Learning Objectives

  • Explain why personal data routinely crosses national borders and why this creates governance challenges
  • Describe the GDPR's mechanisms for lawful cross-border data transfers: adequacy decisions, standard contractual clauses, and binding corporate rules
  • Analyze the Schrems I and Schrems II decisions and their consequences for EU-US data transfers
  • Evaluate the EU-US Data Privacy Framework as a replacement for Privacy Shield
  • Compare data localization requirements across jurisdictions and assess their effectiveness and costs
  • Articulate the concept of digital sovereignty and evaluate arguments for and against it

Chapter 23: Cross-Border Data Flows and Digital Sovereignty

"When data crosses a border, it doesn't carry its passport. It carries its vulnerability." — Max Schrems, privacy activist

Chapter Overview

In January 2025, Vikram Chakravarti received an email from a prospective German hospital group interested in licensing VitraMed's EHR platform. The email was enthusiastic — the hospital group managed 14 facilities and 800,000 patient records, and VitraMed's predictive analytics capabilities were exactly what they sought.

Vikram forwarded the email to his legal counsel with a single question: "Can we do this?"

The answer, delivered three weeks later in a 42-page memo, began: "Yes, potentially, but..."

The "but" was cross-border data flows. VitraMed's infrastructure was hosted on AWS servers in Virginia. German patient data — among the most sensitive data categories under EU law — would need to cross the Atlantic, or VitraMed would need to establish European data processing infrastructure. The legal mechanisms governing that transfer had been invalidated by the Court of Justice of the European Union not once but twice, and the current replacement framework was already facing legal challenge.

This chapter examines the complex, politically charged, and practically consequential world of cross-border data flows. It is a domain where technology, law, geopolitics, and fundamental rights collide — where the architecture of the internet (designed for borderless information flow) meets the architecture of the nation-state (designed for territorial control).

In this chapter, you will learn to:

  • Map the technical and business reasons why data routinely crosses borders
  • Navigate the GDPR's legal mechanisms for cross-border data transfer
  • Analyze the dramatic Schrems saga and its ongoing implications
  • Evaluate data localization mandates and their costs and benefits
  • Assess the concept of digital sovereignty and its implications for the global internet


23.1 Why Data Crosses Borders

Before examining the legal and political frameworks, it's important to understand why data routinely moves across national boundaries. The reasons are structural, not incidental.

23.1.1 Cloud Computing Architecture

The global cloud computing market — dominated by Amazon Web Services, Microsoft Azure, and Google Cloud — operates through data centers distributed worldwide. When a European company stores data "in the cloud," that data may physically reside in Ireland, the Netherlands, Virginia, or Singapore — often replicated across multiple locations for redundancy and performance.

Cloud providers have responded to regulatory pressure by offering region-specific data residency options (e.g., AWS's "EU Sovereign Cloud"), but these are recent additions, not the default architecture. Many organizations — particularly smaller ones — do not configure regional restrictions, meaning their data flows wherever the cloud provider's infrastructure directs it.

23.1.2 Multinational Operations

Any organization operating across borders generates cross-border data flows. A European subsidiary's employee data may be processed by the US parent company's HR system. A global e-commerce platform processes customer data from dozens of countries in centralized systems. A hospital group using a US-based EHR platform (like VitraMed) sends patient data to US servers.

23.1.3 The Architecture of the Internet

The internet itself was designed for borderless data transmission. An email from Berlin to Munich may route through servers in Amsterdam and London. A website hosted in Frankfurt may use a content delivery network with nodes in twenty countries. DNS queries may be resolved by servers anywhere in the world.

This borderless architecture was, for decades, considered a feature — a guarantor of the internet's resilience and efficiency. It has increasingly become a governance challenge.

23.1.4 The Scale of Cross-Border Data Flows

Cross-border data flows increased roughly 45-fold between 2005 and 2025, growing faster than trade in goods or financial capital (McKinsey Global Institute, 2024). The digital economy depends on these flows. Restricting them carries real economic costs. But failing to govern them carries real rights costs.

Power Asymmetry: Cross-border data flows are asymmetric. Data overwhelmingly flows from the Global South to the Global North — from populations to the platform companies headquartered in the US and (to a lesser extent) China. This asymmetry means that data governance decisions made in Silicon Valley and Brussels affect billions of people who have no voice in those decisions. We will examine this dynamic further in Chapter 37.


23.2 The GDPR's Cross-Border Transfer Framework

The GDPR establishes a principle: personal data can only be transferred outside the European Economic Area (EEA) if the recipient country or organization provides an "adequate" level of data protection. This principle reflects the EU's conviction that data protection is a fundamental right that must travel with the data, regardless of where the data is physically located.

23.2.1 Adequacy Decisions

The most straightforward mechanism for cross-border transfers is an adequacy decision — a formal determination by the European Commission that a third country's data protection framework provides a level of protection "essentially equivalent" to that of the GDPR.

As of 2025, the Commission has issued adequacy decisions for:

  • Andorra, Argentina, Canada (commercial organizations subject to PIPEDA), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Republic of Korea, Switzerland, the United Kingdom, Uruguay
  • The United States (under the EU-US Data Privacy Framework, since July 2023)

An adequacy decision enables unrestricted data transfers to the recognized country — no additional safeguards required. Organizations can transfer data to an adequate country just as they would transfer data to another EU member state.

23.2.2 Standard Contractual Clauses (SCCs)

Where no adequacy decision exists, the most commonly used mechanism is Standard Contractual Clauses — pre-approved contractual templates adopted by the European Commission that impose GDPR-level data protection obligations on the data recipient.

SCCs require the data importer to:

  • Process data only for specified purposes
  • Implement appropriate technical and organizational security measures
  • Not further transfer data without equivalent protections
  • Allow data subjects to enforce the clauses as third-party beneficiaries
  • Cooperate with supervisory authorities

Since the Schrems II decision (Section 23.3), SCCs alone may not be sufficient. Organizations must also conduct a transfer impact assessment to evaluate whether the laws and practices of the recipient country might undermine the protections in the SCCs — particularly regarding government surveillance.

23.2.3 Binding Corporate Rules (BCRs)

Binding Corporate Rules are internal data protection policies adopted by multinational corporate groups, approved by EU supervisory authorities, that allow intra-group data transfers outside the EEA.

BCRs are more comprehensive than SCCs but far more expensive and time-consuming to implement — the approval process typically takes 1-3 years. They are primarily used by large multinationals with significant EU operations. As of 2025, approximately 180 companies have approved BCRs.

23.2.4 Derogations

In limited circumstances, transfers can occur without adequacy decisions, SCCs, or BCRs:

  • Explicit consent of the data subject, informed of the risks
  • Necessity for contract performance (e.g., booking a hotel in a third country)
  • Important public interest reasons
  • Legal claims
  • Vital interests of the data subject

These derogations are intended for occasional, non-systematic transfers — not for the kind of ongoing, large-scale data flows that characterize cloud computing and multinational operations.


23.3 The Schrems Saga: Invalidating Transatlantic Data Flows

No discussion of cross-border data flows is complete without the story of Max Schrems — an Austrian law student who, beginning in 2013, single-handedly dismantled two successive legal frameworks governing EU-US data transfers.

23.3.1 Schrems I: The Fall of Safe Harbor (2015)

Background: Since 2000, EU-US data transfers had been governed by the Safe Harbor framework — a self-certification program in which US companies voluntarily committed to data protection principles recognized by the EU as providing adequate protection. Approximately 4,500 US companies had self-certified under Safe Harbor.

The challenge: In 2013, Max Schrems, then a 25-year-old law student, filed a complaint with the Irish Data Protection Commissioner (Ireland being Facebook's EU headquarters). Schrems argued that, in light of the mass surveillance programs revealed by Edward Snowden, the US could not be considered to provide adequate protection for personal data.

The ruling: In October 2015, the Court of Justice of the European Union (CJEU) invalidated Safe Harbor entirely. The Court found that:

  1. US intelligence agencies' access to personal data transferred under Safe Harbor was "not limited to what is strictly necessary" — violating the principle of proportionality
  2. Data subjects had no effective legal remedies against US surveillance
  3. Safe Harbor's self-certification model was insufficient to ensure adequate protection

Impact: Overnight, the legal basis for thousands of companies' EU-US data transfers evaporated. The business community scrambled to adopt SCCs as an alternative.

23.3.2 The Privacy Shield: A Quick Replacement (2016)

In response to Schrems I, the EU and US negotiated the EU-US Privacy Shield, a new framework that attempted to address the Court's concerns by including:

  • Stronger self-certification requirements for US companies
  • Written assurances from the US intelligence community regarding proportionality and necessity limitations on surveillance
  • An ombudsperson mechanism for EU citizens to raise complaints about US intelligence surveillance
  • Annual joint reviews of the framework's operation

Approximately 5,300 US companies certified under Privacy Shield.

23.3.3 Schrems II: The Fall of Privacy Shield (2020)

Max Schrems was not satisfied. He challenged Facebook Ireland's use of SCCs for data transfers to the US, arguing that US surveillance law (particularly Section 702 of the Foreign Intelligence Surveillance Act and Executive Order 12333) rendered any transfer mechanism inadequate.

In July 2020, the CJEU delivered its Schrems II ruling, which:

  1. Invalidated the Privacy Shield — finding that the framework failed to provide protection "essentially equivalent" to EU law, for the same fundamental reasons as Safe Harbor: US surveillance law gave intelligence agencies access to transferred data without adequate proportionality limits or judicial oversight
  2. Upheld the validity of SCCs in principle — but imposed new conditions: organizations using SCCs must assess, on a case-by-case basis, whether the recipient country's law provides adequate protection, and must implement "supplementary measures" (technical, contractual, or organizational) if it does not
  3. Created massive legal uncertainty — because the ruling applied to all third-country transfers, not just those to the US, and the meaning of "supplementary measures" was initially unclear

Accountability Gap: The Schrems saga illustrates the Accountability Gap in international data governance. For nearly two decades, companies transferred EU personal data to the US under frameworks that the CJEU ultimately found inadequate. During that time, companies assumed the frameworks were valid, regulators provided limited guidance on alternatives, and individuals had no practical means to protect their data from US surveillance. The gap between the legal fiction of "adequate protection" and the reality of mass surveillance harmed millions of people whose data was transferred without meaningful safeguards.

Eli followed the Schrems developments from his distinctly American perspective: "So the EU Court said that US surveillance law is fundamentally incompatible with data protection. Think about what that means for Americans. If our government's surveillance powers are too extreme for Europeans, what are they doing to us — the people who are subject to even fewer legal protections than EU data subjects?"

23.3.4 The Aftermath

Schrems II created what many described as a "legal earthquake" in transatlantic data flows. Companies that had relied on Privacy Shield needed alternative mechanisms immediately. Companies using SCCs needed to conduct transfer impact assessments — a complex, resource-intensive process with no clear standards.

European data protection authorities (DPAs) began enforcement actions:

  • The Austrian DPA found that Google Analytics violated GDPR because data transfers to Google's US servers lacked adequate supplementary measures
  • The French DPA (CNIL) reached a similar conclusion
  • The Belgian DPA fined a company for transferring employee data to the US without adequate safeguards

These enforcement actions sent shockwaves through the technology industry. If even Google Analytics — used by millions of European websites — was potentially unlawful, the scope of the problem was enormous.


23.4 The EU-US Data Privacy Framework

23.4.1 A Third Attempt

In response to Schrems II, the US and EU negotiated a third framework: the EU-US Data Privacy Framework (DPF), which the European Commission granted an adequacy decision in July 2023.

The DPF's key innovations, designed to address the Schrems II ruling:

Executive Order 14086. Signed by President Biden in October 2022, this Executive Order imposed new limitations on US intelligence surveillance:

  • Signals intelligence activities must be "necessary" and "proportionate" to validated intelligence priorities
  • Bulk collection may only be used when information cannot reasonably be obtained through targeted means
  • A new list of legitimate intelligence objectives replaces the previously open-ended authorization

Data Protection Review Court (DPRC). A new independent redress mechanism for EU individuals who believe their data was unlawfully collected through US surveillance. The DPRC consists of judges appointed from outside the US government, with the authority to investigate complaints, access classified information, and issue binding remedial decisions.

23.4.2 Will It Survive?

The DPF faces the same fundamental challenge as its predecessors: US surveillance law has not changed. FISA Section 702 remains in force (and was reauthorized by Congress in 2024). The improvements are executive in nature — Executive Orders can be modified or revoked by future presidents, and the DPRC's independence has been questioned because its members are appointed by the Attorney General.

Max Schrems himself has signaled that he will challenge the DPF — a potential "Schrems III." Privacy advocates note several concerns:

  • The Executive Order's proportionality standards are less stringent than EU standards
  • The DPRC process is opaque, with no public hearings or published decisions
  • A future administration could weaken or revoke the Executive Order
  • The adequacy decision itself was adopted over the objections of the European Parliament's resolution calling for additional safeguards

Consent Fiction: The successive invalidation and replacement of EU-US data transfer frameworks illustrates the Consent Fiction at a geopolitical level. For over twenty years, individuals and organizations have been told that legal frameworks exist to protect transferred data. Those frameworks have been invalidated twice. The current framework faces legal challenge. Throughout, data has continued to flow across the Atlantic — the protection has been largely fictional, the consent largely meaningless.

Dr. Adeyemi presented the history to her class with characteristic directness: "We are on our third attempt at a legal framework for EU-US data transfers. The first two were invalidated by the EU's highest court. The third faces challenge. If you were a European patient considering whether to trust your health data to a US-based platform, what would you conclude about the reliability of legal protections?"


23.5 Data Localization

23.5.1 What Is Data Localization?

Data localization refers to laws or policies that require data — or certain categories of data — to be stored or processed within the borders of a specific country. Data localization exists on a spectrum:

Type | Definition | Example
Data storage localization | Data must be stored within the country, but can be transferred abroad | Russia's Personal Data Law (original requirement)
Data residency | Data must be stored and processed within the country | China's requirements for "important data" under the DSL
Conditional localization | Data can go abroad only with government approval or specific safeguards | India's approach under the DPDP Act for certain categories
Data sovereignty | The assertion that data is subject to the laws of the country where it is collected or where the data subject resides | General principle, not a specific mechanism

23.5.2 Countries with Data Localization Requirements

Country | Requirement | Scope
Russia | Personal data of Russian citizens must be stored on servers within Russia; cross-border transfer possible with consent or other conditions | All personal data
China | Critical information infrastructure operators must store personal data and important data within China; cross-border transfer requires government security assessment | Critical data, personal data processed by CII operators
India | No strict localization under the DPDP Act, but the government can blacklist specific countries; RBI requires financial data to be stored in India | Financial data (via RBI)
Vietnam | Certain data categories must be stored domestically | Data from important information systems
Turkey | Personal data must be stored in Turkey in certain contexts | Health data, financial data
Nigeria | Certain government data must be stored domestically | Government and subscriber data

23.5.3 The Arguments For Data Localization

Law enforcement access. Governments argue that they need data within their jurisdiction to conduct law enforcement and national security operations. If data is stored on servers in another country, obtaining access may require slow and complex mutual legal assistance treaties (MLATs).

Sovereignty. Data localization is an assertion of sovereignty — the claim that a nation should have control over data generated within its borders by its citizens. This argument has particular resonance in countries that experienced colonialism and view data extraction by foreign tech companies as a new form of exploitation.

Privacy protection. If data stays within a country with strong data protection laws, it remains subject to those laws. Cross-border transfers create the risk that data will be processed under weaker protections abroad.

Economic development. Requiring local data storage can drive investment in domestic data center infrastructure, creating jobs and building local technical capacity.

23.5.4 The Arguments Against Data Localization

Economic cost. Data localization increases costs for businesses — particularly small ones — that must maintain local infrastructure rather than using global cloud services. The European Centre for International Political Economy (ECIPE) estimated that strict data localization could reduce GDP by 0.5-1.0% in countries that adopt it.

Security risks. Concentrating data within a single jurisdiction can create security vulnerabilities. Distributed storage across multiple jurisdictions provides resilience against localized disasters, attacks, or political interference.

Internet fragmentation. Widespread data localization contributes to the fragmentation of the global internet — the "splinternet" phenomenon — potentially undermining the internet's role as a platform for global communication and commerce.

Authoritarian abuse. Data localization can serve authoritarian purposes. When Russia required personal data to be stored domestically, the practical effect was to make that data more easily accessible to Russian intelligence agencies — not to protect Russian citizens' privacy.

Sofia Reyes articulated the tension at a DataRights Alliance panel that Dr. Adeyemi shared with the class: "Data localization is a tool. Like any tool, its value depends on who wields it and for what purpose. When the EU requires health data to stay within the EEA, that's protecting patient rights. When Russia requires personal data to stay within Russia, that's facilitating state surveillance. The mechanism is similar; the governance context is entirely different."


23.6 The CLOUD Act and Law Enforcement Access

23.6.1 The Problem

Law enforcement agencies increasingly need access to electronic evidence — emails, messages, transaction records — stored by technology companies. When that data is stored in servers located in another country, traditional mechanisms for cross-border evidence requests (Mutual Legal Assistance Treaties, or MLATs) are slow — often taking months or years to process.

23.6.2 The US CLOUD Act (2018)

The Clarifying Lawful Overseas Use of Data (CLOUD) Act was enacted in response to a specific case: United States v. Microsoft, in which the US government sought a warrant compelling Microsoft to produce email data stored on servers in Ireland. Microsoft resisted, arguing that US warrants did not extend to data stored abroad. The case reached the Supreme Court, which dismissed it as moot after the CLOUD Act was enacted.

The CLOUD Act:

  • Clarifies that US law enforcement can compel US-based providers to produce data regardless of where the data is physically stored
  • Creates a framework for "executive agreements" between the US and foreign governments, allowing each country's law enforcement to directly request data from providers in the other country, bypassing the MLAT process

23.6.3 Implications

The CLOUD Act has profound implications for cross-border data governance:

For privacy. A US warrant can now reach data stored in the EU — potentially conflicting with GDPR protections. EU data protection authorities have warned that CLOUD Act requests may force companies into a conflict-of-laws situation: comply with the US warrant and violate the GDPR, or comply with the GDPR and face contempt charges in the US.

For sovereignty. The Act effectively asserts US jurisdiction over data held by US-based companies anywhere in the world. Other countries — particularly the EU — view this as an infringement of sovereignty.

For the EU's response. The EU has proposed its own legislation — the e-Evidence Regulation — to create a comparable framework for EU law enforcement access to data held by providers regardless of storage location. The EU-US negotiations on a CLOUD Act executive agreement have been ongoing, with the goal of creating a reciprocal framework that respects both jurisdictions' legal requirements.

Power Asymmetry: The CLOUD Act embodies the Power Asymmetry in geopolitical form. Because the world's largest cloud providers and technology companies are predominantly American, the Act effectively gives US law enforcement a reach that no other country can match. The data of a German patient stored by an American health-tech company is simultaneously subject to GDPR protection and CLOUD Act compulsion — and the patient has no say in how that conflict is resolved.


23.7 Digital Sovereignty and the Splinternet

23.7.1 The Concept of Digital Sovereignty

Digital sovereignty is the assertion that a nation — or a region — should have authority over data, digital infrastructure, and technology systems within its borders and affecting its citizens. The concept has gained traction across the political spectrum and across the globe, driven by:

  • Revelations about US mass surveillance (Snowden, 2013)
  • The dominance of US and Chinese technology platforms
  • The COVID-19 pandemic, which highlighted dependence on foreign digital infrastructure
  • Increasing use of technology sanctions and platform decisions (e.g., Apple and Google removing apps in Russia) as geopolitical instruments

23.7.2 European Digital Sovereignty

The EU has articulated a vision of "technological sovereignty" that includes:

  • Infrastructure: Investment in European cloud infrastructure (GAIA-X project), semiconductor manufacturing (European Chips Act), and quantum computing capabilities
  • Standards: Setting global standards through the Brussels Effect (GDPR, AI Act)
  • Industrial policy: Supporting European technology companies to reduce dependence on US and Chinese providers
  • Data governance: The EU Data Governance Act and Data Act, which create frameworks for data sharing within the EU while maintaining control over cross-border flows

23.7.3 The Splinternet Concern

"Splinternet" refers to the potential fragmentation of the global internet into nationally or regionally controlled segments, each with its own rules, standards, and restrictions.

Elements of the splinternet already exist:

  • China's Great Firewall blocks access to most Western social media, search engines, and news sites, creating a separate Chinese internet ecosystem
  • Russia's Sovereign Internet law (2019) provides technical infrastructure for isolating the Russian internet from the global network
  • Iran periodically shuts down internet access entirely during protests
  • The EU's regulatory framework creates compliance barriers that may lead US companies to offer different services (or no service) in Europe

The splinternet raises fundamental questions about the future of the internet as a global commons. Is the borderless internet a norm worth preserving, or was it always an anomaly — a temporary artifact of US hegemony over internet infrastructure that is now giving way to a more naturally fragmented landscape?

Eli and Mira debated this in Dr. Adeyemi's class:

"The 'open internet' was never truly open," Eli argued. "It was open for American companies to extract data from everyone else. Digital sovereignty is countries saying 'no, our data is ours.'"

"But if every country builds its own walled garden, we lose the internet's greatest strength — the ability to communicate and collaborate globally without borders," Mira countered. "Researchers sharing health data across borders saves lives. Fragmentation threatens that."

"Both of your concerns are legitimate," Dr. Adeyemi said. "The question is whether we can design governance frameworks that protect sovereignty and rights without destroying interoperability. That's the challenge of the next decade."


23.8 VitraMed: When EU Patient Data Must Stay in the EU

VitraMed's European expansion forced a concrete confrontation with every issue in this chapter.

23.8.1 The Options

Vikram's legal team presented three options:

Option A: Transfer data to US servers using the EU-US Data Privacy Framework.

  • Pros: Lowest cost, uses existing infrastructure
  • Cons: DPF may be invalidated by "Schrems III"; health data is particularly sensitive; German DPAs are among the strictest in the EU
  • Risk assessment: HIGH

Option B: Establish EU-based data processing infrastructure (AWS Frankfurt region) with strict data residency controls.

  • Pros: Data stays in the EU, eliminating transfer risk; aligns with GDPR principles and German hospital group expectations; competitive advantage with privacy-conscious clients
  • Cons: Significant cost ($800,000 setup, $250,000 annual); requires engineering to partition EU and US data flows; requires hiring EU-based technical staff
  • Risk assessment: LOW

Option C: Hybrid model, with primary processing in the EU and limited transfer to the US for specific purposes (model training, analytics) under SCCs with supplementary measures.

  • Pros: Balances cost and compliance; allows centralized analytics
  • Cons: Requires ongoing transfer impact assessments; supplementary measures may be insufficient if Schrems III succeeds; complex to manage
  • Risk assessment: MEDIUM

23.8.2 The Decision

After extensive deliberation, Vikram chose Option B. "If we're going to serve European hospitals, we need to be able to look them in the eye and say 'your patient data never leaves the EU.' That's not just a legal requirement — it's a trust requirement. And in healthcare, trust is everything."

Mira, who had been advocating for Option B since the beginning, recognized the significance: "Dad just made a decision based on trust, not just compliance. That's growth."

The decision had cascading implications:

  • VitraMed's engineering team had to redesign the data architecture to support geo-partitioned data flows
  • The company hired a Data Protection Officer based in Berlin
  • Patient data from EU operations would be physically separated from US data
  • ML models would be trained on EU data within the EU, with only aggregate, non-personal model parameters shared across regions
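One way the geo-partitioning above can be enforced at the storage boundary, written here as an added example rather than VitraMed's own code. It assumes two partitions ("eu" and "us") pinned to their own cloud regions, that patient records never leave their home partition, and that "aggregate, non-personal model parameters" means an identifier-free, numeric-only payload built from at least MIN_CONTRIBUTORS records (a threshold chosen for illustration).

```python
"""Residency gate for a geo-partitioned deployment such as VitraMed's Option B.

Added example, not VitraMed's code. Region names, partition labels, identifier
fields and the MIN_CONTRIBUTORS floor are assumptions made for illustration.
"""
from dataclasses import dataclass

HOME_REGIONS = {
    "eu": {"eu-central-1", "eu-west-1"},   # e.g. Frankfurt, Ireland
    "us": {"us-east-1", "us-west-2"},      # e.g. Virginia, Oregon
}
IDENTIFIER_FIELDS = {"patient_id", "mrn", "name", "date_of_birth", "email"}
MIN_CONTRIBUTORS = 100   # assumed floor below which "aggregate" is not credible


class ResidencyViolation(Exception):
    """Raised when a write would move data outside its permitted regions."""


@dataclass
class Payload:
    kind: str        # "patient_record" | "model_parameters"
    partition: str   # "eu" | "us": where the underlying data was collected
    body: dict


def is_aggregate(body: dict) -> bool:
    """True only for identifier-free numeric parameters from enough records."""
    if body.get("n_records", 0) < MIN_CONTRIBUTORS:
        return False
    if IDENTIFIER_FIELDS & set(body):
        return False
    weights = body.get("weights")
    return isinstance(weights, list) and all(
        isinstance(w, (int, float)) and not isinstance(w, bool) for w in weights
    )


def check_write(payload: Payload, target_region: str) -> str:
    """Return the decision for writing payload to target_region, or raise."""
    home = HOME_REGIONS.get(payload.partition)
    if home is None:
        raise ResidencyViolation(f"unknown partition {payload.partition!r}")
    if target_region in home:
        return "allow: in-partition"
    if payload.kind == "patient_record":
        raise ResidencyViolation(
            f"{payload.partition} patient record may not be written to {target_region}")
    if payload.kind == "model_parameters" and is_aggregate(payload.body):
        return "allow: aggregate parameters"
    raise ResidencyViolation(
        f"{payload.kind} from {payload.partition} is not cross-region shareable")


def gated_write(payload: Payload, target_region: str, audit_log: list) -> bool:
    """Apply the gate and record the outcome; the caller stores data only on True."""
    try:
        decision = check_write(payload, target_region)
    except ResidencyViolation as err:
        audit_log.append(f"DENY {payload.kind} -> {target_region}: {err}")
        return False
    audit_log.append(f"ALLOW {payload.kind} -> {target_region} ({decision})")
    return True


# Constructed sample payloads (not real patient data).
EU_RECORD = Payload("patient_record", "eu", {"patient_id": "P-0001", "hba1c": 6.8})
EU_MODEL = Payload("model_parameters", "eu",
                   {"weights": [0.12, -0.4, 2.0], "n_records": 800000})
EU_SMALL_MODEL = Payload("model_parameters", "eu", {"weights": [0.1], "n_records": 12})

if __name__ == "__main__":
    log = []
    gated_write(EU_RECORD, "eu-central-1", log)   # allowed: stays in the EU
    gated_write(EU_RECORD, "us-east-1", log)      # denied: patient data leaving the EU
    gated_write(EU_MODEL, "us-east-1", log)       # allowed: aggregate parameters only
    gated_write(EU_SMALL_MODEL, "us-east-1", log) # denied: too few contributors
    print("\n".join(log))
```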

VitraMed Thread: This decision marks VitraMed's transition from reactive compliance to proactive data governance. The company is no longer asking "what's the minimum we need to do?" but "what's the right thing to do for our patients?" This evolution — from compliance minimalism to genuine stewardship — is the arc that Part 5 will develop further.


23.9 Chapter Summary

Key Concepts

  • Cross-border data flows are a structural feature of the digital economy, driven by cloud computing, multinational operations, and internet architecture.
  • The GDPR's transfer framework requires adequacy decisions, SCCs, BCRs, or derogations for transfers outside the EEA.
  • Schrems I invalidated Safe Harbor; Schrems II invalidated Privacy Shield and imposed supplementary measure requirements on SCCs — both due to US surveillance law.
  • The EU-US Data Privacy Framework is the third attempt at a transatlantic data transfer framework, supported by Executive Order 14086 and the new Data Protection Review Court.
  • Data localization requirements exist on a spectrum from storage requirements to full data residency mandates, with significant variation across jurisdictions.
  • The CLOUD Act asserts US law enforcement jurisdiction over data held by US companies regardless of storage location, creating potential conflicts with other countries' data protection laws.
  • Digital sovereignty is the assertion of national or regional control over data and digital infrastructure, driven by security, economic, and political concerns.
  • The splinternet — fragmentation of the global internet — is a growing concern as more countries implement digital sovereignty measures.

Key Debates

  • Is the EU-US Data Privacy Framework durable, or will it fall to a "Schrems III" challenge?
  • Does data localization protect citizens' rights or serve authoritarian control?
  • Is the fragmentation of the global internet an inevitable consequence of digital sovereignty, or can governance frameworks preserve interoperability?
  • Should the US reform its surveillance laws to achieve genuine adequacy with the EU, or are transatlantic values too divergent?

Applied Framework

When evaluating a cross-border data transfer:

  1. Identify the data: What personal data is being transferred? How sensitive is it?
  2. Identify the destination: What country is receiving the data? Is there an adequacy decision?
  3. Identify the mechanism: What legal basis is being used (adequacy, SCCs, BCRs, derogation)?
  4. Assess the risks: Does the recipient country's law (particularly surveillance law) undermine the protections?
  5. Implement safeguards: What supplementary measures are in place (encryption, pseudonymization, contractual restrictions)?
  6. Document and monitor: Is the transfer impact assessment documented? Is it reviewed regularly?
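The six steps above, applied to VitraMed's three options from Section 23.8.1, as an added worked example that is not part of the chapter. The adequacy list follows Section 23.2.1 and the Schrems II conditions follow Section 23.3; the risk thresholds are assumptions chosen to reproduce the chapter's HIGH/LOW/MEDIUM ratings, so the function is a simplified model of the framework, not a substitute for a real transfer impact assessment.

```python
"""Transfer assessment following the chapter's six-step Applied Framework.

Added example (not the chapter's or VitraMed's tooling). Country codes are
ISO 3166-1 alpha-2; risk thresholds are assumptions matching Section 23.8.1.
"""
from dataclasses import dataclass, field

# The 27 EU member states plus Iceland, Liechtenstein and Norway.
EEA = {"AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR", "HU",
       "IE", "IT", "LV", "LT", "LU", "MT", "NL", "PL", "PT", "RO", "SK", "SI", "ES",
       "SE", "IS", "LI", "NO"}
# Adequacy decisions listed in Section 23.2.1 (Canada: commercial organizations
# under PIPEDA only; US: under the Data Privacy Framework since July 2023).
ADEQUATE = {"AD", "AR", "CA", "FO", "GG", "IL", "IM", "JP", "JE", "NZ", "KR", "CH",
            "GB", "UY", "US"}
# Destination whose surveillance law led the CJEU to invalidate Safe Harbor and
# Privacy Shield (Section 23.3) and whose adequacy decision faces challenge.
SURVEILLANCE_CONCERN = {"US"}
# Subset of GDPR Article 9 special categories relevant to a health platform.
SPECIAL_CATEGORIES = {"health", "genetic", "biometric"}


@dataclass
class Transfer:
    data_categories: set
    destination: str
    mechanism: str               # "adequacy" | "sccs" | "bcrs" | "derogation" | "none"
    tia_completed: bool = False  # step 4: transfer impact assessment done
    supplementary_measures: set = field(default_factory=set)  # step 5
    occasional: bool = False     # derogations cover occasional transfers only
    tia_reviewed: bool = False   # step 6: reviewed within the current cycle


@dataclass
class Assessment:
    verdict: str    # "permitted" | "conditional" | "not permitted" | "no restricted transfer"
    risk: str       # "LOW" | "MEDIUM" | "HIGH", the scale used in Section 23.8.1
    findings: list


def assess(t: Transfer) -> Assessment:
    """Walk the six steps of the Applied Framework for a single transfer."""
    findings = []
    sensitive = bool(t.data_categories & SPECIAL_CATEGORIES)          # step 1
    if sensitive:
        findings.append("special-category data: heightened sensitivity")
    if t.destination in EEA:                                            # step 2
        findings.append("destination inside the EEA: transfer rules not triggered")
        return Assessment("no restricted transfer", "LOW", findings)
    concern = t.destination in SURVEILLANCE_CONCERN                      # step 4
    if concern:
        findings.append("recipient surveillance law may undermine safeguards (Schrems II)")

    if t.mechanism == "adequacy":                                        # step 3
        if t.destination not in ADEQUATE:
            findings.append("no adequacy decision for this destination")
            return Assessment("not permitted", "HIGH", findings)
        if concern:
            findings.append("adequacy decision under legal challenge: monitor for invalidation")
            return Assessment("permitted", "HIGH" if sensitive else "MEDIUM", findings)
        return Assessment("permitted", "LOW", findings)

    if t.mechanism in ("sccs", "bcrs"):
        if not t.tia_completed:
            findings.append("transfer impact assessment missing")
            return Assessment("not permitted", "HIGH", findings)
        if concern and not t.supplementary_measures:                     # step 5
            findings.append("supplementary measures required but none in place")
            return Assessment("not permitted", "HIGH", findings)
        if not t.tia_reviewed:                                           # step 6
            findings.append("TIA not reviewed this cycle: schedule a review")
        if concern:
            measures = ", ".join(sorted(t.supplementary_measures))
            findings.append(f"measures ({measures}) may prove insufficient if adequacy falls")
            return Assessment("conditional", "MEDIUM", findings)
        return Assessment("permitted", "LOW", findings)

    if t.mechanism == "derogation":
        if not t.occasional:
            findings.append("derogations cover only occasional, non-systematic transfers")
            return Assessment("not permitted", "HIGH", findings)
        findings.append("document the derogation relied on and the risks disclosed")
        return Assessment("conditional", "MEDIUM", findings)

    findings.append(f"no valid transfer mechanism ({t.mechanism!r})")
    return Assessment("not permitted", "HIGH", findings)


# VitraMed's three options from Section 23.8.1 (constructed inputs).
OPTION_A = Transfer({"health"}, "US", "adequacy")
OPTION_B = Transfer({"health"}, "DE", "none")   # Frankfurt: no third-country transfer
OPTION_C = Transfer({"health"}, "US", "sccs", tia_completed=True,
                    supplementary_measures={"encryption", "pseudonymization"},
                    tia_reviewed=True)

if __name__ == "__main__":
    for name, t in (("A", OPTION_A), ("B", OPTION_B), ("C", OPTION_C)):
        a = assess(t)
        print(f"Option {name}: {a.verdict} (risk {a.risk})")
        for line in a.findings:
            print("  -", line)
```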


What's Next

In Chapter 24: Sector-Specific Governance: Finance, Health, Education, we examine how different sectors have developed specialized data governance frameworks — from PCI-DSS and open banking in finance to HIPAA and the European Health Data Space in health to FERPA and learning analytics in education. We'll explore what sector-specific governance reveals about general principles, and we'll return to VitraMed's health-sector compliance challenges in detail.

Before moving on, complete the exercises and quiz to solidify your understanding of cross-border data flows and digital sovereignty.


Chapter 23 Exercises → exercises.md

Chapter 23 Quiz → quiz.md

Case Study: Schrems II and Its Aftermath → case-study-01.md

Case Study: Data Localization: Russia's Sovereign Internet → case-study-02.md