The global game of data governance has changed
In 2025, cross-border data transfers have become one of the most complex and high-stakes challenges for legal and compliance teams. Regulatory fragmentation, evolving national security concerns, and the rise of AI-driven processing have transformed data transfers from a compliance afterthought into a strategic risk category.
This isn’t a hypothetical problem. It’s happening now. Between the U.S. Department of Justice’s sweeping new restrictions on data transfers to countries of concern and the European Data Protection Board’s clarified stance on AI model training, organizations must now evaluate international transfers with a new level of rigor across jurisdictions, technologies, and use cases.
If your organization transfers personal data across borders, whether directly, via vendors, or as part of machine learning workflows, your exposure has likely increased.
What’s making cross-border transfers more difficult?
1. The U.S. DOJ final rule on sensitive data transfers
In April 2025, the U.S. Department of Justice implemented a rule under Executive Order 14117 that introduces strict limits on outbound transfers of sensitive personal data to “countries of concern” including China, Russia, Iran, and others. Covered data categories include biometric, genomic, health, geolocation, and financial data.
Implications for compliance programs include:
- Threshold-based restrictions that apply once data relates to more than a set number of U.S. individuals, from 100 to 10,000 depending on data type.
- Obligations to conduct risk-based due diligence on recipients, including downstream data flows.
- Mandatory implementation of cybersecurity controls, encryption, and recordkeeping.
- Prohibitions on certain types of transactions (e.g., data brokerage, access to biospecimens).
This regulation introduces national security as a legal basis for restricting international transfers, requiring privacy, security, and legal teams to reevaluate contracts, vendors, and internal data flows through an entirely new lens.
2. AI model training and the long arm of the GDPR
In a 2024 opinion, the European Data Protection Board confirmed that training AI models on EU personal data, regardless of where the model is hosted, constitutes processing under the GDPR. This means cross-border transfers in the context of AI must now satisfy lawful processing requirements, complete with data transfer safeguards.
Organizations training or fine-tuning models on data sets that may include EU personal data must:
- Establish a valid legal basis for training (e.g., consent or legitimate interest).
- Assess whether transfers occur during model development.
- Conduct Transfer Impact Assessments (TIAs).
- Implement appropriate contractual and technical safeguards.
Gartner projects that by 2027, over 40% of privacy violations in AI contexts will involve unintentional cross-border exposure. Regulatory guidance is no longer theoretical. It’s actionable and enforceable.
3. Enforcement actions are accelerating
Regulators across jurisdictions are increasing enforcement activity related to international transfers. Recent examples include:
- A €290 million GDPR fine against Uber by the Dutch Data Protection Authority for unlawful transfers of driver data to the United States.
- A €30.5 million fine against Clearview AI for scraping and transferring biometric data without a legal basis or sufficient transparency.
These actions reflect a tightening of regulatory tolerance for vague or insufficient safeguards. Organizations that cannot demonstrate documented, lawful, and secure transfer mechanisms face a heightened risk of fines, injunctions, and reputational damage.
Operational risk requires operational visibility
For legal and compliance teams, addressing cross-border transfer risk starts with visibility. It is impossible to mitigate what is not documented.
Fundamental questions include:
- What data qualifies as personal or sensitive under applicable laws?
- Where is the data stored, processed, and accessed?
- Who has access—internally, via vendors, or through affiliated entities?
- What jurisdictions are implicated at each stage of the data lifecycle?
TrustArc recommends embedding transfer risk management directly into your existing privacy governance workflow. Solutions like TrustArc’s Data Mapping & Risk Manager help automate the identification of high-risk flows by analyzing processing purpose, system geography, and applicable laws.
How to build a defensible cross-border transfer program
1. Identify and classify transfers
Use a structured system inventory to pinpoint:
- Data subject location
- Processing location(s)
- Vendors and subprocessors
- Transfer mechanisms already in place (SCCs, consent, certifications)
This foundational step is critical for prioritizing remediation.
2. Apply appropriate legal mechanisms
Each transfer scenario demands a tailored compliance mechanism. Options include:
- Adequacy decisions (e.g., EU–Japan, EU–U.S. Data Privacy Framework)
- Standard Contractual Clauses (SCCs) for jurisdictions lacking adequacy
- Binding Corporate Rules (BCRs) for intra-group transfers
- Certification mechanisms, such as Global CBPR and PRP
- Explicit consent, used judiciously and only when scalable
For AI-related transfers, organizations must also consider how data used in model training may cross jurisdictions, often inadvertently, and whether additional controls are necessary.
3. Leverage certification for global assurance
Certifications such as the Global Cross-Border Privacy Rules (CBPR) and Privacy Recognition for Processors (PRP) provide a structured, third-party validated approach to transfer compliance.
Key benefits:
- Simplified vendor management through pre-vetted privacy credentials.
- Enhanced credibility with regulators, customers, and partners.
- Public listing and certification seal to demonstrate accountability.
- Alignment with GDPR (CBPR maps to approximately 61% of UK GDPR requirements).
TrustArc’s TRUSTe certification program currently supports over 50% of APEC CBPR and PRP-certified entities, including Apple, Salesforce, Cisco, and Adobe.
Strategic takeaways for legal and compliance leaders
Organizations must now manage cross-border data transfers as an integrated component of enterprise risk governance. Key imperatives include:
- Stay ahead of regulatory fragmentation by adopting transfer mechanisms that scale across jurisdictions. Certification frameworks like Global CBPR provide structure, efficiency, and interoperability.
- Strengthen AI-related controls, especially around data used in model training. Legal teams must ensure that transfer rules are met, even in experimental or developmental workflows.
- Ensure continuous enforcement readiness by maintaining audit-ready documentation, updating contracts, and verifying lawful bases for all transfers.
- Address vendor ecosystem risk by vetting third parties for compliance and requiring demonstrable privacy credentials. In 2024, 35.5% of data breaches were linked to third-party access, with the most frequently compromised vendors offering IT services, cloud platforms, and software solutions. File transfer software vulnerabilities were the most exploited attack vector, and 41.4% of ransomware attacks involved third-party access, underscoring the critical need for enhanced vendor oversight and transfer governance.
Cross-border transfers are a compliance competency
In 2025, managing cross-border data transfer risk is no longer a matter of best practice. It’s a baseline expectation. Legal and compliance teams must now demonstrate not only knowledge of the rules but also the operational capacity to comply with them at scale.
Organizations that treat data transfer governance as an extension of their enterprise risk program—integrated, proactive, and well-documented—will be better positioned to avoid fines, build trust, and unlock global opportunities.
The laws may be fragmented, but your strategy doesn’t have to be.