Cross-Border Data Flows in International Law

  • Writer: Edmarverson A. Santos
  • 4 hours ago

Introduction


Cross-Border Data Flows are now a structural feature of economic life, public administration, and social interaction. Data moves across borders when businesses process payroll in foreign cloud environments, when banks clear international payments, when hospitals rely on remote data storage, when social media platforms route user content through distributed server networks, and when law-enforcement authorities seek electronic evidence held abroad.


The legal significance of these movements no longer lies only in their volume or speed. It lies in the fact that a single transfer of data may activate several bodies of law at once: privacy law, trade law, jurisdictional rules, cybercrime cooperation, investment regulation, and human rights guarantees. Cross-border data governance has therefore become a serious problem of public international law rather than a narrow technical issue of digital regulation (UNCTAD, 2021; Ashutosh, 2024).


The first analytical difficulty is conceptual. “Data flow” is often used as if it described a single and easily identifiable legal act. It does not. In practice, the term may cover the sending of data from one entity to another, the remote access of data stored abroad, the mirroring of datasets across jurisdictions, the onward transfer of information to third parties, or the compelled disclosure of data by private intermediaries to foreign authorities. These distinctions matter because legal consequences differ according to the nature of the act in question.


A company that stores customer information in a foreign server environment raises different legal issues from a prosecutor demanding subscriber data from a provider in another jurisdiction. The first scenario may turn primarily on data-protection safeguards, contractual mechanisms, and commercial regulation. The second may trigger questions of sovereignty, due process, mutual legal assistance, and the limits of extraterritorial enforcement. Any serious article on the subject must therefore begin by rejecting the assumption that all cross-border data movement raises the same legal problem (Klabbers, 2024; Aust, 2005).


A second difficulty is doctrinal fragmentation. There is no universal treaty that comprehensively regulates cross-border data flows as a distinct branch of international law. What exists instead is a dense but uneven legal architecture composed of partly overlapping regimes. International human rights law supplies a normative baseline through the protection of privacy and correspondence, most clearly expressed in Article 17 of the International Covenant on Civil and Political Rights. Regional and transnational data-protection regimes add more detailed transfer mechanisms and safeguard structures. Trade law addresses the relationship between data mobility, digital services, localization requirements, and regulatory exceptions.


Cybercrime instruments and mutual-assistance frameworks govern access to data for investigative purposes. National-security law adds a further layer of complexity, because foreign surveillance powers may affect the legality of transfers even where private-sector safeguards appear robust. The legal problem, then, is not an absence of law. It is the coexistence of multiple legal regimes that do not share a single hierarchy, vocabulary, or institutional logic (ICCPR, 1966, Art. 17; UNCTAD, 2021; Ashutosh, 2024).


This fragmentation is not merely theoretical. It produces real conflicts in practice. A State may defend free movement of data in trade negotiations while simultaneously imposing strict restrictions on transfers of health, financial, or security-related information. A privacy regulator may regard a transfer as unlawful because the receiving jurisdiction permits disproportionate public access to personal data, even while commercial actors treat the same transfer as indispensable to digital trade.


A criminal-investigation authority may seek direct access to subscriber information stored abroad in the name of efficiency, while another State views such conduct as an intrusion into its regulatory sphere. These examples show that cross-border data flows cannot be explained adequately by a simple opposition between openness and restriction. The central issue is how law allocates authority, risk, and responsibility when data, unlike many physical goods, can be copied, accessed, processed, and disclosed in several places at once.


The international legal dimension of the problem is sharpened by the weakness of purely territorial reasoning. Traditional public international law was developed around concepts that presupposed a relatively stable relationship between territory, authority, and regulated activity. Data infrastructures destabilize that relationship. A dataset may be generated in one State, routed through another, stored in several others, accessed by a processor elsewhere, and later disclosed to a public authority in yet another jurisdiction. This does not make sovereignty irrelevant. On the contrary, it produces more frequent and more intense assertions of sovereign authority.


States respond by extending the reach of domestic regulation, by requiring local storage or local copies of certain categories of data, by conditioning transfers on adequacy or equivalent safeguards, and by demanding disclosure powers over data held by foreign service providers. The result is a field marked by overlapping jurisdictional claims rather than by the disappearance of state power (Klabbers, 2024; González Hauck and Milas, 2024).


Human rights law is especially important in this setting because it supplies a normative limit on both public and private power. A transfer regime that ignores the risk of arbitrary surveillance, indiscriminate interception, or opaque algorithmic profiling is not legally neutral. It may facilitate violations of privacy, equality, procedural fairness, and freedom of expression. The point is not that every cross-border transfer threatens rights, but that the conditions under which transfers occur determine whether rights remain meaningful in digital environments. This is one reason why cross-border data flows must be examined through the lens of public international law and not left to technical standards or private contracts alone. If personal data are transferred into a legal environment that permits broad intelligence access without sufficient safeguards or remedies, the legality of the transfer itself becomes doubtful. That problem cannot be solved simply by invoking economic efficiency or innovation.


At the same time, a rights-based account alone is not sufficient. Cross-border data flows are also tied to global distributional inequalities. Data-driven business models, cloud infrastructure, computational capacity, and platform control are concentrated in a limited number of jurisdictions and corporate actors. This concentration affects who captures value from digitalization, who sets standards, and who bears regulatory dependence. UNCTAD has been particularly clear on this point: the governance of cross-border data flows is inseparable from questions of development, policy space, and unequal value capture in the digital economy (UNCTAD, 2021).


For many developing countries, the legal debate is not simply how to permit more transfers, but how to avoid a regulatory structure in which local data are extracted, processed, and monetized elsewhere while domestic authorities remain dependent on foreign infrastructure and foreign legal frameworks. Any account that treats data mobility as an uncomplicated public good misses that structural reality.


The attached literature usefully identifies jurisdictional complexity, conflicting privacy standards, and the growing role of multinational corporations as key features of the field (Ashutosh, 2024). That diagnosis is broadly correct, but it remains too general if not pushed further. The stronger doctrinal claim is that cross-border data flows are governed through a layered legal order in which different regimes pursue different public purposes. Human rights law seeks protection against arbitrary interference and abuse. Trade law seeks openness, predictability, and non-discrimination, subject to exceptions. Cybercrime cooperation seeks timely access to evidence and operational effectiveness. Data-protection law seeks lawful processing, accountability, and equivalent safeguards in outbound transfers.


National security frameworks seek intelligence access and risk management. Development-oriented approaches seek policy autonomy, infrastructure capacity, and fairer distribution of digital gains. These objectives do not naturally align. The law of cross-border data flows is therefore best understood as a field of managed tension rather than harmonized consensus.


This article proceeds from that premise. It argues that cross-border data flows are not regulated by a self-contained and autonomous body of international law. They are governed by an increasingly dense but fragmented legal architecture in which sovereignty, privacy, trade, security, and development claims intersect and often collide. The main task is not to identify a single master regime, because none exists. The task is to explain how these regimes relate to each other, where conflicts arise, and what doctrinal tools are available to resolve them without collapsing the analysis into either digital laissez-faire or indiscriminate data nationalism.


The discussion that follows, therefore, treats cross-border data flows as a foundational problem of contemporary international law: one that reveals the limits of older territorial assumptions, the enduring force of sovereignty, the centrality of human rights, and the increasingly contested distribution of authority in the digital age (Aust, 2005; Klabbers, 2024; UNCTAD, 2021).


1. Cross-Border Data Flows as a Legal Concept


The expression Cross-Border Data Flows looks simple, but legally it is much wider than the movement of a file from one country to another. In digital practice, data may be routed through foreign servers, mirrored in cloud systems, processed by a platform operating across several jurisdictions, accessed by an affiliate in another State, or disclosed to a foreign public authority. A single dataset can therefore generate several different legal events at the same time. For that reason, the concept must be treated as a legal category covering multiple forms of cross-jurisdictional data movement, storage, access, processing, and disclosure rather than a single technical act (UNCTAD, 2021; Ashutosh, 2024).


This broader understanding matters because international law does not regulate “flow” in the abstract. It regulates concrete acts that affect rights, obligations, and jurisdiction. Cross-Border Data Flows raise questions of sovereignty, privacy, trade, security, and international cooperation because the same data operation may fall under more than one legal regime. The legal meaning of the concept depends on what exactly happens to the data, who controls them, where they are accessible, and which authority claims the power to regulate or obtain them.


1.1 The term and its limits


A legally serious definition of Cross-Border Data Flows must begin with the point that a flow is not only a transfer. It may also include remote access, foreign storage, cloud replication, platform processing, onward disclosure, or compelled production to a foreign authority. This distinction is essential because the law often attaches different consequences to each act. A company sending customer data to a foreign cloud provider does not raise exactly the same issues as a foreign prosecutor demanding access to subscriber records stored abroad.


The legal analysis changes according to whether the relevant act is transfer, storage, access, disclosure, or onward transfer. Storage directs attention to the hosting location, replication, and vulnerability to foreign state access. Access focuses on who can retrieve or use the data, including affiliates or public authorities outside the original jurisdiction. Disclosure and onward transfer raise additional concerns because data may move beyond the initial recipient and enter a new legal environment with weaker safeguards or broader surveillance powers. The concept is therefore useful only if these acts are separated rather than collapsed into a vague idea of international data movement (Council of Europe, 2001; Council of Europe, 2022).


At the same time, the concept has limits. Not every digital activity with some international dimension should automatically count as a cross-border data flow. The category is most useful when the foreign element changes control, protection, access, regulatory exposure, or legal risk. If it is stretched too far, it loses precision and becomes analytically weak.


1.2 Why classification matters


The legal treatment of Cross-Border Data Flows depends heavily on the type of data involved. Personal data usually receive the strongest protection because they relate to an identified or identifiable individual. Non-personal data may be regulated more lightly, but that does not mean they are legally insignificant. Many commercially important datasets are mixed, containing both personal and non-personal elements, which makes classification more difficult and more important at the same time (European Union, 2016; European Union, 2018).


The difference between anonymized and pseudonymized data is also crucial. Properly anonymized data often fall outside data-protection regimes because the individual can no longer be identified. Pseudonymized data do not enjoy that status if re-identification remains possible through additional information. This means that two datasets may look similar in practice but attract different legal consequences because one still carries a realistic link to an individual and the other does not.


