Data Privacy & Cross-Border Transfers: 2026 Update
Post-Schrems III Landscape
The Schrems III ruling by the Court of Justice of the European Union has fundamentally reshaped international data transfers. While the EU-US Data Privacy Framework (DPF) provides a transfer mechanism for certified organizations, the Court has signaled continuing scrutiny of surveillance practices. Organizations that relied on Standard Contractual Clauses (SCCs) must now conduct and document transfer impact assessments (TIAs) that evaluate the surveillance regime of the destination country — a requirement that has proven particularly challenging for transfers to the US, India, and China.
Global Privacy Regulation Expansion
Privacy regulation continues to expand globally. India's Digital Personal Data Protection Act (DPDPA) came into effect in 2025, introducing significant cross-border transfer restrictions, data fiduciary obligations, and penalties of up to INR 250 crore. Brazil's LGPD enforcement has intensified, Saudi Arabia's PDPL is now in force, and Australia is undertaking its most significant privacy reform in a decade. In the US, comprehensive state privacy laws now cover over 35% of the population, with federal privacy legislation gaining bipartisan momentum.
Enforcement and Penalties
Privacy enforcement is at an all-time high. In 2025, regulatory authorities worldwide imposed over $4.5B in privacy-related fines, with the EU's GDPR accounting for the largest share. The Irish DPC alone issued fines exceeding $1.2B against major technology companies. Beyond fines, regulators have increasingly issued orders to suspend data transfers, delete unlawfully processed data, and appoint independent monitors. Class action litigation based on privacy violations has also increased significantly, particularly in the US under state privacy laws.
Building a Resilient Data Governance Framework
Organizations should: (1) map all cross-border data flows and document the legal basis for each transfer; (2) implement a data inventory and classification system that teams can maintain as the regulatory landscape evolves; (3) develop a robust vendor risk management program that includes privacy due diligence for all data processors; (4) invest in privacy-enhancing technologies (PETs) such as anonymization, pseudonymization, and differential privacy; and (5) establish a cross-functional data governance committee with representation from legal, compliance, IT, and business teams.