© 2025 TrustArc Inc. Proprietary and Confidential Information.
Cross-Border Data Transfers in 2025:
Regulatory Changes, AI Risks, and
Operationalization
Legal Disclaimer
The information provided during this webinar does
not, and is not intended to, constitute legal advice.
Instead, all information, content, and materials presented during
this webinar are for general informational purposes only.
Speakers
Maciej Piszcz
Senior Assurance Program Manager,
AI & Global Privacy
TrustArc
Joanne Furtsch
VP, Privacy Knowledge
TrustArc
Agenda
1. Regulatory updates: Cross-border data flows.
Global context.
2. Complex regulatory environment and privacy
departments
3. TrustArc DM&RM: Visibility, risk, and
documentation
4. Certification as a strategy: How can Assurance
help?
5. Final takeaways and actions
United States:
New DOJ Rules on Sensitive Data
Rule Effective Date: April 8, 2025
Reporting Requirements Effective Date: after October 8, 2025
Scope: Transfer and exploitation of sensitive data concerning U.S. citizens by
countries of concern
● Covered personal identifiers: e.g., names linked to device IDs, Social Security
numbers, and government IDs.
● Precise geolocation data: e.g., GPS coordinates.
● Biometric identifiers: e.g., facial images, voice prints, and retina scans.
● Human genomic data: e.g., DNA and genetic test results.
● Personal health data: e.g., vital signs, test results, and diagnoses.
● Personal financial data: e.g., credit card details and bank account
information.
Key Prohibited Transactions:
● Data brokerage: The sale or licensing of access to sensitive data where the
recipient didn't directly collect it.
● Access to bulk human genomic data or biospecimens.
💡Know where the data flows and understand the requirements for each jurisdiction.
Ireland:
TikTok enforcement
Date: May 2, 2025
Investigation: Irish Data Protection Commission (DPC).
Period: 2021-2023. Review of practices.
Fine: €530 million. Potential suspension of data transfers
Scope:
● Lawfulness of transfers of EEA residents' data
● Transparency
Timeline: Six months to bring TikTok's operations into
compliance
💡Tools such as a transfer impact assessment (TIA) remain critical
for data transfers.
Canada:
The Global Cross-Border Privacy Rules (CBPR) Consultation
Paper
● Public Consultation: Comments due June 30, 2025
● Implementation of the Global CBPR Forum and privacy
certifications
● Canada: a founding member of the APEC CBPR and the
Global CBPR
● Benefits for Canadian companies
● Implementation models
💡Privacy certifications as an important tool in the data transfer
strategy.
Thailand: Guidance Document on the Global CBPR
● Date: February 3, 2025
● Thailand - an APEC member, not participating in APEC CBPR
● Guidance document: Comprehensive information on the
APEC and Global CBPR principles, requirements, certification
process, and potential benefits for Thai companies.
💡Global CBPR as a transfer tool in a global economy.
United Kingdom:
EDPB Opinion on Adequacy Extension
UK Adequacy under review by EDPB
● EDPB monitoring changes in UK data protection laws
for divergence from EU laws
Adequacy Extended until December 27, 2025 following
introduction of the UK's Data (Use and Access) Bill
Objectives of the UK Data Bill
● Enhance transparency and trust in data handling.
● Support innovation and market competition.
● Provide clear rules for data access and verification
services.
● Strengthen safeguards for sensitive data and
automated decision-making.
💡Know where the data flows and understand the requirements
for each jurisdiction.
South Korea:
DeepSeek cross-border data enforcement
Date: April 30, 2025
Authority: The Personal Information Protection Commission
(PIPC)
Findings:
● Transfer without user's consent or disclosure in the privacy
notice
● Insufficient transparency in the privacy notice
● No opt-out for AI development and training.
💡Know where the data flows and understand the requirements
for each jurisdiction.
Changing Geopolitical Environment
Impact on Privacy Teams
Legal divergence increases risk of fragmentation
Teams must answer:
● Where does data flow today?
● Which flows are legally vulnerable and create
highest level of risk?
● What additional safeguards are needed?
● What is the impact on operational processes?
💡Certification models offer stable governance alternatives
Strategies for Tackling Evolving
Data Transfer Requirements
International data flow risk management
Systems Selected
New business process
Build Data Flow
Calculate inherent risk (data processing risk, data transfer risk, AI risk)
Specific Use Cases
Data Transfer Risk Rating
Effortlessly streamline data transfer risk assessments across 80+ countries. Receive expert-curated country risk analysis and rating overview,
saving you time and work!
