# What Is the International Data Transfer Risk Index? (Direct Answer)
The International Data Transfer Risk Index 2026 ranks 30 countries by how severely European data protection authorities (DPAs) are enforcing against international personal data transfers to that destination — based on adequacy status, documented enforcement actions, supplementary measure requirements, and the destination country's own surveillance and data-access laws.
Key term defined: A third-country data transfer under GDPR Chapter V is any movement of personal data from the EEA to a country outside it — including cloud storage, remote employee access, and intra-group data sharing. Every such transfer requires one of three legal bases: an EU adequacy decision (Art. 45), appropriate safeguards like Standard Contractual Clauses or Binding Corporate Rules (Art. 46), or a narrow derogation (Art. 49). The Index ranks destinations by how exposed an organization is to enforcement risk regardless of which legal basis it uses — because, as the €530 million TikTok decision demonstrated in 2025, having signed SCCs does not protect an organization if the destination country's laws can override them in practice.
The Index groups 30 destinations into five risk tiers, from Tier 1 (Adequacy-Protected) through Tier 5 (Active Enforcement Target) — reflecting where DPAs have already taken action, where they are actively investigating, and where the destination's domestic surveillance or data-access laws create structural risk that no amount of contractual paperwork can fully close.
## Why a Transfer Risk Index Matters in 2026
The legal landscape for international transfers has hardened considerably since the 2020 Schrems II ruling. As one major law firm's 2026 trends analysis puts it: organizations should not adopt an unworkable strategy of excluding every hypothetical risk of governmental access from GDPR-covered transfers — but the same analysis is explicit that transfers to countries without an EU adequacy decision are facing a harsher enforcement climate, with regulators adopting a visibly stricter stance.
Three enforcement actions define the current moment:
- TikTok — €530 million (Irish DPC, May 2025): the largest transfer-specific fine in GDPR history, for failing to verify that Standard Contractual Clauses and supplementary measures actually protected EEA user data from access under China's Anti-Terrorism Law, Cybersecurity Law, Counter-Espionage Law, and National Intelligence Law — despite TikTok having implemented Project Clover, a €12 billion data security initiative, and having prepared Transfer Risk Assessments.
- The European Data Protection Supervisor's block on transfers to India — a direct EU-institution-level decision to halt a transfer outright rather than require remediation, signaling that some destinations are now treated as categorically high-risk regardless of contractual safeguards.
- South Korea's PIPC ordering Alipay-linked data and algorithm deletion (2026): after finding a digital wallet provider sent 40 million users' data to Alipay, which built credit-style "NSF scores" without notice or consent, the PIPC didn't just fine the companies (KRW 8.3 billion) — it ordered the algorithm itself erased, eliminating the asset the violation was built to create.
The throughline across all three: regulators are no longer satisfied by paperwork. A Transfer Impact Assessment that doesn't engage with the destination country's actual surveillance laws, an SCC that the destination's domestic law can simply override, or a transfer mechanism that ignores how local algorithms repurpose the data — all of these are now active enforcement targets, not theoretical risks.
## How the Index Is Scored
Each of the 30 destination countries is scored across four factors:
| Factor | What It Measures |
|---|---|
| Adequacy Status | Does the destination hold a current EU adequacy decision (Art. 45), and if so, is that decision stable, under review, or facing legal challenge? |
| Enforcement History | Has any EU DPA taken a documented enforcement action — fine, transfer suspension order, or formal block — against transfers to this destination? |
| Domestic Access Law Risk | Does the destination have surveillance, national security, or data-localization laws that could compel disclosure of EEA personal data to government authorities in ways inconsistent with GDPR's "essential equivalence" standard? |
| Trajectory | Are enforcement and regulatory scrutiny toward this destination increasing, stable, or decreasing over the past 12 months? |
A destination's risk tier reflects the combination of these four factors, not any single one. A country can hold adequacy status and still carry meaningful risk if that decision is under active legal challenge — the EU-US framework is the clearest example of this dynamic.
