Regulating cross-border data flows around the world 15 November 21 Javier Morales Fhon

According to new Global Trends research by Cullen International on the regulation of data flows, in most of the surveyed countries, even if there are no data localisation restrictions, cross-border personal data flows are restricted unless certain conditions are met.

Among the researched countries, the law in Australia, China, Korea and Russia sets data localisation requirements. Data localisation has also been proposed in India and South Africa.

Political discussions have been carried out in trade agreements such as the Asia-Pacific Economic Cooperation (APEC) Cross-Border Privacy Rules (CBPR) system and the EU General Data Protection Regulation (GDPR) adequacy decision framework, among others.

The research found very few examples of fines being imposed in practice for breaches of the rules on data localisation or data transfers (e.g. WhatsApp, Facebook, and Twitter were fined in Russia). However, other sanctions have also been applied (e.g. American Express, Diners Club and Mastercard were restricted from adding new customers in India).

The research shows that data sharing and re-use to drive innovation has been mandated in several countries, mostly for open banking. In addition, in some cases a standardised application programming interface (API) has either been mandated (e.g. Australia, Korea, Russia and the UK) or developed voluntarily (e.g. the US).

The research covers Australia, Brazil, China, the EU, India, Japan, Korea, Russia, Singapore, South Africa, the UK and the US.

For more information on the report, please click on “Access the full content” - or on “Request Access”, in case you are not subscribed to our Global Trends service.


Stay in touch

Subscribe to our newsletter for a free weekly summary of the latest regulatory news and analysis from the communications world.