Navigating Data Privacy Obligations in Cross-Border Technology Agreements

A practical guide for businesses operating across multiple jurisdictions to understand and comply with the data privacy obligations that govern cross-border technology transactions.

Written By Adv. Ayushi Goyal  (Corporate & Technology Practice) · 

Practice Area: Technology Law    | Sub-Practice: Data Privacy & Data Protection    | Industry: Technology, SaaS, Cloud Computing, Digital Platforms

Read Time – 20 min read

ABSTRACT

With the advent of technological advancements, commercial transactions globally involve a massive amount of cross-border data transfers. These transfers are significant part of data privacy obligations; they are embedded within the global technology agreements of businesses operating in multiple jurisdictions. Businesses face complex data privacy obligations while operating in multiple jurisdictions due to fragmented global privacy regulations, strict localization mandates and third-party vendor liabilities. Therefore, this article provides a practical framework for understanding the principal regulatory regimes—including the EU General Data Protection Regulation, US state privacy statutes, and key Asia-Pacific frameworks—and examines how those obligations translate into concrete contractual requirements for businesses. Regulatory landscape of different jurisdictions has been surveyed to comprehend the available legal transfer mechanisms, identified the key clauses that must appear in cross-border technology agreements, and a comparative reference table has been provided as compliance guidance for technology agreements to avoid non-compliance risks.

I. Introduction

The movement of personal data across national borders is no longer an incidental feature of international business it is the mechanism by which key modern technology agreements operate. Cloud services, SaaS platforms, managed IT infrastructure, and AI-driven analytics all depend on the ability to collect, process, store, and transfer personal data in ways that routinely cross multiple legal jurisdictions. ¹

 The legal landscape governing these cross – border data transfers is fragmented, rapidly evolving, and, in several respects, mutually inconsistent. Varied laws by multiple jurisdictions on cross border data flows is acting as a barrier to enforce the public policy goals effectively and uniformly across jurisdictions as well as for firms to operate across global markets. The emphasis in this area has mostly been on an adopting a differentiating approach and less emphasis has been given to identifying common elements that may serve as building blogs in bridging these different approaches. [i]

A data processing agreement that satisfies the requirements of the EU General Data Protection Regulation (“GDPR”) may not address the consent and opt-out rights mandated by the California Consumer Privacy Act (“CCPA”) as amended by the California Privacy Rights Act (“CPRA”). A standard contractual clause approved by the European Commission may be insufficient standing alone to satisfy the data localisation requirements imposed by certain jurisdictions in the Asia-Pacific region.

This article is addressed to advise businesses on the structure of cross-border technology transactions. The article aims to equip practitioners with a working map of the compliance obligations most likely to be encountered when running business practices across multiple jurisdictions, and to comprehensively comprehend those obligations to be compliant with the contractual provisions that give them effect.

II. The Regulatory Landscape

In, this section of the article principal regulatory frameworks pertaining to cross border data privacy of few major jurisdictions are discussed, that shape the data privacy obligations globally along with play a major role in cross-border technology agreements. Understanding the scope, enforcement posture, and extraterritorial reach of each is essential before drafting or reviewing any agreement that involves the processing of personal data across borders.

A. The EU/EEA Framework: GDPR and Its Sequelae

The GDPR² remains the most substantial data privacy regulation in the world, both in terms of its substantive requirements and its extraterritorial reach. By virtue of Article 3(2), the GDPR establish its extra – territorial reach as it applies to any controller and processor established outside the EU/EEA that processes personal data of data subjects who are in the Union in connection with the offering of goods or services, or the monitoring of their behaviour. In absence of it the genuine link between the processing activities and the union as per Art 3(1) or 3(2) of the GDPR, the regulation then may nevertheless apply to Art. 3(3) of the GDPR i.e. ‘in a place where member state laws apply by virtue of public international law’. Further, as per Public international law an EU regulation is a directly applicable as law in domestic legal systems governed by international law for instance, EU embassies, overseas territories. Hence, by virtue of Art 3 the GDPR extraterritorial reach is extended via international law as it applies as a domestic law beyond the EU territory of a member state, and by virtue of international agreement as the EEA agreement which makes it completely applicable even in Non – EU states like Iceland, Norway, and Liechtenstein.[ii]

Under Chapter V, transfers of personal data to third countries are prohibited unless an appropriate safeguard is in place most commonly an adequacy decision under Article 45, standard contractual clauses (“SCCs”) under Article 46(2)(c) and (d), or binding corporate rules (“BCRs”) under Article 47.  However, following the invalidation of Privacy Shield in Data Protection Commissioner v. Facebook Ireland (“Schrems II”) ³[iii] the European Commission adopted revised SCCs in June 2021, as per which these clauses are not sufficient as they do not inherently bind the intelligence and Law enforcement agencies of third countries and thus exporters as well as importers of data must also implement “Supplementary measures” to ensure equivalence to the GDPR protections. [iv]

“The transfer of personal data to a third country may take place where the Commission has decided that the third country ensures an adequate level of protection. Such a transfer shall not require any specific authorisation.”

