Over the past few months, there have been several notable developments in the cross-border data frameworks of the U.S., EU, UK, Brazil, and several Asia Pacific (“APAC”) countries. These developments reflect evolving regulatory approaches to international data flows, trade agreements, and national security priorities—each with certain nuances and particularities that multinational companies need to understand and be prepared to navigate. 

This blog post provides a brief summary of these developments and key takeaways for companies transferring personal data to or from these jurisdictions. 

(1)  EU–U.S. DPF: Latombe Decision and PCLOB Staff Report

On September 3, 2025, the General Court of the Court of Justice of the European Union (“CJEU”) held in Latombe v. CNIL that national supervisory authorities have discretion not to investigate complaints brought under the General Data Protection Regulation (“GDPR”) about a transfer framework that has been deemed adequate by the European Commission. The Court’s decision relates to the EU-US Data Privacy Framework (“DPF”), which went into effect in July 2023. The DPF enables certified U.S. organizations to receive personal data from the EU without implementing additional safeguards, such as the EU-approved standard contractual clauses (“SCCs”), provided that they adhere to the DPF’s principles and related requirements. Notably, the Court made some positive statements in its decision about the independence of the data protection review court set up under the DPF, as well as limitations on U.S. signals intelligence activities. Latombe has now appealed this decision to the CJEU’s Court of Justice. 

Separately, on September 25, 2025, the U.S. Privacy and Civil Liberties Oversight Board (“PCLOB”) issued a “staff report” assessing the U.S. intelligence community’s compliance with Executive Order 14086, which underpins the DPF. The report concluded that U.S. intelligence agencies have successfully updated their policies and procedures to ensure the compliance, review, and oversight of signals intelligence activities consistent with EO 14086, and did not identify any instances of material non-compliance. However, PCLOB currently consists of a single Republic member after its three Democrat members were forced out by President Trump earlier this year. While the status of those members on the Board remains the subject of litigation, PCLOB continues to lack a quorum (at least three of its five members) to issue official reports or engage in other official acts. Accordingly, the latest staff report issued by PCLOB lacks official legal status.

While these developments arguably help reinforce the DPF as a lawful transfer mechanism for EU-originating personal data to the U.S, they also illustrate some ongoing uncertainties surrounding the framework and its constituent parts.

(2) EU–UK Adequacy Decision Moves Forward

On October 20, 2025, the European Data Protection Board (“EDPB”) announced the formal adoption of its Opinion 2025/26 on the European Commission’s proposal to extend the UK’s adequacy decision until 2031. The UK was initially granted adequacy status in 2021 following Brexit, enabling the free flow of personal data from the EU to the UK without added safeguards.

The EDPB’s opinion concludes that the UK continues to maintain a data protection regime that is “essentially equivalent” to the GDPR, including independent oversight, robust enforcement powers, and legal remedies for individuals. However, the EDPB flagged concerns regarding the UK’s evolving surveillance laws and potential future divergence from EU standards, and recommends ongoing monitoring and periodic review to ensure continued alignment.

The adoption of the EU’s adequacy extension for the UK helps provide legal certainty for EU-based organizations transferring personal data to the UK going forward.

(3) EU–Brazil Draft Adequacy Decision and Positive EDPB Opinion

The European Commission and Brazil’s data protection authority, the Autoridade Nacional de Proteção de Dados (“ANPD”), have recently taken major steps towards mutual adequacy recognition. As we previously reported, on September 5, 2025, the Commission published a draft adequacy decision finding that Brazil’s privacy framework provides an adequate level of protection. More recently, on October 5, 2025, the EDPB adopted a positive opinion of the draft adequacy decision for Brazil, concurring with the Commission’s adequacy finding while also identifying a few areas for clarification and ongoing review. 

Once  finalized, a mutual adequacy decision between the EU and Brazil would facilitate the free flow of personal data between Europe and the largest market in Latin America, and streamline contractual steps and privacy compliance processes for companies engaged in such data flows. 

(4) U.S. Signs Bilateral Trade and Data Deals with Three APAC Countries

Over the last few months, the U.S. has signed bilateral trade agreements with Indonesia, Malaysia, and Thailand which included commitments from those countries to ensure the free flow of personal data to the U.S. The agreement with Indonesia, for example, establishes a legal basis for the transfer of personal data from Indonesia to the U.S., subject to safeguards consistent with Indonesia’s Personal Data Protection Law (“PDPL”), which was enacted in 2022. Further, U.S. entities receiving Indonesian personal data must adhere to specified privacy and security standards, cooperate with Indonesian authorities in the event of complaints or investigations, and facilitate a dispute resolution mechanism.

