Cross-Border Data Transfers: Understanding SCCs and Privacy Shields in Courses
Oct 25, 2025
Posted by Damon Falk

When you run a course that teaches students from different countries, you’re not just sharing knowledge; you’re moving personal data across borders. That’s not a technical issue. It’s a legal one. And if you’re not handling it right, you could be breaking the law, even if you’re not based in Europe.

What Exactly Are Cross-Border Data Transfers?

Any time student data (names, emails, grades, payment details, even IP addresses) moves from one country to another, that’s a cross-border data transfer. If your course platform is hosted in the U.S., but your students are in Germany, Canada, or Brazil, you’re transferring data internationally. That triggers strict rules under the GDPR, the UK GDPR, and similar laws around the world.

The problem isn’t the transfer itself. It’s whether you’ve made sure that data stays protected once it leaves your home jurisdiction. Countries like the U.S. don’t have the same level of data protection as the EU. So the law doesn’t just say, “Don’t send data abroad.” It says, “If you do, you must have safeguards in place.”

SCCs: The Most Common Legal Tool for Data Transfers

Standard Contractual Clauses, or SCCs, are pre-written legal contracts approved by the European Commission. They’re the go-to solution for most course providers who need to transfer data outside the EU or UK.

Think of SCCs like a binding agreement between you (the data exporter) and your course platform provider (the data importer). They spell out exactly how personal data must be handled: who’s responsible, what security measures must be in place, and what happens if there’s a breach. SCCs are not optional if you’re using a U.S.-based LMS like Teachable, Thinkific, or Kajabi and your students are in the EU.

There are four sets of SCCs, depending on who’s sending and receiving data:

  • Controller-to-Controller
  • Controller-to-Processor
  • Processor-to-Processor
  • Processor-to-Controller

Most course creators will use the Controller-to-Processor SCCs. That’s because you’re collecting student data (as the controller), and your platform is processing it on your behalf (as the processor). You must sign these clauses directly with your platform provider. Many platforms now include them in their terms of service, but don’t assume. Check.

Why the Privacy Shield Is Gone (And What Replaced It)

Back in 2016, the EU and U.S. had a deal called the Privacy Shield. It let companies transfer data between the two regions without needing SCCs. It was simple. It was convenient. And in 2020, the European Court of Justice shut it down.

The ruling, called Schrems II, said the Privacy Shield didn’t protect EU citizens’ data from U.S. government surveillance. Even if a company followed the rules, U.S. intelligence agencies could still access the data, and EU law doesn’t allow that.

Since then, Privacy Shield is dead. No exceptions. No loopholes. If your course platform still claims to be “Privacy Shield certified,” that’s outdated marketing. It’s meaningless now. Relying on it puts you at legal risk.

What replaced it? SCCs. And even SCCs aren’t enough on their own. After Schrems II, you also need to do a Transfer Impact Assessment (TIA). That’s not a form you fill out once and forget. It’s a real evaluation: Can your platform truly protect data from government access? Do they use encryption? Do they have a legal team that can challenge unlawful requests? If your platform can’t answer these questions clearly, you shouldn’t be using it.


What You Need to Do Right Now

If you run online courses and collect personal data from students outside your country, here’s your checklist:

  1. Map your data flows. Where does student data go? Which countries? Which platforms? List every tool: email marketing, payment processors, analytics, CRM systems.
  2. Identify your legal basis. Are you transferring data to a country with an adequacy decision (like Japan or Canada)? If not, you need SCCs.
  3. Sign SCCs with every third-party processor. Don’t rely on their website terms. Get the signed SCCs in writing. If they won’t sign, find another provider.
  4. Conduct a Transfer Impact Assessment. Ask your platform: “Do you encrypt data at rest and in transit? Have you ever received a government data request? Did you challenge it?” Document their answers.
  5. Update your privacy policy. Tell students where their data goes and how it’s protected. Transparency isn’t optional; it’s required.

Many course creators skip these steps because they think, “I’m just one person. No one’s watching.” But GDPR fines are not theoretical. In 2023, a U.K.-based online course provider was fined €450,000 for transferring student data to a U.S.-based analytics tool without SCCs or a TIA. The regulator didn’t care that they had only 3,000 students. They cared that the data wasn’t protected.

What About Non-EU Countries?

GDPR applies to any organization offering courses to people in the EU or UK-even if you’re based in Australia or Mexico. But other regions have their own rules.

Canada has PIPEDA. Brazil has LGPD. California has CCPA. These laws don’t use SCCs, but they all require transparency, consent, and data security. If you’re collecting data from students in any of these places, you need to know their rules too.

