4. Rising risks and shifting rules for international data transfers

Data law trends 2026

In brief

Are we witnessing a fundamental restructuring of global data flows? The international data transfer landscape is now defined by a tangle of divergence and reform: some jurisdictions push for interoperability, while others tighten their grip on cross-border transfers.

The EU's approach is marked by tension. Progress on adequacy decisions – including the (temporary) confirmation of the EU-US Data Privacy Framework – contrasts with a strong push for data sovereignty, driving heightened scrutiny for transfers to countries such as India and China. 

The UK's Data (Use and Access) Act 2025 (DUAA) introduces a new data protection test for transfers that requires a risk-based comparative assessment. In the US, Executive Order 14117 and the Protecting Americans’ Data from Foreign Adversaries Act (PADFAA) have redefined export restrictions on bulk transfers and data brokerage. Meanwhile, China continues to provide clearer guidance on its data export mechanisms – including the Free Trade Zone ‘negative lists’ – even as enforcement against noncompliance begins to pick up pace. Vietnam has taken steps to implement controls over data transfers that concern national security and other state interests, while South Korea has recently imposed substantial penalties for unlawful data transfers.

 

EU: Stability and stricter scrutiny

The EU's international data transfer regime is increasingly defined by two conflicting realities. On the one hand, stability comes from developments such as the (temporary) confirmation of the EU-US Data Privacy Framework by the General Court and progress towards new adequacy decisions – for the UK and potentially Brazil. On the other hand, transfers of personal data to countries without an EU adequacy decision are facing a harsher climate, as regulators adopt a stricter stance. High-profile enforcement – including the Irish data protection authority’s fine against TikTok over transfers to China and the European Data Protection Supervisor’s decision to block transfers to India – underlines this trend. Looking ahead, 2026 may bring fresh scrutiny of the EU-US Data Privacy Framework, given the low procedural barriers for challenging adequacy decisions identified by the General Court, and ongoing legislative shifts in the US.

An EU adequacy decision can increase digital trade by up to 14%

Despite this, organizations should not adopt an unworkable strategy of excluding every hypothetical risk of governmental access from General Data Protection Regulation (GDPR)-covered transfers. Experience with supervisory authorities shows that the use of the approved standard contractual clauses, backed by a well-documented transfer impact assessment, can still be considered robust – especially where the risk of governmental access is minimal and transfers are shielded by strong technical and organizational measures. Encouragingly, the European Commission is exploring ways to ease GDPR compliance burdens regarding data transfers. Its multi-stakeholder expert group has acknowledged that transfer impact assessments are ‘burdensome, costly and time-consuming.’ In addition, a recent judgment of the Court of Justice (SRB v. EDPS) – signaling a broader interpretation of what is understood as ‘anonymized’ data – could have welcome spillover effects, particularly on the requirement for additional technical and organizational measures to safeguard transferred personal data (see also Chapter 7 on anonymization).

 

UK: Risk-based test signals divergence

The EU GDPR has not applied in the UK for almost five years, yet so far there has been little divergence between the EU and UK approaches. The DUAA may change that, especially in relation to international personal data transfers once its key provisions come into force.

A centerpiece of the DUAA is a new ‘data protection test.’ This applies both to: (i) the Secretary of State, when making adequacy decisions; and (ii) businesses, when exporting data to third countries using standard contractual clauses or other safeguards. The test requires an assessment of whether the third country or organization offers protection that is ‘not materially lower’ than UK standards.

For businesses, this means that reliance on alternative transfer mechanisms will be sufficient if they can show that protections for data subjects are not materially lower than under UK law. When in force – likely by 2026, if not earlier – the new test will move the UK away from the EU’s binary ‘adequate/inadequate’ model, replacing it with a risk-based, comparative approach. The DUAA also introduces continuous monitoring of third-country regimes, replacing the previous four-year adequacy review cycle.

In practice, this gives the UK government discretion to adjust or withdraw transfer permissions at any time, in response to changing legal or geopolitical conditions. It remains unclear, however, whether this discretion will result in real divergence from the EU’s adequacy list, or in the creation of ‘UK-only’ adequacy decisions.

 

US: National security drives new restrictions

In the US, the legacies of Executive Order 14117 and PADFAA continue to shape the regulatory landscape in 2026. While distinct, both frameworks share a common goal: preventing foreign adversaries from accessing sensitive US data in the name of national security. PADFAA specifically prohibits data brokers from transferring sensitive personal data to designated ‘foreign adversaries’. Executive Order 14117, by contrast, is a broader presidential directive that created a Department of Justice program restricting bulk transfers of sensitive personal and government-related data to ‘countries of concern’ such as China and Russia.

