Every time a visitor lands on your website and a cookie fires from a server in another country, a cross-border data transfer may be taking place. Under GDPR, that transfer is only lawful if the destination country protects personal data to a standard the European Commission considers equivalent to EU law - or if you have put specific legal safeguards in place. Get it wrong, and the consequences are severe. In May 2025, the Irish Data Protection Commission fined TikTok €530 million for transferring EEA user data to China without adequate protections. A year earlier, Meta had been hit with the largest GDPR fine in history - €1.2 billion - for the same category of violation involving transfers to the United States.
These are not edge cases. They reflect a regulatory environment where cross-border data flows are treated as a frontline compliance concern, not a background technicality.
What Counts as a Cross-Border Data Transfer Under GDPR
Chapter V of the GDPR (Articles 44-50) governs transfers of personal data to third countries - meaning any country outside the European Economic Area. The EEA includes all 27 EU member states plus Norway, Liechtenstein, and Iceland. A transfer occurs whenever personal data is sent to, accessed from, or stored in a location outside this zone.
For website owners, this happens more often than you might expect. If your site uses Google Analytics and the data is processed on servers in the United States, that is a transfer. If your customer support tool routes ticket data through a provider in India, that is a transfer. If a developer in Brazil accesses your database remotely, that too qualifies. Even cookies set by third-party scripts hosted on non-EEA servers can trigger transfer obligations.
Article 44 GDPR sets the general principle: a transfer may only take place if the conditions laid down in Chapter V are met. There are three main routes to lawful transfers, each with distinct requirements and limitations.
Route 1: Adequacy Decisions - The Simplest Path
An adequacy decision is a formal determination by the European Commission that a country's data protection framework provides a level of protection "essentially equivalent" to that guaranteed within the EU. When a country holds an adequacy decision, personal data can flow there as freely as it moves between EU member states - no additional safeguards required.
Article 45 GDPR sets out the criteria the Commission must assess: the rule of law, respect for human rights, relevant legislation, the existence and effective functioning of an independent supervisory authority, and the country's international commitments regarding data protection.
As of early 2026, the Commission has granted adequacy to the following jurisdictions:
| Country / Territory | Adequacy Status | Notes |
|---|---|---|
| Andorra | Active | Reviewed and confirmed in January 2024 |
| Argentina | Active | Reviewed 2024; Commission recommended legislative reform |
| Brazil | Active | Adequacy decision adopted December 2025 |
| Canada | Active (commercial organisations under PIPEDA) | Reviewed 2024 |
| Faroe Islands | Active | Reviewed 2024 |
| Guernsey | Active | Reviewed 2024 |
| Israel | Active | Reviewed 2024; Commission noted gaps between GDPR and Israeli law |
| Isle of Man | Active | Reviewed 2024 |
| Japan | Active | Reviewed 2023; mutual adequacy arrangement in place |
| Jersey | Active | Reviewed 2024 |
| New Zealand | Active | Reviewed 2024 |
| Republic of Korea | Active | Adequacy granted 2022 |
| Switzerland | Active | Reviewed 2024 |
| United Kingdom | Active | Renewed December 2025; extended until 2031 |
| United States | Active (DPF-certified companies only) | EU-US Data Privacy Framework adopted July 2023; first review completed October 2024 |
| Uruguay | Active | Reviewed 2024 |
Adequacy decisions are not permanent. The Commission must periodically review them, and it can amend, suspend, or withdraw a decision if conditions deteriorate. The January 2024 review of 11 legacy adequacy decisions confirmed their continuation but flagged areas of concern in Argentina, Canada, and Israel where legislation has not yet caught up with GDPR-era expectations.
The EU-US Data Privacy Framework: A Fragile Bridge
The US adequacy decision deserves separate attention because of its complexity and political sensitivity. The EU-US Data Privacy Framework (DPF), adopted in July 2023, is the third attempt at creating a stable legal basis for transatlantic data flows. Its predecessors - Safe Harbor (2000-2015) and Privacy Shield (2016-2020) - were both struck down by the Court of Justice of the European Union in the Schrems I and Schrems II rulings.
The DPF is built on Executive Order 14086, signed by President Biden in October 2022, which introduced the principles of necessity and proportionality into US signals intelligence law and established a Data Protection Review Court (DPRC) for EU citizens to challenge surveillance activity. US companies must self-certify their participation in the framework through the Department of Commerce. By the time of the first periodic review in July 2024, more than 2,800 companies had joined - 70% of them small and medium-sized businesses.
The European Commission's October 2024 review report concluded the framework was functioning effectively. The EDPB's own November 2024 report largely concurred, but raised concerns about oversight of onward transfers and monitoring of compliance by US entities.
Trouble arrived from a different direction. In January 2025, President Trump dismissed the three Democratic members of the Privacy and Civil Liberties Oversight Board (PCLOB), a body the Commission had referenced 31 times in its adequacy decision as a key oversight mechanism. With only one Republican member remaining and no quorum, the PCLOB cannot take formal action. Several EU data protection authorities - including those in Germany and Sweden - have publicly questioned whether the adequacy decision can survive without a functioning PCLOB. Privacy activist Max Schrems, whose legal actions brought down the previous two frameworks, has signalled that a "Schrems III" challenge remains a possibility.
The DPF remains in force for now. The EU Commission has indicated it will continue to monitor developments. For website owners relying on US-based services, the practical advice is straightforward: verify that your US service providers are DPF-certified, but also have Standard Contractual Clauses in place as a fallback.
The UK Adequacy Decision: Renewed, but Watched Closely
The United Kingdom received its original adequacy decision in June 2021, following Brexit. That decision was set to expire in June 2025. After a six-month technical extension, the Commission renewed UK adequacy in December 2025 and extended it until 2031.
The EDPB's October 2025 opinion supported the renewal, concluding that the UK's data protection regime remains essentially equivalent to the GDPR. It did, however, flag concerns about the UK's evolving surveillance laws, the Data Use and Access Act, and the broader discretion given to the Secretary of State to alter transfer rules through secondary legislation. The EDPB recommended ongoing monitoring.
For practical purposes, UK adequacy means your website can transfer data to UK-based processors without additional safeguards - but this is a space worth watching as the UK continues to diverge from EU data protection standards.
Route 2: Standard Contractual Clauses (SCCs)
When no adequacy decision covers the destination country, the most commonly used safeguard under Article 46 GDPR is Standard Contractual Clauses. SCCs are pre-approved contractual templates issued by the European Commission that impose binding data protection obligations on both the data exporter (in the EEA) and the data importer (outside the EEA).
The current SCC framework, adopted in June 2021, replaced the older 2001/2010 clauses and introduced a modular structure with four distinct configurations:
| Module | Transfer Scenario | Common Example |
|---|---|---|
| Module 1 | Controller to Controller | Sharing customer data with a non-EEA business partner |
| Module 2 | Controller to Processor | Using a non-EEA cloud hosting or analytics provider |
| Module 3 | Processor to Processor | Your EU processor engaging a sub-processor outside the EEA |
| Module 4 | Processor to Controller | A non-EEA entity retrieving data it controls from an EEA processor |
Choosing the wrong module is a common mistake. If your analytics provider in the US engages a sub-processor in Singapore, Module 3 applies to that second hop - not Module 2.
SCCs are not a rubber stamp. Since the Schrems II ruling in July 2020, anyone relying on SCCs must also conduct a Transfer Impact Assessment (TIA). A TIA requires you to evaluate the laws and practices of the destination country - particularly regarding government access to data - and determine whether the SCCs alone provide sufficient protection. If they do not, you must implement supplementary measures such as encryption, pseudonymisation, or contractual restrictions on data access.
The TikTok decision demonstrated what happens when this assessment is skipped. The Irish DPC found that TikTok had relied on SCCs but failed to conduct the assessments required by the Schrems II ruling.
Route 3: Binding Corporate Rules (BCRs)
Binding Corporate Rules are internal data protection policies adopted by multinational corporate groups to govern transfers of personal data within the organisation. Under Article 47 GDPR, BCRs must be approved by the competent supervisory authority and must include legally binding obligations on every member of the group.
BCRs are powerful but resource-intensive. The approval process, though simplified somewhat in recent years, still involves detailed documentation, a consistency mechanism across multiple DPAs, and ongoing monitoring. They are typically used by large enterprises - companies like Accenture, Siemens, and Unilever - rather than small or mid-sized website operators.
If your organisation operates across multiple countries and regularly transfers employee or customer data between subsidiaries, BCRs can provide a single, unified compliance framework. For most website owners, SCCs are the more practical option.
Derogations: Limited Exceptions Under Article 49
Article 49 GDPR provides a narrow set of derogations that allow one-off transfers without an adequacy decision or safeguards. These include explicit consent of the data subject, transfers necessary for the performance of a contract, and transfers necessary for important reasons of public interest.
These derogations are narrow by design. The EDPB has repeatedly stated that they cannot be used to justify regular, systematic data flows. If you are transferring analytics data to a US provider on every page load, Article 49 consent is not a viable basis - you need an adequacy decision or SCCs.
Enforcement Is Intensifying: Lessons from Meta and TikTok
Two enforcement actions have defined the regulatory landscape for cross-border transfers.
In May 2023, the Irish DPC fined Meta €1.2 billion for transferring EU Facebook user data to the United States using SCCs, following the CJEU's Schrems II ruling. The EDPB's binding decision found Meta's infringement "very serious" given the systematic, repetitive, and continuous nature of the transfers and the volume of data involved. Meta was ordered to suspend transfers within five months and bring processing into compliance within six months. The case was resolved in practice by the adoption of the EU-US Data Privacy Framework in July 2023, which Meta promptly joined.
In May 2025, TikTok received a €530 million fine - the third-largest in GDPR history - for transferring EEA user data to China. The DPC found that TikTok had relied on SCCs but failed to conduct the assessments required by the Schrems II ruling. A particularly damaging revelation emerged during the investigation: TikTok had told the DPC that it did not store EEA data on Chinese servers, only to disclose in April 2025 that limited EEA data had in fact been stored there - contradicting its own sworn evidence.
The signal from both cases is clear. Regulators expect data exporters to actively verify that their safeguards work. Signing SCCs is not enough. You must assess the destination country's laws, implement supplementary measures where needed, and be transparent with both regulators and data subjects about where data goes.
What This Means for Website Owners
If your website uses any third-party service that processes personal data outside the EEA, you are making cross-border transfers and must comply with Chapter V of the GDPR. Here is a practical framework for getting it right.
Map your data flows. Identify every service, cookie, and script that sends personal data outside the EEA. This includes analytics platforms, advertising pixels, customer chat widgets, CDN providers, email marketing tools, and payment processors. A cookie scanner like the one available through Kukie.io's features page can help identify third-party cookies and the domains they connect to.
Check the legal basis for each transfer. For each destination country, determine whether an adequacy decision exists. If you transfer data to the US, verify that the recipient company is listed on the Data Privacy Framework website. If no adequacy decision applies, ensure you have SCCs in place with the correct module selected.
Conduct Transfer Impact Assessments. For any transfer relying on SCCs, assess whether the laws of the destination country could undermine the protections the clauses provide. Pay particular attention to government surveillance powers and whether law enforcement can compel access to personal data without equivalent judicial oversight.
Implement supplementary measures where needed. If your TIA reveals risks, add technical safeguards. Encryption of data in transit and at rest, pseudonymisation before transfer, and contractual restrictions on sub-processing are all recognised supplementary measures.
Update your privacy notice. Article 13(1)(f) GDPR requires you to inform data subjects about transfers to third countries, including the safeguards relied upon. TikTok's €45 million transparency fine shows that vague or incomplete disclosure is a standalone violation. Name the countries, specify the safeguard mechanism, and link to the relevant SCC or adequacy decision.
Review your cookie consent mechanism. If third-party cookies trigger cross-border transfers, those cookies must be blocked until the user gives informed consent - unless they fall under the strictly necessary exemption. Your cookie consent banner should make clear which cookies involve international transfers and to which countries.
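As an added example (not code from the article or from Kukie.io), the following shows how the transfer register produced by the mapping step can drive both the consent gate and the banner disclosure described above. The service names, URLs, consent categories and register fields are constructed for illustration, and the EEA and adequacy lists are abridged from the table earlier on this page.

```javascript
// Added example (not from the article): a transfer register built from a cookie scan
// decides which third-party scripts may run before/after consent and what the banner
// must disclose under Art. 13(1)(f). Lists abridged; country codes are ISO 3166.
const EEA = new Set(["DE", "FR", "IE", "NL", "NO", "IS", "LI"]);
const ADEQUATE = new Set(["GB", "CH", "JP", "KR", "BR", "CA", "NZ", "IL", "AR", "UY"]);

// Constructed register, one entry per script the scan found. "DPF" = recipient listed on
// the Data Privacy Framework site; "SCC" = Art. 46 clauses (module + TIA recorded).
const TRANSFER_REGISTER = [
  { id: "analytics", src: "https://analytics.example/tag.js", country: "US",
    safeguard: "DPF", category: "analytics" },
  { id: "support-chat", src: "https://support.example/widget.js", country: "IN",
    safeguard: "SCC", sccModule: 2, tiaDone: true, category: "functional" },
  { id: "fonts-cdn", src: "https://fonts.example/load.js", country: "GB",
    safeguard: null, category: "strictly-necessary" },
  { id: "ad-pixel", src: "https://ads.example/px.js", country: "SG",
    safeguard: null, category: "marketing" },
];

// Chapter V check for one recipient: EEA, adequacy, DPF, or SCCs backed by a TIA.
function transferBasis(e) {
  if (EEA.has(e.country)) return "eea";
  if (ADEQUATE.has(e.country)) return "adequacy";
  if (e.country === "US" && e.safeguard === "DPF") return "adequacy-dpf";
  if (e.safeguard === "SCC" && e.tiaDone) return "scc";
  return "none"; // no lawful route: never load this script
}

// Scripts allowed for the consented categories. Strictly necessary scripts skip
// consent but still need a lawful transfer basis.
function allowedScripts(register, consented) {
  return register.filter((e) => transferBasis(e) !== "none" &&
    (e.category === "strictly-necessary" || consented.includes(e.category)));
}

// Register entries with no lawful basis: fix these before the banner goes live.
function unlawfulTransfers(register) {
  return register.filter((e) => transferBasis(e) === "none").map((e) => e.id);
}

// Banner / privacy-notice lines naming each destination country and safeguard.
const LABEL = { adequacy: "adequacy decision", "adequacy-dpf": "EU-US Data Privacy Framework",
  scc: "Standard Contractual Clauses" };
function disclosureLines(register) {
  return register.filter((e) => !["eea", "none"].includes(transferBasis(e)))
    .map((e) => `${e.id}: ${e.country} (${LABEL[transferBasis(e)]}` +
      (e.sccModule ? `, Module ${e.sccModule})` : ")"));
}
```

The array returned by `allowedScripts` is what the consent manager should inject into the page once the visitor's choice is recorded; an SCC entry without a completed TIA is treated as having no lawful basis, so it is never loaded regardless of consent.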
The Bigger Picture: Where Cross-Border Transfers Are Heading
The regulatory landscape is evolving fast. Brazil received its adequacy decision in late 2025, opening the door to freer data flows with the largest market in Latin America. The European Commission also granted its first-ever adequacy decision to an international organisation - the European Patent Organisation - in July 2025, setting a precedent for non-state entities. Discussions with Taiwan and India are reportedly ongoing.
At the same time, enforcement is becoming more assertive. The EDPB has finalised guidelines on Article 48 GDPR, clarifying how controllers should respond to requests from foreign authorities that conflict with EU law. A 2025 judgment by the Bonn Regional Court in Germany took a notably pragmatic approach, holding that when an adequacy decision exists, national courts cannot re-examine the underlying geopolitical assessments. This stands in tension with the more absolutist stance some DPAs have taken, suggesting a growing split between regulatory and judicial approaches to transfer compliance.
For website owners, the practical takeaway is to build flexibility into your compliance strategy. Adequacy decisions can be withdrawn. SCCs require ongoing assessment. The EU-US Data Privacy Framewor