## Tier 1: Adequacy-Protected — Lowest Transfer Risk
These 17 jurisdictions hold a current European Commission adequacy decision under Article 45, meaning personal data can flow from the EEA without additional safeguards. This is the full, current list as of 2026.
| Rank | Destination | Adequacy Basis | Risk Notes |
|---|---|---|---|
| 1 | Switzerland | Federal Act on Data Protection (revised) | Most stable adequacy relationship; periodically reaffirmed |
| 2 | United Kingdom | UK GDPR / Data Protection Act 2018 | Renewed to 2031 per EDPB Opinion 2025/26 (October 2025); EDPB flagged ongoing concern about evolving UK surveillance law and the Data (Use and Access) Act 2025's new "data protection test," which could create future divergence |
| 3 | New Zealand | Privacy Act 2020 | Commission's 2024 periodic review confirmed continued adequacy; well-functioning independent supervisory authority cited favorably |
| 4 | Japan | Act on Protection of Personal Information (APPI) + Supplementary Rules | Adequacy accompanied by negotiated "Additional Safeguards" beyond domestic law |
| 5 | South Korea | Personal Information Protection Act (PIPA) | Adequacy holds, but South Korea's own PIPC is simultaneously the most aggressive enforcer in Asia against transfers leaving Korea — relevant for any EU organization with Korean operations sending data onward |
| 6 | Canada (commercial only) | PIPEDA | Adequacy limited strictly to commercial organizations; does not cover federal public sector; Commission flagged ongoing PIPEDA reform (Bill C-27) as relevant to future review |
| 7 | Israel | Privacy Protection Act | Commission noted ongoing legislative reform; scope of reform will affect future adequacy assessment |
| 8 | Argentina | Personal Data Protection Act (Law 25,326) | Commission's 2024 review urged completion of legislative modernization and appointment of a permanent AAIP head |
| 9 | Uruguay | Data Protection Law | Confirmed adequate in 2024 periodic review |
| 10 | Andorra | Qualified Law on Personal Data Protection | Confirmed adequate in January 2024 review |
| 11 | Brazil | LGPD (mutual adequacy) | Newest decision (January 26, 2026) and the first mutual adequacy arrangement — both sides recognized each other's regime simultaneously |
| 12 | Guernsey | Data Protection (Bailiwick of Guernsey) Law | Pre-GDPR decision, confirmed in 2024 review |
| 13 | Jersey | Data Protection (Jersey) Law | Pre-GDPR decision, confirmed in 2024 review |
| 14 | Isle of Man | Data Protection Act | Pre-GDPR decision, confirmed in 2024 review |
| 15 | Faroe Islands | Act on Processing of Personal Data | Pre-GDPR decision, confirmed in 2024 review |
| 16 | United States (DPF-certified entities only) | EU-US Data Privacy Framework | Conditional adequacy — applies only to the roughly 5,300 organizations actively certified; non-certified US recipients require SCCs |
| 17 | European Patent Organisation | N/A (international organization) | First-ever adequacy decision for an international body rather than a country (July 2025) |
The critical caveat for Tier 1: adequacy is not permanent, and two entries in this tier carry materially higher latent risk than the others.
United States (#16): the EU-US Data Privacy Framework was upheld by the EU General Court, but legal challenge continues. The Latombe v. CNIL ruling (September 2025) found that national DPAs have discretion not to investigate complaints about the DPF — a procedural shield for now, but one description of the 2026 outlook specifically flags that the General Court's identification of low procedural barriers for future challenges, combined with ongoing US legislative shifts, makes 2026 the year most likely to bring fresh scrutiny of the framework. Organizations relying solely on DPF certification without a documented fallback to SCCs are carrying concentration risk on a single legal mechanism that has already been struck down once before (Privacy Shield, 2020).
United Kingdom (#2): the UK's Data (Use and Access) Act 2025 introduces a new "data protection test" that will eventually replace the EU's binary adequate/inadequate model with a risk-based comparative standard — for both UK government adequacy decisions and businesses relying on SCCs. The practical effect for EU-to-UK transfers is currently negligible, but the EDPB's own opinion explicitly recommends "ongoing monitoring and periodic review" rather than treating the relationship as settled.
