
Data Free Flow With Trust Current Landscape Challenges and Opportunities

The article by Theodore Christakis discusses the concept of 'data free flow with trust', emphasizing the challenges and opportunities in the current landscape of data protection amidst increasing government access for national security and law enforcement. It analyzes three key legal initiatives: the EU adequacy model, multilateral efforts like the G7's DFFT, and binding agreements such as the EU-U.S. e-evidence/cloud Act, highlighting the need for enhanced trust and cooperation among democracies. The conclusion stresses the importance of balancing security and privacy to facilitate global data flows essential for the digital economy.


Journal of Cyber Policy

ISSN: (Print) (Online) Journal homepage: www.tandfonline.com/journals/rcyb20

Data free flow with trust: current landscape, challenges and opportunities

Theodore Christakis

To cite this article: Theodore Christakis (2024) Data free flow with trust: current
landscape, challenges and opportunities, Journal of Cyber Policy, 9:1, 95-120, DOI:
10.1080/23738871.2024.2421838

To link to this article: https://doi.org/10.1080/23738871.2024.2421838

© 2024 The Author(s). Published by Informa UK Limited, trading as Taylor & Francis Group

Published online: 20 Nov 2024.


Article views: 585

Theodore Christakis
Law, Université Grenoble Alpes, France

ABSTRACT

This article explores the efforts to achieve ‘data free flow with trust’,
highlighting concerns around foreign government access to
personal data for national security and law enforcement.
Governments increasingly seek data held by private firms, raising
significant data protection challenges and leading to mistrust
among jurisdictions and the implementation of data localization
mandates. The article analyzes three key legal initiatives: First, the
EU adequacy model, which permits data transfers to countries
with adequate data protection. While important and influential in
setting global standards, its effectiveness is limited outside the EU,
especially when countries with extensive surveillance laws adopt it
without meeting European standards. The model’s reliance on
unilateral decisions can also create legal uncertainties. Second,
multilateral initiatives like the G7’s DFFT and OECD’s Declaration
aim to build trust, though their impact is weakened by their non-binding
nature. Lastly, binding agreements, such as the projected
EU-U.S. e-evidence/cloud Act agreement, seek to balance lawful
data access with human rights but remain few and focused on law
enforcement access. The article concludes that rebuilding trust
among democracies is essential and calls for enhanced multilateral
cooperation, transparency, bilateral agreements, and a balance
between security and privacy to support global data flows vital to
the digital economy.

ARTICLE HISTORY
Received 17 March 2024
Revised 17 September 2024
Accepted 13 October 2024

KEYWORDS
GDPR; Data Free Flow with Trust; National Security; Data Protection; Law Enforcement

CONTACT Theodore Christakis [email protected]

This is an Open Access article distributed under the terms of the Creative Commons Attribution License (http://creativecommons.org/licenses/by/4.0/),
which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly
cited. The terms on which this article has been published allow the posting of the Accepted Manuscript in a repository by the author(s)
or with their consent.

In today’s digital world, private companies, ranging from cloud service providers to social
media to other companies that store data in local servers, hold a tremendous amount of
personal data. The different forms of personal data, including subscriber information,1
traffic data2 or content data3, may be valuable for a number of purposes that the government
may be pursuing, the most important being national security and law enforcement.
However, rapidly increasing efforts by governments to access data for national security
and law enforcement purposes have raised a number of important human rights4 and
data protection issues5 and have prompted mistrust and hostile reactions from other jurisdictions.6
One response has been to adopt rules and practices that require data to be
retained locally. Data localisation mandates, however, are not always fully protective7
and are harmful for international trade and cooperation.8 The case for such mandates ‘is
weaker where equivalent privacy protections apply in the other jurisdiction’ (Christakis,
Propp, and Swire 2021) or when international instruments set conditions for government
access to data and provide for necessary protections and safeguards for human rights.
Indeed, States seem ready to authorise free flows of data towards those counterparts
that offer appropriate regimes, rules, and protections for data as they flow across national
borders, including effective protection of individual rights.
Efforts to allow for free flow of data with trust have revolved until now around three
types of legal initiatives and instruments.
The first is the ‘adequacy model’ which has been particularly successful until now, but
which is a model ultimately based on unilateral legal instruments. (1)
The second is a series of multilateral efforts to establish instruments that involve ‘free
data flow with trust’, but which are essentially of a soft law nature. (2)
The third is a few initiatives that consist of negotiating ‘hard law’, i.e. binding international
instruments but which, for the time being, are limited and only concern the
field of law enforcement. (3)

1. The adequacy model


The ‘model of adequacy’ was invented by the European Union (EU) but, as we will see, it is
only since the Snowden revelations and Schrems I (Schrems I case 2015) that it has started
to include government access to data considerations (1.1.). This model has seduced a
number of other countries, but also contains certain limitations (1.2.).

1.1. EU: the invention of adequacy and the big switch towards government access to data

The ‘model of adequacy’ was invented in 1995, by means of the European Data Protection
Directive (Directive 95/46/EC 1995), which enabled the European Commission to determine
whether a country outside the EU offers a high enough level of data protection
for European personal data to be transferred to that country according to this legal framework.
The General Data Protection Regulation (GDPR) maintained and expanded this
mechanism via article 45 (Regulation EU GDPR 2018). The effect of an adequacy decision
adopted by the Commission is that personal data can flow from the EU (and Norway,
Liechtenstein and Iceland) to the third country without any further safeguard being
necessary. In the event of the adoption of an adequacy decision, transfers to the
country in question are assimilated into intra-EU transmissions of data.
As highlighted by the European Commission’s website, ‘the European Commission has
so far recognized Andorra, Argentina, Canada (commercial organizations), the Faroe
Islands, Guernsey, Israel, the Isle of Man, Japan, Jersey, New Zealand, the Republic of
Korea, Switzerland, the United Kingdom under the GDPR and the LED, the United
States (commercial organizations participating in the EU-US Data Privacy Framework)
and Uruguay as providing adequate protection’ (European Commission 2024d).
When one looks closer at these adequacy decisions, one realises that a major shift
occurred at the time of the Snowden revelations (2013) and the subsequent Schrems I
judgment of the Court of Justice of the European Union (2015), invalidating the first
adequacy decision with the United States based on the Safe Harbor arrangement. As a
matter of fact, the adequacy decisions adopted up until 2013, such as those concerning
Switzerland (2000), Canada (2001), Argentina (2003), Israel (2011) and New Zealand
(2013) are extremely brief (two to three pages each) and only focus on commercial
privacy issues. In other words, the main focus of the Commission at that time was
whether the legal framework in these countries offered protections equivalent to those
introduced by the 1995 European Data Protection Directive so that data importers
respect European personal data in a similar way to the obligations that exist at the EU
level. Government access to data for law enforcement and national security purposes
was barely an issue at that time.
Following Schrems I, however, things have dramatically changed. The Schrems II judgment
of the CJEU in 2020, which invalidated the second adequacy decision concerning
the US (based on the Privacy Shield arrangement), and which also contained the strict
condition that data transfers based on other mechanisms, such as Standard Contractual
Clauses (SCCs), require that the ‘adequacy’ of foreign countries’ surveillance laws be evaluated,
undoubtedly accentuated this major shift.
The adequacy decisions concerning Japan (2019), South Korea (2021), the UK (2021) or
the recent EU/US adequacy decision (2023), include a very long and substantive analysis
of the issue of government access to data, which assesses whether the laws concerning
both surveillance for national security purposes and law enforcement agencies’ access to
data offer protections equivalent to those required by EU law.
Furthermore, the European Commission undertook a major review of the pre-GDPR
adequacy decisions, focusing this time on rules concerning government access to data.
Its report was published on January 2014 and found that personal data transferred
from the European Union to these 11 countries and territories (Andorra, Argentina,
Canada, Faroe Islands, Guernsey, the Isle of Man, Israel, Jersey, New Zealand, Switzerland
and Uruguay) continue to benefit from adequate data protection safeguards. The review
has concluded that ‘public authorities in the 11 jurisdictions are subject to appropriate
safeguards in the area of access to data by public authorities, notably for law enforcement
or national security purposes. This includes effective oversight and redress mechanisms’
(European Commission 2024a).
At the same time, the Schrems II judgment created a great deal of uncertainty about
transatlantic data transfers but also uncertainty about the future of data transfers from
the EU in general. And it initiated a major international debate about the issue of government
access to data held by the private sector.

