Exercises: Cross-Border Data Flows and Digital Sovereignty
These exercises progress from concept checks to challenging applications. Estimated completion time: 3-4 hours.
Difficulty Guide:
- ⭐ Foundational (5-10 min each)
- ⭐⭐ Intermediate (10-20 min each)
- ⭐⭐⭐ Challenging (20-40 min each)
- ⭐⭐⭐⭐ Advanced/Research (40+ min each)
Part A: Conceptual Understanding ⭐
Test your grasp of core concepts from Chapter 23.
A.1. List at least four structural reasons why personal data routinely crosses national borders (Section 23.1). For each, explain why the cross-border flow is a consequence of technical or business architecture rather than a deliberate policy choice.
A.2. Explain the GDPR's three primary mechanisms for lawful cross-border data transfers (Section 23.2): adequacy decisions, standard contractual clauses (SCCs), and binding corporate rules (BCRs). For each, describe what it is, who uses it, and its primary limitation.
A.3. Summarize the Schrems I decision (Section 23.3.1). What was the Safe Harbor framework, why did the CJEU invalidate it, and what principle did the court establish about the adequacy of US data protection?
A.4. Summarize the Schrems II decision (Section 23.3.2). How did it differ from Schrems I? What was its impact on standard contractual clauses, and why did it create uncertainty for thousands of organizations?
A.5. Define "data localization" as described in Section 23.4. Distinguish between "hard" localization (data must remain within the country) and "soft" localization (a copy must remain, but data can also be processed elsewhere).
A.6. Define "digital sovereignty" (Section 23.5). Why has this concept gained traction in recent years, and how does it relate to concerns about the dominance of US-based cloud computing providers?
A.7. Explain the CLOUD Act (Section 23.4) and why it is relevant to cross-border data governance. How does it interact with — and potentially conflict with — the GDPR's transfer mechanisms?
Part B: Applied Analysis ⭐⭐
Analyze scenarios, arguments, and real-world situations using concepts from Chapter 23.
B.1. VitraMed's legal counsel produced a 42-page memo in response to Vikram's question "Can we do this?" about expanding to Germany (Chapter Opening). Based on the mechanisms described in this chapter, outline the key legal options available to VitraMed for transferring German patient data to its US-based infrastructure. For each option, assess its feasibility and identify the risks.
B.2. Mira argues that VitraMed should establish European data processing infrastructure rather than relying on transfer mechanisms. Vikram argues that the cost is prohibitive for a company VitraMed's size. Construct arguments for both positions, considering: (a) legal certainty, (b) cost, (c) operational complexity, (d) client trust, and (e) long-term strategic positioning.
B.3. A European social media company uses AWS servers in Frankfurt for its EU operations. Amazon, as a US-headquartered company, is subject to the CLOUD Act, which could compel it to produce data stored abroad in response to a US law enforcement request. Analyze whether the European company's data is adequately protected from US government access, even though it is physically stored in the EU. What governance measures could the company implement to mitigate this risk?
B.4. Section 23.5 discusses the concept of a "splinternet" — the fragmentation of the global internet into national or regional networks. Evaluate this concept: Is the internet already fragmenting? Identify at least three examples of existing internet fragmentation and assess whether the trend is accelerating, stabilizing, or reversing.
B.5. Eli discovers that Detroit's Smart City sensor vendor stores data on servers located in Canada. He asks whether this creates cross-border data flow issues under US law. Research whether the US has data localization requirements for municipal government data. How does the US approach to cross-border flows differ from the EU approach, and what governance implications does this have for Detroit's ordinance?
B.6. The EU-US Data Privacy Framework (DPF), adopted in 2023 as a replacement for Privacy Shield, faces the same fundamental challenge that doomed its predecessors: US surveillance law. Assess whether the DPF is likely to survive a legal challenge before the CJEU. What reforms would the DPF need to include to address the concerns raised in Schrems II?
Part C: Real-World Application Challenges ⭐⭐-⭐⭐⭐
These exercises ask you to investigate real-world cross-border data issues.
C.1. ⭐⭐ Cloud Provider Analysis. Select one major cloud computing provider (AWS, Microsoft Azure, or Google Cloud). Research its data residency options — which regions are available, what guarantees are provided about data location, and what transfer mechanisms it offers for EU customers. Write a one-page assessment of whether the provider's offerings would satisfy the requirements for VitraMed's EU expansion.