## Tier 2: Adequacy Pending or Functionally Low-Risk — Moderate-Low Risk
These destinations do not hold a current adequacy decision but show no documented adverse DPA enforcement action and have data protection regimes broadly aligned with GDPR principles, making SCC-based transfers comparatively low-friction in practice.
| Rank | Destination | Status | Risk Notes |
|---|---|---|---|
| 18 | Indonesia | No adequacy; bilateral commitments | 2025 US trade agreement included commitments to free data flow to the US consistent with Indonesia's 2022 Personal Data Protection Law; EU transfers still require SCCs |
| 19 | Malaysia | No adequacy | Similar bilateral US trade-linked commitments in 2025; no adverse EU enforcement record |
| 20 | Thailand | No adequacy | Same pattern; Personal Data Protection Act provides a domestic framework broadly compatible with SCC-based transfer structures |
| 21 | Singapore | No adequacy | Mature, well-regarded domestic data protection regime (PDPA); frequently used as a regional data hub with no adverse EU enforcement history |
## Tier 3: Adequacy Discussions Active or Stalled — Moderate Risk
| Rank | Destination | Status | Risk Notes |
|---|---|---|---|
| 22 | Kenya | Discussions reported as paused/ongoing | No EU enforcement record; regulatory framework still maturing |
| 23 | Colombia | Discussions reported as paused/ongoing | Same profile |
| 24 | UAE / GCC states (grouped) | Active or paused discussions reported | Years-long negotiation timelines with no guarantee of outcome; treat as SCC-dependent indefinitely |
## Tier 4: Structural Legal-Access Risk — Elevated Risk
These destinations have no adequacy decision and carry documented structural risk from domestic surveillance, data-access, or localization laws that make supplementary measures genuinely difficult to design and defend.
| Rank | Destination | Key Risk Driver | Risk Notes |
|---|---|---|---|
| 25 | Vietnam | National security data transfer controls | Vietnam has implemented specific controls over data transfers that touch national security and state interests, layered on top of standard SCC requirements |
| 26 | India | EDPS enforcement block | The European Data Protection Supervisor's decision to block transfers to India outright — not merely require remediation — is one of only a handful of cases where an EU institution has stopped a transfer rather than impose a fine. India also lacks an EU adequacy decision, requiring SCCs plus a comprehensive Transfer Impact Assessment for any transfer to Indian processors, and current guidance specifically notes that India's developing data protection compliance framework means TIAs will likely surface areas requiring supplementary measures |
| 27 | South Korea (as a downstream transfer risk, distinct from #5 above) | PIPC cross-border enforcement aggression | While South Korea holds EU adequacy (Tier 1, #5), South Korea's own regulator is simultaneously among the most aggressive globally against transfers leaving Korea — the KakaoPay (KRW 5.9 billion) and Apple Distribution International (KRW 2.4 billion) penalties in January 2025, both for cross-border transfer notice failures, and the Alipay algorithm-deletion order in 2026, are directly relevant for any EU group with a Korean subsidiary in its onward-transfer chain |
## Tier 5: Active Enforcement Target — Highest Risk
These two destinations carry the most severe, directly documented enforcement actions in current GDPR transfer history.
| Rank | Destination | Defining Enforcement Action | Risk Notes |
|---|---|---|---|
| 28 | China | TikTok — €530 million (Irish DPC, May 2025) | The largest transfer-specific GDPR fine ever issued. The DPC found that China's Anti-Terrorism Law, Cybersecurity Law, Counter-Espionage Law, and National Intelligence Law do not allow for a conclusion that data receives protection essentially equivalent to the EEA — meaning the structural legal barrier exists regardless of how well-resourced an organization's compliance program is. Critically, the DPC also found that general security measures alone — encryption, access controls — are insufficient if they don't address the specific risk of government access under problematic law. TikTok's €12 billion Project Clover initiative was found not to cure this. The case also established that remote access from a third country counts as a transfer even when data never physically leaves EEA servers — meaning any organization with personnel in China remotely accessing EEA-stored data is in scope, regardless of data residency. |
| 29 | Russia | Joint Dutch/Finnish/Norwegian €100M Yango decision (2026) | The Netherlands' AP fined Yango's European operator €100 million for transferring Finnish and Norwegian users' driver's license scans, banking details, and location data to Russia without adequate safeguards — explicitly citing Russian government access powers as the core risk, in a joint investigation across three regulators. The fine was calculated against the Russian parent group's global turnover (over €12 billion), not just the EU subsidiary — a calculation method that materially raises the stakes for any group structure with a Russian-linked parent. |
| 30 | Countries designated under US Executive Order 14117 / PADFAA ("countries of concern") | US extraterritorial restriction, not EU enforcement | Distinct from DPA enforcement, but directly relevant for any EU organization with US operations: Executive Order 14117 restricts bulk transfers of sensitive personal and government-related US data to designated "countries of concern" including China and Russia, and PADFAA separately prohibits data brokers from transferring sensitive personal data to designated foreign adversaries. An EU group with US subsidiaries handling US person data faces a second, independent layer of transfer restriction on top of GDPR Chapter V — the two regimes do not always align on which destinations are restricted. |
## What the Two Worst-Case Destinations Have in Common
China and Russia sit at the bottom of the Index for structurally similar reasons, and the pattern is instructive for any organization assessing a destination not explicitly listed here.
