VoxEU Column Industrial organisation International trade

Cross-border data transfers under new regulations: Findings from a survey of Japanese firms

Cross-border data flows are becoming increasingly important in the modern economy. In response, many countries have introduced regulations to control data transfers. This column discusses the firm-level response to such regulations using a recent survey of Japanese firms. Firms react by changing the location of data storage and processing, as well as by tightening data protection. However, these responses vary significantly depending on where the regulations originate. 

The rapid development of artificial intelligence (AI), combined with the accumulation of Big Data, is accelerating the expansion of business activities in many countries around the globe. We have long monitored trade data to understand international trade in goods and services, but now are required to expand our scope to trade in data to capture cross-border economic activities in the digital age. As new data-driven business often requires consumers to hand over their personal data to oligopolistic global firms, some governments have begun to regulate data transfers to protect privacy. The EU’s General Data Protection Regulation (GDPR) is one example of such regulation. 

Beyond the EU, a number of other countries intervene in cross-border data flows for national security or other unspecified purposes. As firms increasingly depend on data flows, we need to evaluate the impact of such regulations on cross-border data flows.1 The OECD has examined this issue, for example, by collecting information on related regulations across several countries and conducting a survey (OECD 2018). The investigations of firms’ activities in cross-border data transmissions have mainly been constrained by the paucity of economic data on data flows.  To fill in part of this gap, we conducted a survey of Japanese firms (Tomiura et al. 2019). In this column, we briefly report some findings from the survey and discuss policy implications and other remaining issues.

Despite its importance in economic analyses, it is practically impossible for an academic researcher to collect direct data on cross-border data transmissions by individual firms, especially in terms of economic values.2 E-commerce transaction volume may be a useful measure, but firms transmit data across national borders for many other purposes including contracting with outsourcing suppliers or sharing personnel data with offshore affiliates established through foreign direct investment (FDI). We distributed a questionnaire in 2019 on data transfers and data-related activities to essentially all Japanese medium-sized or large firms in manufacturing, wholesale and information-related service industries, and collected responses from more than twenty percent of them, with the total exceeding 4,000 firms.3

We first asked firms about the impacts of regulations on cross-border data transfers. Under GDPR, Japan has been declared ‘adequate’ by the EU, indicating that the transmission of personal data to Japan occurs under a comparable treatment with that within the EU. In our sample, less than 5% of the surveyed firms report impacts of GDPR.

Some countries outside of Europe impose tight regulations on data flows, especially those across national borders, not necessarily limited to personal data. Cyber security regulations in China and Russia are prime examples, but other countries such as Vietnam and India have followed suit. These countries require firms to locate certain categories of data (categories wider than personal data) within the host countries. Goldfarb and Trefler (2019) argue that “data localisation is a privacy policy that could favour domestic firms” (p. 486). Data localisation measures could be labelled as a new form of protectionism in the era of AI and Big Data, or digital protectionism. 

The share of firms affected by the regulations imposed by China and other emerging countries is nearly twice as high as that affected by GDPR, exceeding 8% in our sample. This finding might be an indirect indication that these firms transfer vast amounts of (sensitive) data across national borders. Furthermore, especially among the firms actively collecting data overseas through the Internet of Things (IoT), as shown in Figure 1, the number of affected firms exceeds the number of firms reporting no impact. Although the share of firms recognising these impacts is not found to be overwhelming among our sample (which omits small-sized firms that tend to operate domestically), many firms that are active in digital data activities, through means such as IoT, are affected by the regulations. 

Figure 1 Impact of regulations imposed by emerging countries

Notes: Figure shows are the shares among firms collecting data overseas through IoT. See Tomiura et al. (2019).

Our survey also asked firms about their responses to such regulations. The first point to note in the results relates to locations and boundaries. Around 30% of the firms that reported impacts of the regulations have changed the location of data storage and/or data processing in response to regulations by EU and emerging countries, indicating a non-negligible impact on the geography of data-related activities. On the other hand, as shown in Figure 2, more than half of the firms engaged in cross-border data transfers are also transmitting data to/from their own offshore affiliates within a multinational enterprise group.4 In other words, some of these data flows are international but intra-firm. 

Figure 2 With whom do you transfer data across borders? 

Notes: Figure shows are the percentages among firms transferring data across borders. See Tomiura et al. (2019).

Second, we find that the firms’ responses to regulations vary substantially. More than 40% of the respondents have tightened data protection to meet the EU’s requirement in response to GDPR. In contrast, more than half of the surveyed firms have not taken any measures against the cyber security regulations of China and other emerging countries, despite their recognition of the impacts of these regulations. Their inaction could possibly be due to the uncertainty associated with new regulations based on the lack of transparency in the rules created by these emerging countries. Our survey also finds that only a limited fraction of firms changed the persons responsible for cross-border data transfers within their corporate hierarchy (from lower-level staff to managers, or from managers to executives including the Chief Information Officer). Additionally, we find that less than 8% of the surveyed firms have increased spending on data security in response to the new regulations. All these findings could be consistent with the interpretation that these firms had sufficiently prepared for the regulations in advance, but they might indicate that firms have not yet adapted to regulations despite their potential impacts.

While we have not yet tested it econometrically, firms actively transmitting data across borders are likely to be globalised. Accumulated studies of theories of heterogeneous firm trade since the turn of the century in international economics have established that globalised firms tend to be large, productive, capital-intensive, innovative, and to possess many other characteristics distinct from domestic firms.5 If this is the case, we should not underestimate the impact of new regulations on data flows as it would spill over to a wide range of firms and consumers through their transactions with global firms. We are currently working on a project linking these survey results with firm-level longitudinal data derived from official mandatory statistics. Such data linkage will help us not only evaluate the impact of regulations but also explore how cross-border data flows shape our economies.

Editors' note: The main research on which this column is based first appeared as a RIETI Discussion Paper.


Goldfarb, A and D Trefler (2019), “Artificial intelligence and international trade”, in A Agrawal et al. (eds), The Economics of Artificial Intelligence, University of Chicago Press, Chapter 19, pp. 463-492.

OECD – Organisation for Economic Co-operation and Development (2018), "Trade and cross-border data flows", Working Party of the Trade Committee, TAD/TC/WP(2018)19/FINAL, Paris, France. 

Tomiura, E (2007), “Foreign outsourcing, exporting, and FDI: A productivity comparison at the firm level”, Journal of International Economics 72: 113-127.

Tomiura, E, B Ito, and B Kang (2019), “Effects of regulations on cross-border data flow: Evidence from a survey of Japanese firms”, Discussion Paper 19-E-088, RIETI.

Zhuo, R, B Huffaker, KC Claffy, and S Greenstein (2019), “The impact of the General Data Protection Regulation on Internet interconnection,” NBER Working Paper 26481.


1 Researchers have previously analysed this issue only indirectly due to the lack of available data on data flows. For instance, Zhuo et al. (2019) report that GDPR has virtually no effect on interconnection behaviours of internet network operators and argue that costs of the regulation are concentrated at the application layer.

2 We often hear about the explosion of cross-border information flows in bits or tera-bytes, but it is extremely difficult to translate it directly into economic values.

3 The selection of firms for our survey is based on the list for official statistics and basically covers firms with fifty or more employees. The sample size of our survey is much larger than a similar survey of firms by OECD (2018).

4 The share of firms directly transmitting data to/from individual consumers is low in our sample, which does not include retailers.

5 Tomiura (2007) is an early firm-level study finding that FDI firms are more productive than foreign outsourcers or exporters, which in turn are more productive than domestic firms.

3,150 Reads