— GDPR, Article 45(1)

B. US State Privacy Statutes

The United States lacks a comprehensive federal data privacy law, but a growing patchwork of state statutes creates compliance obligations that must be addressed in cross-border technology agreements. As of June 2026, twenty-two states have enacted comprehensive consumer privacy legislation, with the CCPA/CPRA, Virginia Consumer Data Protection Act (“VCDPA”), Colorado Privacy Act (“CPA”), and Texas Data Privacy and Security Act among the most significant.[v]

Key obligations common to most state statutes include: the right to access, correct, delete, and port personal data; opt-out rights for the sale or sharing of personal data and for targeted advertising; data minimisation and purpose limitation requirements; and the obligation to enter into data processing agreements with service providers.

C. Asia-Pacific Frameworks

Unlike Europe, Asia does not have a broad regional directive with core principles that all member states are required to follow. Instead, Asia has the Asia–Pacific Economic Cooperation (APEC) Privacy Framework (2005), which may act as a guiding framework for local statutes specific to each country. Thus, the corporations should consider specific laws of each country and how they protect local information. The APEC framework encourages the “the development of appropriate information privacy protections ensuring the free flow of information in the Asia-Pacific region.”. The framework principles are mainly consistent with the OECD Guidelines of Protection of privacy and Trans – Border Flows of Personal Data (1980) [vi]

The Asia-Pacific region encompasses a wide spectrum of data privacy regimes, from the comparatively liberal framework of Singapore’s Personal Data Protection Act (“PDPA”) to the strict data localisation requirements imposed by China’s Personal Information Protection Law (“PIPL”)[vii] and the Data Security Law (“DSL”). India’s Digital Personal Data Protection Act 2023 (“DPDPA”) introduces a further significant compliance layer for businesses processing the personal data of Indian residents.

China’s PIPL is of particular note for technology agreements: it requires that personal information transferred out of China either pass a security assessment conducted by the Cyberspace Administration of China (“CAC”), be subject to a standard contract filed with the CAC, or comply with an approved certification scheme.

III. Legal Mechanisms for Cross-Border Data Transfers

Selecting the appropriate legal transfer mechanism is one of the most consequential decisions in structuring a cross-border technology agreement. The choice affects the contractual documentation required, the ongoing compliance programme, the risk allocation between the parties, and the potential exposure to regulatory enforcement action.

A. Standard Contractual Clauses and Adequacy Decisions

SCCs remain the most widely used mechanism for transfers of personal data from the EEA to third countries. The 2021 SCCs introduced a modular structure and added a mandatory Transfer Impact Assessment (“TIA”) requirement that obliges the parties to assess whether the laws and practices of the destination country enable compliance with the SCCs in practice. ⁶

Adequacy decisions offer a simpler route: where the European Commission has determined that a third country ensures an adequate level of protection, data may flow freely without additional safeguards. Current adequacy decisions cover, among others, the UK, Japan, Canada (commercial organisations), and the United States under the EU-US Data Privacy Framework for certified organisations.

B. Binding Corporate Rules and Article 49 Derogations

BCRs provide a transfer mechanism for intra-group transfers within multinational enterprises and require approval from the competent supervisory authority. Given the significant time and resource investment required, they are most appropriate for large multinationals with complex intra-group data flows.

Article 49 GDPR provides a limited set of derogations—including explicit consent, contractual necessity, and compelling legitimate interests—but the EDPB has consistently emphasised that these derogations must be interpreted restrictively and cannot substitute for a systematic transfer mechanism in the context of ongoing commercial data flows.

IV. Key Contractual Obligations

A well-drafted cross-border technology agreement must translate the applicable regulatory requirements into precise contractual obligations. The following provisions are commonly required or strongly recommended across the principal regulatory regimes.

