Category Archives: Cross-Border Data Transfers

White House’s AI Action Plan: Winning the Race in a Patchwork Regulatory Era

By Joshua Ashley Klayman, Ieuan Jolly, Jeffrey Cohen, and Caitlin Potratz Metcalf

Left to right: Joshua Ashley Klayman, Ieuan Jolly, Jeffrey Cohen, and Caitlin Potratz Metcalf (photos courtesy of Linklaters)

On July 23, 2025, the White House published Winning the AI Race: America’s AI Action Plan (the AI Action Plan), a comprehensive effort aimed at solidifying United States leadership in artificial intelligence. The AI Action Plan acknowledges the U.S.’ uniquely complex—and, at times, conflicting—regulatory landscape, including the patchwork of state-level laws that impact innovation, compliance, and policy predictability. The Action Plan calls for national leadership and seeks a unified, pro-innovation regulatory approach, with an understanding that states will continue to develop their own laws. Businesses should prepare for both the opportunities and the compliance challenges that will arise as the Action Plan is implemented.


Maturing Compliance with the Bulk Sensitive Data Rule before the July 8, 2025 Safe Harbor Expires

by Luke Dembosky, Avi Gesser, Erez Liebermann, Rick Sofield, Johanna N. Skrzypczyk, and Mengyi Xu

Top left to right: Luke Dembosky, Avi Gesser, Erez Liebermann, Rick Sofield, Johanna N. Skrzypczyk, and Mengyi Xu (photos courtesy of Debevoise & Plimpton LLP)

All eyes are on the DOJ Bulk Sensitive Data Rule (28 C.F.R. Part 202) and July 8, 2025, when the recently announced good-faith safe harbor expires. The rule, which the Department of Justice now refers to as the Data Security Program (the “DSP”), creates a comprehensive export control regime to restrict the transfer of bulk sensitive personal and government-related data to foreign adversaries deemed threats to U.S. national security. On April 11, 2025, shortly after the first effective date of the DSP, the National Security Division (“NSD”) of DOJ issued a suite of three policy and guidance documents to facilitate compliance with the DSP, including a 90-day civil enforcement safe harbor for good-faith compliance. As previously discussed, the DSP seeks to address the bipartisan concern that sensitive datasets could be exploited by foreign adversaries for espionage, cyberattacks, malign influence, and coercion, which would undermine the United States’ national security interests.


EU Court Upholds Commission’s Power To Demand Data Held by Foreign Companies

by Bill Batchelor, Ryan D. Junck, David A. Simon, Nicola Kerr-Shaw, Bora P. Rawcliffe, and Margot Seve


Top left to right: Bill Batchelor, Ryan D. Junck, and David A. Simon. Bottom left to right: Nicola Kerr-Shaw, Bora P. Rawcliffe, and Margot Seve (Photos courtesy of authors)

Summary

In Nuctech Warsaw (T-284/24), the EU Court of Justice held that EU subsidiaries can lawfully be required to provide access to email accounts and data held by their overseas parent company. The ruling involved the following framing:

  • Broad reach of EU extraterritorial investigative powers: The order interprets the European Commission’s (EC’s) investigative powers broadly. EU law applies to conduct with significant effects in the EU, even if the conduct occurs outside the EU. Consequently, the EC may request information from non-EU companies to assess potential EU law violations.
  • Implications for other EU enforcement regimes: The investigation was carried out under the EU Foreign Subsidies Regulation (FSR), but the ruling has implications for the EC’s powers under general antitrust rules and other regulations such as the Digital Markets Act or the Digital Services Act. The judgment follows divergent rulings in the UK that limited the extraterritorial reach of UK regulators’ enforcement powers in fraud and antitrust cases. (See our February 2021 alert “English Supreme Court Limits Serious Fraud Office’s Extraterritorial Reach” for more details.)
  • Siloing access to data within a corporate organization: The ruling held that there was no evidence local subsidiaries could not access China-held data, or that compliance with the EC’s inspection decision would compel the applicants and the group to infringe Chinese law, including criminal law. Therefore, companies should consider:
    • If their IT environment and procedures can be siloed to enable the company to demonstrate that accessing parent company data from the EU is not technically feasible without cooperation from the non-EU entities.
    • Whether law and regulation applicable to a company would prevent it from sharing this data with an EU regulator. If so, this should be well-documented in advance, potentially with external legal counsel validation, so that any refusal to comply with a request for data could be quickly substantiated with specific reference to other applicable laws.


