Raymond Yang Gao, The diffusion of a U.S. trade-based approach to international personal data transfers and its implications for national data privacy regulations, International Data Privacy Law, Volume 14, Issue 4, November 2024, Pages 352–376, https://doi-org-443.vpnm.ccmu.edu.cn/10.1093/idpl/ipae016
Acclaimed as an advanced model to regulate the digital economy, US-designed digital trade rules to regulate cross-border data flows have been increasingly dominating the international trade regime through norm diffusion, significantly expanding this template’s regulatory ‘sphere of influence’ among competing norms and standards.
From an empirical perspective, this article explores the spread of the American regulatory template in other countries’ preferential trade agreements, demonstrating how US-formulated free data flow provisions have profoundly shaped many third countries’ digital trade rulemaking.
Furthermore, this article analyses the normative implications of this trade-based approach for other countries’ domestic data privacy laws, particularly how American-style free data flow provisions may be invoked to scrutinize their EU-style ‘adequacy’ standard to regulate outbound personal data transfers.
More broadly, this article compares the normative influence of the American and European approaches to regulating international personal data transfers and discusses the implications of their regulatory rivalry for third countries’ trade and privacy rulemaking.
I. Background
As data emerge as the lifeblood of the global digital economy, the regulatory battles among great powers to establish rules for transborder personal data flows increasingly intensify. Given what is at stake, different great powers have been advancing distinct regimes, institutions, and rules to regulate this cross-cutting issue in ways aligned with their own preferences (ie, interests and values). Absent universal rules dedicated to regulating international personal data transfers,1 competing legal and regulatory approaches, each advanced by a great power, have been vying to dominate the governance of this contentious issue, which has been characterized by increasingly crisscrossing rules and complex obligations.
These competing regimes and institutions primarily include: (i) a U.S.-style trade-based approach to secure unrestricted cross-border data flows by default, crystallized in new-generation preferential trade agreements (PTAs); (ii) a European Union (EU)-led regulatory approach that conditions transfers of personal data on whether a recipient jurisdiction ensures ‘adequate’ data privacy protection in principle, as required by EU data protection law (most notably, the General Data Protection Regulation (GDPR))2; and (iii) a security-oriented approach—exemplified by China’s domestic laws and regulations—that localizes the storage and processing of data as a general rule, subject to limited exceptions (such as the security assessments under relatively onerous requirements).3 In short, the U.S., the EU, and China have adopted different regulatory approaches that serve their prioritized interests, reflect their normative values, and utilize their institutional capacities.4
Among such rivalling norms, standards, and institutions, U.S.-formulated digital trade rules have been increasingly dominating the international trade regime over time, striving to set neo-liberal regulatory standards for cross-border data flows and data privacy protection. Focused on these rules, this article addresses two different, yet related, research questions. From an empirical perspective, it examines the spread of the U.S. regulatory template in other countries’ PTAs including dedicated digital trade agreements, mapping the ‘norm diffusion’ process that has substantially elevated the prominence of this model in the trade realm. In particular, it demonstrates how the U.S.-designed free data flow provisions have significantly shaped many third countries’ international trade rulemaking, eclipsing the influence of the EU model of digital trade rules in PTAs. Secondly, through a normative lens, this article analyses the implications of this trade-based approach for other countries’ data privacy laws, particularly their GDPR-style ‘adequacy’ standard to regulate outbound personal data transfers. More broadly, it compares the normative impacts of the U.S. approach and the EU approach to cross-border data flows and discusses the implications of their regulatory competition for other countries’ trade policies and privacy rulemaking.
Importantly, U.S.-designed rules on free data flows, data localization, and data privacy protection have been increasingly disseminated among PTAs of U.S. trading partners and beyond (except for the EU). With an increasing number of countries on board, this trade-based approach’s regulatory ‘sphere of influence’ has expanded over time, contributing to its increasing prominence in the global regulatory arena. Despite the sudden drastic shift in U.S. digital trade policy in October 2023,5 such digital trade rules remain in force in the underlying PTAs.6 They have been followed by key U.S. trade partners as a set of ‘boilerplate’ clauses in bilateral, regional, and plurilateral trade negotiations,7 evincing the lasting relevance and powerful influence of this regulatory template in global trade policymaking.
While the U.S. has successfully led many countries to adopt its strong commitments to free data flows and an instrumental approach to data privacy protection in their PTAs, EU data protection law has widely diffused among third countries worldwide, with its ‘adequacy’ standard increasingly accepted by many foreign governments as a common approach to cross-border personal data transfers.8 Countries following both the U.S. and EU models to regulate transborder data flows may face a legal dilemma due to the inherent legal tensions between these two regulatory approaches. In particular, U.S.-designed digital trade rules can be invoked to challenge third countries’ data privacy regulations restricting cross-border personal data transfers—most notably, the adequacy standard modelled on EU data protection law. In this way, the enforcement of this trade-based approach to cross-border data flows may significantly restrict third countries’ policy space for data privacy protection.
The remainder of this article unfolds as follows. The second section examines U.S.-designed digital trade rules to regulate cross-border data flows, data localization, and personal data protection, canvassing the normative underpinnings of this trade-based approach. The third section delves into the diffusion of this regulatory template in the international trade regime, offering a comprehensive survey of PTAs that have adopted or emulated US-formulated rules. Particularly, it details the norm diffusion process, summarizes its salient features, and compares the PTAs modelled after the U.S. approach with the EU model of PTA provisions. Through the case study of Japan, the fourth section proceeds to analyse how American-style free data flow provisions can scrutinize a third country’s cross-border data transfer regulation following the EU’s adequacy standard. The last section situates the discussion in the broader context of the U.S.–EU regulatory race to set international standards and draws concluding remarks.
II. U.S.-designed digital trade rules to regulate cross-border data flows in new-generation PTAs
Despite the regulatory restrictions on personal data transfers within its territory,9 the U.S. federal and state privacy laws generally do not restrict cross-border transfers of personal data to an overseas jurisdiction,10 which is quite different from the EU’s ‘adequacy’ approach to outbound personal data flows. Different from American data privacy laws, however, U.S. national security laws and regulations have recently imposed mounting restrictions on the export of information (including personal data) to identified ‘countries of concern’ or ‘foreign adversary countries’.11 The Protecting Americans’ Data from Foreign Adversaries Act, effective in June 2024, generally prohibits data brokers from transferring personally identifiable sensitive data to foreign adversary countries (including China) and any entity controlled by them.12 In stark contrast with this increasingly guarded domestic approach to outbound data transfers to targeted countries, the U.S. has long strongly supported free data flows at the international level,13 pushing and pulling its trade partners to commit to removing regulatory barriers to transnational data transfers.
Such efforts can be traced back to the establishment of the World Trade Organization (WTO),14 whose legal framework includes the General Agreement on Trade in Services (GATS), which has extended multilateral trade rules to govern trade in services and, by implication, international data flows.15 However, the GATS—drafted in a pre-Internet era—remains inadequate for regulating the digital trade activities that have rapidly evolved since its creation.16 Moreover, multilateral trade negotiations on rules for cross-border data flows have been at a standstill for a long time, due to the divergence between developed and developing countries and between the U.S. and the EU.17 To circumvent the stagnated WTO negotiations on this contentious issue, the U.S. has been shifting the focus of its trade lawmaking initiatives from the multilateral forum to bilateral, plurilateral, and regional PTAs,18 where it can better leverage asymmetrical power to push for its preferred norms and achieve group-wide consensus.
Pursuing its digital trade agenda (reflecting and serving the interests of American digital firms and service companies),19 the U.S. has played an indispensable role in the negotiations of the Trans-Pacific Partnership (TPP) Agreement, whose e-commerce chapter contained novel provisions to implement and enforce the ‘Digital Dozen principles’.20 While former President Trump withdrew from the TPP in 2019, this treaty’s entire e-commerce chapter was incorporated almost verbatim into the Comprehensive and Progressive Agreement for Trans-Pacific Partnership (CPTPP), another mega-regional trade treaty concluded among the remaining 11 TPP parties.21 In addition, the U.S. successfully negotiated the U.S.–Mexico–Canada Agreement (USMCA), whose digital trade chapter largely adopted the content of the TPP, though with certain modifications. Together, the TPP, CPTPP, and USMCA represent U.S.-designed new-generation PTAs that purport to establish an international benchmark to regulate digital trade and the digital economy.22
To unpack the normative content of the U.S. trade-based approach, this section examines its rules to regulate sensitive issues of cross-border data transfers, data localization, and data privacy protection.
A. Binding and enforceable commitments for cross-border data flows and against data localization
Before delving into the rules of the TPP or CPTPP, it is worth noting two prior PTAs. The first PTA that contained an explicit provision to regulate cross-border data flows was the 2004 Dominican Republic–Central America Free Trade Agreement (CAFTA–DR), which was concluded by the U.S., Costa Rica, El Salvador, Guatemala, Honduras, Nicaragua, and Dominican Republic in 2004.23 Under a provision titled ‘cooperation’ in the e-commerce chapter, the CAFTA–DR highlighted ‘the importance of working to maintain cross-border flows of information as an essential element in fostering a vibrant environment for electronic commerce’.24 A stronger commitment was made in the 2007 Korean–U.S. free trade agreement (KORUS), which stated that ‘the Parties shall endeavor to refrain from imposing or maintaining unnecessary barriers to electronic information flows across border’.25
Nevertheless, in both cases, these ‘soft-law’ provisions remain unenforceable through international adjudication, since their aspirational language does not strictly prohibit illegitimate barriers to international data flows.26 This status quo has been effectively altered by U.S.-led PTAs, such as the TPP and USMCA.
(a) The treaty obligations of the Trans-Pacific Partnership Agreement
Different from prior PTAs, the e-commerce chapter of the TPP contains binding and enforceable commitments on free cross-border data flows, as well as a prohibition on data localization, reflecting the keen demands of U.S. Internet firms and service industry.27
Article 14.11 of the treaty stipulates a ‘hard’ rule to ensure unrestricted cross-border information transfers by default: ‘[e]ach Party shall allow the cross-border transfer of information by electronic means, including personal information, when this activity is for the conduct of the business of a covered person.’28 The term ‘personal information’ is defined as ‘any information, including data, about an identified or identifiable natural person’.29 As required by this ‘free data flow’ provision, cross-border transfers of personal data for business purposes must be unrestricted in general.
In parallel, Article 14.13 provides that ‘[n]o Party shall require a covered person to use or locate computing facilities in that Party’s territory as a condition for conducting business in that territory’.30 Nonetheless, both Articles 14.11 and 14.13 recognize a party’s sovereign autonomy to maintain ‘its own regulatory requirements’ on cross-border transfers of information and the use of computing facilities (‘right to regulate’).31
Unlike the sector-specific commitments of the GATS, such horizontal provisions of the TPP are broad and comprehensive in scope, creating robust protection for cross-border data flows across various economic sectors (except for financial services).32 In particular, under Article 14.11, the commitments to free cross-border data transfers protect against de jure and de facto data localization measures. Different from mandatory (de jure) localization requirements, de facto localization measures typically implement stringent data transfer restrictions to pressure or incentivize foreign firms to store and process data within a state.33 By imposing restrictive regulatory conditions on outbound data transfers to protect public policy goals or interests (such as data privacy or cybersecurity), such a measure can make data exports costly, risky, and burdensome in practice, potentially rendering them unwise for data-reliant businesses.34
As safety valves to depart from the aforementioned default rules, Articles 14.11 and 14.13 of the TPP stipulate legitimate public policy exceptions for states to restrict cross-border data flows or to localize computing facilities, though subject to relatively stringent conditions.35 Largely modelled on WTO general exceptions (that set a high hurdle for respondent states to successfully invoke),36 these requirements include a ‘chapeau’ and a ‘necessity’ test. Under the ‘chapeau’ test, an impugned measure must not be ‘applied in a manner which would constitute a means of arbitrary or unjustifiable discrimination or a disguised restriction on trade’, reflecting the language of the chapeau (introductory clause) of GATT/GATS general exceptions.37 As required by the ‘necessity’ test, restrictions on cross-border data transfers (or the location or use of computing facilities) must not be ‘greater than are required to achieve the objective’.38 In other words, the regulatory restrictions imposed should be necessary to attain the relevant public policy goal(s).
While an in-depth doctrinal analysis of the ‘chapeau’ and ‘necessity’ criteria will be detailed in the fourth section, it bears noting here that WTO general exceptions (in GATT and GATS) were formulated in relatively stringent terms: they were successfully invoked in only two cases over thirty years, and trade adjudicators have consistently interpreted such clauses narrowly.39
(b) The treaty obligations of the US–Mexico–Canada Agreement
Building on the template of the TPP, the USMCA introduces several modifications to strengthen the rules for free data flows and against data localization. First, the USMCA deletes the TPP’s language that recognizes a state’s sovereign right to regulate cross-border data flows and the use of computing facilities,40 apparently making such commitments more absolute. Secondly, in the provision to ban ‘computer localization’, the USMCA removes the public policy exceptions altogether.41 This modification has further sharpened this rule by substantially restricting states’ regulatory autonomy to depart from this default setting. Thirdly, while largely adopting the TPP’s free data flow provision, the USMCA adds a footnote to explain the ‘necessity’ test under the public policy exceptions.42 It clarifies that a domestic measure would fail the necessity assessment if ‘it accords different treatment to data transfers solely on the basis that they are cross-border in a manner that modifies the conditions of competition to the detriment of service suppliers of another Party.’43
Consistent with the prevailing interpretation of WTO general exceptions, this clarification emphasizes the objective nature of the necessity test, and does not recognize regulatory intent as a relevant factor in the assessment.44 Instead, adjudicators should review the objective economic impacts of the measure on the competitive conditions of foreign service suppliers. In addition, this footnote can be construed as imposing a non-discrimination condition, requiring data transfer restrictive measures not to discriminate solely based on the cross-border nature of the transfers.45 In other words, it rejects the presumption that international transfers of data, in and of themselves, create greater risks to states’ legitimate public policy objectives than do domestic data flows.46 Instead, the respondent state should show how its policy goals or interests may be compromised with concrete evidence.
B. The data protection provisions of the U.S. regulatory template
Another pillar of the U.S. template to regulate cross-border data flows is the provisions on data privacy protection. The following analysis delves into key components of such rules.
