Samay Jain & Dr. Ananya Sharma | December 5, 2025

The European General Court’s September 3, 2025 decision to  uphold the EU-U.S. Data Privacy Framework (DPF) marks a significant turning point in cross-border data governance. Although the Court rejected the challenges to transatlantic data transfers, it emphasized that jurisdictional concerns remain. These concerns are driven by the conflict between unrestricted data flows and U.S. surveillance laws and regulations, such as Section 702 of the Foreign Intelligence Surveillance Act. The ruling is contested within the debate concerning data sovereignty and privacy rights, and provides an excellent example of how new digital technologies place burdens on traditional patterns of private international law (PIL), which governs rules of jurisdiction, choice of law, and the enforcement of international disputes. 

Moreover, the processing of data through artificial intelligence and cloud-based and tokenized assets (i.e. cloud computing) creates what the Hague Conference on Private International Law (HCCH) describes in its Digital Token Project as “jurisdictional ambiguity.” A recent scholarly  discussion in the Journal of Private International Law points out the influence of artificial intelligence on the principles of conflict of laws because existing PIL application presupposes the existence of a real world loci that cannot exist in a digital cross-border context. 

The consequences of these questions go beyond data sovereignty and privacy rights to impact international trade relations. The U.S.–EU dispute during the aforementioned data transfer shows that traditional PIL tools struggle to address the challenge of digital sovereignty, underscoring the need for substantial structural reforms to ensure fair global governance of data, protect fundamental rights, and encourage innovation rather than impede it.

Core Frameworks and Emerging Challenges in Digital Jurisdiction

The Hague 2005 Choice of Court Agreements Convention and 2019 Judgments Convention, two cornerstones of modern PIL, were established to harmonize jurisdiction and enforcement rules. These conventions provide a uniform system for recognizing and enforcing judgments internationally, reducing conflicts and ensuring legal certainty in cross-border litigation. However, the collaboration between the UNIDROIT and the HCCH to create a governing law on digital assets, i.e. tokenization and distributed ledger technologies, shows the ineffectiveness of classical connecting factors which applied to assets that exist simultaneously across multiple jurisdictions.

Digital issues implicate various forms of jurisdictional complexity. Where extraterritoriality applies, it is often incompatible with local rules like the GDPR, and results in situations where, for example, Uber faces a 290 million dollar fine from the Dutch Data Protection Authority because it unlawfully transferred data to the U.S. Forum shopping creates another issue because companies can set up a virtual place of assets or data processing centers in a way to circumvent unwanted jurisdictions. Enforcement also becomes problematic in decentralized systems where traditional concepts of location and possession fail to function effectively. 

Traditional PIL analysis will follow the standard procedures: settling the domicile of the controller of data, applying the rules of the Hague Convention, settling the extraterritorial application of law including the GDPR or U.S. Department of Justice regulations, and assessing enforcement through bilateral structures. Such step-by-step reasoning fails to operate effectively in the case of distributed systems, where data controllers may be anonymous, processing is typically performed across a large number of jurisdictions simultaneously, and the relevant legal rules are irreconcilable. According to the findings of the June 2025 meeting of the HCCH Experts Group, token-based uncertainties were noted and existing frameworks do not effectively reflect the occurrence of the phenomenon of decentralized digital assets.

Case Studies: U.S.-EU Tensions and Broader Global Implications

The clash between U.S. discovery rules and EU privacy protections exemplifies the modern jurisdictional dilemma facing cross-border businesses: as the Federal Rules of Civil Procedure call for data production incompatible with GDPR safeguards, businesses are forced to choose between inconsistent legal regimes. For example, The Dutch Supervisory Authority imposed a fine of €290 million on Uber in August 2024, for its insecure transmission of sensitive data to servers in the U.S., including including account information, taxi licenses, location information, and in certain instances criminal and medical history without adequate security measures between August 2021 and November 2023. Although the breach was ultimately resolved through mutual assistance between data protection authorities, it exposed significant procedural gaps in global data governance frameworks.