Sectoral classification matters as well. Health data are often subject to stricter safeguards because they reveal intimate details of physical and mental condition. Financial data may engage prudential supervision, anti-fraud rules, and regulatory reporting duties. Metadata can also be highly sensitive because they reveal patterns of movement, communication, and association even without exposing message content. Critical infrastructure data, such as information concerning energy, telecommunications, transport, or public security systems, may trigger restrictions based on resilience and national security rather than privacy alone.


These classifications are not academic details. They determine which transfer rules apply, which safeguards are required, and which exceptions may be invoked. A legal framework that ignores classification risks treating very different regulatory problems as if they were the same. In Cross-Border Data Flows, that would produce weak analysis and weak legal conclusions.


1.3 The fiction of pure territorial location


A common assumption in legal and policy debate is that data sit in one territory and can therefore be governed by locating them in the same way one locates goods in a warehouse. That assumption is increasingly misleading. Data are often replicated, partitioned, cached, backed up, and accessed remotely across several jurisdictions at once. A single dataset may be collected in one State, stored in another, mirrored in a third, and accessed from a fourth (UNCTAD, 2021).


This does not mean territory has become irrelevant. Territorial location still matters for infrastructure control, regulatory competence, and enforcement possibilities. The problem is that it no longer provides a complete answer. A server may be physically located in one country while controlled by a company incorporated elsewhere, used by individuals in several States, and exposed to access demands from foreign authorities. In that setting, physical location is only one connecting factor among several.


The fiction of pure territorial location complicates jurisdiction because multiple States may claim authority over the same data. One may rely on the place of collection, another on the establishment of the controller, another on the residence of the affected individuals, and another on security interests linked to infrastructure or public order. Cross-Border Data Flows, therefore, weaken any legal model built on the assumption that one dataset belongs neatly to one territory and one sovereign. The more accurate approach is relational: the legal analysis must follow data pathways, points of control, and possibilities of access across several jurisdictions rather than searching for one exclusive territorial anchor.


2. Why there is no single law of data flows


The legal governance of Cross-Border Data Flows does not rest on one universal and comprehensive regime. That is the basic point that must be established at the outset. The field is composed of several legal layers that were developed for different purposes and under different institutional settings. Some rules were designed to protect privacy and other rights, some to facilitate trade and digital services, some to enable criminal cooperation, and some to guide technical interoperability or public policy coordination (UNCTAD, 2021; Klabbers, 2024).


This structure produces legal plurality rather than legal unity. A transfer that appears acceptable under one framework may still be challenged under another. Trade disciplines may favour openness and non-discrimination, while privacy and human rights regimes may insist on legality, safeguards, and proportionality. Cybercrime and law-enforcement frameworks may emphasize rapid access to electronic evidence, even where data-protection systems impose stricter transfer conditions. The result is not a lack of law, but a field shaped by overlapping norms with different priorities (Ashutosh, 2024; Aust, 2005).


2.1 Fragmentation as the starting point


There is no universal treaty that comprehensively governs cross-border data flows as a distinct branch of international law. What exists instead is a composite framework assembled from international human rights law, trade law, cybercrime cooperation, regional data-protection instruments, bilateral arrangements, and soft-law processes. UNCTAD has described the global governance of data as fragmented, with States adopting different approaches to definitions, restrictions, safeguards, and regulatory objectives. That diagnosis remains central to any serious doctrinal analysis (UNCTAD, 2021).


Human rights law supplies one foundational layer, especially through privacy protections and limits on arbitrary interference. Trade law adds another layer through rules concerning digitally delivered services, e-commerce, localization measures, and public-policy exceptions. Cybercrime instruments address access to electronic evidence and cross-border cooperation. Regional data-protection frameworks, including Convention 108 and its modernized form, provide more detailed safeguards for transfers, but they do not create a universal model binding all States. Bilateral and regional arrangements then add further diversity rather than removing it (Council of Europe, 1981; Council of Europe, 2018; Council of Europe, 2001).


The attached materials reinforce this fragmented picture. UNCTAD’s survey of G20 members shows that rules affecting cross-border data flows appear across areas such as health, telecommunications, finance, child protection, competition, and public administration. That matters because it shows that data governance is not confined to one field of law or one institutional logic. It is distributed across several sectors, each bringing its own legal language and regulatory concerns (UNCTAD, 2023; Ashutosh, 2024).


2.2 Hard law, soft law, and hybrid governance


A second reason why there is no single law of data flows is that the field is governed through a mixture of hard law and soft law. Hard law includes treaties, binding regional instruments, legislation implementing treaty obligations, and institutional acts that produce formal legal effects within a given legal order. In this field, examples include human rights treaties, cybercrime conventions, and regional data-protection instruments that regulate transfer conditions and supervisory mechanisms (ICCPR, 1966; Council of Europe, 2001; Council of Europe, 1981).


Soft law is equally important. Political declarations, OECD instruments, G20 principles, regulatory guidance, technical standards, certification systems, interoperability frameworks, and model contractual clauses often shape practice long before a binding universal rule emerges. These instruments may not have the same formal status as treaties, but they structure expectations, influence domestic regulation, and often become the practical basis on which transfers are assessed and managed. Soft law is therefore not peripheral in this field. It frequently organizes conduct before hard law catches up, and sometimes it remains the dominant mechanism of coordination even after binding rules appear (OECD, 2022; UNCTAD, 2021).


Hybrid governance follows from that coexistence. A transfer regime may depend at the same time on a treaty-based privacy norm, a regional adequacy decision, standard contractual clauses, technical security standards, and regulator-issued guidance on risk assessment. No single instrument controls the whole process. Legality is often produced through the interaction of binding norms and operational tools that are formally softer but practically decisive. That is one reason why the governance of Cross-Border Data Flows cannot be reduced to treaty law alone (Aust, 2005; Klabbers, 2024).


2.3 Public and private norm production


The absence of a single law of data flows is also explained by the strong role of private actors in shaping the conditions under which data actually move. Platforms, cloud providers, telecommunications operators, payment intermediaries, software vendors, and infrastructure firms determine where data are stored, how they are routed, what security architecture is used, and how access requests are processed. Their operational choices often influence legal outcomes as much as public rules do (UNCTAD, 2021).


Contractual frameworks are especially important here. Standard terms, data-processing agreements, intra-group transfer arrangements, and corporate compliance systems frequently act as the immediate instruments through which transfer rules are implemented. These are not substitutes for public law, but they often determine how public-law obligations are translated into practice. A formal legal right to protect data is weakened if the contractual and technical environment through which the data move is poorly designed or structurally opaque.


Standards bodies and certification mechanisms also play a growing role. Technical standards on cybersecurity, interoperability, encryption, identity management, and auditability may not look like classic sources of international law, yet they heavily influence what counts in practice as an adequate or trustworthy transfer environment. Private infrastructure operators, therefore, do not merely comply with legal rules; they help shape the practical meaning of legality. In the field of Cross-Border Data Flows, norm production is public and private at once, which is another reason why the field resists reduction to a single and unified legal regime (OECD, 2022; González Hauck et al., 2024).


3. Human rights foundations


Human rights law must appear early in any serious analysis of Cross-Border Data Flows because it supplies the article’s normative floor. If data move across borders in ways that expose individuals to arbitrary surveillance, unlawful disclosure, profiling, or denial of remedy, the legal problem cannot be evaluated only through efficiency, interoperability, or trade facilitation. The core issue is not simply whether data move easily, but whether they move under conditions consistent with the protection of persons. That is why privacy, and especially Article 17 of the ICCPR, must be treated as foundational rather than peripheral (ICCPR, 1966, Art. 17; Human Rights Committee, 1988).


A rights-based starting point also corrects a common analytical error. Discussions on cross-border transfers often assume that the legal problem is balancing economic openness against regulatory restriction. That framing is too narrow. The movement of data may affect dignity, autonomy, security, equality, and political participation. Human rights law, therefore, does more than limit state interference. It also shapes the conditions under which lawful data governance can be regarded as legitimate.


3.1 Privacy under Article 17 ICCPR


Article 17 of the ICCPR provides that no one shall be subjected to arbitrary or unlawful interference with privacy, family, home, or correspondence, and that everyone has the right to the protection of the law against such interference or attacks. This provision gives Cross-Border Data Flows their basic normative floor. It establishes that privacy is not a policy preference that can be traded away whenever greater data mobility seems economically useful. It is a protected legal interest that constrains how States and other actors may collect, transfer, access, and disclose information about persons (ICCPR, 1966, Art. 17).


The Human Rights Committee made clear in General Comment No. 16 that the prohibition covers both unlawful and arbitrary interference. That distinction matters. A measure may be formally authorized by domestic law and still be arbitrary if it is unreasonable, disproportionate, or insufficiently safeguarded. For cross-border data governance, this means that legality cannot be reduced to the existence of a statute or administrative rule permitting transfer or access. The quality of the legal framework matters, including necessity, proportionality, precision, and protection against abuse (Human Rights Committee, 1988).


This point has immediate consequences for transfer rules. A data-transfer mechanism cannot be judged only by whether it promotes commerce, reduces transaction costs, or supports digital services. It must also be assessed in light of the legal environment into which the data move. If the receiving framework permits excessive public access, weak oversight, or ineffective remedies, the transfer raises a human rights problem. Privacy protection under Article 17 therefore reaches beyond domestic collection and storage. It affects how cross-border disclosure and access should be structured as a matter of legality and legitimacy.


3.2 Privacy in the digital age


Privacy doctrine can no longer be treated as if it were confined to old concerns about physical searches, postal correspondence, or domestic record-keeping. In digital environments, privacy is affected by mass interception, bulk data retention, unlawful hacking, metadata analysis, automated profiling, facial recognition, and large-scale data aggregation across public and private systems. The international legal importance of Cross-Border Data Flows is tied directly to these developments because many of them depend on the capacity to move, replicate, access, and combine data across jurisdictions (OHCHR, 2022).


The privacy problem is not limited to misuse by private companies. State access is equally central, often more so. Domestic authorities may compel providers to disclose stored data, while foreign authorities may seek direct or indirect access to information held outside their territory. Intelligence agencies may rely on transnational infrastructures to conduct interception or bulk collection. As a result, the legality of a transfer cannot be assessed only by looking at the contractual relationship between private actors. One must also ask what forms of state access become possible once the data are stored, processed, or mirrored in another legal environment (Council of Europe, 2022; OHCHR, 2022).


