Editor's Note: This article is the eighth installment in an ongoing RANE series on the shifting patterns of global trade. The first installment provided a broad overview of the geopolitical and economic implications of these shifts. Other installments have examined trade patterns in the Americas, the Strait of Hormuz, Japan and South Korea, India, Turkey and ASEAN countries.

Rising impediments to digital trade and cross-border data flows are leading to increasingly complex and costly regulations that could slow economic gains and potentially hinder global innovation, with smaller companies generally at greatest disadvantage. At least three distinct but related sets of data, cybersecurity and digital services regulations are increasingly impeding cross-border data flows, posing challenges to both traditional and digital trade, and effectively functioning as nontariff barriers. First, most governments worldwide are progressively enacting data localization rules, which mandate that data collected within a certain country or region be stored and processed within national borders. Many of these policies also combine local storage requirements with restrictions or full prohibitions on data outflows. Second, countries are adopting varying cybersecurity requirements — such as encryption standards, specific security certifications or security mandates for data storage — that can impede cross-border data flows or digital trade more broadly. Third, digital service taxes, which tax the revenues derived from providing a particular digital service to users within a specific jurisdiction regardless of where the company is based, are also becoming increasingly common. Though often justified with legitimate policy goals or concerns like privacy or national security, these moves can also be designed to bolster domestic industries and limit the influx of foreign competition. 

• According to data from the Organization for Economic Cooperation and Development, or OECD, nearly 100 data localization measures were in place across 40 countries by early 2023, with the majority emerging within the last decade. The OECD also found that the measures were becoming increasingly restrictive, with more than two-thirds involving the combination of a storage requirement with a data flow prohibition. 
• In recent years, China has developed a robust framework for restricting and regulating cross-border data flows through its Cybersecurity Law, Data Security Law and Personal Information Protection Law, with regulations primarily applying to personal data and "important data." For these types of data to be transferred abroad, entities must undergo a security assessment by authorities that considers whether the transfer is necessary, whether the number of individuals impacted is proportionate to the purpose and whether the scope of information collected and processed is appropriately limited. 
• In April, the U.S. Department of Justice's new rule, "Preventing Access to U.S. Sensitive Personal Data and Government-Related Data by Countries of Concern or Covered Persons," entered into effect. The rule prohibits or restricts certain transactions involving bulk U.S. sensitive personal data or government-related data with designated countries of concern, which include China, Russia, Cuba, Iran, North Korea and Venezuela. 
• The European Union has positioned itself as a global leader in digital regulations, with its proactive legislative efforts aiming to shape global digital standards. EU legislation like the General Data Protection Regulation (GDPR), Digital Services Act and Digital Markets Act, along with the novel Artificial Intelligence Act, sets high standards for digital rules, which various jurisdictions around the world have sought to emulate. 

The accelerating digitization of the global economy and increasing reliance on digital services have incentivized many countries to assert greater control over data for a variety of reasons, including through the implementation of digital services taxes. The advent of the internet age has not only made it vastly easier for businesses to provide services (like software programs, social media platforms, streaming services or e-commerce platforms) beyond borders, but also made offering services beyond borders a necessity for a company that wants to scale and become multinational. As digital services become increasingly common, a growing number of governments have implemented digital service taxes to tax the revenues that these services generate from users within their jurisdiction, irrespective of where the company is based. This concept has garnered significant backlash from U.S. companies that say they are unfairly targeted. Beyond digital trade, the collection, analysis, storage and transfer of data is now inherently part of not only digital services, but also of nearly any type of digital infrastructure. This data is becoming increasingly valuable as a critical corporate and strategic asset for businesses and governments, respectively, making cross-border data flows a key part of many types of global trade. As the global economy increasingly relies on data to operate in a wide array of industries, it has driven the proliferation of restrictive policies rooted in economic protectionism, national security, geopolitical tensions and/or privacy concerns. Oftentimes, these motivations are deeply intertwined and used to justify economic protectionism. Many countries see data flow restrictions as a tool to bolster domestic economies by fostering job creation and nurturing homegrown digital infrastructure while also stimulating domestic industries by providing them with an advantage over foreign industries. Geopolitical competition, such as between the United States and China, and national security concerns also serve as an impetus for data flow regulations as countries seek to retain data within national borders to mitigate risks of foreign surveillance or other unauthorized access to sensitive data. Other jurisdictions focus more on individual data privacy rights, like the European Union with its GDPR, which effectively restricts data export through its "adequate protection" mandate that requires comparable data protections in the recipient country for the free flow of data. 

• The concept of data essentially serving as a currency in the digital age is gaining traction. Research commonly finds that platforms like Meta, Amazon, Alphabet and ByteDance maintain dominance in the market because they are the main collectors of digital advertising revenue. This collection creates a phenomenon where the more users there are, the more robust the data will be, improving the quality of the service and attracting more users. 
• In June 2024, Canada passed its Digital Services Tax Act, which entered into force the same month. The act required large technology companies with global revenues exceeding CA$1.2 billion (about US$820 million) and revenue in Canada of more than CA$20 million to pay a 3% tax on certain digital service revenues earned in Canada. While the tax had been in force since June 2024, payments were not due until June 30, 2025, and required companies to retroactively pay, going back to Jan. 1, 2022. Because the tax effectively only impacted U.S. companies, since those are the main companies that meet the stated threshold, there was considerable backlash in the United States, with President Donald Trump briefly calling off trade negotiations with Canada on June 27 in retaliation for the levy. As a result, Canada announced it would cancel the tax, restarting trade talks with the United States. 
• According to a January 2025 report from the U.S. Congressional Research Service, 19 countries, including major economies like India, Indonesia and the United Kingdom, have issued taxes on foreign digital service providers. 