1.2. Influence of the model and limitations


The European Data Protection Directive and, later, the GDPR, have had a major impact on
a number of other countries, which have adopted data protection laws that have been
influenced, to varying degrees, by European data protection law.
Some of these data protection laws have espoused the adequacy model, in which the
originating country determines whether a third country meets its ‘data privacy standards’
for cross-border data transfers. In an article published in 2022 Anupam Chander and Paul
Schwartz found that ‘more than sixty countries outside the European Union are now evaluating
whether foreign countries have privacy laws that are adequate to receive personal
data’ (Chander and Schwartz 2023). In an IAPP infographic published in April 2023, Joe
Jones showed that ‘the proliferation of new or updated data privacy laws around the
world has resulted in a marked rise in the number of centralized data “adequacy” capabilities’.
Indeed, according to Jones, ‘74 jurisdictions vest powers in either a data
privacy regulator or government authority to designate other jurisdictions as having “adequate”
data privacy standards’ (Jones 2023a).
A number of observations can be made about the proliferation of the ‘adequacy
model’:
On the one hand, the fact that countries permit data flows to take place provided they
are satisfied that data will be processed in ways that meet their legal requirements for protecting
data and privacy seems to be a positive development. The efforts of many countries
to receive an adequacy decision from the European Union, which is encouraging them to at
least adopt some of the high standards of protection that exist in European Law in relation
to government access to data, also seem to be a positive development. This certainly contributes
to improving human rights safeguards worldwide.
On March 4, 2024, the European Commission hosted its first ever international high-level
meeting on safe data flows, convening ministers and heads of data protection authorities
of the 15 countries for which the EU has adopted an adequacy decision. In his introductory
comments Didier Reynders, Commissioner for Justice, made strong comments
about the ‘unprecedented level of convergence’ achieved by the EU and these 15
countries and territories. ‘Protecting privacy and facilitating safe data flows […] are a
central component of our like-mindedness’ stressed Reynders, adding that the EU
forms ‘together with 15 other countries, the world’s broadest networks for safe and
free data flows’. Reynders also mentioned that ‘we noticed recent and very interesting
developments that aim at “bridging” or connecting different transfer mechanisms. This
has concerned, among others, mutual adequacy arrangements or model contractual
clauses that are used by an increasing number of jurisdictions within and outside our
group’ (European Commission 2024b). At the same time, Vice-President for Values and
Transparency, Věra Jourová, stressed that ‘in a digital era where the innovation is often
powered by personal data we are facing similar challenges across the globe, this is why
it would be mutually beneficial to work towards a “network effect”’ (European Commission
2024c). All this seems to indicate the importance that EU officials attach
to the adequacy model and its eventual proliferation.
On the other hand, one should not neglect the fact that the model of adequacy has
certain limitations.
Firstly, when one reads the IAPP infographic, one notices that many countries that have
adopted, in some form or other, the ‘adequacy model’ are known for having surveillance
laws which are far reaching and certainly some distance away from European standards.
What would be, for instance, the advantage of the ‘model of adequacy’ when it comes to
countries like China or Russia, which appear in the IAPP list? As a matter of fact, the European
Data Protection Board (EDPB) adopted in November 2020 its ‘Recommendations on
the European Essential Guarantees for surveillance measures’ (EDPB 2020). The objective
of these Recommendations was to provide data exporters with a guide, based on the two
European Courts’ jurisprudence, in order to determine whether foreign countries’ surveillance
laws meet the European human rights requirements and could therefore be considered
as offering an ‘essentially equivalent protection’. It is almost certain that
countries such as Russia or China do not meet the ‘EEG’ requirements. What is then the
value of the proliferation of the ‘adequacy model’ under these circumstances?
Secondly, one should not forget that ‘adequacy’ is a data transfer model based on unilateral
instruments. This is extraordinary because, as shown by the recent EU/US negotiations,
which lasted for more than two years and led to the adoption of the
Transatlantic Data Privacy Framework (TADPF) and the new EU/US adequacy decision
published in July 2023, the adoption of an adequacy decision can be preceded by long
and elaborate negotiations. Nevertheless, the final outcome of these international negotiations
is not a bilateral treaty or a binding international law instrument. Instead, the
outcome is a unilateral decision by which one country declares that the legal system of
the other offers ‘equivalent protections’ that permit data exports to this country
without any additional safeguards. As shown by the Schrems I and Schrems II decisions,
such a unilateral decision can be invalidated anytime by the CJEU at the EU level, or by
similar supreme courts in non-EU countries. This is a source of legal uncertainty.9
Furthermore, taking into consideration the fact that the ‘adequacy model’ is based on
unilateral decisions, we would need, theoretically, several thousand unilateral adequacy
decisions to enable the free flow of data with trust with no additional safeguards
between every country. Indeed, if any of the 193 Member States of the UN had to
adopt a unilateral decision concerning the 192 other States in order to be able to have
free flow of data between every country based on the adequacy model, we would
need something like 37056 adequacy decisions (193 × 192 = 37056).10
One may then be entitled to ask whether there is any way of resolving the problem of
free data flow with trust using multilateral solutions.

2. Multilateral efforts on government access to data held by the private sector

Over the last three years there have been several attempts to address the issue of trusted
government access to data in order to permit international data flows. We will examine
the four most important among them which directly focus on the issue of government
access to data – as opposed to more general initiatives focusing mostly on commercial
privacy considerations such as the Global Cross-Border Privacy Rules (CBPR)11, or developments
under the APEC Privacy Framework (APEC 2005), which will not be discussed here.

2.1. G7 and ‘data free flow with trust’


The late Prime Minister of Japan, Shinzo Abe, introduced the concept of ‘data free flow
with trust’ (DFFT) to the global arena during the World Economic Forum Annual
Meeting in Davos Klosters in 2019 (WEF 2020). The concept was based on the idea that
good governance schemes, appropriate regimes, rules, and protections for data, as well
as accountability, could create legal certainty and trust and promote the free flow of data.
Since Prime Minister Abe’s first use of ‘DFFT’, the G7 have adopted this terminology.
The concept has also been adopted by the leaders of G20, in their Osaka declaration of
June 2019 (G20 2019) and has ultimately led to the important work of the OECD, which
will be presented below, and the adoption of the December 2022 OECD Ministerial
Declaration on Government Access to Personal Data Held by Private Sector Entities.

The G7 welcomed the OECD Declaration during its Hiroshima meeting in May 2023
where G7 leaders: ‘stress[ed] [their] intention to operationalize this concept and [their]
support for cooperation within the G7 and beyond to work towards identifying commonalities,
complementarities and elements of convergence between existing regulatory
approaches and instruments enabling data to flow with trust … ’ (G7 2023a). At the
same time the G7 Leaders endorsed the G7 Digital and Tech Ministers’ ‘Vision for Operationalizing
DFFT and its Priorities’ (G7 2023b) including Japan’s proposal to create a new
‘Institutional Arrangement for Partnership’ (IAP) to operationalise ‘data free flow with
trust’ and to promote international cooperation and trust on digital governance issues.
The establishment of the IAP should permit a number of issues to be addressed,
such as trusted government access to data, regulatory cooperation, data localisation
and data sharing. The ‘Vision for Operationalizing DFFT’ states, as a matter of fact,
the following:
‘Data localization: The ability to move and protect data across borders is important for economic
growth and innovation. To operationalize our commitment in the 2021 G7 Roadmap for
Cooperation on DFFT and the 2022 G7 Action Plan for Promoting DFFT, we should deliver
tangible progress in understanding the economic and societal impact of data localization
measures, while taking into account our varied approaches to data governance and legitimate
public policy objectives.

Regulatory cooperation: Differences in domestic approaches can impact cross-border data
flows, creating uncertainty (including legal uncertainty) for governments, businesses and
individuals. We should promote work to identify commonalities in regulatory approaches
to cross-border data transfers and data protection requirements as well as facilitate
cooperation on privacy-enhancing technologies (PETs), approaches, such as model contractual
clauses certification, and accessibility to regulatory information and good regulatory
practices, such as enhancing transparency.

Trusted government access to data: We welcome the OECD Declaration on Government
Access to Personal Data Held by Private Sector Entities, which seeks to address key impediments
and challenges to data flows by identifying common privacy safeguards applicable
when national security and law enforcement agencies access personal data. Awareness of
the declaration by private entities should be promoted and other nations encouraged to
sign up to its principles. The IAP should seek to further develop shared understandings on
appropriate risk-based approaches for preventing any government access to personal data
that is inconsistent with democratic values and the rule of law, and is unconstrained, unreasonable,
arbitrary or disproportionate.

Data sharing: The COVID-19 crisis and current global situation has demonstrated the value
and need for like-minded partners to find consensus on approaches to data sharing in priority
sectors such as healthcare, green/climate and mobility (e.g. geospatial information platform
for autonomous mobilities) to foster innovation and economic growth. We uphold the role of
technology and use cases thereof such as digital credentials and identities in facilitating data
sharing as a part of our efforts to operationalize DFFT. Improved data use is also a major strategic
opportunity for economic growth’ (G7 2023b).

The G7 Digital and Tech Ministers Declaration further stated that ‘the attributes of the
OECD and its existing work in the areas of data governance, privacy, DFFT and digital
economy make it well-suited to advance this international effort’ [of developing the
IAP] (G7 2023b). We will come back to this below.

2.2. Resolution of the global privacy assembly (GPA)


The Global Privacy Assembly (GPA), comprising national data protection authorities from
across the globe, adopted a resolution in October 2021 on ‘Government Access to Data,
Privacy and the Rule of Law: Principles for Governmental Access to Personal Data held by
the Private Sector for National Security and Public Safety Purposes’ (GPA 2021).
The resolution proclaims the following eight principles:

(1) legal basis;
(2) clear and precise legislation applying to government access;
(3) general principle of necessity and proportionality;
(4) transparency;
(5) data subject rights;
(6) independent oversight;
(7) statutory limitation on government’s use of data acquired;
(8) effective remedies and redress available to the individuals affected.

As explained elsewhere (Christakis, Propp, and Swire 2021), the resolution, drafted solely
by privacy regulators, unsurprisingly places greater emphasis on individuals’ privacy rights
than did the OECD declaration, which was prepared by States’ delegations comprising
mostly security service representatives. For example, the resolution recommends that governments
demonstrate the necessity and proportionality of data demands by surveillance
authorities. Another GPA principle calls for statutory limits on secondary uses or onward
transfers of collected data. A further difference is that the GPA resolution seems to
express a preference for advance judicial authorisation when resorting to foreign surveillance,
while the OECD draft adopts a more flexible approach, stating that ‘prior approval
requirements for government access are established in the legal framework […] [which
specifies] the […] entity providing the approval’, while also mentioning that ‘stricter
approval requirements are in place for cases of more serious interference, and may
include seeking approval from judicial or impartial non-judicial authorities’ (OECD 2022).
The Global Privacy Assembly also called ‘on governments and international organizations
to observe’ these principles and ‘to work towards the development of multilateral
instruments ensuring adherence to key data protection and privacy principles in relation
to government access to personal data.’

