A “data transfer” under the UK and EU General Data Protection Regulation (GDPR) is not limited to data physically moving from one server to another. You make a “restricted transfer” whenever you send personal data, or even make it accessible, to a separate legal entity located outside of your jurisdiction. This includes sending data to a subsidiary, vendor, or cloud service provider in another country.
The rules are triggered the moment personal data protected by UK or EU GDPR is sent to a legally distinct organisation outside the UK or European Economic Area (EEA). This applies to all transfers, regardless of their size or frequency. You might think that “data transfer” only occurs when you email a file, but the rules are much broader. If your US-based parent company can log in and view the HR records of your UK subsidiary, that access itself is considered a restricted transfer under the UK GDPR, even if no data is downloaded. This is a critical point many businesses miss.
Getting these rules wrong exposes your business to severe consequences. International data flows are the lifeblood of modern business, enabling everything from cloud computing to global customer support. However, failing to comply can result in substantial financial penalties, regulatory orders to cease transfers (which can disrupt your operations), and significant reputational damage.
A common mistake is assuming that politically linked territories are “domestic” for the purposes of data protection. The legal reality is far more complex and is based on formal legal assessments, not political geography.
Under the UK GDPR, Gibraltar is legally classified as a “third country.” Although it is a British overseas territory, it is not considered part of the UK for data protection purposes.
However, the UK has granted Gibraltar an “adequacy decision.” This is a formal recognition that Gibraltar’s data protection law, the Gibraltar GDPR, which is nearly identical to the EU’s version, provides a level of protection equivalent to that of the UK.
This adequacy decision acts as a green light. You can transfer personal data from the UK to Gibraltar without requiring additional safeguards, such as an International Data Transfer Agreement (IDTA) or a Transfer Risk Assessment (TRA). This makes it the simplest of all UK-to-third-country transfers. Still, you remain responsible for ensuring the data is processed lawfully and securely once it’s there; your core UK GDPR obligations do not disappear. Transfers from Gibraltar back to the UK are also permitted under local Gibraltar rules that recognise the UK as adequate.
All other British Overseas Territories (BOTs), including major financial hubs such as the Cayman Islands, Bermuda, and the British Virgin Islands (BVI), are also considered “third countries” under the UK GDPR.
Here is the essential difference: unlike Gibraltar, none of these other territories has a UK adequacy decision in place. This means you cannot freely transfer data to them. A transfer from the UK to these BOTs is a restricted transfer and legally requires you to take specific steps:
1. Use an Appropriate Safeguard: Establish a formal legal mechanism. For transfers within a corporate group, this will typically be the UK’s International Data Transfer Agreement (IDTA) or the UK Addendum to the EU’s Standard Contractual Clauses (SCCs). UK Binding Corporate Rules (BCRs) are another option.
2. Conduct a Transfer Risk Assessment (TRA): You are legally required to assess whether your chosen safeguard (like the IDTA) will be effective in practice. This involves analysing the local laws and government surveillance powers in the destination territory to ensure they don’t undermine the protections you’re trying to put in place with the contract. This is a mandatory, risk-based assessment that you must document.
While many of these territories have modern data protection laws, the UK has not formally deemed them adequate.
• Bermuda: The Personal Information Protection Act (PIPA) 2016 became fully effective on January 1, 2025. It is a comprehensive law with principles inspired by the GDPR, requiring the appointment of a privacy officer and the implementation of robust security safeguards. However, the UK does not consider it adequate.
• Cayman Islands: The Data Protection Act (DPA), 2017, is also based on GDPR-like principles such as fair use, purpose limitation, and data minimisation, but it lacks a UK adequacy decision.
• British Virgin Islands (BVI): The Data Protection Act, 2021, aims for alignment with EU/UK standards. Notably, it lacks a “legitimate interest” basis for processing, relying heavily on express consent, and is not deemed adequate.
The United States does not have a single, comprehensive federal law governing privacy. Instead, there is a complex patchwork of federal sector-specific laws and a growing number of state-level laws.
