Cross-Border Data Transfers: Sovereignty Meets the Borderless Internet

The flow of data across international borders has become the lifeblood of the modern digital economy, yet this seamless transfer of information increasingly collides with national sovereignty concerns and divergent regulatory frameworks. As nations grapple with protecting their citizens’ privacy while maintaining economic competitiveness, a complex web of regulations has emerged that fundamentally reshapes how organizations handle cross-border data transfers.

The Emergence of Cross-Border Data Transfer Regulation

Cross-border data transfers involve the movement of personal or sensitive information from one jurisdiction to another for processing, storage, or operational purposes. These transfers enable everything from cloud computing and international commerce to healthcare research and financial services. However, the borderless nature of the internet has created jurisdictional tensions as governments seek to assert control over data originating within their territories.

The regulatory landscape governing these transfers has evolved dramatically over the past decade. Different nations have adopted varying approaches based on their unique political, economic, and security considerations. Some jurisdictions emphasize protecting individual privacy rights through strict consent requirements and adequacy assessments, while others prioritize national security through data localization mandates or blacklist approaches. This divergence has created significant compliance challenges for multinational organizations that must navigate multiple, sometimes conflicting, regulatory regimes simultaneously.

European Union’s Framework Under GDPR

The European Union established one of the most influential regulatory frameworks for cross-border data transfers through the General Data Protection Regulation. Chapter V of the GDPR, specifically Articles 44 through 50, creates a structured system for regulating how personal data can be transferred outside the European Economic Area [1]. This framework establishes a hierarchical approach with three primary mechanisms for lawful data transfers.

The highest tier involves adequacy decisions issued by the European Commission under Article 45 GDPR. When the Commission determines that a third country ensures an adequate level of protection essentially equivalent to that guaranteed within the EU, personal data can flow to that jurisdiction without requiring specific authorization [1]. The Commission must consider various factors when assessing adequacy, including the rule of law, respect for human rights and fundamental freedoms, relevant legislation concerning public security and national security, data protection rules, professional standards, security measures, and the existence of effective independent supervisory authorities [2].

The concept of “essential equivalence” rather than identical protection was crystallized through landmark litigation. In Data Protection Commissioner v. Facebook Ireland Limited, commonly known as Schrems II, the Court of Justice of the European Union invalidated the EU-US Privacy Shield framework on July 16, 2020 [3]. The Court held that surveillance programs operated by United States intelligence agencies, particularly those authorized under Section 702 of the Foreign Intelligence Surveillance Act and Executive Order 12333, were not limited to what is strictly necessary and constituted disproportionate interference with the rights to data protection and privacy. The judgment emphasized that the level of protection afforded to data transferred outside the EU must be essentially equivalent to that guaranteed by the GDPR when read in light of the Charter of Fundamental Rights of the European Union.

The Schrems II decision fundamentally altered the compliance landscape by invalidating adequacy decisions and placing greater scrutiny on alternative transfer mechanisms. Standard Contractual Clauses, which are pre-approved contractual terms that data exporters and importers can use to legitimize transfers, remained valid under Article 46 GDPR. However, the Court imposed stricter requirements, mandating that organizations using SCCs must conduct case-by-case assessments to ensure that the data importer’s jurisdiction provides essentially equivalent protection, supplementing the clauses with additional safeguards where necessary [3]. This requirement forces organizations to evaluate the laws and practices of destination countries, particularly regarding government surveillance and data access powers, and implement technical, organizational, or contractual measures to compensate for any deficiencies.

Following the Schrems II invalidation, the United States and European Union negotiated a new framework. In July 2023, the European Commission adopted an adequacy decision for the EU-US Data Privacy Framework, which established new protections for personal data transferred from the EU to participating US organizations [4]. This framework was built upon Executive Order 14086, signed by President Biden in October 2022, which strengthened privacy safeguards governing signals intelligence activities and created a new redress mechanism through the Data Protection Review Court. In September 2025, the General Court dismissed a challenge to this adequacy decision in Case T-553/23, affirming that the DPRC provided sufficient independence and impartiality despite being established by executive action rather than congressional legislation [5].

United States National Security Approach

Unlike the EU’s comprehensive data protection regime, the United States historically lacked federal legislation specifically governing cross-border personal data transfers. However, national security concerns prompted a significant shift in American policy. On February 28, 2024, President Biden issued Executive Order 14117 titled “Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern” [6]. This executive order marked the most significant federal action to regulate outbound data flows, representing a departure from the traditionally open approach the United States maintained toward international data transfers.

