The Deep Blue Sea of Global Data Flows. Implications of the Convergence of Privacy Regimes for Overseas Transfer of Personal Data

Francesco Molinari*, Dragan Čišić**, Božidar Kovačić***
University of Rijeka, Department of Informatics, Rijeka, Croatia
*Corresponding author: mail@francescomolinari.it
**dragan.cisic@uniri.hr
***bkovacic@inf.uniri.hr

Abstract - After the General Data Protection Regulation (GDPR) entered into force, the topic of overseas transfer of personal data for purposes of storage and processing has gained visibility and prominence in both the privacy impact assessments and the informed consent forms issued by EEA based organisations. Related compliance issues have been exacerbated by a 2020 ruling of the European Court of Justice, which upheld the adoption by US based providers of Standard Contractual Clauses to safeguard the data subjects’ rights of EEA citizens whose personal data is stored or processed on their platforms. A little explored set of privacy issues materialises when data flows take the opposite direction, i.e. data gathered or stored outside and shared or processed inside the EEA. This paper takes that perspective to examine, in a comparative fashion, the similarities and distinctions between the GDPR provisions and the privacy regimes of China, the US and the UK (after Brexit), each of which is undergoing a process of transformation and convergence towards the GDPR, although with different approaches and pathways. The topic may be of interest to research or service teams engaged in multi-country data gathering, a trend one may expect to grow in the future.

Keywords: GDPR, China, EU/US Privacy Shield, UK Brexit

I. INTRODUCTION

With the entry into force of the EU General Data Protection Regulation (henceforth: GDPR) in May 2018 [1], which introduced significant changes to the previous Data Protection Directive 95/46/EC, the level of protection of citizens in relation to the processing of personal data by organisations established in the European Economic Area (henceforth: EEA) has been enhanced considerably. Perhaps the most important provision of all is that, to comply with the GDPR, internal policies must be adopted and specific technical and organisational measures implemented, so as to shape data processing activities according to the twin principles of “Data Protection by Design” and “Data Protection by Default”. Examples of such policies and measures are provided in Art. 25 of the GDPR and include, for instance, data anonymisation, the use of pseudonyms to conceal the real identity of data owners, and data minimisation, i.e. the use of only the subset of personal data strictly necessary for a specific purpose. Over the past few years, a plethora of ex-ante privacy impact assessments and informed data subject consent forms have been issued or revised by data controllers and processors to document their compliance with GDPR provisions. Quite interestingly, this positive trend has involved not only EEA based organisations but also other entities, acting as service providers, located outside the EEA. As a result, the topic of overseas transfer of personal data for purposes of storage and processing has gained visibility and prominence in the perspective of data subjects in an unprecedented manner. However, compliance with GDPR provisions by non-EEA based service providers is only a first step, albeit a crucial one, towards safeguarding the data subjects’ rights of EEA citizens and businesses.
What needs to be considered in addition is the alignment with the GDPR of national rules and regulations in the country of destination, whether temporary or permanent, of their personal data flows. This concern was brought to the forefront by the 16 July 2020 ruling of the European Court of Justice (henceforth: ECJ) [2], which upheld the adoption by US based service providers of Standard Contractual Clauses (henceforth: SCCs) to safeguard the data subjects’ rights of EEA citizens whose personal data is stored or processed on their platforms. The case is well known: an Austrian privacy advocate, Max Schrems, filed a complaint against Facebook with the Irish Data Protection Commissioner, requesting that the transfer of personal data from Ireland to the US using SCCs be suspended, on the grounds that the SCCs provided inadequate safeguards compared with the GDPR. Already in 2015, under the previous privacy regime, Mr. Schrems had won another case before the ECJ, which nullified the Safe Harbor Decision taken in the year 2000 by the EC, according to which US based organisations adopting certain policies and measures could be the recipients of personal data flows coming from the EEA. After the October 2015 ruling of the ECJ, the so-called Privacy Shield was established on 2 February 2016 by an EC decision [3], which deeply revised the conditions for transfer of personal data from the EEA to the US and introduced better oversight mechanisms on the US government side, in some ways anticipating the main lines of thought of the GDPR, which was enacted a few months later. In its judgement the ECJ examined, but did not repeal, the validity of the EC adequacy decision 2010/87 on SCCs [4]. Indeed, the validity of that decision is not called into question by the mere fact that, being contractual in nature, SCCs do not bind the competent authorities of the

1730 MIPRO 2021/ICTLAW