2.3. OECD and the trusted government access declaration


In December 2020, governments that belong to the Organisation for Economic
Cooperation and Development (OECD) ‘quietly embarked on an unprecedented exercise
to formulate common principles governing their access, for national security and law
enforcement purposes, to personal data held by the private sector’ (Christakis, Propp,
and Swire 2021).
The project was based on the premise that these democratic governments, despite
divergences in their legal systems, share many commonalities in this area, and that articulating
them can help restore trust in data flows between countries and highlight how they
differ from authoritarian regimes that indiscriminately access individuals’ data.

The OECD had the legacy to pursue this project in order to further develop and
clarify its ‘Guidelines Governing the Protection of Privacy and Transborder Flows of
Personal Data’, adopted by the OECD Council on 23 September 1980, and revised
on 11 July 2013. These OECD Privacy Guidelines represented the first internationally
agreed-upon set of privacy principles, developed to protect privacy and individual liberties,
which addressed concerns arising out of increased use of personal data, and the
resulting risk to global economies due to restrictions to the flow of personal data
across borders. They included exceptions for reasons of ‘national security and
public policy’ (OECD [1980] 2013) that the OECD undertook to clarify in December
2020.
To this end, an informal drafting group of experts, consisting of delegates from 33
OECD Members and the European Union, was convened. The drafting group met 18
times in the period 2021–2022. These sessions were extraordinary: for the first time
in history, government officials responsible for national security and law enforcement
from 33 countries met several times in order to discuss their domestic practices and
safeguards in relation to government access to data for national security and law enforcement
purposes. This was so unique that one could consider that the process and the
establishment of this new cooperation mechanism was even more impressive than the
outcome.
Despite a few initial difficulties (Christakis, Propp, and Swire 2021), the OECD and its
Member States were able to reach a consensus and the Declaration on Government
Access to Personal Data Held by Private Sector Entities (the ‘OECD TGA Declaration’)
was finally adopted by Ministers and high-level representatives of OECD Members and
the European Union on 14 December 2022. As the OECD states on its website, this is
‘the first intergovernmental agreement on common approaches to safeguard privacy
and other human rights and freedoms when accessing personal data for national security
and law enforcement purposes’, and seeks to promote trust in cross-border data flows, a
critical enabler of the global economy (OECD 2022).
Nonetheless, we should be under no illusions: the OECD TGA Declaration is not a
binding instrument of international law but a soft law instrument. Furthermore, its aspiration
is not to introduce new principles that OECD Members should follow, but instead to
identify commonalities among like-minded democracies, establishing a baseline of safeguards
and accountability mechanisms that OECD member countries have already
implemented to varying degrees and in different ways.
The Declaration includes seven principles which could be summarized12 as follows:

(1) Legal basis – Access by government entities must be provided for and governed by
the country’s legal framework, enacted by democratically elected institutions operating
under the rule of law.
(2) Legitimate aims – The purposes of government access must be for specific and legitimate
aims, not be excessive in pursuit of those aims, and be necessary, proportionate
and reasonable with sufficient protections against abuse.
(3) Approvals – There must be prior approval of government access, as detailed by law,
with the stringency of requirements commensurate to the level of intrusion.
(4) Data handling – Government access must be restricted to authorised personnel, with
appropriate security measures in place.
(5) Transparency – The legal framework for government access is clear and easily accessible
by the public and enforcement bodies should publicly report on government
access.
(6) Oversight – There are mechanisms for effective and independent oversight.
(7) Redress – The legal framework provides individuals with effective judicial and non-judicial
redress.

The OECD TGA declaration has been hailed as ‘a notable accomplishment’ (Propp
2023). The big question that emerged then was how to build upon this important accomplishment
in order to continue this process of ‘data free flow with trust’.
The G7’s call for an ‘Institutional Arrangement for Partnership (IAP)’, coupled with the
emphasis on the fact that the OECD is ‘well-suited to advance this international effort’,
is now about to lead to the next steps of these important efforts.
At the 91st Session of the OECD’s Committee on Digital Economy Policy (CDEP), held in
May 2023, delegates discussed an update on DFFT and expressed overall support for the
possibility of establishing an ‘expert community’ in order to continue the process initiated
by the OECD TGA declaration by focusing on good practice, holding discussions with all of
the stakeholders and further developing the TGA principles.
A ‘Concept Note’ (OECD 2023b) presented to delegation in December 2023
explained that this community would be an informal network of experts, from governments,
business, civil society, academia and the technical community, brought
together to help inform CDEP on topics related to cross-border data flows and
data free flow with trust, by providing expert input to the OECD’s analytical work,
identifying possible trends or new issues for consideration, and responding to
specific questions raised by the Committee. The Community’s role would thus be
advisory in nature.
The ‘Concept Note’ (OECD 2023b) proposed that the Community be organised as
expert groups around specific topics such as:

• building a global repository of policies and regulations on cross-border data transfers;
• mapping data protection requirements globally in specific sectors (e.g. cross-border
payments, finance, health, transportation) to identify challenges and advance
solutions;
• identification and documentation of use cases for emerging PETs in cross-border data
sharing in specific sectors (e.g. health, finance, AI);
• identifying trends related to the impact of the OECD Declaration on Government
Access to Personal Data Held by Private Sector Entities.

The OECD is now about to constitute this ‘expert community’.

2.4. Convention 108+: interpreting national security exceptions


Another important multilateral effort is still a work in progress and concerns Convention
108+ of the Council of Europe.
In 1981 the Council of Europe adopted the Convention for the Protection of Individuals
with regard to Automatic Processing of Personal Data, better known as
‘Convention 108’. This was the first legally binding international instrument in the data
protection field. It requires that parties take the necessary steps in their domestic legislation
to apply the principles it lays down including data subject rights, requirements
concerning the quality of data, and controller and processor obligations (Council of
Europe 1981).
With the passage of time, the Council of Europe considered it necessary to modernise
this landmark instrument in order to adapt it to the new realities of the online
world, to introduce new principles in order to deal with challenges resulting from
the use of new information and communication technologies, and to strengthen the
implementation of the Convention. The principles of transparency, proportionality,
accountability, data minimisation, privacy by design, etc. are now acknowledged as
key elements of the protection mechanism and have been integrated into the modernised
instrument.13 Convention 108+, as this instrument has been called, is not yet in
force as it requires 38 ratifications for its entry into force and has only been ratified, as
of March 2024, by 31 Member States.
Convention 108+ includes several exceptions in Article 11 that allow State Parties to
restrict some of the data processing principles and rights it proclaims under certain conditions.
Article 11 starts in the following way:
Article 11 – Exceptions and restrictions

1. No exception to the provisions set out in this Chapter shall be allowed except to the provisions
of Article 5 paragraph 4, Article 7 paragraph 2, Article 8 paragraph 1 and Article 9,
when such an exception is provided for by law, respects the essence of the fundamental
rights and freedoms and constitutes a necessary and proportionate measure in a democratic
society for:

a. the protection of national security, defence, public safety, […]

In 2020, the Chair of the Committee on Convention 108 and the Data Protection Commissioner
of the Council of Europe publicly declared that ‘while Convention 108+ provides
a robust international legal framework for the protection of personal data, it does
not fully and explicitly address some of the challenges posed in our digital era by
unprecedented surveillance capacities. For years, calls for a comprehensive international
human rights law instrument framing the operations of intelligence services
have intensified, and the need for strong safeguards at international level, complementing
and specifying those of Convention 108+, can no longer be ignored’
(Council of Europe 2021, art. 5).
As a result of these demands, the Council of Europe currently envisions developing
interpretative guidance on Article 11 of this convention, in order, among other things,
to explain when and under which conditions States can restrict data protection principles
for national security, defence, and public safety reasons. It is expected that the guidance
will be influenced by the protective principles established over the years by the European
Court of Human Rights (ECtHR) which has developed extensive case law on surveillance
issues and which is focusing, in its latest judgments, on the importance of a series of ‘end-to-end
safeguards’.14
This work is still ongoing and will be of great value but, once again, it will not be a
game changer: the outcome of this process, if approved by States, will not be new
rules, just interpretative guidance that builds on the safeguards that appear in the case
law of the ECtHR. These safeguards are already binding upon the 46 Member States of
the Council of Europe, but their acceptance by non-Member States (nine of which are
parties to the original Convention 108) may permit these European standards to be progressively
‘universalized’.

3. Negotiating international agreements on law enforcement agents’ access to data

The multilateral efforts described in the previous section focus on the issue of government
access to data for both national security and law enforcement purposes. As we
have seen they have not led to the creation of any ‘new’ rules, but rather to soft law instruments
that identify ‘commonalities’ in domestic systems, or to ongoing efforts to develop
interpretative guidance concerning national security exceptions.
Progress has been more notable, however, in the field of law enforcement agencies’
access to data and digital evidence. In this field, States have been able to adopt an
important multilateral instrument, the Protocol to the Budapest Convention on Cybercrime,
while the first bilateral ‘hard law’ agreements are about to emerge or be
negotiated.

3.1. Protocol to the Budapest convention on cybercrime


The Council of Europe Convention on Cybercrime (the ‘Budapest Convention’), adopted in
2001, is the main agreement that concerns tackling cybercrime internationally. It requires
Parties to the Convention to have appropriate laws and procedures to tackle cybercrimes,
and to be able to provide assistance to other countries, such as the provision of evidence.
The Budapest Convention has been ratified by 69 States, including all Council of Europe
Members (apart from Ireland) – and non-Member States such as the United States, Australia,
Canada and Japan.
However, the Member States of the Council of Europe have realised over the last few
years that the Budapest Convention is not well fitted to deal with the crucial issue of
access to digital evidence by law enforcement agencies. As the Council noted: ‘While
cybercrime is escalating and the complexity of obtaining electronic evidence that may
be stored in foreign, multiple, shifting or unknown jurisdictions is increasing, the
powers of law enforcement are limited by territorial boundaries’ (Council of Europe 2022).
In order to respond to this challenge, after four years of negotiation, States adopted the
Second Additional Protocol to the Convention on Cybercrime on enhanced co-operation
and disclosure of electronic evidence in May 2022. The Protocol is intended to provide a
legal basis for enhancing the speed at which digital evidence is shared and to deepen
cooperation on trans-border investigation of all internet-enabled crimes. It provides
tools for enhanced cooperation and disclosure of electronic evidence – in particular
through requiring Parties to permit competent authorities from another Party to
request subscriber information and traffic data directly from service providers; and
more immediate cooperation in emergency situations, underpinned by personal data protection
safeguards and subject to a system of human rights and the rule of law (Council of
Europe 2022).
As of May 2024, the Protocol is not yet in force as only two States have ratified it and
five ratifications are required for its entry into force (44 States have signed it).

