4.4 The Challenge of Cross-Border Data

Module 4: The Global Regulatory Landscape

Explains international data transfer mechanisms, the Schrems rulings, and why jurisdictional complexity matters for individuals and organisations.


The internet does not respect borders. When a European user signs up to a US social media platform, their data may be processed in California, stored in Singapore, backed up in Ireland, and accessed by support staff in the Philippines — all in seconds. This jurisdictional reality creates one of the most complex challenges in modern privacy law.

Why cross-border data flows create problems

Privacy law is inherently territorial: it applies within a jurisdiction and aims to protect people in that jurisdiction. But data about a German user processed by a US company under US law may not receive the same protections as it would under GDPR. Different countries have different standards, different rights, and different enforcement capacities. The question becomes: whose law applies, and how do you protect rights across borders?

For ordinary people, this matters concretely. If your data is transferred to a country without equivalent privacy protections, your rights may be unenforceable in practice. If a company in that country receives a law enforcement request for your data, you may have no legal recourse to challenge it.

Mechanisms for lawful international transfers under GDPR

GDPR Chapter V restricts transfers of personal data to third countries (outside the EU/EEA) unless one of several mechanisms applies:

Adequacy decisions — The European Commission assesses whether a third country's privacy framework offers protection 'essentially equivalent' to the GDPR. Countries with adequacy decisions include the UK (post-Brexit, 2021), Canada (partial), Japan, Switzerland, New Zealand, Israel, and others. Data can flow freely to adequate countries. At the time of writing, the US does not have a blanket adequacy decision — instead, a specific framework applies (see below).

Standard Contractual Clauses (SCCs) — Pre-approved contract templates issued by the European Commission. If a data exporter (e.g. a European company) and a data importer (e.g. its US cloud provider) sign SCCs, the importer commits contractually to GDPR-equivalent protections. SCCs are the most widely used transfer mechanism globally. The current set was updated in 2021.

EU-US Data Privacy Framework (DPF) — Adopted in 2023 as the successor to Privacy Shield (which was invalidated in 2020). The DPF creates a certification regime allowing US organisations to receive EU personal data, subject to oversight by the US Department of Commerce and the Privacy and Civil Liberties Oversight Board (PCLOB). As with its predecessors, the DPF's durability is uncertain and subject to legal challenge.

Other mechanisms — Binding Corporate Rules (BCRs) allow multinational corporations to transfer data within their own group. Codes of conduct and certification schemes are emerging mechanisms under GDPR Art. 40–42.

The Schrems saga: a cautionary tale

Maximilian Schrems, an Austrian privacy activist, has brought two landmark cases to the Court of Justice of the European Union (CJEU) that reshaped international data transfers.

Schrems I (CJEU, 2015): Schrems complained that Facebook transferred his data to the US, where it was accessible to surveillance programmes (exposed by Edward Snowden in 2013). The CJEU invalidated the Safe Harbour agreement — the predecessor to Privacy Shield — finding that US surveillance law did not provide equivalent protection to EU law.

Schrems II (CJEU, 2020): After Safe Harbour was replaced by Privacy Shield, Schrems challenged that too. The CJEU again ruled the framework invalid, finding that US intelligence laws (FISA Section 702, Executive Order 12333) gave US authorities access to EU personal data in ways incompatible with GDPR. SCCs survived but with a caveat: exporters must conduct a Transfer Impact Assessment (TIA) to verify that the clauses provide real protection in practice.

The Schrems rulings matter beyond legal professionals. They show that transfer mechanisms can be struck down at any time, leaving organisations relying on them in legal uncertainty overnight. They also illustrate the fundamental tension: the EU's rights-based standard for government access to data is higher than US surveillance law allows.

Why this matters for you

If you are an individual: your data almost certainly crosses borders. Understanding that not all countries offer equivalent protection — and that transfer mechanisms exist to (imperfectly) bridge that gap — helps you ask better questions when you use international services.

If you work in an organisation: international transfers require active compliance. You cannot simply use a cloud provider in the US or store data in Asia without assessing the legal basis for the transfer.

Your takeaway

Cross-border data flows are unavoidable in the modern internet. The regulatory challenge is real, ongoing, and unresolved. Adequacy decisions, SCCs, and the DPF are imperfect tools for an inherently difficult problem — and they can be removed by a single court ruling.
