground for data protectionism.
Looking from the other direction, since the adoption of its Personal Information Protection Law, China has also sought to place legal limitations on transfers of personal data, in a way that mirrors the European approach but is more administrative-heavy. Yet, despite some of the more onerous measures to legitimize personal data flows from China being softened in 2024, greater restrictions have been placed on most exports of sensitive personal data, of personal data relating to significant numbers of individuals, and on exports of other — personal and nonpersonal — data types that are designated by the local authorities as "important" or otherwise having a nexus to China's national security.
There is clearly something of a trend here, which is spreading to countries with very different legal traditions and systems of government but that share a similar perspective when it comes to data. The value of data as an asset — both economically and strategically — is certainly not lost to many countries' governments, which are increasingly approaching data sovereignty as a policy priority, often for national security reasons. The question is whether such a policy is truly an advantage for businesses and citizens within their jurisdictions seeking to operate globally.
The toughening of the EU approach
An equally concerning trend from a data globalization perspective is the regulatory approach to international data transfers that has emerged in Europe following the "Schrems II" decision by the Court of Justice of the European Union. The "Schrems II" decision sought to find a reasonable way of enabling the protection of personal data beyond Europe while calling out the excessive powers of certain U.S. government agencies to access such data.
Importantly that decision requires consideration of all the circumstances surrounding the transfers of personal data outside the European Economic Area. But even though the legal framework in the U.S. has now changed to curb the power of the state to access European data, the interpretation of the CJEU decision has led to an absolutist approach to data protection, which is only satisfied if the potential for government access to data is nil.
From the use of Google Analytics to Microsoft 365, the default stance by some European regulators is that the transfers of personal data to the U.S. and other jurisdictions involved in the use of these products do not meet the necessary level of protection established by the EU General Data Protection Regulation because of the possibility of access to such data by law enforcement or intelligence agencies.
This line of thought leaves no room for a balanced assessment of the circumstances of the transfer in practice. It ignores the types of information involved, the risks individuals are exposed to by sharing that data internationally, the historic objective trends of government access and the recent changes in U.S. law protecting European data subjects. If taken to the extreme, it would lead to the conclusion that no matter what protections may be regarded as proportional to the risk, all transfers anywhere are unlawful.
In search of a solution for the future
We live in a truly uncertain world. Conflict and polarization are contributing to today's policies of data sovereignty and zero-risk international data transfers demands. Yet, the very same world has become more digital, technology is more universal, and people are keener to communicate across geographical borders. The solution to uncertainty cannot be isolation.
Digital isolationism is the ultimate oxymoron because data flows globally by default. The solution to international data transfers is about finding mechanisms of protection that acknowledge that a zero-risk reality does not exist, that are adapted to the nature of the risk, and that accept that safeguards are compatible with openness.
Isolation, if anything, heightens uncertainty, breeds distrust and creates barriers. Communication across borders and regions helps Americans understand Europeans, understand Chinese, understand the world at large. Not sharing across borders and regions, means not communicating and most worryingly, not being able to understand each other.
It is possible to share and communicate globally without creating credible threats to personal data. Protecting personal data across borders is essentially about combining responsibility for effective and realistic safeguards that address real risks, rather than theoretical ones, with tolerance for other approaches and standards.
The emphasis should be on the outcome and ensuring that such an outcome is a beneficial one balancing everyone's interests. Unlike in Nena's "99 Red Balloons," the future of global data flows does not need to end with a cataclysm. It just needs to be approached with realism and the confidence that if we focus on deploying safeguards instead of barriers, in the end — as the last balloon in the song — it will fly.
Eduardo Ustaran, AIGP, CIPP/E, is a partner at Hogan Lovells.
