Cross-Border Data Transfer Regimes: Current Landscape and Outlook Ahead

S. Yash Kalash

About CIGI

The Centre for International Governance Innovation (CIGI) is an independent, non-partisan think tank whose peer-reviewed research and trusted analysis influence policy makers to innovate. Our global network of multidisciplinary researchers and strategic partnerships provide policy solutions for the digital era with one goal: to improve people’s lives everywhere. Headquartered in Waterloo, Canada, CIGI has received support from the Government of Canada, the Government of Ontario and founder Jim Balsillie.

Credits

President, CIGI Paul Samson

Senior Fellow S. Yash Kalash

Director, Programs Dianna English

Program Manager Grace Wright

Publications Editor Lynn Schellenberg

Publications Editor Susan Bubak

Graphic Designer Abhilasha Dewan

Copyright © 2026 by the Centre for International Governance Innovation

The opinions expressed in this publication are those of the author and do not necessarily reflect the views of the Centre for International Governance Innovation or its Board of Directors.

For publications enquiries, please contact publications@cigionline.org.

The text of this work is licensed under CC BY 4.0. To view a copy of this licence, visit http://creativecommons.org/licenses/by/4.0/.

For reuse or distribution, please include this copyright notice. This work may contain content (including but not limited to graphics, charts and photographs) used or reproduced under licence or with permission from third parties. Permission to reproduce this content must be obtained from third parties directly.

Centre for International Governance Innovation and CIGI are registered trademarks.

67 Erb Street West Waterloo, ON, Canada N2L 6C2 www.cigionline.org

Executive Summary

Introduction

Conceptual and Legal Foundations

The 2025 Global Landscape

Comparative Analysis: Convergence or Fragmentation?

Emerging Trends and Future Outlook

Works Cited

About the Author

S. Yash Kalash is a CIGI senior fellow and an expert in strategy, public policy, digital technology and financial services. He has experience in emerging markets across India, the Middle East and North Africa (MENA) and the Asia-Pacific and a distinguished track record advising governments and the private sector on emerging technologies. His expertise spans various industries, including fintech, AI and digital assets, and their impact on geopolitics. His career includes key roles at Roland Berger, the Government of India, Adani Group and KPMG, where he spearheaded strategic digital projects, advised clients on their digital assets and AI strategy, and informed policy and regulatory developments. With an M.Sc. in management from Imperial College London and a B.Sc. in international relations and politics from the University of Bath, Yash combines deep strategic insight with strong training, making him a versatile and impactful leader in the field of digital economy.

Acronyms and Abbreviations

AfCFTA African Continental Free Trade Area

AI artificial intelligence

ANPD Agência Nacional de Proteção de Dados

APAC Asia-Pacific region

APEC Asia-Pacific Economic Cooperation

ASEAN Association of Southeast Asian Nations

BCRs binding corporate rules

CAC Cyberspace Administration of China

CBPR Cross-Border Privacy Rules [APEC]

CCPA California Consumer Privacy Act

CJEU Court of Justice of the European Union

CPPA Consumer Privacy Protection Act [Canada]

CPRA California Privacy Rights Act

CSL Cybersecurity Law of the People’s Republic of China

CUSMA Canada-United States-Mexico Agreement

DEFA Digital Economy Framework Agreement [ASEAN]

DEPA Digital Economy Partnership Agreement

DFFT data free flow with trust

DMF Data Management Framework [ASEAN]

DPA Data Protection Act

DPBI Data Protection Board of India

DPDP Act Digital Personal Data Protection Act [India]

DSL Data Security Law of the People’s Republic of China

EDPB European Data Protection Board

EU-US DPF EU-US Data Privacy Framework

G7 Group of Seven

G20 Group of Twenty

GDPR General Data Protection Regulation

GLBA Gramm-Leach-Bliley Act

GPAI Global Partnership on AI

HIPAA Health Insurance Portability and Accountability Act

IPEF Indo-Pacific Economic Framework for Prosperity

JSI Joint Statement Initiative

LGPD Lei Geral de Proteção de Dados Pessoais [Brazil]

MCCs model contractual clauses

OECD Organisation for Economic Co-operation and Development

PDP personal data protection

PDPA PDP Act [Thailand]

PDPC Personal Data Protection Commission [Singapore]

PETs privacy-enhancing technologies

PIPA Personal Information Protection Act [South Korea; Alberta; British Columbia]

PIPEDA Personal Information Protection and Electronic Documents Act [Canada]

PIPL Personal Information Protection Law of the People’s Republic of China

POPIA Protection of Personal Information Act [South Africa]

RCEP Regional Comprehensive Economic Partnership

RIPD Red Iberoamericana de Protección de datos

SCCs standard contractual clauses

SMEs small and medium-sized enterprises

WTO World Trade Organization

Executive Summary

Cross-border data transfers underpin the modern digital economy, enabling global trade, innovation and collaboration in an increasingly interconnected world. Yet, by 2025, regulatory regimes governing these transfers had become more complex and fragmented, shaped by competing imperatives of privacy, security and economic growth. This paper provides a comprehensive examination of cross-border data-transfer frameworks as they stood in 2025, analyzing key jurisdictions including the European Union, United States, China, India and emerging economies in Asia, Africa and Latin America alongside multilateral initiatives and regional trade agreements. Drawing on comparative legal analysis, policy review and case studies, the paper highlights how divergent regulatory philosophies produce both innovation and friction in global data flows.

Beyond mapping the current landscape, the paper explores emerging trends such as privacy-enhancing technologies, data intermediaries and the growing role of geopolitics in shaping data governance. It projects plausible scenarios for the evolution of cross-border data regimes through 2030 and offers actionable policy recommendations for governments, international organizations and enterprises seeking to navigate this shifting terrain. In doing so, it argues that the future of cross-border data transfers will hinge on achieving greater interoperability while safeguarding fundamental rights and national security interests.

This paper focuses on the overall legal and policy architecture of cross-border data transfer regimes and their geopolitical implications. While economic themes such as data valuation, taxation and rents are acknowledged, they fall outside this study’s scope. Readers interested in the economics of data governance are referred to recent (2025) works by the UN Statistical Commission, the International Monetary Fund and the Organisation for Economic Co-operation and Development (OECD).

Introduction

In the twenty-first century, data has emerged as both a critical economic resource and a strategic asset. From cloud computing and global supply chains to artificial intelligence (AI) models and digital financial services, the modern economy relies fundamentally on the ability to transfer data seamlessly across borders. Cross-border data transfers are estimated to contribute US$2.8 trillion to global GDP, a share that exceeds the global trade in goods and is expected to grow to $11 trillion by 2025.1 This value is shared by traditional industries such as agriculture, logistics and manufacturing, which realize 75 percent of the value of the data transfers.2 These transfers enable businesses, particularly small and medium-sized enterprises (SMEs), to reach customers and partners in foreign markets, while simultaneously empowering governments and international organizations to coordinate responses to issues ranging from public health to cybersecurity.

However, the growing dependence on data flows has been accompanied by a mounting set of regulatory, political and ethical challenges. Over the last decade, countries have begun to assert greater sovereignty over the data generated within their territories, often through privacy and security laws that restrict or condition the transfer of personal and non-personal data abroad. By 2025, this dynamic had given rise to a patchwork of cross-border data-transfer regimes, some grounded in privacy rights and fundamental freedoms, others in national security, economic protectionism or industrial policy.

1 See https://iccwbo.org/global-insights/data-governance/.

2 Ibid.

The tension between data mobility and data sovereignty is not new, but it has reached a critical inflection point. The European Union’s General Data Protection Regulation (GDPR), implemented in 2018, set a high benchmark for cross-border data protection, requiring mechanisms such as adequacy decisions, standard contractual clauses (SCCs) and binding corporate rules (BCRs) for international data flows.3 In contrast, jurisdictions such as the United States have historically favoured sector-specific, market-driven approaches, while China’s cybersecurity and data security laws impose strict outbound transfer assessments to protect national interests. India’s Digital Personal Data Protection (DPDP) Act, operationalized in the mid-2020s, adopts a hybrid approach that permits cross-border transfers to whitelisted jurisdictions under defined safeguards. In parallel, emerging economies in Africa, Latin America and Southeast Asia are crafting their own rules, often influenced by regional trade agreements and international development priorities.

This diversity has created significant operational complexity for multinational corporations, cloud providers and data-intensive industries. A company operating across the European Union, the United States, China and India in 2025 must navigate not only divergent legal requirements but also the uncertainty of ongoing reforms and legal challenges, such as the ramifications of court decisions in Europe following privacy violation cases brought against Facebook by Austrian lawyer Max Schrems,4 debates over a potential US federal privacy law and evolving positions on data localization in developing economies. The result is a global environment where cross-border data transfers are simultaneously indispensable and fraught with compliance risk.

3 See EC, Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), [2016] OJ, L 119/1 [GDPR].

4 Data Prot Comm’r v Facebook Ireland Ltd & Schrems, C-311/18, [2020] ECR I-0000, ECLI:EU:C:2020:559, online: <https://curia.europa.eu/juris/liste.jsf?num=C-311/18>.

Beyond legal fragmentation, geopolitics has amplified the stakes. Data is increasingly recognized as a lever of state power: governments frame data flows in the context of national security, technological competition and economic resilience. Initiatives such as the Group of Seven’s (G7’s) “data free flow with trust,” or DFFT, agenda and the Association of Southeast Asian Nations (ASEAN) Digital Economy Framework Agreement (DEFA) illustrate how states are both collaborating and competing to shape global data norms (ASEAN 2023). The ongoing rise of AI technologies further complicates the picture, as training large models often requires access to diverse data sets sourced from multiple jurisdictions, raising new concerns over privacy, bias and intellectual property.

