AI systems frequently require data to cross borders: training data collected in one jurisdiction processed in another, cloud infrastructure spanning multiple regions, and model inference serving global users. GDPR Chapter V governs transfers of personal data outside the EU/EEA and imposes specific requirements that AI teams must address.

Transfer Mechanisms

GDPR permits international transfers of personal data through several mechanisms. Adequacy decisions allow free data flow to countries the European Commission has determined provide adequate data protection. As of 2026, adequate countries include the UK, Japan, South Korea, and the US (under the EU-US Data Privacy Framework). Standard Contractual Clauses (SCCs) are pre-approved contract templates that bind the data importer to GDPR-equivalent protections. They are the most commonly used mechanism for AI cloud services. Binding Corporate Rules (BCRs) allow multinational corporations to transfer data within their group based on internally approved policies. Derogations (consent, contract necessity, public interest) are available for specific situations but cannot be the basis for systematic, large-scale transfers.

Transfer Impact Assessments

Following the Schrems II ruling, organizations using SCCs must conduct a Transfer Impact Assessment (TIA) evaluating whether the destination country’s laws (particularly government surveillance laws) undermine the protections in the SCCs. If they do, supplementary measures are required. For AI workloads, the TIA should consider whether government authorities could compel access to training data, model weights, or inference logs.

Cloud Architecture Considerations

When designing AI systems on cloud infrastructure, consider these transfer implications. Training - If training data contains EU personal data, training should ideally occur in EU regions. If training must happen outside the EU (for GPU availability, for example), ensure appropriate transfer mechanisms and supplementary measures are in place. Model storage - Model weights trained on personal data may themselves constitute personal data (particularly if memorization has occurred). Store models in EU regions or ensure transfer mechanisms cover model artifacts. Inference - If inference requests contain personal data, the inference endpoint should be in a region where the transfer mechanism applies. Use regional deployments to keep data close to its origin.

Practical Steps

Map your data flows - Document where personal data originates, where it is processed (training, inference), and where results are stored. Identify every cross-border transfer. Select transfer mechanisms - For each transfer, determine the appropriate mechanism. Adequacy decisions are simplest. SCCs are most common for cloud providers. Conduct TIAs - For transfers to non-adequate countries, assess the legal environment and document supplementary measures. Implement supplementary measures - Encryption in transit and at rest with keys controlled by the EU entity, pseudonymization before transfer, contractual commitments from the cloud provider to challenge government access requests, and technical measures to prevent unauthorized access. Review regularly - Adequacy decisions can be invalidated. Transfer mechanisms must be reassessed when laws change.

Common AI Scenarios

US cloud providers - The EU-US Data Privacy Framework covers transfers to certified US companies. Verify your provider is certified. Consider supplementary measures given ongoing legal uncertainty. Global model training - If you use globally distributed GPU clusters, implement data residency controls to keep EU personal data in EU regions, or use federated learning to avoid transferring raw data. Third-party AI APIs - When sending data to external AI APIs (OpenAI, Anthropic, etc.), verify where data is processed and ensure appropriate transfer mechanisms. Check whether the provider uses your data for model training.