International Data Transfer and AI: Compliance for Global Nonprofits

The General Data Protection Regulation (GDPR) applies globally to any organization processing personal data of EU residents, regardless of where the organization is located. This means if your nonprofit has donors, volunteers, or beneficiaries in the EU, GDPR applies to you. The regulation treats international data transfers with particular scrutiny because data leaving the EU moves beyond the reach of EU data protection authorities.

When you use an AI tool hosted in another country, share beneficiary data with an international partner, or store donor information on cloud servers located outside the EU, you're engaging in an international data transfer. The GDPR requires specific legal mechanisms to legitimize these transfers, with the choice of mechanism depending on the destination country and the nature of the data being transferred.

Understanding GDPR is essential not just for compliance, but because many other countries have modeled their data protection laws on similar principles. By getting GDPR compliance right, you're often well positioned to meet requirements in other jurisdictions as well. The framework includes requirements for explicit consent, data minimization, purpose limitation, and breach notification within 72 hours of discovery.

An adequacy decision from the European Commission determines that a country provides an "essentially equivalent" level of data protection to the EU. When an adequacy decision is in place, data can flow freely between the EU and that country without additional safeguards. This is the simplest and most straightforward transfer mechanism available.

As of 2026, thirteen jurisdictions have adequacy decisions, including the United Kingdom, Canada, Japan, and the United States under the Data Privacy Framework (upheld by the September 2025 General Court judgment). The European Commission has also adopted a draft adequacy decision for Brazil, with the European Data Protection Board finding Brazil's framework closely aligned with GDPR requirements.

However, adequacy decisions can be challenged and revoked. The Schrems I decision invalidated the Safe Harbor framework, and Schrems II invalidated Privacy Shield. While the current Data Privacy Framework has withstood initial challenges, nonprofits should stay informed about potential legal developments. Even with an adequacy decision in place, organizations must ensure their specific data processing activities comply with underlying requirements.

• Countries with adequacy decisions allow data transfer without additional mechanisms
• The US-EU Data Privacy Framework covers organizations that self-certify
• Monitor adequacy decision status as legal challenges can change the landscape
• Adequacy decisions don't exempt you from all GDPR obligations, only from transfer restrictions

Standard Contractual Clauses (SCCs) are pre-approved contract templates issued by the European Commission that provide appropriate safeguards for international data transfers. When transferring data to countries without adequacy decisions, SCCs are the most accessible mechanism for most nonprofits. The European Commission released updated SCCs on June 4, 2021, incorporating requirements from both GDPR and the Schrems II decision.

The Schrems II decision in July 2020 fundamentally changed how SCCs work. The Court found that SCCs alone aren't sufficient if the destination country's laws (particularly regarding government surveillance) undermine the data protection guarantees. This means organizations must assess the legal environment in the destination country and implement supplementary measures when necessary to achieve an adequate level of protection.

The new SCCs require data exporters and importers to jointly assess the transfer, considering the details of the transfer (length of processing chain, transmission channels, types of data, purpose), the laws and practices of the destination country (especially regarding government access), and any supplementary safeguards beyond the SCCs themselves. This assessment must be documented, creating what's known as a Transfer Impact Assessment.

For nonprofits, this means you can't simply sign SCCs and assume compliance. If you're using an AI vendor that processes data in a country without an adequacy decision, you need to understand how that country's laws might impact data protection, whether the vendor can actually comply with the SCC obligations, and what additional technical or organizational measures might be needed. Common supplementary measures include encryption, pseudonymization, data minimization, and contractual commitments beyond the standard clauses.

The EU AI Act creates a parallel compliance framework that intersects with data transfer obligations. As of August 2, 2026, organizations using high-risk AI systems must comply with core requirements in Articles 9-49, including risk management, data governance, and conformity assessment. These obligations apply to AI system providers (developers) and deployers (users), with the majority of requirements falling on providers.

For nonprofits, the critical question is whether your AI use cases fall into high-risk categories. The Act defines high-risk AI systems in Annex III, including systems used for biometric identification, critical infrastructure, education and vocational training, employment management, access to essential services, law enforcement, migration and border control, and administration of justice. Many nonprofit applications, such as using AI for donor communications or basic program management, won't be classified as high-risk.

However, if you're using AI for decision-making about access to your services, for evaluating program participants, or in ways that could significantly affect individuals' opportunities or rights, your system might be classified as high-risk. In these cases, you need to ensure training datasets are representative, maintain technical documentation, design systems for human oversight, and provide clear instructions to users. These requirements intersect with data transfer obligations because demonstrating compliance may require documenting where data processing occurs and what safeguards are in place.

The AI Act compliance landscape is still evolving. Some member states have struggled to appoint enforcement authorities, and standardization bodies missed initial deadlines for developing technical standards. Nonprofits should monitor developments and, if using high-risk AI systems, begin planning for compliance now rather than waiting until August 2026. Consult with AI compliance specialists if you're uncertain whether your systems are classified as high-risk.

Beyond GDPR, some countries impose data localization requirements that mandate certain types of data must be stored within their borders. These requirements can conflict with AI vendors' global infrastructure, creating compliance challenges for nonprofits operating in multiple countries. Understanding the distinction between data residency (where data is physically stored), data localization (requirements that data remain within a jurisdiction), and data sovereignty (which nation's laws apply) is essential.

Russia's Federal Law 242-FZ requires personal data about Russian citizens to be stored first on servers inside Russia, a "mirroring" requirement where the principal copy must be in Russia but other copies can exist elsewhere. Russia has wielded these laws against international organizations, including action against the Jewish Agency for Israel in 2022, accusing the nonprofit of violating privacy laws in how it stored data about Russian citizens.

