How (Not) to Regulate Cross-Border Data Flows

14 Oct 2022


Data is the lifeblood of digital trade.[1] For companies with global supply chains, the free flow of information facilitates communication between actors within the supply chain and ultimately determines whether physical items get from point A to point B on time. For consumers, data facilitates trade and opens a whole new online marketplace.[2] Clearly, countries need to have a uniform approach to how they regulate the flow of data across their domestic borders to support global economic activity in digital economies.

That said, not all countries regulate the flow of data equally. Some countries exhibit inconsistent approaches to ICT standards that are 'protectionist' in nature which only serves to make commerce more complicated for consumers and businesses alike. 

A rather prominent example of this is how data flows are regulated by countries who are parties to the Australia-New Zealand-ASEAN Free Trade Agreement ('AANZFTA') which includes countries such as Australia, New Zealand, Vietnam and Thailand.

Fig. 1.0: Countries in the ASEAN region. Source: Wikipedia.

While these countries have recognised that harmonised ICT standards are the foundation of a thriving digital economy because they support and facilitate digital trade,[3] the countries have achieved anything but a standardised and approach to regulating data flows within their own borders. Even more, the protections for data flows that do exist under the AANZFTA are limited in their scope and do not protect businesses from all sectors.

As such, the AANZFTA provides an example of how not to approach the regulation of cross-border data flows. 

Here's why. 

Inconsistencies in Regulating Cross-Border Flows

Scope of Legal Protection

The AANZFTA recognises the significance of cross-border data flows in its Annex on Financial Services.[4] Article 7 of the Annex prevents parties from imposing measures that inhibit the transfer of information provided that the information is necessary for financial service suppliers to conduct ordinary business.[5] 

Put simply, if you are a business that is using information to provide financial services to your consumers, the country where the data originates from cannot legally stop the flow of information to your country of origin if you need the data to simply do business. The exception to this rule is if parties need to restrict free cross-border data flows to protect personal data, privacy and confidentiality in accordance with its domestic laws and regulations.[6]

While this regime might sound reasonable at first glance, several issues arise with the scope of activities covered and reverting to domestic laws to inform policy. 

Problems with the AANZFTA's Regulatory Approach

The most obvious issue is that these protections against countries inhibiting cross-border data flows only apply to services that fall within the scope of ‘financial services’, with other sectors not being protected.[7] In a digital economy, data is used in many other sectors apart from the financial industry or service industries generally. A common example of this is behavioural data. Behavioural data is heavily used by businesses of all kinds for targeted online advertising regardless of whether they are selling goods, services or e-products.[8] Under the AANZFTA, you may face issues as a social media company or a business selling physical products, not because your use of data isn't any less 'genuine' than that of a financial services company, but simply because the AANZFTA does not afford any protection to you. 

And secondly, justifying data restrictions on the grounds of privacy in accordance with domestic laws and policies rather than binding multi-lateral privacy standards is conflicting and trade restrictive.[9] Data protection measures may be erected for purely protectionist reasons absent any multi-lateral consensus on appropriate privacy standards.[10] 

A rather common example of this in the ASEAN context concerns the implementation of data location measures. These measures prevent businesses from exporting data outside of the jurisdiction in which the data was collected. Unfortunately, data localisation measures have been on the rise with countries such as Vietnam nearly tripling their data localisation measures between 2006-2016.[11]

The issue of data localisation is particularly problematic in an AANZFTA context because parties to the agreement are from a collage of economies that are at different stages in their economic development.[12] Therefore, parties take inconsistent approaches to matters such as privacy so they can serve their own unique economies. This has only induced a situation where there is a lack of consensus as to what constitutes 'best practice' for data protection across jurisdictions.[13] 

Parties to the AANZFTA have somewhat attempted to remedy these inconsistencies by incorporating international digital standards into their legal treaty obligations, [14] with the AANZFTA heavily relying upon parties adopting standards developed by the International Electrotechnical Commission ('IEC').[15] However, this approach is flawed because the extent to which less developed nations can participate in developing IEC standards depends on their membership.[16] Since most developing nations within the AANZFTA are not full members, they cannot fully participate in developing these standards.[17] As a result, the IEC develops data standards without accounting for the unique economic and regulatory needs of developing nations within the ASEAN region, thereby making the standards unsuitable for some parties.[18]


Although data is everywhere, consistent approaches to legal regulation are lacking. The AANZFTA is only one of many examples of where the regulation of cross-border data flows could do with some re-thinking and a consensus on what constitutes best domestic practice. After all, a lack of harmony only hurts businesses and consumers. 


[1] [1] Organisation for Economic Co-operation and Development, ‘Trade in the Digital Era’ (Digital Policy Note, March 2019) 2.
[2] ICC Commission on Trade and Investment Policy and ICC Commission on the Digital Economy, ‘Trade in the Digital Economy: A Primer on Global Data Flows for Policymakers’ (Publication No 103/330, 373/560) 2.
[3] Standards Australia, ‘Accelerating Digital Trade: Prospects for Closer ASEAN and Australia Standards Cooperation and Collaboration’ (Issues Paper, September 2018) 7.
[4] Agreement Establishing the ASEAN-Australia-New Zealand Free Trade Area, signed 27th February 2009, 2672 UNTS 3 (entered into force 1st January 2010) ch 8 annex of Financial Services (‘AANZFTA’). 
[5] Ibid art 7.1.1.
[6] Ibid art 7.2.1.
[7] Andrew D. Mitchell and Neha Mishra, ‘Data at the Docks: Modernizing International Trade Law for the Digital Economy’ (Research Paper No. 19/08, National University of Singapore Centre for International Law, 2nd November 2017) 1092.
[8] Organisation for Economic Co-operation and Development, ‘Exploring the Economics of Personal Data: A Survey of Methodologies for Measuring Monetary Value’ (Research Paper No 220, DSTI/ICCP/IE/REG, 2nd April 2013) 14.
[9] Standards Australia (n 3) 15.
[10] Graham Greenleaf, ‘The TPP & Other Free Trade Agreements: Faustian Bargains for Privacy?’ (Research Paper No 2016-08, UNSW, 15th February 2016) 6.
[11] Business Council of Australia, ‘Response to the Future of Digital Trade Rules Discussion Paper’ (Submission, July 2018) 8 (“BCoA”).
[12] Standards Australia (n 3) 11.
[13] BCoA (n 12) 9.
[14] AANZFTA (n 4) art 7.3.
[15] Standards Australia (n 3) 15.
[16] Ibid.
[17] Ibid.
[18] Ibid.

1 Comment

No comments yet.