US territories, such as Puerto Rico, Guam, the U.S. Virgin Islands, and American Samoa, exist in a legal grey area. Most comprehensive state privacy laws, like the California Consumer Privacy Act (CCPA), do not apply to them. Federal laws apply inconsistently; for example, the Health Insurance Portability and Accountability Act (HIPAA) explicitly includes these territories in its definition of a “State,” meaning healthcare data transfers are subject to its rules.
However, most of these territories lack their own robust, comprehensive privacy laws. Puerto Rico and Guam have data breach notification laws, but neither has an overarching privacy framework that provides GDPR-level rights and protections.
The real risk here is not from local enforcement but from foreign regulations. If your US business has customers in the UK and you outsource their data processing to a vendor in Puerto Rico, you are making a restricted transfer under the UK GDPR. You must therefore comply with all UK transfer rules, including the use of an IDTA and conducting a TRA. The lack of strong local privacy laws in Puerto Rico makes passing that risk assessment very challenging.
Under the EU GDPR, every single UK and US territory is a “third country”. The European Commission has only granted an adequacy decision to Gibraltar (by virtue of its adequacy for the UK). No other BOT or US territory is considered adequate by the EU.
This means that for any transfer from the EU to these non-adequate territories, you are legally required to follow the strict process mandated by the Court of Justice of the European Union in its landmark Schrems II ruling:
1. Use an Article 46 Transfer Tool: For most businesses, this means using the EU’s Standard Contractual Clauses (SCCs).
2. Conduct a Transfer Impact Assessment (TIA): The Schrems II decision made it clear that simply signing SCCs is not enough. You must conduct and document a TIA to assess whether the laws of the destination country (e.g., Bermuda, Puerto Rico) could compel the data importer to hand over data to its government in a manner that violates EU fundamental rights.
3. Implement Supplementary Measures: If your TIA identifies risks, you must implement extra safeguards to mitigate them. These can be technical (like strong encryption), contractual, or organisational. If you cannot find effective measures, the transfer is illegal.
The legal frameworks create a hierarchy of difficulty for data transfers that is counterintuitive to business logic. Transferring data to Gibraltar from a UK company is straightforward, but transferring it to Bermuda is more complex. From an EU perspective, transferring data to the BVI involves the same legal hurdles as transferring it to mainland China. Both are non-adequate third countries requiring SCCs and a TIA. Assumptions based on political ties are dangerous; you must follow the legal checklist for every destination.
Table 1: UK/EU Data Transfer Rules for Overseas Territories at a Glance

| Territory | Status under UK GDPR | UK Transfer Requirement | Status under EU GDPR | EU Transfer Requirement |
| --- | --- | --- | --- | --- |
| Gibraltar | Third Country | Adequacy Decision (No extra steps) | Third Country | Adequacy Decision (No extra steps) |
| Bermuda | Third Country | IDTA + TRA Required | Third Country | SCCs + TIA Required |
| Cayman Islands | Third Country | IDTA + TRA Required | Third Country | SCCs + TIA Required |
| British Virgin Islands | Third Country | IDTA + TRA Required | Third Country | SCCs + TIA Required |
| Puerto Rico | Third Country | IDTA + TRA Required | Third Country | SCCs + TIA Required |
| Guam | Third Country | IDTA + TRA Required | Third Country | SCCs + TIA Required |
To legally make a restricted transfer, you must use one of the mechanisms provided by the GDPR. The right one depends on your destination, your relationship with the recipient, and the nature of the transfer.
An adequacy decision is a formal finding by the UK Government or European Commission that a third country’s legal system provides a level of data protection that is “essentially equivalent” to that in the UK or EU.
If a country has an adequacy decision, you can transfer personal data to that country without any further transfer-specific safeguards. It is treated almost like a transfer within the UK or EEA. Countries with adequacy include the EEA member states, Gibraltar, Japan (with some limitations), New Zealand, South Korea, and Switzerland, among others. The UK and EU have also recognised each other as adequate, allowing data to flow freely between them in most cases.
This is the most common tool for transfers to countries that are not covered by an adequacy decision.
• EU SCCs: The European Commission provides pre-approved model contract clauses that the data exporter and importer sign. There are different “modules” for various transfer scenarios, such as from a controller to a processor or from one processor to another. You must use these clauses without modification.
