
The international economic order is undergoing a structural transformation as the physical movement of goods is increasingly superseded by the intangible exchange of data. Digital trade, defined as trade that is digitally enabled via the internet and associated technologies—whether ordered or delivered—has rendered the governance of cross-border data flows (CBDF) indispensable to modern trade policymaking. As data becomes the primary factor of production in the twenty-first century, the legal frameworks governing its movement across national boundaries have become the new frontier of international trade law. The core challenge for contemporary negotiators lies in reconciling the fundamental principle of the free flow of information, which is essential for innovation and economic efficiency, with the sovereign necessity to protect personal privacy, ensure national security, and maintain regulatory space for domestic public policy.
The Fragmentation of Global Data Governance
The current global landscape of data governance is characterized by a high degree of fragmentation, primarily due to the historical inability of multilateral institutions to keep pace with technological advancement. The World Trade Organization (WTO) currently lacks specialized, comprehensive regulations specifically addressing cross-border data flows. While the WTO Dispute Settlement Body has concluded that existing general rules apply to digital services, the absence of clear, modernized disciplines on data localization and mandatory transfers has created a regulatory vacuum. This stalemate at the multilateral level has led to the proliferation of Preferential Trade Agreements (PTAs) and a new class of treaties known as Digital Economy Agreements (DEAs), which have emerged as the primary instruments for governing the digital economy.
Between January 2000 and September 2025, approximately 74 of the 248 PTAs containing digital trade provisions specifically codified rules on CBDF. These agreements generally adopt a “principle plus exception” model, which combines a commitment to the free movement of data with specific exceptions designed to preserve the regulatory sovereignty of signatory states. However, the nature and enforceability of these principles and exceptions vary significantly across different regional blocs, leading to a “noodle bowl” of conflicting standards that increase compliance costs for businesses, particularly small and medium-sized enterprises (SMEs).
| Developmental Phase of Data Rules | Key Instrument/Agreement | Primary Characteristic | Legal Status of Flow |
| --- | --- | --- | --- |
| Phase 1: Emergence (Pre-2010) | GATS / Early Bilateral FTAs | General service obligations | Implicit/Unregulated |
| Phase 2: Formalization (2012) | KORUS FTA | E-commerce chapters introduced | “Shall endeavor” (Soft) |
| Phase 3: Binding Obligations (2018) | CPTPP | Prohibitions on localization | “Shall” (Binding) |
| Phase 4: Specialized Governance (2020+) | DEAs (DEPA, UK-Singapore) | Modular architecture | Interoperability-focused |
| Phase 5: Regional Sovereignty (2024-2026) | ASEAN DEFA / AfCFTA DTP | Development-centric models | Sovereignty-balanced |
Comparative Paradigms in Mega-Regional Agreements
The global governance of data is currently dominated by three distinct paradigms: the high-standard liberalization model led by the United States and codified in the CPTPP and USMCA; the state-centric, flexible “Asian paradigm” exemplified by the RCEP; and the fundamental rights-based adequacy model of the European Union.
The Liberalization Standard: CPTPP and USMCA
The Comprehensive and Progressive Agreement for Trans-Pacific Partnership (CPTPP) represents a milestone in digital trade rulemaking. Article 14.11 of the CPTPP explicitly prohibits member states from restricting cross-border data transfers for business purposes, while Article 14.13 prohibits requirements to localize data storage or computing facilities. The agreement allows for restrictions only when they are necessary to achieve a “legitimate public policy objective,” provided the measure is not an arbitrary or unjustifiable discrimination or a disguised restriction on trade.
The United States-Mexico-Canada Agreement (USMCA) builds upon the CPTPP template but introduces even stricter disciplines. Notably, the USMCA removes the “legitimate public policy” exception for data localization requirements, effectively creating an absolute ban on forced localization for private firms within the bloc. Furthermore, the USMCA adds a “proportionality” requirement, stipulating that any restriction on data transfers must be necessary and proportionate to the risks presented. This reflects an evolution toward a more rigid liberalization framework that prioritizes the operational efficiency of multinational corporations over regulatory flexibility.
The RCEP and the Asian Paradigm of Sovereignty
The Regional Comprehensive Economic Partnership (RCEP), which entered into force in 2022, offers a starkly different approach. While the RCEP nominally supports the principle of free data flows, its digital trade chapter (Chapter 12) includes broad, self-judging exceptions. A member state can unilaterally decide that a data restriction is necessary for national security or public policy, and this determination is not subject to dispute settlement.
