
2025 Data law trends

2. International data transfers are under the spotlight

By Rachael Annear, Richard Bird, Madeline Cimino, Tochukwu Egenti, Fan Li, Christine Lyon, Philipp Roos, Christoph Werkmeister, Yvonne Wolski

IN BRIEF

In 2025, questions around data transfers and localization requirements will still be front and center for businesses. Regulators across different jurisdictions – each with varying requirements – aren’t holding back either; they’ve shown they’re ready to impose hefty fines for non-compliance.

This chapter outlines how 2025 could mark the beginning of a significant legal challenge to the EU-US Data Privacy Framework (DPF), potentially jeopardizing data transfers from Europe and the UK to the US. We’ll also highlight other key developments and trends that businesses need to keep an eye on when transferring data across borders.


The DPF is a landmark mechanism negotiated between the EU and the US which entered into force in 2023 to facilitate the transfer of personal data from the European Economic Area (EEA) to eligible US companies that choose to participate in the DPF (see here for further detail). The two predecessors to the DPF (Safe Harbor and Privacy Shield) were each invalidated by the Court of Justice of the EU (CJEU) following concerns raised by privacy activist Max Schrems that the schemes did not appropriately protect Europeans' personal data. Max Schrems and other activists have indicated they will challenge the DPF before the CJEU on similar grounds.

While 2024 did not see any actions from these privacy activists regarding the DPF, 2025 may be the year for Max Schrems or others to start the third (and final?) round of battle over data transfers from the EU to the US.

Since the EU-US DPF’s adoption, many US organizations have decided to participate:


Since the DPF’s implementation in July 2023, more than 2,800 enterprises have joined the framework, 70 percent of which are small and medium-sized businesses.

Source: Joint Press Statement: Commissioner Didier Reynders and US Secretary of Commerce Gina Raimondo on the first periodic review of the EU U.S. Data Privacy Framework – European Commission (europa.eu)

The UK agreed a UK Extension to the DPF shortly after the DPF entered force and, in 2024, Switzerland joined the UK in allowing the transfer of personal data to US-based recipients that are certified under the DPF without the need for other transfer safeguards to be implemented under national data protection laws (see here).


2025 will likely be another year with a lot of movement regarding cross border data transfers subject to the EU’s GDPR. Most important, the EU-US Data Privacy Framework might be challenged by privacy activists, requiring clients to closely follow the developments.

Philipp Roos, Principal Associate

The UK is no longer subject to the jurisdiction of the CJEU, which means any successful challenge against the DPF would not immediately affect the UK Extension. However, any successful challenge might be considered by the UK in determining whether to amend or revoke the UK Extension or renew it when it comes up for review.

2025 might also see an extension of the list of ‘adequate’ locations personal data can be transferred to without the need for additional transfer safeguards under EU data protection law. In this respect, the EU Commission is currently in discussion with Brazil and California, each of which applies high privacy safeguards similar to the GDPR.

The EU Commission’s review of the UK’s adequacy decision is expected to be completed in June 2025 and it currently seems likely that this decision will be renewed.

In August 2021, the UK government hailed its new post-Brexit power to issue its own adequacy regulations independently of the EU. However, the UK government has yet to issue adequacy regulations for any country that is not already the subject of an EU adequacy decision. 2025 might see the UK government forge a separate path and issue adequacy regulations for additional countries.

The EU Commission has announced work on a new set of Standard Contractual Clauses (SCCs) for international data transfers to address the situation where a data importer of GDPR personal data is located in a third country but is itself also subject to the GDPR. It remains to be seen whether, and to what extent, these SCCs will deviate from the existing SCCs, and whether other jurisdictions might (again) follow this approach.

The EU will introduce data localization requirements as part of the European Health Data Space (EHDS) Regulation. The EHDS Regulation aims to establish an EU data space for health data and includes dedicated rules on the primary and secondary use of health data. In particular, given the sensitivity of health data, the EHDS Regulation proposes that certain stakeholders may only store and process health data within the EU or, as an exception, in third countries providing an adequate level of data protection. In addition, EU Member States may impose data localization rules at a national level. The EU may apply similarly strict standards in other data spaces involving sensitive data in the future.

In 2024, President Biden issued an Executive Order (EO) restricting the bulk transfer of sensitive data to certain countries. EO 14117, signed on February 28, 2024, represents a major shift in US data regulation, particularly regarding sensitive personal and government-related data. The EO aims to address concerns about potential exploitation of such data by ‘countries of concern’ through new prohibitions and restrictions. By empowering the Attorney General to implement regulations, the EO seeks to prevent the transfer of bulk sensitive personal data to adversarial countries, including China, Russia and others. The scope of this regulatory framework is significant, as it targets not only data transactions but also data brokerage and vendor agreements, further strengthening the national security shield around US sensitive data. See here for further background.

