Trump’s impact on global data sovereignty

Donald J. Trump is back and is already making waves. The new administration hasn’t yet addressed data sovereignty, but expectations are that cross-border data transfers will become increasingly difficult, particularly for countries outside the U.S. that don’t rely on American-based technology and cloud service providers.

During his previous administration, Trump pursued policies that emphasized national security, economic protectionism, and America-first strategies in technology and trade. It’s likely that his administration would implement policies affecting global data governance, digital trade agreements, and cross-border data flows.

While specific policy changes remain uncertain, several key trends and potential impacts can be anticipated. These include stricter regulations on foreign data storage, increased scrutiny of international technology partnerships, and potential revisions to existing agreements like the CLOUD Act and GDPR-related frameworks. Countries that host major data centers or depend on U.S. tech infrastructure may need to reassess their data security strategies, regulatory frameworks, and compliance measures.

In this blog, we will explore how Trump’s new administration might shape the future of data sovereignty, examining possible shifts in policy, their implications for businesses and governments, and the broader impact on global digital privacy laws.

Global data residency trends by countries 

The Trump administration’s approach to international data agreements has sparked significant tensions, especially with the European Union (EU) and China. A major point of dispute has been the EU-U.S. data privacy framework. Despite initially deciding to uphold the Privacy Shield framework, its invalidation by the Court of Justice of the European Union (CJEU) in 2020 introduced a period of uncertainty.

Regarding China, the Trump administration’s aggressive stance, characterized by trade disputes and strict regulations, has been notable. It has levied tariffs on Chinese imports, labeled China a currency manipulator, and tightened high-tech export controls to China.

These actions, along with the broadening of the Committee on Foreign Investment in the United States (CFIUS) to examine Chinese investments in U.S. technology, have strained international data cooperation with China. The emphasis on national security and safeguarding U.S. technological progress has heightened federal scrutiny and imposed restrictions on data transfers to “countries of concern,” particularly China.

China has recently announced a new “Global Cross-Border Data Flow Cooperation Initiative” in November 2024, which aims to stimulate cross-border data flows. This initiative marks a shift from China’s previous focus on data security towards facilitating international data transfers, possibly to attract foreign investment.

Vietnam implemented a new cybersecurity law requiring businesses to store data locally, which came into effect on October 1, 2022. This law has raised concerns among trade partners, including Canada and Japan, regarding its compatibility with the Comprehensive and Progressive Agreement for Trans-Pacific Partnership (CPTPP).

Brazil’s General Data Protection Law (LGPD) requires explicit consent for data processing. While no specific upcoming changes are mentioned, it’s part of a global trend towards stricter data protection regulations.

Many Canadian companies rely on U.S.-based cloud services (AWS, Microsoft, Google). If Trump introduces policies that allow more government access to foreign data, Canadian businesses may face legal and compliance issues. Canada may push for stricter data localization laws, forcing companies to store and process data domestically instead of in U.S. data centers. Canada has expressed concerns about Vietnam’s data localization laws and continues to urge implementation consistent with CPTPP commitments. Canada is also a member of the Global Cross-Border Privacy Rules (CBPR) system, which facilitates privacy-respecting data flows among member economies.

France and Germany, as part of the European Union, are subject to the GDPR. European leaders have called for both digital protectionism and data sovereignty, with proposals pushing for data localization and asserting the need for cloud providers owned and operated in Europe.

Australia has implemented the Information Security Registered Assessors Program (IRAP), which provides guidelines for secure and compliant cloud resources. Australia is also a member of the Global CBPR system.

It’s important to note that data privacy regulations are continually evolving globally, with an estimated 75% of the world’s population expected to have their personal data covered under modern privacy regulations by 2025, based on global researches.

Executive Orders on Cybersecurity

Under President Trump’s administration, a pivotal move to bolster American cybersecurity was the enactment of Executive Order 13800, entitled “Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure,” on May 11, 2017. This directive sought to enhance the country’s cyber defenses and capabilities amidst growing cybersecurity threats. It highlighted key areas such as upgrading the federal information technology infrastructure, fostering collaboration with state, local governments, and private sector allies to protect critical infrastructure, and building international partnerships with allies to tackle common cybersecurity challenges.

The executive order also underscored the necessity of holding executive department and agency leaders accountable for cybersecurity risk management within their operations. This measure aimed at promoting a cohesive and strong cybersecurity strategy across the federal government, safeguarding sensitive information and critical infrastructure against cyber threats.

Influence on American Tech Companies

The Trump administration’s strategies and executive measures significantly influenced American technology companies, especially in innovation, regulation, and national security domains. The administration’s drive towards deregulation and an “America First” policy fostered a pro-business climate that spurred innovation and investment in key areas like artificial intelligence (AI), digital finance, and cloud computing. This approach was anticipated to lower innovation barriers, enabling U.S. firms to be more competitive internationally.

Yet, this transition also required tech companies to adapt to a shifting regulatory environment. For example, the administration’s reduction in support for initiatives focusing on clean energy, diversity, equity, and inclusion (DEI), and environmental, social, and governance (ESG) posed challenges for technology companies dependent on these initiatives. Despite these hurdles, the overall atmosphere was viewed as supportive of growth and innovation, with numerous tech companies foreseeing new opportunities and enhanced global competitiveness.

Impact on data residency rules for Personal Health Information

President Trump’s administration is likely to have a significant impact on data residency rules for Personal Health Information (PHI) in countries outside the United States. While specific changes are not yet clear, several trends and potential impacts can be identified:

  1. Increased scrutiny on cross-border data transfers: The recent Executive Order from February 28, 2024, directs new regulatory steps to limit the transfer of sensitive personal data, including health care data, outside of the United States to “countries of concern”. This suggests a tightening of regulations around international PHI transfers.
  2. Potential conflicts with existing regulations: The executive order may create conflicts with current HIPAA rules, which do not include specific requirements for electronic PHI processed or stored outside the United States. This could lead to a need for clarification or updates to existing healthcare privacy regulations.
  3. State-level complexity: Trump’s commitment to federal deregulation may lead to more state-level privacy laws, creating a complex patchwork of regulations for organizations operating across multiple states. This could indirectly affect international data residency rules as companies navigate varying state requirements.
  4. Emphasis on national security: The administration’s focus on national security concerns related to data brokers and foreign access to sensitive data may result in stricter controls on PHI transfers to certain countries.
  5. Potential for new international agreements: As the U.S. reevaluates its approach to data privacy and cross-border transfers, there may be a need for new or renegotiated international agreements to ensure the continued flow of PHI while maintaining security and privacy standards.

It’s important to note that while these potential impacts can be inferred from current policies and executive orders, the full extent of changes to data residency rules for PHI in countries outside the United States will likely become clearer as specific policies are implemented and enforced under the Trump administration.

The administration’s tensions with international data agreements, particularly with the EU and China, have led to a more fragmented global data landscape, with increased emphasis on data localization and national security concerns.

Companies and governments must navigate this complex landscape, ensuring compliance with diverse regulations while advocating for balanced and effective data protection laws.

Stakeholders must stay informed and engaged, pushing for policies that balance national security with the need for innovation and global collaboration. By doing so, we can ensure that data sovereignty enhances security without hindering the free flow of information that drives global progress.