Cross-Border Data Transfers & Regulatory Compliance

Cross-border data transfers also support efforts to comply with various regulatory requirements relating to the protection of health, privacy, security, safety, consumers, and the environment, as summarized below.
  • Data Transfers & Financial Services Regulatory Compliance. In the financial services sector, cross-border data transfers support compliance with governmental rules designed to prevent consumer fraud, securities and financial crimes (e.g., insider trading), money laundering, and corrupt practices. For example, fraud detection models are typically built on global transaction data or transaction data collected from multiple countries because fraud patterns are not limited by national boundaries. Fraud trends that appear in one region or country may apply in others as cardholders travel to different countries, cardholders transact online with merchants in different countries, and the perpetrators of fraud do not respect any national boundary lines. Thus, to build effective fraud models and to gain the necessary insights into fraudulent activity in order to help prevent it, these models must be built off of global or multi-country data sets, based both on the location of the merchant and the location of the cardholder.
  • Data Transfers & Government Investigations. Some claim that data localization and data transfer restrictions are necessary to ensure that authorities will have access to data relevant to conduct investigations. The location of the data, however, is not the determining factor. Indeed, financial service regulators and enforcement authorities from countries including Australia, Canada, Japan, Mexico, Singapore, the UK, and the US have agreed that financial services data should not be subject to localization requirements in one country, provided that financial regulatory authorities have ready access for regulatory and supervisory purposes to information stored in any other territory. This is in part due to the recognition, as explained by some of these authorities, that “data localization requirements can increase…operational risks, hinder risk management and compliance, and inhibit financial regulatory and supervisory access to information.” 1
  • Data Transfers & Multi-Jurisdictional Law Enforcement Access. Responsible private sector service providers work to respond to lawful requests for data consistent with their obligations to their customers and to protect consumer privacy. As reflected in the Organisation for Economic Co-operation and Development’s (OECD) Declaration on Government Access to Data Held by the Private Sector, like-minded governments are working to define their core principles and common values when accessing personal data for national security and law enforcement purposes. The principles help increase trust in cross-border data transfers. Generally speaking, if the service provider has a conflicting legal obligation not to disclose data, law enforcement has several options. International agreements—including Mutual Legal Assistance Treaties (MLATs) or Agreements (MLAAs), multilateral treaties, and other agreements, such as those authorized by the United States Clarifying Lawful Overseas Use of Data (CLOUD) Act—can establish foundations for mutual legal assistance and reciprocal transfers of law enforcement data. Courts may also issue requests to authorities abroad for the transfer of data through letters rogatory.

1See e.g., United States-Singapore Joint Statement on Financial Services Data Connectivity,