Cross-border data transfer refers to the movement of personal data across national borders — from the jurisdiction where it was collected to another jurisdiction for processing, storage, or other use. In the legal AI context, the most significant cross-border data transfer scenario is EU personal data (including EU clients' legal information) being transferred to US-based AI vendors for processing.
Under the GDPR, cross-border data transfers are not automatically permitted. GDPR Chapter V (Articles 44-49) establishes a set of conditions that must be satisfied before EU personal data may be transferred to a country outside the European Economic Area (EEA). The fundamental concern is that EU data subjects' personal data should not lose its GDPR protections simply because it is transferred to a country with weaker data protection laws.
The historical legal basis for EU-US data transfers was the Privacy Shield framework, which the Court of Justice of the European Union invalidated in the Schrems II decision (Data Protection Commissioner v. Facebook Ireland and Maximillian Schrems, Case C-311/18, July 2020). The court found that US surveillance law — particularly Section 702 of FISA and Executive Order 12333 — provided inadequate protection for EU data subjects' rights because US authorities could access EU personal data transferred to the US without equivalent legal remedies available to EU data subjects.
Following Schrems II, the European Commission and US government negotiated a successor framework — the EU-US Data Privacy Framework (DPF), effective July 2023 — which provides an adequacy decision for DPF-certified US companies. The DPF enables EU data transfers to certified US companies on the same basis as transfers within the EEA. For US AI vendors that are not DPF-certified, the primary compliance mechanism is Standard Contractual Clauses (SCCs) combined with a Transfer Impact Assessment (TIA).
For law firms, cross-border data transfer compliance is directly implicated every time EU client personal data is submitted to a US-based AI tool — which includes most of the major legal AI platforms (Harvey AI, CoCounsel, Westlaw Precision AI, Lexis+ AI).
Cross-border data transfer compliance is a mandatory legal obligation, not a best practice, for law firms that process EU client personal data. Non-compliance can result in GDPR enforcement by EU data protection authorities, with fines reaching 4% of global annual turnover or €20 million. The Irish Data Protection Commission and French CNIL have been particularly active in cross-border transfer enforcement, and the legal sector has not been immune from scrutiny.
Beyond direct enforcement risk, clients impose cross-border data transfer compliance obligations on their outside counsel through outside counsel guidelines. Many EU corporations require their law firms to certify that they do not transfer client data to third-country AI vendors without adequate safeguards. These client requirements create contractual obligations for law firms that use non-compliant AI tools.
The professional responsibility dimension also applies. Submitting EU client data to a US AI vendor without adequate transfer safeguards may constitute a breach of the attorney's confidentiality obligations under ABA Model Rule 1.6 — if the transfer lacks legal authorization, the disclosure of client personal data to the AI vendor's US-based systems is effectively an unauthorized disclosure. The GDPR violation and the professional responsibility violation are two aspects of the same underlying problem.
For US law firms representing non-EU clients, cross-border data transfer concerns may still arise if the clients operate in EU markets, if counterparties to transactions are EU-based, or if the matters involve EU-regulated industries. The EU's broad extraterritorial scope of GDPR means that EU data appears in more US law firm matters than a purely territorial analysis would suggest.
How It Works
GDPR cross-border transfer compliance for law firms using US AI vendors proceeds through a structured analysis.
Step 1: Identify whether EU personal data is present. The first question is whether the specific data being submitted to the AI tool includes personal data of EU data subjects. Not all legal AI use involves EU personal data — purely domestic US matters with no EU connection may involve no EU personal data at all. If the matter has no EU connection, GDPR cross-border transfer rules do not apply.
Step 2: Identify the transfer mechanism. For transfers that do involve EU personal data, identify which transfer mechanism applies. Three main options:
- EU-US Data Privacy Framework (DPF) adequacy decision. If the US AI vendor is certified under the DPF, the transfer is permitted on the basis of the adequacy decision — the simplest compliance path. Check the DPF list at dataprivacyframework.gov.
- Standard Contractual Clauses. If the vendor is not DPF-certified, verify that the vendor's DPA incorporates the current 2021 European Commission SCCs, Module 2 (controller to processor). The SCCs must be in their original form — they cannot be modified except where the clauses expressly permit modification.