3.2. Negotiations for a UN convention on cybercrime


On February 28, 2022, the UN embarked on the very ambitious project of adopting (over
only a period of two years) a global convention against cybercrime, under the project
‘Strengthening international cooperation for combating certain crimes committed by
means of information and communications technology systems and for the sharing of evidence
in electronic form of serious crimes.’
As Karine Bannelier explained (Bannelier 2023), negotiations for this Draft United
Nations convention against cybercrime have been marked by disagreements and controversies
in relation to a very broad range of topics. States did not share the same view concerning
the objectives and the scope of the Convention and even disagreed about what
‘cybercrime’ means. All States agreed that the UN Convention should include ‘cyber-dependent’
crimes: crimes which, to put it simply, would not exist at all without ICT
systems (an example of such a crime would be illegal access to a computer system).
However, Russia, China and other States also wished to include a long series of ‘cyber-enabled’
crimes in the UN Convention: crimes that can be committed without ICT, but
which can also be enabled by ICT. ‘While all States agree that certain well-established
“cyber-enabled” crimes, especially those related to Child Sexual Abuse Material, should
be included in the convention, most of the proposed “cyber-enabled” crimes raised
huge concerns in view of the significant impact that they pose to human rights’ (Bannelier
2023). Several other disagreements marked the negotiations, including in relation to the
powers public authorities are given to access personal data.
Despite marathon negotiations, the so-called ‘concluding’ 6th Round of negotiation
sessions, which took place in New York between January 29 and February 9, 2024, was not
able to produce a final document. There was substantial progress made, however, and
a final agreement seemed within reach for August 2024. Among the issues of interest
for this article it can be noted that the Chair’s compromise included a variant on a Canadian
proposal that had gathered wide support (nearly 70 countries). It would clarify that
nothing in the Convention imposes a mutual legal assistance (MLA) obligation if the
requested State Party has substantial grounds for believing that the request has been
made to prosecute or punish a person on account of sex, race, religion, nationality or political
opinions.
Ultimately the round ended inconclusively, and will resume for another session in late
summer. It remains to be seen how exactly the final provisions concerning government
access to data in order to fight cybercrime will be drafted and what will be the exact implications
for human rights and the private sector.

3.3. CLOUD act agreements


In March 2018 the US Congress adopted the Clarifying Lawful Overseas Use of Data Act, or
‘CLOUD Act’.
The first part of this Act rendered moot the then pending Supreme Court case of United
States vs Microsoft, by stating that the kind of compelled disclosure orders at issue in the
Microsoft Ireland case (Christakis 2017) apply ‘regardless of whether such communication,
record, or other information is located within or outside of the United States’.
The second part of the CLOUD Act created a new mechanism for other countries to
access the content of communications held by US service providers. It enables the US
to reach ‘executive agreements’ with certain ‘qualified’ foreign governments, permitting,
subject to a number of baseline substantive and procedural requirements, the lifting of
blocking provisions imposed due to the Electronic Communications Privacy Act (ECPA)
and enabling the law enforcement agencies of these countries to request the communications
content of non-US citizens and residents directly from service providers. The
CLOUD Act thus permits ‘trusted’ foreign partners of the United States, that have
robust protections around privacy and civil liberties, to enter into bilateral agreements
with the US in order to obtain direct access to electronic evidence, wherever it
happens to be located, in order to fight serious crime and terrorism (CLOUD Act (Clarifying
Lawful Overseas Use of Data Act) 2018).
The first such ‘CLOUD Act executive agreement’ was concluded between the US and
the UK in October 2019 (CLOUD Act Agreement 2019; Daskal and Swire 2019; Christakis
2019a), while the second was concluded with Australia in December 2021 (CLOUD Act
Agreement 2021). These CLOUD Act executive agreements clearly fulfil the Vienna Convention
on the Law of Treaties requirements and can be characterised as binding international
agreements.15 The US and Canada are about to negotiate another CLOUD Act
executive agreement while important negotiations about law enforcement access to
data are also currently taking place between the US and the EU.

3.4. The current EU/US negotiations: seeking an e-evidence agreement.16


The EU and the US kicked off negotiations in September 2019 about concluding a very
important agreement on law enforcement access to data.
The reasons that compelled the EU and the US to launch negotiations on this new
transatlantic agreement are explained in detail in the Commission’s Memorandum to
the Council requesting a negotiation mandate (European Commission 2019a; European
Commission 2019b). The most important reasons were the following two17:
Firstly, an EU-US agreement would significantly speed up procedures and ensure
efficient prosecution of criminals in the digital age. While acquiring e-evidence via
Mutual Legal Assistance takes on average 10 months, under a bilateral agreement
which allows data to be requested directly from service providers, this could take just a
few days.
Secondly, there was a need ‘to avoid conflicting obligations between the European
Union and the United States of America’. The risks of conflicts of laws in this field are
twofold.
On the one hand, under the Stored Communications Act and the ECPA, US-based companies
are prohibited from disclosing content data directly to foreign governments,
whereas non-content data can be provided on a voluntary basis. This is very problematic
for European LEAs as the major US Communication Service Providers (CSPs) usually hold
critical evidence about European criminal investigations. The E-Evidence regulation,
adopted by the EU in July 2023, authorises European LEAs to directly request content
and non-content data from CSPs regardless of whether such data is located within or
outside Europe (Regulation EU E-Evidence 2023; Christakis 2024b). This will only accentuate
the risks of conflicts of laws. An EU-US Agreement (whether based on the CLOUD Act
or not) could enable this problem to be addressed and minimise or even eliminate
conflicts of laws by allowing US service providers to deliver content data directly to EU
LEAs.
On the other hand, the first part of the CLOUD Act, authorising US LEAs to request data
relevant to criminal investigations from CSPs ‘regardless of whether such communication,
record, or other information is located within or outside of the United States’, might
conflict with existing European law (including the GDPR or national blocking statutes)
in certain situations and especially when the requests concern the personal data of Europeans.
This issue has been analyzed by legal scholars (Christakis 2019b), while the European
Data Protection Board (EDPB) and the EDPS have also published a joint position on
this (EDPB–EDPS 2019).
The conclusion of an EU-US Agreement thus appears the only way to resolve the
problem of conflicts of laws in the interests of the EU and its Member States, the US
and US and European CSPs.
However, as analyzed elsewhere (Christakis and Terpan 2021), there were strong divergences
between the EU and the US about what the scope and the architecture of this
agreement should be.18 There were also a lot of extremely important and challenging
issues of substance to be resolved during the EU-US negotiations.19
Four rounds of negotiations took place between September 2019 and March 2020.
However, the Covid-19 crisis put the formal negotiations on hold and then the negotiations
stalled due to the EU needing time to finalise the e-evidence regulation, which
was adopted, as mentioned previously, in July 2023 (Regulation EU E-Evidence 2023).
The fact that the EU now has a common standard for access to stored data for criminal
investigations in the form of the e-evidence regulation has permitted the negotiations
to resume. The US Department of Justice and the European Commission indeed announced
in March 2023 the resumption of negotiations on an EU-US agreement to facilitate
access to electronic evidence in criminal investigations.
It seems that this new round of negotiations has yielded significant progress. More
precisely, it seems that some of the difficulties related to the scope and the architecture
of the agreement, mentioned above, are about to be resolved. Negotiators are moving
away from the concept of a ‘framework agreement’ with the EU, followed by bilateral
agreements with EU Member States. Instead, they are transitioning towards a comprehensive,
EU-wide agreement. This strategy might include a system of certifications and
a potential suspension mechanism for EU Member States raising rule of law/human
rights concerns.20
If this is true, Law Enforcement Agencies (LEAs) across the EU have every reason to be
optimistic. Should these negotiations reach a successful conclusion, they will be positioned
to mirror the achievements of their UK counterparts. It is reported that UK LEAs
have efficiently managed thousands of requests to US companies, leveraging the US/
UK Cloud Act Agreement to great effect in order to resolve criminal investigations.21
Nonetheless, experts voiced reservations about the applicability of the US/UK Cloud
Act Agreement as a blueprint for the forthcoming US/EU E-Evidence Agreement.22 The
EU/US negotiations for an E-Evidence/Cloud Act agreement are much more complex
than those with the UK, Australia or Canada because of the interests of the 27 member
states and the unique structure of the EU. The EU/US agreement should also tackle the
pivotal issues surrounding GDPR art. 48’s conflict of laws, as well as data protection
and sovereignty concerns, in order to create legal certainty (CSIS/CBDF 2024).
Achieving a successful outcome to these negotiations is of paramount importance in
terms of facilitating law enforcement access to data, while providing adequate protections
around human rights and sovereign concerns and also fostering legal certainty
for companies in Europe and the US who often find themselves trapped in difficult
conflict of laws situations. A successful outcome to these negotiations should also certainly
be a big boost for the concept of Data Free Flow with Trust (DFFT).