Recent human rights work has treated privacy as a live digital-rights issue rather than an old analogue guarantee. That is the correct approach. Digital surveillance can alter freedom of communication, chill political participation, and reproduce structural inequalities through automated systems. The same is true of discriminatory data practices, where individuals are profiled, ranked, or excluded through opaque decision-making systems trained on biased or incomplete data. Privacy, in this context, is not only about secrecy. It is about protection against unjustified exposure, manipulation, inference, and control.


3.3 Related rights beyond privacy


Privacy is foundational, but it is not the only right affected by Cross-Border Data Flows. Freedom of expression is closely linked to data governance because surveillance, monitoring, and profiling may discourage people from communicating, accessing information, or participating in public debate. Human Rights Committee General Comment No. 34 stresses that restrictions affecting information flows and communication systems must be compatible with the guarantees of Article 19 ICCPR. A transfer regime that facilitates broad monitoring of online activity may therefore undermine expression even when it is formally presented as a neutral technical arrangement (Human Rights Committee, 2011).


Equality and non-discrimination are also central. Data systems can intensify discrimination when automated processing reproduces biased assumptions or when certain groups are exposed to disproportionate surveillance and risk scoring. Cross-border transfers may amplify that problem by placing sensitive data into systems that lack adequate accountability or that operate with weak protections against discriminatory treatment. The rights issue is therefore not confined to privacy in a narrow sense. It extends to the unequal social effects of how data are classified, inferred, and used.


Due process and effective remedy must also be brought into the analysis. Individuals whose data are transferred or accessed across borders often face serious practical barriers when seeking explanation, correction, deletion, or redress. Jurisdictional complexity, private intermediation, and secrecy around state access can leave affected persons without a meaningful remedy. That weakens the effectiveness of rights protection even where formal safeguards exist on paper. A lawful system of Cross-Border Data Flows, therefore, requires more than substantive rights. It requires accessible procedures, oversight, and realistic avenues for challenge and redress (OHCHR, 2022).


This broader rights framework also helps distinguish justified from unjustified restrictions. Some limits on cross-border data movement may protect rights, for example, where they reduce exposure to unlawful surveillance, prevent abusive processing of health data, or safeguard vulnerable groups against exploitation. Other restrictions may do the opposite. Data-localization mandates or digital-sovereignty measures can be used to entrench censorship, isolate users from information, strengthen state control over communications, or centralize discriminatory surveillance.


The human rights question is therefore not whether restriction is always good or always bad. It is whether the legal measure protects persons under conditions of necessity, proportionality, and accountability rather than serving repression or arbitrary control (UNCTAD, 2021; OHCHR, 2022).


4. Sovereignty, jurisdiction, and extraterritoriality


Questions of sovereignty and jurisdiction sit at the core of Cross-Border Data Flows. Data governance becomes difficult not because States have lost authority, but because several States may claim authority over the same dataset, the same processing operation, or the same disclosure request at the same time. A company may be established in one State, store data in another, provide services in many others, and receive access demands from public authorities elsewhere. In that setting, the central problem is not the disappearance of territorial power. It is the multiplication of overlapping claims to regulate, adjudicate, and enforce (Klabbers, 2024; Aust, 2005).


Classical public international law still provides the basic analytical structure. The law of jurisdiction distinguishes between the power to prescribe rules, the power to adjudicate disputes, and the power to enforce decisions. Cross-Border Data Flows expose the tensions between these functions more sharply than many older fields of law because the relevant conduct is diffuse, technically distributed, and often mediated by private infrastructure. The same cross-border data operation may therefore be lawful under one jurisdictional claim and unlawful under another.


4.1 Prescriptive, adjudicative, and enforcement jurisdiction


Prescriptive jurisdiction concerns the authority of a State to regulate conduct by legislation or other binding norms. In the context of Cross-Border Data Flows, this includes rules on transfer conditions, data-localization requirements, disclosure obligations, cybersecurity duties, and restrictions on foreign access. States often justify such rules through territorial links, nationality, establishment, effects, or public-order interests. The key issue is not only whether a State has some connection to the data operation, but whether that connection is strong enough to support a legitimate regulatory claim under international law (Klabbers, 2024).


Adjudicative jurisdiction concerns the authority of courts or tribunals to decide disputes. In data cases, this may involve regulatory enforcement, civil claims, administrative review, or criminal proceedings linked to access and disclosure. A court may claim competence because the data subject resides in the forum, because the company operates there, because harm was felt there, or because the relevant processing or disclosure had substantial effects within the territory. These grounds may overlap, which means several courts may appear competent at once. That is one reason why cross-border data disputes often raise forum conflicts and uncertainty for both firms and individuals (Aust, 2005).


Enforcement jurisdiction is narrower and more sensitive. It concerns the power of a State to compel compliance, seize evidence, execute warrants, or otherwise enforce its rules. Public international law has long treated enforcement in another State’s territory as highly restricted unless consent, treaty authorization, or another clear legal basis exists. This distinction matters greatly in Cross-Border Data Flows. A State may have a plausible claim to regulate a transfer or to adjudicate a dispute, but that does not automatically give it the right to carry out investigative or coercive acts abroad. The doctrinal separation between prescribing, adjudicating, and enforcing must therefore be kept clear.


4.2 Extraterritorial regulation


Data law regularly projects outward. States do not limit themselves to regulating conduct that occurs wholly within their borders. They often extend their rules to foreign entities processing data about persons within the regulating State, to companies offering services in that market, or to foreign providers whose conduct has substantial domestic effects. This outward reach is now a routine feature of data governance rather than an unusual exception (European Union, 2016; González Hauck and Milas, 2024).


The real doctrinal issue is not whether extraterritoriality exists. It plainly does. The harder question is how far such regulation may extend before it generates incompatible obligations. A firm may be required by one legal order to disclose data to public authorities while another legal order prohibits that disclosure without judicial review, treaty cooperation, or equivalent safeguards. A provider may be ordered to localize data in one jurisdiction while remaining subject to disclosure duties elsewhere because of corporate establishment or nationality. For firms and individuals, these conflicts are not theoretical. They shape compliance choices, risk exposure, and access to remedies.


Extraterritorial data regulation is often defended as necessary because digital activity cannot be governed effectively through a narrow territorial model. That argument is partly correct. Yet effectiveness does not remove legal limits. If multiple States regulate the same data operation aggressively and without coordination, the result can be legal contradiction rather than legal order. Cross-Border Data Flows, therefore, require not only recognition that extraterritorial regulation is unavoidable, but also clearer attention to reasonableness, proportionality, and comity in the exercise of jurisdiction (Aust, 2005; Klabbers, 2024).


4.3 Access to data stored abroad


Access to data stored abroad is where the abstract jurisdictional problem becomes concrete. Public authorities increasingly seek subscriber data, traffic data, content data, and cloud-stored records held outside their territory. These requests arise most visibly in criminal investigations and national-security contexts, where speed and secrecy are often treated as operational necessities. The legal difficulty is that data may be technically reachable without being legally available. A foreign server can sometimes be queried instantly, but that does not answer whether the access is lawful (Council of Europe, 2001; Council of Europe, 2022).


Three broad models appear in practice. The first is direct access, where an authority seeks to obtain data from a foreign system or foreign service provider without going through the territorial State. The second is compelled production, where a provider subject to the requesting State’s jurisdiction is ordered to produce data held abroad. The third is indirect cooperation, where the requesting State relies on mutual legal assistance, treaty mechanisms, or other forms of inter-state cooperation. Each model raises different sovereignty and rights concerns.


Direct access is the most controversial because it risks bypassing the territorial State and undermining the traditional limits on enforcement jurisdiction. Compelled production is more complex. It may appear less intrusive because the order is served on a provider already subject to the requesting State’s law, yet it still creates conflict if compliance would violate the law of the place where the data are stored or of the persons whose rights are affected. Indirect cooperation through treaty channels is usually more respectful of sovereignty, but it is often criticized as too slow for contemporary investigations. This tension explains why recent legal developments have tried to accelerate cooperation without fully abandoning procedural safeguards (Council of Europe, 2022).


The legality of cross-border access cannot, therefore, be reduced to technical capability or investigative convenience. The decisive questions are whether there is a valid jurisdictional basis, whether the method used respects the sovereignty of other States, whether the measure is proportionate, and whether affected persons have any meaningful protection against abuse. In criminal and national-security contexts, these questions are especially important because secrecy, urgency, and asymmetries of power can easily weaken oversight. Cross-Border Data Flows make those risks more acute, not less, because the same data may be subject to several competing legal orders while the individual concerned may struggle to identify which authority acted and under what law.


5. Trade law and digital economic governance


Trade law matters to Cross-Border Data Flows, but it does not control the field by itself. Digital services, cloud computing, online payments, data analytics, and platform-based intermediation all depend on the ability to move information across borders. That gives trade law a clear stake in the subject. At the same time, trade law was not designed as a complete framework for privacy, surveillance control, or data justice. Its role is important but limited. A serious legal analysis must therefore treat trade law as one layer of governance rather than as the single master regime (WTO, 1994a; OECD, 2021).


This point matters because trade-based arguments are often overstated. Restrictions on data mobility may indeed affect the supply of services, increase business costs, and alter market-access conditions. It does not follow that trade law mandates unrestricted circulation of data. Trade rules operate through commitments, exclusions, and exceptions. They also coexist with human rights law, data-protection law, financial regulation, and national-security frameworks. The real doctrinal question is how trade disciplines interact with those other regimes, not whether they displace them.


5.1 GATS and digitally delivered services


The General Agreement on Trade in Services (GATS) was drafted before cloud platforms, large-scale data analytics, and continuous cross-border data traffic became central to the global economy. Even so, it remains relevant because many digitally enabled services fall within its framework. GATS governs measures affecting trade in services and distinguishes between four modes of supply, including cross-border supply and commercial presence. A large share of data-dependent services, such as software delivery, financial intermediation, telecommunications, professional services, and online business support, can therefore engage GATS disciplines where a Member has undertaken relevant commitments (WTO, 1994a; WTO, 1994b).