In both the TikTok and Yango decisions, the enforcing DPA explicitly rejected the idea that strong technical security measures — encryption, access controls, even billion-euro security investment programs — can substitute for addressing the specific legal-access risk created by the destination country's domestic law. The Yango decision's reasoning, in the Dutch AP's own words, was that personal data is "not as well protected" in Russia because the government may compel access regardless of contractual or technical safeguards. The TikTok decision reached functionally the same conclusion about China's four named surveillance statutes.
The practical lesson for any organization assessing transfer risk to a country not in this Index: a Transfer Impact Assessment that evaluates encryption strength and contractual terms but does not engage with the destination's actual surveillance and government-access laws is the exact analytical gap that produced both of the largest fines in this ranking.
## Real-World Example: How One Organization's Transfer Risk Changes Across the Index
A mid-sized SaaS company with EU customers operates a support function in the Philippines (Tier 2-equivalent, no adverse record), uses a US-based cloud provider certified under the DPF (Tier 1, #16), and recently opened a small engineering office in China to access local talent (Tier 5, #28).
Philippines support team: low friction. SCCs in place, no adverse enforcement history for this destination, straightforward Transfer Impact Assessment.
US cloud provider: moderate latent risk despite Tier 1 placement. The company should verify the provider's DPF certification is current and active — not assume certification once granted is permanent — and should maintain SCCs as a documented fallback given the DPF's ongoing legal exposure.
China engineering office: the highest-risk link in the chain, and the one most likely to be invisible to compliance teams. If Chinese engineers can remotely access EEA customer data for support or debugging purposes — even without that data ever being stored on Chinese servers — the TikTok precedent establishes that this constitutes a transfer requiring full Chapter V compliance. A general security review focused on encryption and access logging would miss the actual issue: whether Chinese national security law could compel disclosure regardless of those technical controls.
This is precisely the structure the DPC's TikTok decision targeted — and it is a common architecture pattern, not an unusual one, which is why China sits at the bottom of this Index rather than being treated as a one-company problem.
## How to Use This Index for Your Own Transfer Risk Assessment
- Map every destination in your actual data flows — not just where data is stored, but everywhere it can be remotely accessed, including by offshore support, engineering, or outsourced processing teams. The TikTok precedent makes remote access itself a transfer trigger.
- Locate each destination's tier in this Index and treat Tier 4 and Tier 5 destinations as requiring board-level risk sign-off, not a standard SCC template.
- For Tier 1 destinations, confirm the specific adequacy basis still applies — particularly for the US (verify DPF certification is current and active, not just that the framework exists) and Canada (verify the adequacy decision's commercial-only scope actually covers the specific data flow).
- For any Tier 3–5 destination, build a Transfer Impact Assessment that names the specific domestic laws that could compel government access — the DPC's TikTok decision explicitly faulted TikTok's TRA for relying on high-level descriptions of Chinese law rather than detailed analysis against the European Essential Guarantees.
- Treat consent management and data minimization as transfer-risk controls, not just collection-stage controls. The less personal data that needs to flow to a high-risk destination in the first place, the smaller the enforcement surface — and verifying that consent withdrawal actually halts an active cross-border data flow, not just a marketing database update, is exactly the kind of control regulators are now checking for.