Against this backdrop, 2025 represents a pivotal moment to assess where cross-border data transfer regimes stand and where they are headed. This paper seeks to address three interrelated research questions:

→ What is the current global landscape of cross-border data-transfer regimes in 2025, and how do leading jurisdictions approach data mobility and protection?

→ To what extent are these regimes converging toward interoperable frameworks, or fragmenting into incompatible regulatory silos?

→ What future scenarios and policy options might shape the evolution of cross-border data transfers through 2030?

Methodologically, this research draws on comparative legal analysis, secondary literature review and illustrative case studies of key jurisdictions and trade agreements. It considers statutory texts, regulatory guidance, multilateral instruments and industry reports to map trends and distill implications for stakeholders.

Ultimately, this paper argues that cross-border data transfers will remain a cornerstone of the digital economy, but their governance will demand creative policy solutions that reconcile divergent national interests with the imperatives of global interoperability. Achieving this balance is not merely a legal challenge; it is also a geopolitical, economic and ethical one.

Conceptual and Legal Foundations

Understanding cross-border data transfer regimes requires first unpacking the underlying concepts, principles and historical evolution that shape contemporary frameworks. This section sets out a shared vocabulary and traces the key legal mechanisms developed over the past decades.

Defining Cross‑Border Data Transfers

According to the UN Capital Development Fund, cross-border data flows encompass any transfer of data or information across sovereign boundaries (Keck et al. 2022). Thus, a cross-border data transfer occurs when personal or non-personal data is transmitted, accessed or otherwise made available from one jurisdiction to another. Unlike the physical movement of goods, data flows are instantaneous and often invisible, taking place through cloud infrastructures, distributed servers or remote access by foreign entities. Cross-border transfers may involve:

→ direct transfer, in which data is sent from one data controller or processor in country A to another in country B;

→ remote access, which enables users, employees or partners in a foreign jurisdiction to access data stored domestically; and

→ processing in multi-jurisdictional cloud environments, where data may be mirrored or cached across multiple data centres worldwide.

These transfers are vital for global commerce, yet they raise risks: privacy violations, loss of regulatory control and exposure to foreign surveillance regimes. As a result, many countries impose conditions on such transfers, balancing the economic imperative of data mobility against sovereign interests.

Key Principles Governing Cross-Border Transfers

Despite divergent national approaches, several shared principles have emerged as anchors for cross-border data-governance regimes, as follows.

Adequacy and Equivalence

Some jurisdictions, notably the European Union, allow outbound data flows only to countries deemed to provide an “adequate” level of protection.5 Adequacy decisions involve holistic assessments of a country’s legal framework, enforcement capacity and redress mechanisms.

Safeguards and Accountability

Where no adequacy finding exists, businesses may rely on legally prescribed safeguards such as SCCs, BCRs or approved codes of conduct.6 These instruments allocate responsibility and ensure protection travels with the data.

Purpose Limitation and Data Minimization

Data transfers must align with specified purposes and use minimal data necessary to achieve them.7 These principles aim to mitigate risks in jurisdictions with weaker protections.

Data Sovereignty and Localization

Some countries condition or restrict transfers by requiring data to be stored or processed locally (Zedroit Articles 2023). This reflects growing concerns over foreign surveillance, cybersecurity and economic development, but often at the cost of efficiency and innovation.

Evolution of Cross-Border Data Transfer Mechanisms

The legal architecture for cross-border data flows did not emerge overnight. Instead, it evolved alongside the rise of the global internet and the information economy.

Early Soft-Law Instruments (1980s–2000s)

In 1980, the OECD issued Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, which were among the first international attempts to reconcile data mobility with privacy protection (OECD 2002). These voluntary guidelines inspired national laws but lacked enforceable obligations. Similarly, the 1995 EU Data Protection Directive introduced restrictions on transfers but allowed certain derogations through contractual mechanisms.8

5 See https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en.

6 See www.edpb.europa.eu/sme-data-protection-guide/international-data-transfers_en#:~:text=Standard%20contractual%20clauses%20(SCCs)%20are,controller%20in%20a%20third%20country.

7 See “Purpose Limitation” at www.dataprotection.ie/en/individuals/data-protection-basics/principles-data-protection.

The GDPR Era (2018 Onward)

The European Union’s GDPR revolutionized the field by introducing extraterritorial scope, harmonized rules and robust enforcement (Gstrein and Zwitter 2021). Articles 44–50 of the GDPR codified mechanisms for lawful cross-border transfers, including:

→ adequacy decisions by the European Commission;

→ standard contractual clauses as default safeguards;

→ binding corporate rules for multinational groups; and

→ limited derogations for specific cases (for example, explicit consent or public interest).9

Rise of Localization and National Security Concerns (2015–2025)

As data became recognized as a strategic asset, countries such as China, Russia and India introduced localization mandates and stringent security assessments. China’s Personal Information Protection Law (PIPL) and Data Security Law (DSL) require security assessments before exporting certain categories of data.10 Russia’s Federal Law No. 242-FZ mandates that personal data of Russian citizens be stored on servers located within Russia (World Intermediary Liability Map 2014). India’s DPDP Act adopts a selective approach, allowing cross-border transfers only to a list of “trusted” jurisdictions notified by the government (Sangwan and Husain 2024).

Regional and Multilateral Developments

In parallel, regional groupings have pursued interoperable mechanisms:

→ The Asia-Pacific Economic Cooperation (APEC) Cross-Border Privacy Rules (CBPR) system, a certification mechanism adopted by several Asia-Pacific (APAC) economies, promotes accountability and trust in data flows (APEC 2019).

→ The ASEAN Data Management Framework provides guidance for member states and businesses, encouraging alignment of transfer practices (Watanabe, Ogura and Oikawa 2025).

→ Trade agreements such as the Comprehensive and Progressive Agreement for Trans-Pacific Partnership (Fujii and Muromachi 2024) and the Digital Economy Partnership Agreement (DEPA) include commitments to “allow the cross-border transfer of information by electronic means, including personal information, when this activity is for the conduct of the business of a covered person.”11

→ The World Trade Organization’s (WTO’s) Joint Statement Initiative (JSI): One of the most ambitious multilateral efforts to regulate cross-border data flows remains the WTO’s JSI on e-commerce, launched in 2019 and supported by 91 WTO members as of June 2024 (Jose and Kaukab 2024, 2). The JSI aims to develop binding global rules on digital trade, including provisions related to data flows, data localization, source-code disclosure and consumer protection (Digital Trade Alliance 2023). After nearly five years of negotiation, the participants crossed an important milestone on July 26, 2024: they delivered a “stabilized text,” that is, a largely final version of the agreement’s legal text (Jose 2024).

Core Legal Instruments and Mechanisms

A comparative analysis (see Tables 1 and 2) reveals several common tools embedded in diverse regimes:

→ SCCs: Pre-approved templates that establish obligations on data importers and exporters to protect data subject rights. These templates are widely used but require adaptation to local law.12

→ BCRs: Internal policies approved by regulators, allowing multinationals to transfer data within their corporate group (PwC 2019).

→ Codes of conduct and certifications: Mechanisms such as APEC’s CBPR or EU certifications provide scalable compliance pathways (OneTrust 2021).

→ Security assessments and permits: Used by China and others, these require regulators to vet data exports based on categories, volume or sensitivity (Baig and Sattar 2023).

8 See Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, [1995] OJ, L 281/1, 23.11.1995 at 31–50, online: <https://eur-lex.europa.eu/eli/dir/1995/46/oj/eng>.

9 See https://gdpr-info.eu/chapter-5/.

10 See https://personalinformationprotectionlaw.com/ and Junck et al. (2021).

11 See Digital Economy Partnership Agreement, 12 June 2020, [2020] NZTS 4, art 4.3(2).

Table 1: Overview of Key Cross-Border Data Transfer Mechanisms

| Mechanism | Description | Key Jurisdictions Using It | Advantages | Limitations |
| --- | --- | --- | --- | --- |
| Adequacy decisions | Regulatory determination that a foreign jurisdiction provides an “adequate” level of data protection | European Union (GDPR), United Kingdom, Japan, several others | Simplifies compliance; no additional safeguards needed | Slow political process; can be revoked (e.g., Schrems II invalidating Privacy Shield) |
| SCCs | Pre-approved contractual terms binding exporters and importers to GDPR-equivalent protections | European Union, adopted/replicated by others | Flexible; widely used by multinationals | Must be customized; risk assessments needed; subject to evolving jurisprudence |
| BCRs | Internal policies for intra-group transfers approved by regulators | European Union, United Kingdom, some APAC jurisdictions | Enables large multinational corporations to streamline internal transfers; strong accountability framework | Lengthy approval process; applies only within a corporate group |
| Codes of conduct and certifications | Sector-specific or general frameworks endorsed by regulators (e.g., APEC CBPR) | APEC members, European Union (article 40/42 certifications) | Scalable and transparent; fosters trust in specific industries | Limited global recognition; few mature schemes |
| Security assessments and permits | Governmental review before data export based on sensitivity or volume | China (PIPL, DSL), Russia, some Gulf states | Protects national security; context-specific | Burdensome process; may deter investment; limited predictability |

Source: Author.

Table 2: Comparison of Key Mechanisms at a Glance

| | Adequacy decisions | SCCs | BCRs |
| --- | --- | --- | --- |
| Nature | Regulatory determination | Contractual safeguard | Internal compliance policy |
| Scope | Country-wide | Entity-to-entity | Intra-group (multinational) |
| Approval needed | By data protection authority/government | No prior approval; use templates | Formal approval by regulators |
| Ease of use | High (if adequacy exists) | Moderate (requires customization and risk assessment) | Low (lengthy, resource-intensive) |
| Flexibility | Low (limited to approved countries) | High (can be tailored to specific transfers) | Medium (applies only within group) |
| Global recognition | Limited (mostly EU and UK decisions) | Broadly recognized and emulated | Growing but still EU-centric |
| Examples | EU-Japan adequacy, EU-UK adequacy | EU SCCs (2021 versions) | Approved BCRs by France’s Commission Nationale de l’Informatique et des Libertés, the UK Information Commissioner’s Office, etc. |

Source: Author.

