
Quantum disentangled #4: Quantum and privacy – Why cross-border data transfers may become a quantum issue sooner than expected

When businesses send personal data across borders, they often rely on encryption to make that transfer legally defensible. But what happens when the encryption protecting that data can be broken? Quantum computing is expected to reach that capability within the next decade – and data intercepted today could already be stored for decryption later. That means the quantum threat is not just a future cybersecurity problem. It is a present-day question for any business whose cross-border data transfers depend on encryption holding up over time.

Where quantum meets privacy law

Privacy law is technology-neutral, but not technology-blind. Across jurisdictions, the legal standard is usually framed around measures that are appropriate to the risk and aligned with the state of the art. That gives businesses room to evolve with technology. It also means the legal analysis can change when the threat changes. In that sense, quantum computing is less a brand-new privacy rule than a force that may sharpen existing expectations around security, governance and cross-border transfers, especially for long-life data that could be intercepted today and exposed later. 

Data sovereignty is the bridge

The link between quantum and privacy is data sovereignty. Many legal regimes draw a line around a permitted data space and then regulate what happens when data leaves it. Sometimes that line is geographic. Sometimes it is built around “trusted” jurisdictions, approved transfer tools, or sector-specific restrictions. The legal mechanisms vary, but the pattern is familiar: data may move freely within a recognised zone; it may move to other jurisdictions that are officially recognised as adequate; or it may move only if additional legal and practical safeguards are in place. Once encryption becomes part of the answer to why that transfer is acceptable, quantum resilience becomes relevant to the legal analysis. 

Europe and the UK: the clearest example

The European Union remains the clearest case study. Under the General Data Protection Regulation, personal data can move freely within the European Economic Area and to certain non-EU jurisdictions recognised by the European Commission as providing adequate protection. For other destinations, businesses typically rely on tools such as standard contractual clauses or binding corporate rules. Since Schrems II, the European Data Protection Board (the EU body that coordinates national privacy regulators) has made clear that exporters may need additional safeguards, and has identified strong encryption as one of the technical measures that can help protect transferred data in higher-risk scenarios. The UK follows a similar structure through its own transfer rules and guidance from the Information Commissioner’s Office, the UK privacy regulator. In both systems, quantum becomes relevant where a transfer depends in practice on encryption remaining effective. 

The U.S. position: less transfer law, more sectoral and security law

The United States approaches the issue differently. It does not generally regulate private-sector cross-border data transfers in the way the European model does. The pressure point related to quantum is more likely to arise from obligations to secure certain types of data, including pursuant to state laws, sectoral regulation at the state and federal level, or contractual requirements. In healthcare, for example, U.S. guidance permits cloud storage of protected health information, regardless of whether such storage is onshore or offshore, provided the required contractual and security obligations are met. Similarly, regulations governing financial institutions generally permit offshore processing, provided security obligations are met, although for other reasons, such as availability of the data for audits by regulators, some financial institutions require onshore processing. For U.S. businesses, early legal relevance of quantum is therefore more likely to raise concerns with respect to threats to the security of personal data or regulated data than through a general privacy transfer regime.

Asia: commercial transfer rules on one end, sovereignty-heavy models on the other

Asia shows a similar direction of travel through different legal models. Singapore offers a commercially familiar example: overseas transfers are generally allowed where the recipient is subject to legally enforceable obligations or specified certifications that ensure a standard of protection comparable to Singapore law, with some additional exceptions. That is not the same legal architecture as Europe, but the practical question is similar: whether the transfer structure and the protections supporting it are strong enough to justify sending the data abroad. China illustrates the more sovereignty-focused end of the spectrum. Its cross-border data regime requires the adoption of formal outbound transfer channels based on data category and volume (such as filing standard contracts, or passing a governmental security assessment where transfers involve high volumes of data or sensitive categories that may implicate national security or public interest), while continuing to require data handlers to take technical and other necessary measures to protect outbound data. For multinational groups, any early quantum issue is most likely to arise where outbound transfers rely heavily on technical controls to remain robust over time.

What businesses should watch now

The immediate issue is not whether privacy law has already created a universal post-quantum deadline. The issue is where quantum may move the legal baseline earlier than businesses expect. That is most likely where data has a long confidentiality life, where transfers cross a hard sovereignty boundary, or where regulation already places a premium on resilient security controls. For EU businesses, that means watching closely which jurisdictions remain within the permitted transfer space – whether because they are inside the EU framework or because they benefit from an adequacy decision. More broadly, international businesses should monitor which countries are recognised as trusted destinations, where transfer tools depend heavily on encryption to remain defensible, and where sectoral or security rules are pulling data governance toward a stricter sovereignty model. 

Conclusion

Quantum does not rewrite privacy law overnight. But it does change the risk calculus for cross-border data governance. Where the law allows data to move because it assumes the chosen safeguards will remain effective, the longevity of those safeguards becomes a legal question as well as a technical one. That is why monitoring developments in data sovereignty, adequacy, transfer tools and recognised security standards will be increasingly important. For some businesses, quantum will remain a medium-term planning issue. For others – especially those moving sensitive, high-value or regulated data across borders – it may become a legal priority sooner than expected.