(a) The data protection provision of the Trans-Pacific Partnership Agreement
The TPP’s provision on personal data protection commences with the recognition of ‘the economic and social benefits of protecting the personal information of users of electronic commerce and the contribution that this makes to enhancing consumer confidence in electronic commerce’.47 As noted by commentators, this language aligns with and reflects the U.S. data privacy paradigm’s dominant conceptualization, which frames individuals’ information privacy as a consumer right or interest in the marketplace.48
Different from prior PTAs, the TPP stipulates stronger data protection obligations. Article 14.8.2 requires states to ‘adopt or maintain a legal framework’ to protect the personal information of e-commerce users, taking into consideration ‘principles and guidelines of relevant international bodies’.49 This obligation was regarded as a means to alleviate concerns about the risks to data privacy protection posed by liberalizing data flows among TPP parties.50
Nevertheless, the TPP only requires the existence of such a legal framework as sufficient, without examining the merits of domestic data privacy systems. For that purpose, the TPP allows states to take different approaches to protecting personal data.51 As clarified by a footnote that was ‘clearly drafted by U.S. negotiators’,52 states can satisfy the obligation to implement a data protection framework by taking different legal approaches, including sector-specific privacy laws or laws providing for the enforcement of voluntary privacy commitments by companies (as an institutional alternative to comprehensive data privacy laws).53
This permissive stance on personal data protection is starkly different from the TPP’s strong protection of free data flows, which requires privacy-based data transfer restrictions to be strictly justified.54 While recognizing the importance of personal data protection, the TPP limits and constrains national data privacy regulations from unduly restricting international trade.55 This position demonstrates a prominent feature of the U.S. model to regulate cross-border data transfers and data privacy protection: establishing the ‘primacy of trade over privacy’.56
Furthermore, the TPP’s data protection provision allows substantial policy space for states to maintain different data privacy regimes. An outlier in its national legal system for data privacy, the U.S. takes a sectoral, patchwork approach to protecting information privacy, relying on a mix of narrowly targeted, sector-specific laws, and regulations as well as business self-regulation.57 Under this sectoral approach, industry self-regulation has long been the primary source for setting the terms and conditions for consumers’ data privacy.58 This explains why the U.S. inserted the said footnote to ensure that its domestic data privacy law is permitted under the TPP.59
As such, the TPP has redefined data privacy rules as instrumental ‘tools of international trade’, manifesting an economic approach to protecting personal data.60 Rather than fundamental rights or human rights, data privacy protection is normalized under the TPP as an ancillary value that is subordinated to international trade, and which plays an instrumental role in building trust in e-commerce and facilitating global economic flows.61 As argued by Svetlana Yakovleva, even if data privacy can be accurately quantified in the wealth maximization calculus (which can be difficult to do), the ‘optimal’ level of protection under this economic approach to data privacy protection would be lower than that determined by the EU’s fundamental rights-rooted approach, since the former approach does not factor in the intrinsic value of data protection and privacy as fundamental rights.62
Finally, recognizing that divergent national data privacy laws can create trade barriers for digital firms, the TPP points to some preliminary solutions. In addition to imposing non-discriminatory and transparency requirements,63 the TPP provides that ‘each Party should encourage the development of mechanisms to promote compatibility between these different regimes’.64 As noted by Anupam Chander and Paul Schwartz, the quoted language mirrors US corporate interests’ project in the early 2000s to ‘reorient international data privacy law around concepts of “interoperability” and “accountability”’.65 Likewise, the Obama administration’s 2012 report (‘Consumer Data Privacy in a Networked World’) committed to increasing ‘interoperability in privacy laws by pursuing mutual recognition, the development of codes of conduct through multistakeholder processes, and enforcement cooperation’, in order to reduce regulatory barriers to cross-border data flows.66
(b) The data protection provision of the U.S.–Mexico–Canada Agreement
The USMCA adopts the TPP’s provision on personal data protection, but adds three new features to further consolidate and refine the economic approach to data privacy protection.
First, the USMCA adds a clarification: ‘any restrictions on cross-border flows of personal data (must be) necessary and proportionate to the risks presented.’67 Focused on preventing regulatory overkill, this clause can provide context for trade adjudicators to interpret the ‘necessity’ condition under the aforementioned public policy exceptions, suggesting a cost–benefit assessment to examine the proportionality of a measure to associated risks. While desirable in general, national data privacy regulations should refrain from creating ‘unnecessary’ barriers to free data flows, with the “necessity” determined by a balancing test that weighs the benefits and costs of a measure against the risks concerned.
Secondly, as examples of ‘principles and guidelines of relevant international bodies’ that a state should consider when developing a domestic data protection framework, the USMCA explicitly refers to soft law instruments of the APEC Privacy Framework and the OECD Recommendation of the Council concerning Guidelines Governing the Protection of Privacy and Transborder Flows of Personal Data (2013) (‘OECD Guidelines’), as well as certain key principles of data protection (ie, ‘limitation on collection; choice; data quality; purpose specification; use limitation; security safeguards; transparency; individual participation; and accountability’).68
Thirdly, unlike the TPP, which does not propose a specific mechanism to promote ‘compatibility’, the USMCA expressly recognizes the APEC Cross-Border Privacy Rules (CBPR) system as ‘a valid mechanism to facilitate cross-border information transfers while protecting personal information’.69
(c) The OECD Guidelines and APEC Privacy Framework: an economic approach to data privacy protection
While the USMCA’s enumerated ‘key principles of data protection’ reflect some of EU data protection principles,70 the OECD Guidelines and APEC Privacy Framework manifest an economically driven and instrumental approach to data privacy protection, rather than the European human rights approach.71 While data privacy concerns are present in these instruments, the economic rationale is predominant. Substantively, these instruments establish a lower set of data privacy standards than EU data privacy law.
An updated version of the 1980 Guidelines, the 2013 OECD Guidelines retain the dominant economic rationale underlying its predecessor, primarily focused on promoting cross-border personal data flows and minimizing regulatory restrictions thereon.72 With respect to data privacy protection, the 2013 OECD Guidelines incorporate the eight core principles of the original Guidelines, which were written at a high level and not very prescriptive.73
Similarly, the APEC Privacy Framework, largely modelled on the OECD Guidelines, is ‘a voluntary set of standards designed to protect personal data transferred outside the APEC member States by use of the principle of “accountability”’.74 As stated in its preamble, this Framework, though reaffirming the value of individuals’ data privacy, ‘aims at promoting electronic commerce’.75 Rather than intrinsic human rights, data privacy protection is conceptualized as an instrumental tool to address commercially harmful regulatory barriers to cross-border data flows, bolster consumer confidence, and develop digital trade.76 Thus, the APEC Privacy Framework is designed to facilitate cross-border data flows, aligned with the overarching goal of promoting trade among APEC members.77
While consistent with the OECD Guidelines’ core principles, the Framework’s data privacy standards are generally lower than those of European data privacy law, and come ‘with a mild prescriptive bite’.78 As a principles-based model, the Framework also leaves member economies with considerable flexibility to implement it in ways that reflect their social, economic, legal, and cultural differences.79 Rather than prescribing how it should be implemented in a specific way, the Framework allows numerous approaches to implementation, ranging from legislation to business self-regulation.80 Finally, many principles of the Framework are subject to extensive derogations, which are permitted under more lenient conditions compared to EU data protection law.81
Furthermore, aligned with the TPP/CPTPP’s free data flow provisions, the OECD Guidelines and APEC Framework establish the default rules for the free transborder flows of personal data. Meanwhile, they primarily rely on the accountability principle to protect data privacy.
In this regard, the OECD Guidelines generally permit international transfers of personal data, while allowing national regulators to restrict data flows under limited conditions.82 Under the 2013 Guidelines, a Member State ‘should refrain from restricting transborder flows of personal data’, where (i) the recipient country ‘substantially observes these Guidelines’ or (ii) a data controller maintains ‘sufficient safeguards’ (including ‘effective enforcement mechanisms and appropriate measures’) ‘to ensure a continuing level of protection consistent with these Guidelines’.83 Relatedly, the Guidelines require data controllers to remain accountable for personal data under their control, even when the data are transferred abroad.84
Likewise, the APEC Privacy Framework does not expressly permit Member States to restrict or ban cross-border personal data flows to jurisdictions with insufficient levels of data protection. Rather, it relies on the principle of ‘accountability’ to protect consumers’ data privacy.85 As an organisation-based approach to regulating cross-border data transfers, the ‘accountability’ standard makes data exporters accountable for ensuring the continued protection of personal data transferred to another organization based on the APEC Privacy Framework, regardless of the recipient’s location.86
(d) The APEC CBPR system—a voluntary accountability mechanism to facilitate cross-border personal data flows
Established by the APEC in 2011, the CBPR system is a regional accountability mechanism to regulate cross-border personal data transfers among APEC member economies.87 By design, it is a government-backed data privacy certification mechanism in which companies (ie, data controllers) can opt-in to demonstrate their compliance with the APEC Privacy Framework’s data privacy standards.88 Through the CBPR system, certified firms and governments of the participating economies work together to ensure that personal data flowing across borders are protected by the privacy standards prescribed thereunder, and are legally enforceable across these jurisdictions.89
Specifically, following a government’s participation in the CBPR system, an applicant company should implement privacy policies and practices (for personal data collected or received by them and subject to transfers to another participatory economy) and apply for certification from an APEC-recognized independent accountability agent (which can be a private actor).90 Once certified as compliant with CBPR programme requirements,91 these privacy policies and practices become binding and enforceable against the company in that APEC economy.92 For oversight and enforcement purposes, an accountability agent would monitor certified companies’ compliance and handle data subjects’ complaints; and a privacy enforcement authority (a designated public body) should review complaints and issues that cannot be resolved by the accountability agent and take enforcement actions when appropriate.93
Among the GDPR’s various accountability mechanisms for personal data transfers, the CBPR system is perhaps most similar in structure to the EU–U.S. Data Privacy Framework.94 Designed to implement the APEC Privacy Framework, the CBPR mechanism essentially imposes a minimum set of data privacy standards on certified data controllers, creating a voluntary opt-in mechanism overseen by accountability agents and public authorities.95 In addition to its basic opt-in structure, the CBPR system allows third-party private organisations to certify companies’ privacy policies and practices and to monitor their compliance, largely featuring a self-regulation model of data privacy protection.96
Through the CBPR system, certified firms are entitled to transfer personal data to overseas recipients (whether a foreign affiliate or another company) in participatory economies.97 For instance, certified Japanese companies can transfer personal data to CBPR-compliant US firms without a decision from Japanese authorities that US data privacy law is adequate or sufficient.
While CBPR can establish a privacy floor consistent with the APEC Privacy Framework, whether this level of data protection is sufficient is controversial. As noted earlier, the data privacy standards of the APEC Privacy Framework, a ‘principles-based’ model that CBPR aims to implement, are generally lower and less prescriptive than European data privacy law and are subject to broad derogations under more lenient criteria.98 Accordingly, the level of data protection provided by CBPR is in many ways weaker than that of the GDPR.99 Compared with the GDPR, the CBPR system imposes laxer conditions for cross-border personal data transfers and does not require notification to supervisory authorities or data subjects in case of data breaches.100
In particular, as an alternative to obtaining the consent of data subjects for cross-border data transfers, CBPR permits data controllers to ‘exercise due diligence and take reasonable steps’ to ensure that the data recipient will protect the transferred data in accordance with the APEC Privacy Framework’s principles.101 But it is unclear what legal standards (if any) should apply to determine ‘due diligence’ or ‘reasonable steps’, as both the CBPR system and APEC Privacy Framework are principles-based.102 In contrast, absent data subjects’ explicit consent, the GDPR allows cross-border transfers of personal data only where the recipient jurisdiction or party provides a level of data protection that is equivalent to EU standards, unless other narrowly formulated grounds of derogations are satisfied.103
In addition, it is unclear how CBPR may be enforced in practice. In the U.S., the Federal Trade Commission (FTC) is the designated privacy enforcement authority. Thus far, the FTC’s enforcement of CBPR appears to be infrequent, compared with European data privacy authorities’ vigorous enforcement of EU data privacy law.104
III. The policy diffusion of the U.S. model to expand its regulatory ‘sphere of influence’
At the international level, U.S.-formulated digital trade rules regarding free data flows, data localisation, and personal data protection have increasingly diffused among third countries, influencing a growing number of foreign governments’ international trade rulemaking.
A. The U.S.-designed provisions on free data flows and data localization
While existing PTAs feature heterogeneous data-related provisions with varying formulations, U.S.-designed provisions have been acting as a widely adopted template of boilerplate clauses for other PTAs to follow, thus significantly shaping the international regulatory environment.105 This regulatory template’s normative influence is most evident in the global diffusion of the free data flow provisions and, to a lesser extent, the rules on data localisation.
(a) The norm diffusion of the U.S. template
Even before the advent of binding PTA provisions on this matter, the CAFTA–DR’s ‘soft law’ approach to cross-border data flows was widely emulated in other countries’ PTAs in the e-commerce chapters.106 As noted by commentators, the CAFTA–DR’s aspirational formulation—recognizing the importance of free data flows and encouraging inter-governmental cooperation—dominated international trade rulemaking until 2014, as this provision was replicated in at least 14 subsequent PTAs signed before 2016.107
These PTAs include the 2006 Singapore–Panama PTA, 2006 Taiwan–Nicaragua PTA, 2007 US–Panama PTA, 2008 Canada–Peru PTA, 2008 Canada–Colombia PTA, 2011 Korea–Peru PTA, 2011 Central America–Mexico PTA, 2013 Colombia–Costa Rica PTA, 2013 Canada–Honduras PTA, 2014 Pacific Alliance Additional Protocol (PAAP) between Colombia, Peru, Mexico, and Chile, 2014 Mexico–Panama PTA, 2014 Canada–Korea PTA, 2015 PAAP (amended), and 2015 Japan–Mongolia PTA.108 As such, the diffusion occurred when key US trade partners (eg, Singapore, Canada, Korea, Japan) adopted the norm in bilateral trade lawmaking, or when parties to the CAFTA–DR (such as Costa Rica, Honduras, and Nicaragua) incorporated the provision in new PTAs.109
Among these PTAs, the 2014 Mexico–Panama PTA was the first treaty to adopt a new, binding obligation on cross-border data flows.110 But its formulation remains an outlier among PTAs and has not gained much traction in diffusing to other treaties.111
After 2014, new binding PTA provisions emerged to liberalize cross-border transfers of information and to remove the relevant domestic regulatory barriers, with the most widely used template formulated during TPP negotiations.112 The first PTA in this category was the 2015 PAAP concluded by Colombia, Peru, Mexico, and Chile.113 With its negotiations occurring concurrently with the 2016 TPP (to which Peru, Mexico, and Chile were also parties), the 2015 PAAP contained a provision essentially modelled on the TPP’s negotiated text on free data flows.114
Despite the U.S.’s withdrawal, the TPP’s free data flow provision was subsequently adopted without changes by the remaining 11 Asia-Pacific negotiating partners into the 2018 CPTPP.115 Furthermore, such rules have been extensively incorporated into numerous PTAs including dedicated digital trade agreements as boilerplate clauses to regulate cross-border data flows.116 Notwithstanding the nuances in the specific formulations of such treaties, these neo-liberal rules have been acting as a highly influential regulatory template in the international trade regime.
Among these PTAs, the 2016 Singapore–Australia FTA (SAFTA), 2020 Singapore–Australia Digital Economy Agreement (SADEA), 2020 Digital Economy Partnership Agreement (DEPA) between Chile, New Zealand, and Singapore, 2021 Australia–UK FTA, 2022 Pacific Alliance–Singapore FTA, 2022 New Zealand–UK FTA, 2022 UK–Singapore Digital Economy Agreement (UKSDEA), 2022 Korea–Singapore Digital Partnership Agreement (KSDPA), and 2023 UK–Ukraine Digital Trade Agreement (UKUDTA) repeated almost verbatim the free data flow provisions of the TPP/CPTPP.117
A variation of the formulation exists among the 2016 Chile–Uruguay FTA, 2017 Argentina–Chile FTA, 2018 Singapore–Sri Lanka FTA, 2018 Australia–Peru FTA, 2018 Brazil–Chile FTA, 2019 Australia–Hong Kong FTA, 2020 Chile–Ecuador FTA, and 2021 Chile–Paraguay FTA. While these PTAs’ free data flow provisions were built on the TPP/CPTPP template, their public policy exceptions specified only the ‘chapeau’ requirements, without imposing the necessity test.118 Another variation was the 2019 Australia–Indonesia Comprehensive Economic Partnership Agreement (CEPA): though retaining the public policy exceptions with only a chapeau test, it added a security-based exception to carve out ‘any measure that (a Party) considers necessary for protection of its essential security interests’.119
A final variation of the template emerged among U.S.-led PTAs and their subsequent emulators, as their free data flow provisions were further strengthened on the basis of the TPP/CPTPP template. As noted earlier, the USMCA’s free data flow provision omitted the reference to a state’s sovereign right to regulate cross-border data flows and added a clarification footnote to sharpen the necessity requirements under the public policy exceptions.120 The US–Japan Digital Trade Agreement (DTA) adopted the USMCA’s free data flow provision without much modification.121 Likewise, the 2020 UK–Japan CEPA and 2023 Canada–Ukraine FTA followed this formulation, though removing the aforementioned footnote.122
In parallel with their free data flow provisions, the TPP/CPTPP’s rules on data localization have also been disseminated among other PTAs, though with more variations and nuances.