Market-access and national-treatment rules are especially important here. If a State has made commitments in a relevant service sector, measures that condition foreign participation, discriminate against foreign suppliers, or restrict the way services may be supplied may raise GATS issues. Data-localization requirements, restrictions on remote processing, or discriminatory barriers to cloud-based service delivery may therefore become trade-law questions. That does not mean GATS directly regulates all cross-border data movements. It means that data restrictions can affect the conditions under which services are traded and may therefore be reviewed through existing services disciplines (Burri, 2017; OECD, 2021).


Still, GATS is not sufficient as a complete legal framework for Cross-Border Data Flows. It was not drafted to resolve modern questions about privacy safeguards, algorithmic discrimination, state surveillance, or the transfer of sensitive personal data. It can capture some trade effects of data restrictions, but it cannot fully answer whether a transfer is lawful from a human-rights or data-protection perspective. For that reason, GATS remains relevant but partial. It frames part of the problem without exhausting it.


5.2 Digital trade clauses in treaties


More recent treaty practice addresses data mobility more directly. Preferential trade agreements and digital economy agreements increasingly include provisions on cross-border transfer of information, data-localization prohibitions, paperless trading, electronic authentication, electronic contracts, and related digital trade issues. These clauses reflect a broader shift in treaty drafting: data mobility is increasingly treated as an element of trade liberalization rather than as a purely domestic regulatory matter (OECD, 2022).


Cross-border transfer provisions usually establish a general commitment to permit data movement for business purposes, subject to exceptions. Data-localization provisions often prohibit requiring the use or location of domestic computing facilities as a condition for doing business in a territory. These rules do not create an unlimited right to move data freely. They are typically tied to public-policy exceptions and to the continued ability of States to protect privacy, security, or other legitimate interests. Their practical significance lies in shifting the legal burden. Instead of assuming States may localize or restrict by default, such clauses require justification for restrictive measures (OECD, 2022).


Other treaty clauses work more indirectly. Paperless trading provisions seek to reduce administrative friction by allowing forms and trade documents to be submitted and accepted electronically. Rules on electronic authentication and signatures aim to ensure that digital transactions are not denied legal effect merely because they are electronic. Electronic invoicing, interoperability, and single-window provisions serve a similar function. These obligations do not regulate data protection in a comprehensive way, but they normalize cross-border digital trade as a legally recognized mode of economic activity. In doing so, they make data mobility part of the practical infrastructure of trade governance (WTO, 2024).


Source code provisions are more contested. In some trade agreements, they limit forced transfer or disclosure of source code as a condition of market access, subject to regulatory exceptions. These clauses are usually framed as innovation or investment protections, but they also affect data governance because algorithmic systems, digital platforms, and software-dependent services increasingly structure how data is collected and processed. The legal significance of these provisions lies less in privacy than in the balance between regulatory oversight and commercial protection.


5.3 The WTO electronic commerce track


The WTO’s current position deserves direct treatment because it marks an important development, but not a decisive legal unification of the field. In July 2024, participants in the Joint Statement Initiative on Electronic Commerce published a stabilized text for an Agreement on Electronic Commerce. According to the WTO’s own explanation, it is presented as the first set of global baseline rules on e-commerce among participating Members and is designed to facilitate electronic commerce, support an open digital environment, and promote trust in digital trade (WTO, 2024).


That development is significant, but it must be described accurately. The 2024 stabilized text is a trade instrument, not a general constitution for Cross-Border Data Flows. It is economy-wide and covers goods, services, and information, but it does not create obligations for non-participating WTO Members. It also does not alter existing market-access rights under other WTO agreements. The WTO itself states that the Agreement excludes government procurement, government services, and government-held information, and that it includes exceptions for prudential measures, personal data protection, and security. That structure confirms its limited but important role: it is a baseline digital trade framework among participants, not a universal settlement of global data governance (WTO, 2024).


The content of the stabilized text also supports that more restrained view. It includes provisions on electronic transactions, electronic authentication and signatures, electronic contracts, e-invoicing, paperless trading, single windows, electronic payments, customs duties on electronic transmissions, and telecommunications. These are substantial trade-facilitation and digital-enabling rules. At the same time, the WTO’s own summary notes that some of the most contested issues, including cross-border data flows and source code, remain subjects for future review and negotiation. That confirms the doctrinal point: the WTO e-commerce track is a serious attempt to organize parts of digital trade, but it does not settle the hardest legal conflicts surrounding cross-border data governance (WTO, 2024).


5.4 Trade exceptions and regulatory autonomy


The doctrinal heart of trade law in this field lies in the exceptions architecture. No serious reading of trade law supports the claim that States must permit unrestricted data mobility regardless of privacy, security, or public-order concerns. Trade agreements operate through commitments, but they also preserve regulatory autonomy through general exceptions, security exceptions, prudential carve-outs, and sector-specific limitations. These exceptions are not marginal. They are central to understanding how trade law actually functions in relation to Cross-Border Data Flows (WTO, 1994a; OECD, 2022).


Privacy is especially important here. Recent treaty practice commonly combines data-transfer commitments with language preserving the right to adopt measures for legitimate public-policy objectives, including protection of personal data. The OECD has noted that trade agreements increasingly treat cross-border data movement and domestic privacy legislation as mutually necessary rather than mutually exclusive. That is a legally important shift. It rejects the idea that privacy protection is merely an obstacle to trade. Instead, it presents privacy safeguards as part of the conditions under which trusted digital trade can occur (OECD, 2022).


Security and prudential regulation also matter. Financial regulation may require local access, auditability, or control over certain data for supervisory purposes. National-security exceptions preserve room for States to act where infrastructure, sensitive sectors, or intelligence risks are involved. Public-order exceptions may support restrictions in areas such as cybersecurity or fraud prevention. Of course, exceptions are not blank cheques. Measures adopted under them still raise questions of necessity, proportionality, and non-discrimination. Even so, their existence prevents any credible claim that trade law creates a simple legal obligation to keep data flowing under all circumstances.


The better conclusion is that trade law encourages openness in digitally enabled commerce while preserving significant regulatory space. That space is sometimes contested, and its limits are often uncertain, but it is real. Cross-Border Data Flows, therefore, sit within trade law as an object of facilitation subject to justified restriction, not as an unconditional freedom. That is why trade law remains relevant to the subject without becoming its sole or dominant legal foundation.


6. Data protection and transfer mechanisms


Data-protection law gives Cross-Border Data Flows one of its most developed legal structures. Unlike trade law, which treats data mobility mainly through the movement of services and digital transactions, data-protection law asks a different question: under what conditions may personal data leave one legal environment and enter another without undermining the rights of the individual concerned? That question turns transfer law into a discipline of conditional openness rather than unrestricted circulation. The basic idea is not to stop all transfers, but to permit them only where protection travels with the data or is replaced by functionally equivalent safeguards (Council of Europe, 1981; Council of Europe, 2018; European Union, 2016).


This body of law matters because it shows that transborder data governance has long been understood as a human-rights issue, not merely a matter of trade efficiency. Transfer mechanisms are designed to manage legal discontinuity between different jurisdictions. They are therefore conflict-management devices in a fragmented international environment. Their purpose is to reduce the risk that data protection ends at the border while data processing continues beyond it.


6.1 Convention 108 and transborder safeguards


Convention 108 is the core international treaty reference for data protection. Opened for signature in 1981, it was the first legally binding international instrument in this field and established that the processing of personal data engages fundamental rights rather than only administrative convenience or market coordination. Its modernized version, commonly known as Convention 108+, reinforces that orientation by applying to processing in both the public and private sectors and by linking transfer rules to broader duties of lawful and secure processing (Council of Europe, 1981; Council of Europe, 2018).


Its transborder dimension is especially important. Convention 108+ contains a specific chapter on transboundary flows of personal data. Article 14 makes clear that transfers between Parties should not be prohibited or subjected to special authorization solely for reasons of personal-data protection, but it also allows restrictions where there is a real and serious risk that the transfer would lead to circumvention of the Convention’s protections. This is a significant doctrinal move. It rejects both extremes: neither blanket prohibition nor blind permissiveness. Instead, it ties transfer permissibility to protection standards and to the broader supervisory architecture that supports effective compliance (Council of Europe, 2018).


The treaty’s structure is important for the article’s larger argument. It shows that Cross-Border Data Flows were recognized as a legal problem of rights protection long before current debates about digital trade or platform governance became dominant. Convention 108 does not treat transboundary flows simply as obstacles to be removed. It treats them as legally permissible only within a framework that preserves protection, accountability, and review. That remains one of the clearest treaty expressions of the principle that data may move across borders, but rights must not disappear when they do.


6.2 Adequacy, standard clauses, and binding rules


Modern transfer law operationalizes this principle through several techniques. The first is adequacy. Under this approach, transfers are permitted where the legal order of the receiving country is considered to provide a level of protection that is sufficiently comparable to that of the sending system. Adequacy does not require identical rules, but it does require a legal environment that protects the individual in a meaningful and enforceable way. In practice, adequacy findings are attractive because they allow transfers to proceed without individualized authorization in every case (European Union, 2016).


Where adequacy is absent, legal systems often rely on alternative safeguards. Standard contractual clauses are one of the best-known examples. These are pre-formulated contractual commitments designed to bind the exporter and importer of data to basic protection obligations. Binding corporate rules serve a similar function within multinational groups by creating an internal framework for transfers among related entities. Certification mechanisms and codes of conduct may also support transfers, though generally only where they are backed by enforceable commitments and supervision. Consent is another route, but it is narrower than often assumed and is usually treated as an exception rather than a full structural solution for routine or large-scale transfers (European Union, 2016; Council of Europe, 2022).


These mechanisms should not be misunderstood as purely technical compliance tools. They are conflict-management devices designed for a fragmented legal world. They do not remove differences between jurisdictions. They attempt to manage those differences by exporting obligations contractually, organizationally, or procedurally. That is why transfer-impact assessments have become so important. A transfer-impact assessment asks whether the legal environment in the destination country allows the chosen safeguard, such as standard clauses, to function in practice. If the recipient’s legal order permits broad state access without sufficient limits, contractual language alone may not solve the problem.


6.3 Schrems II and the limits of transfer law


The leading case here is Schrems II. Its importance is doctrinal, not merely political. The Court of Justice did not hold that transfers to third countries are inherently unlawful. Nor did it reject the use of standard contractual clauses as such. What it made clear was that transfer law depends on the legal environment in the destination State. If that legal environment permits disproportionate access by public authorities and fails to provide protection essentially equivalent to the required standard, transfer mechanisms break down regardless of their formal wording (Court of Justice of the European Union, 2020).