4. Conclusions and recommendations


The free flow of data with trust has been described as ‘the bedrock of the global digital
economy’ (G7 2021). In recent years, significant efforts have been dedicated to advancing
the concept of Data Free Flow with Trust (DFFT). However, despite these endeavours, it is
evident that achieving widespread acceptance and implementation of DFFT will be a long
journey, fraught with challenges and obstacles.

4.1. Challenges and obstacles


While historically both the US and the EU have championed the importance of free international
data flows for the expansion of trade and cooperation,23 and have adopted
strong positions against data localisation,24 recent developments have seen a shift
towards more cautious approaches.
In the EU, there has been a notable surge in calls for stringent data localisation
measures, propelled by three main factors: Firstly, the Schrems II judgment (Schrems II
case 2020; Christakis 2020b), followed by subsequent guidance from the European
Data Protection Board (EDPB (European Data Protection Board) 2021) and decisions
from Data Protection Authorities, which have advocated for a ‘zero risk’ approach. Secondly,
concerns have arisen regarding extraterritorial access to EU-localized data by
countries like the US, particularly under laws such as the CLOUD Act. Thirdly, political
initiatives have emerged, advocating for the incorporation of ‘sovereignty’ and ‘immunity
from foreign laws’ prerequisites within national or European cybersecurity certification
schemes for Cloud providers (Christakis 2020a).25
On the US side there have been several recent events indicating more cautious
approaches to data flow policies governed by national security concerns.
The first event showing a change in US data flow policy came last fall when the US
removed proposals in WTO e-commerce negotiations and supported a pause in work
on digital issues in the Indo-Pacific Economic Framework. As Ken Propp remarked, this
showed that ‘the US government’s enthusiasm for promoting and protecting digital
trade has waxed and waned’. He added that ‘the change in position at the WTO and
IPEF runs contrary to a long-held US position, dating back to the Clinton administration,
favoring free data flows as recently restated in the 2022 Declaration for the Future of the
Internet’ (Propp 2024).
The second event was a new executive order (EO) issued on February 28, 2024 by President
Biden, which contains multiple restrictive provisions, most notably limiting bulk
sales of personal data to ‘countries of concern’. A key rationale for the order is to prevent
China, Iran, North Korea, or other ‘countries of concern’, from amassing sensitive information
about Americans. The EO notes that:
The continuing effort of certain countries of concern to access Americans’ sensitive personal
data and United States Government-related data constitutes an unusual and extraordinary
threat, which has its source in whole or substantial part outside the United States, to the
national security and foreign policy of the United States. Access to Americans’ bulk sensitive
personal data or United States Government-related data increases the ability of countries of
concern to engage in a wide range of malicious activities. Countries of concern can rely on
advanced technologies, including artificial intelligence (AI), to analyse and manipulate bulk
sensitive personal data to engage in espionage, influence, kinetic or cyber operations, or
to identify other potential strategic advantages over the United States. Countries of
concern can also use access to bulk data sets to fuel the creation and refinement of AI and
other advanced technologies, thereby improving their ability to exploit the underlying
data and exacerbating the national security and foreign policy threats.26

A third US policy initiative came in the January 29 proposed rule from the Commerce
Department, entitled ‘Infrastructure as a Service Providers’ Responsibility To Verify the
Identity of Their Customers, Special Measures, and the Use of Their Products for Large
AI Model Training.’ As Peter Swire and Samm Sacks note, the rule is designed in part to
implement President Trump’s 2021 executive order designed to address ‘significant malicious
cyber-enabled activities’. The proposed rule would impose Know Your Customer
(KYC) requirements for cloud sales to non-US customers, whether those customers are
in allied nations or in countries of concern such as China. The proposed Commerce
rule also would target non-US purchasers who use cloud services for training of large
AI models. Cloud providers would be required to monitor use of cloud services and
report to the government activity that meets this text: ‘could result in the training of a
large AI model with potential capabilities that could be used in malicious cyber-enabled
activity’. As Swire and Sacks (2024) emphasise:
In the current state of the art, where essentially every line of business is developing AI models,
this language would seem to apply to a very wide range of normal business activity. […] AI
reporting requirements also would appear to require more intrusive monitoring by cloud providers
of their customers’ activities.27

The fourth and most important recent event in the US has been the bipartisan bill
passed by the House of Representatives on March 13, 2024, on a lopsided vote of
352–65, that would force ByteDance to sell its hugely popular video app TikTok or
be banned in the United States. The bill, entitled ‘Protecting Americans From
Foreign Adversary Controlled Applications Act’ claims that TikTok is controlled by a
foreign adversary and poses a threat to US national security and to the data of
millions of Americans. They claim that ByteDance could be subject to China’s national
security legislation, particularly the 2017 National Security Law that requires Chinese
companies to ‘support, assist and cooperate’ with national intelligence efforts.28 President
Biden signed this bill after its adoption by the US Congress. As a result, TikTok
and its parent company ByteDance filed on May 7, 2024 a petition with the US Court
of Appeals for the District of Columbia Circuit in order to challenge this ban. In this
petition they argue that the new US Act violates the First Amendment rights of its
170 million American users and that the law shuts down the platform based on
‘speculative and analytically flawed concerns about data security and content manipulation’
(Han 2024).
This significant move by a prominent democracy like the US not only validates similar
bans adopted by other countries29 but also emboldens activists and proponents of ‘digital
sovereignty’ within the EU who advocate for stringent data localisation measures. While
the US may argue that the above-mentioned measures target ‘adversaries’ rather than
allies, activists and proponents of ‘digital sovereignty’ contend that the paramount
concern is safeguarding EU citizens’ and governments’ data from access by governments
with extensive intelligence capabilities. For them, the threat of data access is not exclusive
to China; rather, they perceive countries like the US as equally eager to gain access to
European data.

4.2. Strengthening trust in government access among democracies


All these events show how important it is for democracies to re-establish trust in the way
they access data.
By 2016, the European Court of Human Rights had already observed that government
surveillance had reached a complexity that was ‘hardly conceivable for the average
citizen’ (ECtHR 2016, para. 68). Today, this observation carries even graver implications
due to rapid technological advancements. This includes a significant increase in requests
for forced disclosures, as shown in transparency reports from leading tech companies; the
expansion of advanced spyware; extensive automated and systematic data collection by
governments; and the adoption of AI tools for surveillance purposes. As the February 28,
2024 executive order adopted by President Biden noted, countries ‘can rely on advanced
technologies, including artificial intelligence (AI), to analyse and manipulate bulk sensitive
personal data to engage in espionage, influence, kinetic, or cyber operations or to identify
other potential strategic advantages’.
All these developments underscore a deepening concern about the scope and depth
of surveillance in modern society. And such concerns are likely to intensify over time, as
the demand for government access to data held by private entities shows no signs of
diminishing in the foreseeable future.
Indeed, intelligence agencies in democratic nations claim that they legitimately need
access to data to protect national security and counteract external threats, terrorism and
other dangers. This necessity has become more pronounced following events such as the
Russian invasion of Ukraine and the intelligence failures prior to the October 7, 2023 terrorist
attacks by Hamas on Israel. Law enforcement also requires access to digital evidence
for criminal investigations, a need intensified by the rise in cyberattacks and cybercrime,
as acknowledged by the EU’s 2023 E-Evidence Regulation. In this environment, it is essential
for democratic countries to implement stringent human rights protections, ensuring
that government access to data is balanced by necessary checks to prevent the emergence
of a surveillance state. Moreover, democratic governments must cooperate to
ensure that their data access practices respect human rights and consider the sovereignty
of the nations involved.
Governments must persist and intensify efforts to promote ‘data free flow with trust’
and advance the concept of ‘trusted government access’. This necessitates the collaboration
of democratic states globally, sharing similar human rights values. The OECD serves
as a highly suitable platform for such endeavours. As mentioned earlier, the process of
government officials responsible for national security and law enforcement from 33
countries (among the 38 OECD members) convening multiple meetings to discuss their
domestic practices and safeguards regarding government access to data for national
security and law enforcement purposes was arguably as significant as the final
outcome: the Declaration on Government Access to Personal Data Held by Private
Sector Entities adopted on December 14, 2022.
It is crucial that the OECD continues this process through the ‘Institutional Arrangement
for Partnership’ (IAP). The ongoing establishment of an ‘expert community’ could
enable the continuation of the initiatives started by the OECD TGA declaration. This community
could focus on identifying and promoting good practices, engaging in discussions
with all stakeholders, and further refining the TGA principles. Such a process could lead to
the development of a global repository of policies and regulations on government access
and cross-border data transfers, facilitating the adoption of best practices worldwide.
Moreover, this initiative could foster connectivity, engagement, and the sharing of
experiences among data protection authorities and the broader law enforcement and
intelligence community. This would promote mutual understanding and facilitate the
integration of privacy considerations more effectively into the broader framework of government
access requests. By encouraging collaboration and knowledge-sharing, the
expert community under the OECD’s IAP could play a pivotal role in advancing trust
and accountability in data governance on a global scale.
Additionally, establishing secure channels to facilitate the exchange of experiences
among independent bodies responsible for intelligence oversight in democratic nations
could prove immensely valuable. These oversight bodies frequently encounter similar challenges
and often find themselves reinventing solutions in isolation. Enabling the sharing of
best practices and solutions could yield significant benefits across the board.
The suggestion of the UK to ‘lead by example by publishing – in plain and accessible
terms – how the UK meets the TGA Principles, encouraging other countries to do similar’
(UK IDTEC 2023, art. 5) is also very interesting and should be followed by the other OECD
members. Democratic governments should also explore, as the UK suggested, how they
could create a ‘library’ of such disclosures, which would promote transparency and trust
(UK IDTEC 2023, art. 5).
While expediting progress among the original authors of the TGA Principles is crucial,
achieving the full dissemination of these principles and maximising the benefits of
enhancing global data standards requires the OECD and its member countries to prioritise the
inclusion, in this field, of nations beyond their traditional membership. It is worth noting
that the TGA principles are open to non-OECD members, and the OECD has a wealth of
experience in engaging with non-member countries.
Therefore, it would be highly beneficial for democracies like Argentina, Brazil, Uruguay and
others, to participate in the work of the 38 OECD member states on these significant issues.
Their involvement would enrich discussions, bring diverse perspectives to the table, and
ensure that the principles are more representative and applicable on a global scale.
While multilateral initiatives are undeniably important, fostering transatlantic progress
on these issues holds even greater significance. Establishing trust regarding government
access to data between the EU and the US is a critical foundational step that could serve as
a catalyst for global advancements in this arena.
In the realm of access to data for national security purposes, it is imperative to closely
monitor how the CJEU will evaluate the recent reforms of US surveillance laws, aimed at
addressing concerns raised by the Court in the Schrems II case (Schrems II case 2020). The
critical question is: will the latest US adequacy decision, adopted by the Commission in
July 2023, endure scrutiny by the CJEU? In the event of a negative assessment, it
becomes essential for the EU and the US to swiftly address any remaining issues. The
ability of both sides to promptly address any shortcomings will be pivotal in maintaining
trust and facilitating continued data transfers between the EU and the US.
In the realm of access to data for law enforcement purposes, the ongoing
negotiations between the EU and the US regarding the e-evidence agreement hold
paramount importance. It is imperative for both sides to exert every effort to surmount
the challenges and reach a successful conclusion to these negotiations. Indeed, such
a favourable outcome is essential for facilitating streamlined law enforcement access
to data while simultaneously upholding robust safeguards for human rights and
sovereign concerns. Moreover, the successful conclusion of these negotiations will play a
pivotal role in fostering legal certainty for Cloud service providers and other companies
operating in Europe and the US. It will help resolve complex conflicts of law situations,
providing clarity and coherence in the regulatory landscape. Thus, achieving a mutually
beneficial agreement will not only enhance law enforcement capabilities but also
promote trust, facilitate cross-border cooperation, and strengthen fundamental rights
while addressing sovereign concerns.
International negotiations, be they multilateral or bilateral in nature, thus arise as the
primary, if not the sole, avenue for reaching consensus on protocols governing access to
personal data that have implications for the rights and interests of individuals in other nations.