Dutch Data Protection Authority Imposes a Fine of 290 Million Euros on Uber

by Sarah Pearce and Ashley Webber


Left to right: Sarah Pearce and Ashley Webber (Photos courtesy of Hunton Andrews Kurth LLP)

On August 26, 2024, the Dutch Data Protection Authority (the “Dutch DPA”), as lead supervisory authority, announced that it had imposed a fine of 290 million euros ($324 million) on Uber.  The fine related to violations of the international transfer requirements under the EU General Data Protection Regulation (the “GDPR”). 

The Dutch DPA launched an investigation into Uber following complaints from more than 170 French Uber drivers to the French human rights interest group the Ligue des droits de l’Homme, which subsequently submitted a complaint to the French Data Protection Authority (the “CNIL”).  The CNIL then forwarded the complaints to the Dutch DPA as lead supervisory authority for Uber.


Executive Order Prohibits Transfer of Sensitive Personal Data to “Countries of Concern”

by Patrick J. Austin and John Pilch


From left to right: Patrick J. Austin and John Pilch

On February 28, 2024, U.S. President Joe Biden issued Executive Order on Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern (EO), which authorizes the U.S. Attorney General to restrict large-scale transfers of personal data to “countries of concern.” The “countries of concern” identified in the EO include China (along with Hong Kong and Macau), Russia, Iran, North Korea, Cuba and Venezuela, according to a summary issued by the White House.


President Biden Issues Executive Order Granting Authorities to Regulate the Transfer of Sensitive U.S. Data to Countries of National Security Concern

by Eric J. Kadel Jr., Sharon Cohen Levin, Nicole Friedlander, Anthony J. Lewis, Andrew J. DeFilippis, Joshua Spiegel, and George L. McMillan


Top left to right: Eric J. Kadel Jr., Sharon Cohen Levin, Nicole Friedlander, Anthony J. Lewis.
Bottom left to right: Andrew J. DeFilippis, Joshua Spiegel and George L. McMillan. (Photos courtesy of Sullivan & Cromwell LLP).

SUMMARY

On February 28, 2024, President Biden issued Executive Order 14117, “Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern” (the “Executive Order”), delegating new authorities to the U.S. Department of Justice (“DOJ”) and other agencies to regulate the transfer of sensitive U.S. data to countries of national security concern. The Executive Order focuses primarily on personal and other sensitive information, such as U.S. persons’ financial information, biometric data, personal health data, geolocation data, and information relating to government personnel and facilities.[1]


U.S. Cybersecurity and Data Privacy Outlook and Review – 2024

by Alexander H. Southwell and Snezhana Stadnik Tapia


From left to right: Alexander H. Southwell and Snezhana Stadnik Tapia (photos courtesy of Gibson, Dunn & Crutcher LLP)

As with previous years, the privacy and cybersecurity landscape continued to evolve substantially over the course of 2023. We recently provided a review of some of the most significant developments on this topic in the U.S. in the eleventh edition of Gibson Dunn’s U.S. Cybersecurity and Data Privacy Outlook and Review.

Below we summarize the past year’s developments and future prospects, including the wave of new privacy and cyber legal and regulatory advances at the federal and state levels. This past year, states continued to take the lead on enacting privacy legislation and branches of the federal government focused on data security, sensitive data, and artificial intelligence (“AI”). The surge of civil litigation with respect to web-tracking technologies also endured. In 2024, we expect an amplified focus on privacy and cybersecurity issues, as well as with respect to emerging technologies such as AI, to continue.


China Plans to Accelerate Cross-Border Data Transfers by Implementing Trial Rules in Shanghai Pilot Free Trade Zone

by Dora Luo


Dora Luo (photo courtesy of Hunton Andrews Kurth LLP)

Recent developments in the Shanghai Pilot Free Trade Zone to facilitate cross-border data transfers are expected to provide greater flexibility in exporting data from China, which has been stymied by the Cyberspace Administration of China (“CAC”)’s strict cross-border data transfer regulations proposed in December 2023. In recent years, the legal framework and practical enforcement for cross-border data transfers in China have undergone significant developments, especially with respect to the CAC’s cross-border data transfer security reviews and standard contractual clauses. The lack of clarity around the CAC’s strict rules for security assessment reviews appears to have caused significant delays in the approval process for cross-border data transfers and concern among international companies who regularly transfer data outside of China. However, it appears that the Shanghai government is likely to permit international companies to transfer data offshore by leveraging its sprawling free trade zones. Shanghai, for example, has recently unveiled new measures aimed at accelerating cross-border data transfers.