12 See https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/new-standard-contractual-clauses-questions-and-answers-overview_en.

The 2025 Global Landscape

Cross-border data-transfer regimes have moved from being niche regulatory issues to central pillars of national digital strategies. By 2030, every major economy will have established its own rules, creating a landscape that is both dynamic and fragmented. While some jurisdictions have chosen to prioritize the free flow of data to stimulate trade and innovation, others have tightened controls in the name of privacy, security or sovereignty. This divergence means that multinational organizations must now navigate a complex web of overlapping obligations and restrictions, often with significant operational and legal risk.

In recent years, the geopolitical dimension of data governance has intensified. Policy makers increasingly view data as a strategic asset — one that can fuel domestic innovation ecosystems, shape national security postures and influence global economic competition. As a result, frameworks for cross-border data transfers are no longer purely technical or legal instruments; they are manifestations of deeper political, cultural and economic priorities.

This section examines the key jurisdictions and regions that have shaped the global conversation in 2025. It examines how their regimes function in practice, the mechanisms they rely on and the pressures, both domestic and international, that influence their policy choices. While each jurisdiction is unique, common themes emerge: the ongoing quest to balance economic openness with data protection, the search for interoperable standards, and the role of trade agreements and diplomatic initiatives in bridging regulatory gaps.

The analysis proceeds through individual subsections that focus on:

→ the European Union and its post-Schrems regulatory recalibration;

→ the United States and the interplay between federal initiatives and state-level privacy laws;

→ China and its security-driven outbound transfer controls;

→ India and its emerging selective-transfer framework under the DPDP Act;

→ APAC and ASEAN countries as laboratories for interoperability and business-friendly certifications; and

→ Africa and Latin America as rising players whose regimes reflect both global trends and local priorities.

Each subsection will outline the jurisdiction’s legal architecture, highlight recent developments up to 2025, and identify key challenges and opportunities for cross-border data flows. Together, these case studies paint a comprehensive picture of the current state of global data transfer governance and lay the foundation for the comparative analysis in the following section.

The European Union: A Rights-Driven Anchor in Cross-Border Data Governance

The European Union remains the most influential jurisdiction in shaping global norms for cross-border data transfers. By 2025, the European Union’s data-protection framework, centred on the GDPR, continued to serve as a benchmark for other countries. Yet the European Union itself has undergone significant recalibration, in response to legal developments, geopolitical pressures and the practical challenges of enforcing its high standards in a fragmented digital ecosystem.

Legal Architecture and Transfer Mechanisms

The GDPR’s provisions on international data transfers (articles 44–50) remain the cornerstone of the EU regime.13 Transfers of personal data outside the European Economic Area are lawful only under one of three conditions:

→ Adequacy decisions: The European Commission may declare that a third country offers an “adequate level of protection,” permitting free flows of data without additional safeguards. By 2025, the European Union will have adequacy arrangements with more than a dozen jurisdictions, including Japan, South Korea and the United Kingdom (Sørensen 2024).

→ SCCs: For countries lacking adequacy, organizations rely on SCCs updated in 2021 to reflect post-Schrems II requirements as a baseline safeguard (Cookiebot by Usercentrics 2024). These clauses bind both parties to GDPR-equivalent protections and require risk assessments, particularly in light of potential foreign surveillance practices.

→ BCRs: Multinational corporations may adopt binding corporate rules for intra-group transfers, provided they obtain approval from EU data-protection authorities.14

Supplementary measures such as encryption, pseudonymization and data minimization are often required to ensure that transferred data remains secure against unlawful access.

Post-Schrems Developments

The EU landscape in 2025 was shaped profoundly by the aftermath of the CJEU’s Schrems II decision (2020), which invalidated the EU-US Privacy Shield (Hunt 2020). In response, the EU-US Data Privacy Framework (EU-US DPF) was negotiated and implemented, coming into effect in 2023.15 While the framework restored a pathway for transatlantic data flows, it remains under close scrutiny from privacy advocates and is expected to face further legal challenges.

Meanwhile, the European Data Protection Board ([EDPB] 2021) has issued extensive guidance on transfer impact assessments, instructing companies to evaluate foreign surveillance laws and implement supplementary measures before relying on SCCs. This guidance has forced organizations to adopt more sophisticated compliance programs and invest heavily in privacy-enhancing technologies.

Interactions with Broader EU Digital Policy

The European Union’s cross-border transfer rules do not exist in isolation; they interact with a broader digital policy agenda. The Digital Markets Act16 and the Digital Services Act (Wolf Theiss 2023), both operational by 2024, impose obligations on large online platforms that indirectly affect data flows. The EU Data Act17 and the EU AI Act (European Parliament [2023] 2025) introduce new rules for data access, portability and governance, which will further influence how and where data can be processed.

Notably, the European Union is also championing international initiatives such as the DFFT framework discussed at the G7 and OECD levels, signalling a willingness to engage in multilateral solutions while maintaining its rights-centric stance.

13 See https://gdpr-info.eu/chapter-5/.

14 See https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/binding-corporate-rules-bcr_en.

15 See www.dataprivacyframework.gov/Program-Overview.

16 See https://digital-markets-act.ec.europa.eu/index_en.

17 See https://digital-strategy.ec.europa.eu/en/factpages/data-act-explained.

Challenges and Opportunities

Despite its sophistication, the EU regime faces several challenges:

→ Legal uncertainty: Constant litigation and evolving adequacy reviews create uncertainty for businesses, particularly regarding data flows to the United States and emerging markets.

→ Compliance costs: SMEs often struggle with the resource burden of conducting transfer impact assessments and implementing supplementary safeguards.

→ Geopolitical tensions: The European Union’s insistence on high standards sometimes clashes with trading partners who perceive these requirements as protectionist or overly stringent.

However, opportunities abound:

→ The European Union’s regulatory clarity and enforcement rigour make it a trusted hub for global data processing.

→ Adequacy decisions and participation in frameworks such as the EU-US DPF can expand safe channels for data mobility.

→ The European Union’s leadership in privacy-enhancing technologies (PETs) and certifications (such as EU-approved codes of conduct) positions it as a global innovator in privacy-friendly data governance.

Key Takeaways

The European Union’s approach to cross-border data transfers in 2025 exemplifies a rights-driven model that prioritizes individual privacy and robust safeguards. While it creates friction in some international contexts, it also sets a high benchmark and drives global discourse toward greater accountability and trust in data flows. For multinational organizations, navigating the EU framework remains a complex but indispensable exercise in ensuring lawful and ethical cross-border operations.

The United States: A Market-Driven Yet Evolving Approach

The United States has historically taken a more market-driven and sector-specific approach to data governance. By the end of 2025, the United States remained a critical node for global data flows, home to many of the world’s largest cloud providers, social media platforms and AI firms. Yet the absence of a single comprehensive federal privacy law continues to create a patchwork regulatory environment, with significant implications for cross-border data transfers.

Legal Architecture and Transfer Mechanisms

Unlike the European Union, the United States does not impose broad restrictions on outbound data flows. Data can generally move freely from the United States to other jurisdictions, subject to specific sectoral rules (DLA Piper 2025c) such as those under the Health Insurance Portability and Accountability Act (HIPAA)18 for health data or the Gramm-Leach-Bliley Act (GLBA) for financial data.19 Instead, the US regulatory landscape focuses on the following:

→ Federal sectoral laws: Rules vary by data type and industry.

→ State-level privacy laws: Notably, the California Consumer Privacy Act (CCPA) and its amendment, the California Privacy Rights Act (CPRA), have created de facto national standards due to the size of California’s market (Bonta 2024). By the end of 2025, other states, including Virginia, Colorado, Connecticut and Utah, will most likely have also implemented similar laws.

→ Self-regulation and industry standards: Many US firms rely on internal compliance frameworks and certifications to demonstrate responsible data handling to international partners.

Transfers from the European Union or other strict jurisdictions into the United States are subject to those jurisdictions’ export rules, leading to mechanisms such as the following:

→ The EU-US DPF: Operational since 2023, this mechanism allows certified US companies to receive personal data from the European Union under enhanced safeguards.

→ SCCs: US companies routinely enter into SCCs with foreign partners to meet foreign legal requirements.

→ Ad hoc agreements: These are negotiated clauses or supplementary measures, often involving encryption and pseudonymization, tailored to the data and jurisdiction.

18 See www.hhs.gov/hipaa/for-professionals/privacy/laws-regulations/index.html.

19 See www.ftc.gov/business-guidance/privacy-security/gramm-leach-bliley-act.

The Push for a Federal Privacy Law

The absence of a federal privacy statute has long been viewed as a gap in US data governance. In 2023 and 2024, significant congressional debate centred on the American Data Privacy and Protection Act, a proposed federal law that would harmonize standards and address cross-border data issues (Kerry 2024). While political divisions delayed its passage by early 2025, the momentum for a federal baseline has grown stronger, driven by:

→ pressure from trading partners (particularly the European Union) for greater legal certainty;

→ the operational burden on companies navigating inconsistent state laws; and

→ heightened public concern over AI training data, biometric information and children’s privacy.

Although a comprehensive federal law was not yet in force at time of writing (December 2025), many analysts expect movement by 2026, which could create clearer frameworks for international data flows.