COMPLIANCE CHECKLIST: CROSS-BORDER DATA PROCESSING AGREEMENT

  1. Identification of controller and processor roles — including equivalent roles under applicable law (Data Fiduciary under India DPDP Act 2023; entrusted party under China PIPL), with clear allocation of compliance obligations[viii]
  2. Description of processing activities — subject matter, duration, nature, purpose, data types, and categories of data subjects, with a separate flag for special category data or children’s personal data where applicable
  3. Processor to act only on documented instructions from the controller — with an obligation to notify the controller immediately if any instruction infringes applicable law[ix]
  4. Confidentiality obligations binding all personnel authorised to process personal data, supported by regular data protection training, and surviving termination of the agreement
  5. Technical and organisational security measures (TOMs) — encryption in transit and at rest, access controls, pseudonymisation, resilience, and regular testing, with reference to applicable standards (ISO/IEC 27001:2022, SOC 2 Type II, NIST CSF) — TOMs to be specified in full in Annex II of the SCCs, not merely cross-referenced
  6. Sub-processor management — prior written authorisation requirement, minimum 30-day controller objection window for new sub-processors, equivalent flow-down obligations, processor liability for sub-processor acts and omissions, and specific listing of hyperscale cloud sub-processors where applicable
  7. Assistance obligations covering — data subject rights requests (with pass-on timeframe of 3–5 business days), DPIAs, prior consultation with supervisory authorities, and maintenance of Records of Processing Activities (RoPA) under Art. 30(2) GDPR
  • Data breach notification — processor to notify controller within 24–48 hours of becoming aware, with jurisdiction-specific timelines to be observed by the controller:
  1. EU / EEA and UK — 72 hours to supervisory authority
  2. India (DPDP Act 2023) — as soon as reasonably possible to the Data Protection Board
  3. Singapore (PDPA) — 3 calendar days to PDPC
  4. Australia (NDB Scheme) — as soon as practicable to OAIC
  5. China (PIPL) — immediately to competent authority
  6. USA / California (CCPA) — without unreasonable delay
  • Return or deletion of all personal data on termination — including copies held by sub-processors — to recognised secure deletion standards (NIST SP 800-88), with written certification within 30 days and legal hold exceptions documented
  • Audit rights — minimum annual audit on reasonable notice, full cooperation with supervisory authorities, and acceptable alternatives (ISO 27001 certificate, SOC 2 Type II report) where on-site audit is not practicable
  • Data localisation compliance — written confirmation of processor’s data centre locations and confirmation that data subject to localisation requirements (China, India financial/health data) will not be transferred outside the required territory. [x]
  • Governing law, jurisdiction, and applicable transfer mechanism — with confirmation of the relevant SCC module (EC Decision 2021/914), adequacy decision, BCR approval, or jurisdiction-specific mechanism (UK IDTA, India DPDP permitted country list, China Standard Contract filed with CAC), supported by a completed Transfer Impact Assessment on file
  • Regulatory change management — obligation on both parties to review and amend the DPA within 60 days of any material change in applicable data protection law, with a specific trigger for India upon notification of DPDP Rules
  • DPO or designated privacy contact — processor to confirm DPO appointment where required and provide contact details, with notification of any change within 5 business days
  • Cyber liability insurance — processor to maintain adequate coverage throughout the term and provide evidence on request

V. Comparative Jurisdiction Reference

The table below provides a comparative overview of the key data privacy requirements across the principal jurisdictions relevant to cross-border technology agreements.