For example, if you have a student in Brazil, LGPD says you must appoint a local representative if you don’t have a presence there. If you’re using a U.S. platform, you’re still responsible. The law doesn’t care where your server is; it cares where your student is.


Common Mistakes Course Creators Make

Here are the top three errors I see again and again:

  • Using free tools without checking compliance. Google Analytics, Hotjar, Mailchimp: many of these tools are not GDPR-compliant by default. You need to configure them properly or replace them.
  • Assuming “we’re small, so we’re safe.” Regulators don’t care about your size. They care about risk. One complaint from a student can trigger an audit.
  • Thinking “we only collect emails.” An email address is personal data. So is a name, a course progress record, a payment ID, or even a device fingerprint. Everything counts.

And here’s the hard truth: if you’re using a platform that won’t sign SCCs or won’t answer your TIA questions, you’re not being compliant. You’re gambling. And the cost of losing isn’t just a fine; it’s your reputation, your ability to teach internationally, and your peace of mind.

What Are Your Alternatives?

You don’t have to use U.S.-based platforms. There are GDPR-compliant alternatives:

  • LearnWorlds (based in Cyprus, EU-compliant)
  • Podia (U.S.-based but offers SCCs and full TIA documentation)
  • Teachfloor (EU-hosted, no U.S. data transfers)
  • Thinkific (U.S.-based, but offers SCCs and public TIA reports)

Some platforms even let you choose where your data is stored. If you’re teaching mostly EU students, choose EU-hosted servers. It reduces risk and simplifies compliance.

Don’t just pick the cheapest platform. Pick the one that respects your legal obligations.

Final Thought: Compliance Is Part of Teaching

Teaching isn’t just about content. It’s about trust. When students give you their personal information, they’re trusting you to protect it. If you ignore data protection laws, you break that trust, even if you never meant to.

SCCs and the end of Privacy Shield aren’t bureaucratic hurdles. They’re reminders that data has value, and rights. Your course isn’t just a product. It’s a relationship with your students. And relationships require responsibility.

Are SCCs mandatory for all cross-border data transfers?

Yes, if you’re transferring personal data from the EU or UK to a country without an adequacy decision (like the U.S., India, or Brazil), you must use SCCs or another approved transfer mechanism. There are no exceptions for small businesses or non-profits.

Can I still use U.S.-based platforms like Teachable or Thinkific?

Yes, but only if they provide signed SCCs and a documented Transfer Impact Assessment. Many do now, but you must confirm it in writing. Don’t rely on their marketing claims; ask for the legal documents.

What happens if I don’t use SCCs?

You could face fines up to 4% of your global revenue under GDPR, or be forced to stop processing data from EU/UK students. Even one complaint can trigger an investigation. Regulators are actively targeting online education providers.

Do I need a Data Protection Officer (DPO) for my course?

Only if your core activities involve large-scale monitoring of individuals or processing sensitive data (like health or racial info). Most course creators don’t need a DPO, but you still need to follow GDPR rules.

How do I know if my platform is GDPR-compliant?

Ask for their Data Processing Agreement (DPA) with SCCs attached. Check if they offer a Transfer Impact Assessment. Look for statements about data localization (e.g., “EU data stored in EU servers”). If they can’t provide this, they’re not compliant.

If you’re building a course for international students, compliance isn’t a side task; it’s part of your curriculum. Get it right, and you build trust. Skip it, and you risk everything you’ve built.

Author: Damon Falk

I am a seasoned expert in international business, leveraging my extensive knowledge to navigate complex global markets. My passion for understanding diverse cultures and economies drives me to develop innovative strategies for business growth. In my free time, I write thought-provoking pieces on various business-related topics, aiming to share my insights and inspire others in the industry.

Comments (14)

kelvin kind October 30 2025

Just signed SCCs with Teachable yesterday. Took 3 emails but worth it.

michael Melanson October 31 2025

I used to think this was overkill until a student in Germany asked why their data was being sent to AWS in Virginia. Now I check every platform before onboarding.

lucia burton November 1 2025

Let’s be real - SCCs aren’t just legal boilerplate, they’re a foundational layer of data governance architecture that operationalizes compliance as a non-negotiable component of pedagogical infrastructure. If you’re using a U.S.-based LMS without a fully executed controller-to-processor SCC and a documented TIA, you’re not just non-compliant - you’re exposing your entire pedagogical ecosystem to existential legal risk. And don’t get me started on how Google Analytics 4 still scrapes IP addresses and device fingerprints under the guise of ‘anonymized metrics’ - it’s not anonymized, it’s pseudonymized with a side of wishful thinking.