• UK IDTA & Addendum: After Brexit, the UK’s Information Commissioner’s Office (ICO) issued its transfer tools. The International Data Transfer Agreement (IDTA) is a standalone contract governing transfers subject to UK law. The UK Addendum is a more flexible option that you can “bolt on” to the EU SCCs, allowing you to use one core contract for both EU and UK transfers by adding the necessary UK-specific protections.
• Crucial Caveat: Remember, these contracts are not a check-box exercise. The Schrems II ruling requires that they be accompanied by a documented Transfer Risk Assessment (TRA) or Transfer Impact Assessment (TIA).
BCRs are a set of internal data protection policies used by a multinational corporate group to legitimise transfers of personal data between its own companies and entities worldwide.
BCRs are designed for large, sophisticated organisations with regular, high-volume, and complex internal data flows. They are considered the gold standard for compliance, but they require a significant investment. BCRs must be formally approved by a data protection authority, such as the UK’s ICO, a process that can be lengthy and resource-intensive.
Article 49 of the GDPR outlines a list of specific exceptions, or “derogations,” that can be applied to occasional and non-repetitive transfers when no other mechanism is suitable.
These include situations where the data subject has given explicit consent to the specific transfer after being fully informed of the risks, or where the transfer is necessary for the performance of a contract or the defence of legal claims. Regulators interpret these derogations very narrowly. They are not a valid solution for systematic, ongoing business processes, such as using a permanent cloud provider or outsourcing a business function to a third country.
Table 2: Data Transfer Mechanisms Compared

| Mechanism | Best For | Key Requirement(s) | Complexity |
| --- | --- | --- | --- |
| Adequacy Decision | Transfers to pre-approved countries | Confirm the destination is on the adequacy list. | Low |
| SCCs / IDTA | Transfers to any non-adequate country (vendors, partners, etc.) | Signed contract + mandatory TIA/TRA. | Medium to High |
| BCRs | Internal transfers within a large multinational group | DPA approval of internal policies + TIA/TRA. | Very High |
| Derogations | One-off, exceptional, non-repetitive transfers | Meeting strict, narrow criteria (e.g., explicit consent for a single transfer). | Low (but very limited use) |
The single most important development in data transfer law in recent years was the Schrems II ruling. It fundamentally changed the compliance landscape and placed a new, significant burden on every organisation that transfers data outside the UK and EU.
In its 2020 Schrems II judgment, the Court of Justice of the EU invalidated the EU-US Privacy Shield framework. It found that US surveillance laws did not provide EU citizens with protections “essentially equivalent” to their fundamental rights under EU law.
The court upheld the validity of SCCs but added a critical new obligation: the company sending the data (the exporter) must verify, on a case-by-case basis, that the laws in the destination country do not prevent the recipient (the importer) from complying with its contractual promises in the SCCs. This mandatory verification process is the Transfer Impact Assessment (TIA) for EU GDPR transfers or the Transfer Risk Assessment (TRA) for UK GDPR transfers.
This is not just paperwork; it is a formal, documented risk analysis. The European Data Protection Board (EDPB) and the UK’s ICO have laid out a multi-step process that you must follow.
• Step 1: Know Your Transfer. You must map the data flow in detail. Document what data is being sent, who the importer is, where they are located, the purpose of the transfer, and whether there will be any “onward transfers” to other countries.
• Step 2: Identify Your Transfer Tool. Confirm that you are relying on an appropriate safeguard, such as SCCs, the IDTA, or BCRs.
• Step 3: Assess the Laws of the Destination Country. This is the core of the assessment. You must research and document whether the country’s laws on government access to data (e.g., for national security or criminal investigations) are problematic. The key question is whether these laws could compel the importer to disclose data in a manner that overrides the protections in your contract.
• Step 4: Identify and Adopt Supplementary Measures. If your assessment in Step 3 reveals risks, you must identify, implement, and document additional measures to bring the level of protection up to the required standard.
• Step 5: Take Procedural Steps. This involves formalising the supplementary measures in your contract and finalising your documentation of the entire assessment.
• Step 6: Re-evaluate. Data protection is not a one-time task; it is an ongoing process. You must monitor for legal or practical changes in the destination country and re-evaluate your assessment at appropriate intervals.