That insight is decisive for the law of Cross-Border Data Flows. Standard clauses bind private parties, but they do not bind foreign intelligence or law-enforcement authorities. If the importing country’s law allows surveillance practices that override contractual safeguards, the transfer cannot be treated as legally safe simply because the contract looks compliant on paper. The case, therefore, showed the limits of private ordering in transfer law. Contracts matter, but they do not neutralize structural deficiencies in the destination legal order.


Schrems II also clarified the role of supervisory authorities. Data-protection authorities cannot treat transfer tools as self-executing guarantees. They must examine whether, in light of all the circumstances, the data importer can in fact comply with the required level of protection. This moved transfer law away from formal box-ticking and toward a more contextual and legally demanding assessment. The destination legal system became part of the transfer analysis itself, not a background issue outside the scope of review (Court of Justice of the European Union, 2020).


6.4 The EU-US framework after 2023


The EU-US Data Privacy Framework, established through the European Commission’s 2023 adequacy decision, is the clearest recent example of both the resilience and fragility of transfer law. The Commission concluded that the United States, for participating organizations under the new framework, ensured an adequate level of protection. That conclusion relied heavily on changes introduced in the United States, including Executive Order 14086 and the creation of the Data Protection Review Court as part of the new redress architecture (European Commission, 2023).


The first periodic review in 2024 confirmed the Commission’s view that the framework’s commercial and public-authority safeguards were operating and that the adequacy decision should remain in place. Yet that did not settle the doctrinal controversy. The arrangement still depends on whether the safeguards governing intelligence access and redress are considered strong enough to satisfy the requirement of essentially equivalent protection. The structure remains legally vulnerable because its core problem is the same one identified in Schrems II: how to reconcile transatlantic data transfers with contested surveillance powers in the destination State (European Commission, 2024).


That vulnerability was illustrated by the 2025 General Court litigation in Latombe v Commission. The General Court dismissed the annulment action and held that, on the date of the adequacy decision, the United States ensured an adequate level of protection under the new framework. The Court accepted that the revised redress system and ex post oversight mechanisms were sufficient to meet the applicable standard. Even so, the broader lesson is not that the matter is definitively closed. The better reading is that EU-US transfer arrangements remain continuously exposed to judicial review whenever surveillance safeguards, independence of redress bodies, or effective oversight are contested (General Court, 2025).


For the law of Cross-Border Data Flows, that is the real significance of the post-2023 framework. Transfer regimes are not stable simply because they exist in an adequacy decision or a political agreement. Their durability depends on whether courts remain persuaded that the destination legal order provides safeguards that are operational, reviewable, and genuinely protective in substance rather than in form. That makes data-transfer law one of the clearest examples of how cross-border governance now depends on the interaction between domestic surveillance law, regional rights protection, and international digital interdependence.


7. Security, cybercrime, and electronic evidence


Security and criminal-investigation concerns are now central to the law of Cross-Border Data Flows. States do not seek access to data only for regulatory or commercial reasons. They also seek access for criminal investigations, intelligence collection, counterterrorism, and public-order purposes. This creates one of the hardest tensions in the field. Cross-border flows depend on trust, yet broad government-access powers can weaken that trust if they appear opaque, disproportionate, or weakly supervised (Council of Europe, 2001; OECD, 2022).


This area matters because it shifts the debate away from private compliance alone. A transfer may look lawful under data-protection rules and still become problematic if the destination legal order allows excessive law-enforcement or national-security access. Government-access frameworks have therefore moved to the center of the legality of Cross-Border Data Flows. The issue is no longer only how firms transfer data, but under what conditions States can reach that data once it is transferred, stored, or made accessible abroad.


7.1 The Budapest Convention framework


The Budapest Convention is the leading treaty framework for cybercrime cooperation and electronic evidence. Opened for signature in 2001, it combines substantive criminal-law provisions with procedural powers and international cooperation mechanisms. Its importance extends beyond classic cybercrime offences. The Convention also applies to criminal investigations involving evidence in electronic form more generally, which makes it directly relevant to cross-border access to data (Council of Europe, 2001; Council of Europe, 2001 Explanatory Report).


The Convention matters for Cross-Border Data Flows because it creates legal pathways for preservation, production, search, seizure, and international cooperation. These tools were developed in response to the speed and volatility of electronic evidence. Traditional mutual legal assistance was often too slow for data that could be deleted, altered, or moved rapidly. The Budapest framework, therefore, sought to make criminal cooperation more effective in digital environments without abandoning legal safeguards altogether (Council of Europe, 2001; Svantesson, 2020).


Its practical significance lies in that combination of procedural reach and cooperative structure. The Convention does not remove sovereignty concerns, but it provides a common grammar for how States investigate offences involving electronic evidence. In that way, it has become a major reference point for the intersection of cybercrime law, criminal procedure, and international cooperation.


7.2 The Second Additional Protocol


The Second Additional Protocol is a major contemporary development in this field. It responds to a problem that had become impossible to ignore: electronic evidence is often held by service providers in other jurisdictions, while the older cooperation channels were too slow and too formal to meet operational needs. The Protocol addresses that gap by creating enhanced forms of cooperation for the disclosure of electronic evidence and by facilitating faster cross-border procedures (Council of Europe, 2022; Council of Europe, 2022 Explanatory Report).


Its innovations are substantial. The Protocol provides for direct cooperation with domain-name registrars and registries for registration information, direct cooperation with service providers for subscriber information, stronger mechanisms for emergency mutual assistance, and procedures for obtaining stored computer data through accelerated cooperation. These tools are designed to reduce delay and to avoid overreliance on slower traditional assistance channels in routine cases (Council of Europe, 2022).


At the same time, the Protocol does not treat speed as the only value. Its structure expressly ties enhanced cooperation to conditions and safeguards, including protections linked to human rights, proportionality, data protection, and rule-of-law requirements. That is legally important. The Protocol does not simply expand access; it attempts to do so within a framework that preserves legitimacy. For the law of Cross-Border Data Flows, this confirms that faster access to data is now a central policy objective, but it cannot be detached from rights-based constraints.


7.3 National security and law-enforcement access


National security and law enforcement present the hard case that this article cannot avoid. States claim that access to data held by private entities is essential for preventing crime, responding to cyber incidents, and addressing security threats. That claim is not legally trivial. Governments do have legitimate responsibilities in these fields. The problem arises when access regimes become so broad, opaque, or weakly supervised that they undermine confidence in cross-border transfers and weaken the protection of individuals whose data are involved (OECD, 2022).


This is why government-access rules now sit at the center of the legality of Cross-Border Data Flows. A transfer mechanism is only as credible as the legal environment into which the data move. If the destination legal order allows disproportionate access by intelligence or law-enforcement agencies, then contractual or organizational safeguards may not be enough. The legal issue is no longer merely one of private compliance. It becomes a question about the compatibility of the destination system with privacy, due process, and effective oversight.


The problem is sharpened by the asymmetry of knowledge and power in this area. Individuals rarely know when their data are accessed, by which authority, and on what legal basis. Providers may face conflicting obligations between disclosure duties in one jurisdiction and data-protection restrictions in another. Governments, meanwhile, tend to emphasize necessity and urgency. The result is that national-security and law-enforcement access has become the decisive test of whether a cross-border transfer framework can genuinely sustain trust.


7.4 OECD and interoperable safeguards


The OECD Declaration on Government Access to Personal Data Held by Private Sector Entities marks an important governance turn. Adopted in 2022, it does not create a universal treaty regime. What it does instead is articulate a shared set of principles among OECD members and the European Union concerning government access for law enforcement and national security purposes. Its practical importance lies in promoting trust through common safeguards rather than through full legal harmonization (OECD, 2022).


The Declaration is explicit on the core problem. It recognizes that governments need lawful access to personal data held by private-sector entities, but it rejects approaches that are unconstrained, unreasonable, arbitrary, or disproportionate. It sets out principles including legal basis, legitimate aims, approvals, data handling, oversight, transparency, and redress. Those principles are not identical to domestic constitutional standards in every State, but they reflect a shared attempt to identify what rule-of-law access should look like in practice (OECD, 2022).


For Cross-Border Data Flows, the significance of the Declaration is doctrinal as well as political. It reflects a move away from the idea that trust requires complete similarity between legal systems. The emerging approach is instead one of interoperable safeguards: different legal systems may remain different, but they must still converge on certain minimum protections if data are to move across borders with legitimacy. That does not solve every conflict, especially outside the OECD space, but it shows clearly where current governance is heading.


8. Data localization, sovereignty, and policy space


Data localization is one of the most disputed issues in the law of Cross-Border Data Flows, but it is often described too crudely. It is frequently treated either as a legitimate assertion of sovereignty or as disguised protectionism. That binary is too weak for serious legal analysis. The better question is not whether localization is inherently desirable or inherently harmful. The real issue is why a State adopts it, what kind of data it covers, and whether the measure is tailored to a legitimate public purpose (UNCTAD, 2021; Burri, 2017).


This matters because localization rules appear in very different legal and regulatory contexts. Some are directed at national security and critical infrastructure. Others focus on privacy, financial supervision, health governance, evidentiary control, or public procurement. In some settings, localization is framed as a way to preserve domestic oversight and reduce exposure to foreign access. In others, it becomes part of a broader industrial policy aimed at supporting local data centers, cloud services, and digital industries. A serious public international law account must therefore separate narrow and justified measures from overbroad rules that function mainly as barriers or instruments of control (UNCTAD, 2023; OECD, 2021).


8.1 Localization beyond caricature


Localization should not be reduced to a single policy type. States use localization measures for different reasons, and the legal analysis changes accordingly. A requirement that certain public-sector records remain under domestic control raises a different issue from a blanket obligation that all commercial data generated in the territory be stored locally. The first may be linked to evidentiary access, continuity of public administration, or national security. The second may be harder to justify unless the State can show why broader restrictions are necessary and proportionate (UNCTAD, 2023).


Security is one common justification. Governments may require local storage or local copies of data related to energy systems, telecommunications, transport networks, or defence-related infrastructures. The concern here is not primarily privacy. It is operational resilience, continuity of essential services, and protection against external disruption or coercive dependency. Similar reasoning appears in financial regulation, where supervisory authorities may require domestic availability of certain records for audit, risk control, and crisis management (UNCTAD, 2023; OECD, 2022).