Secure Privacy's consent management and privacy governance platform helps organizations map where personal data actually flows internationally, connect consent records to the international transfer mechanisms that depend on them, and maintain audit-ready documentation as DPA enforcement against specific destinations continues to evolve.
## Frequently Asked Questions About International Data Transfer Risk

### What is the highest-risk country for GDPR data transfers in 2026?
China and Russia represent the two highest-risk destinations based on documented enforcement, carrying the largest transfer-specific GDPR fine in history (TikTok, €530 million) and the most recent coordinated multi-DPA enforcement action (the Yango decision, €100 million) respectively. Both decisions explicitly found that the destination's domestic surveillance and government-access laws create a structural barrier that technical security measures alone cannot overcome.
### Does having Standard Contractual Clauses in place guarantee compliant data transfers?
No. The TikTok decision is the clearest evidence against this assumption: TikTok had SCCs and supplementary measures in place, including a €12 billion security initiative, and was still fined €530 million because the Irish DPC found those measures did not address the specific risk of Chinese government access to the data. SCCs are necessary but not sufficient — they must be backed by a genuine Transfer Impact Assessment that engages with the destination country's actual laws, not a templated risk assessment.
### Which countries currently have an EU adequacy decision?
As of 2026, 17 jurisdictions hold adequacy decisions: Andorra, Argentina, Brazil, Canada (commercial organizations only), the European Patent Organisation, the Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, South Korea, Switzerland, the United Kingdom, the United States (DPF-certified organizations only), and Uruguay. Brazil's January 2026 decision is the newest and the first mutual adequacy arrangement, where both sides recognized each other's regime simultaneously.
### Is remote access to data from a high-risk country considered a "transfer" under GDPR even if the data never leaves Europe?
Yes. The DPC's TikTok decision established this explicitly: when personnel in a third country — in that case, China — remotely access personal data stored in the EEA, that access itself constitutes a transfer under GDPR Chapter V, regardless of where the data is physically stored. This means an organization can have all of its servers in the EU and still be in violation if staff in a high-risk jurisdiction can remotely view or process that data.
### How often do EU adequacy decisions change?
Adequacy decisions are reviewed on a four-year cycle under GDPR Article 97, and can be amended, suspended, or revoked if the European Commission finds the destination country's protections have deteriorated — as happened to the US Privacy Shield framework following the 2020 Schrems II ruling. The UK's adequacy decision was extended to 2031 following the EDPB's October 2025 opinion, but the Board explicitly flagged the UK's evolving surveillance laws and potential future divergence as grounds for "ongoing monitoring," meaning even renewed decisions are not guaranteed to remain stable for their full term.
### What should an organization do if its data flows include a Tier 4 or Tier 5 destination in this Index?
Treat it as requiring board-level risk sign-off rather than a standard compliance checklist item. Build a Transfer Impact Assessment that specifically names and analyzes the destination's surveillance, national security, and data-access laws — not just its general data protection legislation — and document why the chosen safeguards can withstand a regulator finding that a generic security review cannot substitute for that legal analysis, exactly as occurred in the TikTok decision.
## The Bottom Line
The single clearest pattern across the highest-risk tiers of this Index is that DPA enforcement has moved decisively past contractual paperwork. The TikTok and Yango decisions both found that an organization can have SCCs, encryption, access controls, and even billion-euro security programs in place and still face the largest fines in GDPR transfer history — because neither decision turned on whether the company tried hard enough. Both turned on whether the destination country's own laws could compel access to the data regardless of what the company had built around it.
For any organization mapping its own international data flows in 2026, the practical takeaway is structural, not just procedural: know exactly where your data can be accessed from — not just where it's stored — and treat every destination in Tier 4 or Tier 5 of this Index as requiring a transfer risk assessment that engages with the destination's actual government-access laws, not a templated SCC signature.
## About Secure Privacy
Secure Privacy is a consent management and privacy governance platform for organizations operating under GDPR, the EU AI Act, CCPA, and global privacy law. The platform helps organizations document data flows, manage Transfer Impact Assessments, and connect consent records to the international transfer mechanisms — SCCs, BCRs, and adequacy reliance — that depend on them.