This "2025 Global Comparative Study Report on Cross-Border Data Flow Policies" is released by the Data Working Group of the World Internet Conference. Its core is to analyze the current status, types, and trends of global cross-border data flow policies. The following is a detailed interpretation:
I. Importance and Current Status of Cross-Border Data Flow
- Significant economic contribution: In 2023, the scale of global digital services trade exceeded $4.25 trillion, with more than half coming from cross-border data flows; it is estimated that by 2025, cross-border data will contribute $11 trillion to global GDP.
- Policy fragmentation issue: Countries have significant policy differences regarding data sovereignty and security, resulting in high compliance costs and strong rule uncertainty for enterprises.
- China’s initiatives and actions: President Xi Jinping proposed the "Global Initiative on Cross-Border Data Flow Cooperation," calling for consensus on rules through consultation; China also released the report "Promoting Open, Collaborative, and Win-Win International Data Cooperation," advancing an open and inclusive governance framework.
II. Three Main Types of Global Cross-Border Data Policies
The report categorizes 194 policy texts from 136 countries (regions) into three types, ranked by proportion from high to low:
1. Prudential and Flexible Type (59.28%)
- Core features: Adopts an "assessment + tools" model, requiring enterprises to conduct "adequacy assessments" to confirm the recipient’s protection capability before cross-border data transfer, or use contractual clauses, internal corporate rules, etc., balancing flow and security.
- Representative policies: EU "General Data Protection Regulation" (GDPR), China "Regulations on Promoting and Regulating Cross-Border Data Flow."
- Applicable scenarios: Important high-value data (such as financial, medical data), relying on cooperation between countries with mature data industries.
2. Facilitated Within Framework Type (26.29%)
- Core features: Uses a "principle + accountability" mechanism, relying on corporate self-discipline and post-event accountability, simplifying cross-border processes and reducing initial costs.
- Representative policies: US "Federal Trade Commission Act," China "Cybersecurity Law."
- Applicable scenarios: High-frequency non-critical data (such as daily business data), suitable for regional cooperation or efficiency-driven scenarios.
3. Restrictive and Constrained Type (14.43%)
- Core features: Implements an "approval + flow restriction" strategy, strictly requiring prior approval or prohibiting data transfer to specific countries/regions, focusing on national security.
- Representative policies: US "Final Rule on Addressing Foreign Adversaries’ Access to Sensitive Personal Data of US Citizens," Russia "Approved List of Foreign Countries Ensuring Adequate Protection of Personal Data Subject Rights."
- Applicable scenarios: Data involving national security (such as military, biometric data), or early stages of domestic digital industry cultivation.
III. Policy Trends and Tools
- Trends:
- In 2018, the EU GDPR drove prudential and flexible policies to a peak, after which restrictive policies gradually increased (e.g., the US and Russia strengthened security supervision).
- Countries are paying more attention to data classification and grading (such as localization of important data storage) and protection of subject rights (such as right to know, right to erasure).
- Common tools:
- General tools: Data subject informed consent (involved in 71.79% of policies).
- Core tools for prudential and flexible type: Adequacy assessment (45.64%), contractual clauses (38.46%).
- Restrictive tools: Prior approval (8.72%), geographic restrictions (6.15%), less commonly applied.
IV. International Cooperation and Policy Recommendations
- International cooperation models:
- Multilateral arrangements (such as the United Nations, ASEAN): Focus on facilitated within framework or prudential and flexible types, emphasizing mutual recognition of standards and non-localized storage (e.g., "Global Digital Compact").
- Trade agreements (such as RCEP, CPTPP): Emphasize freer data flow, weaken process controls.
- Report recommendations:
- Lower policy barriers: Promote rule coordination, mutual recognition of standards, and establish dispute resolution mechanisms.
- Categorized policy implementation: Match different policy paradigms according to data types (such as high-frequency non-critical data, national security data).
- Strengthen technical governance: Use technologies such as blockchain and AI to improve regulatory efficiency, such as establishing automated approval platforms.
By comparing global cross-border data policies, the report reveals a pattern of "prudential flexibility as the mainstay, with facilitation and restriction coexisting," calling on countries to seek a balance between security and development, and to build a more inclusive global data governance system through international cooperation and technological innovation. For enterprises, it is necessary to adjust compliance strategies according to the policy types of different countries, with particular attention to classification and grading, assessment processes, and requirements for protection of subject rights.