National Security, Surveillance and Trust

A persistent challenge for US data-transfer relationships is foreign concern over US surveillance practices. Programs authorized under Section 702 of the Foreign Intelligence Surveillance Act (Federal Bureau of Investigation 2024) and Executive Order 12333 (Mann 2014) have been focal points in European court cases (such as Schrems II) and broader debates over trust.

In response, the US government has undertaken reforms to strengthen oversight and transparency:

→ Executive Order 14086 (2022) and subsequent regulations introduced enhanced redress mechanisms for non-US persons and increased proportionality checks on intelligence collection (Office of Civil Liberties, Privacy and Transparency, n.d.).

→ The EU-US DPF incorporates these safeguards, offering independent redress through the Data Protection Review Court for EU citizens whose data is transferred to the United States.

These reforms have improved perceptions but not eliminated skepticism, making trust building an ongoing task.

Emerging Trends and Industry Adaptation

The US private sector remains at the forefront of PETs and compliance innovation. By 2025:

→ Major cloud providers were offering “regional data zones” that allow customers to restrict storage and processing to certain geographies.20

→ AI companies were increasingly adopting federated learning and synthetic data generation to reduce reliance on sensitive cross-border data sets (Moran 2025; Wissen Technology Team 2025).

→ Certification schemes aligned with international standards (for example, ISO/IEC 27701) are gaining traction as signals of accountability.

Trade agreements such as the Canada-United States-Mexico Agreement (CUSMA) and the Indo-Pacific Economic Framework (IPEF) incorporate provisions favouring cross-border data flows and prohibiting data-localization mandates, underscoring the US commitment to an open data economy.

Challenges and Opportunities

Challenges:

→ The lack of a comprehensive federal framework continues to create uncertainty and complexity for global partners.

→ Ongoing legal challenges to the EU-US DPF or surveillance reforms could reignite transatlantic friction.

→ Diverging state laws risk further fragmentation if federal harmonization is delayed.

20 See https://cloud.google.com/compute/docs/regions-zones; https://azure.microsoft.com/en-us/explore/global-infrastructure/geographies.

Opportunities:

→ The United States’ innovation-driven ecosystem positions it as a leader in privacy technology and interoperable compliance solutions.

→ Trade diplomacy allows the United States to shape emerging digital norms, particularly in the Indo-Pacific and the Americas.

→ Movement toward federal privacy legislation could reduce barriers and build global trust.

Key Takeaways

The United States in 2025 exemplifies a pragmatic, market-driven approach to data governance, tempered by increasing recognition of the need for harmonization and trust. Its role as a global hub for data processing and innovation makes it indispensable in any discussion of cross-border data transfers, yet its patchwork regulatory structure and surveillance legacy remain sources of friction. For multinational organizations, proactive engagement with evolving US standards and participation in frameworks such as the EU-US DPF are essential strategies for maintaining lawful and resilient data flows.

China: Security-Driven Controls and Strategic Data Sovereignty

China’s approach to cross-border data governance is among the most restrictive globally, reflecting its dual objectives of protecting national security and asserting technological sovereignty. By 2025, China had implemented a layered regulatory framework that conditions outbound data transfers on stringent security assessments, industry-specific approvals and government oversight. These measures are deeply embedded in China’s broader vision of data as a strategic resource underpinning economic development, social stability and geopolitical influence.

Legal Architecture and Transfer Mechanisms

China’s framework for cross-border data transfers rests on three key statutes:

→ Cybersecurity Law of the People’s Republic of China (CSL), 2017: The CSL introduced initial data-localization mandates for critical information infrastructure operators, requiring them to store data domestically and undergo security assessments before exporting personal or “important” data (InCountry Staff 2024).

→ Data Security Law of the People’s Republic of China (DSL), 2021: The DSL established a national security lens for all data activities, classifying data by importance and implementing stricter controls for “important” and “core” data.21

→ Personal Information Protection Law of the People’s Republic of China (PIPL), 2021: The PIPL is China’s first comprehensive privacy law, modelled in part on the GDPR, but with unique Chinese characteristics. The PIPL requires personal information handlers to meet one of several conditions for outbound transfers (DLA Piper 2025a), including:

– passing a government security assessment organized by the Cyberspace Administration of China (CAC);

– obtaining certification from an accredited institution;

– entering into a standard contract with the overseas recipient based on CAC templates; or

– meeting other conditions prescribed by laws or regulations.

As of 2023–2025, the CAC’s Measures on Security Assessment for Outbound Data Transfer were in full effect. These measures obligate companies transferring data above certain thresholds (for example, one million individuals’ personal information) to submit to formal security reviews (Bird and Li 2024).

21 Data Security Law of the People’s Republic of China (Adopted at the 29th Meeting of the Standing Committee of the Thirteenth National People’s Congress on June 10, 2021), Order of the President of the People’s Republic of China No. 84, online: <www.npc.gov.cn/englishnpc/c2759/c23934/202112/t20211209_385109.html>.

Implementation and Regulatory Environment

Implementation has been deliberate and tightly managed. By 2025:

→ Multinational corporations operating in China (for example, cloud providers, automotive firms, e-commerce platforms) must conduct data mapping and classify information according to sensitivity before initiating exports.

→ Security assessments require detailed submissions covering data types, transfer purposes, overseas recipient profiles and risk mitigation measures. The CAC’s approval process is often lengthy and, in some cases, opaque, leading to business uncertainty.

→ The standard contract mechanism introduced in 2023 has seen cautious adoption, but organizations remain wary of regulatory interpretation and enforcement practices.

China’s legal environment also prioritizes local storage and processing, incentivizing companies to invest in onshore data centres. Foreign firms often partner with domestic cloud providers (via joint ventures or licensing arrangements) to comply with these rules.

Data Sovereignty and Geopolitics

China’s restrictive stance is not purely regulatory; it is tied to broader geopolitical strategy. Data is viewed as a national resource, critical to:

→ national security, by preventing foreign access to sensitive information on citizens, infrastructure and supply chains;

→ economic development, by supporting domestic AI training, analytics and big-data ecosystems through localized data pools; and

→ technological self-reliance, by reducing dependence on foreign platforms and enhancing control over digital infrastructure.

In multilateral fora, China advocates for a vision of “cyber sovereignty,” emphasizing each state’s right to control information flows within its borders. This vision contrasts with Western concepts of open data flows, contributing to competing models in global governance discussions.

Industry Adaptation and Emerging Trends

Operating under China’s regime in 2025 requires significant adaptation:

→ Localization strategies: Many global firms now maintain separate China-specific data infrastructures and compliance teams to meet regulatory demands.

→ PETs: To minimize outbound transfer needs, firms may need to deploy technologies that enhance privacy, such as federated learning (that is, training AI models locally while sharing only parameters) and differential privacy techniques.

→ Sectoral nuances: Certain industries such as health care, mapping and finance face additional export restrictions, while others benefit from pilot programs encouraging secure data sharing for research and innovation.

Challenges and Opportunities

Challenges:

→ High compliance costs and procedural uncertainty deter some foreign investment and innovation.

→ Fragmentation within Chinese regulations (overlapping CSL, DSL, PIPL requirements) creates legal complexity.

→ Tensions between China’s restrictive approach and global interoperability limit the scalability of cross-border operations.

Opportunities:

→ Companies that successfully localize and integrate into China’s ecosystem gain access to one of the world’s largest digital markets.

→ Participation in Belt and Road digital initiatives may offer pathways for data sharing with partner states under Chinese standards.

→ Emerging guidance from regulators and evolving standard contract mechanisms may gradually provide greater predictability.

Key Takeaways

China’s cross-border data transfer regime in 2025 is defined by caution, control and strategic intent. While the PIPL and related measures formally allow outbound transfers under specific conditions, the practical reality is one of limited and carefully scrutinized data flows. For multinational enterprises, operating in China requires a fundamentally different compliance mindset, one that prioritizes localization, anticipates regulatory reviews and aligns with China’s vision of data sovereignty. As China’s digital economy continues to grow, its approach will remain a powerful counterpoint to more open, interoperability-driven regimes elsewhere.

India: A Selective and Pragmatic Approach Under the DPDP Act

India has emerged as one of the most closely watched jurisdictions in global data governance. With a rapidly digitizing economy, a burgeoning tech sector and ambitions to position itself as a trusted partner in global digital trade, India’s approach to cross-border data transfers in 2025 reflects a delicate balancing act, one of enabling global integration while safeguarding domestic interests. The DPDP Act, enacted in 2023 and operational by November 2025, forms the backbone of this approach.

Legal Architecture and Transfer Mechanisms

The DPDP Act replaced India’s earlier draft frameworks, many of which contained sweeping data localization mandates. The final version adopts a more pragmatic stance, allowing cross-border transfers but subject to government oversight and selective conditions. Key features include:

→ Permitted jurisdictions (“whitelist”): The central government, in consultation with the Data Protection Board of India (DPBI), notifies specific countries or territories to which personal data may be transferred. By 2025, India had issued an initial whitelist comprising jurisdictions with comparable data-protection standards and strong enforcement regimes (including the European Union, Japan, Singapore and the United Kingdom) (Data Secure 2025).

→ General permission subject to safeguards: For data flows to whitelisted jurisdictions, businesses must ensure compliance with the DPDP Act’s broader principles, including purpose limitation, data minimization and security safeguards.

→ Prohibition or restriction for non-whitelisted destinations: Transfers to non-whitelisted jurisdictions are generally prohibited, unless specifically exempted for reasons such as public interest, contractual necessity or international agreements.

The DPDP Act does not (as of 2025) mandate universal data localization but allows sector-specific localization rules under separate regulations, particularly in sensitive domains such as payments and health data.

