Won’t Someone Think of the Cybersecurity: Recent Agreements and Cross-Border Data Flows
By: Alex Botting & Ines Jordan-Zoob
Both the European Union (EU) General Data Protection Regulation (GDPR) and its UK-equivalent mandate restrictions on the international transfer of personal data. Long-standing negotiations around these data flows have proven complex - especially with thousands of companies doing business on both continents, and transatlantic data flows facilitating over $7 trillion in economic activity.
On July 10, the E.U.-U.S. Data Privacy Framework was adopted by the European Commission. This transatlantic framework is the culmination of a multi-year effort and debate over U.S. intelligence agencies’ ability to access EU citizen data, in which the two prior agreements were annulled by the European Court of Justice. The new framework provides Europeans with a means of redress when their personal data may have been collected improperly by U.S. intelligence agencies, through the newly created Data Protection Review Court. Additionally, the framework builds on the October 2022 signing of U.S. Executive Order 14086, which included necessity and proportionality controls for data gathering by U.S. intelligence agencies, and crucially, met with EU adequacy requirements. For now, the agreement ensures and protects transatlantic data flows, but legal challenges are expected by the beginning of 2024, if not earlier.
In June, the U.S. and the U.K. announced their commitment to developing their own legal framework for a “trusted and secure flow of data”, known as the Data Bridge. The Data Bridge, when adopted, would constitute a UK adequacy decision. Among other things, the Data Bridge will enable the flow of UK-U.S. data while reducing the burdens on companies when sharing data.
Given that there is no multilateral regime on cross-border data flows, the agreements mentioned above may set the precedent for data transfer standards. As this and other data localization laws continue to proliferate, it is important to understand the cybersecurity interests in global data flows, especially in light of regulations that seek to limit data flows under the misconception that data localization enhances security. In reality, global flows of security telemetry enable efforts to discover, identify, track, and disrupt various types of malicious cyber activity from both state and non-state cyber threat actors alike. Earlier this year, The Coalition to Reduce Cyber Risk (CR2) published a white paper with case studies highlighting the ways in which our members rely on global data flows for cybersecurity.
At a high level, data flows enable the integrated management of cybersecurity risk within an organization, as well as the use of cybersecurity service(s) from outside an organization, and information sharing between all those organizations. Cross-border data analysis can enhance the ability to identify malicious cyber activities with an international dimension, and cross-border cloud storage can increase the resilience of systems against targeted physical and digital attacks.
Data localization measures can actually undermine cybersecurity best practices, like “sharding,” where data is spread across multiple data centers to prevent full access by malicious actors. Without an understanding of global security trends and diagnostics, companies can miss the full picture on security vulnerabilities across jurisdictions. Lastly, but by no means least, data localization measures undermine the efficiencies and benefits of a global cybersecurity workforce, disproportionately impacting the countries without enough security experts, separating them from state-of-the-art cybersecurity protection.
We applaud the E.U. and the U.S. for reaching an agreement for the continued transatlantic transfer of data. In the long-term, we must ensure that concerns around where data resides and how it is protected do not unintentionally undermine legitimate cybersecurity activities. Wherever countries place limitations on cross-border data flows, they should look to establish exemptions for legitimate cybersecurity activities.
CR2 continues to support and inform the G7’s implementation of “Data Free Flow with Trust,” an initiative to promote cross-border data flows while protecting individual privacy, national security, and intellectual property. Governments should ensure that any future agreements and legislation on data flows incorporates an understanding of how global security telemetry is critical to enabling cyber defense and resilience, especially given the dynamic threat environment.