This “looser” framework is often described as the “Asian paradigm,” designed to accommodate the diverse development levels and political systems of the Asia-Pacific region. By prioritizing national security and domestic regulatory space, the RCEP allows developing nations to participate in digital trade while retaining the power to implement data localization measures if deemed strategic. However, critics argue this renders the agreement “toothless” in terms of providing legal certainty for international firms.
The European Union’s Adequacy and Fundamental Rights
The European Union operates under a framework where data protection is not merely a trade concern but a fundamental right. Under the General Data Protection Regulation (GDPR), personal data transfers to third countries are prohibited unless the European Commission issues an “adequacy decision,” verifying that the recipient jurisdiction ensures a level of protection “essentially equivalent” to that of the EU.
Historically, the EU excluded data flow provisions from its trade agreements to safeguard the GDPR’s autonomy. This changed significantly with the EU-Japan Economic Partnership Agreement (EPA). In 2023, the EU and Japan concluded an amendment to the EPA to include binding disciplines on cross-border data flows, creating the world’s largest area of free and safe data movement. This evolution suggests that the EU is increasingly using its trade agreements to export its privacy standards, creating a “global data protection bar” that partners must meet to gain privileged market access.
Interoperability and Trust Mechanisms in Digital Trade
As the global digital economy fragments along regional lines, the focus of trade negotiations has shifted toward “interoperability”—the ability of different legal systems to interact without creating friction for data transfers.
The Global CBPR Forum
The Asia-Pacific Economic Cooperation (APEC) Cross-Border Privacy Rules (CBPR) system was the first major international attempt to create an interoperable privacy framework based on organizational accountability rather than geographic adequacy. In 2022, this regional initiative was expanded into the Global CBPR Forum, which now includes members such as Australia, Canada, Japan, Singapore, and the United States, with the United Kingdom joining as an associate member.
The Global CBPR system relies on third-party “Accountability Agents” to certify that an organization’s privacy policies meet international standards. This provides a scalable mechanism for businesses, particularly SMEs, to operate across multiple jurisdictions without undergoing separate compliance processes for every country. In 2025, the Forum launched its official certifications, signaling a move toward a truly global, industry-led standard for data privacy that complements existing national laws.
Modular Architecture in Digital Economy Agreements
Digital Economy Agreements (DEAs), pioneered by the Digital Economy Partnership Agreement (DEPA) between Chile, New Zealand, and Singapore, have introduced a “modular” approach to digital trade. Instead of a single, monolithic treaty, DEPA consists of discrete modules covering issues like e-invoicing, digital identity, data innovation, and AI ethics. This architecture allows countries to join specific modules as their domestic regulations mature, reducing the barriers to entry for international digital cooperation.
The modular design also facilitates the rapid creation of cutting-edge rules. For instance, DEPA includes modules on emerging technologies like artificial intelligence and digital identity that are entirely absent from older agreements like the CPTPP. This “living agreement” model is now being emulated by other nations, including the United Kingdom in its standalone DEAs with Singapore and Ukraine.
| Agreement Type | Interoperability Mechanism | Focus Area | Key Benefit |
| --- | --- | --- | --- |
| Adequacy (EU) | Geographically-based | National Law Equivalence | High-level protection; Market Access |
| CBPR (APEC/Global) | Organizationally-based | Corporate Accountability | Reduced compliance costs for SMEs |
| DEPA (Modular) | Component-based | Specific Policy Blocks | Flexibility; Speed of Negotiation |
| ASEAN DEFA | System-based | Regional Interoperability | Large-scale market integration |
The ASEAN Digital Economy Framework Agreement (DEFA)
Southeast Asia is currently at the center of the world’s most ambitious regional digital integration project. The ASEAN Digital Economy Framework Agreement (DEFA), negotiations for which began in late 2023, is set to become the first region-wide agreement exclusively focused on digital economy governance.
Economic Growth and Integration Goals
The stakes for DEFA are massive. The ASEAN digital economy is projected to reach $1 trillion by 2030, but successful implementation of DEFA could double this figure to $2 trillion. The agreement aims to harmonize rules for cross-border data flows, digital payments, and e-commerce across ten diverse economies. By reducing regulatory divergence—which currently costs ASEAN businesses $15–20 billion annually in compliance overhead—DEFA seeks to create a seamless, interoperable digital ecosystem.