Executive Order 14117 authorized the Department of Justice to issue regulations under the International Emergency Economic Powers Act to prohibit or restrict certain transactions that would grant countries of concern access to Americans’ bulk sensitive personal data or US government-related data [6]. The order identified China (including Hong Kong and Macau), Russia, Iran, North Korea, Cuba, and Venezuela as countries of concern. The regulatory framework distinguishes between prohibited transactions, which include data brokerage involving covered data and all transactions involving bulk human genomic data, and restricted transactions, which encompass vendor agreements, employment agreements, and investment agreements that must comply with specific security requirements.

On December 27, 2024, the DOJ issued its final rule implementing Executive Order 14117, which took effect on April 8, 2025 [7]. The rule establishes the Data Security Program, creating a comprehensive regulatory structure that requires US persons to take reasonable steps to determine whether their data transactions involve countries of concern or covered persons. Covered persons include foreign entities organized under the laws of countries of concern, entities that are fifty percent or more owned by such countries, foreign individuals primarily resident in these countries, and employees or contractors of covered entities [7]. The program imposes strict due diligence, audit, and reporting requirements, with violations subject to civil penalties up to $368,136 or twice the transaction amount, and criminal penalties including imprisonment up to twenty years for willful violations.

The DOJ rule defines bulk sensitive personal data to include precise geolocation data, biometric identifiers, human genomic data, personal health data, personal financial data, and certain categories of personally identifiable information when they exceed specified quantitative thresholds [7]. Data brokerage is defined broadly to include the sale of data, licensing of access to data, or similar commercial transactions where the recipient did not collect the data directly from the individuals to whom it relates. The rule provides exemptions for certain transactions, including those required by federal law, clinical trials regulated by the FDA, provision of telecommunications services, financial services transactions subject to existing banking frameworks, and official US government activities.

India’s Blacklist Approach

India enacted the Digital Personal Data Protection Act in August 2023, establishing the nation’s first comprehensive data protection statute [8]. The DPDPA applies extraterritorially to any entity processing personal data of individuals resident in India in connection with offering goods or services to Indian residents. This legislation represents a significant departure from earlier draft bills that proposed stringent data localization requirements for sensitive personal data.

The DPDPA adopts what is termed a blacklist or negative list approach to cross-border data transfers under Section 16. Unlike the EU’s system that requires affirmative adequacy determinations, the DPDPA permits data transfers to any country except those specifically restricted by the central government [8]. The Act grants the government discretionary authority to prohibit transfers to specified countries or territories through notification, without requiring transparency regarding the criteria used for such determinations or providing alternative transfer mechanisms like standard contractual clauses. No countries have been blacklisted as of the regulation’s implementation, leaving significant uncertainty for organizations planning international data operations.

The Digital Personal Data Protection Rules 2025, notified on November 13, 2025, operationalize the DPDPA’s provisions and establish a phased implementation timeline extending twelve to eighteen months [9]. Under the rules, data fiduciaries may transfer personal data to other data fiduciaries or data processors only under valid contracts, though the legislation does not prescribe specific contractual requirements. The DPDPA designates certain entities as Significant Data Fiduciaries, which face heightened obligations including appointing India-based data protection officers, conducting annual audits, and implementing additional security measures. Rule 12 of the draft rules indicates that SDFs may face restrictions on transferring certain categories of personal data outside India, though the exact scope remains subject to government notification.

Importantly, Section 16(2) of the DPDPA specifies that it does not restrict the applicability of other sectoral laws that provide higher degrees of protection [8]. This provision means that sector-specific regulations issued by authorities such as the Reserve Bank of India and the Securities and Exchange Board of India continue to operate alongside the DPDPA. For instance, RBI regulations mandate that all payment system providers ensure that data relating to payment systems are stored only in India, effectively requiring data localization for the financial sector. For cross-border transactions involving both foreign and domestic components, data pertaining to the foreign leg may be stored outside India, but domestic transaction data must remain within the country.

The DPDPA provides specific exemptions from standard data transfer requirements under Section 5. These include situations where the transfer is necessary for signing or performing a contract to which the individual is a party, such as cross-border e-commerce, courier services, payment processing, and travel bookings [9]. Transfers necessary to safeguard an individual’s life, health, or property in emergencies are also exempted. Additionally, outbound transfers of employee personal information necessary for cross-border human resource management in accordance with labor rules and collective contracts are permitted without additional compliance requirements.

