The Deep Blue Sea of Global Data Flows. Implications of the Convergence of Privacy Regimes for Overseas Transfer of Personal Data

After the General Data Protection Regulation (GDPR) entered into force, the topic of overseas transfer of personal data for purposes of storage and processing has gained visibility and prominence in both the privacy impact assessments and the informed consent forms issued by EEA based organisations. Related compliance issues have been exacerbated by a 2020 ruling of the European Court of Justice, which upheld the adoption by US based providers of Standard Contract Clauses to safeguard the data subjects' rights of EEA citizens whose personal data is stored or processed on their platforms. A little explored set of privacy issues materializes when data flows take the opposite direction: i.e. gathered/stored outside and shared/processed inside the EEA space. This paper takes such perspective to examine, in a comparative fashion, the similarities and distinctions between the GDPR provisions and the privacy regimes of China, US and UK (after Brexit), each of them undertaking a process of transformation, and convergence towards GDPR, although with different approaches and pathways. The topic can be of interest for research or service teams engaged in multi-country data gathering, a trend one may expect to grow in the future.