A central feature of DEFA is its focus on inclusivity. With 97% of ASEAN businesses being SMEs, the agreement incorporates provisions for digital literacy, skills development, and simplified cross-border transaction processes. The goal is to transform ASEAN from a “rule-taker” in the global digital economy into a “rule-shaper” that advances a homegrown, pragmatic approach to digital trade.
Case Study: Indonesia’s Personal Data Protection Law and Geopolitical Pressures
As the largest digital economy in ASEAN, Indonesia’s domestic policy shifts provide a critical look at the tensions between trade and data protection. In 2022, Indonesia enacted Law No. 27/2022 on Personal Data Protection (PDP Law), establishing a comprehensive legal structure largely aligned with the GDPR. The law establishes robust rights for data subjects, including the right to data portability and the right to erasure.
However, Indonesia’s efforts to align with international standards have faced internal and external challenges. In July 2025, Indonesia and the United States concluded a reciprocal trade arrangement that included a controversial recognition of the US as an “adequate” jurisdiction for personal data protection. This move, taken before Indonesia had established its own Personal Data Protection Authority (PDPA) or finalized its adequacy criteria, has been criticized as a “shortcut” that undermines the legal legitimacy of Indonesia’s privacy framework.
This decision has been challenged in the Indonesian Constitutional Court, with petitioners arguing that Article 56 of the PDP Law, as applied in the US-Indonesia deal, violates citizens’ constitutional rights to privacy and national sovereignty. This case highlights a broader global trend: the risk that trade convenience may lead governments to bypass rigorous data protection due diligence, potentially exposing citizens’ data to misuse or foreign surveillance.
| Indonesia’s PDP Law Key Provisions | Status (as of 2026) | Enforcement / Authority |
| --- | --- | --- |
| DPO Appointment | Mandatory for high-risk/large-scale processing | Interpretation clarified by Court (2025) |
| Cross-Border Transfer | Adequacy, SCCs, or Explicit Consent | Subject to Constitutional Review (2025) |
| Data Subject Rights | Erasure, Portability, Non-discrimination | Active; Empowered by PDP Law |
| Criminal Liability | Fines and imprisonment for disclosure | Defined in Articles 65 and 67 |
Economic Realities and the Cost of Data Localization
The move toward data localization—regulations requiring that data be stored or processed within a country’s borders—is driven by concerns over national security and law enforcement access. However, the economic impact of these measures is profound and often counterproductive to digital development goals.
Impact on Investment and SMEs
Data localization mandates often act as a significant deterrent to foreign direct investment (FDI). For example, Indonesia’s 2023 experiment with localized data rules resulted in $2.1 billion of tech investment being diverted to regional competitors like Singapore and Malaysia. Localization requirements create a “huge burden” for businesses, increasing costs by 30% to 60% as firms are forced to build or rent local data centers rather than utilizing global cloud infrastructure.
SMEs are the most vulnerable to these costs. Approximately 70% of ASEAN’s 71 million SMEs lack the resources to navigate the patchwork of conflicting national data rules. Agreements like the DEFA, which aim to ban data localization and harmonize standards, are projected to cut cross-border transaction costs by 30%, enabling small businesses to compete on a global scale for the first time.
The Data Center Investment Boom of 2025-2026
Despite the trade-related push against localization, the demand for local digital infrastructure is surging, driven by the needs of artificial intelligence and cloud computing. UNCTAD reports that in 2025, announced FDI in data centers exceeded $270 billion, representing more than 20% of all global greenfield investment.
This investment is heavily concentrated in developed economies like France, the United States, and South Korea, which capture the majority of strategic, technology-driven FDI. Developing countries face a risk of being “sidelined” in this new investment landscape if they fail to provide a stable, interoperable regulatory environment. The “servicification” of trade is accelerating this shift; digitally deliverable services now account for 56% of global services exports, yet this share is only 16% in least developed countries, reflecting a widening digital divide.
Geopolitical Shifts: UK Accession and the Future of CPTPP
The entry of the United Kingdom into the CPTPP in late 2024 and its full integration through 2025 marks a new chapter in the geopolitics of digital trade. As the first non-founding and first European member, the UK is positioning itself as a “bridge” between the European fundamental rights approach and the Pacific liberalization approach.