Privacy is another major justification, but it must be handled carefully. Some States argue that keeping personal data within the jurisdiction reduces exposure to foreign surveillance or weak overseas protection. That argument has force in some circumstances, especially where the relevant data are highly sensitive and the external legal environment is weak. Yet local storage by itself does not automatically guarantee privacy. If domestic safeguards are poor, or if foreign access remains possible through corporate control or remote disclosure, localization may create only an illusion of protection. The legal value of the measure therefore depends on the wider framework of oversight, remedies, and enforceable rights (Greenleaf, 2018; OHCHR, 2022).


Industrial policy also belongs in this discussion. Some States promote localization to support domestic digital infrastructure, stimulate investment in data centers, or retain more value within the national economy. This objective should not be dismissed as illegitimate merely because it has an economic dimension. Public international law does not require States to remain passive in the face of digital dependence. At the same time, industrial policy cannot be treated as a blanket justification for any restriction on data mobility. The stronger legal position is that such measures should be evaluated in relation to their scope, transparency, and actual connection to the developmental objective invoked (UNCTAD, 2021).


8.2 Sovereignty claims and digital dependence


Claims of digital sovereignty often arise because control over digital infrastructure is highly uneven. Many States rely on foreign cloud providers, payment systems, submarine cables, software environments, and dominant online platforms to run essential parts of their economy and administration. Under those conditions, localization measures are often less about rhetorical nationalism than about dependence. The argument is that when essential data are stored, processed, or routed through infrastructures controlled abroad, domestic regulatory autonomy becomes more fragile (UNCTAD, 2021; Klabbers, 2024).


This asymmetry is central to the legal debate. A State that lacks domestic cloud capacity or depends almost entirely on foreign payment rails may see cross-border data openness very differently from a State that hosts the leading platforms and infrastructure providers. Sovereignty arguments become stronger where infrastructural dependence creates exposure to foreign regulatory pressure, foreign intelligence access, or private control over public functions. In that setting, localization may be presented as a way to recover a measure of control over essential systems rather than as a simple rejection of global data exchange (UNCTAD, 2023).


The dependence problem is not confined to storage. It also concerns routing, processing, interoperability, and the practical ability to access data when needed. A government may formally retain jurisdiction over data generated in its territory while lacking the technical or legal means to obtain timely access if those data are held through foreign-controlled systems. Sovereignty claims, therefore, often emerge at the point where legal authority and infrastructural reality diverge. Cross-Border Data Flows make that divergence more visible because data can remain economically vital to one State while being operationally controlled elsewhere.


That does not mean sovereignty should be used without limits. Public international law still requires that assertions of control be tied to legitimate aims and exercised in ways that do not become arbitrary, discriminatory, or unnecessarily restrictive. Yet sovereignty cannot be treated as an outdated concept in digital governance. It remains one of the central legal languages through which States explain why some data should remain accessible, reviewable, or controllable within their own regulatory space.


8.3 Development and unequal value capture


The development dimension is one of the most important parts of the debate and is often underestimated. UNCTAD has repeatedly argued that Cross-Border Data Flows are connected to unequal development outcomes. Data may move globally, but the capacity to capture value from data does not. Infrastructure, cloud capacity, computational power, platform ownership, and advanced analytics are concentrated in a small number of jurisdictions and firms. As a result, countries with weaker digital capacity may generate valuable data while much of the processing, monetization, and strategic control occur elsewhere (UNCTAD, 2021).


This turns data governance into a problem of distributive order, not merely one of market efficiency. If a legal framework treats unrestricted data mobility as the default ideal without addressing asymmetries of infrastructure and bargaining power, it may reinforce existing inequalities. Countries with advanced digital ecosystems benefit from scale, capital, and technological control. Countries with weaker capacity may become suppliers of raw data while remaining dependent on external providers for storage, processing, and value extraction. That is not just an economic concern. It is a public international law issue because it bears on equality between States, regulatory autonomy, and the material conditions under which sovereignty is exercised (UNCTAD, 2021; Pahuja, 2011).


Policy space is therefore essential. States at different levels of digital development do not enter the global data economy on equal terms. Some need flexibility to build domestic infrastructure, regulate strategic sectors, protect sensitive public functions, and negotiate a less dependent position in transnational digital markets. UNCTAD’s work is especially clear on this point: governance frameworks for data and transborder flows must leave room for countries to pursue national priorities and development objectives while addressing risks created by digitalization (UNCTAD, 2021; UNCTAD, 2023).


That does not mean every localization measure should be accepted in the name of development. The stronger position is more disciplined. Development-oriented restrictions must still be assessed critically, especially where they are vague, overbroad, or disconnected from any realistic strategy for capacity building. Even so, public international law cannot ignore the fact that openness operates differently in a structurally unequal digital economy. A rule that appears neutral at the level of doctrine may entrench dependence at the level of material consequence. For that reason, development and unequal value capture should be treated as central legal concerns in the governance of Cross-Border Data Flows, not as marginal policy afterthoughts.


9. Corporate power and private infrastructure


The legal analysis of Cross-Border Data Flows is incomplete if it focuses only on States and formal legal rules. Data move through infrastructures that are overwhelmingly designed, owned, and operated by private firms. Cloud providers host and replicate data across jurisdictions. Platforms organize communication, advertising, payments, and content circulation. Telecommunications operators and cable systems carry traffic across borders. This gives private actors enormous practical influence over where data travel, how they are stored, which legal orders become relevant, and how requests for disclosure are handled (UNCTAD, 2021; OECD, 2022).


This private role matters because legality in practice often depends on infrastructure design and contractual architecture. A State may adopt strict transfer rules, but if the relevant service is routed through a handful of global providers, those providers shape the real conditions of compliance. The law of Cross-Border Data Flows is therefore not only a matter of public norms. It is also a matter of private control over the pathways through which digital activity becomes possible.


9.1 Cloud, platforms, and cables


A small number of firms mediate much of the infrastructure through which cross-border data moves. In cloud computing, competition authorities and policy institutions have repeatedly noted high concentration among a limited group of very large technology companies. OECD work on cloud services identifies concentration, barriers to entry, and interoperability problems as structural concerns, not marginal issues. That matters legally because cloud concentration affects where data is stored, how easily firms can switch providers, and how much bargaining power users or regulators actually possess (OECD, 2024).


Platform concentration raises similar issues. Large platforms do not merely host content or transactions. They structure how data is collected, combined, monetized, and transferred across jurisdictions. Their systems often determine the applicable contractual terms, the location of processing, and the procedures used when public authorities seek access. UNCTAD’s recent work on digital multinational enterprises shows growing concentration at the top of the digital economy. According to its 2025 analysis, the combined share of sales held by the top five digital MNEs more than doubled between 2017 and 2025, rising from 21 per cent to 48 per cent (UNCTAD, 2025).


Cables and network backbones are equally important, even if they are discussed less often in legal writing. Cross-Border Data Flows depend on physical transmission systems, above all submarine cables and telecommunications infrastructure. These are not neutral pipes. Control over network routes, landing points, and traffic carriage can affect resilience, surveillance exposure, and the practical ability of States to regulate or secure communications. The key legal point is that private infrastructure ownership shapes the geography of jurisdiction in practice. Data may be formally subject to one legal order while travelling through systems controlled elsewhere.


9.2 Contract as transnational regulation


Contract is one of the main tools through which cross-border data governance is operationalized. Standard terms, processor agreements, intra-group transfer arrangements, cloud service contracts, and platform rules do far more than allocate commercial risk. They define where data may be processed, which entities may access them, how security is structured, what happens in case of disclosure requests, and which legal mechanisms will govern disputes. In practice, contracts often become the immediate instrument through which public-law obligations are translated into operational rules (European Union, 2016; Council of Europe, 2022).


This is why formal public law alone cannot explain the field. A data-protection regime may require safeguards for transfers, but those safeguards are frequently implemented through standard contractual clauses, processor terms, or internal corporate rules. The same is true for cross-border service delivery more broadly. Cloud and platform providers often require users to accept predefined global conditions that allocate liability, determine audit rights, and specify how data may be moved across infrastructures controlled by affiliated entities in several jurisdictions. The result is a form of transnational ordering in which private contracts become part of the legal architecture of Cross-Border Data Flows.


Platform governance rules push this even further. Terms of service, content policies, account controls, technical interoperability rules, and private procedures for responding to law-enforcement requests all shape what data can be moved, retained, disclosed, or contested. These rules are not treaties, yet they often have more immediate practical force than treaties for individuals and smaller firms. They determine the everyday conditions under which cross-border legality is experienced.


9.3 Concentration and accountability


The concentration of private infrastructure creates an accountability gap. Public authorities increasingly depend on privately controlled systems to deliver services, investigate crime, supervise markets, and manage digital economies. Yet those systems are often spread across several jurisdictions and governed through corporate structures that make responsibility difficult to trace. When something goes wrong (a breach, an unlawful disclosure, a denial of access, or a failure to comply with local law), it may be unclear which entity is responsible and which authority can realistically enforce accountability (UNCTAD, 2021; OECD, 2022).


This gap is especially visible where public power depends on private intermediaries. Law enforcement access to electronic evidence often runs through platform or cloud providers. Cross-border regulatory compliance frequently depends on what those firms disclose about storage, routing, subcontracting, and onward transfers. If the provider’s internal systems are opaque, the State’s formal authority may exceed its practical knowledge and control. Accountability then becomes fragmented across contracts, regulators, and jurisdictions, with no single actor clearly answerable for the overall outcome.


The legal significance of this problem is substantial. Concentration does not only raise competition concerns. It alters the distribution of regulatory power itself. A legal framework for Cross-Border Data Flows may look robust on paper, but its effectiveness depends on whether public institutions can supervise private infrastructures that operate transnationally and at scale. Where that supervision is weak, private power can shape jurisdiction, compliance, and remedy in ways that outpace the public norms meant to govern them. That is why corporate power and infrastructure control must be treated as central, not secondary, to the legal analysis of cross-border data governance (OECD, 2024; UNCTAD, 2025).


