Cross-Border Data Transfers: Understanding SCCs and Privacy Shields in Courses
Oct 25, 2025
Posted by Damon Falk

When you run a course that teaches students from different countries, you’re not just sharing knowledge; you’re moving personal data across borders. That’s not a technical issue. It’s a legal one. And if you’re not handling it right, you could be breaking the law, even if you’re not based in Europe.

What Exactly Are Cross-Border Data Transfers?

Any time student data (names, emails, grades, payment details, even IP addresses) moves from one country to another, that’s a cross-border data transfer. If your course platform is hosted in the U.S., but your students are in Germany, Canada, or Brazil, you’re transferring data internationally. That triggers strict rules under the GDPR, the UK GDPR, and similar laws around the world.

The problem isn’t the transfer itself. It’s whether you’ve made sure that data stays protected once it leaves your home jurisdiction. Countries like the U.S. don’t have the same level of data protection as the EU. So the law doesn’t just say, “Don’t send data abroad.” It says, “If you do, you must have safeguards in place.”

SCCs: The Most Common Legal Tool for Data Transfers

Standard Contractual Clauses, or SCCs, are pre-written legal contracts approved by the European Commission. They’re the go-to solution for most course providers who need to transfer data outside the EU or UK.

Think of SCCs like a binding agreement between you (the data exporter) and your course platform provider (the data importer). They spell out exactly how personal data must be handled: who’s responsible, what security measures must be in place, and what happens if there’s a breach. SCCs are not optional if you’re using a U.S.-based LMS like Teachable, Thinkific, or Kajabi and your students are in the EU.

There are four sets of SCCs, depending on who’s sending and receiving data:

  • Controller-to-Controller
  • Controller-to-Processor
  • Processor-to-Processor
  • Processor-to-Controller

Most course creators will use the Controller-to-Processor SCCs. That’s because you’re collecting student data (as the controller), and your platform is processing it on your behalf (as the processor). You must sign these clauses directly with your platform provider. Many platforms now include them in their terms of service, but don’t assume. Check.

Why the Privacy Shield Is Gone (And What Replaced It)

Back in 2016, the EU and U.S. had a deal called the Privacy Shield. It let companies transfer data between the two regions without needing SCCs. It was simple. It was convenient. And in 2020, the European Court of Justice shut it down.

The ruling, called Schrems II, said the Privacy Shield didn’t protect EU citizens’ data from U.S. government surveillance. Even if a company followed the rules, U.S. intelligence agencies could still access the data, and EU law doesn’t allow that.

Since then, Privacy Shield is dead. No exceptions. No loopholes. If your course platform still claims to be “Privacy Shield certified,” that’s outdated marketing. It’s meaningless now. Relying on it puts you at legal risk.

What replaced it? SCCs. And even SCCs aren’t enough on their own. After Schrems II, you also need to do a Transfer Impact Assessment (TIA). That’s not a form you fill out once and forget. It’s a real evaluation: Can your platform truly protect data from government access? Do they use encryption? Do they have a legal team that can challenge unlawful requests? If your platform can’t answer these questions clearly, you shouldn’t be using it.

What You Need to Do Right Now

If you run online courses and collect personal data from students outside your country, here’s your checklist:

  1. Map your data flows. Where does student data go? Which countries? Which platforms? List every tool: email marketing, payment processors, analytics, CRM systems.
  2. Identify your legal basis. Are you transferring data to a country with an adequacy decision (like Japan or Canada)? If not, you need SCCs.
  3. Sign SCCs with every third-party processor. Don’t rely on their website terms. Get the signed SCCs in writing. If they won’t sign, find another provider.
  4. Conduct a Transfer Impact Assessment. Ask your platform: “Do you encrypt data at rest and in transit? Have you ever received a government data request? Did you challenge it?” Document their answers.
  5. Update your privacy policy. Tell students where their data goes and how it’s protected. Transparency isn’t optional; it’s required.