China requires Critical Information Infrastructure Operators and entities processing large volumes of personal information to store data gathered in China on Chinese servers. Cross-border transfers require security assessments, government approval, or signing government-issued Standard Contractual Clauses. For nonprofits working in China, this can severely limit which international AI tools can be used, particularly for processing beneficiary or program participant data.

When evaluating AI vendors, ask explicitly about data localization capabilities. Can they process and store your data exclusively within required jurisdictions? What additional costs are involved? Some vendors offer region-specific deployments, while others have global infrastructure that may not be compatible with localization requirements. For nonprofits with operations in countries with strict data localization laws, this may be a determining factor in vendor selection.

A particularly complex issue arises when AI vendors use customer data to train or improve their models. If your nonprofit's data, which may include information about EU residents, is used for training an AI model that's then deployed globally, you've potentially facilitated an international data transfer with unpredictable downstream uses. This creates both compliance and ethical concerns.

Many AI service agreements include clauses allowing the vendor to use submitted data for model improvement. While vendors typically claim data is anonymized before use in training, the adequacy of anonymization techniques for AI training data remains debated. Advanced AI models can sometimes infer personal information from patterns in supposedly anonymized data, a risk that's especially concerning with sensitive nonprofit data.

Carefully review AI vendor terms regarding data use. Look for "opt-out" provisions that allow you to prevent your data from being used for training. Understand where training happens and what safeguards are in place. Some vendors offer enterprise plans with enhanced data protection, including contractual commitments not to use customer data for training. While these plans typically cost more, they may be necessary for compliance when processing sensitive personal data.

Consider implementing data governance policies that explicitly address AI training data. What types of data can be submitted to AI systems that use it for training? What approval processes are required before using such systems? How do you document the legal basis for any international transfers involved? These policies help ensure consistent, compliant decision-making across your organization.

Your US-based nonprofit uses an AI writing assistant to help draft donor communications. Some of your donors are in the EU. When you input donor names and giving history to generate personalized messages, you're potentially transferring EU residents' personal data internationally, depending on where the AI service processes data.

Compliance approach: First, verify where the AI service processes data. If the vendor is US-based and participates in the Data Privacy Framework, transfers from the EU to that vendor are covered by the adequacy decision, simplifying compliance. Ensure your contract includes standard data protection terms. Update your privacy policy to inform donors that their data may be processed using AI tools, and consider implementing data minimization by removing unnecessary identifying information before using AI assistance.

If the AI vendor processes data in countries without adequacy decisions, you'll need Standard Contractual Clauses and a Transfer Impact Assessment. However, for this use case, you might instead choose to work with vendors that have simpler compliance paths, or use AI tools deployed locally rather than cloud-based services that involve international transfers.

Your nonprofit works with partner organizations in multiple countries to deliver programs. You share beneficiary data with partners so they can coordinate services, track outcomes, and report to funders. This involves regular data transfers to countries with varying levels of data protection.

Compliance approach: Map all partner countries and assess their data protection frameworks. For partners in countries with adequacy decisions, data sharing is relatively straightforward, though you still need appropriate data sharing agreements addressing purpose limitation, security, and data subject rights. For partners in countries without adequacy decisions, implement Standard Contractual Clauses and conduct Transfer Impact Assessments.

Pay special attention to data localization requirements in partner countries. Some countries may require beneficiary data to be stored locally, potentially limiting which systems you can use for shared databases. Consider whether federated approaches (where each partner maintains their own data locally, with aggregated analysis rather than raw data sharing) might reduce compliance complexity while still enabling program coordination.

You want to use AI to analyze program outcomes, identifying patterns in what works for different beneficiary populations. The AI tool you're considering is cloud-based, with data processing occurring across the vendor's global infrastructure. Your program serves participants in the EU, and some of the data is considered sensitive (health information, information about vulnerable populations).

Compliance approach: This scenario requires careful assessment because it involves sensitive data and potentially high-risk AI applications. Start by questioning whether this specific AI approach is necessary or whether alternative analytical methods might achieve similar insights with less compliance complexity. If you proceed with AI, the combination of sensitive data and EU data subjects means you need robust safeguards.

Seek AI vendors that offer EU-specific deployments where data doesn't leave the EU, eliminating international transfer issues for EU participant data. Implement strong pseudonymization or anonymization techniques before data enters the AI system. Conduct a thorough Transfer Impact Assessment that addresses the sensitivity of the data and potential harms from disclosure. Consider whether this use case might qualify as high-risk under the EU AI Act, requiring additional safeguards. Given the complexity, consulting with specialized legal counsel is advisable before proceeding.

Your nonprofit is launching a global fundraising campaign using an AI-powered donor management platform. You'll be collecting donor information from supporters in multiple countries, including the EU, UK, Canada, and countries without comprehensive data protection laws. The platform uses AI for donor segmentation, predictive analytics about giving likelihood, and campaign optimization.

Compliance approach: This scenario demonstrates the complexity of truly global operations. You need to comply with data protection laws in all countries where you collect donor data, not just GDPR. Create a comprehensive privacy notice that addresses all relevant jurisdictions, explaining how donor data will be used (including AI-powered analytics), where it will be processed, and what rights donors have.

For the donor management platform, ensure it supports compliance with multiple regulatory frameworks. Look for platforms that allow region-specific configurations, enabling you to handle EU data with GDPR-compliant settings while managing data from other regions according to their requirements. Implement role-based access controls so staff only access donor data from regions they're working with. Document your legal basis for processing in each jurisdiction, as this varies (consent in some places, legitimate interests in others, contractual necessity in yet others).