10. Emerging global governance


Global governance of Cross-Border Data Flows is becoming more visible, but it remains politically important and legally modest. What is emerging is not a universal treaty system with settled obligations. It is a loose framework of declarations, policy principles, surveys, and cooperative processes through which States and institutions are trying to organize a common vocabulary for digital governance. The significance of this shift is real because cross-border data governance is no longer treated as a narrow issue of trade facilitation alone. It is now discussed as a broader matter of rights protection, interoperability, inclusion, and institutional coordination (UNCTAD, 2023; United Nations, 2024).


That said, a shared vocabulary is not the same as a shared legal order. Expressions such as trusted flows, interoperability, and digital cooperation are useful politically, but they do not by themselves resolve the structural conflicts in this field. Surveillance law, development policy, market concentration, and sovereign control remain deeply contested. Emerging global governance is therefore best understood as a process of coordination and agenda formation rather than a settled framework of law.


10.1 G20 and data free flow with trust


G20 practice is one of the clearest signs that the policy language has shifted toward interoperability and trusted flows. UNCTAD’s survey of G20 members and invited guests notes that “data free flow with trust” and cross-border data flows have been under discussion since the Japanese Presidency in 2019 and continued through later presidencies. That continuity matters because it shows that the issue has remained central in a major economic governance forum and that cross-border data governance is now treated as a recurring subject of international policy coordination (UNCTAD, 2023).


The same UNCTAD report is important because it shows the limits of the slogan. Rules affecting cross-border data flows extend well beyond trade. They appear in health, competition, finance, telecommunications, law enforcement, public procurement, cybersecurity, and public administration. This is a critical point for the article. “Data free flow with trust” is not a complete legal formula. It does not determine how privacy, evidentiary access, development policy, or public-order concerns should be balanced. It signals a political preference for openness conditioned by safeguards, but it does not supply those safeguards in a detailed and universally accepted legal form (UNCTAD, 2023).


The G20 framework is therefore useful, but limited. It helps normalize the view that data governance requires both movement and trust. Yet it leaves unresolved the most difficult legal questions: what counts as sufficient trust, who defines the relevant safeguards, and how States with very different legal systems and digital capacities are expected to implement them. Its contribution is strongest at the level of policy framing rather than legal settlement.


10.2 The 2024 Global Digital Compact


The 2024 Global Digital Compact is politically significant but legally modest. Adopted within the United Nations framework, it confirms that digital governance, including data governance, has become a matter of general international concern rather than a niche subfield of trade policy. Its value lies less in creating binding rules and more in placing questions of digital inclusion, human rights, institutional capacity, and interoperable governance within a broader multilateral agenda (United Nations, 2024).


For this article, the Compact matters because it confirms a change in perspective. Cross-Border Data Flows are no longer presented only as a tool of economic efficiency or digital trade. They are treated as part of a wider governance problem involving safeguards, coordination, and inclusion. That is consistent with the broader doctrinal argument developed in this article: the law of cross-border data flows cannot be reduced to market integration.


At the same time, the Compact should not be presented as a universal legal solution. It does not establish a comprehensive treaty regime on data transfers. It does not settle the relationship between privacy and surveillance, nor does it resolve the tension between data mobility and development policy space. Its significance is therefore interpretive and political. It confirms that global institutions now recognize data governance as a general public issue, even though legal convergence remains limited.


10.3 Why consensus remains limited


Consensus remains limited because States approach cross-border data governance from different constitutional and regulatory traditions. Some legal systems place strong emphasis on privacy as a fundamental right and require close judicial control, proportionality, and redress. Others allow broader public access in the name of security, intelligence gathering, or administrative efficiency. These differences shape what each legal order considers lawful access, adequate protection, and legitimate state power (OHCHR, 2022; OECD, 2022).


Surveillance systems are another major source of divergence. Cross-border data governance depends heavily on whether the destination legal order permits broad intelligence or law-enforcement access and whether those powers are subject to meaningful oversight. This is one reason why transfer regimes remain fragile. States and courts may accept digital interdependence in principle, yet still resist unrestricted transfers where surveillance safeguards are considered insufficient. The conflict is therefore not only about trade or technology. It is also about different understandings of legality and restraint in the exercise of public power.


Development interests further limit convergence. Countries do not enter the digital economy on equal terms. Some possess strong cloud sectors, platforms, and data-processing capacity, while others depend heavily on foreign infrastructure and foreign firms. For the latter, governance debates are closely tied to policy space, industrial development, and unequal value capture. A framework that looks neutral to one State may appear structurally biased to another if it entrenches dependence or restricts domestic digital development (UNCTAD, 2021; UNCTAD, 2023).


Different models of market regulation deepen the problem. Some jurisdictions are more willing to tolerate concentration and rely heavily on private ordering, while others emphasize competition control, public supervision, and sector-specific regulation. Because Cross-Border Data Flows are mediated by concentrated private infrastructures, these differences matter directly. The result is that global governance has produced a stronger shared vocabulary, but not a strong shared legal consensus. Coordination is expanding, but convergence remains partial and contested.


11. A doctrinal framework for analysis


The legal difficulty of Cross-Border Data Flows is not only that several norms apply at once. It is that they apply for different reasons and through different institutional logics. Human rights law focuses on the protection of persons, trade law on market openness and non-discrimination, cybercrime law on access to electronic evidence, data-protection law on continuity of safeguards, and domestic public law on security, administration, and sectoral regulation. A doctrinal framework is therefore necessary to prevent the analysis from becoming either impressionistic or excessively fragmented (Klabbers, 2024; Aust, 2005).


The framework proposed here is deliberately practical. It does not assume that one regime automatically prevails over all others. It begins by identifying the legal character of the data operation, then clarifies the protected interest at stake, maps the relevant legal regimes, and finally resolves conflicts through structured legal reasoning. The goal is not to eliminate complexity, but to discipline it.


11.1 Step one: identify the legal act


The first step is to identify the legal act under examination. Many disputes are framed too broadly as disputes about “data flows,” when the actual legal issue concerns something more specific. The relevant act may be transfer, access, disclosure, storage, processing, onward transfer, preservation, or compelled production. That distinction is decisive because different rules are triggered by different acts (Council of Europe, 2001; European Union, 2016).


A cross-border transfer by a private company to a foreign processor raises a different legal problem from a foreign authority demanding disclosure of subscriber data. Storage in a foreign cloud environment is not identical to remote access by an affiliate abroad. Processing by a multinational platform is not the same as compelled production in a criminal investigation. If the legal act is not identified with precision at the outset, the analysis risks collapsing distinct questions of privacy, jurisdiction, and enforcement into one undifferentiated category.


The first doctrinal discipline, then, is descriptive accuracy. Before asking what the law permits, one must ask what kind of act the law is being asked to regulate. In Cross-Border Data Flows, that basic clarification often determines most of the legal pathway that follows.


11.2 Step two: identify the protected interest


The second step is to identify the dominant protected interest. Not every cross-border data dispute is primarily about privacy, and not every data restriction is primarily about trade. The relevant concern may be privacy, trade facilitation, criminal enforcement, national security, consumer protection, competition, public health, evidentiary control, or development policy. Sometimes several interests appear together, but one of them usually structures the legal analysis more strongly than the others (UNCTAD, 2021; UNCTAD, 2023).


This step matters because legal reasoning changes according to the interest at stake. If the dominant concern is privacy, legality, proportionality, effective remedy, and safeguards against arbitrary access become central. If the concern is trade, attention shifts toward market access, non-discrimination, and exceptions. If the issue is criminal enforcement, the analysis must focus more closely on jurisdiction, due process, and cooperation mechanisms for access to electronic evidence. Where public health, finance, or critical infrastructure are involved, sector-specific supervision and resilience concerns may become decisive.


The framework, therefore, rejects one-size-fits-all reasoning. The fact that data crosses a border does not tell us which legal value is dominant. That value must be identified explicitly. Only then can the applicable doctrines be ordered coherently.


11.3 Step three: map the applicable regimes


The third step is to map the relevant legal regimes and to place them side by side rather than treating one of them as automatically exhaustive. In many cases, the applicable framework will include human rights law, domestic or regional data-protection law, trade commitments, cybercrime cooperation rules, sector-specific regulation, and contractual mechanisms. In some cases, national-security law and public international law on jurisdiction will also play a central role (ICCPR, 1966; Council of Europe, 2018; WTO, 1994a).


This mapping exercise is essential because conflicts in Cross-Border Data Flows often arise not from uncertainty about one rule, but from interaction between several rules. A transfer may satisfy a trade commitment but still fail under data-protection standards. A disclosure order may be lawful under domestic criminal procedure but still raise problems under international cooperation rules or foreign blocking restrictions. A localization measure may pursue a legitimate public aim and yet remain vulnerable if it is broader than necessary or discriminatory in application.


Contractual mechanisms must also be included in the map. Standard contractual clauses, processor agreements, intra-group rules, and platform governance frameworks do not replace public law, but they often determine how public-law obligations are implemented in practice. A doctrinal framework that ignores them will misdescribe how the field actually operates.


11.4 Step four: resolve conflict


The fourth step is structured conflict analysis. Once the act, the protected interest, and the relevant regimes have been identified, the next question is how the conflict should be resolved. The most defensible method is not to search for a single universal rule. It is to test the challenged measure or transfer arrangement against a core set of public-law standards: legality, necessity, proportionality, equivalent safeguards, due process, and non-discrimination (Human Rights Committee, 1988; Court of Justice of the European Union, 2020).


Legality asks whether the measure is clearly grounded in law and whether the law is sufficiently accessible and precise. Necessity asks whether the measure responds to a genuine and relevant public aim rather than to convenience, speculation, or generalized distrust. Proportionality asks whether the degree of interference matches the seriousness of the risk. Equivalent safeguards ask whether the protective environment in the receiving jurisdiction or under the applicable mechanism meaningfully preserves the rights or interests at stake. Due process asks whether those affected can challenge the measure or seek review. Non-discrimination asks whether the rule or restriction is being applied in a targeted and legitimate manner rather than as an arbitrary burden on foreign actors or vulnerable groups.


This structured method gives the article its main doctrinal payoff. It provides a way to reason across fragmented regimes without pretending that fragmentation has disappeared. It also makes clear that not every conflict is resolved by giving automatic priority to openness or to restriction. The better approach is to test the justification and architecture of the measure against standards that can travel across several legal contexts.