China’s Evolving Cross-Border Data Transfer Regime

China established a multifaceted legal framework for cross-border data transfers through three foundational laws: the Cybersecurity Law, the Data Security Law, and the Personal Information Protection Law. These statutes created three primary mechanisms for lawful data transfers: security assessments conducted by the Cyberspace Administration of China, standard contracts based on Chinese templates, and certification programs demonstrating compliance with data protection requirements. The comprehensive documentation requirements and extended timescales for obtaining CAC approval presented significant compliance challenges for multinational corporations operating in China.

On March 22, 2024, the CAC issued final Regulations on Promoting and Regulating Cross-Border Data Flows, which took immediate effect and substantially relaxed previous requirements [10]. The regulations introduce three categories of exemptions from the standard legal mechanisms. First, transfers necessary for contract performance, such as those required for cross-border shopping, courier services, payment processing, hotel and flight bookings, visa applications, and examination services, are exempted. Second, transfers necessary to protect life, health, or property in emergency situations do not require compliance with standard mechanisms. Third, employee data transfers necessary for cross-border human resource management conducted according to applicable labor rules and collective contracts are exempt.

The CBDT Regulations also raise thresholds that trigger mandatory compliance, significantly reducing the number of transactions requiring CAC oversight [10]. Organizations not designated as Critical Information Infrastructure Operators that have processed personal information of fewer than one million individuals are exempted from security assessment requirements. Similarly, entities that have not transferred personal information of more than one hundred thousand individuals or sensitive personal information of more than ten thousand individuals to foreign destinations since January 1 of the previous year are exempt from filing standard contracts or obtaining certification.

An innovative provision allows each free trade zone within China to establish a negative list specifying data transfers subject to standard legal mechanisms [10]. Data transfers not included in the negative list are not required to undergo security assessments, standard contract filing, or certification. Such negative lists must receive approval from provincial CAC authorities and be filed with both the central CAC and the National Data Bureau. This approach provides significant flexibility for multinational corporations operating within designated FTZs, potentially enabling more streamlined data operations aligned with international business practices.

Practical Compliance Challenges and Solutions

Organizations conducting cross-border data transfers face numerous operational challenges in maintaining compliance across multiple jurisdictions. Data mapping is the foundational requirement: companies must comprehensively document what data is collected, where it is stored, how it flows across borders, and which entities have access. This process must account for both structured transfers governed by formal contracts and unstructured flows such as employee access to cloud-based systems, internal communications platforms, and collaborative tools.

The concept of essentially equivalent protection established in Schrems II requires organizations to conduct transfer impact assessments evaluating whether destination countries provide adequate legal protections. These assessments must analyze the laws and practices of receiving jurisdictions, particularly regarding government surveillance powers, mandatory data disclosure requirements, and available legal remedies for individuals. Where gaps exist, organizations must implement supplementary measures, which can include technical safeguards like encryption, pseudonymization, or data minimization; organizational measures such as limiting data categories transferred or restricting access rights; and contractual provisions establishing clear data processing limitations and audit rights.

Vendor due diligence has become increasingly complex under the new regulatory frameworks. Organizations must screen business partners against sanctions lists, verify ownership structures to identify connections to restricted countries or entities, and ensure contractual agreements include appropriate data protection terms. The DOJ’s Data Security Program requires annual independent audits by qualified entities that are not covered persons, imposing ongoing verification obligations. Similarly, entities designated as Significant Data Fiduciaries under India’s DPDPA must conduct regular compliance audits and maintain detailed processing records.

Privacy-enhancing technologies offer promising solutions for maintaining data utility while addressing cross-border transfer restrictions. Techniques such as fully homomorphic encryption enable computation on encrypted data without requiring decryption, potentially allowing organizations to process data across borders while maintaining confidentiality. Differential privacy adds mathematical noise to datasets to protect individual privacy while preserving statistical accuracy for analysis. Secure multi-party computation allows multiple parties to jointly compute functions over their inputs while keeping those inputs private. Regulators including Singapore’s Infocomm Media Development Authority and the European Data Protection Board have recognized PETs as valuable tools for facilitating compliant cross-border data flows.

Strategic Implications for Global Business

The fragmentation of cross-border data transfer regimes creates strategic challenges for multinational enterprises. Organizations must design data architectures that accommodate varying requirements across jurisdictions, which may necessitate regional data centers, hybrid cloud configurations separating data by geography, or sophisticated access controls limiting which personnel can view data from specific jurisdictions. The costs associated with duplicating infrastructure, implementing multiple compliance programs, and managing legal risks across diverse regulatory systems can be substantial, particularly for small and medium-sized enterprises lacking dedicated compliance resources.