Implementation and Regulatory Environment

The DPBI, constituted in 2024, is the primary regulator overseeing compliance and enforcing cross-border transfer rules (Software Freedom Law Center 2025). Early implementation has seen:

→ guidelines for identifying “adequate” jurisdictions based on data-protection laws, reciprocity and enforcement capabilities;

→ industry consultations to clarify documentation and notification requirements for outbound transfers; and

→ a phased enforcement approach, giving businesses, SMEs in particular, time to adapt through awareness campaigns and regulatory sandboxes.

The DPBI has also encouraged the use of contractual clauses and technical measures aligned with global best practices, signalling India’s intention to harmonize with international standards while retaining sovereign control.

Strategic Context and Policy Drivers

India’s selective approach reflects its twin objectives:

→ Economic ambition: As a hub for information technology services, cloud computing and business process outsourcing, India depends on cross-border data flows for revenue and global competitiveness. Restrictive localization could harm these industries and deter foreign investment.

→ Sovereignty and trust: At the same time, India is keen to protect its citizens’ data from misuse or foreign surveillance and to retain leverage in global data negotiations. The whitelist mechanism allows flexibility to condition transfers on reciprocity and evolving diplomatic relationships.

India’s position also aligns with its broader role in global digital policy. In discussions and fora such as the Group of Twenty (G20) and the Global Partnership on AI (GPAI), India has advocated for DFFT, but with a strong emphasis on data sovereignty tempered by national interest.

Industry Adaptation and Market Implications

Businesses operating in and from India have responded by:

→ reviewing transfer chains: mapping cross-border data flows to ensure destinations are whitelisted and compliant;

→ adopting contractual safeguards: incorporating data-protection addenda modelled on SCCs to demonstrate due diligence; and

→ investing in regional infrastructure: exploring hybrid strategies, such as hosting sensitive data sets in India while using anonymization or tokenization for analytics abroad.

The DPDP Act also encourages innovation in PETs and has spurred growth in domestic data-protection service providers.

Challenges and Opportunities

Challenges:

→ Uncertainty remains around how quickly and comprehensively the government will expand the whitelist.

→ Sector-specific regulators (for example, the Reserve Bank of India for financial data) may impose additional restrictions, creating overlap or confusion.

→ Compliance costs for smaller firms, especially for exporters of information technology services, remain a concern.

Opportunities:

→ India’s pragmatic approach positions it as an attractive jurisdiction for foreign investment and a potential bridge between restrictive and liberal regimes.

→ Clearer rules create opportunities for compliance consultancies, privacy tech start-ups and certification schemes.

→ India’s active participation in trade agreements (such as negotiations around the IPEF’s digital trade pillar) could lead to new interoperable transfer mechanisms.

Key Takeaways

India’s cross-border data transfer regime in 2025 reflects a selective openness: a framework that permits data mobility to trusted jurisdictions while preserving sovereignty and security interests. Through the DPDP Act and the emerging whitelist mechanism, India aims to position itself as both a guardian of its citizens’ data and a facilitator of global digital commerce. For multinational organizations, success in India hinges on proactive compliance planning, continuous monitoring of whitelist updates and alignment with India’s broader digital trade strategy.

APAC and ASEAN: Laboratories of Interoperability

APAC presents one of the most diverse yet innovation-driven landscapes for cross-border data governance. Within the region, ASEAN has taken a particularly proactive role in fostering interoperable data transfer regimes to enable regional digital trade. By 2025, the APAC and ASEAN economies illustrate a spectrum of approaches ranging from rights-driven frameworks, such as Japan’s, to trust-building certification systems in Singapore and South Korea, bound together by shared commitments to economic growth and regional integration.

Regional Frameworks and Mechanisms

→ APEC CBPR system: A cornerstone of the Asia-Pacific approach is the CBPR system, originally launched by the APEC forum. The CBPR is a voluntary, accountability-based certification mechanism that allows participating economies to recognize each other’s privacy certifications (APEC 2019). By 2025, the CBPR had evolved into CBPR+, incorporating new standards for AI governance and data protection accountability. Economies such as Japan, Singapore, South Korea, the Philippines and Mexico (outside ASEAN) actively participate (Choi, Ryoko and Young 2025).

→ The ASEAN Data Management Framework (DMF) and the ASEAN Model Contractual Clauses for Cross Border Data Flows (MCCs): ASEAN member states Brunei, Cambodia, Indonesia, Laos, Malaysia, Myanmar, the Philippines, Singapore, Thailand and Vietnam have taken steps toward harmonization through the DMF (ASEAN 2021a), which provides best-practice guidelines on internal data governance, data-sharing policies and security measures, and MCCs, published in 2021 (ASEAN 2021b) and updated in 2024, which enable cross-border transfers by providing standardized legal terms similar to the European Union’s SCCs but tailored to the ASEAN context (Parson and Liu 2021).

These mechanisms are designed to promote trust while avoiding unnecessary data localization barriers, thereby stimulating cross-border e-commerce and cloud services within the region.

Jurisdictional Snapshots

→ Singapore: Singapore’s Personal Data Protection Act (PDPA) allows international transfers if organizations ensure comparable protection abroad (DLA Piper 2025b). The Personal Data Protection Commission (PDPC) of Singapore actively promotes CBPR participation and has published detailed guidance on using ASEAN MCCs (PDPC of Singapore 2021). Singapore serves as a regional data hub, offering legal clarity and strong infrastructure.

→ Japan: Japan has an EU adequacy decision (since 2019) and aligns closely with GDPR principles.22 It participates in CBPR and has established an independent Personal Information Protection Commission that works with global regulators (FPF Staff 2014).

→ South Korea: South Korea secured an EU adequacy decision in 2022 and has embraced CBPR. Its Personal Information Protection Act (PIPA) is among the strictest in Asia, with robust enforcement (Psomiadi 2025).

→ Indonesia and Thailand: Both have enacted comprehensive personal data protection (PDP) laws (Indonesia’s PDP Law in 2022, Thailand’s PDP Act [PDPA] in 2021) that allow outbound transfers subject to “adequate protection” in the destination country or contractual safeguards (Deradjat et al. 2025, para. 1; Paiboon et al. 2024).

→ Vietnam and Malaysia: These jurisdictions are developing updated guidance on cross-border transfers, with Vietnam introducing amendments to cybersecurity law in 2023 to clarify localization exemptions (Dinh 2025).

22 Commission Implementing Decision (EU) 2019/419 of 23 January 2019 pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the adequate protection of personal data by Japan under the Act on the Protection of Personal Information, [2019] OJ, L 76, online: <https://eur-lex.europa.eu/eli/dec_impl/2019/419/oj/eng>.

Regional Integration and Digital Trade

A defining feature of ASEAN’s approach is its emphasis on regional integration. Digital trade agreements and cooperation platforms encourage member states to adopt consistent practices. For example:

→ The ASEAN DEFA, under negotiation in 2024–2025, seeks to establish common rules on data flows, digital identities and cybersecurity, including commitments to avoid unnecessary data localization measures (Hourn 2025).

→ The RCEP, in force since 2022, includes provisions promoting cross-border data flows and discouraging barriers (Reza 2024).

These agreements build on ASEAN’s long-standing principle of “open regionalism,” which aligns with global norms while retaining flexibility for national differences.

Challenges and Opportunities

Challenges:

→ Legal fragmentation persists: Despite regional initiatives, national laws vary in scope, definitions and enforcement intensity, requiring businesses to tailor compliance strategies.

→ Enforcement disparities: Some ASEAN states have nascent regulatory authorities, creating uncertainty about practical oversight.

→ Geopolitical pressures: US-China tensions and differing approaches to cybersecurity influence national policies, occasionally slowing harmonization.

Opportunities:

→ Model for interoperability: ASEAN’s MCCs and the CBPR system demonstrate scalable, business-friendly approaches that other regions are beginning to emulate.

→ Hub for digital trade: Singapore, Japan and South Korea position the region as a testbed for privacy-enhancing technologies and data trust models.

→ Growing influence in multilateral fora: ASEAN economies are active in OECD, G20 and WTO e-commerce negotiations, advocating balanced frameworks.

Key Takeaways

The APAC and ASEAN landscape in 2025 illustrates a pragmatic, innovation-oriented path for cross-border data governance. Through mechanisms such as CBPR+ and ASEAN MCCs, the region fosters trusted data flows while avoiding the heavy localization mandates seen elsewhere. While challenges remain, particularly in harmonizing enforcement and bridging geopolitical divides, APAC and ASEAN countries stand out as laboratories for interoperability, offering valuable lessons for other parts of the world.

Africa and Latin America: Emerging Regimes and Regional Ambitions

Africa and Latin America have historically been seen as “rule takers” in global data governance, often aligning with frameworks set by larger economies. By 2025, however, both regions were emerging as active shapers of cross-border data transfer regimes, balancing global integration with local development priorities. Their regulatory landscapes remain varied, but they share a growing commitment to embedding privacy and data sovereignty in law while seeking interoperability with international partners.

Africa: Continental Momentum with National Diversity

Legal architecture: Across Africa, a wave of data protection legislation has taken hold in the last decade, inspired by the European Union’s GDPR and regional initiatives:

→ African Union Convention on Cyber Security and Personal Data Protection (Malabo Convention): Adopted in 2014, it provides a template for national data laws. By 2025, more than 20 African countries have ratified or aligned their domestic frameworks with its principles.23

→ National examples:

– Kenya’s DPA, 2019 creates a regime similar to that of the GDPR, with provisions for cross-border transfers subject to adequacy assessments or contractual safeguards.24

– The Nigeria Data Protection Act 2023 empowers the Nigeria Data Protection Commission to approve mechanisms for outbound flows.25

– South Africa’s Protection of Personal Information Act (POPIA) restricts transfers to countries with “adequate” protections, or otherwise requires contractual safeguards (Sulaiman 2022).