11.5 Proposed test


A cross-border data-flow restriction or transfer mechanism is strongest, doctrinally, when five conditions are met. First, it must pursue a legitimate public aim, such as privacy protection, evidentiary access, public health, financial supervision, security, or development policy. Second, it must be clearly grounded in law, with rules that are accessible, reviewable, and not excessively vague. Third, it must be functionally linked to the specific risk it claims to address, rather than resting on broad generalizations about all foreign processing or all domestic control.


Fourth, it must contain reviewable safeguards. These may include judicial authorization, independent oversight, transfer-impact assessment, audit rights, complaints mechanisms, or enforceable redress. Fifth, it must not impose broader restraints than necessary. A restriction that captures all data where only a small subset presents the real risk is legally weaker than a narrower, more tailored rule. A transfer mechanism that depends entirely on formal contractual language without regard to the destination legal environment is also weaker than one supported by realistic and enforceable protections (Court of Justice of the European Union, 2020; OECD, 2022).


This test does not eliminate disagreement, but it does provide a disciplined way of evaluating Cross-Border Data Flows across different factual settings. Its value lies in forcing the analysis to move beyond slogans such as trusted flows, digital sovereignty, or free movement of data. Those phrases may describe policy aspirations, but they are not enough to decide hard cases. Hard cases require a legal method. This framework is proposed as that method.


12. Conclusion


The law of Cross-Border Data Flows cannot be reduced to a single treaty, a single institutional forum, or a single doctrinal principle. The field is governed through a layered and fragmented legal structure in which human rights law, data-protection law, trade law, cybercrime cooperation, domestic public law, and private contractual ordering all interact. That fragmentation is often presented as a weakness. In reality, it reflects the fact that cross-border data governance serves several different legal purposes at once: protection of privacy, facilitation of trade, preservation of evidence, protection of security, maintenance of regulatory autonomy, and management of digital interdependence (UNCTAD, 2021; Klabbers, 2024).


For that reason, two weak conclusions should be rejected. The first is that unrestricted data mobility is the natural legal ideal, and that barriers to movement are presumptively suspect. That view ignores the role of privacy, due process, equality, and public accountability. Data do not become legally harmless merely because they are economically useful. Cross-border transfers can expose individuals and institutions to unlawful surveillance, opaque profiling, and regulatory dependence. A legal order committed only to frictionless movement would fail to protect the very interests international law is meant to secure (ICCPR, 1966; OHCHR, 2022).


The second weak conclusion is that digital sovereignty, understood as keeping data within territorial borders or maximizing unilateral control, solves the problem. It does not. Localization and sovereign control may be justified in some contexts, especially where critical infrastructure, sensitive public functions, or severe asymmetries of access are involved. Yet sovereignty alone does not guarantee rights protection, accountability, or fair development outcomes. A State may centralize data domestically and still permit arbitrary surveillance, weak oversight, or exclusionary governance. Digital sovereignty is therefore an important legal language, but not a complete legal answer (UNCTAD, 2023; Aust, 2005).


The stronger conclusion is that international law is moving, unevenly and incompletely, toward a model of conditional openness. Under this model, data may move across borders, but only under legal conditions capable of protecting rights, preserving legitimate regulatory autonomy, and distributing the gains of digitalization more fairly. This does not require full harmonization. It requires functionally credible safeguards, reviewable state-access frameworks, meaningful remedies, and room for States at different levels of digital capacity to pursue legitimate policy goals without being locked into dependence (Council of Europe, 2018; OECD, 2022; UNCTAD, 2021).


That is the central doctrinal lesson of the field. The future of Cross-Border Data Flows will not be governed by a choice between absolute openness and absolute control. It will be governed by how convincingly legal systems can build institutions of trust that are not empty slogans: trust grounded in law, safeguards, oversight, and fairer distribution of digital power. International law has not yet produced a complete settlement of that challenge. It has, however, already moved far enough to show the shape of the emerging answer.


References

  1. Ashutosh. (2024) 'Cross-Border Data Flows and International Law: Navigating Jurisdictional Complexities in the Digital Age', Indian Journal of Law, 2(1), pp. 15–23.

  2. Aust, A. (2005) Handbook of International Law. Cambridge: Cambridge University Press.

  3. Burri, M. (2017) 'The Governance of Data and Data Flows in Trade Agreements: The Pitfalls of Legal Adaptation', UC Davis Law Review, 51(1), pp. 65–132.

  4. Council of Europe. (1981) Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (ETS No. 108) [online]. Available at: https://rm.coe.int/1680078b37 (Accessed: 30 March 2026).

  5. Council of Europe. (2001a) Convention on Cybercrime (ETS No. 185) [online]. Available at: https://rm.coe.int/1680081561 (Accessed: 30 March 2026).

  6. Council of Europe. (2001b) Explanatory Report to the Convention on Cybercrime (ETS No. 185) [online]. Available at: https://www.oas.org/juridico/english/cyb_pry_explanatory.pdf (Accessed: 30 March 2026).

  7. Council of Europe. (2018) Protocol amending the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (CETS No. 223) [online]. Available at: https://rm.coe.int/16808ac918 (Accessed: 30 March 2026).

  8. Council of Europe. (2022a) Second Additional Protocol to the Convention on Cybercrime on Enhanced Co-operation and Disclosure of Electronic Evidence (CETS No. 224) [online]. Available at: https://www.coe.int/en/web/conventions/full-list?module=treaty-detail&treatynum=224 (Accessed: 30 March 2026).

  9. Council of Europe. (2022b) Explanatory Report to the Second Additional Protocol to the Convention on Cybercrime on Enhanced Co-operation and Disclosure of Electronic Evidence [online]. Available at: https://rm.coe.int/1680a49c9d (Accessed: 30 March 2026).

  10. Court of Justice of the European Union. (2020) Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems (Case C-311/18), Judgment of 16 July 2020, ECLI:EU:C:2020:559.

  11. European Commission. (2023) Commission Implementing Decision (EU) 2023/1795 of 10 July 2023 pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the adequate level of protection of personal data under the EU-US Data Privacy Framework [online]. Available at: https://eur-lex.europa.eu/eli/dec_impl/2023/1795/oj/eng (Accessed: 30 March 2026).

  12. European Commission. (2024) Report from the Commission to the European Parliament and the Council on the first periodic review of the functioning of the adequacy decision on the EU-US Data Privacy Framework [online]. Available at: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex:52024DC0451 (Accessed: 30 March 2026).

  13. European Union. (2016) Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), Official Journal of the European Union, L 119, pp. 1–88.

  14. European Union. (2018) Regulation (EU) 2018/1807 of the European Parliament and of the Council of 14 November 2018 on a framework for the free flow of non-personal data in the European Union, Official Journal of the European Union, L 303, pp. 59–68.

  15. General Court of the European Union. (2025) Philippe Latombe v European Commission (Case T-553/23), Judgment of 3 September 2025, ECLI:EU:T:2025:831.

  16. González Hauck, S., Kunz, R. and Milas, M. (eds.) (2024) Public International Law: A Multi-Perspective Approach. Abingdon: Routledge.

  17. Greenleaf, G. (2017) 'Global Data Privacy Laws 2017: 120 National Data Privacy Laws, Including Indonesia and Turkey', Privacy Laws & Business International Report, 145, pp. 10–13.

  18. Human Rights Committee. (1988) General Comment No. 16: Article 17 (Right to Privacy), The Right to Respect of Privacy, Family, Home and Correspondence, and Protection of Honour and Reputation [online]. Available at: https://www.refworld.org/legal/general/hrc/1988/27539 (Accessed: 30 March 2026).

  19. Human Rights Committee. (2011) General Comment No. 34: Article 19, Freedoms of Opinion and Expression [online]. Available at: https://www.ohchr.org/sites/default/files/english/bodies/hrc/docs/gc34.pdf (Accessed: 30 March 2026).

  20. Klabbers, J. (2024) International Law. 4th edn. Cambridge: Cambridge University Press.

  21. OECD. (2021) Mapping Commonalities in Regulatory Approaches to Cross-Border Data Transfers. Paris: OECD Publishing.

  22. OECD. (2022) Declaration on Government Access to Personal Data Held by Private Sector Entities [online]. Available at: https://legalinstruments.oecd.org/en/instruments/OECD-LEGAL-0487 (Accessed: 30 March 2026).

  23. OECD. (2024) OECD Digital Economy Outlook 2024 (Volume 1): Embracing the Technology Frontier. Paris: OECD Publishing.

  24. OECD. (2025) Competition in the Provision of Cloud Computing Services. Paris: OECD Publishing.

  25. Office of the United Nations High Commissioner for Human Rights. (2022) The Right to Privacy in the Digital Age: Report of the Office of the United Nations High Commissioner for Human Rights, A/HRC/51/17 [online]. Available at: https://docs.un.org/en/A/HRC/51/17 (Accessed: 30 March 2026).

  26. Pahuja, S. (2011) Decolonising International Law: Development, Economic Growth and the Politics of Universality. Cambridge: Cambridge University Press.

  27. Svantesson, D.J.B. (2020) Data Access and Fundamental Rights: A Comparative Perspective. Oxford: Oxford University Press.

  28. United Nations. (1966) International Covenant on Civil and Political Rights, United Nations Treaty Series, 999, p. 171.

  29. United Nations. (2024) The Pact for the Future, Global Digital Compact and Declaration on Future Generations (A/RES/79/1) [online]. Available at: https://docs.un.org/en/A/RES/79/1 (Accessed: 30 March 2026).

  30. UNCTAD. (2021) Digital Economy Report 2021: Cross-Border Data Flows and Development. Geneva: United Nations.

  31. UNCTAD. (2023) G20 Members’ Regulations of Cross-Border Data Flows. Geneva: United Nations.

  32. UNCTAD. (2025) World Investment Report 2025: International Investment in the Digital Economy. Geneva: United Nations.

  33. World Trade Organization. (1994a) General Agreement on Trade in Services, in Marrakesh Agreement Establishing the World Trade Organization, Annex 1B. Geneva: World Trade Organization.

  34. World Trade Organization. (1994b) Marrakesh Agreement Establishing the World Trade Organization, United Nations Treaty Series, 1867, p. 154.

  35. World Trade Organization. (2024) Information on the Agreement on Electronic Commerce [online]. Available at: https://www.wto.org/english/tratop_e/ecom_e/information_on_agreement_ecom.pdf (Accessed: 30 March 2026).