The trend toward data localization requirements and national security-based restrictions on data flows represents a departure from the historically open internet architecture that enabled global digital commerce. Proponents of localization argue that keeping data within national borders enhances security by reducing exposure to foreign surveillance and cyberattacks, enables more effective enforcement of data protection laws, and supports domestic technology industries by requiring local infrastructure investment. Critics contend that localization increases costs without meaningfully improving security, creates inefficiencies by preventing optimization of global data processing, and fragments the internet into isolated spheres that undermine the network effects driving digital innovation.

For organizations developing compliance strategies, several principles emerge from the evolving regulatory landscape. First, compliance programs must be dynamic rather than static, with mechanisms for monitoring regulatory developments and adjusting practices accordingly. The invalidation of adequacy decisions through litigation and the discretionary blacklisting powers granted to governments mean that previously compliant data flows may become restricted with limited notice. Second, a risk-based approach that prioritizes resources based on data sensitivity, transfer volumes, and regulatory scrutiny enables more effective compliance within resource constraints. Third, engaging with policymakers through industry associations and public comment processes provides opportunities to shape emerging regulations and advocate for workable standards that balance privacy, security, and commercial interests.

The geopolitical dimensions of cross-border data regulation merit particular attention. Restrictions on data flows to countries of concern reflect broader tensions between Western democracies and authoritarian regimes regarding technology governance, human rights, and national security. The designation of China, Russia, and other nations as jurisdictions requiring heightened scrutiny for data transfers has significant implications for companies with global operations. Organizations must navigate these geopolitical realities while maintaining business relationships and complying with potentially conflicting legal requirements across jurisdictions.

Conclusion

Cross-border data transfers exist at the intersection of technology, law, commerce, and geopolitics. The regulatory frameworks governing these transfers reflect fundamental tensions between the borderless nature of digital information and the territorial boundaries of national sovereignty. As the volume and importance of international data flows continue to grow, the challenge of creating interoperable regulatory standards that protect individual rights, enable legitimate business activities, and address national security concerns becomes increasingly urgent.

Organizations conducting cross-border data transfers must approach compliance as a strategic imperative rather than a purely legal exercise. Success requires not only understanding the technical requirements of various regulatory frameworks but also anticipating how geopolitical developments and technological changes will reshape the landscape. The investment in robust data governance programs, including mapping, impact assessments, contractual safeguards, technical measures, and ongoing monitoring, positions organizations to adapt to evolving requirements while minimizing operational disruptions. As nations continue developing their approaches to cross-border data regulation, the organizations that can navigate this complexity will gain significant competitive advantages in the global digital economy.

References

[1] European Parliament and Council of the European Union. Regulation (EU) 2016/679 (General Data Protection Regulation), Articles 44-50. https://gdpr-info.eu/art-45-gdpr/ 

[2] European Data Protection Board. Guidelines on the Transfer of Personal Data under Article 45 GDPR. https://gdprhub.eu/Article_45_GDPR 

[3] Court of Justice of the European Union. Case C-311/18, Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems (Schrems II), July 16, 2020. https://www.europarl.europa.eu/RegData/etudes/ATAG/2020/652073/EPRS_ATA(2020)652073_EN.pdf 

[4] European Commission. Commission Implementing Decision (EU) 2023/1795 on the adequate protection of personal data under the EU-US Data Privacy Framework, July 10, 2023. https://laweconcenter.org/resources/schrems-iii-gauging-the-validity-of-the-gdpr-adequacy-decision-for-the-united-states/ 

[5] General Court of the European Union. Case T-553/23, Latombe v Commission, September 3, 2025. https://eucrim.eu/news/general-court-confirms-adequacy-of-us-data-protection/ 

[6] The White House. Executive Order 14117: Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern, February 28, 2024. 

[7] U.S. Department of Justice. Final Rule Implementing Executive Order 14117, December 27, 2024, effective April 8, 2025. https://www.hoganlovells.com/en/publications/new-doj-rule-limits-crossborder-data-transfers-to-protect-national-security 

[8] Government of India. Digital Personal Data Protection Act, 2023, enacted August 11, 2023. https://www.lw.com/admin/upload/SiteAttachments/Indias-Digital-Personal-Data-Protection-Act-2023-vs-the-GDPR-A-Comparison.pdf 

[9] Government of India, Ministry of Electronics and Information Technology. Digital Personal Data Protection Rules 2025, notified November 13, 2025. https://www.hoganlovells.com/en/publications/indias-digital-personal-data-protection-act-2023-brought-into-force- 

[10] Cyberspace Administration of China. Regulations on Promoting and Regulating Cross-Border Data Flows, March 22, 2024. https://www.whitecase.com/insight-alert/china-released-new-regulations-ease-requirements-outbound-cross-border-data-transfers