Notes
1. ‘Subscriber data’ means any data held by a service provider relating to the subscription to its
services, pertaining to: (a) the identity of a subscriber or customer, such as the provided name,
date of birth, postal or geographic address, billing and payment data, telephone number or
email address; (b) the type of service and its duration, including technical data and data
identifying related technical measures or interfaces used by or provided to the subscriber or
customer at the moment of initial registration or activation, and data related to the validation of the
use of the service, excluding passwords or other authentication means used instead of a
password that are provided by a user, or created at the request of a user. Regulation (EU) 2023/1543
of the European Parliament and of the Council on European Production Orders and European
Preservation Orders for electronic evidence in criminal proceedings and for the execution of
custodial sentences following criminal proceedings, [2023] OJ L191/118, 12 July 2023 Art. 5
(6). (Regulation (EU) 2023/1543). Regulation EU E-Evidence 2023, Article 3(9).
2. ‘Traffic data’ means data related to the provision of a service offered by a service provider
which serve to provide context or additional information about such service and are
generated or processed by an information system of the service provider, such as the source and
destination of a message or another type of interaction, the location of the device, date, time,
duration, size, route, format, the protocol used and the type of compression, and other
electronic communications metadata and data, other than subscriber data, relating to the
commencement and termination of a user access session to a service, such as the date and time of
use, the log-in to and log-off from the service. Regulation EU E-Evidence 2023, Article 3(11).
3. ‘Content data’ means any data in a digital format, such as text, voice, videos, images and
sound, other than subscriber data or traffic data. Regulation EU E-Evidence 2023, Article 3(12).
4. As an example, the European Court of Human Rights has often found that the surveillance
laws of State parties to the European Convention of Human Rights violate Article 8 of the
convention and the right to privacy. For a review of some important cases, see for instance ECtHR
(2024) and Ni Loideain (2025).
5. The CJEU has an important case law on data retention by national security and law
enforcement agencies of EU Member States, but also on issues concerning international data
transfers and foreign surveillance. Among the most important judgments in this field is the
Schrems II judgment issued by the CJEU in July 2020 which invalidated the US adequacy
decision based on the Privacy Shield arrangement, considering that the US system of
intelligence did not include protections equivalent to the ones required by EU law (Schrems II case
2020).
6. The fear that foreign governments might access sensitive data or data of public authorities or
critical infrastructures has led to the introduction of ‘sovereignty requirements’ and the
concept of ‘immunity for foreign laws’ in important texts concerning cloud computing.
France, for instance, adopted in March 2022 the final version of SecNumCloud, a certification
and labelling programme, granted by the French National Cybersecurity Agency (ANSSI), to
cloud providers that fulfil a series of safety requirements, and used by French public entities
procuring cloud services to host data and information systems. Section 19.6 of SecNumCloud
is entitled ‘Protection against non-European laws’. It requires that a ‘service provider’s
registered office, central administration and principal place of business must be in a Member State
of the European Union’. It also introduces immunity requirements based on ownership and
data localisation. France, with the help of other member states, has asked ENISA to
introduce an ‘immunity from foreign laws’ requirement (i.e., one that is not subject to the laws
of a foreign State) as a prerequisite to CSPs seeking ‘high level’ assurance certification in
the context of the ongoing negotiations concerning the EU Cybersecurity Certification
Regime for Cloud Services (EUCS) within the European Union Agency for Cybersecurity
(ENISA). For a discussion on all this see Christakis (2024a). See also (Cory and Dascoli 2021;
Cory 2021; Cory 2023). In the United States, the recent adoption, by the House of
Representatives, of a bill that would require China’s ByteDance to divest TikTok in order to avoid a ban
of the video app in the US, is one of several recent measures, discussed at the conclusions of
this paper, expressing such ‘sovereign concerns’.
7. To the extent that companies fall under the personal jurisdiction of foreign countries, they
could be subject to extraterritorial requests by their governments (see Christakis 2024a).
8. See for instance (CIPL 2023; Swire and Kennedy-Mayo 2023; OECD 2023a).
9. The third US adequacy decision is already facing legal challenges. French MP Philippe
Latombe has asked for the invalidation of this new adequacy decision, but, for the time
being, the European Union General Court ruled against his request for interim measures
(IAPP 2023) and there are good reasons to believe that his might be declared inadmissible
(Jones 2023b). Predictably, Max Schrems has also announced that he will file a legal challenge
against the new adequacy decision (NoyB 2023).
10. This number is of course an exaggeration for several reasons, including the fact that the 27
Member States of the EU are in reality covered by the EU adequacy decisions. It highlights,
nonetheless, the excessive ‘bureaucracy’ created by the adequacy model.
11. The United States, Canada, Japan, the Philippines, Singapore, South Korea and Taiwan
established the Global CBPR Forum in 2022 to ‘promote interoperability and help bridge different
regulatory approaches to data protection and privacy’. See US Department of Commerce
(2022).
12. Summary drawn from UK IDTEC (2023, 21).
13. For a presentation of the main novelties see Council of Europe (n.d.a).
14. For an overview see the factsheet on mass surveillance prepared by the press unit of the
Court: ECtHR (2024).
15. For an analysis see Christakis and Propp (2020).
16. The following section is in part drawn from Christakis and Terpan (2021) – which permits a
deeper dive into these important negotiations.
17. Other reasons include the need to inject some order into the practice of ‘voluntary
cooperation’ with service providers for LEAs access to non-content data. The Commission
notes that the scale of direct cooperation requests on a voluntary basis has rapidly increased
with more than 124,000 in 2017. However, direct cooperation on a voluntary basis for
non-content data ‘can be unreliable, it may not ensure respect of the appropriate procedural
safeguards, is only possible with a limited number of service providers which all apply different
policies, is not transparent and lacks accountability’. The resulting fragmentation ‘may
generate legal uncertainty, raise questions on the legality of prosecution as well as concerns
on the protection of fundamental rights and procedural safeguards for the persons related
to such requests’ (see European Commission 2019a). An EU-US Agreement could enable
these issues to be addressed.
18. For instance, as explained in Christakis and Terpan (2021), the US government supported the
conclusion of a ‘framework agreement’ with the EU to be followed by bilateral agreements
with EU Member States – in order to satisfy CLOUD Act requirements. The EU wished to
arrive at a self-standing, EU-wide comprehensive agreement and is opposed to solutions
that might lead to fragmentation and unequal treatment between EU Member States.
19. These include: the procedural and fundamental rights safeguards that should be introduced
in the agreement in order to comply with European Human Rights Law (for instance: ensuring
that data cannot be requested for use in criminal proceedings that could lead to the death
penalty); the eagerness of the EU to introduce clauses that complement the EU-US Umbrella
Agreement by adding data protection safeguards; the determination of the EU to conclude
an agreement that will be entirely reciprocal in terms of the rights and obligations of the
parties and the categories of people whose data must not be sought pursuant to the
agreement; the eventual mechanisms that need to be introduced in order to resolve the conflict of
laws problems; and other issues.
20. See especially the explanations of Kenneth Propp in CSIS/CBDF (2024).
21. See for instance US Department of Justice (2023).
22. See Christakis (2019a). See also the interventions of Theodore Christakis and Norm Barbosa in
CSIS/CBDF (2024).
23. See for instance Recital 101 of the GDPR.
24. In a famous 2016 speech the then-EU Commissioner for Trade Cecilia Malmström said for
instance that some data restrictions adopted by foreign countries (such as data localisation
requirements) ‘often have no justification, other than to inhibit market access by overseas
companies’ and are a reflection of ‘our trade partners not playing fair’ (see Christakis 2020a).
25. For all these issues see Christakis (2024a).
26. US President (2024). For an analysis see Swire and Sacks (2024).
27. Ibid.
28. TikTok has repeatedly rejected all these claims and has put in place ‘Project Texas’ in the US
(and ‘Project Clover’ in the EU) to address national security concerns through data localisation
and independent oversight. See TikTok (n.d.a.).
29. India, for instance, banned TikTok in mid-2020, as the government cracked down on 59
Chinese-owned apps, claiming that they were secretly transmitting users’ data to servers
outside India (Zhong and Schultz 2020). Authoritarian regimes, on the other hand, have
often banned western social media citing their own ‘sovereign concerns’ (often linked to
the fear of using these media for free speech and as a platform to criticise the government).