In addition to the CPTPP, the TPP’s provision on data localization has been closely replicated in the 2016 SAFTA, 2020 SADEA, 2020 DEPA, 2021 Australia–UK FTA, 2022 Singapore–Pacific Alliance FTA, 2022 New Zealand–UK FTA, 2022 UKSDEA, 2022 KSDPA, and 2023 UKUDTA.123 On top of the TPP/CPTPP template, the 2018 USMCA and 2019 US–Japan DTA reinforced the protection against data localization, as they removed the public policy exceptions and the reference to a state’s right to regulate.124 Representing a middle ground, the 2020 UK–Japan CEPA and 2023 Canada–Ukraine FTA adopted the TPP/CPTPP ban on data localization and retained the public policy exceptions, but deleted the recognition of states’ right to regulate.125
Another group of TPP/CPTPP-inspired PTAs are the 2016 Chile–Uruguay FTA, 2018 Singapore–Sri Lanka FTA, 2018 Australia–Peru FTA, 2018 Brazil–Chile FTA, 2019 Australia–Hong Kong FTA, 2020 Chile–Ecuador FTA, and 2021 Chile–Paraguay FTA. While following the TPP/CPTPP provision on data localization, these PTAs slightly deviated from its formulation by removing the necessity test in the public policy exceptions, instead retaining only the chapeau requirements thereunder.126 Among this group, a variation was the 2019 Australia–Indonesia CEPA. Although adopting the TPP/CPTPP rules on data localization, this treaty exempted existing localization measures from the prohibition.127 In addition to the public policy exceptions (with only the chapeau condition), it added a self-judging ‘essential security’ exception.128 Besides, a variant was the 2017 Argentina–Chile FTA: while modelled on the TPP/CPTPP template, its provision on data localization was formulated in a non-binding fashion.129
Aside from the aforementioned PTAs, there has been an exceptional outlier—the Regional Comprehensive Economic Partnership (RCEP) between ASEAN members (including Singapore), China, Japan, Korea, Australia, and New Zealand. While its e-commerce chapter adopted the TPP/CPTPP template’s binding rules for free data flows and against data localization,130 the RCEP substantially deviated from that model by making such commitments unenforceable. Under the public policy exceptions, the RCEP retained the chapeau requirements but replaced the objective necessity condition with a self-judging test.131 In addition, the RCEP inserted a self-judging ‘essential security’ exception to prevent ‘any measure that (a Party) considers necessary for the protection of its essential security interests’ from being disputed.132 Furthermore, the treaty’s e-commerce chapter was wholly shielded from international dispute settlement.133
Though apparently paradoxical, these ‘binding-yet-unenforceable’ rules were the result of a compromise, which was struck between Japan-led negotiating parties (that pushed for the adoption of the TPP/CPTPP template) and China (which insisted on self-judging exceptions and objected to using international adjudication to enforce the e-commerce chapter’s provisions).134 By successfully leveraging its immense bargaining power, China has selectively reshaped the TPP/CPTPP template based on its preferences and vision. Aligned with its security-oriented domestic data governance regime, China has secured sufficient policy space to maintain stringent control over outbound data flows, while repurposing U.S.-designed rules to facilitate inbound data flows to its territory.135 By and large, these provisions reflect China’s broader trade approach to cross-border data flows, and China has submitted the self-judging ‘essential security’ exception to WTO e-commerce negotiations.136 After the RCEP, these provisions were closely emulated by the 2023 ASEAN–Australia–New Zealand FTA (AANZFTA) (updated),137 reflecting the normative influence of this approach on many ASEAN countries.
As shown in these instances, the diffusion of the TPP/CPTPP template has been concentrated in America and Asia. In the norm diffusion process, the U.S. and its key trade partners and allies (eg, Singapore, Australia, Japan, the UK, Canada) have acted as major drivers for disseminating this regulatory model to other countries.138 After the TPP was finalized (although not formally ratified), its parties (including advanced and developing economies) have adopted or emulated its rules on free data flows and data localization in their PTAs with other trade partners over time, though with some variations in the formulations.
Given the absence of the U.S. as a negotiating party to most of such PTAs, the causal mechanism of ‘coercion’ cannot adequately explain the phenomenon of norm diffusion. Rather, these governments tend to perceive US-designed digital trade rules as an ‘advanced’ model (if not the ‘gold standard’) to regulate digital trade and develop the digital economy, reflecting the prevailing normative influence of neo-liberal trade discourse (eg, liberalized trade ‘lifts all the boats’) in global digital trade policymaking.139 Additionally, when a direct competitor, such as a neighbouring country with similar market conditions or policy goals, has adopted such rules, a state may come under pressure to follow suit in order to secure a competitive edge in regional or global markets.140
Moreover, among the TPP/CPTPP-inspired provisions on free data flows and data localisation, the depth of commitments and extent of legalisation are not uniform. North–North PTAs, where the U.S. is not a party, tend to most closely follow the TPP/CPTPP template.141 Building on that model, North–South PTAs often adapt the public policy exceptions to afford states more leeway for taking data transfer restrictive measures, with the RCEP at the far end of the spectrum.142 The U.S.-led PTAs (the USMCA and U.S.–Japan DTA) and the UK–Japan CEPA are the treaties that promise to liberalize data flows and remove regulatory barriers to the greatest extent.143
Notwithstanding their variations and nuances, these TPP/CPTPP-style free data flow provisions (except for the RCEP and AANZFTA as outliers) have established the default rules to ensure unrestricted cross-border transfers of information (including personal data). In so doing, these PTAs require domestic data transfer restrictive measures (including national data privacy laws) to be justified as legitimate exceptions under the chapeau test and/or the necessity condition. Modelled on the TPP/CPTPP template, these PTA provisions sharply diverge from the EU’s trade approach to cross-border data transfers.
(b) The EU model of digital trade rules as a competing template
With a much more cautious general approach to digital trade, the EU has not concluded treaties with binding horizontal provisions on cross-border data flows until recently.144 Rather, cross-border transfers of personal data have long been channelled through the European Commission’s adequacy decisions, which have been deployed to ensure an essentially equivalent level of data protection in third countries.145 But since 2018, the EU has repositioned itself towards a new regulatory template in PTAs. In that year, the EU promulgated its model provisions to regulate cross-border data flows and personal data protection (‘EU model provisions’),146 which have crystallized the EU’s new approach to promote commercial data flows in ways aligned with its high-standard data protection rules.
Different from the U.S. template, the EU model provisions oblige the parties to ensure cross-border data flows by prohibiting an enumerated list of de jure ‘data localization’ measures.147 These prohibited measures include the requirements to localize the storage and processing of data, the mandatory use of local computing facilities or network elements for data processing (as such, or as a precondition for cross-border data transfers), and a ban on storing or processing data abroad.148
Falling short of setting a general rule for unrestricted data flows (as the TPP/CPTPP provisions do), the EU template’s commitments to facilitating data flows are, by design, conditioned by a ‘negative list’ of specific prohibited measures, which has carved out ex ante the EU’s and its Member States’ data protection laws that may restrict cross-border personal data transfers.149
Further, EU model provisions not only explicitly recognize the fundamental right nature of personal data protection and privacy, but also contain a broadly framed ‘self-judging’ exception for domestic data privacy rules, regardless of their restrictions on cross-border personal data transfers.150 This exception states that ‘(e)ach Party may adopt and maintain the safeguards it deems appropriate to ensure the protection of personal data and privacy, including through the adoption and application of rules for the cross-border transfer of personal data. Nothing in this agreement shall affect the protection of personal data and privacy afforded by the Parties’ respective safeguards.’151
Conceptually, this exception explicitly recognizes data privacy rules to regulate cross-border personal data flows as a legitimate regulatory tool to safeguard individuals’ fundamental rights, rather than as potential trade-restrictive measures in need of justification by states under an objective necessity test.152 Instead, with a subjective necessity test in place, the EU template has exempted such rules from international adjudication under trade treaties a priori.
Combined, the EU adopts this approach to remove specific barriers to data flows that it perceives as particularly problematic, while securing sufficient regulatory autonomy to protect the fundamental rights to privacy and data protection. While also addressing ‘digital protectionism’, this model sets the limits for the liberalization of transborder data flows, as it precludes the invocation of trade rules to challenge or undermine high-standard data protection laws, including the Commission’s adequacy decisions and cross-border personal data transfer mechanisms.153
This EU template has been incorporated into the 2023 EU–New Zealand FTA, 2023 EU–Chile FTA, and 2023 European Free Trade Association–Moldova FTA.154 Moreover, these EU model provisions have also been closely followed by the 2020 EU–UK Trade and Cooperation Agreement (TCA), 2021 Iceland–Liechtenstein–Norway–UK FTA, and 2024 Protocol Amending the EU–Japan Economic Partnership Agreement, though with some modifications.155 Meanwhile, the EU has included such model provisions in its proposals for currently negotiated PTAs with Australia, Indonesia, and Tunisia, as well as in its submission to WTO e-commerce negotiations.156 Given that the UK, New Zealand, Chile, and Japan have already signed up to American-style digital trade rules, it is noteworthy that they have adapted their approaches to accept EU horizontal provisions when entering into PTAs with the EU.
In addition to showing the normative influence of this model, such developments evince the EU’s efforts to shape international trade agreements in ways that are aligned with its strong commitments to high-standard data privacy protection, while countering the increasing diffusion of the U.S.-designed template among its trade partners.
B. The U.S.-designed provisions on personal data protection
Compared with the rules on free data flows and data localisation, the diffusion of U.S.-formulated data protection provisions is more of a mixed bag.
(a) The norm diffusion of the U.S. template
Recall that the data protection provisions of the TPP and CPTPP contain the following norms: the recognition of the economic benefits of personal data protection, the requirements to implement a domestic legal framework to protect personal data (without regard to the level of protection provided), the non-discriminatory and transparency requirements, the recognition that states may take different data protection approaches, and the desirability to promote compatibility among different legal regimes.157 These normative elements have been closely emulated by the 2016 SAFTA, 2018 Australia–Peru FTA, 2019 Australia–HK FTA, 2020 SADEA, 2020 DEPA, 2020 UK–Japan CEPA, 2021 Australia–UK FTA, 2022 New Zealand–UK FTA, 2022 UKSDEA, 2022 KSDPA, 2023 UKUDTA, and 2023 Canada–Ukraine FTA.158 Some of these PTAs have also adopted or emulated the USMCA’s key principles of data protection.159
Again, North–North PTAs generally have more closely followed the data protection provisions of the TPP/CPTPP template. In comparison, many North–South PTAs incorporated some, but not all, of their core elements, with some treaties adopting adaptations or new features.160
Building on the TPP/CPTPP model, the 2018 USMCA and 2019 U.S.–Japan DTA attempted to constrain a state’s regulatory autonomy to the utmost, as they added a clause to recognize the importance of ‘ensuring that any restrictions on cross-border flows of personal information are necessary and proportionate to the risks presented’.161
Relatively, the integration of the CBPR mechanism into PTAs has met with the least success. Among TPP/CPTPP-inspired PTAs, only the 2018 USMCA, 2020 SADEA, and 2022 KSDPA explicitly recognized the CBPR system as ‘a valid mechanism to facilitate cross-border information transfers while protecting personal information’.162 The SADEA also referred to the APEC CBPR system, alongside the OECD Guidelines, as part of the international standards that a state should consider when developing its data protection framework.163 In addition, this treaty went a step further by asking the parties to jointly promote the CBPR system to improve its visibility and industry participation.164
While the U.S.–Japan DTA does not mention it, Japan’s amended national data protection law has explicitly recognized the APEC CBPR system as a valid mechanism for cross-border transfers of personal information.165 Likewise, in June 2020, Singapore amended its personal data protection law to recognize the APEC CBPR and Privacy Recognition for Processors (PRP) systems as valid mechanisms to transfer personal data abroad.166
Realizing the relative lack of momentum during trade negotiations, the U.S. has taken new initiatives to advance the CBPR system. In April 2022, the USA, along with other Asia-Pacific economies, created the Global CBPR Forum (the ‘Forum’) to develop an international certification system (consisting of the ‘Global CBPR and PRP systems’, and modelled on the APEC CBPR and PRP systems), in order to ‘promote interoperability and help bridge different regulatory approaches to data protection and privacy’.167 In April 2023, the Forum established the Global CBPR Framework—based on the APEC Privacy Framework and aligned with the OECD Guidelines’ core principles—in an effort to lay the groundwork for a global approach to cross-border personal data transfers.168
(b) Strategic objectives behind the norm diffusion and promotion
Overall, the diffusion of TPP/CPTPP-style data protection provisions and U.S.-led initiatives to promote CBPR could advance important strategic goals for the U.S. as follows.
First, the data protection provisions shaped by the TPP/CPTPP template have crystallized the latter’s economic approach to data privacy protection, prompting the relevant treaty parties to treat data privacy as an ancillary trade value and an instrumental tool to boost digital trade.169 For instance, among PTAs modelled on the TPP/CPTPP template, most of their data protection provisions have closely copied the language that recognizes ‘the economic and social benefits of protecting the personal information of users of electronic commerce and the contribution that this makes to enhancing consumer confidence in digital trade’.170 While there is nothing inherently wrong with such language, this formulation implicitly borrows the U.S. data privacy regime’s conceptual framing of data privacy as a matter of consumer protection.171 In so doing, the treaty parties are distanced from the prevailing discourses of the EU rights-based paradigm that conceptualizes privacy and data protection as fundamental rights.
Moreover, combined with the spread of American-style free data flow provisions that subject national data privacy measures restricting personal data transfers to strict trade law disciplines, the adoption of the TPP/CPTPP’s data protection provisions (which merely require a data protection framework in place, without regard to its effectiveness) can implicitly lead third countries to further prioritize trade liberalization over data privacy protection.172
Secondly, the diffusion of TPP/CPTPP-style data protection provisions can function to preserve and safeguard the legitimacy of the U.S. data privacy regime in global data governance discourses, while countering the EU’s lead in establishing data protection standards worldwide.
As will be detailed later, many countries’ data privacy laws have increasingly followed the EU model, making the U.S. data privacy regime a glaring exception.173 While the extensive dissemination of EU data privacy norms heightens Europe’s influence in setting global privacy standards,174 the spread of TPP/CPTPP-style data protection provisions makes a growing number of treaty parties recognize a sectoral data privacy regime (exemplified by the U.S. approach) as a valid and legitimate alternative to comprehensive data protection laws. This can help to foster a more positive perception of the U.S. data privacy paradigm and enhance its credibility as a minority approach at least in the trade realm.
In this regard, the 2016 SAFTA, 2018 USMCA, 2019 US–Japan DTA, 2020 SADEA, 2020 UK–Japan CEPA, 2020 DEPA, and 2022 KSDPA have replicated almost verbatim the U.S.-drafted footnote, recognizing that a data protection framework can be implemented through sectoral privacy laws or laws that provide for business self-regulation (as with a comprehensive data privacy regime).175 With more treaty parties endorsing the U.S. data privacy approach, its legitimacy can be solidified and boosted in the international regulatory arena, thus helping to mitigate or neutralize the EU’s influence as a global rule-maker on data privacy protection.
