The Transfer Problem: Why It Matters Now
Every technology company that operates across borders, which is to say virtually every technology company, transfers personal data internationally. Customer records flow from India to cloud servers in the US. Employee data moves between offices in London and Bangalore. Analytics platforms aggregate user behaviour across dozens of countries simultaneously.
Until recently, these transfers operated in a regulatory grey zone. That era is over.
In 2026, technology companies face a convergence of regulatory pressures:
- India's DPDPA empowers the government to restrict transfers to specific countries via a "blacklist" mechanism, and the first restricted country list is expected imminently
- The EU continues to tighten adequacy assessments, with several existing adequacy decisions under review
- The UK has diverged from the EU post-Brexit, creating its own adequacy framework with different criteria
- China's PIPL requires security assessments for significant cross-border transfers, with enforcement actions increasing
- ASEAN member states are implementing the ASEAN Model Contractual Clauses, adding another layer of regional requirements
The result is a patchwork that no single transfer mechanism can satisfy. Companies need a multi-layered strategy.
The Major Transfer Frameworks
1. EU: Standard Contractual Clauses and Adequacy
The EU's transfer framework remains the most influential globally. Following the Schrems II decision, transfers to countries without an adequacy decision require:
- Standard Contractual Clauses (SCCs): The European Commission's modular SCCs (adopted June 2021) remain the primary transfer mechanism. They cover four scenarios: controller-to-controller, controller-to-processor, processor-to-processor, and processor-to-controller
- Transfer Impact Assessments (TIAs): Required alongside SCCs to evaluate whether the destination country's legal framework provides "essentially equivalent" protection. This is where most companies struggle, as the assessment requires analysis of surveillance laws, judicial remedies, and enforcement practices
- Supplementary measures: Where TIAs identify gaps, technical measures (encryption, pseudonymisation, split processing) and organisational measures (access restrictions, transparency reporting) must bridge the protection gap
The EU-US Data Privacy Framework, adopted in July 2023, provides an adequacy mechanism for US companies that self-certify. However, its durability remains uncertain. Challenges are expected, and companies should maintain SCC-based transfer mechanisms as a fallback.
2. India: The DPDPA's Blacklist Approach
India's DPDPA takes a fundamentally different approach to cross-border transfers. Rather than requiring an adequacy finding for permitted destinations (the EU's "whitelist" model), the DPDPA allows transfers to all countries except those specifically restricted by the Central Government.
Key features:
- Transfers are permitted by default until a country is placed on the restricted list
- The government may restrict transfers based on national security, public order, or sovereignty concerns
- Sectoral regulators (RBI, SEBI, IRDAI) retain authority to impose additional data localisation requirements
- The draft DPDPA Rules introduce additional safeguards: data fiduciaries must ensure the recipient provides equivalent protection, and certain categories of data (to be specified) may face stricter transfer conditions
For Indian technology companies, the practical implication is this: while the blacklist approach is more permissive than the EU model, the uncertainty about which countries will be restricted, and when, creates planning challenges. Companies should map their transfer flows now and identify dependencies on jurisdictions that may be at risk of restriction.
3. UK: Independent Adequacy and the Data Bridge
Post-Brexit, the UK has pursued its own adequacy framework. The UK has granted adequacy to several countries independently of the EU, and has established "data bridges," bilateral arrangements that facilitate transfers.
Notable developments:
- The UK-US Data Bridge extends the EU-US Data Privacy Framework to UK personal data
- The UK has granted adequacy to countries not recognised by the EU, including South Korea and Japan under independent assessments
- The UK's International Data Transfer Agreement (IDTA) and International Data Transfer Addendum provide alternatives to EU SCCs
Companies processing both EU and UK personal data need separate transfer mechanisms for each, a common compliance gap.
4. China: Security Assessments and Localisation
China's Personal Information Protection Law (PIPL) imposes the most restrictive transfer regime among major economies:
- Security assessment: Mandatory for critical information infrastructure operators, companies processing personal information of more than 1 million individuals, or cumulative transfers exceeding 100,000 individuals' data
- Standard contracts: For transfers below the security assessment threshold, standard contracts filed with the Cyberspace Administration of China (CAC) may be used
- Certification: An alternative mechanism through certified bodies, though adoption remains limited
- Data localisation: Certain categories of data (financial, health, government) must be stored within China, with only "necessary" data permitted for transfer after security assessment
5. Emerging Frameworks: ASEAN, Middle East, Africa
The transfer landscape is expanding rapidly beyond the established regimes:
- ASEAN: The ASEAN Model Contractual Clauses provide a regional transfer mechanism, though implementation varies by member state. Singapore's approach is the most mature, while Indonesia and Vietnam impose additional localisation requirements
- Middle East: The UAE (DIFC and ADGM), Saudi Arabia, and Qatar have adopted transfer frameworks broadly aligned with EU principles but with local variations
- Africa: The African Union Convention on Cyber Security (Malabo Convention) provides a continental framework, with Kenya, Nigeria, and South Africa leading national implementation
Building a Transfer Compliance Strategy
Given the complexity of the current landscape, a systematic approach is essential. The following framework applies regardless of company size or sector.
Step 1: Map Your Data Flows
Before you can comply with transfer restrictions, you need to know what data goes where. This mapping should identify:
- Categories of personal data transferred (customer data, employee data, analytics data)
- Source and destination countries for each transfer
- Legal entities involved (your subsidiaries, processors, sub-processors)
- The legal basis for each transfer under each applicable framework
- Technical infrastructure: which cloud regions store and process the data
Step 2: Identify Applicable Frameworks
For each transfer flow, determine which regulations apply. A transfer of EU customer data to an Indian processor for analysis, stored on AWS servers in the US, potentially engages:
- GDPR (data originates in the EU)
- DPDPA (data processed in India)
- US state privacy laws (data stored in the US)
- Sector-specific regulations (depending on the data type)
Step 3: Implement Layered Transfer Mechanisms
No single mechanism covers all scenarios. Build a layered approach:
- Primary: SCCs or equivalent contractual mechanisms for each jurisdiction pair
- Secondary: Adequacy decisions and data bridges where available
- Technical: Encryption, pseudonymisation, and access controls that provide supplementary protection
- Organisational: Policies governing who can access transferred data, under what circumstances, and with what oversight
Step 4: Document and Monitor
Transfer compliance is not a point-in-time exercise. Establish processes for:
- Regular review of Transfer Impact Assessments (at minimum annually, and whenever the legal landscape changes)
- Monitoring regulatory developments in destination countries
- Updating contractual mechanisms when new SCCs or equivalent instruments are published
- Maintaining records of processing activities that reflect current transfer flows
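Steps 1 to 4 expressed as checks over a small transfer register. This is an added example, not part of the original article: the location codes, the framework mapping (simplified from the Step 2 example), the `XX` restricted entry and the sample flows are all constructed assumptions, and the one-year threshold mirrors the "at minimum annually" TIA review interval.

```python
from dataclasses import dataclass
from datetime import date

# Simplified mapping based on the Step 2 example; a real register needs legal review.
FRAMEWORKS = {"EU": "GDPR", "IN": "DPDPA", "US": "US state privacy laws", "CN": "PIPL"}
CONTRACTUAL = {"SCC", "IDTA", "BCR", "adequacy"}  # Step 3 primary and secondary layers
TECHNICAL = {"encryption", "pseudonymisation", "access-controls"}
RESTRICTED_FROM_IN = {"XX"}  # placeholder code: the page gives no DPDPA restricted list

@dataclass
class Flow:  # one row of the Step 1 data-flow map
    category: str
    origin: str
    processing: str
    storage: str
    mechanisms: frozenset
    tia_reviewed: date = None

def frameworks(flow):
    # Step 2: each location the data touches may engage a framework.
    hits = (FRAMEWORKS.get(loc) for loc in (flow.origin, flow.processing, flow.storage))
    return list(dict.fromkeys(fw for fw in hits if fw))

def findings(flow, today):
    # Steps 3 and 4: flag missing layers and stale Transfer Impact Assessments.
    out = []
    destinations = {flow.processing, flow.storage} - {flow.origin}
    if not destinations:
        return out  # data never leaves the source jurisdiction
    if flow.origin == "IN" and destinations & RESTRICTED_FROM_IN:
        out.append("destination on restricted list")
    if not flow.mechanisms & CONTRACTUAL:
        out.append("no contractual or adequacy mechanism")
    if not flow.mechanisms & TECHNICAL:
        out.append("no technical supplementary measure")
    if "SCC" in flow.mechanisms and (
            flow.tia_reviewed is None or (today - flow.tia_reviewed).days > 365):
        out.append("TIA missing or older than one year")
    return out

# Constructed sample register, not real data.
REGISTER = [
    Flow("customer", "EU", "IN", "US", frozenset({"SCC", "encryption"}), date(2024, 11, 1)),
    Flow("employee", "IN", "XX", "XX", frozenset()),
    Flow("analytics", "EU", "EU", "EU", frozenset()),
]

def audit(today=date(2026, 1, 15)):
    return {f.category: (frameworks(f), findings(f, today)) for f in REGISTER}
```

Calling `audit()` returns, per data category, the frameworks engaged and the open findings; running it on a schedule against the live register covers the monitoring described in Step 4.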
Practical Considerations for Technology Companies
Cloud Infrastructure Decisions
Your choice of cloud regions has direct compliance implications. Multi-region deployments offer flexibility but increase the number of applicable regulations. Consider:
- Deploying regional instances where data residency requirements exist (India, China, certain EU member states)
- Using cloud provider tools for data residency controls (AWS Regions, Azure Geographies, GCP locations)
- Documenting that sub-processing by your cloud provider constitutes a transfer and requires appropriate safeguards
Vendor and Sub-Processor Management
Every third-party service that accesses personal data is a potential transfer point. Your analytics platform, customer support tools, email service provider, and monitoring solutions all require assessment:
- Maintain a sub-processor register and notify customers of changes (required under GDPR SCCs)
- Conduct due diligence on each sub-processor's data handling practices and jurisdictional exposure
- Include transfer-specific obligations in vendor agreements
Customer Transparency
Enterprise customers increasingly demand visibility into where their data flows. Proactive transparency (publishing sub-processor lists, providing data flow diagrams, and offering regional deployment options) builds trust and accelerates procurement.
What Happens When Transfers Are Restricted
Companies should prepare contingency plans for scenarios where a transfer mechanism becomes unavailable, as happened overnight when the EU-US Privacy Shield was invalidated by Schrems II:
- Data localisation fallback: Ensure your infrastructure can support processing within the source jurisdiction if cross-border transfer becomes impermissible
- Alternative transfer mechanisms: Maintain parallel mechanisms (SCCs alongside adequacy, Binding Corporate Rules alongside standard contracts) so that the failure of one does not halt operations
- Customer communication: Have templated communications ready to inform customers of changes to data processing locations and the safeguards in place