The IT Law Wiki


Rachel F. Fefer, Data Flows, Online Privacy, and Trade Policy (CRS Report R45584) (updated Mar. 26, 2020) (full-text).


Ensuring open cross-border data flows has been an objective of Congress in recent trade agreements and in broader U.S. international trade policy. The free flow of personal data, however, has raised security and privacy concerns. U.S. trade policy has traditionally sought to balance the need for cross-border data flows, which often include personal data, with online privacy and security. Some stakeholders, including some Members of Congress, believe that U.S. policy should better protect personal data privacy and security, and have introduced legislation to set a national policy. Other policymakers and analysts are concerned about increasing foreign barriers to U.S. digital trade, including data flows.

Recent incidents of private information being shared or exposed have heightened public awareness of the risks posed to personal data stored online. Consumers' personal online data is valued by organizations for a variety of reasons, such as analyzing marketing information and easing the efficiency of transactions. Concerns are likely to grow with expansion of both the amount of online data organizations collect and the level of global data flows. As Congress assesses policy options, it may further explore the link between cross-border data flows, online privacy, and trade policy; the trade implications of a comprehensive data privacy policy; and the U.S. role in establishing best practices and binding trade rules that seek to balance public policy priorities.

There is no globally accepted standard or definition of data privacy in the online world, and there are no comprehensive binding multilateral rules specifically about cross-border data flows and privacy. Several international organizations, including the Organisation for Economic Co-operation and Development (OECD), G-20, and Asia-Pacific Economic Cooperation (APEC) forum, have sought to develop best practice guidelines or principles related to privacy and cross-border data flows, although none are legally binding. Recent U.S. and other trade agreements are establishing new enforceable trade rules and disciplines among subsets of trading partners.

Countries vary in their data policies and laws; some focus on limiting access to online information by restricting the flow of data beyond a country's borders, aiming to protect domestic interests (e.g., constituents' privacy). However, these policies can also act as protectionist measures. The EU and China, two top U.S. trading partners, have established prescriptive rules on cross-border data flows and personal data from different perspectives. The EU General Data Protection Regulation (GDPR) is driven by privacy concerns; China is focused on security. Their policies affect U.S. firms seeking to do business in those regions, as well as in other markets that emulate the EU and Chinese approaches. Unlike the EU or China, the United States does not broadly restrict cross-border data flows and has traditionally regulated privacy at a sectoral level to cover different types of data, such as health records.

U.S. trade policy has sought to balance the goals of consumer privacy, security, and open commerce. The United States-Mexico-Canada Agreement (USMCA) is the first U.S. trade agreement to include rules and disciplines on privacy, cross-border data flows, and security. While the United States and other countries work to define their respective national privacy strategies, many stakeholders seek a more global approach that would allow interoperability between differing national regimes to facilitate and remove discriminatory trade barriers to cross-border data flows; this could offer an opportunity for the United States to lead the global conversation.

Although Congress has examined issues surrounding online privacy and multiple Members and committees have proposed bills, there is not yet consensus on a comprehensive U.S. online data privacy policy. Congress may weigh in as the Administration seeks to define U.S. policy on data privacy and engages in international negotiations on cross-border data flows.