Cross Border Data

State of play.

• The EU e-Evidence Regulation is forcing immediate workflow changes for multinational eDiscovery. Implementation deadlines are tight enough that service providers are opening dedicated European offices and firms are reassessing vendor capabilities now .
• CBP device searches at the US border hit a record 55,318 in FY2025, up from 47,047 in FY2024 and 8,503 a decade ago — with no warrant requirement and no settled limit on forensic depth under Merchant v. Mayorkas .
• China's National Data Administration is moving toward national standardization of data-as-property, consolidating fragmented local pilots into a unified registration framework that will directly affect how data assets are valued, transferred, and secured under Chinese law .
• Apple's iOS 26.5 closes a long-standing cross-platform encryption gap, enabling end-to-end encrypted RCS messaging between iPhone and Android users by default — a change that will influence how courts and regulators assess the adequacy of corporate communication security policies .
• For counsel advising multinationals with data crossing US, EU, or Chinese borders, the practical baseline is that three distinct regulatory regimes — EU e-Evidence deadlines, US border search exposure, and China's emerging data property framework — are each generating concrete compliance obligations that cannot be deferred, and that the encryption baseline for cross-platform corporate communications is now shifting in a way that affects litigation hold and security policy assessments.

Where things stand.

• EU e-Evidence Regulation implementation is operationally live as a compliance pressure. The regulation's tight deadlines are already forcing law firms and eDiscovery providers to restructure workflows, reassess vendor capabilities, and build European infrastructure — HaystackID's London and Dublin expansion is a visible market signal .
• CBP border device searches operate under a broad Fourth Amendment exception with no settled warrant requirement. The border search exception permits warrantless manual and forensic review of phones, tablets, and laptops for all travelers including US citizens; Merchant v. Mayorkas is the live federal challenge but courts have not yet imposed a warrant standard .
• China is building a national data property registration system. The NDA's draft guidelines consolidate pilots from Beijing, Shanghai, Tianjin, and Shenzhen into a unified framework targeting a blockchain-based certification system by 2029; the comment period is the current action window .
• The US state privacy patchwork has reached 20 enacted laws with more in progress. Indiana, Kentucky, and Rhode Island regimes are launching; Iowa, Illinois, New Mexico, and New Jersey have measures advancing — each with distinct data-transfer and consent obligations that affect cross-border data flows .
• Federal privacy preemption remains unresolved. Rep. Lofgren's Online Privacy Act — a 151-page bill proposing a new Digital Privacy Agency, data minimization mandates, and consumer rights to access, correct, delete, and port data — frames the preemption question but faces the same structural obstacles that have blocked federal privacy legislation for years .
• Cross-border enforcement coordination in the US-Mexico-China corridor is intensifying. FCPA, Mexico's General Anti-Corruption Law, and China's anti-bribery frameworks are being applied in parallel, with tariff escalations and sanctions realignments adding a compressed enforcement calendar .
• Cross-platform messaging encryption is shifting with iOS 26.5. Apple's adoption of the GSM Association's RCS Universal Profile 3.0 — which uses Messaging Layer Security for E2EE — means iPhone-to-Android communications will be encrypted by default on supported carriers, closing a gap that regulators and privacy advocates have criticized for years .

Latest developments.

• Apple's iOS 26.5 will enable end-to-end encrypted RCS messaging between iPhone and Android devices by default, implementing the GSM Association's RCS Universal Profile 3.0 standard — a development with direct implications for corporate communication security policies, litigation holds, and regulatory adequacy assessments .

Active questions and open splits.

• Warrant requirement for CBP device forensics. Merchant v. Mayorkas is the live vehicle, but courts have not imposed a warrant standard for any category of border device search — the line between permissible "advanced" forensic analysis and a constitutional violation is unsettled, leaving business-traveler device protocols in a legal gray zone .
• EU e-Evidence Regulation compliance timelines vs. US discovery obligations. When a US court order requires production of data held in EU jurisdictions, the e-Evidence Regulation's procedural requirements and tight deadlines create a direct conflict with US discovery timelines — no settled reconciliation mechanism exists .
• China data property registration: transfer and valuation implications. Once the NDA framework is finalized, data assets held by foreign companies operating in China may be subject to registration, valuation, and circulation rules that affect M&A due diligence, licensing, and cross-border transfer structuring — the scope of those obligations is not yet determined .
• Federal preemption vs. state privacy patchwork. The Lofgren bill frames the question but does not resolve it — whether a federal standard will preempt the 20-state patchwork, and on what terms, remains open; companies must currently comply with the most restrictive applicable state regime for cross-border data flows .
• iOS 26.5 E2EE and corporate communication security adequacy. As encrypted RCS becomes the default for cross-platform messaging, the standard for what constitutes adequate communication security in corporate policies, litigation holds, and regulatory compliance frameworks will need to be reassessed — courts and regulators have not yet addressed whether the prior unencrypted baseline created liability exposure .
• Attorney-client privilege and work product at the US border. CBP's border search exception applies to all device contents, including potentially privileged communications and work product on business-traveler devices — no carve-out exists and no court has definitively addressed the privilege question in the border search context .

What to watch.

• Outcome of Merchant v. Mayorkas — any ruling on the scope of permissible forensic analysis at the border will immediately reshape device-protocol advice for business travelers and multinational clients.
• NDA comment period closing and finalization of China's data property registration guidelines — the final framework will determine compliance obligations for foreign companies holding data assets in China.
• Whether the House Commerce Committee takes up the Lofgren Online Privacy Act — any committee action will signal whether federal preemption of the state privacy patchwork is live in the current Congress.
• EU e-Evidence Regulation implementation milestones — as deadlines approach, expect additional practitioner guidance and potential conflicts with US discovery orders to surface in active litigation.
• Carrier-by-carrier rollout of iOS 26.5 E2EE RCS support — the phased deployment means the encryption gap will close unevenly, and corporate device policies will need to account for which employees are covered and when.