Privacy & Government Restrictions
Two questions decide most cross-border technology risk: what are you allowed to do with personal data, and is a government going to block, screen, or unwind your investment. Both answers differ sharply across the United States, the European Union, Pakistan, India, China, Russia and the Middle East.
Jurisdiction scorecard — privacy & government restrictions
| Jurisdiction | Comprehensive privacy law | Data localisation | Investment / tech screening |
|---|---|---|---|
| United States | No federal law, 20+ states | Sector-specific only | CFIUS + outbound screening (2025) |
| European Union | GDPR, since 2018 | Transfer rules, not localisation | FDI Screening Regulation |
| Pakistan | Bill stalled since 2005 | None | Open, case-by-case |
| India | DPDP Act, rules 2025, phasing to 2027 | Sensitive categories only | Sectoral FDI caps |
| China | PIPL + CSL, strict | Mandatory, security assessments | Security reviews, VIEs required |
| Russia | 242-FZ, mandatory since 2015 | Mandatory for all citizen data | Sanctioned, largely closed |
| Middle East (UAE/Saudi lead) | New PDPLs, 2021–24 | Sector-specific (finance, health) | Opening, strategic-sector review only |
Green generally favourable · Amber developing or mixed · Red restrictive or high-risk. Indicative summary only, not legal advice.
Data privacy by jurisdiction
The EU's GDPR remains the global benchmark — opt-in consent, extraterritorial reach, fines up to 4% of global revenue — and a 2026 "Digital Omnibus" is set to trim some paperwork for smaller organisations without touching the core rules. The US has no federal comprehensive privacy law; more than 20 states now have their own (led by California's CCPA), which means a US-facing product's obligations depend on which states its users are in. Pakistan still has no enacted data protection law at all — a Personal Data Protection Bill has been drafted, redrafted and stalled since 2005, with the current 2023 version approved by Cabinet but not passed by Parliament as of mid-2026. In its place, PECA 2016, amended 29 January 2025 in a package widely criticised (including by Human Rights Watch and Pakistani journalist bodies) as draconian, does double duty as the main cybercrime statute and the closest thing the country has to a data-enforcement regime. The 2025 amendment created the National Cyber Crime Investigation Agency (NCCIA), giving its Director-General Inspector-General-level powers to investigate, arrest and prosecute online conduct with no judicial warrant requirement, and added data-relevant provisions (sections 2Q, 2S and 2U) that force social media platforms to remove government-flagged "unlawful" or "offensive" content and build complaint-handling infrastructure to do so. India's DPDP Act 2023 finally got its implementing rules finalised in 2025, with obligations phasing in through 2027 — global companies serving Indian users are building compliance programmes now, ahead of full enforcement. China's PIPL (often called "China's GDPR") goes further than the EU original in places, mandating security assessments and localisation for cross-border transfers of certain data; it works alongside the Data Security Law and a newly amended Cybersecurity Law (passed 28 October 2025, effective 1 January 2026). Russia's Federal Law 242-FZ has required personal data on Russian citizens to be stored on servers physically inside Russia since 2015 — one of the world's strictest localisation mandates. The UAE (Federal Decree-Law No. 45 of 2021) and Saudi Arabia (PDPL, in force since September 2023, compliance required from September 2024) both now have GDPR-influenced comprehensive laws, administered by dedicated regulators (the UAE Data Office; Saudi's SDAIA).
Government restrictions and investment screening
Screening of foreign technology investment has intensified almost everywhere in the past two years. The US Treasury's Outbound Investment Security Program took effect 2 January 2025, restricting US investment into Chinese companies in semiconductors, quantum computing and AI; the Comprehensive Outbound Investment National Security Act (COINS Act), signed December 2025, further expanded that regime, and pending 2026 defence legislation would add high-performance computing and hypersonic systems to the covered list. The EU's FDI Screening Regulation lets member states (and the Commission, via a cooperation mechanism) review foreign investment in critical sectors. China requires foreign investors in restricted sectors to pass security reviews and often to use VIE structures rather than direct ownership. Russia is effectively closed to new Western technology investment under sanctions, and existing investors have frequently been forced into discounted, government-approved exits. The Gulf states are the clearest outlier moving toward openness: the UAE and Saudi Arabia have both introduced 100% foreign ownership in most mainland sectors, reserving screening for a narrower list of strategic industries (defence, energy, some financial services).
Evolutions and trends
144 countries now have some form of national data privacy law, and the trend line only points toward more jurisdictions, not fewer. Two things are converging: privacy regulation and national-security investment screening are increasingly the same conversation, especially for AI, semiconductors and cloud infrastructure — where a data-localisation requirement and an investment-screening rule can produce the same practical outcome (you must build local, not just comply locally).
Applicable laws by jurisdiction
US: CCPA/CPRA and 20+ state privacy laws, CFIUS (Exon-Florio), Outbound Investment Security Program · EU: GDPR, FDI Screening Regulation (2019/452), AI Act · Pakistan: PECA 2016 (amended 29 Jan 2025, NCCIA established), draft Personal Data Protection Bill (not enacted) · India: Digital Personal Data Protection Act 2023 + 2025 Rules, IT Act 2000, FDI Policy (DPIIT) · China: PIPL, Data Security Law, Cybersecurity Law (amended Oct 2025, effective Jan 2026), Foreign Investment Law · Russia: Federal Law 242-FZ (localisation), Federal Law 152-FZ (personal data) · Middle East: UAE Federal Decree-Law No. 45/2021, Saudi PDPL (2023/2024)
Talk to us before you move data across a border
A cross-border data transfer, a new privacy policy, or a technology investment into a screened sector is one of the easiest places to create liability without realising it — and one of the cheapest to get checked in advance.
References
US Treasury — Outbound Investment Security Program · Saudi Arabia PDPL overview · Pakistan data privacy law status · India DPDP Rules 2025
This page is general information, not legal advice, and not a substitute for advice on your specific situation. Privacy and investment-screening law changes frequently and varies by jurisdiction — always confirm the current position with local counsel and contact us before acting. ← Back to IT, IP & Compliance overview