Cross-Border Data Transfers: Navigating Conflicting Jurisdictions Under the GDPR, India’s Digital Personal Data Protection Act, 2023, the CLOUD Act, and China’s Data Export Pathways
By Guru Legal
Keywords
cross-border data transfers; GDPR; Schrems II; Digital Personal Data Protection Act 2023; CLOUD Act; data localisation; adequacy decision; standard contractual clauses; data sovereignty; China PIPL; jurisdictional conflict; personal data; privacy
Abstract
Cross-border data transfers sit at the fault line between market integration and regulatory sovereignty, forcing organisations to reconcile divergent public-law controls on surveillance, fundamental rights, and law-enforcement access with private-law duties arising from contracts and corporate governance. The resulting tension is most acutely visible in the post-Schrems II EU regulatory architecture, India’s new Digital Personal Data Protection Act, 2023 (DPDP Act) framework, China’s data export pathways under the Personal Information Protection Law (PIPL), and the United States’ Clarifying Lawful Overseas Use of Data Act (CLOUD Act), which together create overlapping and sometimes colliding obligations for the same data flows. This article maps the key legal regimes governing cross-border data transfers, analyses the principal points of conflict, and proposes a framework for organisational compliance.
I. Introduction
Data has become the most consequential asset of the digital economy, and the ability to transmit, store, and process it across borders is a prerequisite for cloud computing, global supply chains, digital financial services, and multinational corporate governance. Yet data is simultaneously one of the most heavily regulated commodities in international commerce, subject to a proliferating array of national and regional frameworks that diverge in their substantive requirements, their jurisdictional reach, and their enforcement posture. The resulting compliance challenge for multinational organisations is formidable: a single data flow (an HR database mirrored from an Indian subsidiary to a US parent, or a customer dataset shared between a European controller and a Chinese processor) may be simultaneously subject to four or more overlapping regulatory regimes, some of which impose irreconcilable obligations.
II. The EU Framework After Schrems II
In Data Protection Commissioner v. Facebook Ireland and Maximillian Schrems (Case C-311/18, 2020), commonly known as Schrems II, the Court of Justice of the European Union invalidated the EU-US Privacy Shield adequacy decision, holding that US surveillance law, particularly Section 702 of the Foreign Intelligence Surveillance Act (FISA) and Executive Order 12333, did not provide a level of data protection essentially equivalent to that guaranteed in the EU under the GDPR. The ruling placed enormous pressure on transatlantic data flows, which had previously relied on the Privacy Shield as the primary legal basis. While standard contractual clauses (SCCs) and binding corporate rules (BCRs) remained available as transfer mechanisms, organisations relying on them were required to conduct transfer impact assessments (TIAs) to verify that the law and practice of the destination country offered essentially equivalent protection.
The EU-US Data Privacy Framework, adopted in 2023 following an adequacy decision by the European Commission, provides the current legal basis for transatlantic data transfers from the EU to participating US organisations. However, the Framework faces a potential third Schrems challenge, and organisations cannot rely on it as a permanent solution without monitoring developments in EU-US surveillance law reform.
III. India’s DPDP Act Framework for Cross-Border Transfers
India’s Digital Personal Data Protection Act, 2023 adopts a government-controlled adequacy approach to cross-border transfers. Section 16 of the Act empowers the Central Government to notify countries to which personal data may be transferred by Indian data fiduciaries; transfers to non-notified countries are implicitly prohibited. The Act does not prescribe the criteria by which countries will be assessed for adequacy notification, leaving this to executive discretion. The Digital Personal Data Protection Rules, 2025 (notified by MeitY on 13 November 2025) provide further procedural detail but do not resolve the fundamental question of how India will conduct adequacy assessments.
The DPDP Act’s approach is more restrictive than the EU’s GDPR in one respect: the EU maintains a default of free transfers within the EU and provides multiple legal bases for transfer to third countries, whereas the DPDP Act places all countries not on the notification list in a restricted category. This could create significant compliance challenges for multinational organisations operating in India, depending on which countries India chooses to whitelist.
IV. The CLOUD Act and Jurisdictional Conflicts
The Clarifying Lawful Overseas Use of Data Act (CLOUD Act, 2018) empowers US law enforcement authorities to compel US-based technology companies to provide access to data stored outside the United States, subject to certain procedural protections and an executive agreements framework for bilateral data access. The CLOUD Act creates a direct conflict with the data protection laws of countries, including EU member states, India, and China, that prohibit the transfer of personal data to foreign governments or courts without complying with the receiving country’s applicable legal procedure.
An organisation that is simultaneously a US cloud service provider subject to a CLOUD Act order and a GDPR-regulated controller or processor faces an irreconcilable conflict: compliance with the CLOUD Act order may constitute a violation of GDPR Article 48, which prohibits the enforcement of foreign court orders or decisions requiring transfer of personal data in the absence of an applicable international agreement. Navigating this conflict requires careful legal analysis of the specific circumstances, the availability of challenge mechanisms under US law, and the adequacy of cooperation agreements between the US and the relevant country.
V. Compliance Framework for Multinational Organisations
Multinational organisations can manage the cross-border data transfer compliance challenge through a combination of data mapping, legal basis selection, contractual protections, and technical safeguards. Data mapping (a comprehensive inventory of all personal data flows, including the categories of data, the parties involved, and the countries of origin and destination) is the essential foundation of a compliance programme. Legal basis selection requires choosing, for each data flow, the most appropriate and robust transfer mechanism available in the applicable regulatory framework. Contractual protections through SCCs, data processing agreements, and intragroup transfer agreements provide a legal basis for transfers and allocate risk between the parties. Technical safeguards, including encryption, pseudonymisation, and data minimisation, reduce the privacy risk of cross-border transfers and may support a finding of essentially equivalent protection in transfer impact assessments.
VI. Conclusion
Cross-border data transfer regulation reflects the fundamental tension between the global character of the digital economy and the territorial basis of legal sovereignty. The proliferation of national data protection regimes, each with its own substantive requirements, jurisdictional reach, and enforcement posture, creates a compliance landscape of formidable complexity for multinational organisations. Achieving a more coherent global framework for cross-border data flows will require sustained multilateral engagement, mutual recognition of equivalent protection standards, and a willingness by major regulatory blocs to accommodate legitimate regulatory diversity while maintaining core privacy protections.
Bibliography
Data Protection Commissioner v. Facebook Ireland and Maximillian Schrems, Case C-311/18 (CJEU, 2020) (Schrems II).
EU General Data Protection Regulation (GDPR), Regulation (EU) 2016/679.
Digital Personal Data Protection Act, 2023 (India).
Digital Personal Data Protection Rules, 2025 (India).
Clarifying Lawful Overseas Use of Data Act (CLOUD Act, 2018) (United States).
China Personal Information Protection Law (PIPL, 2021).
EU-US Data Privacy Framework (Adequacy Decision, 2023).