Cross-Border Transfers

Over the past few months, there have been several notable developments in the cross-border data frameworks of the U.S., EU, UK, Brazil, and several Asia Pacific (“APAC”) countries. These developments reflect evolving regulatory approaches to international data flows, trade agreements, and national security priorities—each with certain nuances and particularities that multinational companies need to understand and be prepared to navigate. 

This blog post provides a brief summary of these developments and key takeaways for companies transferring personal data to or from these jurisdictions. Continue Reading Roundup of Cross-Border Data Transfer Developments

On September 5, 2025, the European Commission announced the launch of the process to adopt an adequacy decision for Brazil under the General Data Protection Regulation (GDPR), involving an assessment of whether Brazil ensures an adequate level of personal data protection comparable to that in the EU. Once adopted, the decision would permit personal data to flow freely between Brazil and the EU without the need for additional safeguards, covering flows from businesses, public authorities, and research projects.

The Brazilian federal government, through the National Data Protection Authority (ANPD), announced that it is simultaneously considering adopting an equivalent adequacy decision to facilitate the uninterrupted flow of data from Brazil to the EU. The parallel initiatives highlight a mutual commitment to aligning privacy and data protection standards across the Atlantic, and take place in a context of closer bilateral relations and increased U.S. scrutiny of Brazilian and European digital policies.Continue Reading European Commission and Brazil Advance Towards Mutual Adequacy Decision

On 15 July 2025, the European Commission adopted an adequacy decision for the European Patent Organisation (EPO).  This marks the first time such a decision has been granted to an international organisation.  From now on, personal data can be transferred from the EU to the EPO based on this decision, without the need for additional safeguards such as Standard Contractual Clauses (SCCs).Continue Reading Adequacy Decision for the European Patent Organisation

On June 2, 2025, the Global Cross-Border Privacy Rules (“CBPR”) Forum officially launched the Global CBPR and Privacy Recognition for Processors (“PRP”) certifications.  Building on the existing Asia-Pacific Economic Cooperation (“APEC”) CBPR framework, the Global CBPR and PRP systems aim to extend privacy certifications beyond the APEC region.  They will allow controllers and processors to voluntarily undergo certification for their privacy and data governance measures under a framework that is recognized by many data protection authorities around the world.  The Global CBPR and PRP certifications are also expected to be recognized in multiple jurisdictions as a legitimizing mechanism for cross-border data transfers.Continue Reading Global CBPR and PRP Certifications Launched: A New International Data Transfer Mechanism

On March 17, 2025, the Finnish Supervisory Authority (“SA”) announced that it is investigating the transfer of personal data related to human research samples by a Finnish university to a Chinese company for genetic analysis services.  Continue Reading Finnish Supervisory Authority Investigates Health Data Transfers to China

On 2 December 2024, the European Data Protection Board (“EDPB”) adopted its draft guidelines on Article 48 GDPR (the “Draft Guidelines”). The Draft Guidelines are intended to provide guidance on the GDPR requirements applicable to private companies in the EU that receive requests or binding demands for personal data from public authorities (e.g., law enforcement or national security agencies, as well as other regulators) located outside the EU.Continue Reading EDPB adopts draft guidelines on requirements when responding to requests from non-EU public authorities

On September 12, 2024, the European Commission announced that it will launch a public consultation on additional standard contractual clauses for international transfers of personal data to non-EU controllers and processors that are subject to the EU GDPR extra-territorially (“Additional SCCs”), something that has been promised by the European Commission as far back as 2022.  The public consultation is planned for the last quarter of 2024.Continue Reading EU Commission Announces New SCCs for International Transfers to Non-EU Controllers and Processors Subject to the GDPR

After nearly six months since the initial draft was issued for public comments on September 28, 2023 (see here for our previous alert on that development), on March 22, 2024, the Cyberspace Administration of China (“CAC”) issued the final version of the Provisions on Promoting and Standardizing Cross-Border Data Flows (促进和规范数据跨境流动规定) ( “Provisions”) (Chinese version available here).  The Provisions take effect immediately.  

The newly finalized Provisions introduce significant changes to China’s existing cross-border data transfer regime.  These changes primarily involve exemptions from the previously mandated transfer mechanisms outlined in the Personal Information Protection Law (“PIPL”) and its implementing regulations.  Such mechanisms included undergoing a government-led security assessment, entering into a standardized contract, or obtaining personal information protection certification.  As a result, many companies that previously faced these requirements may now be exempt, easing their compliance burden for cross-border data transfers.  Importantly, the Provisions take precedence over any conflicting provisions within PIPL’s implementing regulations, including the Measures on the Standard Contract for Cross-Border Transfer of Personal Information and the Measures for Security Assessment of Cross-Border Data Transfer.Continue Reading China Eases Restrictions on Cross-Border Data Flows

On January 15, 2024, the European Commission released its report on the first review of the functioning of the existing eleven adequacy decisions adopted under the pre-GDPR framework.  

The Commission concluded that personal data transferred from the European Economic Area to any of Andorra, Argentina, Canada (for PIPEDA-regulated entities), the Faroe Islands, Guernsey, Isle of Man, Israel, Jersey, New Zealand, Switzerland and Uruguay continue to receive an adequate level of protection.Continue Reading European Commission Retains Adequacy Decisions for Data Transfers to Eleven Countries

On September 28, 2023, the Cyberspace Administration of China (“CAC”) issued draft Provisions on Standardizing and Promoting Cross-Border Data Flows (Draft for Comment) (规范和促进数据跨境流动规定(征求意见稿)) (draft “Provisions”) (Chinese version available here) for a public consultation, which will conclude on October 15, 2023. 

The draft Provisions propose significant changes to the existing cross-border data transfer regime established under China’s Personal Information Protection Law (“PIPL”).  Specifically, the draft Provisions provide certain exemptions to the requirement to adopt a transfer mechanism under Article 38 of the PIPL. In addition, the draft Provisions significantly lower the thresholds that trigger the obligation to undergo a government-administered security assessment or adopt Standard Contracts.  Moreover, in the event of a conflict between the draft Provisions and the PIPL’s implementing regulations (including the Measures on the Standard Contract for the Cross-Border Transfer of Personal Information and the Measures for Security Assessment of Cross-Border Data Transfer), the draft Provisions would prevail.Continue Reading China Proposes Significant Changes to Cross-Border Transfer Rules