1. Home
  2. |Experience
  3. |Privacy and Cybersecurity
  4. |Cross-Border Data Flows

Cross-Border Data Flows

Overview

Given the presence of cross-border transfer restrictions in the majority of the personal data laws globally, along with the increasing emergence of laws restricting exports of certain categories of data, companies operating internationally must remain vigilant to stay on top of this changing landscape. Crowell & Moring provides this resource on legal issues encountered by international businesses in connection with cross-border data flows, featuring webinars, blog posts, legal alerts, and podcasts.

Our team of attorneys provides practical advice on cross-border data flow issues such as:

  • EU standard contractual clauses
  • Company group data transfer agreements
  • Binding corporate rules
  • Data export controls applicable to government contractors
  • Data transfers to cross-border vendors
  • Assessment of local laws in the U.S., Asia-Pacific, and the Middle East for purposes of transfers of personal data from the European Economic Area
  • Data transfers and data localization in the Asia-Pacific region
  • Data transfers from the United Kingdom
  • Supplementary measures
  • Cross-border information security requirements
  • Privacy Shield-related questions
  • Data assessments for compliance risk identification
  • Data mapping
  • Addressing cross-border transfers in online and mobile privacy notices
  • U.S. Cloud Act

Contacts

See All Professionals

Insights

Client Alert | 13 min read | 06.12.26

EU Cyber Resilience Act Countdown: 11 September 2026 Incident/Vulnerability Reporting Deadline Less Than 100 Days Away

The EU Cyber Resilience Act (CRA) is an EU product cybersecurity law for connected products (formally, “products with digital elements” under the CRA) commercialized in the EU; it entered into force on 10 December 2024, with direct application across the EU. Full application begins 11 December 2027, but one of its most operationally demanding provisions takes effect in just under 100 days, on 11 September 2026: the mandatory vulnerability and incident reporting under Article 14 CRA....

View All Insights

Insights

Client Alert | 13 min read | 06.12.26

EU Cyber Resilience Act Countdown: 11 September 2026 Incident/Vulnerability Reporting Deadline Less Than 100 Days Away

Firm News | 1 min read | 06.11.26

Crowell & Moring Partner Emma Wright Appointed to UK Government's Digital ID Advisory Group

Firm News | 7 min read | 06.04.26

Crowell & Moring Secures Top Rankings in Chambers USA 2026

Client Alert | 5 min read | 06.16.25

Cross-Border Data, Rising Risks: How International Arbitration Can Help

View All Insights

Professionals

View All Professionals

Insights

Client Alert | 13 min read | 06.12.26

EU Cyber Resilience Act Countdown: 11 September 2026 Incident/Vulnerability Reporting Deadline Less Than 100 Days Away

The EU Cyber Resilience Act (CRA) is an EU product cybersecurity law for connected products (formally, “products with digital elements” under the CRA) commercialized in the EU; it entered into force on 10 December 2024, with direct application across the EU. Full application begins 11 December 2027, but one of its most operationally demanding provisions takes effect in just under 100 days, on 11 September 2026: the mandatory vulnerability and incident reporting under Article 14 CRA....

View All Insights