Regional integration efforts: The Smart Africa Alliance (African Development Bank Group 2023) and African Continental Free Trade Area (AfCFTA) have introduced initiatives to harmonize data policies and facilitate digital trade (Lemma, Agarwal and te Velde 2025). Pilot projects focus on interoperability across national frameworks and the potential for a pan-African adequacy model, though full implementation remains nascent.

Challenges:

→ Enforcement capacity is uneven; many data protection authorities lack resources.

→ Diverging interpretations of adequacy and a cautious stance on foreign access create uncertainty for multinationals.

Opportunities:

→ Africa’s alignment with GDPR principles makes it easier for firms already compliant with EU standards to expand operations.

→ Participation in cross-border projects (for example, health data sharing for pandemic preparedness) is driving practical cooperation.

23 African Union Convention on Cyber Security and Personal Data Protection, 27 June 2014 (entered into force 8 June 2019) [Malabo Convention], online: <https://au.int/en/treaties/african-union-convention-cyber-security-and-personal-data-protection>.

24 Kenya, The Data Protection Act, No. 24 of 2019, 8 November 2019 (entered into force 25 November 2019), online: <www.kenyalaw.org/kl/fileadmin/pdfdownloads/LegalNotices/2021/LN263_2021.pdf>.

25 Nigeria Data Protection Act, 2023, 12 June 2023, online: <https://cert.gov.ng/ngcert/resources/Nigeria_Data_Protection_Act_2023.pdf>.

Latin America: Building on Brazil’s General Personal Data Protection Law and Regional Networks

Legal architecture: Latin America has witnessed similar momentum, with Brazil leading the way:

→ Brazil’s Lei Geral de Proteção de Dados Pessoais (LGPD, or general personal data protection law26), in force since 2020, mirrors GDPR principles. Cross-border transfers require adequacy decisions by its national data protection authority, Agência Nacional de Proteção de Dados (ANPD), contractual clauses or specific consent. By 2025, Brazil was actively negotiating mutual adequacy with the European Union and key trade partners.27

→ Argentina’s long-standing data law (2000) was updated in 2023 to align with modern adequacy standards, maintaining EU adequacy status.28

Regional coordination: Organizations such as Red Iberoamericana de Protección de datos (RIPD) foster collaboration among Latin American data authorities.29

Challenges:

→ Enforcement maturity varies; some regulators (for example, Brazil’s ANPD) are robust, while others lack resources.

→ Economic constraints and political shifts can delay regulatory development and cross-border agreements.

Opportunities:

→ Alignment with the GDPR and international standards opens pathways for adequacy decisions and interoperability.

→ Regional trade agreements, including Mercosur’s digital-trade chapters and Chile’s involvement in the DEPA, create new opportunities for harmonized transfer rules (Taheri, Adams and Stern 2021).

Shared Themes Across Africa and Latin America

Privacy as a development tool: Both regions view data governance not only as a rights issue but also as a foundation for building trust in digital markets. Local tech ecosystems depend on clear, internationally compatible transfer rules.

Data sovereignty and geopolitics: Policy makers are cautious about foreign access to sensitive data, particularly in sectors of national significance such as finance, health and natural resources. Some countries have considered or implemented selective localization requirements while still allowing outbound transfers under safeguards.

Emerging multilateral voices: African and Latin American states are increasingly vocal in fora such as the G20 Digital Economy Working Group, OECD discussions on CBPR expansion and WTO e-commerce talks, advocating for frameworks that consider the needs of developing economies.

Key Takeaways

Africa and Latin America in 2025 represent emerging yet diverse data transfer ecosystems. While neither region has a single binding cross-border framework, both are building on GDPR-inspired principles, adopting contractual safeguards and exploring regional interoperability tools.

For organizations, the key is to monitor country-specific requirements while leveraging shared standards (for example, SCCs, certifications) to streamline compliance. For policy makers, these regions offer fertile ground for experimentation — where capacity building, regional coordination and multilateral engagement can lay the foundation for more seamless cross-border data flows in the future.

26 See Brazilian Data Protection Law (LGPD), Law No 13,709 of 14 August 2018 (as amended by Law No 13,853/2019), online: www.gov.br/anpd/pt-br/centrais-de-conteudo/outros-documentos-e-publicacoes-institucionais/lgpd-en-lei-no-13-709-capa.pdf.

27 Ibid.

28 See https://digitalpolicyalert.org/change/3392.

29 See https://dig.watch/actor/red-iberoamericana-de-proteccion-de-datos.

Canada: A Hybrid Model

Between EU Adequacy and North American Integration

Canada represents a unique and strategically significant player in the global cross-border data transfer landscape. As of 2025, it operated a hybrid governance model, balancing strong privacy principles aligned with the European Union’s standards while maintaining deep economic and data infrastructure integration with the United States. This dual alignment positions Canada as both a policy bridge and a potential model for other mid-sized digital economies navigating between divergent regulatory spheres.

Legal Architecture and Transfer Mechanisms

Canada’s current federal data protection framework is governed by the Personal Information Protection and Electronic Documents Act (PIPEDA), which has been in force since 2001. PIPEDA is a principles-based regime centred on accountability and consent and includes provisions for cross-border transfers via contractual or organizational safeguards (Sahnoune 2024). Importantly, PIPEDA forms the basis for Canada’s EU adequacy decision, first granted in 2001, which permits personal data to be transferred from the European Union to Canada without additional safeguards (Koczerginski 2024, paras. 10–11).

However, this adequacy status has come under increasing scrutiny in recent years. To address evolving standards, particularly under the GDPR, Canada introduced Bill C-27, the Digital Charter Implementation Act, in 2022. This legislation was intended to replace parts of PIPEDA with the Consumer Privacy Protection Act (CPPA) and establish a new enforcement body, the Personal Information and Data Protection Tribunal. The CPPA was designed to enhance individual rights, clarify consent requirements and strengthen enforcement through increased fines (Wasser et al. 2022).

In early 2025, Bill C-27 died on the table following Parliament’s prorogation. The core provisions of the CPPA remain under active consideration, potentially influencing policy design and commercial compliance strategies.

Geopolitical and Economic Positioning

Canada’s regulatory positioning reflects its dual orientation:

→ Toward the European Union, it maintains adequacy through strong data governance, transparency obligations and independent oversight mechanisms.

→ Toward the United States, it remains part of the broader North American data ecosystem, including participation in CUSMA, which restricts data localization requirements and mandates open cross-border data flows for covered sectors (Business Software Alliance 2020).

Subnational Variation

Canada’s cross-border data governance is also influenced by provincial regimes. Provinces such as British Columbia (Finite State Team 2024) and Alberta30 have enacted their own PIPAs, which must be considered in any national compliance strategy. Quebec’s Law 25, implemented in phases beginning in 2022, significantly strengthens consent, breach notification and rights of access and is often cited as the most GDPR-like of Canada’s provincial laws (Hiscock, n.d.).

This federal-provincial mosaic requires careful coordination by organizations engaging in data transfers, especially those operating nationally or across sectors with heightened sensitivity.

Challenges and Opportunities

Challenges:

→ Canada’s pending legislative reforms and long delays in updating PIPEDA create uncertainty around the future of its EU adequacy status.

→ The coexistence of multiple provincial laws adds compliance complexity, particularly for SMEs.

→ As global debates over digital sovereignty and AI intensify, Canada may face pressure to more clearly articulate its long-term data strategy beyond its current middle-power positioning.

30 Personal Information Protection Act, SA 2003, c P-6.5, online: <https://kings-printer.alberta.ca/1266.cfm?page=P06P5.cfm&leg_type=Acts&isbncln=9780779856701>.

Opportunities:

→ Canada’s legal structure offers a template for interoperability, combining GDPR-compatible safeguards with open transfer commitments.

→ Its participation in multilateral efforts such as DFFT and the GPAI positions it to shape emerging norms on trustworthy data sharing and cross-border AI governance.

→ As countries seek models that balance sovereignty, rights and trade openness, Canada’s hybrid regime provides a pragmatic reference point.

Key Takeaways

Canada in 2025 represented a middle path in cross-border data governance, committed to upholding strong privacy standards while maintaining open engagement with global data flows. With one foot in the GDPR zone and another in the North American market-driven model, it serves as both a testbed and a bridge for international cooperation. For businesses, Canada provides a strategically valuable jurisdiction for routing compliant data flows. For policy makers, it offers insights into how legal interoperability can be pursued without sacrificing either sovereignty or competitiveness.

Comparative Analysis: Convergence or Fragmentation?

The cross-border data-transfer regimes mapped in the previous section reveal a world of both common principles and sharp divergences (see Table 3). In 2025, there were clear signs of convergence around certain baseline safeguards, yet significant fragmentation persists, driven by geopolitical, economic and cultural differences. This section compares the key regions along three dimensions: normative orientation, legal mechanisms and interoperability. It then distills the implications for global data flows.

Normative Orientation: Competing Philosophies

A first layer of analysis considers the values underpinning each regime:

→ European Union — rights and fundamental freedoms: The European Union remains the archetype of a rights-based framework, where data protection is treated as a fundamental right. Adequacy decisions and SCCs are designed to ensure that personal data receives GDPR-equivalent protection wherever it travels.

→ United States — market-driven innovation: The United States prioritizes economic growth and innovation. Its sectoral rules and reliance on industry self-regulation reflect confidence in market incentives. Privacy is framed as a consumer protection issue rather than a fundamental right, leading to lighter outbound controls but greater reliance on negotiated frameworks such as the EU-US DPF.

→ China — security and sovereignty: China’s framework is state-centric, treating data as a strategic asset tied to national security and industrial policy. Strict outbound controls and security assessments reflect an intent to maintain sovereign oversight over information flows.

→ India — selective and strategic: India straddles these approaches, pursuing pragmatic selectivity. Its whitelist system balances economic openness with the ability to exercise sovereign discretion over destinations deemed trustworthy.

