A Legal Perspective On Cross-border Data Flow In International Law And Comparative Law

With the advent of new technologies,the global connection through the electronic channels changes the way people interact,communicate,and the way businesses function.The expanding of Internet has been one of the critical platforms providing people with access to one another.Therefore,the wide range of social and economic activities are being promoted online through mobile phones and Internet connections.However,it needs an environment of the open Internet and global free flow of data to investigate various sorts of potentially useful information,analyze previous knowledge and eventually turn it into new knowledge.It could say that the Internet has transformed the world,society and economy.The world economy is transforming into the information age driven by database-management technologies.Now this change leads to societies and governments facing the explosion of information.A large amount of data routinely flows across national borders.The open Internet and innovations give individuals a greater involvement in the transfer of their information beyond their own territories than ever before.Today,the sharing and transferring of information can via the Internet is unlocked not only new sources of knowledge,educational opportunity but also provide economic values.The cross-border data transfers,or global data flows,are no longer considered to be a niche issue of interest.The ability to move data across territories via the Internet has become an integral part of the development of a country’quality life and is now a part of international business activity.However,the cross-border flow of data and information creates challenges in the context of jurisdiction.With diverging global,regional and national regulatory frameworks,the number of national legislations in relation to data protection and cross-border data transmission has grown rapidly.However,there are different meanings in the context of applications and interpretations.For instance,some countries consider privacy protection as a fundamental right,while some countries protect the right to privacy in other governmental policies or in tort.Besides,with the rapid growth of IT-technologies,some data protection laws and related mechanisms are outdated and require review and amendments.Such differences and major gaps widely affect,not only individuals,but also businesses,especially those relating to international trade as the data transmission across boundaries may be subject to the different national legal systems.This research mainly focuses on cross-border data flows in the context of the meaning of data flow,the related data-driven innovation,the arguments on cross-border data flow,the regulatory frameworks on cross-border data flow at the international and national level,and the application of regulatory framework in the regional trade agreement(TPP/CPTPP)and the proposed mechanism for the connectivity between China and the ASEAN countries.The details in each chapter are as following:Chapter 1 The background and arguments on cross-border data flows.Firstly,the paper explains the definition and the stages of data lifecycle to understand the nature and background of data.Next part of this chapter defines the related data-driven innovations and the application of such innovations that may affect the data flowing across the border.This chapter also demonstrates the arguments and the rationale for the cross-border data flow.As digitalization and new technologies have impacted not only people’s lives,but have also changed the way traditional industries and business dealings are conducted.In the past,data collecting,storing,processing,and sharing had been difficult because of technological constraints.However,in the 21~stt century,the Internet and digital technologies support data moving freely across borders and also transforming the nature of businesses and services to trade globally.Therefore,the challenges are how to use,control and put the data to work.With the advent of the various technologies,the ways of creating and using data are changing dramatically.The policymakers and regulators must understand clearly the nature of data and data lifecycle in order for them to establish clear and practical frameworks.The data lifecycle can explain the sequence of stages that a particular data is processed from its initial step of data acquisition or data collection to data transfer and/or reuse at the end.There is a wide range of issues concerning innovations and regulatory measures on how to store data and control data transfer to improve productivity,ensure the security of data.In the digital age,data-driven innovations are perceived as the new normal for the near future in terms of the quality of economic growth,job creation and improvement of governance.Data-driven innovations have been valuable in areas of data evaluation and analysis of complex and large volumes of data.Those are including big data,Internet of Things(IoT),cloud computing,and blockchain.In the context of data transfer regulations,there are a number of definitional uncertainties that depend on types of data and mechanisms.The definitions differ between the various data protection regimes.In addition,there are different mechanisms under geographical and non-geographical base(such as the organizational basis)that are required for data transfer across borders.The governance of the data flowing across national frontiers date even further back to the mid-19~thh century.The legislation of cross-border data flows has initially been designed to provide the regulatory approaches and mechanisms necessary to facilitate cross-border data flows and,at the same time,protect national security and databases being processed in countries without appropriate legal safeguards.Currently,the frameworks and regulations of cross-border data flow derive from various legal traditions and cultures.The national laws have been enacted in nearly all regions of the world.On the one hand,governments recognize the growing significance of the flow of information across borders,particularly