Jurisdiction Primary Law Transfer Mechanism Localisation Regulator Max Penalty
EU / EEA[xi] GDPR (applicable from 2018) Adequacy, SCCs, BCRs, derogations (Art.49) No (general) Lead DPA (per one-stop-shop mechanism) Standard Tier: Up to €10 million or 2% Higher Tier: Up to €20 million or 4%  
United Kingdom UK GDPR / DPA 2018[xii] Adequacy, IDTAs, BCRs No (general) ICO – Information commissioner’s office Severe Infringement – £17.5M or 4% global turnover whichever is higher   Lesser infringement – £8.7 million or 2% of turnover.
United States[xiii] Sector specific laws – HIPAA, GLBA (sector), COPPA For EU – U.S.  – Data Privacy Framework (DPF) or SCCs.   National Security and sensitive data – DOJ Rules pertaining to bulk transfer of Americans sensitive personal data   No Some sector-specific data (e.g., certain government or critical infrastructure data) and specific state requirements might necessitate in-country or on-premise processing. Federal Level -FTC – Federal sector regulators State Level – State Attorney Generals FTC Act: roughly $51,744 per violation   State Variations: range from $5,000 to $20,000 per offense depending on the state (e.g., Connecticut and Colorado).   DOJ Bulk Data Rules: Violations for improperly transferring restricted bulk sensitive data can result in up to $1,000,000 per violation and imprisonment
California[xiv] CCPA / CPRA Contractual (DPA req.) No CPPA – California Privacy Protection Agency And California Attorney General $2,663 per unintentional violation / $7,988 per intentional violation
China[xv] PIPL (2021) + DSL (2021) + Cybersecurity law (2017) CAC security assessment (mandatory above data volume thresholds); Standard Contract; PIC Certification Yes — critical information infrastructure operators (CIIOs)and Organizations processing personal data which is exceeding a certain threshold is mandated to be kept on servers within mainland China only CAC- Cyberspace Administration of China MPS High Tier: ¥50M or 5% revenue
lower tier: up to ¥1M for general violations.
India[xvi] DPDPA (2023) Government-approved countries list (negative/positive list under DPDP Rules — pending full notification) No general localisation; sectoral requirements apply (RBI, IRDAI for financial/health data) DPBI – Data Protection Board of India ₹250 crore approx. (~$30M USD)
Singapore[xvii] PDPA (rev. 2021) Contractual obligations, adequacy, BRCs, equivalent assessment No PDPC – Personal Data Protection Commission S$1M or 10% of annual turnover whichever is higher per breach
Australia [xviii] Privacy Act 1988 + Australian Privacy Principles (APP 8 — cross-border disclosure) Contractual accountability; adequacy-equivalent assessment No OAIC – Office of the Australian Information Commissioner OAIC (Office of the Australian Information Commissioner) Up to A$50M or 30% of adjusted turnover (enhanced penalties since 2022)
Japan[xix] APPI (rev. 2023) For transfers from Japan outward the mechanism. Explicit Consent Equivalent standards Adequacy Recognition     No PPC – Personal Information Protection Commission Administrative – up to ¥100M for corporate entity Criminal penalties – up to 1 year or fines of up to 1 million JPY Egregious offences – Imprisonment up to years or fines up to ¥ 1 Million

Table 1 — Comparative data privacy obligations across key jurisdictions (June 2026). Penalty figures reflect maximum statutory amounts.

VI. Practical Guidance for Businesses Operating Across Jurisdictions

Given the complexity and multiple obligations varying over different jurisdictions as surveyed above, businesses entering cross-border technology agreements should approach compliance as a structured programme rather than a one-time exercise.

Map your data flows before drafting. No compliance programme can be effective without a clear understanding of what type of personal data is being collected and processed, what is the specific purpose of its collection, where it originates, where it is transferred, and who has access to it, specifying by what time period they require this data. A data flow mapping exercise conducted before the agreement is drafted will identify the applicable regulatory regimes, the appropriate transfer mechanisms, and the contractual provisions required.

Adopt a layered contractual structure. Where an agreement spans multiple jurisdictions, consider forming a master data processing agreement supplemented by jurisdiction-specific schedules. This approach facilitates maintenance and reduces the risk that parties might miss jurisdiction-specific obligations and will also prevent confusion that might arise in the process.

Conducting document Transfer Impact Assessments. Since Schrems II and the adoption of the 2021 SCCs, TIAs are not optional for EEA transfers. It is crucial for businesses to maintain a TIA for the destination country of each respective data transfer and review them periodically to observe when there is a material change in the legal or factual circumstances.

Business should try to have built audit and review phases into the agreement. Agreements should include provisions requiring the parties to review and update their compliance arrangements at defined intervals or upon a material change in law, and should include clear audit rights enabling the controller to verify the processor’s compliance.

VII. Conclusion

Cross-border data privacy compliance is not a problem that can be solved once and set aside. The regulatory landscape will continue to evolve, enforcement activity will intensify, and the technology architectures that underpin commercial agreements will change in ways that create new compliance challenges.

The key practical takeaways from this article are threefold. First, identify all applicable regulatory regimes before the agreement is drafted by mapping data flows. Second, select and implement the appropriate legal transfer mechanism for each data destination, and document that selection in the agreement. Third, adopt a layered, modular contractual structure that can accommodate changes in law without requiring a wholesale renegotiation of the underlying commercial arrangement.


 

Endnotes

[i] Organisation for Economic Co-operation and Development, Mapping Commonalities in Regulatory Approaches to Cross-Border Data Transfers (OECD Publishing, May 2021), available at https://www.oecd.org/content/dam/oecd/en/publications/reports/2021/05/mapping-commonalities-in-regulatory-approaches-to-cross-border-data-transfers_e66a8dc0/ca9f974e-en.pdf.