- Binding Corporate Rules, Article 49 derogations. These mechanisms are generally less applicable to law firms' AI tool relationships and are not addressed in detail here.
Step 3: Conduct a Transfer Impact Assessment. Post-Schrems II, the law firm (as controller) must conduct a Transfer Impact Assessment (TIA) for transfers based on SCCs. The TIA assesses whether the legal transfer mechanism (SCCs) is actually effective given the specific circumstances of the transfer — particularly the risk of US government access to the transferred data under US surveillance law. For most standard commercial legal AI use cases, a standard TIA template addressing the relevant factors is sufficient. The TIA must be documented.
Step 4: Verify subprocessor transfer compliance. The cross-border transfer analysis must extend to the AI vendor's subprocessors. If the primary vendor is DPF-certified or uses SCCs, but relies on subprocessors whose transfers are not adequately covered, the overall transfer chain may be non-compliant. Review the vendor's subprocessor list and DPA provisions covering subprocessor transfers.
Step 5: Implement supplementary technical measures where appropriate. For high-sensitivity transfers, technical measures may supplement the legal transfer mechanism. These include: encryption with keys held only by the law firm (preventing vendor access to plaintext data), pseudonymization before transfer (reducing the identifiability of transferred data), and data residency requirements restricting EU data to EU-located servers.
Key Considerations for Law Firms
The DPF's legal durability. The EU-US Data Privacy Framework is the third attempt at a stable EU-US transfer framework following Safe Harbor (invalidated 2015) and Privacy Shield (invalidated 2020). There is active litigation challenging the DPF's legal basis — privacy advocates have already indicated plans to challenge the DPF in the CJEU on the same grounds that invalidated Privacy Shield. Law firms should have contingency plans (SCCs and TIA readiness) in case the DPF is invalidated, rather than treating DPF certification as permanently reliable.
TIA documentation matters. The TIA is not just a compliance exercise — it is a risk assessment that must be documented in the firm's data protection record. The TIA should be proportionate to the sensitivity of the data and the scale of the transfer. For routine transfers of non-highly-sensitive commercial legal data to major US AI vendors with established security practices, a standard TIA template adapted to the specific vendor is typically sufficient. For transfers of highly sensitive data (criminal defense, whistleblower matters, sensitive M&A), more detailed TIA analysis is warranted.
Multi-cloud AI processing creates complex transfer chains. Many AI platforms process data across multiple geographic regions as part of their standard operation — routing requests to the closest available inference server, replicating data across geographic regions for resilience. This geographic distribution creates complex transfer chains that may include transfers to countries other than the US. Law firms should require AI vendors to specify the complete geographic scope of their data processing and confirm that all relevant transfers are covered by adequate transfer mechanisms.
Brexit creates a distinct UK transfer analysis. Following Brexit, the UK is no longer part of the EEA. Transfers of EU personal data to UK-based AI vendors or UK-based AI processing require a separate transfer mechanism — currently, the EU has issued an adequacy decision for the UK (renewable). UK-based AI vendors are not within the scope of the EU-US DPF. Law firms with UK operations or UK-based AI tools must maintain a distinct UK transfer analysis.
Limitations and Risks
Political risk to transfer frameworks. The EU-US DPF, like its predecessors, depends on the maintenance of the political commitments made by the US government about surveillance law limitations. Changes in US government policy or legislation affecting US intelligence access to EU data could destabilize the DPF. Law firms relying on the DPF as their primary transfer mechanism should maintain SCC and TIA capability as a contingency.
Vendor representations about data residency may not be accurate. AI vendors may represent that EU data is processed only within the EU, but their subprocessors — particularly cloud infrastructure providers — may route processing through global infrastructure. Verifying the complete geographic scope of data processing for a complex AI platform is technically challenging and depends substantially on vendor disclosure.
TIA determinations involve legal judgment under uncertainty. The TIA requires a legal assessment of the risk of US government access to transferred data. This assessment involves applying evolving legal standards to facts about how surveillance law operates in practice — areas of genuine legal uncertainty. Firms should document their TIA analysis and legal reasoning, accepting that the assessment involves judgment calls that regulators may ultimately view differently.