Acknowledgments and disclaimers


The author has served as an expert for the OECD in the process which led to the adoption,
in December 2022, of the OECD Declaration on Government Access to Personal Data Held
by Private Sector Entities. He is currently serving as a member of the International Data
Transfers Experts Council of the UK Government and an expert for the High-Level
Expert Group on Access to Data for Effective Law Enforcement created by the European
Commission and the Council of the European Union. The statements in this article are
solely by the author and should not be attributed to any organisation for which the
author has served as an expert.

Disclosure statement
No potential conflict of interest was reported by the author(s).

Funding
This work was supported by Chatham House; Cross-Border Data Forum.

Notes on contributor
Theodore Christakis is Professor of International, European and Digital Law at University Grenoble
Alpes (France), Director of Research for Europe with the Cross-Border Data Forum, Member of the
Board of Directors of the Future of Privacy Forum and a former Distinguished Visiting Fellow at the
New York University Cybersecurity Centre.

References
APEC (Asia-Pacific Economic Cooperation). 2005. “APEC Privacy Framework.” December.
https://www.apec.org/publications/2005/12/apec-privacy-framework.
Bannelier, Karine. 2023. “The UN Cybercrime Convention Should Not Become a Tool for Political
Control or the Watering Down of Human Rights.” January 31.
https://www.lawfaremedia.org/article/the-u.n.-cybercrime-convention-should-not-become-a-tool-for-political-control-or-the-watering-down-of-human-rights.
Chander, Anupam, and Paul Schwartz. 2023. “Privacy and/or Trade.” University Chicago Law Review
90:49. https://ssrn.com/abstract=4038531.
Christakis, Theodore. 2017. “Data, Extraterritoriality and International Solutions to Transatlantic
Problems of Access to Digital Evidence. Legal Opinion on the Microsoft Ireland Case (Supreme
Court of the United States).” In The White Book: Lawful Access to Data: The US v. Microsoft Case,
Sovereignty in the Cyber-Space and European Data Protection, CEIS & The Chertoff Group White
Paper. https://ssrn.com/abstract=3086820.
Christakis, Theodore. 2019a. “21 Thoughts and Questions about the UK-US CLOUD Act Agreement.”
European Law Blog, October 17.
https://europeanlawblog.eu/2019/10/17/21-thoughts-and-questions-about-the-uk-us-cloud-act-agreement-and-an-explanation-of-how-it-works-with-charts/.
Christakis, Theodore. 2019b. “Transfer of EU Personal Data to US Law Enforcement Authorities After
the CLOUD Act: Is There a Conflict with the GDPR?” In Cybersecurity and Privacy in a Globalized
World – Building Common Approaches, edited by Randal Milch, Sebastian Benthall, and
Alexander Potcovaru, 60–76. (e-book). New York: New York University School of Law. Available
at SSRN: https://ssrn.com/abstract=3397047.
Christakis, Théodore. 2020a. “‘European Digital Sovereignty’: Successfully Navigating Between the
‘Brussels Effect’ and Europe’s Quest for Strategic Autonomy.” December 7.
https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3748098.
Christakis, Théodore. 2020b. “After Schrems II: Uncertainties on the Legal Basis for Data Transfers and
Constitutional Implications for Europe.” European Law Blog. July 21.
https://europeanlawblog.eu/2020/07/21/after-schrems-ii-uncertainties-on-the-legal-basis-for-data-transfers-and-constitutional-implications-for-europe/.
Christakis, Théodore. 2024a. “The ‘Zero-Risk’ Fallacy: International Data Transfers, Foreign
Governments’ Access to Data and the Need for a Risk-Based Approach.” CIPL-CBDF White
Paper. SSRN: https://ssrn.com/abstract=4732294.
Christakis, Theodore. 2024b. “From Mutual Trust to the Gordian Knot of Notifications: The EU E-
Evidence Regulation and Directive.” In The Cambridge Handbook of Digital Evidence in Criminal
Matters, edited by Vanessa Franssen and Stanislaw Tosza, 28. Cambridge University Press.
Available at SSRN: https://ssrn.com/abstract=4306874.
Christakis, Theodore, and Ken Propp. 2020. “The Legal Nature of the UK-US CLOUD Agreement.”
Cross Border Data Forum 20 April.
https://www.crossborderdataforum.org/the-legal-nature-of-the-uk-us-cloud-agreement/.
Christakis, Theodore, Ken Propp, and Peter Swire. 2021. “Towards OECD Principles for Government
Access to Data: Can Democracies Show the Way?” Lawfare 20. December.
https://www.lawfareblog.com/towards-oecd-principles-government-access-data-can-democracies-show-way.
Christakis, Theodore, and Fabien Terpan. 2021. “EU-US Negotiations on Law Enforcement Access to
Data: Divergences, Challenges and EU Law Procedures and Options.” International Data Privacy
Law 11 (2): 81–106. https://doi.org/10.1093/idpl/ipaa022.
CIPL (Centre for Information Policy Leadership). 2023. “The ‘Real Life Harms’ of Data Localization
Policies.” March.
https://www.informationpolicycentre.com/uploads/5/7/1/0/57104281/cipl-tls_discussion_paper_paper_i_-_the_real_life_harms_of_data_localization_policies.pdf.
CLOUD Act Agreement. 2019. “Agreement between the Government of the United Kingdom of
Great Britain and Northern Ireland and the Government of the United States of America on
Access to Electronic Data for the Purpose of Countering Serious Crime.” October 3.
CLOUD Act Agreement. 2021. “Agreement between the Government of the United States of
America and the Government of Australia on Access to Electronic Data for the Purpose of
Countering Serious Crime.” December 15.
https://www.justice.gov/criminal/criminal-oia/cloud-act-agreement-between-governments-us-and-australia.
CLOUD Act (Clarifying Lawful Overseas Use of Data Act). 2018. Contained in Consolidated
Appropriations Act, 2018, P.L. 115–141, div. V.
<Text in http://www.crossborderdataforum.org/wp-content/uploads/2018/07/Cloud-Act-final-text.pdf>.
Cory, Nigel. 2021. “‘Sovereignty Requirements’ in French – and Potentially EU – Cybersecurity
Regulations: The Latest Barrier to Data Flows, Digital Trade, and Digital Cooperation Among
Likeminded Partners.” Information Technology & Innovation Foundation. December 10.
https://itif.org/publications/2021/12/10/sovereignty-requirements-france-and-potentially-eu-cybersecurity/.
Cory, Nigel. 2023. “Europe’s Cloud Security Regime Should Focus on Technology, Not Nationality.”
Information Technology and Innovation Foundation. March 27.
https://itif.org/publications/2023/03/27/europes-cloud-security-regime-should-focus-on-technology-not-nationality/.
Cory, Nigel, and Luke Dascoli. 2021. “How Barriers to Cross-Border Data Flows are Spreading
Globally, What They Cost, and How to Address Them.” Information Technology & Innovation
Foundation. July 19.
https://itif.org/publications/2021/07/19/how-barriers-cross-border-data-flows-are-spreading-globally-what-they-cost/.
Council of Europe. 1981. “Convention for the Protection of Individuals with Regard to Automatic
Processing of Personal Data, better known as ‘Convention 108’.” https://rm.coe.int/1680078b37.
Council of Europe. 2021. “Report on the Need for a Guidance Note on Article 11 of the Modernized
Convention 108 Prepared by Dr. Thorsten Wetzling and Charlotte Dietrich.”
https://rm.coe.int/t-pd-2021-6-draft-guidance-note-on-exceptions-under-article-11-of-the-/1680a2d512.
Council of Europe. 2022. “Second Additional Protocol to the Cybercrime Convention on Enhanced
Co-operation and Disclosure of Electronic Evidence (CETS No. 224).”
https://www.coe.int/en/web/cybercrime/second-additional-protocol.
Council of Europe. n.d.a. “The Modernized Convention 108: Novelties in a Nutshell.”
https://rm.coe.int/modernised-conv-overview-of-the-novelties/16808accf8.
CSIS/CBDF. 2024. “CLOUD Act Agreements, EU-US e-Evidence Negotiations and Beyond”, CSIS/CBDF
Online Workshop, YouTube, April 3.
https://www.youtube.com/watch?feature=shared&v=dU2HlSnLkeo.
Daskal, Jennifer, and Peter Swire. 2019. “The UK-US CLOUD Act Agreement is Finally Here, Creating
New Safeguards.” Lawfare and Just Security blogs. October 8.
https://www.justsecurity.org/66507/the-uk-us-cloud-act-agreement-is-finally-here-containing-new-safeguards/.
Directive 95/46/EC of the European Parliament and the Council of 24 October. 1995.
https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:31995L0046.
ECtHR (European Court of Human Rights). 2016. Szabó and Vissy v. Hungary. Judgment 12. January.
ECtHR (European Court of Human Rights). 2024. “Factsheet - Mass Surveillance.” June.
https://www.echr.coe.int/documents/d/echr/FS_Mass_surveillance_ENG.
EDPB (European Data Protection Board). 2020. “Recommendations on the European Essential
Guarantees for Surveillance Measures.” EEG Recommendations. November.
https://www.edpb.europa.eu/our-work-tools/our-documents/recommendations/recommendations-022020-european-essential-guarantees_en.
EDPB (European Data Protection Board). 2021. “Recommendations 01/2020 on Measures that
