Data Diplomacy: Rethinking Cross-Border Data Flows for a More Equitable Global Digital Economy

The free flow of electronic data across borders contributed $2.8 trillion to global GDP in 2023, a figure that exceeded the global trade in goods and is likely to grow to $11 trillion in 2025. Called the “lifeblood of the modern digital economy” by the World Economic Forum, cross-border data flows are indispensable in developing and deploying cutting-edge technologies like artificial intelligence (AI). 

This apparent free flow masks the fact that data is stored and controlled by a limited number of players in a limited group of countries. The United States houses the lion’s share of the world’s data centers: 5,381, or about 46 percent. Germany is a distant second with 521 (about 4 percent). India, home to the world’s largest population, has 152. The vast majority of the world’s countries, some 170-odd combined, hold a paltry 12 percent of the global total.

National efforts to restrict the flow of data across borders are a response to this reality. Data localization measures are rising rapidly: The OECD reports 100 such measures across 40 nations; over half of them arose in the past dozen years. Such measures, critics charge, are measurably reducing trade, slowing productivity, and, ominously, increasing national power to surveil citizens.

The implicit solution—restoring unbridled cross-border data flows—fails to account for the legitimate concerns of these nations, many of which are developing countries. Their growing focus on data sovereignty and data localization measures are expressions of anxieties about a global digital economy that does not work equitably at all times for all actors. If we want to restore the free flow of data across borders, we need to conceptualize systems and safeguards that address these anxieties.

This brief lays out the groundwork for doing so. Section II explores the arguments for or against cross-border transfers of data in an AI-driven economy. Section III proposes two potential policy solutions that enable states to retain control over data without compromising national security, undermining economic security, or violating privacy rights.

Data is multifaceted and political: The creation, collection, processing, and application of data are ultimately shaped by power asymmetries—between countries, corporations, communities, and individuals, who are all battling to preserve their agency and/or assert control over data. As nations seek to retain data generated in-country, they often address four different arenas that data affects in the life of a nation: public order, economic growth, individual rights, and national security.

Public order: Major tech companies store and control massive tracts of data outside their country of origin, with the lion’s share in the United States and Europe. World over, law enforcement authorities who need to access data to conduct investigations must grapple with a process (known as a mutual legal assistance treaty procedure) that reportedly takes at least ten months, significantly stymieing the pace of any investigation. When French authorities found their data requests, especially concerning a child sex abuse case, ignored by the online messaging service Telegram (based in the United Arab Emirates), they arrested founder Pavel Durov when he landed in Paris. Compelling such companies to store data locally and subsequently obtaining the required data sets under domestic law is an attractive alternative for many nations.

Economic value: Stark power asymmetries exist between the developed states that house much of the world’s financial power and data processing capabilities, and the majority developing world, whose citizens generate most of the world’s data but have little say in how their own data is used further up the value chain. Given the value of such data for the AI economy, this asymmetry places developing countries and their corporations at a significant disadvantage when they cannot access and use data created in-country.

Taking the view that private corporations’ exploitation of their citizens’ data amounts to data colonization, some nations seek to localize data to enable local companies to ascend the AI value chain. In practice, this approach yields varied outcomes: It relies on adequate in-country processing capacity and appropriate legal data sharing mechanisms, and usually pays more dividends for corporations in more populous countries like India or Indonesia than for smaller countries that lack the resources to compete. National governments also point to the benefits of job creation: Constructing a data center may create over 1,500 jobs. However, operating and maintaining a data center generates very few lasting jobs (around 100 or so) and also entails environmental costs.

Individual rights: Stored data may be breached by third parties or illegal or unwarranted surveillance by foreign state parties. The European Union’s General Data Protection Regulations only allows transfers to other countries with “adequate” protection of data privacy, as determined by the EU Commission. European courts have twice stopped transatlantic data transfers because they held that U.S. law and practice did not sufficiently protect European citizens’ data against bulk surveillance by intelligence agencies.

National security: The unrestricted free flow of data has raised national security concerns as geopolitical adversaries can utilize the borderless information space to steal trade secrets, conduct cyber espionage and surveillance, and launch offensive cyber operations. Restricting the free flow of data to geopolitical adversaries has therefore emerged as an attractive policy option. Cognizant of the risks to U.S. national security, President Biden issued an executive order directing agencies in the U.S. government to restrict sales and the flow of U.S. personal data to foreign entities linked to “countries of concern.” This directive was driven by fears of companies harvesting sensitive data of U.S. citizens, including the geolocation data of military personnel, and selling to, for example, intelligence agencies in Russia or China.