→ APAC/ASEAN — interoperability and trade: APAC states, particularly ASEAN member countries, adopt a business-friendly and trade-oriented philosophy. Through mechanisms such as CBPR+ and ASEAN MCCs, these jurisdictions emphasize mutual recognition and harmonization while avoiding unnecessary barriers.

→ Africa and Latin America — emerging rights-based approaches: Inspired by the GDPR, many African and Latin American regimes are rights-oriented but adapted to local contexts. Their challenge is to ensure institutional capacity, so that principles on paper translate into effective enforcement.

These differing philosophies create fault lines. Rights-driven regimes impose stricter requirements on data recipients, while market-driven or sovereignty-focused regimes may resist such constraints, complicating interoperability.

Table 3: Cross-Border Data Transfer Regimes Across Key Regions (2025)

| Region | Core Legal Frameworks | Approach to Outbound Transfers | Key Mechanisms | Opportunities | Challenges |
| --- | --- | --- | --- | --- | --- |
| European Union | GDPR (articles 44–50), adequacy decisions, SCCs, BCRs | Rights-driven, transfer allowed only with safeguards | Adequacy decisions, SCCs, BCRs, certifications | High trust, global benchmark, mature enforcement | Complex assessments (e.g., post-Schrems); compliance costs |
| United States | Sectoral laws (HIPAA, GLBA, etc.), state privacy laws (CCPA/CPRA); DPF with European Union | Market-driven, largely unrestricted outbound transfer controls | EU-US DPF, SCCs, trade agreements | Innovation hub; trade agreements favour open flows | Lack of comprehensive federal law; surveillance concerns |
| China | CSL, DSL, PIPL; CAC oversight | Security-driven, strict outbound transfer controls | Security assessments, government permits, standard contracts | Huge digital market; encourages onshore infrastructure | High compliance burden; opacity of reviews; data sovereignty focus |
| India | DPDP Act 2023; DPBI oversight | Selective openness via whitelist of trusted jurisdictions | Government-notified “whitelist,” contracts, sectoral rules | Balanced model; growing digital trade ambitions | Uncertainty over whitelist updates; sectoral overlap |
| APAC/ASEAN | CBPR+, ASEAN MCCs, national laws (e.g., PDPA, PIPA) | Interoperability-driven, generally allows transfers with safeguards | APEC CBPR+, ASEAN MCCs, adequacy in some states | Business-friendly; regional integration (DEFA, RCEP) | Varying enforcement capacities; legal fragmentation |
| Africa | National laws (POPIA, Kenya’s DPA), African Union Malabo Convention | GDPR-inspired, requires adequacy or safeguards | Adequacy decisions, contractual clauses and emerging African Union frameworks | Growing harmonization (AfCFTA, Smart Africa); alignment with GDPR | Weak enforcement capacity; patchwork regulations |
| Latin America | LGPD (Brazil), Argentine law, national frameworks | GDPR-aligned, adequacy or safeguards required | Adequacy, SCCs, certifications, regional collaboration (RIPD) | Active regulators (Brazil ANPD); potential Latin America deal | Uneven regulatory maturity; economic/political variability |
| Canada | PIPEDA (federal); CPPA (pending reintroduction); provincial laws (e.g., Quebec Law 25) | Hybrid approach: open data flows plus GDPR adequacy alignment | EU adequacy, accountability principle, contractual clauses, CPPA (pending reintroduction) | Bridge between GDPR and North America; model for mid-sized digital economies | Legislative uncertainty (CPPA pending); provincial fragmentation; adequacy status under review |

Source: Author.

Legal Mechanisms: Similar Tools, Different Implementations

Across regions, certain legal tools recur, but their use and scope vary, as outlined in Table 4.

Observations:

→ Convergence: SCC-type contractual mechanisms are broadly recognized; certifications are growing.

→ Fragmentation: Adequacy decisions and whitelist approaches are uneven, and security assessments (China) or localization mandates deviate from open-flow norms.

Interoperability: Toward a Global “Common Language”?

Efforts toward interoperability are evident but incomplete.

→ Positive developments:

– The EU-US DPF represents a high-profile bridge between two major markets.

– CBPR+ and ASEAN MCCs provide scalable templates for regional mutual recognition.

– The G7’s DFFT and the OECD frameworks are pushing toward global baselines.

→ Barriers:

– China’s model, emphasizing data sovereignty and government vetting, remains fundamentally incompatible with open transfer regimes.

– Fragmentation in US state laws creates uncertainty for foreign partners.

– Africa and Latin America, while aligning with GDPR principles, lack the institutional weight to influence global norms, leading to slow adoption of mutual adequacy agreements.

The result is clusters of interoperability rather than a single global regime. The European Union, Japan, South Korea and some ASEAN economies form one cluster; China remains largely separate; India remains an anomaly deeply entrenched in the notion of data and digital sovereignty with selective international engagement; and the United States is a necessary but complicated partner.

Fragmentation and Its Costs

Fragmentation imposes tangible costs:

→ Compliance burden: Multinationals must maintain parallel data governance frameworks, increasing legal and operational expenses.

→ Innovation constraints: Start-ups and SMEs face barriers to scaling across borders due to uncertainty and resource demands.

→ Trade friction: Divergent rules create non-tariff barriers, undermining digital trade agreements and slowing economic growth.

For example, a cloud service provider operating in the European Union, China and India must segregate data infrastructure, conduct extensive transfer impact assessments and continuously monitor whitelist updates or CAC rulings — an expensive and resource-intensive exercise.

Table 4: Comparison of Legal Mechanisms Across Regions. Source: Author.

Signs of Convergence

Despite these challenges, convergence is emerging in several areas:

→ Shared privacy principles: Almost all major regimes incorporate core privacy concepts — purpose limitation, data minimization, security safeguards, even if enforcement varies.

→ Use of standard clauses: SCC-style templates, whether EU-approved, ASEAN MCCs or CAC contracts, demonstrate a shared reliance on contractual solutions.

→ Growing recognition of certification: From CBPR+ in APAC to EU codes of conduct, certification mechanisms are gaining traction as trust-building tools.

Strategic Implications

For policy makers:

→ There is a growing need for bridging frameworks that allow divergent regimes to recognize each other’s protections without requiring identical laws.

→ Regional organizations (ASEAN, the African Union, Mercosur) can play pivotal roles by creating interoperable subsystems that feed into global negotiations.

For businesses:

→ A multi-track compliance strategy is essential — one that combines contractual clauses, certifications and technical safeguards such as encryption and localization where required.

→ Engaging early with regulators and industry associations can help shape emerging standards and reduce uncertainty.

For international organizations:

→ Fora such as the G20, the OECD and the WTO must advance concrete proposals such as global adequacy principles or a model cross-border data agreement to prevent further fragmentation.

Key Takeaways

Cross-border data governance in 2025 was neither fully harmonized nor entirely balkanized. Instead, it was a patchwork of interoperable clusters, with bridges being built but gaps remaining. The challenge for the coming years will be to expand those bridges and ensure that the benefits of data flows can be realized without sacrificing fundamental rights, security or national interests.

Emerging Trends and Future Outlook

The governance of cross-border data transfers in 2025 was defined not only by existing regulatory regimes but also by powerful technological, geopolitical and economic forces that are already reshaping the global landscape. As these trends unfold, they are setting the stage for different potential futures. This section examines the most salient developments of today and explores plausible scenarios for the global data transfer regime by 2030.

Current Emerging Trends

One of the most visible trends is the integration of PETs into core business operations. Organizations are increasingly relying on federated learning, which allows machine-learning models to be trained locally in multiple jurisdictions while only sharing anonymized parameters. This innovation reduces the need for sensitive data to cross borders. Similarly, advances in homomorphic encryption and secure multi-party computation enable computations to be performed on encrypted data, facilitating cross-border analytics without exposing underlying information. Synthetic data generation has also matured into a standard tool for training algorithms, providing privacy-preserving alternatives to real data sets.

Together, these technologies allow businesses to innovate while respecting legal restrictions.

By 2025, the concept of a “sovereign cloud” — cloud infrastructure that is localized and certified to comply with national data laws — had become central to the policy discourse (Osborne 2025). Countries such as Germany (Federal Ministry of the Interior 2025), India (Imran 2025) and Indonesia (Indonesia Data Center Provider 2025) are pursuing national cloud strategies as part of their digital-sovereignty agendas, shaping how data is processed and stored across borders. Simultaneously, the rapid diffusion of generative AI tools has renewed interest in the quality, provenance and jurisdictional origin of training data. While not the focus of this paper, these dynamics underscore the growing entanglement of cross-border data governance with infrastructure and compute policy.

In parallel, governments and industry coalitions are establishing new institutional mechanisms to build trust across jurisdictions. Data intermediaries, such as regulated trusts and exchanges, are emerging to facilitate secure data sharing under strict oversight. Certification schemes, such as the evolution of APEC’s rules for cross-border privacy into the enhanced CBPR+ framework and new EU-endorsed codes of conduct, are helping organizations demonstrate compliance and gain access to foreign markets. These initiatives suggest a future where trust frameworks, rather than pure localization mandates, become central to international data flows.

Geopolitical considerations remain a decisive factor. Many states continue to view data as a strategic resource, driving policies that combine privacy protection with economic and national security goals. China’s sovereignty-focused model, the European Union’s rights-driven regime and the United States’ market-oriented approach exert different gravitational pulls on smaller economies, leading to clusters of regulatory alignment rather than global uniformity. The interplay of these models is further complicated by sector-specific rules that overlay general privacy laws. Financial data, genomic information and critical infrastructure data often face additional safeguards or restrictions before they can be transferred abroad.