If your TIA/TRA finds that the destination country’s laws pose a risk, you must implement supplementary measures. These fall into three categories, and you often need a combination of them:
• Technical Measures: These are the most effective. The gold standard is strong, end-to-end encryption where the data importer (and by extension, the foreign government) cannot access the decryption keys. This means data is protected both in transit and at rest. Other measures include robust pseudonymisation.
• Contractual Measures: You can add clauses to your contract that require the importer to be transparent about any government access requests, to challenge requests where possible, and to notify you immediately of any changes in local law that affect their ability to comply with the SCCs.
• Organisational Measures: These include implementing strict internal policies for handling government requests, providing regular staff training on these procedures, maintaining rigorous access controls, and publishing transparency reports.
The TIA/TRA process effectively forces a UK or EU company to become an expert on the surveillance laws of any country to which it sends data. This complex legal and technical analysis goes far beyond typical commercial due diligence and represents a significant, often underestimated, compliance burden.
The complexity of international data transfer rules creates several common traps for businesses. Failing to comply with them can lead to serious consequences.
• Mistake 1: The “Territory” Assumption. The most frequent error is believing that a British Overseas Territory or a US Territory is “domestic” for data transfer purposes. As this guide shows, this is incorrect for every scenario except UK-to-Gibraltar transfers.
• Mistake 2: “Sign and Forget” SCCs. Another major pitfall is treating SCCs or the IDTA as a simple box-ticking exercise. Using these contracts without conducting and documenting a robust TIA/TRA has been explicitly illegal since the Schrems II ruling and is a primary focus for regulators.
• Mistake 3: Failing to Document. Compliance is about demonstrating your work. If a regulator investigates, you must be able to produce records of your data mapping, your TIA/TRA analysis, the justification for your decisions, and the supplementary measures you implemented. A lack of documentation is often treated as a compliance failure in itself.
The risks of getting this wrong are not theoretical; they are real. Regulators are actively enforcing these rules with business-altering penalties. The Irish Data Protection Commission fined Meta a record €1.2 billion for illegal data transfers to the US, specifically for failing to protect data from US surveillance following the Schrems II ruling. More recently, TikTok was fined €530 million for failing to adequately protect EU user data that was transferred to and accessed from China. Beyond fines, regulators can issue suspension orders, compelling you to halt illegal transfers and disrupting critical business operations immediately.
GDPRLocal provides the expert support needed to transfer data confidently and compliantly. Our services include:
• Data Flow Mapping and Inventory: We help you “know your transfers” by identifying and mapping all cross-border data flows across your organisation, creating the foundation for your compliance program.
• Drafting and Implementing Transfer Agreements: We ensure you have the correct, up-to-date legal mechanisms in place, whether it’s the EU SCCs, the UK IDTA, or the UK Addendum, tailored to your specific vendor and partner relationships.
• Conducting Transfer Impact/Risk Assessments (TIAs/TRAs): Our team of legal and technical experts conducts the in-depth, jurisdiction-specific analysis required to meet the Schrems II standard, saving you the time and risk of doing it alone.
• Advising on Supplementary Measures: We provide practical, risk-based advice on the technical, contractual, and organisational measures you need to implement to protect your data and legitimise your transfers.
• Monitoring and Updating: We keep you informed of legal changes in key jurisdictions, ensuring your compliance framework remains current and effective in a rapidly evolving legal landscape.
• Documentation and Record-Keeping: We assist you in building and maintaining comprehensive documentation that demonstrates your due diligence and compliance with regulatory requirements.
Managing international data transfers is no longer a simple contractual matter; it is a core compliance function that demands diligence, expertise, and ongoing attention.
• Never assume: Always treat transfers to another country, including overseas territories, as “restricted” until you have confirmed their legal status. Political or geographical proximity is not a reliable guide.
• Assess Every Transfer: Using SCCs or the IDTA is only the first step. A documented Transfer Impact or Risk Assessment is mandatory for all transfers to non-adequate destinations.
• Prioritise Technical Safeguards: In high-risk destinations, strong technical measures such as end-to-end encryption are the most effective supplementary measures for mitigating surveillance risks.
• Document Everything: Your best defence is your ability to demonstrate your due diligence to regulators. Maintain clear records of your transfer mapping, assessments, and decisions to ensure transparency and accountability.