The OpenAI litigation in 2025 provides another paradigmatic example of PIL bias in the age of artificial intelligence. A preservation order by a United States court mandated that user chat data could be retained for an unlimited period despite the GDPR’s right to erasure, with the court categorically denying any deletion of data post-selection despite that violating several articles of the EU’s privacy rules. Such tensions were also observed in the case of the Eaton Corporation, where the U.S. Court of Appeals for the Sixth Circuit upheld IRS access to EU personal data of the Irish subsidiary of the Eaton Corporation, which the company claims violated the provisions of GDPR.

Recent geopolitical conflicts since 2024 have escalated these jurisdictional tensions. The U.S. Department of Justice’s January 2025 Final Rule which limited access to sensitive data by “countries of concern,” notably China and Russia, further complicates compliance efforts for EU companies operating within the United States. 

Emerging Reforms and Scholarly Recommendations

Reform initiatives are emerging across multiple jurisdictions to modernize private international law for the digital age. The U.K. Law Commission of June 5, 2025, of private international law on digital assets, proposes creative solutions such as granting courts the power to utilize free-standing information orders as a means of dealing with disputes in a decentralized environment. The U.K. Information Commissioner’s Office also launched a public consultation, which ended on September 8, 2025, that particularly dealt with the challenges of constructing claims in pseudo-anonymous crypto-token ecosystems and the jurisdictional challenges posed by distributed ledger technology. Similarly, on June 16-18, 2025, the HCCH Digital Tokens Experts Group met to study the priority use cases and the application of existing laws — including the United Nations Commission on International Trade Law (UNCITRAL) Model Law on Electronic Transferable Records (MLETR).

The EU’s June 2025 agreement on faster and more coherent cross-border GDPR enforcement was another major development. The new rules standardize complaint validity, enhance co-operation between data protection authorities (DPAs), and address the fragmentation that has weakened enforcement since 2018. Some of the proposals made by academics advise balancing between innovation and protection of rights by integrating innovative and protection measures. Legal experts suggest that the Hague Conventions will also need to be adjusted due to the effects of AI’s impact on data protection and other peculiarities of digital assets as presented in Clifford Chance trend reports. With respect to digital dispute resolution, arbitration is specifically beneficial in case of digital dispute across borders because of its flexibility, confidentiality, and versatility. Though  we must be careful to ensure that reforms do not have a Western bias and that the developing countries play a substantive role in crafting the digital governance regimes of the world. The goal should be to develop adaptive PIL systems that can survive the transformation of the technology without compromising the main principles of equality, foreseeability, and accessibility in the international dispute resolution process.

Conclusion

The September 2025 EU General Court’s Data Privacy Framework ruling and the 2025 OpenAI preservation order show how digital technologies disrupt traditional private international law concepts such as jurisdiction and sovereignty. Attempts to resolve such conflicts through the strict harmonisation of national laws have over and over again been impractical and unproductive. 

In the meantime, a more proactive response has come into view. The Digital Tokens Project by the HCCH, the U.K. Law Commission’s work on digital assets, and the EU’s more assertive enforcement of the GDPR provisions are all steps toward  reducing the uncertainty of cross-border digital regulation. Such initiatives, along with the developing body of literature on how artificial intelligence impacts conflict-of-laws principles and the promise of arbitration as a form of online dispute resolution offer new sources of reform. 

What matters more, however, is transcending the fragmentary responsive strategies which characterized earlier attempts to go on to digital governance. Since the rate of technological change continues to accelerate beyond the capacity of legal systems to keep pace, private international law will need to be reshaped to ensure that it does not only accept the reality of digital transformation but has the capability to balance encouraging innovation with safeguarding privacy rights. With judicious reform and inclusive governance, private international law can serve as a catalyst for opportunity rather than an obstacle in our borderless world.