These agreements are significant in that the U.S. has managed to secure commitments on the free flow of personal data from three countries that have GDPR-like laws and similar cross-border transfer restrictions. While there are some specifics that companies transferring data from those regimes to the U.S. will need to address, it is expected that these diplomatic efforts will help lighten compliance burdens and reduce privacy regulatory risks in relation to such data.

(5) U.S. DOJ’s DSP Goes Into Full Effect

On October 6, 2025, the U.S. Department of Justice’s (“DOJ”) Data Security Program (“DSP”), codified at 28 C.F.R. Part 202, went into full effect. As we have previously reported (see here and here, for example), the DSP imposes restrictions and prohibitions on access (including the possibility of access) to “bulk sensitive personal data” and “U.S. government-related data” by any “covered person” associated with six designated “countries of concern”: China (including Hong Kong and Macau), Cuba, Iran, North Korea, Russia, and Venezuela. The DSP also sets out requirements for certain scenarios involving transfers of such data to parties in any non-U.S. party where there may be a risk of onward transfer to covered persons and/or countries of concern.

Many U.S. organizations have been in the process of verifying the extent to which their operations are subject to the DSP and, if so, taking steps to address its requirements—such as, for example, updating vendor screening processes and contractual terms. Those efforts should continue to progress as the DOJ now sets its sights on enforcement, which may provide greater clarity on the scope of the DSP and the DOJ’s interpretation of certain obligations thereunder.      

*          *          *

The Covington team is closely monitoring and regularly advises clients on cross-border data transfer rules and related issues.  Please get in touch with a member of our team if you have any questions.

Tags: APAC, Brazil, Court of Justice of the European Union (CJEU), Cross-border Data Transfer, EU-US. Data Privacy Framework, General Data Protection Regulation (GDPR), Indonesia, Latin America, Malaysia, Thailand, UK
Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Dan Cooper Dan Cooper

Daniel Cooper is co-chair of Covington’s Data Privacy and Cyber Security Practice, and advises clients on information technology regulatory and policy issues, particularly data protection, consumer protection, AI, and data security matters. He has over 20 years of experience in the field, representing…

Daniel Cooper is co-chair of Covington’s Data Privacy and Cyber Security Practice, and advises clients on information technology regulatory and policy issues, particularly data protection, consumer protection, AI, and data security matters. He has over 20 years of experience in the field, representing clients in regulatory proceedings before privacy authorities in Europe and counseling them on their global compliance and government affairs strategies. Dan regularly lectures on the topic, and was instrumental in drafting the privacy standards applied in professional sport.

According to Chambers UK, his “level of expertise is second to none, but it’s also equally paired with a keen understanding of our business and direction.” It was noted that “he is very good at calibrating and helping to gauge risk.”

Dan is qualified to practice law in the United States, the United Kingdom, Ireland and Belgium. He has also been appointed to the advisory and expert boards of privacy NGOs and agencies, such as the IAPP’s European Advisory Board, Privacy International and the European security agency, ENISA.

Read more about Dan CooperEmail
Show more Show less
Photo of Nicholas Shepherd Nicholas Shepherd

Nick Shepherd is an associate in Covington’s Washington, DC office, where he is a member of the Data Privacy and Cybersecurity Practice Group, advising clients on compliance with all aspects of the EU/UK General Data Protection Regulation (GDPR), ePrivacy Directive and its national…

Nick Shepherd is an associate in Covington’s Washington, DC office, where he is a member of the Data Privacy and Cybersecurity Practice Group, advising clients on compliance with all aspects of the EU/UK General Data Protection Regulation (GDPR), ePrivacy Directive and its national implementing laws, EU/UK direct marketing laws, emerging state privacy laws in the United States, and other privacy and cybersecurity laws worldwide. Nick counsels on topics that include adtech, anonymization, children’s privacy, cross-border data transfers, data breach response, artificial intelligence, and much more, providing advice tailored to product- and service-specific contexts to help clients apply a risk-based approach in addressing requirements on transparency, consent, lawful processing, data sharing, and related issues.

A U.S.-trained and qualified lawyer with 7 years of working experience in Europe, Nick now leverages his multi-faceted legal background and international experience from the U.S. to provide clear and pragmatic advice to help organizations address their privacy compliance obligations across jurisdictions.

Read more about Nicholas ShepherdEmail
Show more Show less