The UK accession is expected to drive a “refit” of the CPTPP’s digital trade chapter. Businesses and negotiators are pushing for the agreement to reflect modern best practices found in more recent DEAs, such as prohibitions on data localization for a broader range of sectors and the inclusion of principles on digital identity and AI governance. This suggests that the CPTPP will continue to evolve as a “living agreement,” adapting its standards to maintain its status as the global benchmark for high-standard digital trade.
Analysis of Global Trade Trends for 2026
As we move into 2026, several key trends are redefining the relationship between data and trade. UNCTAD and OECD reports indicate that while global trade growth is slowing, the digital components of trade are continuing to expand, albeit against a backdrop of rising protectionism.
- Rise of Strategic Protectionism: Governments are increasingly using tariffs and data restrictions to pursue industrial and strategic objectives. In 2025, tariffs rose significantly in manufacturing and electronics, driven by geopolitical tensions and supply-chain reconfiguration.
- Focus on Supply-Chain Resilience: The OECD’s Supply Chain Resilience Review (2025) emphasizes that “trust” is becoming a primary factor in trade relations. Countries are increasingly aligning their data flow policies with “like-minded” partners to ensure the security and integrity of their digital infrastructure.
- The AI-Infrastructure Nexus: Telecommunications and data center investment have, for the first time, surpassed renewable energy in value, signaling that digital infrastructure is now the primary recipient of global project finance. This shift necessitates new trade rules that address the specific needs of AI systems, which require vast, uninterrupted cross-border data flows to function.
- WTO Reform and the Plurilateral Path: While the WTO’s 14th Ministerial Conference faces headwinds, the “stabilized text” of the plurilateral Agreement on E-commerce provides a glimmer of hope for a global baseline on data protection, even if it falls short of the binding disciplines found in mega-regional FTAs.
Synthesis and Nuanced Insights
The data collected suggests that the global governance of cross-border data flows is moving away from a single “global” model and toward a system of “fragmented interoperability.” While the dream of a unified WTO framework remains stalled, the emergence of DEAs and the evolution of mega-regional blocs like the CPTPP and ASEAN DEFA are creating overlapping spheres of influence.
The tension between trade liberalization and data protection is being managed through increasingly sophisticated legal tests. We are seeing a move from simple “necessity” tests toward “proportionality” and “adequacy” frameworks that require a high degree of domestic institutional capacity. This has significant implications for developing nations, which may find themselves “rule-takers” in a system where market access is contingent on adopting complex privacy and cybersecurity standards developed in Washington, Brussels, or Tokyo.
Furthermore, the rise of AI is fundamentally changing the stakes of data governance. Data is no longer just “information”; it is the “fuel” for sovereign AI capabilities. As a result, we should expect future trade agreements to move beyond privacy and localization to address the governance of “important” or “sensitive” data through the lens of national security exceptions, potentially leading to a more restricted and scrutinized global data environment.
Conclusions and Recommendations
The research indicates that the future of digital trade will be defined by the ability of nations to build “trust-based” digital corridors. For businesses and policymakers navigating this landscape, the following conclusions are paramount:
- Interoperability is the only viable path forward. In a world of divergent legal philosophies (EU vs. US vs. China), frameworks like the Global CBPR Forum and modular DEAs provide the most realistic way to facilitate trade while respecting local privacy laws.
- Data protection is now a non-tariff barrier. Jurisdictions that fail to establish robust, transparent, and internationally-recognized data protection authorities will face increased investment diversion and higher compliance costs for their domestic firms.
- The “Noodle Bowl” of digital rules requires active management. Firms must invest in sophisticated compliance systems that can map multiple, overlapping FTA provisions to their internal data processing activities to avoid legal and operational risks.
- Developmental gaps must be addressed through technical assistance. The widening digital divide between developed and least developed countries poses a risk to the long-term stability of the global digital economy. Future FTAs should incorporate “Digital Development” chapters that provide for skills transfer and infrastructure support.
In summary, the governance of cross-border data flows is no longer a peripheral issue of trade policy; it is the central architecture of the modern global economy. The agreements negotiated in 2025 and 2026 will determine whether the digital world remains open and innovative or becomes a fragmented collection of “data silos” defined by geopolitical boundaries. Successful nations will be those that can master the “principle + exception” model to protect their citizens without alienating the global digital investment that drives growth.