Thirdly, in tandem with the diffusion of these data protection provisions, the U.S. strived to use the CBPR system as a model to establish a global accountability mechanism to bridge divergent national data privacy regimes, while shifting the focus of international data privacy governance towards the notions of ‘interoperability’ and ‘accountability’.176
Through the implementation of CBPR, the U.S. can create an institutional interface between its data privacy regime and EU-style national data protection laws, enabling free data flows under relatively lax data protection standards. As will be detailed later, with the global diffusion of EU data protection norms, many national data protection laws have adopted the ‘adequacy’ principle, which permits unrestricted outbound transfers of personal data only when a third country’s level of data protection is considered as equivalent to that of the original country.177 Absent a widely accepted substantive definition of ‘adequacy’ or a uniform process to determine it, however, different countries may interpret and apply the ‘adequacy’ principle differently, reflecting their own national agendas.178 From a trade-oriented perspective, the splintering of ‘adequacy’ decisions among different countries can significantly limit cross-border personal data transfers and result in a complex regulatory environment for transnational companies to navigate, creating considerable trade barriers and compliance costs.179
In particular, the U.S. is not known for high-standard data privacy laws. From the perspective of the EU, the American data privacy regime has long been insufficient due to its primary reliance on a sector-by-sector approach to protect data privacy, the lack of independent data protection authorities, and the implementation of pervasive intelligence surveillance programmes (as revealed by the Snowden leaks).180 Had these EU-inspired countries followed suit in their own ‘adequacy’ assessments, cross-border data flows to the U.S. market would be imperilled.
As the accountability mechanism that the U.S. has favoured the most thus far, the CBPR system (along with the associated PRP system) is a concretization of the mechanisms referenced by the TPP, CPTPP, and USMCA to promote ‘compatibility’ or ‘interoperability’ among different national data privacy regimes.181 Though CBPR by no means replaces or changes a state’s domestic laws or regulations,182 it can provide an institutional route to allow certified companies to transfer personal data among participatory jurisdictions under relatively loose standards of data protection. In this way, the CBPR system can circumvent the country-level ‘adequacy’ determinations, similar to the EU–U.S. Data Privacy Framework (and its predecessors). With an economic approach to data protection featuring a prominent role for business self-regulation, CBPR aligns with the U.S. data privacy regime and can help to transplant the U.S. model of data governance to its trade partners and beyond.
To be clear, EU data protection law has also established its accountability mechanisms, including Standard Contractual Clauses, Binding Corporate Rules, and other institutional equivalents under the GDPR.183 Designed to implement stringent and rigorous EU data protection standards at an organisational level,184 these mechanisms, however, are relatively inflexible, complicated, and costly for companies to use.185 In comparison, the CBPR system may lower transaction costs, alleviate administrative burdens, and smooth the process for businesses to export personal data.186
These aspects explain why the U.S. has been consistently promoting CBPR in the international regulatory arena as a ‘model for global interoperability among privacy regimes’,187 as well as a better approach to regulating transborder personal data flows than the GDPR.188 As noted earlier, more recently, the Global CBPR Forum—led by the U.S.—sought to upgrade the APEC CBPR and PRP systems from a regional accountability mechanism to a global standard for cross-border personal data transfers. Allied with other like-minded countries, the U.S. has thus pushed for a multilateral accountability framework on its preferred terms189 in order to enable global free flows of personal data in ways aligned with its data privacy regime.
That said, it remains to be seen how many governments and companies will join. Currently, 9 out of 21 APEC economies—the U.S., Canada, Japan, Korea, Singapore, the Philippines, Chinese Taipei, Mexico, and Australia—have participated in the APEC CBPR system, and only the U.S. and Singapore have joined the APEC PRP system.190 These economies have also participated in the Global CBPR Forum, which is open to non-APEC jurisdictions that accept its goals and principles.191 In addition, the Bermuda Privacy Commissioner has recognized the APEC CBPR system as a valid certification mechanism to transfer personal data abroad, holding that this system provides an equivalent level of protection to its data protection law.192 Though its relatively slow adoption by firms has led to claims that it is ‘underperforming’ compared with the GDPR,193 the CBPR system opens a door for certified companies to freely transfer personal data among participatory economies, providing an institutional alternative to facilitate regional commerce flows.
IV. Invoking the free data flow provisions to scrutinize national data protection laws that restrict cross-border personal data transfers
This section proceeds to analyse the inherent legal tensions between the TPP/CPTPP-style digital trade rules that numerous countries have adopted in their PTAs and the national data privacy regulations modelled on EU data protection law. These tensions are vividly demonstrated through the application of U.S.-designed free data flow provisions to scrutinize GDPR-inspired national data privacy regulations restricting cross-border personal data transfers.
A. National data protection laws that adopt the EU’s ‘adequacy’ standard to regulate cross-border transfers of personal data
While U.S.-formulated digital trade rules have become an influential set of international standards in the international trade regime, it is worth noting another important trend of norm diffusion, where third countries have been increasingly converging on a competing paradigm—the EU data protection regime. In the realm of privacy and data protection, the EU’s GDPR has established an international benchmark for most countries with data privacy laws.194 This profound phenomenon is the result of several important causal mechanisms. These include the ‘Brussels Effect’ to cause ‘unilateral regulatory globalization’,195 the EU’s strategic use of ‘adequacy’ negotiations (either independently or in parallel with PTA negotiations) and the normative appeal of EU standards.196
According to a census by Graham Greenleaf, there were more than 160 data privacy laws in early 2023, the majority of which follow the EU model (featuring comprehensive, high-standard data protection rules and dedicated data protection authorities).197 Dating back to the mid-1990s, when the Data Protection Directive 95/46/EC was adopted, the diffusion of EU data privacy law has persisted to the present and has been significantly accelerated more recently by the GDPR.198 As EU-style data protection laws have widely spread among third countries and are increasingly accepted as the de facto international standard, many foreign governments have embraced the EU’s ‘adequacy’ standard to regulate cross-border data flows. According to Chander and Schwartz’s 2023 empirical data, 65 non-EU countries have adopted EU-style adequacy requirements to regulate outbound transfers of personal data, though with variations in implementation practices.199 Questions arise as to whether, and to what extent, such third countries’ privacy-based regulatory restrictions on cross-border data flows (largely created by the adequacy standard) may conflict with their commitments to free data flows under the aforementioned PTAs.
For example, the data privacy laws of Japan, New Zealand, and Peru allow transfers of personal data to a third country only if the latter jurisdiction provides an ‘equivalent’, ‘comparable’, or ‘adequate’ level of data protection, unless other grounds of exceptions are met.200 Meanwhile, as parties to the CPTPP and/or TPP/CPTPP-inspired PTAs, they have also committed to ensuring unrestricted cross-border transfers of information (including personal data). As PTAs are often equipped with mandatory state-to-state adjudication mechanisms to enforce binding treaty obligations, such countries’ privacy-based data transfer restrictions may be challenged as violative of the free data flow provisions before an international trade tribunal.
In a hypothetical case, the analysis below focuses on Japan’s data protection law and examines the legality of a GDPR-style ‘adequacy’ standard under the digital trade rules of the CPTPP and US–Japan DTA.201 As Japan is a representative jurisdiction that has adopted US-designed PTA provisions and an adequacy standard modelled on the GDPR, this case study can be instructive for understanding the legal tensions between the U.S. and EU models to regulate cross-border personal data transfers.
Under Japan’s amended Act on the Protection of Personal Information (APPI), cross-border transfers of personal data to an overseas third party are allowed only if the data operator obtains the data subject’s prior informed consent (separate from the consent required for processing personal data).202 Nevertheless, there are three exceptions to this general rule. First, outbound transfers of personal data may occur if the recipient country provides a level of data protection that is recognized by the Personal Information Protection Commission (PPC) as equivalent to Japan’s standards (‘equivalency standard or assessment’).203 The second exception applies when the domestic data exporter and overseas importer implement measures to ensure an equivalent level of protection to that under Japanese law (‘equivalent measures’).204 As clarified by the PPC’s Guidelines for the APPI on cross-border personal data transfers, such equivalent measures include contracts (eg, data transfer agreements), other forms of binding agreements, and binding arrangements within a corporate group.205 Alternatively, this standard of protection can be met by a certification under the APEC CBPR system, which is a PPC-recognized mechanism of an international framework on personal data protection.206 This means that CBPR-certified companies are recognized by the PPC as having satisfied Japan’s data protection standards. When relying on these ‘equivalent measures’, the data exporter also must continuously ensure the overseas importer complies with its obligations.207 Thirdly, exports of personal data are also allowed if seven enumerated grounds of derogations are met.208
In essence, the country-wide ‘equivalency standard’ under the APPI is a functional counterpart of the GDPR’s adequacy standard. A pillar of EU data protection law, the adequacy principle purports to ensure that EU data protection standards are not compromised by outbound transfers of personal data.209 As a geographically based regulatory approach, the adequacy or equivalency standard regulates cross-border data flows based on the level of data protection in the recipient jurisdiction.210 Currently, only countries in the European Economic Area (EEA) and the UK (a former EEA member) are on Japan’s whitelist of the equivalency assessments and, hence, can enjoy unrestricted flows of personal data from Japan without taking additional legal safeguards.211 Business operators (including data controllers and processors) from other countries must rely on alternative mechanisms (such as contractual safeguards or consent) to transfer personal data outside of Japan, and thus would incur additional compliance and administrative costs. Thus, such restrictions on personal data transfers to countries outside the EEA and the UK would contravene the free data flow provisions of the CPTPP and U.S.–Japan DTA, which require states to ensure unrestricted cross-border transfers of personal data ‘for the conduct of the business’.212 The question, then, becomes whether, and to what extent, such data transfer restrictions can be justified under the public policy exceptions of the treaty.
In the exception clauses of the free data flow provisions, the term ‘legitimate public policy objectives’ remains undefined and seems ambiguous. But privacy and personal data protection should fall within the scope of this notion. This is because (i) these interests or values are among the public policy goals most affected by cross-border data flows;213 (ii) the data protection provisions of the TPP and CPTPP recognize the importance of personal data protection for e-commerce flows and require a state to adopt a data protection framework;214 and (iii) Article XIV(c)(ii) of GATS (on which the TPP/CPTPP public policy exceptions are based) has explicitly referred to data privacy protection.215 Nevertheless, Japan’s equivalency standard may fail to satisfy the stringent chapeau and necessity requirements of the public policy exceptions.
B. The chapeau requirements
As noted earlier, the wording of the public policy exceptions of the free data flow provisions bears a strong resemblance to that of Article XIV(a)–(c) of the GATS.216 Given that the free data flow provisions have yet to be tested in practice, the well-established WTO jurisprudence that has extensively interpreted GATS general exceptions can shed light on the meaning of the public policy exceptions and guide international trade adjudicators’ decision-making.
As construed by WTO adjudicators, the chapeau test requires a challenged measure to be applied consistently in practice so as to prevent abuse or misuse of the general exceptions to undermine the WTO’s substantive rules.217 As construed by commentators, a party must not ‘single out one state or another for tougher application of extraterritorial provisions found in its data privacy law’ where like circumstances prevail.218 Neither can it maintain exceptions to its disputed measures for particular countries (but not for others) or establish standards that ‘are not applied consistently to each country from day to day’.219 When inconsistency in the application of a measure is found, WTO adjudicators have focused primarily on whether the discrimination has a legitimate cause or rationale, in light of the objectives listed in the general exceptions, in order to analyse if the discrimination is arbitrary or unjustifiable.220
For instance, in the US—Shrimp case, the WTO Appellate Body assessed the following factors when analysing the cause or rationale of the discrimination, and found that, inconsistent with the chapeau requirements, the U.S. import ban on shrimp and shrimp products conditioned market access on exporting countries’ adoption of ‘essentially the same’ policies and practices as the U.S. counterpart.221 According to the adjudicators, the contested measure contained a ‘rigid and unbending’ standard that constituted ‘arbitrary discrimination’, since it required other exporting countries to adopt a comprehensive regulatory programme on shrimp harvesting that was ‘essentially the same’ as the US domestic programme (rather than ‘comparable in effectiveness’ to it), without examining the ‘appropriateness of that program for the conditions prevailing in (those) countries’.222 In addition, the Appellate Body also emphasized the fact that the U.S. negotiated with some WTO members (but not with others) over a bilateral or multilateral regulatory solution before imposing the import ban, despite the challenged measure directing it to do so immediately.223 As held by the adjudicators, this failure of the U.S. to negotiate seriously with other shrimp-exporting WTO members evinced the unilateral character of the application of the measure, further confirming its discriminatory and unjustifiable nature.224
When assessed against these criteria, Japan’s equivalency standard may fall short of the chapeau requirements. First, while country-based equivalency assessments, appropriate safeguards (including the CBPR system), and data subjects’ consent are all treated by Article 24 of APPI as providing sufficient protection for cross-border personal data flows, the levels of protection afforded by each mechanism are different, which can signal inconsistency in the application of Japan’s regulatory framework.225 Comparatively speaking, GDPR-style equivalency assessments may be the most stringent standard applied to safeguard personal data, but the CBPR system implements a lower level of data protection. The consent mechanism, while indicating an individual’s willingness to transfer data, does not inherently enhance the level of data protection in a recipient country, thus casting doubt on its effectiveness in protecting personal data in practice.226 Thus, though aimed at affording a high level of protection to transborder data flows, the APPI arguably has not consistently applied data protection standards across different data transfer mechanisms.
Moreover, in the eyes of trade adjudicators, Japan’s equivalency requirements that condition free data flows on a third country’s provision of ‘essentially the same’ level of data protection as that of Japan may be ‘rigid and unbending’.227 While the availability of alternative transfer mechanisms (eg, contractual safeguards, consent) makes the equivalency standard appear more flexible and less rigid,228 the fact that only EEA countries and the UK have satisfied the equivalency requirements may suggest that the level of protection required by Japan is too demanding to achieve for most other countries, many of which have also followed the European model of data privacy law. The starkly unbalanced ratio between the ‘adequate’ and ‘inadequate’ countries also seems at odds with the PTA provisions on data protection, which permit states to adopt different regulatory approaches to protect personal data (including sector-specific privacy laws and business self-regulation).229 Following the analytical guidance of the US—Shrimp case, adjudicators may consider this rigidity and inflexibility of Japan’s equivalency requirements as constituting ‘arbitrary discrimination’.
Further, Japan arguably did not seriously negotiate restrictions on cross-border personal data transfers with most of its trade partners, but rather unilaterally adopted such restrictions on these countries in domestic law.230 While Japan reached a mutual adequacy decision with the EU (which covered the UK) in January 2019 following their bilateral negotiations, there is no indication that Japan has negotiated with other trade partners on the equivalency determinations.231 Though initiating negotiations does not guarantee an equivalency decision, Japan—when launching the process to determine whitelist countries exempted from data transfer restrictions—arguably has maintained exceptions or more favourable treatment for EEA countries and the UK, but not for the rest of its trade partners (including many countries with an EU-style comprehensive data privacy regime, particularly those recognized as ‘adequate’ by the EU). This inconsistency in applying the equivalency standard can be seen as difficult to reconcile with the acclaimed goal of high-standard personal data protection. In light of the reasoning in the US—Shrimp decision, such discrimination is likely to be regarded as arbitrary or unjustified.