Supplement Transfer Tools.” June 18.
https://edpb.europa.eu/system/files/2021-06/edpb_recommendations_202001vo.2.0_supplementarymeasurestransferstools_en.pdf.
EDPB–EDPS. 2019. “Joint Response to the LIBE Committee on the Impact of the US Cloud Act on the
European Legal Framework for Personal Data Protection.” July 10.
<https://edpb.europa.eu/our-work-tools/our-documents/letters/edpb-edps-joint-response-libe-committee-impact-us-cloud-act_fr>.
European Commission. 2019a. “Recommendation for a Council Decision Authorizing the Opening of
Negotiations in View of an Agreement Between the European Union and the United States of
America on Cross-border Access to Electronic Evidence for Judicial Cooperation on Criminal
Matters.” COM/2019/70 final, Brussels. February 5.
European Commission. 2019b. “Questions and Answers: Mandate for the EU-US Cooperation on
Electronic Evidence.” February 5.
https://ec.europa.eu/commission/presscorner/detail/en/MEMO_19_863.
European Commission. 2024a. “Report on the First Review of the Functioning of the Adequacy
Decisions Adopted Pursuant to Article 25(6) of Directive 95/46/EC.” January 15.
European Commission. 2024b. “Didier Reynders’ Opening Remarks at the European Commission’s
High-level Roundtable on Safe Data Flows.” March 4.
https://ec.europa.eu/commission/presscorner/detail/en/speech_24_1310.
European Commission. 2024c. “Commission to Host First International High-level Meeting on Safe
Data Flows.” March 4. https://ec.europa.eu/commission/presscorner/detail/en/mex_24_1307#11.
European Commission. 2024d. “Adequacy Decisions.”
https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en.
G20. 2019. “G20 Osaka Leaders’ Declaration.”
https://www.mofa.go.jp/policy/economy/g20_summit/osaka19/en/documents/final_g20_osaka_leaders_declaration.html.
G7. 2021. “G7 Trade Ministers’ Digital Trade Principles.” October 22.
https://www.gov.uk/government/news/g7-trade-ministers-digital-trade-principles.
G7. 2023a. “G7 Hiroshima Leaders’ Communiqué.” May 20.
https://www.g7hiroshima.go.jp/documents/pdf/Leaders_Communique_01_en.pdf.
G7. 2023b. “Vision for Operationalizing DFFT and its Priorities.”
https://g7g20-documents.org/database/document/2023-g7-japan-ministerial-meetings-ict-ministers-ministers-annex-g7-digital-and-tech-track-annex-1-g7-vision-for-operationalising-dfft-and-its-priorities.
GPA (Global Privacy Assembly). 2021. “Resolution on Government Access to Data, Privacy and the
Rule of Law: Principles for Governmental Access to Personal Data held by the Private Sector
for National Security and Public Safety Purposes.” October.
https://globalprivacyassembly.org/wp-content/uploads/2021/10/20211025-GPA-Resolution-Government-Access-Final-Adopted_.pdf.
Han, Hyemin. 2024. “TikTok Sues Over Divestment Bill.” May 7.
https://www.lawfaremedia.org/article/tiktok-sues-over-divestment-bill.
IAPP. 2023. “EU General Court Denies Interim EU-US Data Privacy Framework Halt.” October 12.
https://iapp.org/news/a/eu-general-court-denies-interim-eu-us-data-privacy-framework-halt/.
Jones, Joe. 2023a. “Global Adequacy Capabilities.” IAPP. April.
https://iapp.org/resources/article/infographic-global-adequacy-capabilities/.
Jones, Joe. 2023b. “EU-US Data Adequacy Litigation Begins.” IAPP. September 3.
https://iapp.org/news/a/eu-u-s-data-adequacy-litigation-begins/.
Ni Loideain, Nora. 2025. “The Approach of the European Court of Human Rights to the Interception
of Communications.” In EU Data Privacy Law and Serious Crime, edited by Ni Loideain. Oxford:
Oxford University Press. forthcoming.
NoyB (None of Your Business). 2023. “New Trans-Atlantic Data Privacy Framework Largely a Copy of
‘Privacy Shield’. NoyB will Challenge the Decision.” July 10.
https://noyb.eu/en/european-commission-gives-eu-us-data-transfers-third-round-cjeu.
OECD (Organisation for Economic Cooperation and Development). (1980) 2013. “Guidelines
Governing the Protection of Privacy and Transborder Flows of Personal Data.” Adopted by the
OECD Council on September 23, 1980, and revised on July 11, 2013.
https://legalinstruments.oecd.org/public/doc/114/114.en.pdf.
OECD (Organisation for Economic Cooperation and Development). 2022. “Declaration on
Government Access to Personal Data Held by Private Sector Entities.” Adopted by Ministers
and High-level Representatives of OECD Members and the European Union. December 14.
https://legalinstruments.oecd.org/en/instruments/OECD-LEGAL-0487#backgroundInformation.
OECD (Organisation for Economic Cooperation and Development). 2023a. “The Nature, Evolution
and Potential Implications of Data Localization Measures.”
OECD (Organisation for Economic Cooperation and Development). 2023b. “Concept Note
Describing the Objectives and Operation of the OECD Data Free Flow with Trust Expert
Community.” CDEP 92nd session. December 4–5, 2023. Paris. [DSTI/CDEP(2023)27].
Propp, Ken. 2023. “Gentlemen’s Rules for Reading Each Other’s Mail: The New OECD Principles on
Government Access to Personal Data Held by Private Sector Entities.” Lawfare. January 10.
https://www.lawfaremedia.org/article/gentlemens-rules-reading-each-others-mail-new-oecd-principles-government-access-personal-data-held.
Propp, Ken. 2024. “Transatlantic Digital Trade Protections: From TTIP to ‘Policy Suicide’?” Lawfare.
February 16.
https://www.lawfaremedia.org/article/transatlantic-digital-trade-protections-from-ttip-to-policy-suicide.
Regulation EU E-Evidence. 2023. Regulation (EU) 2023/1543 of the European Parliament and of the
Council on European Production Orders and European Preservation Orders for Electronic
Evidence in Criminal Proceedings and for the Execution of Custodial Sentences Following
Criminal Proceedings. [2023] OJ L191/118, 12 July 2023 Art. 5(6).
Regulation EU GDPR. 2018. Regulation (EU) 2016/679 of the European Parliament of the Council of
27 April 2016 on the Protection of Natural Persons with Regard to the Processing of Personal Data
and on the Free Movement of Such Data, and Repealing Directive 95/46/EC (General Data
Protection Regulation) (2016) OJ L 199, Rec. 49.
Schrems I case. 2015. Maximillian Schrems v. Data Protection Commissioner. 2015. (C-362/14)
EU:C:2015:650. October 6.
https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A62014CJ0362.
Schrems II case. 2020. Data Protection Commissioner v. Facebook Ireland & Maximillian Schrems.
2020. C-311/18. July 16.
https://curia.europa.eu/juris/document/document.jsf?text=&docid=228677&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=9924207.
Swire, Peter, and DeBrae Kennedy-Mayo. 2023. “The Effects of Data Localization on Cybersecurity -
Organizational Effects.” Georgia Tech Scheller College of Business. June 15.
https://ssrn.com/abstract=4030905.
Swire, Peter, and Samm Sacks. 2024. “Limiting Data Broker Sales in the Name of US National Security:
Questions on Substance and Messaging.” Lawfare. February 28.
https://www.lawfaremedia.org/article/limiting-data-broker-sales-in-the-name-of-u.s.-national-security-questions-on-substance-and-messaging.
TikTok. n.d.a. “About Project Texas.” https://usds.tiktok.com/usds-about/.
UK IDTEC (UK Government’s International Data Transfer Expert Council). 2023. “Towards a Sustainable,
Multilateral, and Universal Solution for International Data Transfers.” Report by the UK
Government’s International Data Transfer Expert Council, UK Government Department for Science,
Innovation and Technology. November 23.
https://assets.publishing.service.gov.uk/media/65734b2f33b7f2000db72135/towards_a_sustainable_multilateral_and_universal_solution_for_international_data_transfers.pdf.
US Department of Commerce. 2022. “Global Cross-Border Privacy Rules Declaration.”
https://www.commerce.gov/global-cross-border-privacy-rules-declaration.
US Department of Justice. 2023. “The CLOUD Act: A New Model for International Law Enforcement
Cooperation.” Remarks of Richard W. Downing, US Deputy Assistant Attorney General, at the
International Symposium on Cybercrime Response, Seoul, Korea.
https://www.justice.gov/criminal/file/1315386/dl?inline.
US President. 2024. “Executive Order on Preventing Access to Americans’ Bulk Sensitive Personal
Data and United States Government-Related Data by Countries of Concern.” February 28.
https://www.whitehouse.gov/briefing-room/presidential-actions/2024/02/28/executive-order-on-preventing-access-to-americans-bulk-sensitive-personal-data-and-united-states-government-related-data-by-countries-of-concern/.
WEF (World Economic Forum). 2020. “Data Free Flow with Trust (DFFT): Paths towards Free and
Trusted Data Flows.” May.
https://www3.weforum.org/docs/WEF_Paths_Towards_Free_and_Trusted_Data%20_Flows_2020.pdf.
Zhong, Raymond, and Kai Schultz. 2020. “With India’s TikTok Ban, the World’s Digital Walls Grow
Higher.” New York Times. June 30.
https://www.nytimes.com/2020/06/30/technology/india-china-tiktok.html.