in the issues of education,international trade,healthcare,and innovation.On the other hand,these governments have to achieve their other relevant legal and policy goals such as cybersecurity,moral reasons,healthcare information,privacy,protection of domestic industries.Therefore,there are two arguments on regulatory approaches of cross-border data flow,those are the restriction of cross-border data flows,and the free-flowing of cross-border data flows.Chapter 2 The regulatory frameworks of cross-border data transfer at the international level.This chapter starts with the introduction of the significant initiatives and the agreements at the international level.The background and related regulatory frameworks are provided in details.This chapter also points out the importance of extraterritorial effect and the implication at the international level.The international norm relating to cross-border data transmission has been developing,especially in the context of the economy.There are a variety of regulatory frameworks which involve cross-border data flows at the international level,including the Guidelines on the Protection of Privacy and Transborder Flows and Personal Data(the OECD Guideline),the Privacy Framework adopted by APEC,the General Data Protection Regulation(GDPR)adopted by the European Union and the Free Trade Agreement between the U.S.and South Korea(KORUS).The aforementioned guidelines and treaties mainly aim to reduce the legal barrier to the free flow of data across boundaries and,at the same time,balance the global data flow and the protection of personal data and public interest of the Member States or the Parties.The significant initiative in the early 1980s was the Organization for Economic Co-operation and Development(OECD).The OECD developed the Guidelines on the Protection of Privacy and Transborder Flows and Personal Data(the OECD Guideline)in 1980,which was aimed at balancing privacy protection and the rights and freedoms of individuals to transfer their personal data across boundaries.The Guidelines also sought harmonization of data protection laws between countries.They were not legally binding;rather,they consisted of legislation guidance for OECD member states that had no data protection legislation.The Guideline was remarkably adaptable to the varying legal structures and technological environments among countries.The Guidelines contained provisions for the Member States to harmonize their national privacy legislation and,at the same time,avoid impeding cross-border data flows.APEC member economies agreed on the APEC Privacy Framework in 2005.The provision was modeled upon the 1980 OECD Guidelines.However,the updated Privacy Framework in 2015 were drawn upon the key concepts mentioned in the OECD 2013 Guidelines.The APEC Privacy Framework has promoted a flexible approach to protect data privacy in the APEC region and,at the same time,avoiding the unnecessary barriers to the data flow.It mainly aims to improve customer trust and confidence in the privacy and the security of online-information operation.In Europe,the Council of European Convention is another international legal instrument dealing with data protection,and cross-border data flow issues.The European Commission became aware of the different data protection legislation that existed among the EU countries,and that these disparities were creating the barriers to the free flow of data within the EU.Therefore,the EU Data Protection Directive on the protection of individuals with regard to the processing of personal data and the free movement of such data(Directive 95/46/EC),was enacted by European Parliament and the Council of Europe Union in 1995.However,the General Data Protection Regulation(GDPR)has replaced the 1995 Data Protection Directive(the Directive)in 2016.The GDPR becomes binding automatically throughout the EU as of May 25th,2018.The principal objective of the GDPR is to give the EU citizens back the control of personal data,as well as,strengthen and harmonize the regulatory framework of data protection within the region for international business.The GDPR is arguably the most significant change to the regulatory framework of data privacy with the extended jurisdiction.Although the critical principles for data protection remain unchanged,however,the GDPR proposes some new rules that will impact businesses and organizations across the globe such as the expansion of territorial reach,data breach notification,data subjects’explicitly consent,and sanctions.The U.S.-EU Privacy Shield is an agreement between the United States and Europe Union to enable the U.S.-based companies to join this framework,as well as make a commitment of complying with the framework requirements.The participating companies are required to self-certify on a voluntary basis.Once commitment becomes enforceable under the U.S.law,those companies are allowed to transfer data outside the EU.The U.S.-EU Privacy Shield is a replacement for the Safe Harbor Agreement which was invalid,decided by the European Court of Justice(ECJ)on October 6,2015.The U.S.-EU Privacy Shield reflects the stronger obligations of the U.S.-based companies to protect the EU personal data.The legal obligations imposed by the Privacy Shield on the protection of the EU personal data in the U.S.-based companies mainly include the obligations of companies in receiving data,safeguards on the access to data,the protection and redress for individuals,and annual joint review mechanism.The U.S.