International data transfers are notoriously complex, and while there’s no silver bullet, gaining a better handle on them starts with the right conversation. In this deep-dive episode of Privacy in Practice, hosts Kellie du Preez and Danie Strachan tackle one of privacy's most technical and misunderstood topics. From defining what actually counts as an international data transfer to navigating SCCs, the EU-U.S. Data Privacy Framework, and transfer impact assessments, this conversation takes a grounded look at a complicated topic. Whether you're dealing with cloud providers, global vendors, or simply trying to understand why TikTok was fined €530 million, this episode provides a practical framework for approaching cross-border data flows with more confidence and clearer direction.
In this comprehensive episode of Privacy in Practice, hosts Kellie du Preez and Danie Strachan dive deep into the complex world of international data transfers, one of the most technical and misunderstood areas of privacy compliance.
What You'll Learn:
- What qualifies as an international data transfer
- How hidden transfers via cloud services, APIs, SDKs, and website plugins can slip through unnoticed
- Why major companies like TikTok and Uber faced hefty data transfer fines
- How to evaluate cross-border transfer mechanisms, including adequacy decisions, certifications, and contractual safeguards
- What to consider when conducting a Transfer Impact Assessment
- How cross-border data transfer requirements vary across Brazil, China, Canada, and other jurisdictions
- How to manage vendor relationships when data crosses multiple borders
- Why transparency in privacy notices is just as important as technical safeguards
- Practical strategies for building scalable data transfer compliance programs
- And so much more!
Kellie du Preez is a privacy compliance leader and former litigation attorney who transitioned from defending banks in Boston to focusing on global privacy compliance. With experience as both an IP litigator and privacy professional, she brings a unique perspective on balancing practical business needs with regulatory requirements. As a Data Protection Officer and privacy consultant at VeraSafe, Kellie helps organizations navigate complex privacy challenges with a focus on creating workable, cost-effective solutions.
Danie Strachan is a privacy professional who began his career in South African legal practice, where he developed deep experience in data protection law during the implementation of South Africa's Protection of Personal Information Act (POPIA). As a senior privacy counsel at VeraSafe, he specializes in helping organizations understand and implement privacy requirements across multiple jurisdictions, including the EU. Danie brings valuable insight into the evolution of privacy regulations and practical approaches to compliance.
Connect with Kellie du Preez here: LinkedIn
Connect with Danie Strachan here: LinkedIn
If you enjoyed this episode, make sure to subscribe, rate, and review it.
Episode Highlights:
[00:01:41] What Qualifies as an International Data Transfer: The biggest misconception about international data transfers is that they require physical movement of data. Kellie explains that data transfers can happen whenever someone in one country accesses, views, or processes data hosted in another country. This includes cloud hosting, API calls, website plugins, and even employee access during travel. Understanding this broader definition is important because many organizations unknowingly trigger data transfer requirements through routine business operations. Privacy professionals need to look beyond obvious data exports to identify hidden data transfers through embedded tools, analytics platforms, and vendor relationships that span multiple countries.
[00:04:20] The GDPR Data Transfer Framework: Adequacy, SCCs, and Beyond: Under the GDPR, transfers of personal data outside the EEA require a valid transfer mechanism before they can occur. This isn't something you can retrofit after the fact. Danie explains that adequacy decisions (such as those for the UK or Japan) provide the simplest path, while countries without adequacy require additional safeguards like Standard Contractual Clauses (SCCs). The EU-U.S. Data Privacy Framework offers an option for certified U.S. companies, but many organizations also implement SCCs as a fallback. Privacy teams must understand that SCCs alone aren't sufficient—they trigger additional obligations like Transfer Impact Assessments to evaluate the receiving country's legal environment and potential government access to data.
[00:12:15] Learning from Major Data Transfer Violations: The TikTok and Uber cases demonstrate how data transfer violations can result in massive fines and other enforcement actions. TikTok's €530 million fine stemmed from two critical failures: inadequate safeguards when Chinese employees accessed EU user data, and lack of transparency about these data transfers in privacy notices. Similarly, Uber faced €290 million in fines for transferring French driver data to the U.S. without proper protections. These cases highlight that data transfer compliance requires both technical safeguards (encryption, access controls) and transparency (clear disclosure in privacy notices). Privacy professionals must ensure that users understand not just what data is collected, but where it goes and who can access it.
[00:27:20] Transfer Impact Assessments: Simply signing SCCs doesn't complete your data transfer compliance—you must also conduct a Transfer Impact Assessment (TIA) to evaluate real-world risks in the destination country. This involves analyzing local laws, government access powers, legal remedies available to data subjects, and the practical ability of recipients to resist data requests. The French data protection authority (CNIL) has issued updated guidance with six steps for conducting effective TIAs. Privacy professionals should view TIAs as living documents that require regular updates as laws and geopolitical situations change, not one-time compliance exercises.
[00:32:55] Global Data Transfer Requirements Beyond the GDPR: Other jurisdictions impose their own rules for cross-border transfers of personal data, and the specifics vary widely. Brazil, for example, has introduced new Standard Contractual Clauses that must be in place by August 2025, while Canada and Australia take a more general approach by requiring organizations to ensure the protection of personal data without prescribing specific contract language. China enforces stricter requirements, such as CAC-conducted security assessments and official certifications, and some countries, including South Africa in certain cases, require explicit regulator approval before a transfer can take place. These examples highlight the importance of assessing not only where data is going, but also whose data is being processed and the unique legal frameworks that may apply.
[00:37:53] U.S. Data Transfer Rules and Certification Options: Kellie and Danie discuss the bulk data transfer rule and explore various certification programs, such as the EU-U.S. Data Privacy Framework, the APEC CBPR and PRP Systems, Global CBPR, and other tools, that can help organizations manage cross-border data flows.
[00:43:42] Myth-Busting and Common Misconceptions: In a rapid-fire Q&A, Kellie and Danie tackle widespread misunderstandings about international data transfers. They explain why ISO 27001 certification doesn’t eliminate the need for SCCs, how cloud-hosted data can still count as a transfer if accessed abroad, and why pseudonymized or hashed data may still be considered personal data. They also clarify that “GDPR-compliant” vendors still require legal safeguards, that website plugins, APIs, and SDKs can create hidden transfers, and that even large, well-known vendors often use subprocessors—sometimes requiring their own TIAs.
Episode Resources: