Our latest Global Trends benchmark compares key aspects of the regulation of cross-border personal data transfers across 14 jurisdictions, by analysing in each:

• General rules on cross-border personal data transfers.
• Countries and regional blocs to which data can be transferred without restrictions.
• Specific rules in the finance and health sectors.

Key takeaways
 

• Most jurisdictions analysed restrict cross-border personal data transfers unless pre-authorised safeguards are in place, such as consent, adequacy decisions, use of a standard contract, certifications or government approvals. Australia and Canada instead rely on open safeguards such as accountability measures and contractual protections, while the US lacks a comprehensive federal framework governing privacy.
• Only five jurisdictions analysed have operational adequacy regimes, allowing unrestricted transfers to destinations formally recognised as providing adequate data protection. Four others recognise adequate or equivalent protection in law but have not adopted adequacy decisions or regulations, while the remainder rely on other transfer mechanisms.
• Cross-border data flows are also facilitated through bilateral and multilateral free trade agreements that include provisions on personal data transfers (e.g. the EU-Singapore Digital Trade Agreement).
• Sector-specific restrictions remain widespread. Nine jurisdictions analysed have adopted cross-border transfer rules for banking or financial data, while eight have adopted (or are proposing) similar rules for health data.

Covered jurisdictions in this benchmark: Australia, Brazil, Canada, China, the EU, India, Indonesia, Japan, Kenya, Korea, Singapore, South Africa, the UK and the US.

For more information and to access the full report, please click on “Access the full content” - or on “Request Access”, in case you are not subscribed to the Global Trends service.