The Establishment of International Rules for Cross-Border Data Flow under Major Country Competition

As major country competition is becoming ever more intense， data has become a key strategic resource， making rules of cross-border data flow going beyond the business scope in a traditional sense and becoming a strategic issue concerning national development and security. Relevant parties compete against each other in three major areas of the collection of cross-border law enforcement data， cross-border flow of corporate data， and global cross-border privacy rules. In the future， the competition will become more intense， and the global cross-border data flow more complicated. But in the meantime， the practice and exploration by the international community also bode well for the establishment of international rules and order for cross-border data flow.

The major country competition behind the Establishment of International Rules for Cross-Border Data Flow

Data is just like air that no one in modern world can live without. At present， major global actors are competing against each other around cross-border data flow rules from three areas， slowing down the establishment of such rules which is in its infant stage.

The first is the competition between long-arm jurisdiction and blocking laws in the collection of cross-border data. Generally， people tend to pay attention to cross-border data flows when dealing with digital trade and services， but cross-border data collection in law enforcement is an issue of importance as well. In order to establish a collection mechanism that meets its own interests， the US has extended its long-arm jurisdiction practice from entity to data， allowing itself to arbitrarily collect any data stored abroad by US enterprises. In response， other countries have introduced blocking laws in order to safeguard their data sovereignty and security.

In March 2018， the US government issued the Clarifying Lawful Overseas Use of Data Act （CLOUD Act）， which stipulates that all US electronic communication service providers or foreign service providers operating within the US， regardless of their data storage in the US or not， have the obligation to save， backup， and provide data to the US government. That empowers US law enforcement agencies to access data stored on servers outside the US. CLOUD Act has become the legislative core of the long-arm collection of cross-border data for law enforcement and judicial purposes， breaking the original judicial assistance mechanism between countries. After its introduction， the EU， following the steps of the US， issued in no time the Electronic Evidence Regulation （Draft） in April 2018， to establish the mechanism of European Data Submission Order and European Data Storage Order with enforcement effect in criminal proceedings. By providing that the law enforcement or judicial authorities of EU members may directly command service providers in the EU or those with representative offices in the EU to submit or restore electronic data， regardless of the data storage within the EU or not， the Regulation constitutes long-arm jurisdiction for cross-border data collection by law enforcement in the EU.

To deal with the long-arm jurisdiction of data， many countries have adopted legislative measures to block the arbitrary access to their data. For example， Switzerland， Luxembourg， and Singapore have imposed restrictions on cross-border access to financial data and imposed strict obligations on banks to keep customer information confidential.

The second is the competition on security review of transnational enterprise data flow. At present， cross-border data flow is mainly related to scientific and technological innovation and economic competition in transnational business and technical service. Based on this， the US is prone to crack down on the digital industry of its rival countries under the pretense of data security， ratcheting up data security reviews by screening foreign investment and banning information and communication technology and service supply chain transactions， thus putting real limit on cross-border data flows. The first is to screen foreign investment. In August 2018， Trump signed the Foreign Investment Risk Review Modernization Act， ushering in a new round of legislative reforms on national security review by the Committee on Foreign Investment in the United States.The Act imposes mandatory reporting requirements on foreign investment transactions involving sensitive personal data held by US companies， with the aim of preventing foreign governments from involving in US companies’ operations through investment and obtaining US data. The second is to ban information and communications technology and services supply chain transactions. In May 2019， Trump signed the Executive Order on Securing the Information and Communications Technology and Services Supply Chain （Executive Order 13873）， which explicitly prohibits “persons” and “property” under the jurisdiction of the US from involving in transactions with information and communications technology and services designed， developed， manufactured， or supplied by persons or entities owned， controlled， regulated， or directed by a foreign adversary， as long as the deal could pose “an undue or unacceptable risk to the national security of the US or the safety of Americans”. On June 9， 2021， Biden signed the Executive Order on Protecting Americans’ Sensitive Data from Foreign Adversaries， detailing the national emergency measures in Executive Order 13873 regarding information and communications technology and service supply chains， referring to “foreign adversaries” as “countries including China”.