C. The necessity requirements
In WTO adjudication, the determination on the ‘necessity’ condition generally requires a ‘weighing and balancing’ (ie, a proportionality test) of the contribution of the contested measure to the objective pursued with the trade-restrictiveness of the measure, in light of the relative importance of the said policy goal.232 On a continuum between ‘making a contribution to’ and ‘indispensable’, ‘necessity’ is understood as being significantly closer to the latter.233 To satisfy the ‘necessity’ requirements, an impugned measure’s contribution to its stated objective should be sufficiently strong, while minimizing restrictions on international trade.234 In addition, the more important the pursued interest or value is, the heavier it weighs in the overall assessment.235
When determining the ‘necessity’ requirements, WTO adjudicators also consider if a less trade-restrictive alternative measure is ‘reasonably available’ (ie, the ‘less trade restrictive’ test)236 by comparing the contested measure with possible alternatives in light of the importance of the interests or values at stake.237 A ‘reasonably available’ alternative measure should be capable of achieving the respondent state’s desired level of protection on the stated objective, without imposing prohibitive costs or substantial technical difficulties.238 A finding of such an alternative measure would rebut a case for ‘necessity’.
Evaluated under these legal criteria, Japan’s equivalency requirements may impose greater restrictions on cross-border personal data transfers than necessary for data privacy protection.
(a) The proportionality test
Under the proportionality test, the equivalency standard’s contribution to the policy goal of data privacy protection would be significantly undermined by two important factors.
First, the relative strength of the equivalency assessments (as a higher protection standard) in contributing to data privacy protection may be weakened by the consent mechanism and CBPR system (each of which yields a lower level of protection), since data operators can easily circumvent the equivalency standard by utilizing the latter two options to transfer personal data abroad.239 In fact, the divergent levels of protection afforded by different data transfer mechanisms (each recognized by the APPI as sufficient) undercut the claim that a particular mechanism (ie, the equivalency standard) is ‘indispensable’ to achieving high-standard data privacy protection; rather, they suggest that the nexus between this measure and the objective pursued is closer to ‘making a contribution to’ than otherwise.
In addition, it bears noting that even the EU’s adequacy standard has long been criticized for several flaws. For instance, an adequacy determination often takes a lengthy and cumbersome process; in case of data breaches abroad, the enforcement of EU data subjects’ rights by European data protection authorities can be difficult and burdensome; adequacy decisions, in themselves, typically do not provide strong protection for onward transfers of EU personal data to other countries; and political factors may occasionally play a role in the EU’s adequacy determination.240 To the extent that Japan’s equivalency process manifests similar inadequacies, the relative strength of this standard in achieving a high level of data protection would be further compromised.
Secondly, though capable of evaluating a third country’s data protection framework at a given time, it is unclear whether Japan’s equivalency standard, as it currently stands, has effective mechanisms to ensure that a whitelisted country will maintain the same level of protection for the duration of an equivalency decision.241 In that regard, even the GDPR’s requirements to conduct periodic reviews of adequacy decisions at least every 4 years are criticized as ‘simply not frequent enough in the fast-paced environment of the digital age’.242 For Japan, this weakness in the institutional design can make it difficult for the PPC to continuously assess a whitelisted country’s level of data protection and to adjust protective measures accordingly where circumstances change, thus undermining the contribution of the equivalency process to a purported high level of protection.
While the importance of the public policy interests or values at issue can make it easier for the contested measure to satisfy the ‘necessity’ criterion, the weight of this factor in the proportionality assessment can be substantially qualified and mitigated by the CPTPP’s instrumental approach to data privacy protection. To be clear, trade adjudicators may recognize privacy and data protection as an important ‘legitimate public policy objective’ for cross-border data flows.243 Nevertheless, under an economic approach to personal data protection, data privacy is conceptualized as an ancillary value subordinated to the primary interests of trade, and data subjects are framed essentially as consumers in the marketplace.244 Such implicit cognitive assumptions inherent in the CPTPP data protection provision would make the interests of privacy and data protection less important than they are under EU model provisions (that frame them as fundamental rights), thus significantly curtailing the relative weight of this factor in the proportionality assessment.
Compared with the CPTPP, the U.S.–Japan DTA may lead trade adjudicators to accord even less weight to the importance of data privacy protection, resulting in a more stringent cost–benefit analysis to closely balance the contribution of a measure against its trade-restrictiveness. Though modelled on the TPP/CPTPP template, this treaty’s data protection provision omitted the recognition of the ‘economic and societal interests’ of personal data protection,245 arguably suggesting that the parties intended to downplay the importance of data privacy protection.246 Additionally, the data protection provision also added a recognition that any restrictions on cross-border personal data flows must be ‘necessary and proportionate to the risks presented’.247 Aimed at preventing regulations that unduly restrict trade, this new clause may suggest a more searching examination of the nexus between the measure and its goal(s), arguably leaving less leeway for a state to regulate data privacy.248 Also, this treaty’s free data flow provision removed the reference to a state’s sovereign right to regulate cross-border data flows.249 Combined, these textual differences may necessitate a more exacting and rigid proportionality assessment, making it more difficult to justify Japan’s data transfer restrictions than under the CPTPP.
In addition to offering less weight to the interests or values of data privacy protection, this more stringent proportionality test may require a more granular, risk-based regulatory approach that carefully calibrates trade restrictiveness in accordance with the severity of the risks involved (which can vary based on the specifics about the data or data transfers). Nevertheless, the country-based equivalency standard may fail to satisfy the latter requirements, since it typically makes a blanket decision as to whether a recipient country’s data protection is sufficient or not and applies the same restrictive approach to any ‘personal data’ to be transferred to that jurisdiction (without regard to the sensitivity of the data or the context of the transfers).250 Therefore, trade adjudicators applying the U.S.–Japan DTA are more likely to conclude that the trade restrictions imposed by Japan’s equivalency assessments exceed what is necessary or required to protect data privacy, thus declining the affirmative defence based on the public policy exceptions.
(b) The ‘less trade restrictive’ test
In addition to potentially failing the proportionality assessment, Japan’s equivalency standard may also not fulfil the requirements of the ‘less trade restrictive’ test. This is because adjudicators could consider the APEC Privacy Framework and CBPR system as a ‘reasonably available’ alternative to achieve the same level of protection for personal data.
While the CPTPP’s e-commerce chapter does not explicitly refer to the APEC Privacy Framework, all 21 APEC economies (including all parties to the CPTPP) have endorsed this Framework since November 2004.251 In addition, Japan’s Guidelines for the APPI have explicitly recognized the APEC CBPR system as an acceptable international framework for firms to rely on for cross-border personal data transfers.252 These facts may indicate that the CBPR mechanism and APEC Privacy Framework (that CBPR seeks to implement) are regarded by the PPC as providing an equivalent level of data protection to that under Japanese law. As detailed earlier, the APEC Privacy Framework and CBPR system, representing an instrumental approach to data protection and primarily focused on minimizing restrictions on cross-border data flows, may incur lesser compliance costs and administrative burdens for companies to transfer personal data abroad compared to EU standards.253 In the view of trade adjudicators, the APEC Privacy Framework and CBPR system may thus constitute a ‘reasonably available’ alternative that can achieve the same level of protection and is ‘less trade restrictive’ than the more burdensome and costly equivalency assessments.254
As a counter-argument, it can be asserted that if a respondent state (that had neither joined the CBPR system nor incorporated it into domestic law) committed to a high level of data protection, then the APEC Privacy Framework or CBPR would be unable to achieve the desired level of protection under the ‘less trade restrictive’ test. Nevertheless, the CPTPP’s instrumental approach to data privacy protection can, again, significantly diminish the importance of privacy and data protection in the eyes of trade adjudicators. Additionally, since the TPP/CPTPP template permits parties to take different legal approaches to protecting personal data,255 trade adjudicators may infer that self-regulatory frameworks are capable of achieving an equivalent level of data protection to EU-style comprehensive data protection laws. In that regard, they may also find support in Christopher Kuner’s argument that an accountability approach can be more efficient and provide more effective protection for cross-border data flows than the EU’s adequacy standard.256 This position can be further bolstered by Kenneth A Bamberger and Deirdre K Mulligan’s empirical study, arguing that the U.S. data privacy regime actually operated much more effectively ‘on the ground’ than it was typically assumed—despite not being very comprehensive ‘on the books’.257 Accordingly, adjudicators may conclude that self-regulatory mechanisms and the accountability approach can, similar to the EU-style adequacy standard, achieve a state’s aspired level of protection for personal data flowing across borders.
V. Conclusions
With starkly different data privacy regimes, the U.S. and the EU have long been unable to reach an international trade agreement to regulate cross-border data flows.258 While they have concluded sui generis agreements (ie, the Safe Harbour, Privacy Shield, and Data Privacy Framework) to bridge their internal data privacy regimes and ensure transatlantic personal data flows,259 neither has negotiated a similar institution with the vast majority of other countries.260 Rather, in a bid to shape the global regulatory landscape in their own images, the U.S. and the EU have been engaged in a race to establish their preferred regulatory approaches as the international standard for other countries to follow.
Driven by its digital trade agenda, the U.S. has been deploying new-generation PTAs to shape digital trade rulemaking processes on its preferred terms (at least until very recently), thus anchoring and refining the governance of cross-border data flows in the international trade regime. This trade-based regulatory approach consists of three major normative components: (i) strong protection of transborder data flows through binding and enforceable trade rules, (ii) public policy exceptions to justify national data transfer restrictive measures under relatively stringent conditions, and (iii) an instrumental approach to personal data protection (featuring a prominent role for business self-regulation and a lower level of protection than EU data protection law). Largely formulated by the U.S. as a template to regulate digital trade and beyond, such prescriptive norms and regulatory solutions have crystallized in the TPP, CPTPP, and USMCA. Widely viewed as an advanced model to regulate the digital economy, U.S.-designed digital trade rules have been increasingly adopted or emulated in other PTAs, demonstrating a prominent ‘norm diffusion’ effect. In this way, the U.S. has managed to use PTAs to reshape international trade law, while exporting these rules to expand its regulatory sphere of influence.
For all its prominent influence on international trade rulemaking, this ‘neo-liberal’ approach to regulating cross-border data flows is far from the only model in the trade realm. Most notably, the EU has developed its own model of trade rules to promote transborder data flows in ways aligned with its high-standard GDPR, while pushing and pulling its trade partners to incorporate this template into new-generation trade pacts.
While the number of TPP/CPTPP-inspired trade agreements far exceeds that of PTAs incorporating EU model provisions thus far, the EU template still constitutes a minority trade approach to cross-border data flows and provides an alternative to the U.S. model of digital trade rules. More importantly, as EU data protection norms have widely diffused among third countries, many foreign governments have adopted or emulated EU-style adequacy standards to regulate cross-border personal data transfers. As a notable example of the ‘Brussels Effect’, EU data privacy law has long played an indispensable role in shaping other countries’ regulatory environments for personal data protection and transborder data flows, a fait accompli that appears difficult to reverse solely through the spread of U.S.-designed digital trade rules.
Nevertheless, countries that have adopted both American-style digital trade rules and GDPR-inspired adequacy standards may be caught between trade law obligations that prioritize free data flows and a data protection principle designed to prevent unrestricted data exports from undermining high-standard data privacy rules. In the eyes of international trade adjudicators, national data privacy regulations modelled on the GDPR’s adequacy standard are likely to violate U.S.-designed free data flow provisions, and it can be difficult to justify their legitimacy under the public policy exceptions. If this scenario unfolds, a third country’s trade law commitments can substantially restrict its sovereign autonomy to regulate data privacy and choose a desired level of protection for exported personal data, demonstrating the ‘bounded rationality’ in trade rulemaking. Although this article’s case study focuses on Japan, the same conclusion may also apply to other countries embracing both the TPP/CPTPP template and EU-style data protection law.
Overall, it seems that the U.S. and the EU have met their own match when attempting to set international standards to regulate transborder personal data flows, as neither holds uncontested dominance in attaining that goal, largely due to challenges posed by the other’s competing approach. While EU-style adequacy standards (along with substantive data protection principles) have been increasingly followed by national data privacy laws, U.S.-designed digital trade rules have played a prominent role in shaping the international trade regime, with multiple countries falling into their regulatory spheres of influence concurrently. For many third countries, just as the diffusion of the U.S. template of liberalized trade rules has not precluded them from following EU data privacy law as a regulatory model, their GDPR-inspired adequacy standards fail to hold back their adoption of American-style free data flow provisions that prioritize trade over privacy, and which can be invoked to challenge their data privacy regulations restricting cross-border data flows.
In the global regulatory arena, the reconciliation between U.S.-designed digital trade rules and GDPR-style data privacy laws may present considerable challenges and difficulties, and the emerging legal standards to regulate transborder personal data flows are increasingly caught between these two different regulatory models, with many countries signing up to both approaches without fully contemplating the legal risks involved. In essence, the co-existence of the U.S. and EU models and the inherent legal tensions arising between them reflect the ongoing U.S.–EU regulatory contest to shape global data governance based on their interests and values, while expanding their respective regulatory spheres of influence by attracting other countries to adopt their approaches. In this context, treaty negotiators, legislators, and regulatory authorities of third countries should better align their trade and data privacy approaches, carefully examine the legal risks generated by norm diffusion or legal transplant, and develop a more integrated approach to coordinate and reconcile their trade rules and data protection laws.
Footnotes
Susan A Aaronson and Patrick Leblond, ‘Another Digital Divide: The Rise of Data Realms and Its Implications for the WTO’ (2018) 21 J Int’l Econ L 245, 246.
Regulation 2016/679, art 45, 2016 OJ (L 119) [‘GDPR’].
See eg, Cybersecurity Law of the People’s Republic of China (issued on 7 November 2016 and effective on 1 June 2017), art 37; Personal Information Protection Law of the People’s Republic of China (issued on 20 August 2021, effective on 1 November 2021), arts 38, 40.
See Anu Bradford, Digital Empires: The Global Battle to Regulate Technology (OUP 2023) Introduction; Anu Bradford and Eric Posner, ‘Universal Exceptionalism in International Law’ (2011) 52 Harv Int’l L J 1, 3, 44.
David Lawder, US Drops Digital Trade Demands at WTO to Allow Room for Stronger Tech Regulation (Reuters 2023) <https://www.reuters.com/world/us/us-drops-digital-trade-demands-wto-allow-room-stronger-tech-regulation-2023-10-25/> accessed 8 December 2024 (noting that the United States Trade Representative (USTR) withdrew its previous proposals of digital trade rules to allow free cross-border data flows and discipline data localization measures, in order to make sufficient domestic policy space for stronger regulation over big tech firms). See City Columbia, ‘The US Reversal on Digital Trade Policy: Implications for Global Digital Governance’ YouTube (17 November 2023) 34′40–34′51 <https://www-youtube-com-443.vpnm.ccmu.edu.cn/watch?v=U7pXGK8i4l4> accessed 8 December 2024 (according to Jonathan McHale, ‘the only possible explanation (for the shift in U.S. digital trade policy) is that it is a narrow, a particular agency agenda that is basically hijacking broader US policy interests’). See also White and Case, New Executive Order Seeks to Protect Americans’ Sensitive Personal Data (March 4, 2024) <https://www.whitecase.com/insight-alert/new-executive-order-seeks-protect-americans-sensitive-personal-data> accessed 8 December 2024 (noting that the USTR’s recent ‘reversal has prompted fierce debate in Washington, but the extent to which it represents a meaningful change of direction for the United States remains unclear’).
In this sense, even the USA still needs to properly address these existing treaty commitments and be mindful of their potential backfire, despite the recent shift of its approach to digital trade rulemaking.