Multilateral trade agreements are increasingly serving as vehicles for harmonization. DEPA sets modular standards for data governance, while the IPEF seeks to establish common rules for cybersecurity and data flows among diverse economies. In Africa, the development of a digital trade protocol under the AfCFTA reflects a growing awareness that cross-border data governance is integral to regional integration. These efforts, while still nascent, illustrate how trade diplomacy can foster practical pathways for data mobility.

Possible Scenarios for 2030

The trends observed in 2025 can plausibly evolve in multiple directions. Three scenarios illustrate potential trajectories for cross-border data governance by 2030.

Scenario One: A Globally Interoperable Framework

In the most optimistic scenario, governments converge around interoperable frameworks that build on initiatives such as CBPR+ and the EU-US DPF. Mutual adequacy agreements and certification systems proliferate, creating a global ecosystem where trusted data flows are the norm. Organizations benefit from reduced compliance costs and greater legal certainty, while individuals enjoy strong protection regardless of where their data travels. In this world, PETs complement, rather than compensate for, regulatory alignment, and data-intensive industries thrive in an environment of predictable, rules-based openness.

Scenario Two: Regional Clusters with Partial Bridges

A more moderate scenario envisions a world of interconnected yet distinct regulatory blocs. The European Union, Japan, South Korea and other GDPR-aligned countries form one cluster; ASEAN members and APAC participants in CBPR+ form another; and African and Latin American nations coalesce around their own frameworks. These blocs are connected through bilateral or multilateral agreements, but significant differences remain, requiring companies to maintain parallel compliance strategies. In this scenario, innovation continues, but compliance remains resource-intensive, and smaller enterprises often struggle to meet divergent requirements.

Scenario Three: A Balkanized Data Environment

The most pessimistic scenario is one of deep fragmentation, driven by geopolitical rivalry and heightened security concerns. Data localization becomes widespread, with states mandating that critical data sets be stored and processed entirely within national borders. Cross-border transfers are permitted only in exceptional cases, subject to stringent oversight and prolonged approval processes. The economic costs are considerable: global supply chains are disrupted, cloud services become less efficient and smaller markets find themselves isolated from global innovation. In such a world, PETs may offer partial workarounds, but they cannot fully substitute for the benefits of open data flows.

Navigating the Path Ahead

These scenarios underscore that the future of cross-border data governance is neither predetermined nor unidirectional. It will depend on the collective choices of governments, businesses and international organizations over the next five years. The emerging trends in 2025 show that technology and institutional innovation can help bridge gaps, but geopolitical considerations and sectoral sensitivities will continue to shape the regulatory environment. Whether the global community moves toward interoperability or deeper fragmentation will hinge on the willingness of stakeholders to engage in meaningful cooperation, craft flexible frameworks, and invest in the infrastructure and trust mechanisms needed to support secure and lawful data mobility. In navigating these currents, the balance between privacy, security and economic growth will remain at the heart of the global debate.

Policy Recommendations

The evolving governance of cross-border data transfers requires proactive steps from governments, international organizations, businesses and civil society. The analysis of 2025’s regulatory landscape and the scenarios projected for 2030 reveal that fragmentation, while manageable today, could harden into structural barriers if left unaddressed. At the same time, the opportunities presented by technological innovation and emerging trust frameworks offer a foundation for building a more interoperable global environment. This section sets out recommendations aimed at different stakeholder groups, with the shared goal of fostering secure, rights-respecting and innovation-friendly cross-border data flows.

Governments play the most direct role in shaping the regulatory architecture for data mobility. They should prioritize the pursuit of interoperable frameworks rather than adopt isolationist measures that may hinder their own economic ambitions. Where adequacy determinations or whitelists are used, these should be based on clear, transparent criteria that can be readily assessed by partner jurisdictions. Bilateral agreements and multilateral initiatives should focus on mutual recognition of standards, and on creating bridges rather than walls. Policy makers should also seek to avoid overly broad data localization mandates. While certain sensitive sectors may justify tighter controls, sweeping localization can stifle innovation, increase costs for domestic businesses and reduce access to cutting-edge services. Governments should instead incentivize the adoption of PETs and sector-specific safeguards that allow data to move while maintaining protection.

International organizations have an important convening function. Bodies such as the OECD, the G20 and the WTO should expand their work on model frameworks for cross-border data governance. The OECD’s ongoing efforts on trusted data flows could evolve into a set of internationally recognized adequacy principles, reducing the need for each jurisdiction to independently assess others. The G20 and BRICS groupings should continue to facilitate structured dialogue between divergent regimes, acknowledging geopolitical realities while seeking common ground. Trade agreements should explicitly incorporate data-flow provisions and link them to capacity-building measures, enabling developing countries to implement high-quality frameworks and benefit from global digital trade. Regional organizations, including ASEAN, the African Union and Mercosur, should accelerate the development of their own interoperable systems, providing stepping stones toward wider alignment.

One practical mechanism governments and international organizations should consider is the creation of sectoral regulatory sandboxes for cross-border data flows. These pilots could be structured as temporary and narrowly scoped exemptions or harmonizations, allowing participating jurisdictions to cooperate on pressing global challenges, such as pandemic response or environmental monitoring, without requiring wholesale legal convergence. These sandboxes would function under a common governance framework, supported by PETs, joint oversight bodies and shared audit standards. By demonstrating the feasibility and benefits of coordinated data use, they can generate empirical evidence to inform long-term harmonization efforts and provide a model for interoperability that is respectful of sovereignty. Sandboxes thus serve as bridging institutions, particularly valuable for emerging economies or politically cautious jurisdictions seeking to engage with trusted data flows without compromising regulatory autonomy.

For businesses, cross-border data governance is no longer an issue that can be delegated solely to legal departments. Senior leadership must view compliance as a core strategic capability, and invest in dynamic frameworks that can adapt as laws evolve. Companies should map their data flows meticulously, identifying which jurisdictions and sectors pose the greatest regulatory risks. SCCs, MCCs and certifications should be embedded into supplier agreements and internal policies. Investments in PETs should be prioritized not merely for compliance but as part of broader innovation strategies. Regional data hubs such as EU-only or ASEAN-specific infrastructures should be developed where justified by market size and regulatory requirements, while still preserving efficiency and interoperability wherever possible. Active engagement with regulators and industry associations is essential, allowing businesses to shape emerging rules and avoid last-minute compliance crises.

Civil society organizations and advocacy groups also have a critical role. They can provide informed input during consultations, ensuring that privacy and fundamental rights remain central to any cross-border regime. By monitoring implementation, they can help to hold both governments and corporations accountable, ensuring that data transfers do not lead to exploitation or erosion of individual protections. Civil society should also play a role in public education, equipping citizens to understand how their data moves across borders and what rights they have under different regimes.

Beyond individual stakeholders, there are several cross-cutting themes that should guide all actors. First, transparency is essential. Whether it is a government publishing criteria for adequacy, a company explaining its use of PETs or an international body disclosing the status of trade negotiations, greater openness will build trust. Second, flexibility should be embedded into regulatory and contractual frameworks. The rapid pace of technological change means that overly prescriptive rules can quickly become obsolete, while principle-based approaches can accommodate new solutions. Third, capacity building must not be overlooked. Many developing jurisdictions lack the resources to implement sophisticated data protection regimes or to participate effectively in international negotiations. Targeted technical assistance and knowledge exchange can help ensure that global frameworks are truly inclusive.

Taken together, these recommendations underscore that the future of cross-border data governance will be determined not by any single law or agreement, but by the cumulative actions of a wide range of actors. By pursuing these pathways, the world can move toward a regime in which data flows securely and responsibly, supporting both economic growth and the protection of individual rights.

Conclusion

Cross-border data transfers have become a defining feature of the twenty-first-century digital economy. They underpin global trade, fuel innovation and enable collaboration across jurisdictions and industries. Yet, as this paper has shown, the frameworks that govern these transfers in 2025 remain deeply fragmented. Different regulatory philosophies, whether rights-driven, market-oriented, sovereignty-focused or selectively open, shape the choices made by governments, creating a patchwork of rules that businesses must navigate with care.

Despite this complexity, common threads are emerging. Across the European Union, the United States, China, India, ASEAN, Africa and Latin America, there is a shared acknowledgement that data mobility must be balanced against the protection of privacy and security. Mechanisms such as SCCs, certification schemes and emerging PETs illustrate that practical tools for trusted data flows are gaining traction. Regional initiatives, whether through the CBPR+ system in APAC or the African Union’s work on harmonized data frameworks, provide promising examples of how interoperable regimes can be built from the ground up.

Looking ahead to 2030, the trajectory is not predetermined. The trends and scenarios outlined in this paper show a world at a crossroads. One path leads to greater convergence, where mutual recognition and trust frameworks reduce compliance burdens and enable seamless data flows. Another path leads to further fragmentation, where geopolitical rivalries, localization mandates and inconsistent standards hinder innovation and impose significant economic costs. A middle path, in which regional clusters develop with partial bridges between them, may well emerge if stakeholders fail to pursue deeper alignment but succeed in avoiding outright isolation.

Ultimately, the governance of cross-border data transfers is no longer merely a technical issue of compliance; it is a fundamental question about how societies balance economic opportunity, individual rights and national security in an era where data is both a commodity and a strategic asset. Realizing the benefits of global data mobility will require more than incremental regulatory adjustments. It demands sustained cooperation between governments, thoughtful engagement by international organizations, active participation by businesses and vigilant oversight by civil society.

If these actors can work together, leveraging technological innovation, building interoperable frameworks and fostering trust, the future of cross-border data transfers can be one in which both economic growth and individual protections are strengthened. The challenge is formidable, but the stakes for the global digital economy make it one that cannot be ignored.


67 Erb Street West Waterloo, ON, Canada N2L 6C2

www.cigionline.org