[ii] Christopher Kuner, Global Applicability of the GDPR in Context, 11 Int’l Data Priv. L. 225 (Oxford Univ. Press 2021), available at https://academic.oup.com/idpl/article/11/3/225/6291338.

[iii] Case C-311/18, Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems (Schrems II), EU:C:2020:559.

[iv] Bradford L, Aboy M, Liddell K. Standard contractual clauses for cross-border transfers of health data after Schrems II. J Law Biosci. 2021 Jun 21;8(1): lsab007. doi: 10.1093/jlb/lsab007. PMID: 34164131; PMCID: PMC8216070.

[v] International Association of Privacy Professionals, US State Comprehensive Privacy Laws Report 2025 (IAPP, 2025), available at https://iapp.org/resources/article/us-state-privacy-laws-overview.

[vi] Asia-Pacific Data Privacy Laws: Model Corporate Privacy Principles, Int’l Ass’n of Privacy Prof’ls (Mar. 1, 2010), available at https://iapp.org/news/a/2010-03-01-asia-pacific-data-privacy-law-model-corporate-privacy-principles.

[vii] Personal Information Protection Law of the People’s Republic of China (adopted 20 August 2021, effective 1 November 2021).

[viii] Ministry of Electronics & Information Technology, Government of India, Data Protection Framework, MeitY, https://www.meity.gov.in/data-protection-framework

[ix] European Data Protection Board, Guidelines 07/2020 on the Concepts of Controller and Processor in the GDPR (Jan. 2021), available at https://www.edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-072020-concepts-controller-and-processor-gdpr_en.

[x] European Data Protection Board, Recommendations 01/2020 on Measures that Supplement Transfer Tools to Ensure Compliance with the EU Level of Protection of Personal Data (Final Version, June 2021), available at https://www.edpb.europa.eu/news/news/2021/edpb-adopts-final-version-recommendations-supplementary-measures-letter-eu_en.

[xi] Council Regulation 2016/679, of the European Parliament and of the Council of 27 April 2016 on the Protection of Natural Persons with Regard to the Processing of Personal Data and on the Free Movement of Such Data, and Repealing Directive 95/46/EC (General Data Protection Regulation), 2016 O.J. (L 119) 1 (EU).

[xii] UK General Data Protection Regulation, Regulation (EU) 2016/679 as retained in UK law by the European Union (Withdrawal) Act 2018, c. 16 (UK).

[xiii] Health Insurance Portability and Accountability Act of 1996, Pub. L. No. 104-191, 110 Stat. 1936 (codified as amended in scattered sections of 42 U.S.C.).

[xiv] California Privacy Rights Act of 2020, Cal. Civ. Code §§ 1798.100–1798.199.100 (West 2023).

[xv] Personal Information Protection Law (Zhōnghuá Rénmín Gònghéguó Gèrén Xìnxī Bǎohù Fǎ) (promulgated by the Standing Comm. of the Nat’l People’s Cong., Aug. 20, 2021, effective Nov. 1, 2021) (China), translated in DigiChina, Stanford Univ. (Dec. 29, 2021), https://digichina.stanford.edu/work/translation-personal-information-protection-law-of-the-peoples-republic-of-china-effective-nov-1-2021/.

[xvi] The Digital Personal Data Protection Act, No. 22 of 2023, India Code (2023), https://www.meity.gov.in/static/uploads/2024/06/2bf1f0e9f04e6fb4f8fef35e82c42aa5.pdf.

[xvii] Personal Data Protection Act, No. 26 of 2012 (Sing.), as amended by Personal Data Protection (Amendment) Act, No. 40 of 2020 (Sing.).

[xviii] Privacy Act 1988 (Cth), Act No. 119 of 1988 (Austl.), as amended by Privacy and Other Legislation Amendment Act 2024 (Cth) (Austl.).

[xix] Act on the Protection of Personal Information, Act No. 57 of 2003 (as amended by Act No. 51 of 2020, effective Apr. 1, 2022) (Japan), translated in Personal Information Protection Commission, https://www.ppc.go.jp/en/legal/.

Legal Disclaimer

This article is provided for informational purposes only and does not constitute legal advice. The views expressed herein are those of the author and do not necessarily represent the views of any firm or its clients. Readers should not act upon the information contained in this publication without seeking professional counsel.