Meredith Broadbent, USTR Upends U.S. Negotiating Position on Cross-Border Data Flows (CSIS 2023) <https://www.csis.org/analysis/ustr-upends-us-negotiating-position-cross-border-data-flows> accessed 8 December 2024 (noting that US trade partners and close allies—Japan, Australia, Singapore—have been leading the current plurilateral trade negotiations of the Joint Statement Initiative on E-Commerce within the WTO framework; alongside other likeminded countries, these countries have been continuously pushing for US-formulated digital trade rules, though the USA has been at odds with them since October 2023).
For a detailed analysis, see ‘National Data Protection Laws that adopt the EU’s “Adequacy” standard to regulate cross-border transfers of personal data’ section.
There are numerous legal restrictions on transfers of personal data within the USA, whether through sector-specific federal laws or regulations, or new comprehensive data privacy laws at the state level. For instance, the Fair Credit Reporting Act and Gramm–Leach–Bliley Act restrict financial institutions from sharing their customers’ financial information unless they have provided customers with the required notice and the opportunity to opt-out of such sharing. The comprehensive data privacy laws of many states (including California, Colorado, Connecticut, Utah, and Virginia) consider the sharing of personal data with certain third parties a ‘sale’, and require covered ‘businesses’ to provide consumers with notice and the option to opt-out. See Dentons, US Data Transfers—Update (28 October 2022) <https://www.dentons.com/en/insights/articles/2022/october/28/us-data-transfers> accessed 8 December 2024.
ibid. (noting a caveat that while US regulators (such as the FTC) ‘often posit that data may be exported freely’, applicable federal regulations (such as appropriate security measures) still apply to personal data after being exported). In addition, if a US company exports personal data that were transferred to the USA from Europe under the EU–US Safe Harbour, Privacy Shield, or Data Privacy Framework, it should comply with certain restrictions on ‘onward transfers’ of such data to a third jurisdiction. See eg, the EU–US Data Privacy Framework, Section II.3, Section III.10.
See eg, The White House, Executive Order on Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern (28 February 2024) <https://www.whitehouse.gov/briefing-room/presidential-actions/2024/02/28/executive-order-on-preventing-access-to-americans-bulk-sensitive-personal-data-and-united-states-government-related-data-by-countries-of-concern/> accessed 8 December 2024 [‘EO 14117’] (the Executive Order directs the Department of Justice to promulgate regulations to prohibit or restrict transactions involving transfer of Americans’ bulk sensitive personal data or US government-related data to ‘countries of concern’ (such as China), as the latter’s access to such data poses ‘an unacceptable risk’ to US national security).
Protecting Americans’ Data from Foreign Adversaries Act, H.R. 7520, 118th Cong s 2(a)–(b) (2024).
Even EO 14117 asserts that the USA remains committed to ‘promoting cross-border data flows required to enable international commerce and trade’, and prohibits general requirements to localize data storage or computing facilities within the USA. Rather, it states that the ‘national security restrictions established in this order are specific, carefully calibrated actions to minimize the risks associated with access to bulk sensitive personal data and United States Government-related data by countries of concern while minimizing disruption to commercial activity’. See EO 14117; The White House, Fact Sheet: President Biden Issues Executive Order to Protect Americans’ Sensitive Personal Data (28 February 2024) <https://www.whitehouse.gov/briefing-room/statements-releases/2024/02/28/fact-sheet-president-biden-issues-sweeping-executive-order-to-protect-americans-sensitive-personal-data/> accessed 8 December 2024 (when announcing EO 14117, the Biden administration claimed that the EO is consistent with ‘the US’ longstanding support for the trusted free flow of data’). This public endorsement of free data flow initiatives is noteworthy, given the USTR’s policy reversal on digital trade at the WTO in October 2023.
See Richard Steinberg, ‘In the Shadow of Law or Power? Consensus-Based Bargaining and Outcomes in the GATT/WTO’ (2002) 56 Int’l Organ 339, 354–56 (documenting the influence of the USA (along with the EU) in creating the WTO).
Anupam Chander and Paul M Schwartz, ‘Privacy and/or Trade’ (2023) 90 U Chicago L R 49, 87, 56, 69–70 (noting that the GATS ‘introduced, for the first time, services to the global trade rules’, and that using trade disciplines to regulate services aligns with the US’ interest as ‘a world leader in information services’).
Andrew Mitchell and Neha Mishra, ‘Regulating Cross-Border Data Flows in a Data-Driven World’ (2019) 22 J Int’l Econ L 389, 416.
Congressional Research Service, World Trade Organization: Overview and Future Direction (18 October 2021) 30, 35 <https://sgp.fas.org/crs/row/R45417.pdf> accessed 8 December 2024.
Mira Burri, ‘Creating Data Flow Rules Through Preferential Trade Agreements’ in Anupam Chander and Haochen Sun (eds), Data Sovereignty (OUP 2023) 264, 266.
Shamel Azmeh and Christopher Foster, ‘The International Trade Regime and the Quest for Free Digital Trade’ (2019) 22 Int’l Studies Rev 1, 13–16.
Thomas Streinz, ‘Digital Megaregulation Uncontested? TPP’s Model for the Global Digital Economy’ in Benedict Kingsbury and others (eds), Megaregulation Contested: Global Economic Ordering After TPP (OUP 2019) 314; USTR, The Digital Dozen (Washington DC, 1 May 2015) <https://ustr.gov/sites/default/files/USTR-The_Digital_Dozen.pdf> accessed 8 December 2024 (articulating these principles).
Streinz (n 20) 313.
See Neha Mishra, ‘The Role of the Trans-Pacific Partnership Agreement In the Internet Ecosystem: Uneasy Liaison or Synergistic Alliance?’ (2017) 20 J Int’l Econ L 31, 31; Chander and Schwartz (n 15) 87, 89.
Magdalena Słok-Wódkowska and Joanna Mazur, ‘Between Commodification and Data Protection: Regulatory Models Governing Cross-Border Information Transfers in Regional Trade Agreements’ (2004) 37 Leiden J Int’l L 111, 121. See CAFTA-DR, art 14.5(c). It is worth noting that while the 2000 US–Jordan FTA was the first PTA that dealt with cross-border data flows, it fell short of including an explicit provision to regulate this matter. Instead, its Joint Statement emphasized ‘the need to continue the free flow of information’. See Burri (n 18) 269; 2000 US–Jordan FTA, art 7 (electronic commerce); Joint Statement on Electronic Commerce.
CAFTA–DR, art 14.5(c).
Burri (n 18) 269. See KORUS, art 15.8.
Susan A Aaronson, The Digital Trade Imbalance and Its Implications for Internet Governance (February 2016) 8 <https://www.cigionline.org/sites/default/files/gcig_no25_web_0.pdf> accessed 8 December 2024 (arguing that the KORUS provision ‘does not forbid the use of such barriers, nor does it define necessary or unnecessary barriers’); Wódkowska and Mazur (n 23) 122 (noting that the CAFTA–DR provision lacks any enforceable obligation on the parties to undertake steps to ensure cross-border data flows and does not specify how such flows should be protected from a country’s regulatory interventions).
Azmeh and Foster (n 19) 13–16.
TPP, art 14.11.2 (emphasis added).
TPP, art 14.1.
TPP, art 14.13.2.
TPP, arts 14.11.1, 14.13.1.
See TPP, art 14.1. The provisions in the TPP’s e-commerce chapter apply to measures ‘that affect trade by electronic means’, except for those related to ‘government procurement’ or ‘information held or processed by or on behalf of a Party’. ibid., art. 14.2.2-3.
Streinz (n 20) 332.
ibid. See Anupam Chander, ‘Is Data Localization a Solution for Schrems II?’ (2020) 23 J Int’l Econ L 771, 772 (stating that ‘soft data localization’ refers to ‘a legal regime that puts pressure on companies to localize, not by directly requiring localization of data or processes, but by making alternatives legally risky and thus potentially unwise’, and arguing that the European Court of Justice’s Judgment Schrems II acts as a measure of ‘soft data localization’).
TPP, arts 14.11.3, 14.13.3.
Svetlana Yakovleva, ‘Testing Restrictions on Onward Transfers of EU Personal Data Against Free Data Flow Obligations in the CPTPP and US-Japan Digital Trade Agreement’ (2023) Amsterdam Law School Research Paper No 2023-20, 3 <https://papers.ssrn.com/sol3/papers.cfm?abstract_id=4423959> accessed 8 December 2024. Compare with GATS, art XIV(a)–(c); GATT, art XX(a) and (b).
Compare arts 14.11.3(a) and 14.13.3(a) of TPP with the chapeau of art XIV of GATS or art XX of GATT.
TPP, arts 14.11.3(b), 14.13.3(b).
Yakovleva (n 36) 3.
USMCA, arts 19.11, 19.12; compare with TPP, arts 14.11.1, 14.13.1.
USMCA, art 19.12; compare with TPP, art 14.12.
USMCA, art 19.11; compare with TPP, art 14.11.
USMCA, art 19.11, fn5.
Svetlana Yakovleva, ‘Privacy Protection(ism): The Latest Wave of Trade Constraints on Regulatory Autonomy’ (2020) 74 U Miami L Rev 416, 491.
Yakovleva (n 36) 33–34.
Raymond Gao, ‘A Battle of the Big Three?—Competing Conceptualizations of Personal Data Shaping Transnational Data Flows’ (2023) 22 Chinese J Int’l L 707, 732.
TPP, art 19.8.1.
Chander and Schwartz (n 15) 87–88; Yakovleva (n 44) 492.
TPP, art 14.8.2. See also TPP, art 14.7.2 (the requirements to adopt consumer protection laws).
Andrew D Mitchell and Jarrod Hepburn, ‘Don’t Fence Me in: Reforming Trade and Investment Law to Better Facilitate Cross-Border Data Transfer’ (2017) 19 Yale J L & Tech 182, 212.
TPP, art 14.8.2, 14.8.5.
Chander and Schwartz (n 15) 87.
TPP, art 14.8.2, fn 6.
Streinz (n 20) 334.
Chander and Schwartz (n 15) 85–86.
ibid, 86.
Joel R Reidenberg, ‘Resolving Conflicting International Data Privacy Rules in Cyberspace’ (1999) 52 Stanford L Rev 1315, 1331.
ibid.
Chander and Schwartz (n 15) 86–87.
Yakovleva (n 44) 492. See Svetlana Yakovleva, ‘Should Fundamental Rights to Privacy and Data Protection Be a Part of the EU’s International Trade “Deals”?’ (2018) 17 World Trade Rev 477, 484–487.
Yakovleva (n 60) 484–485.
Yakovleva (n 44) 507–508; ibid 478.
TPP, arts 14.8.3–4. (requiring states to ‘endeavour to adopt non-discriminatory practices in protecting personal data’ of e-commerce users and to publish information on personal data protection, including the requirements for individuals’ redress and corporate compliance, respectively).
TPP, art 14.8.5. Relatedly, under art 14.15 (Cooperation), the TPP directs the parties to ‘endeavour to… encourage development by the private sector of methods of self-regulation that foster electronic commerce, including codes of conduct, model contracts, guidelines and enforcement mechanisms’. See TPP, art 14.15(e).
Chander and Schwartz (n 15) 88.
The White House, Consumer Data Privacy in a Networked World (February 2012) 2, 7, 31 <https://obamawhitehouse.archives.gov/sites/default/files/privacy-final.pdf> accessed 8 December 2024. See ibid 2 (‘Improving Global Interoperability: The Administration’s framework embraces the goal of increased international interoperability as a means to provide consistent, low-barrier rules for personal data in the user-driven and decentralized Internet environment’).
USMCA, art 19.8.3 (emphasis added).
USMCA, art 19.8.2. See Burri (n 18) 274 (noting that the USMCA was the first US-led PTA that explicitly recognized key principles of data protection in the data protection provision).
USMCA, art 19.8.6. A provision titled ‘cooperation’ in the same chapter also urged the parties to ‘cooperate and maintain a dialogue on the promotion and development of mechanisms, including the APEC Cross-Border Privacy Rules, that further global interoperability of privacy regimes’. See ibid 19.14.1 (b).
Burri (n 18) 279–280 (noting this as ‘a key development’ as ‘USMCA may go beyond what the United States may have in its national laws’). See USMCA, art 19.8.3.
Yakovleva (n 60) 484–485.
Lee A Bygrave, Data Privacy Law: An International Perspective, vol 44 (OUP 2014) (‘According to Michael Kirby, who headed the Expert Group responsible for drafting the original Guidelines, the OECD’s work in the field was motivated primarily by economic concerns’); ibid 484.
OECD, Recommendation of the Council concerning Guidelines Governing the Protection of Privacy and Transborder Flows of Personal Data (2013) paras 7–14 <https://legalinstruments.oecd.org/public/doc/114/114.en.pdf> [‘2013 OECD Guidelines’].
Christopher Kuner, Transborder Data Flows and Data Privacy Laws 50 (OUP 2011). See APEC, APEC Privacy Framework 2015 (August 2017), para 9 <https://www.apec.org/publications/2017/08/apec-privacy-framework-(2015)> accessed 8 December 2024 [‘APEC Privacy Framework’].
APEC Privacy Framework (n 74), Preamble, para 5; para 1. See Bygrave (n 72) 75–76.
Bygrave (n 72) 76. See APEC Privacy Framework (n 74) paras 1–4.
Clare Sullivan, ‘EU GDPR or APEC CBPR?’ (2019) 35 Computer L & Security Rev 380, 389.
Bygrave (n 72) 76; Kuner (n 74) 51.
Kuner (n 74) 51; see APEC Privacy Framework (n 74) para 17.
Kuner (n 74) 51; see APEC Privacy Framework (n 74) paras 37–38.
Bygrave (n 72) 76; see APEC Privacy Framework (n 74) para 18.
Kuner (n 74) 76.
2013 OECD Guidelines (n 73) para 17 (emphasis added).
ibid para 16.
APEC Privacy Framework (n 74) para 32. Yakovleva (n 60) 485.
Kuner (n 74) 64, 71.
‘Accountability mechanisms’ refer to measures taken by firms at an organization level to provide privacy protection for international data transfers, making them ‘accountable’ for their processing of personal data. See Chander and Schwartz (n 15) 94–95, 98.
Department of Commerce, Data Protection in the Asia-Pacific Region and Cross-Border Privacy Rules (September 2021) <https://mddb.apec.org/Documents/2021/CTI/WKSP9/21_cti_wksp9_010.pdf> accessed 8 December 2024; Bygrave (n 72) 78.
APEC, APEC Cross-Border Privacy Rules System: Policies, Rules and Guidelines (November 2019) 4 <https://www.privacy.gov.ph/wp-content/uploads/2021/10/4.-CBPR-Policies-Rules-and-Guidelines-Revised-For-Posting-3-16-updated-1709-2019-1.pdf> accessed 8 December 2024 [‘APEC CBPR’].
ibid 8–10.
Based on 50 regulatory requirements to operationalize the APEC Privacy Framework, an accountability agent will assess and evaluate whether the company’s privacy policies and practices meet CBPR’s data privacy standards. ibid 4–5, 9–10.
ibid 10.
ibid 6, 10.
See Sullivan (n 77) 382 (noting that both the CBPR mechanism and EU–US Privacy Shield scheme require ‘acceptance at country level, followed by an independent certification process for the individual organization wishing to join…’).
APEC CBPR (n 89) 4–7.
Sullivan (n 77) 384 (noting that ‘the privacy enforcement authority doesn’t have to deal with the majority of complaints’ of data subjects). See Paul Schwartz, ‘Global Data Privacy: The EU Way’ (2019) 94 NYU L R 771, 797.
