On 29 Apr 2025, Malaysia's Personal Data Protection Commissioner issued the Cross Border Personal Data Transfer (CBPDT) Guidelines v1.0. It's a sizeable document that "serves as guidance on compliance" with s129 of the PDPA. In some cases it goes into quite some depth on the conditions for using a particular legal basis, and chunks of this didn't appear in the public consultation paper, so it's advisable to read the Guidelines in full. This unexpectedly made my Substack analysis and discussion quite long. The Guidelines remind me of the EDPB's Guidelines 2/2018 on derogations of Article 49. The complexity may lead to companies relying more heavily on consent because they think it's easier to manage.

Here are some key points that companies should take note of:

1. Data controllers (DCs) must keep records that sufficiently prove each transfer complies with s129, e.g. Transfer Impact Assessments (TIAs), notices to data subjects and records of consent, copies of transfer agreements, BCRs.

2. Unlike the EU and UK, it appears that the Malaysia gov will not be publishing a list of countries that have "substantially similar" laws or offer an "adequate level of protection", and will let companies make this assessment, e.g. through TIAs. Even though TIAs are not mandatory, because of #1 I'd suggest just doing them.

3. IRT having "substantially similar" laws, the Guidelines say this means that the content of the law is similar to the PDPA's. It lists factors to be considered, e.g. if there are similar data subject rights and data breach notification requirements. It's not clear to me if it's about similarity in form or substance, and what level of granularity applies. As comparison, when the UK was conducting adequacy assessments under the Boris Johnson government (and I had worked with them on their assessment of Singapore), they announced that they were not doing a textual comparison of laws but an assessment of real-world outcomes of data protection regimes.

4. What are measures that support the DC having taken reasonable precautions and due diligence to ensure that PD processed overseas will not breach the PDPA? Here, the Guidelines recognise:
- BCRs
- "Recognised Certification"
- contractual clauses (CCs) containing security measures to provide an adequate level of protection, and clauses that require PD processing to comply with the PDPA
IRT CCs, it's good news that Malaysia has recognised the ASEAN MCCs and EU SCCs (though it requires DCs to assess if additional clauses are needed), and has not come up with its own version of SCCs.

5. DCs must keep records of the Receiver, including name of the Receiver, company rego no. if any, contact details of the Receiver's DPO or similar person, country that the PD is being transferred to, type of PD transferred, purposes of transfer. If your data inventory doesn't already capture this information, you might want to add questions to collect it.

https://lnkd.in/gBnyZHVj
Cross-Border Data Transfer Guidelines
Summary
Cross-border data transfer guidelines are rules and practices that help organizations safely move personal data between countries while obeying privacy laws and protecting sensitive information. These guidelines are especially important as global businesses handle data across borders, facing varying legal requirements and security challenges.
- Document transfer safeguards: Keep detailed records of how personal data is transferred, including agreements and risk assessments, to show compliance with relevant laws.
- Assess local laws: Review the data protection laws in each country involved to ensure transferred data remains secure and follows regional regulations.
- Update contracts and policies: Use recognized legal mechanisms and refresh contracts to address evolving privacy standards and new cross-border rules.
-
📌 Data Transfers: GDPR vs. U.S. law: Why Moving Data Across the Atlantic Still Feels Like Walking a Tightrope.

You’ve collected personal data in Europe. Now your vendor, cloud service, or analytics tool is in the U.S. Can you just send it over? Here’s why transatlantic data transfers remain one of the most complex - and controversial - issues in global privacy law 👇

🇪🇺 GDPR: Transfers Must Be Justified and Protected
Under the GDPR, sending data outside the EU is a restricted act - and only allowed when certain safeguards are in place.
✅ You need an approved mechanism:
– Standard Contractual Clauses (SCCs)
– Data Privacy Framework (DPF)
– Binding Corporate Rules (BCRs), etc.
✅ You must do a Transfer Impact Assessment (TIA) → especially if using SCCs, to assess whether the destination country (e.g. U.S.) provides equivalent protection
✅ You must monitor and revisit the safeguards over time
🧪 Example: An Irish SaaS company uses a U.S.-based cloud provider. → It signs SCCs, conducts a TIA, and applies extra encryption + access controls - all documented in case of regulatory scrutiny.
💡 Bottom Line: Data transfers from the EU require legal safeguards and documented risk assessments.

🇺🇸 U.S.: No General Data Export Law — But the CCPA Adds Pressure
The U.S. doesn’t have a GDPR-style restriction on sending data abroad. But California’s CCPA and other state laws are starting to inch closer to cross-border accountability.
📋 Under CCPA, if a transfer counts as a “sale” or “sharing”, you must:
– Provide notice
– Allow opt-outs
– Ensure contractual restrictions on the recipient
🛑 No Transfer Impact Assessment requirement
🛡️ Security and purpose limitation clauses are critical
🧪 Example: A California-based retailer uses a processor in India to handle customer support. → The contract must restrict use to the business purpose and prohibit secondary use. → If not, it could be treated as a “share” under CCPA - triggering opt-out rights.
💡 Bottom Line: CCPA law doesn’t block transfers, but it’s building up consumer control and contractual responsibility around them.

🎯 The Core Difference
GDPR → “You can’t send data unless safeguards are in place - and you’ve assessed the risk.”
CCPA → “You can send it - but watch what you promise, how it’s used, and whether the consumer can say no.”

🌍 What This Says About Privacy Culture
🇪🇺 “We protect personal data even after it leaves Europe.”
🇺🇸 “We focus on control and transparency - wherever the data goes.”
Same cloud. Different storm warnings.

👇 Want a follow-up post on:
🔹 The Transfer Impact Assessment - and what it actually looks like in practice?
🔹 The Data Privacy Framework (DPF) - is it a fix or a band-aid?

#GDPR #CPRA #DataTransfers #TIA #SCCs #DataPrivacyFramework #GlobalPrivacy #CIPPUS #CIPPE #PrivacyProfessional #EUUSPrivacySeries #InfoSec #DataProtection #LinkedInLearning
-
The DOJ just dropped a cross-border data transfer rule—and if your business handles sensitive data like it’s part of your daily intake… it's time to check where that data’s going.

As of April 8, the U.S. Department of Justice’s “Countries of Concern” rule is in effect. It targets bulk transfers of U.S. sensitive personal data—think biometrics, health info, geolocation, financials, genetic data—to entities tied to China, Russia, Iran, North Korea, Cuba, or Venezuela. If your business touches national security, healthcare, defense, infrastructure—this rule probably applies to you.

What’s restricted or outright prohibited?
- Selling or licensing covered data to companies in these countries
- Using vendors, employees, or investors linked to them without heavy-duty due diligence
- Sharing “bulk” data without CISA-grade safeguards in place

Yes, it’s live now. Yes, enforcement gets real on October 6 (audits, documentation, attestations, the whole works). No, “we didn’t know” isn’t a defense.

So what should companies do?
- Map your data flows (especially across borders)
- Review vendor and third-party ties
- Upgrade your security protocols to DOJ/CISA expectations
- Loop in legal, privacy, and security now—before the rule becomes a headline in your incident response plan

Bottom line: This isn’t just another “update your privacy policy” moment. It’s the national security version of a data transfer restriction—with serious reach. Consider this your early compliance memo.
-
As a veteran SaaS lawyer, I've watched Data Processing Agreements (DPAs) evolve from afterthoughts to deal-breakers. Let's dive into why they're now non-negotiable and what you need to know:

A) DPA Essentials Often Overlooked:
- Subprocessor Management: DPAs should detail how and when clients are notified of new subprocessors. This isn't just courteous - it's often legally required.
- Cross-Border Transfers: Post-Schrems II, mechanisms for lawful data transfers are crucial. Standard Contractual Clauses aren't a silver bullet anymore.
- Data Minimization: Concrete steps to ensure only necessary data is processed. Vague promises don't cut it.
- Audit Rights: Specific procedures for controller-initiated audits. Without these, you're flying blind on compliance.
- Breach Notification: Clear timelines and processes for reporting data breaches. Every minute counts in a crisis.

B) Why Cookie-Cutter DPAs Fall Short:
- Industry-Specific Risks: Healthcare DPAs need HIPAA provisions; fintech needs PCI-DSS compliance clauses. One size does not fit all.
- AI/ML Considerations: Special clauses for automated decision-making and profiling are essential as AI becomes ubiquitous.
- IoT Challenges: Addressing data collection from connected devices. The 'Internet of Things' is a privacy minefield.
- Data Portability: Clear processes for returning data in usable formats post-termination. Don't let your data become a hostage.
- Privacy by Design: Embedding privacy considerations into every aspect of data processing. It's not just good practice - it's the law.

In 2024, with GDPR fines hitting €1.4 billion, generic DPAs are a liability, not a safeguard. As AI and IoT reshape data landscapes, DPAs must evolve beyond checkbox exercises to become strategic tools. Remember, in the fast-paced tech industry, knowledge of these agreements isn't just useful – it's essential. They're not just legal documents – they're the foundation for innovation and collaboration in our digital age.

Pro tip: Review your DPAs quarterly. The data world moves fast - your agreements should keep pace. Pay special attention to changes in data protection laws, new technologies you're adopting, and shifts in your data processing activities. Clear, well-structured DPAs prevent disputes and protect all parties' interests.

What's the trickiest DPA clause you've negotiated? Share your war stories below.

#legaltech #innovation #law #business #learning
-
AI Compliance & Data Protection Laws for GenAI Apps

Building GenAI Apps for a Global Audience? Understanding Regional Data Protection and AI laws is not optional, it is foundational. Here is what you need to know:

1. UNDERSTANDING GLOBAL REGULATORY VARIANCE
Building GenAI for a global audience requires understanding regional data protection and AI laws. Key Regulations by Region:
• EU AI Act: Risk-based AI obligations for certain AI systems and transparency use cases
• GDPR (EU): Transparency & Consent
• DPDP (India): Digital Personal Data Protection
• PIPL (China): Strict Data Localization
• CCPA (California): Data Access & Opt-Out
• LGPD (Brazil): Local Compliance Rules

2. IMPACT OF THESE REGULATIONS ON YOUR AI TRAINING DATA
To build compliant GenAI apps, ensure that data used for training AI models follows the regional rules: Data Collection → Processing → Model Training → Deployment
Three Core Requirements:
a. User Consent: Obtain explicit consent for data collection and use
b. Data Minimization: Collect only necessary data for the intended purpose
c. Anonymization: Remove personally identifiable information from training data

3. MITIGATING AI ETHICS AND BIAS RISKS
AI systems must be fair and ethical, particularly in high-risk areas:
a. Fairness: Ensure your AI models don't discriminate, especially in areas like recruitment or finance.
b. Bias Mitigation: Regularly test and adjust your models to reduce bias in the outputs.

4. ENSURING TRANSPARENCY IN AI MODEL DEVELOPMENT
Transparency is a cornerstone of compliance, especially when your AI impacts users directly:
a. Explainability: Protect data in transit and at rest.
b. Consent Management: Collect, track, and manage user consent.
c. Privacy by Design: Embed privacy into every system layer.

5. MANAGING CROSS-BORDER DATA FLOW
GenAI apps often rely on data from various regions, so it's critical to understand data sovereignty laws:
a. Data Sovereignty: Follow local laws on where data is stored and processed.
b. Data Transfer Agreements: Use SCCs or BCRs for compliant cross-border transfers.

THE COMPLIANCE CHECKLIST
Before launching GenAI globally, verify:
1. Regional Compliance:
• GDPR for EU? (Transparency & Consent)
• DPDP for India? (Data Protection)
• PIPL for China? (Data Localization)
• CCPA for California? (Access & Opt-Out)
• LGPD for Brazil? (Local Rules)
2. Training Data:
• User consent obtained?
• Data minimized?
• PII anonymized?
3. Ethics & Bias:
• Fairness tested?
• Bias mitigation in place?
4. Transparency:
• Explainability documented?
• Consent management system?
• Privacy by design?
5. Cross-Border:
• Data sovereignty compliance?
• Transfer agreements (SCCs/BCRs)?

Each region has different requirements. Build for the strictest, adapt for the rest. Which regulation applies to your GenAI app?
-
We're less than a week until new U.S. cross-border data rules take effect. Here are three actions U.S. companies should take to stay out of scope. ⬇️

The U.S. Department of Justice's new cross border data rules take effect on April 8. They will impact most U.S. companies--not just those with employees or operations in #China. If the goal is staying out of scope, here are three actions to take:

1️⃣ Update vendor contracting processes
🔸Update vendor contract templates to add commitments that the vendor isn't, and won't become by change in control, a "covered person"
🔸Revise contract review processes to look for these commitments or to confirm the vendor is incorporated in the U.S.
If the vendor is incorporated outside of the U.S., and it gets or has access to in-scope data, your company may have civil or criminal liability if the vendor is a "covered person" under the DOJ rules.

2️⃣ Enhance tracking technology governance processes
🔸Update review processes before third-party targeted #advertising cookies, pixels, SDKs, or other trackers are added to websites or mobile apps to identify ones from entities incorporated outside the U.S.
🔸If any are provided by a non-U.S. entity, it will likely be illegal to use them unless your company:
🔹confirms the third parties are not "covered persons" under the DOJ rules (reviews of public info, and contractual reps and warranties can help); and
🔹includes the DOJ rules' required contractual provisions for any third parties incorporated outside of the U.S.
The DOJ rules make clear that using third-party cookies, pixels, SDKs, and tracking technologies for targeted #DigitalAdvertising purposes can constitute data brokerage, which is prohibited with non-U.S. entities when in-scope data is involved. These processes can help make sure your company doesn't violate the DOJ rules in this space.

3️⃣ Revise privacy and security assessment processes.
🔸Determine which assessment processes should identify whether in-scope data is going to non-U.S. entities or individuals; security or privacy assessment processes may be a natural place to identify these data flows
🔸Update the assessment processes to identify in-scope data flows, and to prevent them or do them in compliance with the DOJ rules.
The DOJ rules focus on data flows with a company's own employees, contractors, investors, and vendors, as well as to customers and partners. With the broadest definition of "sensitive personal data" that we have in the U.S.--which can include purchase or transaction histories, IP addresses and device identifiers, names and contact info, and other data that most companies deal with on a regular basis--it's important to have processes to flag and address data flows that will be banned by these rules. By leveraging existing #privacy and #security assessment processes, companies have a scalable way to stay in line with the rules.
-
Every Indian fintech faces the same tension. "Can I use global tools and still stay compliant here?"

Because on one side, you need global infrastructure. Cloud services. Scalable vendors. Speed.
On the other side:
• You’ve got RBI.
• You’ve got data localization.
• You’ve got laws that don’t bend just because AWS is faster in Singapore.
That’s the tension every Indian fintech founder faces. Go global too fast -> you risk breaking the law. Play it too safe -> you fall behind competitors.

Here’s how this really works:

1// RBI Mandates
• All payment-system data (KYC, Aadhaar, PAN, transactions) must be stored in India
• Any offshore processing? Data must be deleted abroad + synced back to India within 24 hours
• Lending data now also covered under RBI’s 2025 Digital Lending Directions
• Non-compliance = frozen services or penalties

2// DPDP Act 2023
• Generally allows cross-border transfers
• But explicitly preserves RBI/SEBI/IRDAI sectoral rules
• Meaning: RBI’s localization requirements still stand
• Transfers abroad require contracts, safeguards, and explicit user consent

3// KYC & AML Compliance
• RBI mandates strict KYC/AML under PMLA + Master Directions
• Aadhaar e-KYC (OTP/biometric) + video KYC = valid onboarding
• Non-resident clients require certified docs (notary, embassy, bank)
• Records must be retained 5+ years + suspicious transactions reported to FIU

4// Cross-Border Payment Aggregators (2023 framework)
• RBI license required for import/export payment facilitation
• Merchant + buyer due diligence mandatory
• Maintain KYC + transaction records for 5 years
• Must comply with FEMA + forex reporting rules

And the key takeaways are simple:
• Localize all Indian-user payment + personal data
• Draft robust cross-border data transfer agreements
• Use RBI-approved e-KYC methods for onboarding
• Outsource carefully - liability stays with you
• Monitor RBI circulars + DPDP notifications for blacklists

The pattern ultimately is VERY clear: Fintech in India lets you think global. But only if you stay rooted in compliance at home. That’s the only way to scale without gambling your future.

---
✍ Tell me below: What’s the biggest compliance challenge your fintech team faces right now - data, KYC, or cross-border rules?
-
DOJ Crackdown: Privacy Teams must restrict data flows before April 8, 2025!

The U.S. Department of Justice (DOJ) has finalized a sweeping ban on data transactions that expose Americans' sensitive personal data and government-related data to foreign adversaries. This is one of the most aggressive data security moves in recent years.

What’s covered?
a) Prohibited data transactions: Selling, licensing, or sharing sensitive U.S. data with countries of concern or covered persons is now restricted.
b) Data brokers in the crosshairs: The rule bans U.S. persons from selling or licensing access to bulk personal data to specific countries. This also applies to cloud, fintechs, health tech, and adtech vendors.
c) Vendor & employment agreements are impacted: The rule imposes security requirements on vendors, employment agreements, and investments to prevent indirect data access.

Which data elements are protected? The DOJ has identified specific high-risk data types that are now restricted:
- Precise Geolocation Data (Within 1,000 meters, tracking patterns of life)
- Personal Financial Data (Bank accounts, card details, investment records)
- Human ‘Omic Data (Genomic, epigenomic, proteomic - critical for biometric surveillance & biosecurity threats)
- Biometric Identifiers (Facial images, voiceprints, retina scans, fingerprints)
- Listed Identifiers (Social Security numbers, driver’s licenses, MAC addresses, IMEIs, SIM card numbers, advertising IDs, IP addresses)
- Government-Related Data (Employee records, security clearances, government contractors’ data)

What should privacy professionals do? With April 8, 2025 as the enforcement deadline, privacy teams need to track and restrict cross-border data flows while ensuring compliance:
1) Scan websites & mobile apps - Identify third-party integrations, tracking pixels, SDKs, and APIs that collect protected data types and transmit them internationally.
2) Monitor network traffic for cross-border data flows - Analyze where sensitive data is sent, including cloud providers, analytics tools, and ad networks.
3) Review vendor & employee agreements - Ensure third-party vendors, foreign employees, and offshore teams cannot access restricted data or transfer it to high-risk jurisdictions.
4) Block unauthorised data transfers - Implement geo-blocking, access controls, and encryption to restrict data sharing with countries of concern.

How prepared is your organization for these changes? What challenges do you foresee in tracking data flows?

#privacy #datasecurity #DOJ #databrokers #AI
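The four steps in the post above (scan integrations, monitor traffic, review agreements, block) and the earlier DOJ post's point about using existing privacy and security assessment processes to flag in-scope data flows describe one procedure: take an egress record, work out where the data is going and what category it is, and decide whether to block it, review it, or let it through. The following is an added example of that triage step in Python; it is not code from any of the posters or from the DOJ. Everything in it is an assumption for illustration: the hostnames and the egress log are constructed, the category tags are labels from a hypothetical data inventory, and the `bulk_threshold` value is a placeholder, since the rule's actual per-category bulk thresholds are not stated on this page and must be taken from the rule text. The country list is the one the posts on this page give (China including Hong Kong and Macau, Russia, Iran, North Korea, Cuba, Venezuela), and government-related data is treated as regulated regardless of volume, as the last post on this page notes.

```python
"""Triage of outbound data flows against a countries-of-concern policy.

Added example: parses a constructed egress log, aggregates record counts per
destination host and data category, and labels each flow "prohibit", "review"
or "ok". Hostnames, category tags and the threshold are this example's own
assumptions, not terms taken from the DOJ rule.
"""
import csv
import io
from collections import defaultdict
from dataclasses import dataclass

# ISO country codes for the jurisdictions the posts on this page name as
# countries of concern: China (including Hong Kong and Macau), Russia, Iran,
# North Korea, Cuba and Venezuela.
COUNTRIES_OF_CONCERN = {"CN", "HK", "MO", "RU", "IR", "KP", "CU", "VE"}
HOME_COUNTRY = "US"

# Inventory tags for the data categories listed in the post above. The tag
# names are assumed labels from a hypothetical data inventory.
COVERED_CATEGORIES = {"geolocation", "financial", "omic", "biometric", "identifier", "health"}
GOVERNMENT_RELATED = "government"  # regulated regardless of volume

# Constructed sample egress log (not real traffic). The collector is assumed to
# have resolved dst_country and joined the inventory tag for each flow.
SAMPLE_EGRESS_LOG = """\
ts,src_app,dst_host,dst_country,category,records
2025-04-01T10:00:00Z,crm,analytics.example-us.com,US,identifier,12000
2025-04-01T10:05:00Z,mobile-sdk,ads.example-hk.com,HK,geolocation,3000
2025-04-01T10:06:00Z,mobile-sdk,ads.example-hk.com,HK,geolocation,4500
2025-04-01T10:10:00Z,payroll,hr-vendor.example-de.com,DE,financial,800
2025-04-01T10:12:00Z,facilities,badge-cloud.example-cn.com,CN,government,3
2025-04-01T10:15:00Z,support,helpdesk.example-in.com,IN,identifier,200
2025-04-01T10:20:00Z,web,cdn.example-us.com,US,none,50000
"""


@dataclass(frozen=True)
class Finding:
    dst_host: str
    dst_country: str
    category: str
    records: int
    verdict: str  # "prohibit", "review" or "ok"


def parse_egress_log(text: str) -> list[dict]:
    """Parse the CSV log into dicts, converting the record count to int."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["records"] = int(row["records"])
        rows.append(row)
    return rows


def classify_flows(rows: list[dict], bulk_threshold: int) -> list[Finding]:
    """Aggregate per destination and category, then apply the policy.

    bulk_threshold is a placeholder: the rule sets its own per-category bulk
    thresholds, which must be taken from the rule text, not from here.
    Aggregating first matters because several small transfers to the same
    recipient add up to one bulk transfer.
    """
    totals: dict[tuple[str, str, str], int] = defaultdict(int)
    for r in rows:
        totals[(r["dst_host"], r["dst_country"], r["category"])] += r["records"]

    findings = []
    for (host, country, category), count in sorted(totals.items()):
        sensitive = category in COVERED_CATEGORIES or category == GOVERNMENT_RELATED
        if not sensitive or country == HOME_COUNTRY:
            verdict = "ok"
        elif country in COUNTRIES_OF_CONCERN:
            # Government-related data is caught at any volume; other covered
            # categories are caught once the aggregate reaches the threshold.
            if category == GOVERNMENT_RELATED or count >= bulk_threshold:
                verdict = "prohibit"
            else:
                verdict = "review"  # under the threshold now, but heading towards it
        else:
            # Foreign recipient outside the list: confirm the contract restricts
            # onward transfer to countries of concern before allowing the flow.
            verdict = "review"
        findings.append(Finding(host, country, category, count, verdict))
    return findings


def egress_denylist(findings: list[Finding]) -> set[str]:
    """Hosts to feed into the egress proxy or firewall deny rule."""
    return {f.dst_host for f in findings if f.verdict == "prohibit"}


if __name__ == "__main__":
    results = classify_flows(parse_egress_log(SAMPLE_EGRESS_LOG), bulk_threshold=5000)
    for f in results:
        print(f"{f.verdict:8} {f.dst_host:28} {f.dst_country} {f.category:12} {f.records}")
    print("deny:", sorted(egress_denylist(results)))
```

The aggregation step is the part worth copying: the two Hong Kong ad-SDK rows are each below the placeholder threshold, but together they are not, which a per-request check would miss. The "review" verdict for flows to Germany and India reflects the contractual onward-transfer point in the later post rather than a prohibition.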
-
Do you share anonymous U.S. health, genomic, geolocation or financial data with China (or third parties that share data with China)? What about IP addresses for U.S. government facilities and devices? If so, the DOJ's export rules on Americans' bulk sensitive data could apply to you.

In a marked departure from traditional privacy laws, the DOJ seeks to restrict transactions involving anonymized datasets, if this data can be used by American adversaries. In addition to prohibitions on data broker/data sales relationships with countries of concern, the DOJ’s final rule also requires administrative and technical controls for a wide swathe of “restricted transactions.” These “restricted transactions” include vendor, employment, investment and M&A activity involving individuals and entities located in, or controlled by, Russia, China (including Hong Kong and Macau), Cuba, Iran, North Korea and Venezuela. This could sweep in most midsized and larger companies that have global supply chains and operations.

If you are covered, where should you begin? Here are five tips to get started:
1️⃣ Review access to sensitive personal data including de-identified and anonymized datasets to see if the final rule applies.
2️⃣ Negotiate contractual restrictions with *any* foreign recipients of U.S. sensitive data (including the E.U. and elsewhere) regarding onward transfers of data.
3️⃣ Include countries of concern as part of the KYC process for any partners or targets of investment and M&A activity.
4️⃣ Review and implement the CISA Security Requirements for any restricted data: https://lnkd.in/gcQfAUjh
5️⃣ Document your good faith efforts to comply. Per the enforcement policy “NSD will not prioritize civil enforcement actions against any person for violations of the DSP that occur from April 8 through July 8, 2025 so long as the person is engaging in good faith efforts to comply with or come into compliance with the DSP during that time.”

Learn more about the DOJ’s final rule and guidance here: https://lnkd.in/gbK_Ej-x
DOJ’s resources are at the links below:
· Fact Sheet is available here: https://lnkd.in/gHa8wyzV
· A Compliance Guide is available here: https://lnkd.in/gg8-eJv9
· The DOJ’s over 100 FAQs here: https://lnkd.in/gEDF3SDn
· There’s also an Implementation and Enforcement Policy: https://lnkd.in/gUm63mBM

#ExportControls #NationalSecurity #DataPrivacy #Cybersecurity #TradePolicy #Sanctions #KYC #MoreComplicatedROPAs #DataMappingOnSteroids
-
The U.S. Department of Justice (DOJ) has proposed new rules to limit the bulk transfer of Americans’ sensitive personal data to foreign adversaries. This proposed rule, under Executive Order 14117, aims to safeguard data such as biometrics, health records, and financial details from exploitation by countries of concern, including China, Russia, Iran, and others.

Key Highlights:
- Protected Data: Categories include biometric identifiers, precise geolocation data, personal health information, and personal financial data. Bulk transfer thresholds are strictly defined, with government-related data regulated regardless of volume.
- Countries of Concern: Transfers to entities tied to nations like China, Russia, and North Korea face strict scrutiny.
- Exemptions: Certain transactions, such as personal communications and approved corporate agreements, remain unaffected.
- Enforcement Tools: The Attorney General may issue licenses for exceptional cases and work with DHS to ensure compliance with security requirements.

This regulation reflects growing concerns about foreign actors exploiting sensitive data for economic espionage and AI-driven intelligence. Compliance will be critical for organizations handling bulk personal data.

Who Should Take Action? Data privacy officers, compliance teams, legal professionals, and cybersecurity experts should review their cross-border data policies to ensure alignment with this proposal.

Learn More:
DOJ Press Release: https://buff.ly/3WfcfM3
Executive Order 14117 Details: https://buff.ly/426nWZb

What steps is your organization taking to protect sensitive personal data in cross-border contexts? Share your thoughts below!

#DataPrivacy #Cybersecurity #NationalSecurity #DataProtectio