Risk scoring by jurisdiction
Problem being solved: when transferring personal data between countries (e.g., the countries where servers are hosted and the countries where you
serve customers), easily and quickly understand the transfer risk and legal obligations for your business.
Assessing Risk High-Level
Determine data transfer risk in DMRM
The TIA is based on the Business Process in
DMRM where applicable.
Task management within the Assessment process covers
the risk mitigation activities (tasks and
auto-task features).
DMRM & AM “Sandwich”
The Assessment to capture
what safeguards are in place
in AM
Demonstrate risk mitigation via the
residual risk score and reporting in
DMRM
Assessment Workflow
Step 1: Identify the risks (in DMRM)
Step 2: Analyze and prioritize the risks (in DMRM)
Step 3: Launch the risk assessment
Step 4: Risk mitigation and treatment - generate tasks for
completion
Step 5: Task completion - people implementing mitigation
strategies
Step 6: Review and approve an assessment
Step 7: Update and review your risk analysis on a
regular basis and generate risk report (in DMRM)
“Can be tailored to
meet needs, easy
rollout when
completing
assessments.”
-Andrea L., Legal
Analyst
Why are certifications important for cross-border data transfers?
Consumer trust
By demonstrating adherence to a framework/law, companies can reassure customers that their personal
information is being handled responsibly, leading to increased trust and loyalty.
Complex geopolitical environment
Multiple transfer mechanisms that a company can rely on.
Interoperability
Certifications and verifications based on the recognized principles (DPF, APEC/Global CBPR -> OECD Principles).
Government-backed
Negotiated by governments (i.e. APEC/Global CBPR).
Periodic review of practices
Practices reviewed by a third-party reviewer. A way of enhancing maturity.
Vendor management
Mechanism to ensure security and data protection.
Privacy Certifications
RECOGNIZABLE PRIVACY SEAL
TRUSTe has a long reputation as a privacy certification provider.
INTERNATIONAL PRIVACY EXPERTISE
Our privacy team's experts, spread out internationally, are able to
provide guidance.
STREAMLINED CERTIFICATION PROCESS
Platform-enabled: the TrustArc platform allows you to
quickly and easily provide evidence of compliance.
DISPUTE RESOLUTION
Provides third-party dispute resolution.
APEC CBPR / Global CBPR
Key benefits of the APEC / Global CBPR Certification
● Legal transfer mechanism. A legal transfer
mechanism in selected jurisdictions (Japan,
Singapore, DIFC, Bermuda, USMCA).
● Data transfer strategy. Adds another transfer
mechanism, where applicable.
● Annual review. A way of enhancing the program
management maturity and periodic review of
privacy practices.
● Globally recognized principles. The framework is
based on the globally recognized principles that
serve as the foundation to many privacy laws in the
world.
● Competitive advantage. Join a global elite of
participating companies.
Allows participating companies to demonstrate
their compliance with internationally recognized
data protection and privacy standards.
Key aspects
● Annual review of policies and
procedures
● Verification by an accountability agent
● 9 Principles
💡Participating Members
Australia
Singapore
United States of America
Republic of Korea
Japan
Mexico
Chinese Taipei
Canada
Philippines
Associate members: the UK, Mauritius, the Dubai
International Financial Centre, Bermuda.
APEC/Global PRP
Key benefits of the APEC / Global PRP
● Demonstrable accountability.
Recognition by accountability agent.
● Vendor management tool. A number of
data controllers in a business-to-business
relationship require their vendors to be
PRP certified.
● Globally recognized standards. Annual
review of the practices against globally
recognized standards.
● Competitive advantage. Join a global
elite of participating companies.
Key aspects
● Review of data protection and security measures that
are applicable to data processors
● Verification by an accountability agent
● 2 Principles (Security and Accountability)
Data Privacy Framework (DPF) Verification
Key benefits of the Data Privacy Framework Verification
● Independent verification. Provides
an independent third-party
verification of the privacy program
● Legal transfer mechanism.
Adequacy decision for participating
companies.
● Recourse mechanism.
● Preparation and guidance for
self-certification.
DPF is a method for transferring data from the
EU/UK/Switzerland to the USA.
💡Adequacy under Article 45: Companies that
participate in the
Final takeaways
● Understand regulatory changes
● Get ahead of regulatory fragmentation
● Prioritize visibility and documentation
● Leverage certifications for transfer strategy
● Start with structured mapping → use pre-populated TIAs → consider certification readiness
Thank You!

TrustArc Webinar - Cross-Border Data Transfers in 2025: Regulatory Changes, AI Risks, and Operationalization
