Data privacy and digital sovereignty: where the regulatory momentum is heading next
A trend analysis examining the trajectory of data privacy regulation and digital sovereignty requirements, covering emerging legislative patterns, enforcement escalation, sovereignty-driven infrastructure investment, and market implications.
Start here
Why It Matters
By the end of 2025, over 160 countries had enacted comprehensive data protection legislation, up from just 58 a decade earlier, according to the United Nations Conference on Trade and Development (UNCTAD, 2025). Cumulative enforcement fines under the GDPR alone surpassed $4.5 billion (European Data Protection Board, 2025), and regulators from Brazil to South Korea are now issuing penalties on a scale that, a few years ago, only European authorities imposed. At the same time, the concept of digital sovereignty has moved from academic discourse to state policy: at least 62 nations now impose some form of data localisation requirement (Baker McKenzie, 2025), and sovereign cloud investments exceeded $38 billion globally in 2024 (IDC, 2025). For enterprises operating across borders, the regulatory landscape is not converging toward a single standard but fragmenting into overlapping, sometimes contradictory, regimes. Understanding where the momentum is heading is essential for compliance strategy, infrastructure planning, and competitive positioning.
Key Concepts
Regulatory proliferation and pattern convergence. While no global privacy treaty exists, a recognisable pattern has emerged across new and revised laws. GDPR-style principles of purpose limitation, data minimisation, consent, and data subject rights appear in India's Digital Personal Data Protection Act (DPDPA, 2023), Saudi Arabia's Personal Data Protection Law (2024), and Vietnam's revised Decree 13 (2025). The pattern is not identical replication: each jurisdiction adds local requirements around government access, cross-border transfer mechanisms, and sectoral carve-outs. The net effect is a patchwork that demands granular, jurisdiction-by-jurisdiction compliance rather than a single global programme (Greenleaf, 2025).
Data localisation as industrial policy. Data localisation requirements have evolved beyond privacy protection into instruments of economic strategy. India's DPDPA empowers the government to designate "significant data fiduciaries" subject to local storage mandates. Indonesia's Government Regulation 71 (2024) requires public-sector data to reside on domestic servers. Russia and China continue to enforce strict localisation, while the EU's proposed European Health Data Space and Financial Data Access framework embed sectoral data residency conditions. The Atlantic Council (2025) notes that data localisation increasingly serves triple objectives: privacy, national security, and support for domestic cloud industries.
Enforcement escalation. Regulatory teeth have sharpened considerably. Meta's record GDPR fine of EUR 1.2 billion in 2023 set a high-water mark, but the European Data Protection Board (EDPB, 2025) reported that average penalty amounts across all EU data protection authorities rose 34% year-on-year in 2024. Beyond Europe, Brazil's ANPD issued its first significant fines in 2024, South Korea's Personal Information Protection Commission levied KRW 75.6 billion (approximately $55 million) against technology platforms in 2024, and India began enforcement proceedings under its DPDPA in early 2025 (IAPP, 2025). Cross-border enforcement cooperation through the Global Privacy Assembly and bilateral mutual legal assistance treaties is also accelerating.
AI governance and privacy intersections. The EU AI Act, which entered into force in August 2024 with its obligations applying in phases over the following years, introduces requirements that overlap with GDPR in areas such as biometric data processing, automated decision-making, and training data transparency. The intersection creates dual compliance requirements: AI systems classified as high-risk must meet both AI Act and GDPR standards. Similar convergence is emerging in Canada's proposed Artificial Intelligence and Data Act (AIDA) and Brazil's AI regulatory framework (PL 2338/2023). The OECD (2025) projects that by 2027, over 40 jurisdictions will have enacted AI-specific legislation with embedded privacy provisions.
Privacy-enhancing technologies (PETs) as compliance enablers. The technical response to regulatory fragmentation includes growing adoption of privacy-enhancing technologies. Homomorphic encryption, secure multi-party computation, differential privacy, and federated learning let organisations compute on, or learn from, personal data while limiting how much raw data is exposed, moved across borders, or retained, which narrows both the attack surface and the regulatory exposure when something goes wrong. They are not a substitute for a lawful basis: encrypted or pseudonymised data remains personal data under the GDPR, and only outputs that are genuinely anonymised fall outside its scope. The UK Information Commissioner's Office (ICO, 2025) released updated PET guidance encouraging their adoption as a means of demonstrating data protection by design. Gartner (2025) estimates that by 2027, 60% of large enterprises will deploy at least one PET in production workloads, up from 25% in 2024.
What's Working
Interoperable transfer mechanisms. The EU-US Data Privacy Framework, adopted in July 2023 and reviewed positively by the European Commission in October 2024, has reduced legal uncertainty for transatlantic data flows. Over 2,800 US organisations self-certified under the framework by mid-2025 (US Department of Commerce, 2025). The UK Extension to the framework and the UK's own adequacy decisions with Japan, South Korea, and several other jurisdictions demonstrate that bilateral arrangements, while imperfect, provide workable pathways for cross-border data movement. APEC's Cross-Border Privacy Rules (CBPR) system, now operating as the Global CBPR Forum with members from all major trading regions, offers an additional multilateral channel.
Sectoral codes of conduct. Industry-specific privacy codes are proving effective at bridging regulatory gaps. The EU Cloud Code of Conduct, accredited under GDPR Article 40, has been adopted by major cloud providers including Google Cloud, Oracle, IBM, and SAP. The code provides standardised contractual safeguards and audit mechanisms that simplify procurement decisions for enterprise customers. In healthcare, the European Health Data Space regulation is driving adoption of technical and governance standards that enable secondary use of health data for research while maintaining GDPR compliance (European Commission, 2025).
Regulatory sandboxes and innovation offices. Several data protection authorities have established innovation hubs to help organisations test novel data-processing approaches under supervised conditions. The ICO's Regulatory Sandbox has supported 45 projects since its inception, covering AI diagnostics, smart-city data, and financial crime analytics (ICO, 2025). Singapore's Personal Data Protection Commission (PDPC) operates a similar programme, and France's CNIL launched an AI sandbox in 2024 focused on generative AI training data compliance. These mechanisms reduce the chilling effect of regulation on innovation.
What's Not Working
Fragmented cross-border transfer rules. Despite progress on bilateral adequacy decisions, no universal transfer mechanism exists. Companies operating in 30+ jurisdictions must navigate a maze of standard contractual clauses, binding corporate rules, adequacy decisions, and localisation requirements. A survey by the IAPP and EY (2025) found that 68% of multinational privacy officers consider cross-border data transfer compliance the single most resource-intensive aspect of their programmes. The Schrems litigation legacy continues to create uncertainty, and the EU-US Data Privacy Framework faces a potential challenge before the Court of Justice of the EU by 2027.
Enforcement inconsistency. While headline fines grab attention, enforcement capacity varies wildly. The EDPB's own assessment (2025) found that smaller EU data protection authorities lack the staff and budget to process complex cross-border cases within mandated timelines. Ireland's Data Protection Commission, which oversees most major US tech platforms due to their EU headquarters location, has faced sustained criticism for processing delays despite increased resources. Outside Europe, many data protection authorities in Africa, Southeast Asia, and Latin America remain under-resourced, creating de facto enforcement gaps.
Compliance cost burden on SMEs. Privacy regulation imposes disproportionate costs on small and medium enterprises. The European Commission's own impact assessment for GDPR estimated compliance costs at EUR 200 per employee per year, but a 2025 survey by the Federation of Small Businesses (UK) found actual costs for SMEs averaging GBP 12,000 to GBP 30,000 annually when legal advice, technology, and staff training are included. Tools and templates designed for large enterprises are poorly suited to smaller organisations, and regulatory guidance often assumes institutional capacity that SMEs lack.
Localisation-driven inefficiencies. Strict data localisation mandates increase infrastructure costs without always improving privacy outcomes. The Information Technology and Innovation Foundation (ITIF, 2025) estimates that data localisation requirements add 30% to 60% to cloud computing costs in affected markets. In Indonesia, government data localisation has fragmented cloud deployments and limited access to global-scale AI services. India's evolving localisation requirements have prompted hyperscalers to invest in domestic data centres, but smaller firms face higher costs and reduced service quality.
Key Players
Established Leaders
- European Data Protection Board — Coordinates enforcement across 30 EU/EEA data protection authorities and issues binding consistency decisions.
- UK Information Commissioner's Office — Regulates data protection for 67 million residents and leads on PET guidance and innovation sandboxes.
- CNIL (France) — Issued major GDPR fines and operates an AI regulatory sandbox; influential in shaping EU enforcement norms.
- Microsoft — Invested $3.3 billion in EU sovereign cloud infrastructure and developed EU Data Boundary to process and store EU data within the bloc.
Emerging Startups
- Enveil — Privacy-enhancing computation platform enabling encrypted data search and analytics across jurisdictions.
- Duality Technologies — Homomorphic encryption platform for secure data collaboration in financial services and healthcare.
- Transcend — Data privacy infrastructure automating data mapping, consent management, and subject access requests at scale.
- Skyflow — Data privacy vault providing tokenisation and governance for sensitive data across multi-cloud environments.
Key Investors/Funders
- European Commission — Allocated EUR 1.3 billion under Digital Europe Programme for data spaces and sovereign cloud infrastructure (2024-2027).
- a16z (Andreessen Horowitz) — Led funding rounds for privacy-tech startups including Transcend and data governance platforms.
- Paladin Capital Group — Cybersecurity and privacy-focused investor with $3 billion+ under management.
Real-World Examples
Microsoft's EU Data Boundary. In early 2025, Microsoft completed the rollout of its EU Data Boundary, ensuring that personal data from European enterprise and public-sector customers is stored and processed within the EU. The initiative required engineering changes to over 50 cloud services across Azure, Microsoft 365, and Dynamics 365. Microsoft invested over $3.3 billion in European data centre capacity to support the boundary (Microsoft, 2025). The move was driven by regulatory pressure from European data protection authorities and customer demand for contractual assurances of data residency. It demonstrates how sovereignty requirements are reshaping cloud architecture and competitive positioning.
India's Digital Personal Data Protection Act enforcement. India's DPDPA, passed in August 2023, entered its enforcement phase in early 2025 with the notification of implementation rules. The act applies to an estimated 1.4 billion data subjects and covers domestic and extraterritorial processing. In its first enforcement action, the Data Protection Board of India issued compliance notices to e-commerce platforms processing children's data without verifiable parental consent (Economic Times, 2025). The act's "significant data fiduciary" classification triggers additional obligations including mandatory data protection impact assessments, local data protection officer appointments, and algorithmic auditing. The Indian enforcement model is being closely watched as a template for other large developing economies.
South Korea's cross-border data hub ambitions. South Korea's Personal Information Protection Commission secured an EU adequacy decision in December 2021, becoming the second Asian jurisdiction after Japan to achieve this status. The government then launched a strategy to position the country as a data hub for the Asia-Pacific region, leveraging its adequacy status to attract multinational data-processing operations. Samsung SDS and KT Cloud launched sovereign cloud offerings certified under both Korean and EU standards, and several European pharmaceutical companies have begun routing clinical trial data processing through Korean facilities (PIPC, 2025). The model illustrates how privacy regulation can become a competitive advantage when combined with infrastructure investment.
Brazil's ANPD enforcement maturation. Brazil's Autoridade Nacional de Proteção de Dados issued its first significant sanctions in late 2024 after a cautious three-year ramp-up. Notable actions included penalties against a telecommunications company for data breaches affecting 100 million customers and enforcement against a fintech for excessive biometric data collection. By early 2025, the ANPD had processed over 3,000 complaints and established bilateral cooperation agreements with data protection authorities in Portugal, Argentina, and Uruguay (ANPD, 2025). Brazil's trajectory confirms that enforcement maturation in large markets follows a predictable pattern: legislation, capacity building, guidance, and then escalating penalties.
Action Checklist
- Map all data flows across jurisdictions and identify localisation, transfer mechanism, and consent requirements for each.
- Conduct a gap analysis between current compliance posture and emerging requirements in key markets including India's DPDPA, the EU AI Act's privacy provisions, and the Global CBPR Forum's certification requirements.
- Evaluate privacy-enhancing technologies such as homomorphic encryption, federated learning, and differential privacy for high-risk cross-border processing use cases.
- Establish a regulatory monitoring function that tracks enforcement actions, adequacy decisions, and new legislation across priority jurisdictions.
- Invest in automated data mapping and consent management platforms to reduce manual compliance burden and scale to new regulatory requirements.
- Engage with regulatory sandboxes and innovation offices in jurisdictions where novel data-processing approaches are planned.
- Build sovereignty-ready cloud architecture by negotiating data residency contractual clauses with cloud providers and evaluating sovereign cloud options in key markets.
FAQ
Will data privacy regulation converge into a global standard? Convergence toward a single global standard is unlikely in the medium term. While GDPR-influenced principles appear in most new legislation, each jurisdiction retains unique provisions driven by local legal traditions, economic objectives, and security concerns. The most realistic path is interoperability through mutual adequacy decisions, transfer frameworks like the Global CBPR system, and sectoral codes of conduct. Organisations should plan for sustained fragmentation with pockets of bilateral harmonisation (Greenleaf, 2025).
How does the EU AI Act interact with GDPR? The EU AI Act creates additional obligations for AI systems that process personal data, particularly in high-risk categories such as biometric identification, employment screening, and credit scoring. Compliance requires meeting both GDPR requirements for lawful data processing and AI Act requirements for transparency, human oversight, risk management, and conformity assessment. In practice, organisations deploying high-risk AI in the EU need integrated compliance frameworks that address both regimes simultaneously (European Commission, 2025).
What is the business case for privacy-enhancing technologies? PETs reduce regulatory risk by enabling data analysis without exposing raw personal data, potentially avoiding fines that now reach hundreds of millions of euros. They also unlock new revenue opportunities: financial institutions using secure multi-party computation can conduct joint anti-money-laundering analysis without sharing customer records, and healthcare organisations can collaborate on research datasets without transferring patient data across borders. Gartner (2025) estimates that PET adoption will shift from a compliance cost to a competitive differentiator by 2028.
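To make the PET argument in the Key Concepts section and this answer concrete, the following is an added, self-contained example (not code from the article, the ICO, or Gartner) showing one of the techniques named above, differential privacy, on a constructed nine-row dataset. It shows why releasing exact aggregates is not anonymisation (a differencing attack recovers one person's attribute from two counts), how the Laplace mechanism adds calibrated noise to a counting query, and how a privacy budget under sequential composition refuses queries once the agreed epsilon is spent. The dataset, field names, and epsilon values are assumptions for illustration; the noise sampler uses Python's PRNG, so a production deployment would use a vetted library with a cryptographically secure sampler.

```python
"""Differential privacy as a PET: exact aggregates leak, noisy ones with a budget do not.

Added illustration; the RECORDS dataset below is constructed for this example.
"""
import math
import random
from dataclasses import dataclass

# Constructed records: (country_code, has_condition). Think of a clinical
# dataset that must be analysed without moving raw rows across borders.
RECORDS = [
    ("DE", True), ("DE", False), ("FR", True), ("FR", True),
    ("KR", False), ("KR", True), ("IN", True), ("IN", False),
    ("BR", True),
]


def count_condition(records, country=None):
    """Exact count of records with the condition, optionally filtered by country."""
    return sum(1 for code, has in records if has and (country is None or code == country))


def differencing_attack(records, target_index):
    """Recover one individual's attribute from two exact aggregate releases.

    A total over everyone minus a total over 'everyone except the target'
    (easy to obtain when filters are user-controlled) yields the target's bit.
    """
    everyone_else = records[:target_index] + records[target_index + 1:]
    return count_condition(records) - count_condition(everyone_else) == 1


class BudgetExhausted(Exception):
    """Raised when a query would exceed the agreed total epsilon."""


@dataclass
class PrivacyBudget:
    """Tracks cumulative epsilon under basic sequential composition."""
    epsilon_total: float
    spent: float = 0.0

    def charge(self, epsilon):
        if epsilon <= 0:
            raise ValueError("epsilon must be positive")
        if self.spent + epsilon > self.epsilon_total + 1e-12:
            raise BudgetExhausted(f"spent {self.spent:.3f} + {epsilon:.3f} exceeds {self.epsilon_total:.3f}")
        self.spent += epsilon


def laplace_noise(scale, rng):
    """Sample Laplace(0, scale): the difference of two Exp(1) draws is Laplace(0, 1)."""
    return scale * (rng.expovariate(1.0) - rng.expovariate(1.0))


def dp_count(records, budget, epsilon, rng=None, country=None):
    """Epsilon-DP count. A counting query has L1 sensitivity 1, so the noise scale is 1/epsilon.

    The budget is charged before the answer is computed, so a refused query leaks nothing.
    """
    if rng is None:
        rng = random.SystemRandom()  # demo-quality sampler; see lead-in caveat
    budget.charge(epsilon)
    return count_condition(records, country) + laplace_noise(1.0 / epsilon, rng)


def attack_success_rate(records, target_index, epsilon, trials, seed=0):
    """Fraction of independent release pairs in which the differencing attack guesses right.

    Small epsilon (strong privacy) pushes this toward a coin flip; large epsilon
    lets the attack succeed almost always, which is the utility/privacy trade-off.
    """
    rng = random.Random(seed)
    everyone_else = records[:target_index] + records[target_index + 1:]
    truth = records[target_index][1]
    scale = 1.0 / epsilon
    hits = 0
    for _ in range(trials):
        noisy_all = count_condition(records) + laplace_noise(scale, rng)
        noisy_rest = count_condition(everyone_else) + laplace_noise(scale, rng)
        hits += ((noisy_all - noisy_rest) > 0.5) == truth
    return hits / trials


if __name__ == "__main__":
    rng = random.Random(42)
    budget = PrivacyBudget(epsilon_total=1.0)
    print("exact count:", count_condition(RECORDS))
    print("record 0 leaked by differencing:", differencing_attack(RECORDS, 0))
    print("noisy total (eps=0.5):", round(dp_count(RECORDS, budget, 0.5, rng), 2))
    print("noisy KR count (eps=0.5):", round(dp_count(RECORDS, budget, 0.5, rng, "KR"), 2))
    try:
        dp_count(RECORDS, budget, 0.5, rng)
    except BudgetExhausted as exc:
        print("third query refused:", exc)
    print("attack success at eps=0.1:", attack_success_rate(RECORDS, 0, 0.1, 5000))
    print("attack success at eps=50:", attack_success_rate(RECORDS, 0, 50.0, 200))
```

The budget object is the piece practitioners most often omit: without it, an analyst can repeat the same query and average the noise away, so the epsilon on any single release says nothing about what the dataset has leaked overall. Real deployments also need to decide who holds the budget (the data controller, not the querying party) and how refusals are logged.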
Are data localisation requirements likely to increase or decrease? The trend points firmly toward increase. The Atlantic Council (2025) identifies digital sovereignty as a top-five geopolitical priority across all major blocs. Even jurisdictions historically supportive of free data flows, such as Japan and the UK, are introducing sectoral localisation for critical infrastructure, financial services, and health data. The key variable is whether localisation mandates are accompanied by interoperability mechanisms that allow controlled cross-border data use, or whether they evolve into protectionist barriers.
How should SMEs approach cross-border privacy compliance? SMEs should focus on risk-based prioritisation rather than attempting comprehensive global compliance. Identify the jurisdictions where the organisation has the greatest data-processing exposure and regulatory risk, adopt standardised transfer mechanisms such as standard contractual clauses, and leverage automated compliance tools designed for smaller organisations. Industry associations and chambers of commerce increasingly offer shared compliance resources and templates. The UK ICO and several EU authorities provide dedicated SME guidance and simplified compliance pathways (ICO, 2025).
Sources
- UNCTAD. (2025). Data Protection and Privacy Legislation Worldwide. United Nations Conference on Trade and Development.
- European Data Protection Board. (2025). Annual Enforcement Report 2024. EDPB.
- Baker McKenzie. (2025). Global Data Localization Guide: 2025 Edition. Baker McKenzie.
- IDC. (2025). Worldwide Sovereign Cloud Forecast, 2024–2028. International Data Corporation.
- Greenleaf, G. (2025). Global Data Privacy Laws 2025: 162 National Laws and Counting. Privacy Laws & Business International Report, 183.
- Atlantic Council. (2025). Digital Sovereignty Index: Mapping Data Localization and Infrastructure Policy. Atlantic Council GeoTech Center.
- IAPP. (2025). Global Privacy Enforcement Tracker. International Association of Privacy Professionals.
- OECD. (2025). AI Policy Observatory: Governance of AI and Data Protection Intersections. Organisation for Economic Co-operation and Development.
- Gartner. (2025). Market Guide for Privacy-Enhancing Technologies. Gartner, Inc.
- UK Information Commissioner's Office. (2025). Privacy-Enhancing Technologies: Updated Guidance and Sandbox Outcomes. ICO.
- US Department of Commerce. (2025). EU-US Data Privacy Framework: Self-Certification Statistics. International Trade Administration.
- IAPP and EY. (2025). Annual Privacy Governance Report: Cross-Border Transfer Compliance Survey. IAPP.
- ITIF. (2025). The Cost of Data Localization: Updated Estimates for Cloud Computing Markets. Information Technology and Innovation Foundation.
- Federation of Small Businesses. (2025). Data Protection Compliance Costs: SME Survey. FSB.
- Microsoft. (2025). EU Data Boundary: Implementation Report. Microsoft Trust Center.
- Economic Times. (2025). India Data Protection Board Issues First DPDPA Enforcement Notices. The Economic Times.
- PIPC. (2025). Cross-Border Data Strategy and Adequacy Outcomes Report. Personal Information Protection Commission, Republic of Korea.
- ANPD. (2025). Annual Activity Report 2024. Autoridade Nacional de Proteção de Dados, Brazil.
- European Commission. (2025). European Health Data Space: Implementation Progress Report. European Commission.