Centre for Information Policy Leadership, Cross Border Privacy Rules, Privacy Recognition for Processors, and Global CBPR and PRP (Hunton Andrews Kurth 2023) Q1. <https://www.informationpolicycentre.com/uploads/5/7/1/0/57104281/cipl_cbpr_prp_faq_updated_july23.pdf> accessed 8 December 2024 [‘CIPL’] (noting that the CBPR can be used for transfers of personal data among a corporate group, between unaffiliated companies, or to non-CBPR-certified companies).
Bygrave (n 72) 76; Kuner (n 74) 51.
Kuner (n 74) 72; Sullivan (n 77) 389–397 (comparing the aspects of data processing, data subject notice and consent, data controllers and processors, data protection and security, and data breaches).
Sullivan (n 77) 394–396. In fact, neither the APEC Framework nor CBPR programme requirements define the concept of ‘data breach’. See ibid 395.
ibid 394.
Andrei Gribakov, Cross-Border Privacy Rules in Asia: An Overview (Lawfare 2019) <https://www.lawfareblog.com/cross-border-privacy-rules-asia-overview> accessed 8 December 2024.
See GDPR, arts 45–47, 49.
Gribakov (n 102).
Burri (n 18) 267, 275.
Wódkowska and Mazur (n 23) 122.
ibid. See CAFTA–DR, art 14.5 (‘Recognizing the global nature of electronic commerce, the Parties affirm the importance of … (c) working to maintain cross-border flows of information as an essential element in fostering a vibrant environment for electronic commerce.’)
2006 Singapore–Panama PTA, art 13.4(c); 2006 Taiwan–Nicaragua PTA, art 14.05(c); 2007 US–Panama PTA, art 14.5(c); 2008 Canada–Peru PTA, art 1508; 2008 Canada–Colombia PTA, art 1507.1(c); 2011 Korea–Peru PTA, art 14.9(c); 2011 Central America–Mexico PTA, art 15.5(d); 2013 Colombia–Costa Rica PTA, art 16.7(1)(c); 2013 Canada–Honduras PTA, art 16.5(c); 2014 Pacific Alliance Additional Protocol, art 13.12(c); 2014 Mexico–Panama PTA, art 14.11(c); 2014 Canada–Korea PTA, art 13.7(c); 2015 Pacific Alliance Additional Protocol (amended), art 13.12(c); 2015 Japan–Mongolia PTA, art 9.12.5.
Costa Rica, Honduras, and Nicaragua were already parties to the CAFTA–DR, paving the way for them to accept this template in other PTAs.
According to this provision, the Parties ‘shall allow its persons and the persons of the other Party to transmit electronic information, to and from its territory, when required by said person, in accordance with the application of the legislation on the protection of personal data, and taking into consideration international practices’. See 2014 Mexico–Panama PTA, art 14.10 (translated into English).
Wódkowska and Mazur (n 23) 127.
ibid 125–126.
Burri (n 18) 270.
ibid. Note that the 2015 PAAP also contained a data localization provision very similar to the TPP provision, but it omitted the recognition of a sovereign right to regulate and the necessity test under the public policy exceptions. See 2015 PAAP (amended), arts 13.11; 13.11bis.
Compare TPP, art 14.11; CPTPP, art 14.11.
See the text accompanying notes 117 to 130.
2016 SAFTA (updated), ch 14, art 13; 2020 SADEA, art 23; 2020 DEPA, art 4.3; 2021 Australia–UK FTA, art 14.10; 2022 Pacific Alliance–Singapore FTA, art 13.14; 2022 New Zealand–UK FTA, art 15.14; 2022 UKSDEA, art. 8.61-F; 2022 KSDPA, art. 14.14; 2023 UKUDTA, art. 132-K. A caveat is that the DEPA parties understood that the provisions on free data flows and data localization do not create any rights or obligations under the treaty. See 2020 DEPA, Annex I. See also KSDPA’s art. 14.14.1 (with a different formulation to recognize a state’s sovereign right to regulate), fn14-7 (extending the free data flow rules to the financial services sector).
2016 Chile–Uruguay FTA, art 8.10; 2017 Argentina–Chile FTA, art 11.6; 2018 Singapore–Sri Lanka FTA, art 9.9; 2018 Australia–Peru FTA, art 13.11; 2018 Brazil–Chile FTA, art 10.12; 2019 Australia–Hong Kong FTA, art 11.7; 2020 Chile–Ecuador FTA, art 10.11; 2021 Chile–Paraguay FTA, art 7.11.
2019 Australia–Indonesia CEPA, art 13.11.
See the text accompanying notes 40, 42 to 46; 2018 USMCA, art 19.11 (footnote 5: ‘A measure does not meet the (necessity condition) if it accords different treatment to data transfers solely on the basis that they are cross-border in a manner that modifies the conditions of competition to the detriment of service suppliers of another Party’).
2019 US–Japan DTA, art 11 (footnote 9).
2020 UK–Japan CEPA, art 8.84; see 2023 Canada–Ukraine FTA, art 8.10.
2016 SAFTA, ch 14, art 15; 2020 SADEA, art 24; 2020 DEPA, art 4.4; 2021 Australia–UK FTA, art 14.11; 2022 Singapore–Pacific Alliance FTA, art 13.15; 2022 NZ–UK FTA, art 15.15; 2022 UKSDEA, art. 8.61-G; 2022 KSDPA, art. 14.15; 2023 UKUDTA, art. 132-L.
2018 USMCA, art 19.12; 2019 US–Japan DTA, art 12.
2020 UK–Japan CEPA, art 8.85; 2023 Canada–Ukraine FTA, art 8.11.
2016 Chile–Uruguay FTA, art 8.11; 2018 Singapore–Sri Lanka FTA, art 9.10; 2018 Australia–Peru FTA, art 13.12; 2018 Brazil–Chile FTA, art 10.13; 2019 Australia–Hong Kong FTA, art 11.8; 2020 Chile–Ecuador FTA, art 10.12; 2021 Chile–Paraguay FTA, art 7.12.
2019 Australia–Indonesia FTA, art 13.12. This provision also allowed parties to ‘promptly renew’ an existing localization measure, or to subsequently amend it to reduce its trade restrictiveness. See ibid art 13.12.2.
ibid art 13.12.3.
2017 Argentina–Chile FTA, art 11.7 (only recognizing the importance of the ban on data localization and pledging to exchange ‘best practices, experiences and existing regulatory frameworks’ regarding server localization).
RCEP, arts 12.15, 12.14.
RCEP, arts 12.15.3(a) (footnote 14), 12.14.3(a) (footnote 12) (‘the necessity behind the implementation of such legitimate public policy shall be decided by the implementing Party’, as long as ‘the measure is not applied in a manner which would constitute a means of arbitrary or unjustifiable discrimination or a disguised restriction on trade’) (emphasis added).
RCEP, arts 12.15.3(b), 12.14.3(b) (the free data flow provision shall not prevent a party from taking ‘any measure that it considers necessary for the protection of its essential security interests. Such measures shall not be disputed by other Parties’).
RCEP, art 12.17.
Oki Nagai, ‘Japan Teams with RCEP Allies to Push China on Data Free Flow’ (2020) Nikkei Asia <https://asia.nikkei.com/Economy/Trade/Japan-teams-with-RCEP-allies-to-push-China-on-data-free-flow> accessed 8 December 2024 (noting that such claims by China were supported by India before the latter’s withdrawal from the negotiations).
Gao (n 46) 785.
ibid 783–785; Joint Statement on Electronic Commerce, Communication from China, INF/ECOM/32, May 9, 2019.
2023 ASEAN–Australia–New Zealand FTA Second Protocol, ch 10, arts 17, 18, 20.
See Mira Burri, ‘Data Flows and Global Trade Law’ in Mira Burri (ed), Big Data and Global Trade Law (CAP 2021) 11, 33 (noting that ‘Singapore, Australia, Japan and Colombia have been among the major drivers of this diffusion (of the U.S. regulatory template)…’).
See Streinz (n 20) 337–341 (noting that ‘the push for TPP-style data governance provisions is sustained by a persistent win-win narrative surrounding “digital trade” and “electronic commerce”’).
For a detailed analysis of the causal mechanisms of ‘coercion’, ‘learning’, or ‘competition’ for policy or norm diffusion, see generally Frank Dobbin, Beth A Simmons, and Geoffrey Garrett, ‘The Global Diffusion of Public Policies: Social Construction, Coercion, Competition, or Learning’ (2007) 33 Annu Rev Sociol 449.
Among North–North PTAs, Australia–Hong Kong FTA is the only exception to this trend, as its public policy exceptions only specified the chapeau requirements. But it broadened the free data flow rule and the ban on data localization to cover financial data under qualified conditions. See 2019 Australia–Hong Kong FTA, arts 11.15, 11.7, 11.8.
Next to the RCEP, the Australia–Indonesia CEPA’s self-judging essential security exception also went far in securing states’ policy space. But an exception to this trend is the 2020 DEPA (to which Chile is a party).
Wódkowska and Mazur (n 23) 137. As an exception to this observation, the 2023 Canada–Ukraine FTA also closely followed the formulation of the 2020 UK–Japan FTA’s provisions on free data flows and data localization. See 2023 Canada–Ukraine FTA, arts 8.10, 8.11, 20.20.
Yakovleva (n 44) 492–493.
Burri (n 18) 288.
European Commission, Horizontal Provisions on Cross-Border Data Flows and Personal Data Protection (2018) <https://ec.europa.eu/newsroom/just/items/627665> accessed 8 December 2024.
ibid art A.
The measures on the list may be reviewed, reassessed, and updated subsequently by the parties. ibid.
ibid.
ibid art B(1)–(2).
ibid art B(2) (emphasis added).
Yakovleva (n 44) 495–496.
Wódkowska and Mazur (n 23) 128.
2023 EU–New Zealand FTA, arts 12.4, 12.5; 2023 EU–Chile FTA, arts 19.5, 19.6; 2023 EFTA–Moldova FTA, arts 5.11, 5.13 (a caveat: there is a self-judging essential security exception between Norway and Moldova under art 5.11 (cross-border data flows)).
2020 EU–UK Trade and Cooperation Agreement, arts 201, 202; 2021 Iceland–Liechtenstein–Norway–UK FTA, arts 4.11, 4.12; 2024 Protocol Amending the EU–Japan Economic Partnership Agreement, arts 8.81, 8.82. These treaties’ data protection provisions merely recognize ‘a right to the protection of personal data and privacy’, without considering it a fundamental right. Furthermore, rather than replicating the ‘self-judging’ exception for data privacy rules, these provisions stipulate that ‘(n)othing … shall prevent a Party from adopting or maintaining measures on the protection of personal data and privacy, including with respect to cross-border data transfers, provided that the law of the Party provides for instruments enabling transfers under conditions of general application for the protection of the data transferred.’ (emphasis added). However, the EU has considered the UK, Iceland, Liechtenstein, Norway, and Japan as providing an adequate level of data protection, and EU-style adequacy decisions may satisfy the italicized requirements as they apply horizontally to various sectors. Thus, the discrepancy between these provisions and the EU template becomes less important, since cross-border personal data transfers are still regulated by the adequacy standard.
The EU’s Proposal for the EU–Australia FTA, 10 October 2018, Digital Trade, arts 5–6; The EU’s Proposal for the EU–Indonesia FTA on Cross-Border Data Flows and Protection of Personal Data and Privacy, arts 1–2; The EU’s Proposal for the EU–Tunisia FTA, 9 November 2018, Digital Trade, arts 5–6; European Union, Joint Statement on Electronic Commerce: EU Proposal for WTO Disciplines and Commitments Relating to Electronic Commerce, WTO Doc INF/ECOM/22, 26 April 2019, 4.
TPP/CPTPP, art 14.8.
2016 SAFTA, art 9; 2018 Australia–Peru FTA, art 13.8; 2019 Australia–HK FTA, art 11.9; 2020 SADEA, art 17; 2020 DEPA, art 4.2; 2020 UK–Japan CEPA, art 8.80; 2021 Australia–UK FTA, art 14.12; 2022 New Zealand–UK FTA, art 15.13; 2022 UKSDEA, art 8.61-E; 2022 KSDPA, art 14.17; 2023 UKUDTA, art 132-J; 2023 Canada–Ukraine FTA, art 8.7 (with new clauses to protect personal data from the misuse by governments).
2020 SADEA, art 17.3; 2020 DEPA, art 4.2.3; 2021 Australia–UK FTA, art 14.12.2; 2022 New Zealand–UK FTA, art 15.13.3; 2022 UKSDEA, art 8.61-E.3; 2022 KSDPA, art 14.17.3; 2023 UKUDTA, art 132-J.3; 2023 Canada–Ukraine FTA, art 8.7.2. Compare with USMCA, art 19.8.2.
See 2017 Argentina–Chile FTA, art 11.5; 2018 Brazil–Chile FTA, art 10.8; 2020 Chile–Ecuador FTA, art 10.8; 2021 Chile–Paraguay FTA, art 7.8; 2019 Australia–Indonesia FTA, art 13.7; 2022 Singapore–Pacific Alliance FTA, art 13.11. For another variation, see eg, 2018 Singapore–Sri Lanka FTA, art 9.7.2 (‘… each Party shall adopt such domestic legal framework, that each Party may consider adequate, for the protection of the personal data of users of electronic commerce’).
2018 USMCA, art 19.8.3; 2019 US–Japan DTA, art 15.4.
2018 USMCA, art 19.8.6; 2020 SADEA, art 17.8; 2022 KSDPA, art. 14.17.8. In this regard, the 2020 DEPA instead encouraged the parties to ‘mutually recognise the other Parties’ data protection trustmarks as a valid mechanism’ for cross-border data transfers while protecting personal data. See 2020 DEPA, art 4.2.8–10; About the Data Protection Trustmark (DPTM) <https://www.imda.gov.sg/how-we-can-help/data-protection-trustmark-certification> accessed 8 December 2024 (explaining that the trustmark is ‘a voluntary enterprise-wide certification for organisations to demonstrate accountable data protection practices’).
2020 SADEA, art 17.2.
ibid art 17.9. See 2022 KSDPA, art. 14.17.9 (also urging the parties to jointly promote the adoption of the APEC CBPR system).
See Japan—Data Protection Overview, November 2023 <https://www.dataguidance.com/notes/japan-data-protection-overview> accessed 8 December 2024.
Singapore now recognizes APEC CBPR and PRP Certifications under PDPA (June 2020) <https://www.pdpc.gov.sg/news-and-events/announcements/2020/06/singapore-now-recognises-apec-cbpr-and-prp-certifications-under-pdpa> accessed 8 December 2024. Similar to the APEC CBPR system (which only applies to data controllers), the APEC PRP system is a cross-border data transfer mechanism developed by the APEC member economies in 2015 to operationalize the privacy principles of the APEC Privacy Framework, but it is a certification system for data processors to process personal data on behalf of data controllers. Compared with CBPR, PRP has fewer programme requirements. See APEC PRP: Purpose and Background <https://cbprs.blob.core.windows.net/files/PRP%20-%20Purpose%20and%20Background.pdf> accessed 8 December 2024 (‘The PRP can be used by a processor to help demonstrate its capacity of processing of personal information in general, but is designed to assure that processing is at least consistent with the controller’s applicable requirements for processing under the CBPR System’).
US Department of Commerce, Global Cross-Border Privacy Rules Declaration <https://www.commerce.gov/global-cross-border-privacy-rules-declaration> accessed 8 December 2024.
