Global Privacy Intelligence · AMLEGALS
Nine jurisdictions. Nine distinct statutory frameworks. Each with its own consent model, enforcement machinery, cross-border transfer mechanism, and penalty arithmetic.
“The compliance question is no longer whether you need a programme. It is whether your programme survives contact with six regulators simultaneously.”
A multinational discovered its Indian entity was transferring employee data to a Singapore processor, routed through a UAE free zone, stored on EU-hosted infrastructure. The General Counsel did not know which law applied.
That is the question this page answers. Not in theory. In statutory precision.
Cross-border complexity · AMLEGALS practice note
Each regime decoded with consent model, penalty structure, cross-border mechanism, and enforcement maturity.
India’s first comprehensive data protection statute. 44 sections. Consent Manager architecture. Negative-list transfer model. ₹250 Cr maximum penalty per instance.
The most influential data protection statute globally. 6 lawful bases. Decentralised enforcement across 27+ DPAs. €4.5B+ in cumulative fines since 2018.
Post-Brexit retention of GDPR as domestic law. ICO as sole supervisory authority. UK International Data Transfer Agreement as SCC alternative.
Pragmatic APAC model with 2020 amendments introducing legitimate interests and business improvement bases. 3-day breach notification — the tightest globally.
The Kingdom’s first comprehensive data protection statute. Criminal sanctions for sensitive data violations. Sovereign data localisation requirements.
Federal data protection law with DIFC/ADGM free zone complexity. GDPR-modelled lawful bases. AED 5M penalties plus potential processing prohibition.
“Can our Riyadh office share employee biometric data with the London HR platform using Standard Contractual Clauses?”
The answer involves three separate transfer assessments, a localisation exemption request, and a supplementary measure analysis. That is not a compliance checklist. That is a legal architecture.
Multi-regime transfer question · Practitioner scenario
Four reference tools that operationalise cross-border compliance.
Obligation-by-obligation comparison across 9 jurisdictions. Consent models, transfer mechanisms, penalty structures, enforcement maturity.
Every significant GDPR fine since 2018, with DPDPA compliance lessons extracted from each enforcement action.
Real-time compliance posture assessment. Global landscape mapping. Industry readiness benchmarks and regulatory velocity tracking.
Operational dashboard for cross-border data flows, consent analytics, and breach response metrics across jurisdictions.
If your data touches three jurisdictions, you face three penalty regimes, three breach notification deadlines, and three different definitions of consent.
That exposure compounds with every new market entry. It does not simplify.
Every critical obligation compared across all nine regimes in one reference table.
| Obligation | India (DPDPA) | EU (GDPR) | UK (UK GDPR) | Singapore (PDPA) | Saudi Arabia (PDPL) | UAE (Law 45) | China (PIPL) | Brazil (LGPD) | South Africa (POPIA) |
|---|---|---|---|---|---|---|---|---|---|
| Max Penalty | ₹250 Cr/instance | €20M / 4% turnover | £17.5M / 4% | S$1M / 10% | SAR 5M + prison | AED 5M | 5% annual rev | 2% rev (R$50M cap) | R10M / prison |
| Lawful Bases | Consent + 6 uses | 6 bases (leg. interests) | 6 bases (aligned) | Consent + leg. int. | Consent + 6 (no leg. int.) | 6 bases (GDPR) | 7 bases + consent | 10 lawful bases | 8 conditions |
| Sensitive Data | No separate category | Art. 9 special categories | Art. 9 (UK) | No separate regime | Explicit consent req. | Explicit consent | Separate consent req. | Specific legal bases | Special personal info |
| Cross-Border | Negative list | Adequacy + SCCs/BCRs | UK adequacy + IDTA | Comparable + CBPR | Adequacy + localisation | Adequacy + contract | Security assessment | Adequate protection | Adequate safeguards |
| Breach Notice | 72h to Board + principals | 72h to DPA | 72h to ICO | 3 calendar days | 72 hours | As prescribed | Immediately | “Reasonable time” | As soon as possible |
| DPO Mandate | SDFs only | Public + large-scale | Same as GDPR | S$5M+ orgs (2025) | Where prescribed | Where prescribed | Where threshold met | For all controllers | Where required |
| Data Portability | Not provided | Article 20 | Article 20 (UK) | DPO (2021) | Not expressly | Article 17 | Yes (Article 45) | Yes (Article 18) | Not expressly |
| Children Data | Under 18, parental consent | Under 16 (member state: 13) | Under 13 (UK) | Not specified | Parental consent | Parental consent | Under 14 | Under 12/16 | Competent person |
| Enforcement Body | DPBI | 27+ DPAs | ICO | PDPC | SDAIA/NDMO | UAE Data Office | CAC | ANPD | Information Regulator |
Standard Contractual Clauses are not a checkbox. After Schrems II, every SCC requires a Transfer Impact Assessment, supplementary technical measures, and documented regulatory surveillance analysis.
The clause is the starting point. The compliance architecture is the destination.
Transfer mechanism reality · Post-Schrems II
The legal basis for every cross-border data movement.
EU Commission certifies that a third country provides an adequate level of data protection. The gold standard for frictionless transfer. Currently covers 15 jurisdictions.
Standard Contractual Clauses (EU) and International Data Transfer Agreements (UK). The most commonly used mechanism globally. Post-Schrems II supplementary measures required.
Intra-group transfer mechanism approved by supervisory authorities. High compliance cost but provides organisation-wide legal certainty for multinational operations.
India’s approach: permit all transfers except to specifically restricted territories. The most permissive default. Sectoral mandates from RBI and IRDAI overlay.
China’s PIPL requires security assessment by the Cyberspace Administration for critical data or large-volume transfers. The most restrictive mechanism analysed.
Asia-Pacific Economic Cooperation Cross-Border Privacy Rules and Privacy Recognition for Processors. Singapore and other APAC jurisdictions recognise this framework.
€4.5 billion in GDPR fines since 2018. India’s DPDPA allows ₹250 crore per instance with no aggregate cap. Singapore can impose 10% of annual turnover. Saudi Arabia adds criminal imprisonment.
The penalty arithmetic is not theoretical. It is the cost of getting the architecture wrong.
Maximum statutory exposure across four enforcement regimes.
You will not find the answer to a multi-jurisdictional compliance question in a checklist. You will find it in a conversation with practitioners who have mapped these regimes at the statutory level.
That is what the first conversation is for.
Advisory relationship · AMLEGALS
We map your data flows across jurisdictions, identify the applicable regimes, assess penalty exposure, and design the transfer architecture.
“The first conversation establishes whether your current architecture survives the compliance pressure test. Everything follows from that.”