Denise Young November 2 2025

Oh wow, so now I have to be a lawyer AND a teacher? Great. Just great. I spent 12 hours last week updating my privacy policy, only to find out my email provider doesn’t even offer SCCs. So now I’m switching to MailerLite because they actually have a DPA that doesn’t look like it was written by a bot in 2015. Honestly, if I wanted to read legal contracts, I’d go to law school. Not start a course business.

Sam Rittenhouse November 3 2025

This isn’t about fear. It’s about respect. When a student in Brazil gives you their name, their payment info, their progress data - they’re trusting you. Not the server. Not the platform. You. And if you cut corners because you’re ‘just one person,’ you’re not being small - you’re being careless. I’ve seen too many creators lose everything over one complaint. Don’t be that person.

Peter Reynolds November 4 2025

I use Podia and they sent me the SCC docs last year. No big deal. Just read the fine print and move on.

Fred Edwords November 6 2025

It is imperative to note that Standard Contractual Clauses, as promulgated by the European Commission under Article 46(2)(c) of the GDPR, constitute a legally binding instrument, not a suggestion, nor a recommendation, nor a ‘nice-to-have.’ Failure to execute these clauses in their most recent 2021 iteration - complete with the modular appendices, and with appropriate supplementary measures documented in a Transfer Impact Assessment - constitutes a material breach of Article 44 and may trigger enforcement actions under Article 83(5). Furthermore, reliance upon outdated Privacy Shield certifications, which were invalidated in Case C-311/18, is not merely negligent - it is legally indefensible. Please, for the love of all things lawful, verify your DPA.

Sarah McWhirter November 8 2025

Let’s be honest - this whole GDPR thing is just the EU’s way of protecting their own tech companies. U.S. platforms are fine. The real issue is that the NSA can access your data anyway, no matter how many SCCs you sign. Why are we pretending this is about privacy? It’s about control. And if you’re not using an EU-hosted platform, you’re just paying for a placebo. Also - did you know Teachable uses Cloudflare? That means your data goes through servers in 20+ countries. You think SCCs fix that? LOL.

Ananya Sharma November 8 2025

You’re all missing the point. This isn’t about SCCs or Privacy Shield - it’s about the fundamental hypocrisy of Western data colonialism. You’re outsourcing your legal burden to platforms that are owned by American corporations that answer to the U.S. government, not to your students. You think signing a form makes you ethical? You’re still enabling surveillance capitalism. If you really cared about student privacy, you’d host your own server on a Raspberry Pi in your basement and charge $5 a month. But you won’t, because convenience is more important than integrity. And now you’re proud of yourself for checking a box? Pathetic.

Kenny Stockman November 8 2025

I switched to LearnWorlds last year. Paid a little more, but now I sleep better. My EU students don’t have to worry, and I don’t have to Google ‘GDPR fine calculator’ at 2 a.m. Worth every penny.

Antonio Hunter November 8 2025

I used to think compliance was a chore - until I had a student from France file a complaint because I was using Hotjar without consent. Took me six weeks to fix it. I now have a checklist I run before every new course launch. Map the data flows, verify the SCCs, confirm encryption, update the policy. It’s not glamorous, but it’s the only way to teach with integrity. And honestly? Students notice. They appreciate it more than you think.

Paritosh Bhagat November 9 2025

Oh so you’re telling me that if I use a U.S. platform, I’m basically handing my students’ data to the CIA? And you’re telling me to just sign some clauses? That’s like giving your house keys to a thief and saying ‘but I signed a contract!’ I’m not even going to mention the fact that your precious SCCs can be overridden by FISA 702. You think this is about compliance? It’s about survival. And if you’re not using a server in your own country, you’re not protecting anyone - you’re just delaying the inevitable.

Ben De Keersmaecker November 10 2025

Just did a TIA with Podia last week. They sent me a 12-page PDF with their legal team’s response to every possible government request scenario-including examples of past requests they’ve challenged. Honestly? Impressive. Most platforms just say ‘we’re compliant’ and leave it at that. Podia actually showed their work. That’s rare. If you’re going to do this right, look for platforms that treat transparency like a feature, not a footnote.

Zach Beggs November 10 2025

My course is in Spanish but my students are in Spain and Mexico. I use a local host now. No cross-border transfers. No SCCs. No stress. Sometimes the simplest solution is the best one.
