Sunday, June 29, 2025

Privacy and Artificial Intelligence - 1.6 Cross-Border Data Transfers and Compliance Risks

1.6 Cross-Border Data Transfers and Compliance Risks

Introduction

Imagine you have a secret message that you want to send to a friend who lives in another country. You want your message to stay safe and private while it travels across the world. In the world of artificial intelligence (AI), something similar happens with personal data—information about people can travel from one country to another. This is called a cross-border data transfer, and it can sometimes make it hard to keep people’s information safe and private (Kuner, 2020).

Technical or Conceptual Background

Cross-border data transfers happen when AI systems collect, store, or process personal data in countries other than where the data was originally collected. Think of it like having a special notebook with your secrets written inside. If you give your notebook to a friend in another country, your secrets are now in a new place. In the digital world, AI systems can send your information—like your name, age, or where you live—to computers in other countries. This means your information can travel far away, sometimes to places where the rules about keeping secrets are different (Greenleaf, 2018).

Different countries have different rules about privacy and security. For example, the European Union has strict rules to protect your information, but other countries might not have the same rules. This can make it tricky to keep your information safe when it travels across borders (European Parliament, 2016).

Companies often use big computers called cloud services or data centers that are located in many countries. This means your information can move around the world without you even knowing it (Bradshaw, Millard, & Walden, 2011). The risk is that someone in another country might see your information or use it in a way that is not fair or safe.

Current Trends and Challenges

With the growth of AI and digital services, cross-border data transfers have become very common. Many organizations use AI to offer products and services around the world, so they need to send information across borders (Kuner, 2020). However, this is not always easy. In 2020, a big court decision called Schrems II made it harder for companies to send information from Europe to the United States, because the rules in the US were not strong enough to protect privacy (Schrems II, 2020).

The Court of Justice of the European Union (CJEU) found that U.S. law—especially Section 702 of the Foreign Intelligence Surveillance Act (“FISA”) and Executive Order 12333—did not limit the collection of personal data to what is strictly necessary and proportional, as required by Article 52 of the EU Charter of Fundamental Rights (European Union, 2012). The court also said that under U.S. law, people in the EU did not have a way to go to court to protect their data from U.S. authorities, which is required by Article 47 of the EU Charter of Fundamental Rights (European Union, 2012). This means that if your personal data was sent to the US, U.S. government agencies could access it without strong protections or ways for you to complain or get help if your privacy was violated.

Now, companies have to use special legal agreements called Standard Contractual Clauses (SCCs) to make sure your information is protected when it travels (European Commission, 2021). But these rules can be complicated and hard to follow, especially when different countries have different laws.

Another challenge is that countries like China, Brazil, and India have their own rules about data protection, which can be very different from the rules in Europe or the US.

For example, China’s Personal Information Protection Law (PIPL), which took effect in 2021, requires companies to complete a security assessment before transferring personal data outside China if the transfer involves important data or large volumes of data, as stated in Article 38 (Skadden, 2021). The Cybersecurity Law (CSL) and Data Security Law (DSL) also set strict rules for data security and localization, especially for “core data” and “important data,” as detailed in Article 21 of the DSL (Skadden, 2021).

In Brazil, the Lei Geral de Proteção de Dados (LGPD) allows international data transfers if the recipient country offers an adequate level of protection or if the data controller provides appropriate safeguards, as outlined in Article 33 (CookieBot, 2025). The LGPD also gives data subjects strong rights, such as access, correction, and deletion of their data, as described in Article 18 (CookieBot, 2025).

In India, the Digital Personal Data Protection Act (DPDPA) of 2023 permits cross-border data transfers to countries notified by the government as permissible, but restricts transfers to countries on a government blacklist, as specified in Section 17 (ITIF, 2025). Unlike the EU, India’s law does not require standard contractual clauses or binding corporate rules, and the government can restrict transfers without clear criteria (ITIF, 2025).

This patchwork of regulations creates compliance risks and operational difficulties for companies using AI globally.
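One way an engineering team turns this patchwork into something a data pipeline can enforce is a transfer-authorization gate: before a batch of personal data is copied to another country, the pipeline checks the origin regime and refuses the transfer until the mechanism that regime calls for is in place. The following is an added example, not code from the original post or from any of the cited sources. It encodes only the rules the section itself states (SCCs for EU exports, the PIPL Article 38 security assessment for important data or large volumes, LGPD Article 33 adequacy or safeguards, the DPDPA Section 17 blacklist); the country lists, the volume threshold and the mechanism names such as `CN_SECURITY_ASSESSMENT` are constructed placeholders, not legal values.

```python
"""Transfer-authorization gate for a data pipeline (illustrative example).

Encodes, in simplified form, the cross-border transfer rules described in
the text so that a pipeline refuses a transfer until the required legal
mechanism is present. Country lists, the volume threshold and mechanism
names are constructed placeholders (assumptions), not the real legal values.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple

EU_MEMBERS = frozenset({"AT", "BE", "DE", "ES", "FR", "IE", "IT", "NL", "PL", "SE"})  # subset, assumption
EU_ADEQUATE = frozenset({"CH", "GB", "JP"})   # placeholder adequacy list (assumption)
BR_ADEQUATE = frozenset()                     # placeholder: no LGPD adequacy decisions configured
IN_BLACKLIST = frozenset({"XX"})              # placeholder blacklisted destination
PIPL_VOLUME_THRESHOLD = 1_000_000             # placeholder "large volume" cut-off


@dataclass(frozen=True)
class Transfer:
    origin: str                     # country where the personal data was collected
    destination: str                # country where it will be stored or processed
    records: int                    # number of personal-data records in the batch
    important_data: bool = False    # flagged as "important data" under China's DSL
    safeguards: FrozenSet[str] = frozenset()  # legal mechanisms already in place


@dataclass(frozen=True)
class Decision:
    allowed: bool
    missing: List[str]   # mechanisms still required before the transfer may run
    reason: str


def evaluate(t: Transfer) -> Decision:
    """Decide whether a transfer may proceed and which mechanism it still needs."""
    required: List[str] = []

    if t.origin in EU_MEMBERS:
        if t.destination in EU_MEMBERS or t.destination in EU_ADEQUATE:
            reason = "intra-EU or adequacy destination"
        else:
            required.append("SCC")
            reason = "GDPR export to non-adequate destination; SCCs required"
            if t.destination == "US":
                reason += " (see Schrems II)"
    elif t.origin == "CN":
        if t.important_data or t.records >= PIPL_VOLUME_THRESHOLD:
            required.append("CN_SECURITY_ASSESSMENT")
            reason = "PIPL Art. 38: important data or large volume"
        else:
            reason = "PIPL export below assessment threshold"
    elif t.origin == "BR":
        if t.destination in BR_ADEQUATE:
            reason = "LGPD Art. 33: adequate destination"
        else:
            required.append("LGPD_SAFEGUARDS")
            reason = "LGPD Art. 33: appropriate safeguards required"
    elif t.origin == "IN":
        if t.destination in IN_BLACKLIST:
            return Decision(False, [], "DPDPA s.17: destination is blacklisted")
        reason = "DPDPA s.17: destination not restricted"
    else:
        # Fail closed: an origin with no encoded regime is refused, not waved through.
        return Decision(False, [], f"no transfer rules configured for origin {t.origin}")

    missing = [m for m in required if m not in t.safeguards]
    return Decision(not missing, missing, reason)


def gate(transfers) -> Tuple[list, list]:
    """Run the check over a batch; returns (approved, refused) pairs for the audit log."""
    approved, refused = [], []
    for t in transfers:
        d = evaluate(t)
        (approved if d.allowed else refused).append((t, d))
    return approved, refused


if __name__ == "__main__":
    # Constructed sample batch.
    batch = [
        Transfer("DE", "US", 10_000),
        Transfer("DE", "US", 10_000, safeguards=frozenset({"SCC"})),
        Transfer("CN", "SG", 5_000_000),
        Transfer("IN", "XX", 50),
    ]
    ok, refused = gate(batch)
    for t, d in refused:
        print(f"REFUSED  {t.origin}->{t.destination}: {d.reason}; missing={d.missing}")
    for t, d in ok:
        print(f"APPROVED {t.origin}->{t.destination}: {d.reason}")
```

The design choice worth noting is the default branch: an origin country whose regime has not been encoded is refused rather than allowed, so a new data source cannot silently bypass the gate until someone has actually looked at its law.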

Mitigation Challenges and Shortcomings

Even though it is important to protect your information when it travels across borders, many companies find it hard to follow all the rules. One reason is that there are so many different laws in different countries, and sometimes they do not agree with each other (Bradshaw, Millard, & Walden, 2011).

Another challenge is keeping your information safe while it is being sent and stored in other countries. Some countries have stronger security rules than others, and hackers might try to steal your information if it is not protected well (Greenleaf, 2018). Companies also have to check the risks and make sure they are using the right tools, like encryption and special codes, to keep your information safe.

Sometimes, countries do not enforce their data protection laws well. For example, in some countries, government agencies or companies may collect or use personal data without following the law, and there are few consequences for breaking the rules. In 2023, a report found that in certain regions, companies were not being fined or punished for mishandling personal data, even when clear violations occurred (Privacy International, 2023). In other cases, people who try to complain about privacy violations may find it difficult to get help, because the authorities do not investigate or respond to their concerns (Privacy International, 2023). This can make it easier for people to misuse your information and harder for you to protect your privacy.

If companies do not follow the rules, they can get in trouble, have to pay big fines, or lose the trust of their customers. But in some countries, these consequences do not happen often or are not strong enough to stop bad behavior.

Glossary

Term: Meaning and Example Sentence

Cross-Border Data Transfer: Moving personal data from one country to another. Example: "The company’s AI sends data across borders to process it in different countries."

Compliance Risk: The chance of breaking laws or rules. Example: "Not following privacy laws creates compliance risks for companies."

GDPR: A European law that protects personal data and controls its transfer. Example: "GDPR requires companies to protect data when it crosses borders."

Standard Contractual Clauses (SCCs): Legal agreements used to protect data transferred internationally. Example: "The company uses SCCs to comply with EU data transfer rules."

Data Protection Law: Rules that tell companies how to keep personal data safe. Example: "Data protection laws vary between countries."

Questions

  1. What is cross-border data transfer, and why does it create privacy risks?

  2. How do different countries’ privacy laws affect cross-border data transfers?

  3. What was the impact of the Schrems II decision on data transfers between the EU and the US?

  4. What are Standard Contractual Clauses (SCCs), and why are they important?

  5. What are some examples of countries not enforcing their data protection laws well?

Answer Key

  1. Suggested Answer: Cross-border data transfer is when personal data moves from one country to another. It creates privacy risks because different countries have different laws and protections, which can lead to misuse or unauthorized access to data (Kuner, 2020).

  2. Suggested Answer: Different countries have different privacy laws, which can make it complicated to protect personal data when it moves across borders. Some countries have strict laws like the EU’s GDPR, while others have weaker protections, creating compliance challenges (Greenleaf, 2018).

  3. Suggested Answer: The Schrems II decision made it harder for companies to send information from Europe to the United States, because the rules in the US were not strong enough to protect privacy. The Court of Justice of the European Union found that U.S. law (especially Section 702 of the Foreign Intelligence Surveillance Act and Executive Order 12333) did not limit data collection to what is strictly necessary and proportional, as required by Article 52 of the EU Charter of Fundamental Rights (European Union, 2012), and did not give people in the EU a way to go to court to protect their data, as required by Article 47 of the EU Charter of Fundamental Rights (European Union, 2012).

  4. Suggested Answer: Standard Contractual Clauses are special legal agreements that companies use to protect data when it is sent to other countries. They are important because they help make sure your information is kept safe (European Commission, 2021).

  5. Suggested Answer: Examples include countries where government agencies or companies collect or use personal data without following the law, and there are few consequences for breaking the rules. In some regions, companies are not fined or punished for mishandling personal data, even when clear violations occur. People who try to complain about privacy violations may also find it difficult to get help, because authorities do not investigate or respond to their concerns (Privacy International, 2023).

References

Bradshaw, S., Millard, C., & Walden, I. (2011). Contracts for clouds: Comparison and analysis of the terms and conditions of cloud computing services. International Journal of Law and Information Technology, 19(3), 187–223. https://doi.org/10.1093/ijlit/eaq017
CookieBot. (2025). LGPD Data Protection Law in Brazil. https://www.cookiebot.com/en/lgpd/
European Commission. (2021). Standard contractual clauses for international transfers of personal data. https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en
European Parliament. (2016). Regulation (EU) 2016/679 (General Data Protection Regulation). Official Journal of the European Union. https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32016R0679
European Union. (2012). Charter of Fundamental Rights of the European Union. Official Journal of the European Union, C 326/391. https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A12012P/TXT
Greenleaf, G. (2018). Global data privacy laws 2017: 120 national data privacy laws, including Indonesia and Turkey. Privacy Laws & Business International Report, 147, 10–13.
Information Technology and Innovation Foundation (ITIF). (2025). India’s Cross-Border Data Transfer Regulation. https://itif.org/publications/2025/06/09/india-cross-border-data-transfer-regulation/
Kuner, C. (2020). Transborder data flows and data privacy law. Oxford University Press.
Privacy International. (2023, March 15). Enforcement of data protection laws around the world. https://privacyinternational.org/long-read/4837/enforcement-data-protection-laws-around-world
Schrems II, Data Protection Commissioner v Facebook Ireland Ltd and Maximillian Schrems, Case C-311/18, Court of Justice of the European Union (2020). https://curia.europa.eu/juris/document/document.jsf?text=&docid=228677&pageIndex=0&doclang=EN&mode=req&dir=&occ=first&part=1&cid=123456
Skadden. (2021). China’s New Data Security and Personal Information Protection Laws. https://www.skadden.com/insights/publications/2021/11/chinas-new-data-security-and-personal-information-protection-laws
