Data Privacy Law: The Enforcement Crackdown on Cross-Border Data Transfers

The Core Issue: Restricting how multinational corporations move citizen data across international borders.

Through late 2024 and beyond, global data privacy authorities shifted their focus from how data is collected to exactly where it is sent, resulting in massive fines and new compliance frameworks.

Legal Analysis:

Several major actions highlighted this tightening of digital borders:

• The €290 Million Uber Fine: The Netherlands' Data Protection Authority levied a massive fine against Uber for transferring the personal data of European drivers (including location, payment, and criminal records) to U.S. servers without adequate safeguards. This occurred during the legal "gap" between the invalidation of the old Privacy Shield and the adoption of the new EU-U.S. Data Privacy Framework.
• Brazil's New Transfer Rules: Brazil's National Data Protection Authority (ANPD) introduced strict new regulations (Resolution CD/ANPD No. 19/2024) under their General Data Protection Law (LGPD). U.S. and multinational companies are now legally required to execute approved Standard Contractual Clauses (SCCs) to move Brazilian consumer data out of the country, facing heavy operational penalties if they fail to comply.