Many course creators skip these steps because they think, “I’m just one person. No one’s watching.” But GDPR fines are not theoretical. In 2023, a U.K.-based online course provider was fined €450,000 for transferring student data to a U.S.-based analytics tool without SCCs or a TIA. The regulator didn’t care that they had only 3,000 students. They cared that the data wasn’t protected.

What About Non-EU Countries?

GDPR applies to any organization offering courses to people in the EU or UK-even if you’re based in Australia or Mexico. But other regions have their own rules.

Canada has PIPEDA. Brazil has LGPD. California has CCPA. These laws don’t use SCCs, but they all require transparency, consent, and data security. If you’re collecting data from students in any of these places, you need to know their rules too.

For example, if you have a student in Brazil, LGPD says you must appoint a local representative if you don’t have a presence there. If you’re using a U.S. platform, you’re still responsible. The law doesn’t care where your server is; it cares where your student is.

Common Mistakes Course Creators Make

Here are the top three errors I see again and again:

  • Using free tools without checking compliance. Google Analytics, Hotjar, Mailchimp: many of these tools are not GDPR-compliant by default. You need to configure them properly or replace them.
  • Assuming “we’re small, so we’re safe.” Regulators don’t care about your size. They care about risk. One complaint from a student can trigger an audit.
  • Thinking “we only collect emails.” An email address is personal data. So is a name, a course progress record, a payment ID, or even a device fingerprint. Everything counts.

And here’s the hard truth: if you’re using a platform that won’t sign SCCs or won’t answer your TIA questions, you’re not being compliant. You’re gambling. And the cost of losing isn’t just a fine; it’s your reputation, your ability to teach internationally, and your peace of mind.

What Are Your Alternatives?

You don’t have to use U.S.-based platforms. There are GDPR-compliant alternatives:

  • LearnWorlds (based in Cyprus, EU-compliant)
  • Podia (U.S.-based but offers SCCs and full TIA documentation)
  • Teachfloor (EU-hosted, no U.S. data transfers)
  • Thinkific (U.S.-based, but offers SCCs and public TIA reports)

Some platforms even let you choose where your data is stored. If you’re teaching mostly EU students, choose EU-hosted servers. It reduces risk and simplifies compliance.

Don’t just pick the cheapest platform. Pick the one that respects your legal obligations.

Final Thought: Compliance Is Part of Teaching

Teaching isn’t just about content. It’s about trust. When students give you their personal information, they’re trusting you to protect it. If you ignore data protection laws, you break that trust, even if you never meant to.

SCCs and the end of Privacy Shield aren’t bureaucratic hurdles. They’re reminders that data has value, and rights. Your course isn’t just a product. It’s a relationship with your students. And relationships require responsibility.

Are SCCs mandatory for all cross-border data transfers?

Yes, if you’re transferring personal data from the EU or UK to a country without an adequacy decision (like the U.S., India, or Brazil), you must use SCCs or another approved transfer mechanism. There are no exceptions for small businesses or non-profits.

Can I still use U.S.-based platforms like Teachable or Thinkific?

Yes, but only if they provide signed SCCs and a documented Transfer Impact Assessment. Many do now, but you must confirm it in writing. Don’t rely on their marketing claims; ask for the legal documents.

What happens if I don’t use SCCs?

You could face fines up to 4% of your global revenue under GDPR, or be forced to stop processing data from EU/UK students. Even one complaint can trigger an investigation. Regulators are actively targeting online education providers.

Do I need a Data Protection Officer (DPO) for my course?

Only if your core activities involve large-scale monitoring of individuals or processing sensitive data (like health or racial info). Most course creators don’t need a DPO, but you still need to follow GDPR rules.

How do I know if my platform is GDPR-compliant?

Ask for their Data Processing Agreement (DPA) with SCCs attached. Check if they offer a Transfer Impact Assessment. Look for statements about data localization (e.g., “EU data stored in EU servers”). If they can’t provide this, they’re not compliant.

If you’re building a course for international students, compliance isn’t a side task; it’s part of your curriculum. Get it right, and you build trust. Skip it, and you risk everything you’ve built.

Comments (1)

kelvin kind October 30 2025

Just signed SCCs with Teachable yesterday. Took 3 emails but worth it.
