International Data Transfers

Operating in multiple countries at the same time can bring complex data issues. I help companies navigate legal issues concerning international data transfers including data residency restrictions, contractual safeguards on data transfers, and other compliance concerns. These include:

Data Localization Requirements

Data sovereignty, localization and residency are key issues for any business that handles data across borders. The European Union, China, the Middle East and other regions restrict where data may be stored and/or prescribe the safeguards required before data can be moved between countries.

The Schrems II decision (Court of Justice of the EU, July 2020) and the Transfer Impact Assessments it made necessary are the primary focus for many companies handling European Union personal data, but they are not the only major issue. China's Personal Information Protection Law (PIPL) imposes local storage requirements, restrictions on cross-border transfers, and separate compliance obligations. Data residency and transfer requirements are also common in many countries in the Middle East.

GDPR Personal Data Transfers


Adequacy Decisions

One avenue for moving the personal data of European Union residents from the EU to other countries is an adequacy decision. An adequacy decision is a determination by the European Commission that a third country's laws provide a level of data protection essentially equivalent to that of the European Union, so that personal data can flow to that country without further safeguards. Canada (for commercial organizations), the United Kingdom and Japan all benefit from adequacy decisions with the EU.

Data Privacy Framework

In 2022 the United States and European Union announced the EU-U.S. Data Privacy Framework (DPF), and the European Commission adopted its adequacy decision for the DPF in July 2023. The DPF allows US companies that have self-certified to its privacy principles to receive EU personal data without signing the Standard Contractual Clauses or establishing appropriate safeguards through another avenue. The predecessors of the Data Privacy Framework were the Privacy Shield (invalidated by Schrems II in 2020) and, before that, the Safe Harbor Agreement (invalidated by Schrems I in 2015).

Standard Contractual Clauses

Standard Contractual Clauses (SCCs) are legal safeguards designed to protect personal data when it is transferred outside the European Economic Area (EEA). They are pre-approved contractual terms issued by the European Commission under GDPR Article 46, and signing them without modification provides an "appropriate safeguard" for the transfer. SCCs give companies a structured framework for transferring personal data internationally while maintaining GDPR compliance.

Europe first adopted Standard Contractual Clauses (SCCs) in 2001 under the EU Data Protection Directive 95/46/EC. Since then, SCCs have evolved, with modernized versions introduced in 2021 to align with the General Data Protection Regulation (GDPR).

The 2021 Standard Contractual Clauses (SCCs) introduced a modular approach to accommodate different types of data transfers. Each module serves a distinct purpose:
Module 1: Controller to Controller (C2C) – Used when both parties are data controllers.
Module 2: Controller to Processor (C2P) – Applies when a data controller transfers personal data to a data processor.
Module 3: Processor to Processor (P2P) – Used when a data processor transfers data to a sub-processor.
Module 4: Processor to Controller (P2C) – Applies when a processor transfers data to a controller outside the EU.

Other jurisdictions with similar model clauses include the United Kingdom (the International Data Transfer Agreement and the UK Addendum to the EU SCCs), Switzerland and Brazil.

GDPR Article 49 (Derogations) – Alternatives to the above options for specific situations (for example, explicit consent or performance of a contract), which are typically reserved for occasional, non-repetitive transfers.

Other Cross-Border Data Transfer Concerns

U.S. Sensitive Personal Data

Executive Order 14117, signed by President Biden in February 2024, aims to prevent countries of concern from accessing Americans' bulk sensitive personal data and U.S. government-related data. The order establishes restrictions on data transactions involving China (including Hong Kong and Macau), Russia, Iran, North Korea, Cuba, and Venezuela. The DOJ issued a final rule in December 2024 outlining compliance measures and enforcement mechanisms. The rule took effect on April 8, 2025, with additional compliance provisions (due diligence, audit and reporting obligations) phased in by October 6, 2025.

Key provisions: (i) the rule prohibits or restricts transactions involving bulk sensitive personal data with countries of concern and persons subject to their control; (ii) it targets data brokerage, i.e. the sale or licensing of U.S. persons' personal data to foreign entities; and (iii) it expands national security protections for government-related data and for categories of sensitive personal data such as precise geolocation and biometric information.

The executive order directs the Department of Justice (DOJ) to issue implementing regulations and to enforce compliance with them.

CFIUS

The Committee on Foreign Investment in the United States (CFIUS) was established in 1975 by President Gerald Ford through Executive Order 11858. Initially, its role was to study and provide policy recommendations regarding foreign investment, but over time its authority expanded to include national security reviews of foreign transactions. The Foreign Investment Risk Review Modernization Act of 2018 (FIRRMA) and its implementing regulations (31 CFR Parts 800 and 802) have greatly strengthened the ability of the US to review foreign investments for national security concerns.

A CFIUS filing is required in certain transactions involving foreign investment in U.S. businesses, particularly when national security concerns may arise. Mandatory filings arise, for example, in transactions involving critical technology, transactions where a foreign government holds a substantial interest in the acquiring entity, and investments in U.S. businesses that maintain or collect sensitive personal data of U.S. citizens. Even where a filing is not legally required, many parties consider whether a voluntary notification is prudent.

Failing to adhere to CFIUS requirements can result in substantial fines and enforcement actions, including:
– Failure to File – Certain transactions require a mandatory CFIUS declaration. Missing this filing can lead to penalties.
– Breach of Mitigation Agreements – If CFIUS imposes security requirements on a transaction, violating these terms can trigger enforcement actions.
– False or Misleading Information – Providing inaccurate or incomplete data during a review process may result in fines.

Avoiding penalties requires a proactive approach to CFIUS compliance. Businesses should:
✔ Assess transactions early for potential CFIUS scrutiny.
✔ File declarations and notices when required.
✔ Ensure accuracy in all filings and communications.