C.2. ⭐⭐⭐ Transfer Impact Assessment. The EDPB has published guidance on conducting "transfer impact assessments" (TIAs) — evaluations of whether the legal framework of the destination country provides adequate protection. Design a TIA template that an organization could use when evaluating a transfer to any country. Your template should include: (a) the legal framework of the destination country, (b) government access provisions, (c) independent oversight, (d) individual rights and remedies, and (e) supplementary measures.
C.3. ⭐⭐ Data Localization Map. Research data localization requirements in five countries (beyond those covered in the chapter). For each, identify: (a) what types of data are subject to localization, (b) whether the requirement is "hard" or "soft," (c) the stated justification (national security, sovereignty, economic development, etc.), and (d) any exemptions or exceptions. Present your findings in a comparative table.
C.4. ⭐⭐⭐ Adequacy Decision Research. The European Commission has granted adequacy decisions to a specific list of countries. Research the current list and select one country whose adequacy decision is relatively recent (post-2020). Write a 500-word analysis of: (a) what factors the Commission assessed, (b) what concerns were raised during the assessment, (c) what conditions or limitations were imposed, and (d) whether the adequacy decision appears stable or vulnerable to challenge.
Part D: Synthesis & Critical Thinking ⭐⭐⭐
These questions require integration of multiple concepts and thinking beyond the material presented.
D.1. The chapter describes a fundamental tension between the internet's borderless architecture and the nation-state's territorial authority. Is this tension resolvable? Propose a governance framework that would allow data to flow freely while still providing meaningful protection for individuals. What compromises would your framework require, and from whom?
D.2. Dr. Adeyemi argues that digital sovereignty is "the new nationalism — dressed in the language of data protection, but driven by the same impulses: control, competition, and the desire to project power." Evaluate this claim. To what extent are data localization requirements genuinely motivated by privacy protection, and to what extent are they motivated by economic protectionism and political control?
D.3. The Schrems decisions invalidated transfer mechanisms used by thousands of organizations, creating legal uncertainty that persisted for years. Evaluate whether this disruption was justified. Was the CJEU correct to prioritize the principle that EU citizens' data must receive "essentially equivalent" protection, even at the cost of significant economic disruption? Or should the court have given greater weight to the practical challenges of unwinding existing data flows?
D.4. Sofia Reyes of the DataRights Alliance argues that cross-border data flows are not just a legal or economic issue but a justice issue — that the flow of data from the Global South to the Global North replicates historical patterns of resource extraction. Develop Sofia's argument. How do cross-border data flows relate to digital colonialism? What governance mechanisms could ensure that data flows benefit the communities from which data originates?
D.5. Compare the GDPR's adequacy mechanism with the concept of "mutual recognition" used in international trade. In trade, mutual recognition means that Country A accepts Country B's product safety standards as equivalent to its own, even if they differ in detail. Could a mutual recognition approach work for data protection? What would be the benefits and risks?
Part E: Research & Extension ⭐⭐⭐⭐
These are open-ended projects for students seeking deeper engagement.
E.1. The Schrems III Question. The EU-US Data Privacy Framework faces the possibility of a third legal challenge. Research the current status of the DPF and any pending or anticipated legal challenges. Write a 1,000-word analysis predicting the likely outcome of a "Schrems III" case, based on the pattern established by the previous decisions and any changes in US surveillance law.
E.2. Digital Sovereignty in Practice. Research the European cloud sovereignty initiatives — including Gaia-X (a Franco-German project), the European Cloud Federation, and individual member state cloud strategies. Write a 1,000-word analysis of whether these initiatives can reduce European dependence on US cloud providers and what trade-offs they involve.
E.3. Data Localization: Economic Impact. Research the economic impact of data localization requirements. Drawing on at least three sources, write a 1,000-word analysis covering: (a) the estimated costs of data localization for businesses, (b) the impact on cross-border trade and investment, (c) the impact on innovation and competition, and (d) whether localization achieves its stated goals (improved privacy, enhanced sovereignty, economic development).
Solutions
Selected solutions are available in appendices/answers-to-selected.md.