-Korea Free Trade Agreement(KORUS)is an agreement that has not only led to tariff cuts on imports of goods from the U.S.to South Korea,but also promotes the exports of goods and services.The rapid growth of personal-computer usage and current rate of Internet access in South Korea is considered to be among the highest in the world.In addition,South Korea has a relatively advanced information technology infrastructure and adopts one of the most comprehensive policy frameworks relating to e-commerce in Asia.The KORUS is perceived as a clear message towards cross-border data flows,as both parties not only realize the importance of cross-border data flow,but also take efforts to avoid imposing unnecessary barriers to data flows.The Trans-Pacific Partnership(TPP)was a regional free trade agreement signed in 2016 among 12 countries that played a key role to re-shape the cross-border data flow mechanism among the member countries covering 800 million people.TPP accounted for 40 percent of world gross product and one-third of the global trade volume.As compared to other bilateral or multilateral trade deals,the TPP had spurred the development of mega free trade agreements and offered another stage to advance the trade agenda.The TPP E-commerce chapter provided a legal framework for governments to permit the free flow of data with the protection of personal information,prohibited localization of data centers in its territory and limited opening software source code.As the legal frameworks and technologies are different among TPP countries,this paper points out some concerns relating to cross-border data flow in the provision of TPP such as the different legal obligation requirements and the policies among countries,the proposed self-regulation mechanism in the provision of the TPP,the implication of prohibition of source code disclosure.Chapter 3 The GDPR and Multilateral Free Trade Agreement,TPP,and CPTPP,as a case of re-shaping on cross-border data flow mechanism at the international level.The Chapter starts with the explanation of the background and the importance of the GDPR and multilateral free trade agreement(TPP)in the context of trade and geopolitics.Next part of this chapter will focus on the provision of the GDPR and the provision of E-commerce in the TPP in relation to the cross-border data flow and the implication of such regulation.In addition,the paper will provide the details of the implication caused by the GDPR and the establishment of CPTPP after the U.S.President Donald Trump withdrew the U.S.from the TPP trade pact,as well as the cooperation with other regional initiatives.In the digital age,the complexity of“borderless”cyberspace challenges the state’s sovereignty in the dimension of the territory principle.The unilaterally extraterritorial jurisdiction in the General Data Protection Regulation(GDPR)adopted by the European Parliament and the Council of European Union is intended to address the complex issues of data protection regimes at the international level.The GDPR with extraterritorial effect poses a new challenge to international trade mechanism.This chapter also discusses the implication of the extraterritorial effect of the GDPR to Asian and African countries which are the trade partners of the EU.Although governments can adopt the policies or measures to restrict the ability to access the Internet and limit free flow of data across boundaries,the regional free trade agreements(RTA)are considered as a significant mechanism for regulatory harmonization on cross-border data flow.The TPP mainly focused on the point of trade and geopolitics.It was also claimed as a U.S.strategic rebalancing toward the Asia-Pacific region.Although some countries have considered taking back control of data protection and cross-border data flows and even calling on the state to put these issues into the political arena.Nonetheless,the U.S.has supported personal data protection with the free flow of data across international borders.Therefore,the U.S.has tried to penetrate and dominate the economies of the region through RTAs mechanism with the reasons for full market opening,regulatory harmonization,trade liberalization and overcoming the unnecessary barriers.TPP was expected to link and enable TPP countries to use digital platforms progressively in reaching new customers and to rely increasingly on cross-border data flows to monitor their businesses.The TPP member countries focused on streamlining and regulatory harmonization.The legal framework with consistent principles across national and international borders was claimed that it could lead to predictable consequences.Although the U.S.President Donald Trump withdrew the U.S.from the trade pact,the high-standard requirements including cross-border data flow regulation in the TPP framework have not dropped out of sight.The remaining 11 TPP countries have agreed in principle to a revised TPP trade agreement,called CPTPP(the Comprehensive and Progressive Agreement for Trans-Pacific Partnership).Currently,seven countries have already ratified the CPTPP agreement,including Australia,Canada,Japan,Mexico,New Zealand,Singapore,and Vietnam.Concerning the context of the CPTPP electronic commerce chapter,the CPTPP requires all parties to allow the free flow of data across borders with the protection of personal data of the e-commerce users,and prohibits maintaining the computer servers in specific geographical locations.These legal frameworks are similar to the original TPP agreement.Since the 12 TPP member countries are members of the APEC,the CPTPP framework is expected to affect future negotiations in the APEC forum in the three areas of data privacy,data localization and the free flow of data.Besides,the CPTPP has also expressed an interest in building a cooperative partnership with the RCEP,because most of CPTPP countries—except Canada,Chile,Mexico and Peru—are also joining the RCEP trade pact.Moreover,the RCEP includes the economic giants of China and India.The remaining countries of the TPP are pushing for the implementation of the deal and are hoping that the high-standards of the CPTPP framework might become a model for other multilateral trade negotiation,most notably the ASEAN-led Regional Comprehensive Economic Partnership(RCEP)agreement.The CPTPP has significant policy implications to the U.S.because the absence from the two major RTA,the RCEP and CPTPP,could affect the influence of the U.S.in the Asia-Pacific region,particularly in establishing the international frameworks and taking advantage of trade and investment.In addition,the growing networks of trade agreements will make the member countries increasingly attractive for trade and investments.Recently,South Korea,Thailand,the United Kingdom,and Colombia have expressed interest