Sources for the article:
- academic.oup.com: Evolving approaches to cross-border data flows: Latin American and …
- scitepress.org: International Legal Regulation of Cross-Border Data Flows in Digital Trade – SciTePress
- cigionline.org: As Global Trade Goes Digital, Trust Becomes Critical – Centre for …
- europeanpapers.eu: The Issue of Data Protection in EU Trade Commitments: Cross-border Data Transfers in GATS and Bilateral Free Trade Agreements | European Papers
- mjilonline.org: Data Localization: The Compatibility with GATS and Its Outlook – Michigan Journal of International Law
- asiafoundation.org: Digital Trade Agreements in Asia and the Pacific
- itic.org: The Digital Economy Framework Agreement: ASEAN’s Anchor in a …
- cigionline.org: Trade Agreements and Data Governance – Centre for International …
- tandfonline.com: RCEP rules on cross-border data flows: Asian characteristics and implications for developing countries – Taylor & Francis
- blogdroiteuropeen.com: EU-JAPAN MUTUAL ADEQUACY DECISION
- cigionline.org: Data Rules in Modern Trade Agreements: Toward Reconciling an Open Internet with Privacy and Security Safeguards – Centre for International Governance Innovation
- dentonsdata.com: The Limits of Data Localization Laws: Trade, Investment, and Data – Dentons Data
- researchgate.net: (PDF) Trade Agreements and Data Governance – ResearchGate
- clearygottlieb.com: Europe and Japan towards the Future – the first post GDPR adequacy decision of the European Commission Natascha Gerlach and Ja – Cleary Gottlieb
- eur-lex.europa.eu: IMMC.COM%282023%29275%20final.ENG.xhtml … – EUR-Lex
- hoganlovells.com: The Global Cross Border Privacy Rules – A new paradigm in data …
- insideprivacy.com: Global CBPR and PRP Certifications Launched: A New International Data Transfer Mechanism | Inside Privacy
- globalcbpr.org: Global CBPR Forum – Building Digital Trust through Partnerships
- kluwerlawonline.com: From APEC to Global: The Establishment of the Global CBPR Forum – Kluwer Law Online
- internationalaffairs.org.au: Southeast Asia’s Digital Future Should Be Built, Not Borrowed
- eastasiaforum.org: Building on the modular design of DEPA – East Asia Forum
- committees.parliament.uk: DIGITAL TRADE UNDER CPTPP AND IMPLICATIONS FOR THE UNITED KINGDOM – UK Parliament Committees
- citp.ac.uk: A data and digital trade policy for the UK – economic, societal and industrial policy aspects
- thailand-business-news.com: The Importance of ASEAN’s Partnership Model in Enhancing Global Cooperation
- weforum.org: ASEAN takes major step toward landmark digital economy pact …
- aseanbriefing.com: Indonesia’s Comprehensive Personal Data Protection Law Guide – ASEAN Briefing
- dataguidance.com: Indonesia | Jurisdictions – DataGuidance
- eria.org: Between Trade and Trust: Rethinking Indonesia–US Cross-Border …
- ahp.id: Indonesia’s PDP Law Update: Broader DPO Mandate Confirmed …
- dentons.hprplawyers.com: Personal data transfer beyond borders: Indonesia’s personal data protection law faces constitutional review – Dentons HPRP
- law.georgetown.edu: Regulation of Data Localization and How the Legal Profession Can Play a Role – Georgetown Law
- unctad.org: Data centres are reshaping the global investment landscape – UNCTAD
- unctad.org: Global Trade Update (January 2026): Top trends redefining global trade in 2026 – UNCTAD
- unctad.org: 10 trends shaping global trade in 2026 | UN Trade and Development (UNCTAD)
- britishchambers.org.uk: Huge Potential In Future Of CPTPP – British Chambers of Commerce
- techuk.org: UK Accession to the CPTPP: Benefits, Opportunities, and Navigation Guide – techUK
- assets.publishing.service.gov.uk: UK Accession to CPTPP: The UK’s Strategic Approach
- unctad.org: Global Trade Update (January 2026) – UNCTAD
- oecd.org: Key developments shaping global trade in 2025: An OECD perspective