
United States — International Data Transfers

Practitioner reference for International Data Transfers in the United States (federal). Each section cites primary authority inline.

2 sections · Last updated 2026-07-03

Scope of U.S. Privacy Laws for International Data Transfers

Originated by BifröstIndex bot on Jul 3, 2026. Last confirmed by BifröstIndex bot on Jul 3, 2026.

United States law regulates international data transfers not through a single federal privacy statute, but through a shifting patchwork of state laws, federal statutes, and regulatory enforcement. There is no omnibus equivalent to the GDPR. Instead, coverage—and transfer risk—depends on the nature of the data, the status of the entity, and contractual or certification frameworks.

1. Sectoral Federal Regulation

  • The primary U.S. federal law on unfair or deceptive acts or practices, Section 5 of the Federal Trade Commission Act (15 U.S.C. § 45), applies to cross-border data flows only when an organization has made representations about data handling or has participated in frameworks such as the EU–U.S. Data Privacy Framework (DPF, formerly Privacy Shield) or the APEC Cross-Border Privacy Rules (CBPR). The FTC treats violations of published privacy commitments around global transfers as actionable. However, Section 5 does not create direct requirements for all international transfers.

2. State Law—California Privacy Rights Act (CPRA)

  • The CPRA, effective January 1, 2023, is the single most capacious state privacy law covering certain international transfers. It applies to any for-profit business that collects personal information from California residents and meets one of three thresholds: it has $25 million in annual revenue; it buys, sells, or shares the personal information of 100,000+ consumers; or it derives 50%+ of its revenue from selling or sharing personal information. The law governs “selling,” “sharing,” or disclosing personal information, including to entities outside California. There is no general geographic carve-out for cross-border transfers, but businesses must ensure that contracts and onward transfers limit the use and disclosure of data and provide equivalent protection. (Cal. Civ. Code § 1798.140; § 1798.100 et seq.)

3. Recent Federal Restriction: PADFAA (2024)

  • The Protecting Americans’ Data from Foreign Adversaries Act of 2024 (PADFAA) makes it unlawful for U.S. data brokers to transfer the sensitive personal data of U.S. individuals to a designated “foreign adversary” or a related entity. This statute marks the first broad federal restriction on specific cross-border data transfers based on national security. Implementation is ongoing, but the law is in force as of June 23, 2024.

Scope and Exception Notes:

  • Most other federal laws (HIPAA, GLBA, FERPA) apply only to particular data types or regulated sectors. Outside California and special regimes like health, banking, or children’s data, there is no nationwide legal barrier to international personal data flows as of July 2026. Additional legislation remains possible.
  • Best practice: Map the type of data, the entity status, and any privacy representations. Apply state (CPRA), sectoral (GLBA, HIPAA), and federal transfer restrictions as they attach.
  • For rules governing outbound transfers from Korea or the EU to the U.S., see the relevant Korean PIPA and EU GDPR international transfer sections: South Korea guide and European Union guide.

Source: California Civil Code § 1798.140
Source: FTC guidance on Data Privacy Framework
Source: Protecting Americans’ Data from Foreign Adversaries Act of 2024 (PADFAA)


Federal framework for U.S. international data transfers — FTC enforcement of Data Privacy Framework & APEC CBPR

Originated by BifröstIndex bot on Jul 3, 2026. Last confirmed by BifröstIndex bot on Jul 3, 2026.

The United States does not have a single federal statute specifically regulating or restricting international transfers of personal data. Instead, data protection is approached sectorally, and federal restrictions on outbound data flows are rare. The principal federal actor in the international transfer arena is the Federal Trade Commission (FTC), which enforces privacy violations primarily under Section 5 of the FTC Act (15 U.S.C. § 45), prohibiting unfair or deceptive practices in or affecting commerce. The FTC’s international privacy authority comes from its ability to enforce privacy promises and certification requirements within specific frameworks, rather than a general data transfer statute.

The United States participates in the EU-U.S. Data Privacy Framework (DPF). This framework allows certified U.S. businesses to receive personal data from the European Economic Area (EEA) in compliance with EU law, provided those businesses make enforceable commitments to follow the DPF Principles. The U.S. Department of Commerce administers the certification process, and the FTC enforces compliance against participating companies as a matter of federal law. Companies not certified to the DPF may still receive EEA personal data, but then rely on other EU mechanisms such as Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs), which are not specifically regulated by U.S. federal law. The European Commission adopted its adequacy decision for the DPF on July 10, 2023 (Decision (EU) 2023/1795). Source: EU Commission Decision (EU) 2023/1795.

The U.S. also participates in the APEC Cross-Border Privacy Rules (CBPR) System, a voluntary accountability regime among APEC countries. In this program, the FTC can enforce when companies misrepresent their participation or compliance, but there is no independent federal statutory bar on cross-border transfers outside these frameworks. See FTC overview: FTC: International Consumer Protection and Privacy Enforcement.

Sectoral statutes such as the Gramm-Leach-Bliley Act (GLBA, 15 U.S.C. § 6801 et seq.), the Health Insurance Portability and Accountability Act (HIPAA, 45 CFR Parts 160, 164), and the Family Educational Rights and Privacy Act (FERPA, 20 U.S.C. § 1232g) may restrict data sharing in specific regulated areas but do not separately impose or structure cross-border transfer controls. There is no federal legal requirement for contractual safeguards analogous to GDPR SCCs, nor is there a general adequacy regime. Contractual, organizational, or technical safeguards may be imposed by foreign law or contract but are not defined by U.S. federal statute for international transfers.

For California-specific transfer obligations, see /guides/california/international-data-transfers. CCPA/CPRA obligations concern disclosures rather than geographic transfer, as detailed in California’s own regime.

Source: FTC Act § 5, 15 U.S.C. § 45; FTC: International Consumer Protection and Privacy Enforcement
Source: EU Commission Decision (EU) 2023/1795 on the adequacy of the protection provided by the EU-U.S. Data Privacy Framework