in joining the CPTPP deal.Chapter 4 The comparison of national cross-border data flow regulation.This chapter firstly provides information of global internet usage,then,provides a brief overview of the national regulatory framework and mechanism of some countries,including the United States(U.S.),the European countries,some Asian countries,as well as provides checklists with key legal requirements on cross-border data flow in African countries.Next part of this chapter furthers to focus on the comparison of national regulation in the context of privacy protection,data protectionism,extraterritorial jurisdiction,and penalties.In addition,the chapter also raises some phenomena in the context of law enforcement at the international level and national level and the system level.Although the use and analysis of cross-border data can promote the economic growth of countries;however,at the policy level,governments need closely monitor data flows across boundaries.The cross-border flow of data and information creates challenges in the context of jurisdiction because the data transmission across boundaries may be subject to the different national legal systems.The different levels of data protection will give different results to society and businesses.The data protection laws which are too restrictive will consequently create trade barriers and adversely affect the process of business and business trust.The legislation and regulatory frameworks could reflect the realities of the countries’international politics and interests in a specific area.The paper mainly focuses on the comparison of the data protection laws among countries to understand the current differences of digital governance,as well as the existing challenges.Those countries include the United States,the European countries,the Asian countries(except the ASEAN countries),the African countries.The U.S.initiated the policy to work on the communication network with different purposes in the early stages of the widespread use of the Internet.The nature of the U.S.privacy and data protection regime is relatively flexible and relies on post hoc government enforcement and private litigation,rather than specific restrictions.There is an array of federal laws regulating the collection and use of personal data in the context of privacy protection.There are few restrictions on data transfer outside the territory at the state-law level.In the U.S.,the private sector plays a key role as a formal part of the policy-making process.In addition,the U.S.government supports the right of private sector to drive electronic commerce with minimal government intervention by encouraging industry self-regulation.The U.S.has also adopted the self-regulation mechanism for data protection regime.Since the U.S.also focuses on all functions that affect the adequacy of protection,including the systems,organizations,authorized agencies,hence,risk management is the critical measure to monitor and manage the associated risks with all processes.In European countries,data transfer mostly relies on EU data protection law.The primary target of the EU General Data Protection Regulation(GDPR)is to harmonize the data protection regulation throughout Europe.However,the Member States of the EU can enact their national legislation with exceptions provision to their other significant public policies such as freedom of expression,national security,criminal law enforcement.Currently,the EU Member States have been working in implementing the GDPR and their drafts of respective legislations.The paper also introduces Belgium’s implementation of the GDPR in practice as an example.In Asian countries,China,Russia,and Japan are one of the key countries in the context of the data-flowing mechanism.China adopted the first comprehensive legislation for data protection on June 1,2017.Known as the Cybersecurity Law,the legislation governs network and system security.In addition,the policymakers have established a series of regulations for cross-border transmission of personal data and important data.The provisions aim to regulate all aspects of data protection.The Russian government has imposed the Russian Federal Law No.242-FZ,which supplemented Federal Law No.152-FZ,is an unprecedented regulation in personal data protection.The Russian Federal Law No.242-FZ,also known as the data localization law.In Japan,with respect to the data protection on personal data,the Japanese government enacted a series of laws in relation to the protection of personal data in 2017.The main reason is that the globalization of data transfer across the borders creates a demand for ICT services which generates new opportunities of businesses in Japan.In addition,the government has adopted a new series of regulations binding and enforceable on the specific entities or agencies to bridge the differences of legal approaches.It is reported that there are 99 countries that have enacted legislation pertaining to data protection and privacy in order to limit the use and transfer of personal data or sensitive data.Most legal frameworks are primarily focused on the protection of the individuals’right to privacy and prevention of the misuse of personal data.However,different countries have different approaches to the issues of data protection and privacy.For instance,the U.S.and the EU sometimes formulate the same policies and arrive at the same conclusions;however,the U.S.and the European legal approaches,at their conceptual core,are comparably different.European countries focus on the omnibus approach of data protection while the U.S.has no comprehensive national law regulating the collection and transfer of data.The issues of national data localization regulation and restriction on the cross-border data flow have been debated increasingly.The data localization legislations among countries are different in nature and scope.The data localization policies typically involved requirements such as data processing within the territory,using locally provided equipment or storing data locally.In addition,data protectionism is adopted with some specific scopes such as digital sovereignty,data