New US transfer restrictions have implications for transaction structures and business models. Companies should establish clear protocols for assessing commercial activities involving transfers of certain categories of US personal data.

Brock Dahl, Partner

Initially established under the Biden administration, both frameworks have been retained – and in some areas expanded – under the Trump administration. The focus remains firmly on national security, with regulation aimed at data brokers, vendor relationships and industries handling genomic, biometric, health, and geolocation data.

These measures are fundamentally reshaping US data transfer risk. Organizations with US operations or reliance on US vendors must assess their data flows to identify areas likely to attract increased scrutiny. Agility will be essential as regulatory classifications shift quickly. Sectors such as healthcare, telecoms and finance face particularly acute compliance burdens. As US enforcement agencies operationalize these rules and regulations, companies should expect increased scrutiny and prepare for a heavier compliance and governance workload around international data exports.

 

China: Free Trade Zone reforms ease rules – but enforcement ramps up

China has made progress in detailing its outbound data transfer regime, most notably through the introduction of ‘negative lists’ applicable to designated Free Trade Zones (FTZs), including those in Beijing and Shanghai. Under this model, within certain sectors (e.g., life sciences, automotive, retail and hospitality, and AI) data categories that are explicitly listed as ‘negative’ are subject to security assessments for government approvals, standard contracts, or certification prior to export (including highly sensitive ‘important data’ and high volumes of personal data). All sectors (including these) are subject to general ‘reference rules’ that apply universally, and which impose additional controls on data such as high-value, sensitive data related to competitiveness or safety standards, or related to supply chains that impact national security. Outside of this framework, non-personal data can be freely exported.

Volume thresholds that trigger additional controls within FTZs are set higher than those prescribed by national regulations. For example, Shanghai’s Negative List only requires a standard contract filing for international transfers of certain non-sensitive personal data of between one and ten million individuals (after which a security assessment must be completed), such as loyalty program data in retail and hospitality. National regulations, by contrast, set the limit at 100,000 to one million individuals.

The past year has been a mixed blessing for international companies operating in China: much-needed further clarity, but coupled with elevated levels of enforcement.

Richard Bird, Partner

The result is a two-tier compliance environment: FTZs may provide meaningful clarity (and flexibility) in sectors such as life sciences, AI and automotive, but other sectors will continue to face uncertainty and tougher restraints. FTZ rules are also likely to evolve in line with geopolitical and sector-specific needs.

At the same time, China is moving from rulemaking to enforcement. In September 2025, regulators fined the Shanghai subsidiary of a multinational for transferring customer data to its French headquarters without implementing an approved data transfer mechanism or obtaining proper consents. The case also highlights the risks of underlying non-compliance surfacing through an authority’s investigation of a reported data breach.

 

Continuing developments in other APAC countries

Vietnam has taken steps to implement a new legal system for data control. According to its Law on Data (in effect since 1 July 2025) and its implementing decree, ‘core data’ and ‘important data’ that may affect national security, public benefits and legitimate interests of relevant individuals and organizations cannot be exported without government approval (for core data) and the filing of an impact assessment (for important data). As an initial step for implementation, the government has released a list of 26 types of ‘core data’ and 43 types of ‘important data,’ but some of these appear highly broad and ambiguous – such as ‘data on organizations and citizens that has not been made public.’

9.2% of the world's population outside the EEA live in countries covered by full or partial EU/EEA GDPR adequacy decisions

South Korea continues its strict enforcement against unlawful cross-border data transfers. Two Chinese e-commerce platforms were recently fined the equivalent of US$930,000 and US$1.43m. Additionally, DeepSeek was ordered to implement corrective measures to rectify future transfers of personal data abroad – as a condition for being permitted to return to South Korean app stores.

Looking ahead

The international data transfer landscape is becoming ever more complex as regulatory priorities diverge. To manage risk and protect business continuity, companies need a proactive and strategic approach – keeping a global perspective, monitoring developments and re-evaluating data transfer practices.

For EU transfers, it remains prudent to rely on established mechanisms and well-documented transfer impact assessments backed by strong technical safeguards. At the same time, organizations should watch national divergence closely – from the UK’s new ‘not materially lower’ test to the US’s expanding national security-based restrictions.

The year ahead is likely to bring further change, including continued challenges to the EU-US Data Privacy Framework and the full roll-out of the UK’s new transfer regime. Forward planning will be essential to stay compliant and keep operations running smoothly.

Our team

Richard Bird, Partner (Hong Kong)
Brock Dahl, Partner (Silicon Valley, Washington, DC)
Satya Staes Polet, Partner (Brussels)
Rachael Annear, Partner (London)

© 2025 Freshfields. Attorney Advertising: prior results do not guarantee a similar outcome