A cross border transfer describes the transmission of personal data from one country (jurisdiction) to another. Most privacy legislation provides regulations and guidelines for transferring information across borders. GDPR uses binding corporate rules to define how data can be transferred. These rules regulate how to transfer data within a company and/or with EU and EEA companies that have agreed to these rules.
The EU member states are Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, and the United Kingdom. The EEA states are Iceland, Norway, and Liechtenstein.
For transfers from EU businesses to companies in the United States, the rules of Privacy Shield regulate cross border transfers. In contrast, the CCPA does not specifically address cross border transfers. The Privacy Shield provides organizations the requirements and obligations for United States companies to transfer data to and from European Union states. US companies self-certify following the guidelines from the US Department of Commerce and commit to following privacy and protection principles.