Global Cross-Border Privacy Rules (CBPR) and Global Privacy Recognition for Processors (PRP) Systems: Policies, Rules, and Guidelines (April 2024) 2 <https://www.globalcbpr.org/wp-content/uploads/Global-CBPR-Policies-Rules-and-Guidelines_Final-as-of-April-11-2024.pdf> accessed 8 December 2024.
See the text accompanying notes 60 to 61.
See PTAs referred to in notes 158 to 161.
See the text accompanying note 48.
See the text accompanying notes 49 to 56.
See the ‘National data protection laws that adopt the EU’s “Adequacy” standard to regulate cross-border transfers of personal data’ section.
Anu Bradford, The Brussels Effect: How the European Union Rules the World (OUP 2019) 147–148.
2016 SAFTA, art 19.2 (footnote 6); 2018 USMCA, art 19.8.2 (footnote 4); 2019 US–Japan DTA, art 15.1 (footnote 12); 2020 SADEA, art 17.2 (footnote 11); 2020 UK–Japan CEPA, art 8.80.2 (footnote 1); 2020 DEPA, art 4.2.2 (footnote 11); 2022 KSDPA, art. 14.17 (footnote 14-8).
See the text accompanying notes 64 to 66 and 69. See also Chander and Schwartz (n 15) 88–89.
See the ‘National data protection laws that adopt the EU’s “Adequacy” standard to regulate cross-border transfers of personal data’ section. See eg, GDPR, art 45.
Chander and Schwartz (n 15) 72, 74.
ibid 75–76 (noting that the ‘expansion of adequacy rules means that more countries will be inadequate to receive data without sometimes unwieldy legal safeguards in place’).
Christopher Wolf, ‘Delusions of Adequacy? Examining the Case for Finding the United States Adequate for Cross-Border EU-U.S. Data Transfers’ (2013) 43 Wash U J L & Pol’y 227, 251–255.
See TPP, art 14.8.5; CPTPP, art 14.8.5; USMCA, arts 19.8.6, 19.14.1 (b). While the precise meaning of ‘compatibility’ or ‘interoperability’ remains undefined, according to a leading commentator, this term suggests ‘a situation in which different data privacy regimes co-exist harmoniously and, as a result, permit personal data to flow between countries and organizations but without unduly compromising the privacy-related interests of the data subjects’. See Bygrave (n 72) 49.
APEC CBPR (n 89) 11.
GDPR, arts 46–47.
Chander and Schwartz (n 15) 99.
Schwartz (n 96) 794, 801.
See ‘The OECD Guidelines and APEC Privacy Framework: an economic approach to data privacy protection’ section and ‘The APEC CBPR System—A Voluntary Accountability Mechanism to Facilitate Cross-Border Personal Data Flows’ section; Chander and Schwartz (n 15) 96–98.
See APEC, APEC Cross-Border Privacy Rules System Goes Public (31 July 2012) <https://www.apec.org/Press/News-Releases/2012/0731_cbpr> accessed 8 December 2024.
See Sullivan (n 77) 381.
CIPL (n 97) Q6 (noting that ‘(t)he Global CBPR and Global PRP will be based upon and combine the current APEC CBPR and PRP systems and will preserve the core features of the governance and enforcement model of the current systems’, though with a few adaptations).
About CBPRs <https://cbprs.org/about-cbprs/> accessed 8 December 2024; CIPL (n 97) Q2.
CIPL (n 97) Q4.
PrivCom Recognized APEC CBPR System as a Certification Mechanism for Overseas Data Transfers (March 2021) <https://www.privacy.bm/post/privcom-recognises-apec-cbpr-system-as-a-certification-mechanism-for-overseas-data-transfers> accessed 8 December 2024.
Gribakov (n 102).
Schwartz (n 96) 777.
Bradford (n 174) 63 (arguing that for a regulatory jurisdiction to utilize market regulation to export its standards globally (ie, ‘unilateral regulatory globalization’ or the ‘Brussels Effect’), it must satisfy the following conditions: a large market size, sufficient regulatory capacity, stringent regulatory standards, the tendency to regulate inelastic targets (ie, products or producers), and non-divisibility of the production or business practices across different markets).
Schwartz (n 96) 806–817.
Graham Greenleaf, Global Tables of Data Privacy Laws and Bills (8th edn, 2023) <https://papers.ssrn.com/sol3/papers.cfm?abstract_id=4405514> accessed 8 December 2024. See Abraham L Newman, Protectors of Privacy: Regulating Personal Data in the Global Economy (Cornell University Press 2008) 103.
See Newman (n 197) 103; Schwartz (n 96) 773, 777–778.
Chander and Schwartz (n 15) 54, 74.
Act on the Protection of Personal Information (Japan), Act No 57 of 2003 (amended in 2021), art 28 <https://www.japaneselawtranslation.go.jp/en/laws/view/4241/en> accessed 8 December 2024 [‘2021 APPI’]; Privacy Act 2020 (New Zealand), June 2020, s 193 <https://www.legislation.govt.nz/act/public/2020/0031/latest/LMS23223.html> accessed 8 December 2024; Law No 29,733 (Peru), 2 July 2011, E.P. 445746, art 15 <https://www.huntonak.com/privacy-and-information-security-law/assets/htmldocuments/uploads/sites/18/migrated/Ley%2029733.pdf> accessed 8 December 2024.
While the US–Japan DTA does not have a dispute settlement mechanism for enforcement, the analysis of its rules can still inform us of the legal risks for Japan, as it is a treaty that was approved by the Japanese parliament and has been in force since January 2020. Additionally, it is possible that the parties may create an enforcement mechanism for this treaty in the future. See US–Japan DTA <https://www.mofa.go.jp/na/na2/page24e_000261.html> accessed 8 December 2024.
2021 APPI, art 28(1). This contribution uses the term ‘data operator’ to refer to ‘business handling personal information’ under the 2021 APPI, which is similar to ‘data controller/processor’ under the GDPR. For the particulars of the information required to be provided by the data operator before obtaining the data subject’s consent, see 2021 APPI, art 28(2); Enforcement Rules for the Act on the Protection of Personal Information, art 17 <https://laws.e-gov.go.jp/law/428M60020000003> accessed 8 December 2024 [‘Enforcement Rules’].
2021 APPI, art 28(1). For the conditions for such an equivalency decision, see Enforcement Rules, art 15.
2021 APPI, art 28(1); Enforcement Rules (n 202) art 16.
The Guidelines for the Act on the Protection of Personal Information (Chapter on the Provision of Personal Data to Third Parties in Foreign Countries) 8–9, 38 <https://www.ppc.go.jp/personalinfo/legal/guidelines_offshore/> accessed 8 December 2024 [‘Guidelines for the APPI’].
ibid. Enforcement Rules (n 202) art 16(2).
2021 APPI, art 28(3). In this regard, the data exporter is obliged to (i) periodically check if the importer complies with its obligations, and if a system in the receiving country may affect the importer’s compliance with its obligations and (ii) take necessary and appropriate measures if the importer’s implementation of equivalent measures is impeded, and suspend the transfers if it becomes difficult to ensure the continuous implementation of equivalent measures. See Enforcement Rules (n 202) art 18(1); Guidelines for the APPI (n 205) 50.
2021 APPI, art 27(1)(i)–(vii) (such as (a) when the data transfers are provided by Japanese laws and regulations, (b) when it is difficult to obtain the data subject’s consent, and such transfers are necessary to protect the life, well-being, or property of an individual, or to improve public well-being or promote healthy child development, and (c) when the transfers are necessary for law enforcement and regulatory purposes).
GDPR, art 44.
Kuner (n 74) 64.
Personal Information Protection Commission Notification No 1 of 2019 <https://www.ppc.go.jp/files/pdf/190123_h31iinkaikokuji01.pdf> accessed 8 December 2024. After a re-evaluation of the 2019 Japan–EU mutual adequacy arrangement, Japan has confirmed its equivalency determination for the EEA countries in April 2023. See Joint Press Statement on the Conclusion of the First Review of the Japan-EU Mutual Adequacy Arrangement (April 2023) <https://www.ppc.go.jp/files/pdf/230412_shiryou-3-3.pdf> accessed 8 December 2024.
CPTPP, art 14.11.2; US–Japan DTA, art 11.1. Under both treaties, the free data flow provisions apply to ‘measures adopted or maintained by a Party that affect trade by electronic measures’, including laws, regulations, procedures, requirements, rules, decisions, and practices. See CPTPP, arts 1.3, 14.2(2); US–Japan DTA, arts 1(aa), 2(1).
Yakovleva (n 44) 491.
TPP/CPTPP, art 14.8.1–2. See also US–Japan DTA, art 15.1.
Mitchell and Hepburn (n 50) 209.
See (n 36).
WTO, Panel Report, US-Gambling, November 2004, WT/DS285/R, paras 6.579–6.580.
Chander and Schwartz (n 15) 59.
Mitchell and Hepburn (n 50) 205.
WTO, Appellate Body Report, Brazil—Retreaded Tyres, December 2007, WT/DS332/AB/R, paras 225, 227, 229–230.
WTO, Appellate Body Report, US-Shrimp, October 1998, WT/DS58/AB/R, paras 161, 163–165, 177, 186.
ibid paras 163–165, 177.
ibid para 166.
ibid para 172.
Yakovleva (n 36) 38.
ibid 27, 30–31. For a critique on the efficacy of the consent mechanism, see Daniel Solove, ‘Introduction: Privacy Self-Management and the Consent Dilemma’ (2013) 126 Harv L Rev 1880, 1881; Bart Schermer and others, The Crisis of Consent: How Stronger Legal Protection May Lead to Weaker Consent in Data Protection, Ethics & Information Technology (Springer 2014) 1 <https://papers.ssrn.com/sol3/papers.cfm?abstract_id=2412418> accessed 8 December 2024.
As noted by Yakovleva, the equivalency assessments are arguably the highest standard for protecting outbound personal data transfers. See Yakovleva (n 36) 38.
ibid.
CPTPP, art 14.8.2 (footnote 6), 14.8.5; US–Japan DTA, art 15.1 (footnote 12), 15.3.
Yakovleva (n 36) 38.
ibid. Laura Drechsler and Hideyuki Matsumi, ‘Caught in the Middle: The Japanese Approach to International Personal Data Flows’ (2024) 14 IDPL 134, 141 (noting that ‘the PPC is currently not working on any further equivalency findings’).
WTO, Appellate Body Report, US-Gambling, April 2005, WT/DS285/AB/R, para 306.
WTO, Appellate Body Report, Korea-Beef, December 2000, WT/DS161/AB/R, WT/DS169/AB/R, para 161.
ibid para 163 (stating that the more a measure contributes to its stated objective and the less it restricts international trade, the more likely it is to satisfy the ‘necessary’ criterion).
ibid para 162.
ibid paras 165–166.
Appellate Body Report, US-Gambling, para 307.
ibid para 308.
See Kristina Irion, Svetlana Yakovleva, and Marija Bartl, Trade and Privacy: Complicated Bedfellows? (IViR 2016), 37 <https://hdl-handle-net-s.vpnm.ccmu.edu.cn/11245/1.545479> accessed 8 December 2024 (arguing that under the GATS general exceptions’ necessity test, the fact that the EU–U.S. Safe Harbor framework was invalidated for providing insufficient protection can undermine the relative strength of the EU’s adequacy standard in contributing to securing compliance with the GDPR).
See eg, Christopher Kuner, ‘Developing an Adequate Legal Framework for International Data Transfers’ in Serge Gutwirth and others (eds), Reinventing Data Protection (Springer 2009) 263, 265–266, 273 (citing the example of Argentina); Svetlana Yakovleva, ‘Personal Data Transfers in International Trade and EU Law: A Tale of Two “Necessities”’ (2020) 21 JWIT 881, 906–907.
Under Japan’s data protection law, the PPC should review its equivalency findings at least every 4 years (after 2021) or whenever it considers necessary, and may revoke such a decision if it finds a foreign country no longer satisfies the required conditions. See Personal Information Protection Commission Notification No 1 of 2019; Enforcement Rules (n 202) art 15(4). However, to the extent that political considerations outweigh legal ones in granting and maintaining an equivalency decision, the effectiveness of the review mechanism can be questioned. Furthermore, third countries with equivalency findings are not legally obliged to notify the PPC of changes to their rules, policies, or practices regarding data privacy protection or national security surveillance programmes, making it burdensome for the PPC to uncover such circumstances in a timely manner. Constantly monitoring these changes on a unilateral basis can also require substantial cost, effort, and expertise. See Svetlana Yakovleva, Governing Cross-Border Data Flows (PhD thesis), 222 <https://dare.uva.nl/search?identifier=cf54d2a9-cd41-42c2-94f1-24c81f8a3abd> accessed 8 December 2024.
Yakovleva (n 240) 906. See GDPR, art 45.3. See ibid 219 (questioning if many countries receiving the EU’s adequacy decisions before 2015 can withstand the stringent ‘essential equivalence’ test established by the Court of Justice of the EU in Schrems II regarding foreign government surveillance and the right to an effective judicial remedy).
See (nn 213–215).
See the text accompanying notes 48, 60 to 61.
2020 US–Japan DTA, art 15.1. Compare with CPTPP, art 14.8.1.
Yakovleva (n 36) 32.
2020 US–Japan DTA, art 15.4.
Gao (n 46) 739.
2020 US–Japan DTA, art 11.
See Yakovleva (n 240) 908, 917–920 (advocating a more nuanced approach, taking into account the contexts, categories, and volumes of the data, the parameters of the data transfers, the existence of safeguards (eg, pseudonymization), the risk of re-identifying the individuals, and the level of interference with their rights or interests).
APEC CBPR (n 89) 2.
Guidelines for the APPI (n 205) 8–9, 50; DLA Piper, Data Protection Laws of the World: Japan (January 2024) <https://www.dlapiperdataprotection.com/index.html?t=transfer&c=JP> accessed 8 December 2024.
See ‘The OECD Guidelines and APEC Privacy Framework: an economic approach to data privacy protection’ section and ‘The APEC CBPR System—A Voluntary Accountability Mechanism to Facilitate Cross-Border Personal Data Flows’ section.
Following this reasoning, aside from the equivalency standard, PPC-stipulated contractual agreements or PPC-approved binding arrangements also risk violating the free data flow provisions, to the extent that they impose greater restrictions on cross-border data flows than the CBPR system and APEC Privacy Framework do.
CPTPP, art 14.8.5.
Kuner (n 240) 271–273 (arguing that while the adequacy standard purports to provide a high level of data protection, such protection is actually difficult to enforce abroad; in contrast, the accountability standard focuses on workable, effective protection in practice, and grants individuals a remedy against domestic data exporters).
Kenneth A Bamberger and Deirdre K Mulligan, Privacy on the Ground: Driving Corporate Behavior in the United States and Europe (The MIT Press 2015) 15–16; Kenneth A Bamberger and Deirdre K Mulligan, ‘Privacy on the Books and on the Ground’ (2011) 63 Stanford L R 247, 248.
For instance, the negotiations on the Transatlantic Trade and Investment Partnership (TTIP) and Trade in Services Agreement (TiSA) have stalled, with a key obstacle being US–EU disagreements on cross-border personal data flows and data privacy protection. See Azmeh and Foster (n 19) 17–18.
See Schwartz (n 96) 795–803.
The limited exceptions include the US–Swiss Data Privacy Framework and the UK Extension to the EU–US Data Privacy Framework. See Data Privacy Framework (DPF) Overview <https://www.dataprivacyframework.gov/Program-Overview> accessed 8 December 2024.