The proposed regulations outlined in the Advance Notice of Proposed Rulemaking highlight efforts by the US Department of Justice (DOJ) to classify certain transactions into prohibited and restricted categories. Prohibited transactions include those involving data brokerage or access to human genomic data, while restricted transactions may proceed if security measures are in place. These rules will require companies engaged in international data transfers to review and potentially overhaul their compliance programs. For businesses involved in sensitive sectors like healthcare, finance or telecommunications, these new regulations may significantly impact their operations and necessitate additional compliance diligence.

Given the far-reaching nature of these proposed regulations, businesses that handle or process large volumes of US personal data must act swiftly to assess their risk exposure. The expansive definitions of ‘bulk sensitive personal data’ and ‘data brokerage’ increase the number of companies that will be subject to these regulations. While certain exemptions are proposed, such as for personal communications and financial services, the overarching authority of the DOJ to regulate sensitive data transfers remains a critical concern. As this regulatory framework develops, it is likely to reshape the way US businesses engage in international data transfers, influencing their global operations and partnerships.


The Executive Order ‘marks the most significant executive action any President has ever taken to protect Americans’ data security.’

Source: FACT SHEET: President Biden Issues Executive Order to Protect Americans' Sensitive Personal Data | The White House

China's strict data transfer regulations have proven to be a significant burden for many multinational companies. New rules relaxing certain of these requirements were introduced in March 2024 – most notably, the exemption of transfers of the personal data of fewer than one million individuals a year from the requirement to undergo a security assessment with the Cyberspace Administration of China (CAC) (see here for further detail).

While a large proportion of international companies operating at scale in China will still need to put in place (and file) a standard contract and security impact assessment, complete exemptions have usefully also been introduced for transfers of HR data and to facilitate individual cross-border commerce. A simplified form of standard contract has also been introduced for transfers of personal data within the Greater Bay Area (also without an obligation to file an impact assessment with the contract filing).

Within the last year, Thailand and Indonesia have both either introduced or proposed cross-border data transfer mechanisms that are structurally very similar to those under the GDPR. Thailand and the Philippines (among others) are actively promoting the adoption of the Association of Southeast Asian Nations (ASEAN) model contractual clauses (ASEAN and the EU have also recently published a joint guide to their respective contractual clauses).

On the other hand, Vietnam has adopted a modified version of China’s process for approving personal data exports, allowing for the government to intervene based on security assessment dossiers to be filed within 60 days of the transfer.

In the past few months, Australia has proposed introducing a ‘whitelist’ (without SCCs) while Malaysia has proposed removing its own whitelist regime (having never issued a list). The Digital Personal Data Protection Act in India will empower the government to issue a ‘blacklist’.

Another proposed new Vietnamese law will restrict outbound transfers of categories of non-personal data: ‘important data’ and ‘core data’, with these terms defined in a way that approximates to the definitions of the synonymous concepts under China’s Data Security Law. It appears that government approval will be required to transfer either category of data out of Vietnam. The equivalent restrictions on transfers of ‘important/core data’ from China have brought about pre-emptive localization of many operations and systems there.

However, on this topic as well, the past few months have seen a generally more business-friendly approach being taken, especially in the catalogues of ‘important data’ and approval mechanisms of free trade zones (in Shanghai, Tianjin and Beijing). Some of those rules were developed with the participation of resident international businesses. The EU and China also began discussing a mechanism to facilitate flows of non-personal data in August 2024.

As under the EU and UK GDPR, various international jurisdictions may require data exporters to conclude SCCs to safeguard certain transfers of personal data to data importers in third countries. For example, in 2024, the Turkish and Brazilian authorities each published a set of updated SCCs containing provisions similar to those in the EU SCCs for data transfers. International organizations must therefore be prepared both to update intra-group agreements and to address requests from third-party organizations to enter into such SCCs.


While most countries in Asia do provide pragmatic data transfer mechanisms, the exact requirements vary a good deal from one jurisdiction to the next.

Richard Bird, Partner

Looking ahead

By staying informed and proactive, you can better manage risks and seize opportunities in the ever-evolving data landscape. It’s essential for businesses to be equipped to navigate the complex and rapidly changing requirements around data transfers and localization, which can differ greatly across jurisdictions.

Keep a close eye on developments in cross-border transfer and localization laws, especially those recently introduced in the US, China, and Vietnam. If your business is involved in data transfers from Europe, be prepared for potential legal challenges to the DPF and anticipate likely changes to the SCCs for data transfers from the EU. Planning ahead will be crucial to ensure compliance and maintain smooth operations.