Though there will likely be efforts to simplify and streamline certain data transfers and digital trade requirements, the global AI race and diverging national digital governance models will contribute to an increasingly fragmented regulatory environment for both digital trade and cross-border data flows. As more countries continue to introduce data localization laws or other regulations that limit data flows and/or drive up costs of digital trade, the global regulatory landscape for data will become increasingly fragmented, making it more difficult for multinational companies to operate in various jurisdictions. Though some jurisdictions will try to facilitate cross-border data flows and digital trade to reap economic benefits (particularly with allied countries), heightened geopolitical tensions, trade disputes and the global AI competition will exacerbate growing fragmentation. As AI development inherently relies on access to vast datasets, it creates tension between national interests in implementing personal data protection measures and accessing extensive and diverse troves of data to train models and bolster domestic economies, either through building up AI sectors or increasingly incorporating AI into business practices. Moreover, global powers have adopted specific approaches to data flows, which could ultimately result in spheres of influence in cyberspace, with smaller powers aligning their policies to those of major powers. For example, the United States, which has historically refrained from data flow restrictions, is now shifting to implement data controls regarding certain countries in the name of national security. Meanwhile, China seeks to assert control over data flow and usage, while the European Union emphasizes privacy and individual rights in its approach. As smaller powers adopt approaches that align with such spheres, data flows will be increasingly dictated by political alliances rather than economic efficiency, further contributing to the growing balkanization of cyberspace. Separately, some states could drastically reduce or wholly eliminate regulations governing data flows and digital trade in efforts to market themselves as appealing places for international businesses to operate and expand. While there are no obvious cases yet, smaller powers would be most likely to pursue this strategy as they seek to compete with larger powers like the United States and China.

• Despite China's strict control over data governance, in November 2024, it announced a cross-border data flow cooperation initiative that could bring BRICS members and developing countries, in which China is bolstering its influence, into Beijing's regulatory sphere for issues like privacy and AI governance. 
• The "adequate protection" clause of the European Union's GDPR only allows data transfers to non-EU countries that implement protections the European Commission has deemed comparable to those within the bloc. This supports the notion of competing spheres of cyberspace, with the European Union enabling free transfer of personal data only to those that align with its approach to data governance. However, this type of approach is not necessarily dependent on having close relations and instead relies strictly on adherence to EU standards, as evidenced by consistent issues in initially implementing an EU-U.S. data transfer agreement and renewed uncertainty about the agreement amid the Trump administration's tariff policy. 
• New GDPR procedural rules agreed upon in June seek to accelerate enforcement and streamline the resolution of cross-border investigations into personal data breaches and violations, which typically focus on Big Tech companies like Meta, X and Google and often take years to complete. The final version of the rules requires one national data protection authority to lead investigations, which will most often be Ireland's Data Protection Commission, since European operations for most Big Tech companies are housed there. It also contains simplified cooperation procedures between national data protection authorities and an overall investigation deadline of 15 months, which can be extended for an additional 12 months in particularly complex cases. Still, rather than facilitating easier data transfers, the changes maintain existing stringent restrictions on data flows outside of the European Union and seek only to streamline the resolution of disputes, not actual transfers. 
• AI's need for expansive access to data can conflict with data localization measures, though global AI leaders could attempt to implement control over data in efforts to gain a competitive edge. For example, U.S. data export restrictions to adversarial countries like China, which remains the United States' largest competitor in AI, are primarily centered on national security concerns but could have the added benefit of restricting the flow of data that could be used to train Chinese AI models.

The growing stratification of data governance will make it more costly to do business across borders, resulting in higher costs, harming smaller companies and potentially slowing innovation. At a base level, these restrictions can impede the free flow of data that props up many modern-day industries, making international operations increasingly challenging for multinational companies. Such regulations inherently complicate and constrain international data exchange by substantially increasing transaction costs for international businesses, which creates a trade barrier for multinational companies and benefits domestic businesses over foreign ones. Factors like needing additional infrastructure and hiring more personnel, as well as a heightened risk of lawsuits and compliance burdens, all contribute to the higher cost of doing business for foreign entities. Data localization may require foreign companies to shift to local servers, invest in new data centers or rent space from local providers, which can come at a higher cost than using global cloud services, for example. Additionally, there are increased operational costs associated with managing multiple data storage and processing sites. Moreover, navigating multiple overlapping or contradicting data requirements across different jurisdictions requires specialized compliance expertise and resources, and can result in fees or legal challenges if companies fail to comply with local regulations, which can create challenges for maintaining operations. Data localization can also thwart the efficiency of operations that come with centralized data storage and processing, reducing economies of scale that would save costs through increased productivity. All of this taken together means higher costs for companies operating in jurisdictions with data restrictions. Small businesses are at a particular disadvantage in participating in international markets with data or digital trade regulations, as larger corporations are better positioned to cover the higher costs of operating. Additionally, these higher costs associated with doing business mean that less business overall is taking place, which, all other things equal, reduces competitiveness and makes businesses less incentivized to find novel ways to improve products and services to gain an advantage over their rivals. Over time, this opens the door to potentially lower rates of innovation than otherwise would be the case over a long time horizon. 

• Illustrating the economic consequences of restrictions on data flows, an OECD report published on Feb. 10 estimated that full fragmentation, where all economies fully restrict their data flows, would result in a global GDP loss of 4.5% and reductions in exports of 8.5%. On the contrary, without any kind of regulation, the OECD estimated that global GDP would still fall by almost 1% due to a loss of trust, as entities would be less inclined to participate in markets without safeguards on data. As such, the report asserted that open regimes that include safeguards could strike a balance between trust benefits and trade costs, with an estimated 1.77% growth in GDP and 3.6% growth in global exports if all economies adopted such approaches.