protectionism in the contractual mechanism.The current situations of data protection and privacy have encouraged governments and businesses to reform their frameworks or regulations to meet the rapid growth of technologies and user requirements.The EU GDPR and the U.S.CLOUD Act,for instance,provide a new concept of geographical scope of the data protection regime that expands the territorial reach.The paper demonstrates the legal requirements and the concerns in term of conflicting obligations between these provisions.Among the existing legislation on data privacy and data protection,it is based on the need to build coherent data protection principle with strong enforcement among different countries.In this respect,there is a need for standardized or harmonized common rules to ensure data protection and privacy,and to facilitate cross-border data flow in economic areas that have been highlighted.The harmonized framework based on bridging the differences is mainly meant to ensure that the policies are not applied in a manner that creates arbitrary discrimination or imposes limitations that are greater than what is needed to achieve legitimate interests.Chapter 5 China-ASEAN as a case of connectivity under the difference of national mechanisms at national level.The paper will start with the establishment of the ASEAN,and the critical project of Chinese One Belt,One Road(OBOR)and the ASEAN’s the Master Plan on ASEAN Connectivity 2025(MPAC 2025).The paper also clarifies the related regulations on cross-border data flow in details.It is intended to point out the difference of legal requirements and policies to shape questions and lead to the proposed solutions on how to harmonize the regulatory framework and mechanism to achieve the goal of China-ASEAN connectivity.The ASEAN countries recognize the importance of leveraging opportunities in the digital age and the need to promote cross-border trade in the region.Therefore,the ASEAN has developed the ASEAN Single Window(ASW),aimed at the connectivity and integration of the ASEAN Member States into a single window to accelerate the exchange of online information on trade and customs documents.In addition,the ASEAN countries are making an effort to negotiate an ASEAN Agreement on Electronic Commerce under the ASEAN Work Program on E-Commerce 2017-2025.Currently,the ASEAN Economic Community(AEC)has worked more on the broader trade agreements which promote the free flow of goods,services,and the data in the region.Among these agreements are the Comprehensive and Progressive Agreement for Trans-Pacific Partnership(CPTPP)and the Regional Comprehensive Economic Partnership(RCEP).Although the ASEAN nations are becoming important participants in the digital revolution;however,the ASEAN countries are moving at different speeds toward the digital economy because of certain critical factors,such as Internet usage.Therefore,the ASEAN implemented its Master Plan on ASEAN Connectivity 2025(MPAC 2025)to increase connectivity in the region.The main objective of MPAC 2025 is to create a seamlessly and comprehensively connected and integrated ASEAN community.With the diverse and complexity of culture and society,the greater connectivity will promote a sense of community under the three main pillars of political-security,economic and socio-cultural dimensions.In China,the Belt and Road Initiative,also known as the One Belt,One Road(OBOR)is an economic and diplomatic policy project initiated by Chinese President Xi Jinping.The name of the OBOR came from China’s important export product—silk–and the road of the silk trade.The OBOR project is viewed as the key to China’s future economic vitality.Despite the globalization of digitalization,China and the ASEAN countries still adopt the various legal requirements for data transfers across their territories.These requirements have led to gap in data protection regulation in various international policy processes.It is necessary to understand the existing legal mechanisms on data protection and cross-border data transfers in China and the ASEAN countries,and the gaps that occur in practice,so that the governments and organizations can adopt the harmonized frameworks.The multinational companies and organizations are obliged to comply with legislation and regulation of involved countries.Therefore,the obligations create difficulties caused by the different legal norms and policies between countries.In the meantime,the lack of sufficient infrastructure and differences in rates of development of the digital economy are still the main concerns.In addition,the language and culture barriers can become significant obstacles.The formation of cooperative task forces or task groups between the ASEAN countries and China should be the key approach.In addition,different legal requirements and frameworks are needed to interpret matters in a way that will be consistent with the laws that are in force;otherwise,both data processing and data transfers will be subject to a wide range of disputes among the various countries.There is no one-fits-all resolution to solving the differences among the countries in the region.The development of the regional digital norm could consider implementing the proposed harmonized legal mechanisms.Chapter 6 Conclusion.This chapter summarizes the key issues and the implications arising from chapter 1 to chapter 5.The key message is to point out the importance and application of data in the digital age,the regulatory frameworks adopted at the international level and national level,as well as the implication and concerns raised regarding those related regulations.In addition,the paper provides the case of law enforcement at the international level in the context of trade and geopolitics.At the national level,the cross-border data flows among different jurisdictions which do not offer the comparable level of data protection becomes concerns increasingly both in public sector and the private sector.Therefore,the paper is intended to shape the question of different legal requirements through the comparison of related regulations and propose the solutions for legal harmonization.