In the modern digital economy, data is stored and controlled by a limited number of countries, particularly the United States. The control they assert over the data stored in their territory offers advantages, but in response, other countries will continue to turn off the taps and further restrict the free flow of data, negatively impacting the global digital economy, including the most advanced economies.

Any policy solution must meaningfully address this power asymmetry. Two policy options in particular have the potential to enable the free flow of data and equitable data access across borders while accounting for the concerns raised in the previous section. 

1. Bilateral negotiation of treaties for law enforcement data access

To access data housed in the United States or Europe, an external country must either be approved as having adequate privacy protection under the EU General Data Protection Regulation or sign an executive data-sharing agreement under the U.S. Clarifying Lawful Overseas Uses of Data (CLOUD) Act. So far, the European Union has recognized only fifteen jurisdictions, largely in the developed world, as having adequate privacy protections, while the United States has concluded data-sharing agreements only with the United Kingdom and Australia, both treaty allies.

Many majority world nations currently lack adequate legislation that would genuinely protect user rights against state or corporate surveillance. Such countries face the reality that passing comprehensive rights-respecting legislation takes time, especially in democracies with multiple competing interests.

If they want to restore free and equitable data flows, countries storing a lion’s share of the world’s data need to bear these complex realities of the majority world in mind and carve out exceptions into data-sharing treaties, including: 

• Fast-tracking access to critical data during criminal investigations, if the requesting state can demonstrate effective legal protection of the requested data.
• Defining exceptions for sharing certain types of data, such as financial data, that are essential to law enforcement investigations.
• Appointing regular points of contact to ensure continuous communication between authorities of the requesting state, the state hosting the data, and any private company storing or processing the data.
• Establishing annual review mechanisms to ensure that legitimate law enforcement interests and individual privacy rights are guaranteed. 

1. Plurilateral sector-specific data-sharing arrangements for research and innovation

Countries can enter into formal (legally binding) or informal (non-binding) arrangements to share data among stakeholders in specific sectors, regardless of where the data is hosted. For example, research data on epidemics can be shared among stakeholders, such as academics, industry researchers, and hospitals in participating countries. Countries and other stakeholders participating in the arrangement would need to comply with mutually-agreed standards of privacy protection, and data would be shared only after seeking the consent of the data creator.

No international data-sharing agreement of this nature exists: Brokering one would be a key push towards multilateral cooperation on the digital economy. The Common European Data Spaces—where  EU member states make data available for reuse among European stakeholders—can serve as a possible model, although the implementation process would differ as all countries participating in plurilateral data sharing agreements will have different domestic regulatory requirements. Global export control arrangements such as the Wassenaar Arrangement, which enables access to and diffusion of sensitive technologies, could provide other models. These arrangements require participating countries to comply with baseline domestic policy requirements and restrict the export of these sensitive technologies to non-participating countries. 

An agreement for sharing sectoral data transnationally could draw on similar principles and operating guidelines, including:

• Clear delineation of the sector for which data is being shared, such as health, finance, or agriculture.
• Common baseline standards of privacy and security protection for the data, agreed upon in advance by the participating countries.
• Guarantees that the data will be limited to participating countries.
• Annual notification and updating of the list of other stakeholders (industry, civil society, and researchers) that can access the data through the agreement. 
• A coordination body for smoothing communications between parties, along with a separate and independent dispute resolution body. 

Since 2013, restrictions to cross-border data flows have proliferated, leading to strenuous objections from industry and civil society alike. The sovereign restrictions on data flows stem from anxieties around the loss of control over data. States assert territorial controls in order to discharge public functions, protect the rights and security of their citizens, or grow their local economy, but in each of these cases, restricting data flows is far from the ideal solution. Instead, this brief proposes two solutions that address anxieties with present power global digital asymmetries while enabling the free-flow of data. This is essential, not just for growing the global digital economy but also for ensuring that a range of actors attempts to develop and deploy AI-based solutions. If we want to reduce data localization measures, we need to tackle the power asymmetries that stem from territorial power and construct a fairer digital economy that respects the agency of all states and their citizens, not just a powerful few.