---
name: data-sovereignty-patterns
description: Navigate cross-border data transfer rules — Schrems II, EU SCCs, adequacy decisions, data localization requirements for EU, US, Brazil, and other jurisdictions.
version: "1.0.0"
last-updated: "2026-04-22"
model_tested: "claude-sonnet-4-6"
category: sovereignty
platforms: [claude-code, codex, gemini-cli, cursor, copilot, windsurf, cline]
language: en
geo_relevance: [global, eu]
priority: medium
dependencies:
  mcp: []
  skills: [gdpr-data-protection]
  apis: []
  data: []
update_sources:
  - url: "https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en"
    check_frequency: "quarterly"
    last_checked: "2026-04-22"
license: MIT
---

# Data Sovereignty Patterns

> **DISCLAIMER**: Guidance only. Cross-border data transfers require legal assessment specific to your situation.

## When to Use

- Choosing cloud providers (data residency requirements)
- Using AI APIs that process data outside the EU
- Designing data architecture for multi-region deployments
- Assessing compliance for international data flows
- Responding to data localization requirements

## EU → Non-EU Transfer Mechanisms

After Schrems II (CJEU C-311/18), transferring personal data outside the EEA requires:

### 1. Adequacy Decisions (Easiest)

Countries deemed adequate by the European Commission:

| Country | Decision Date | Notes |
|---------|--------------|-------|
| UK | 2021 (renewed) | Post-Brexit, includes sunset clause |
| Japan | 2019 | Mutual adequacy |
| South Korea | 2022 | Comprehensive |
| USA | 2023 (EU-US DPF) | Data Privacy Framework, requires self-certification |
| Canada | 2001 | Commercial only (PIPEDA) |
| Switzerland | 2000 | Comprehensive |
| Israel | 2011 | Comprehensive |
| New Zealand | 2012 | Comprehensive |
| Argentina | 2003 | Comprehensive |
| Uruguay | 2012 | Comprehensive |

For adequate countries: transfer freely, no additional mechanism needed.

### 2. Standard Contractual Clauses (SCCs)

For non-adequate countries, use EU-approved SCC templates:

| Module | Scenario |
|--------|----------|
| Module 1 | Controller → Controller |
| Module 2 | Controller → Processor (most common: you → cloud provider) |
| Module 3 | Processor → Sub-processor |
| Module 4 | Processor → Controller |

**Required**: Transfer Impact Assessment (TIA) evaluating recipient country laws.

### 3. Binding Corporate Rules (BCRs)

For intra-group transfers within multinational companies. Complex, expensive, long approval (~18 months).

## Data Localization by Region

| Region | Requirement | Affected Data |
|--------|-------------|---------------|
| EU/EEA | Transfer mechanism required for export | Personal data (GDPR) |
| Russia | Localization of Russian citizens' data | Personal data |
| China | Security assessment for cross-border transfers | Personal data + "important data" |
| India | Proposed localization (DPDP Act 2023) | Sensitive personal data |
| Brazil | Similar to GDPR (LGPD) | Personal data, adequacy or SCCs |
| Saudi Arabia | Localization for certain sectors | Government, health, finance |
| Turkey | Explicit consent or BCR for transfers | Personal data |

## Architecture Patterns

### Pattern 1: EU-Only Deployment

Deploy all infrastructure in EU. Simplest compliance.

- Cloud: eu-west-1, eu-central-1, eu-north-1
- AI APIs: Use EU-hosted endpoints (Anthropic EU, Azure EU OpenAI)
- Database: Supabase EU, Neon EU, PlanetScale EU

### Pattern 2: Data Residency with Global Compute

- Store personal data in EU
- Process with EU-hosted compute
- Non-personal data can be global
- Use anonymization/pseudonymization before cross-border transfer

### Pattern 3: Multi-Region with SCCs

- SCCs in place with all non-EU processors
- TIA completed per destination country
- Regular review of adequacy decisions
- Data mapping documenting all flows

## AI-Specific Considerations

| AI Service | Data Flow | Mechanism Needed |
|-----------|-----------|-----------------|
| Claude API (Anthropic) | EU → US | EU-US DPF (if Anthropic self-certified) or SCCs |
| OpenAI API | EU → US | EU-US DPF or SCCs |
| Ollama (local) | No transfer | None (local processing) |
| Azure OpenAI (EU) | EU → EU | None (intra-EEA) |
| Google Vertex (EU) | EU → EU | None (if EU region selected) |

## What This Skill Does NOT Do

- Does not draft SCCs or BCRs (use lawyer)
- Does not perform Transfer Impact Assessments
- Does not track adequacy decision changes in real-time
- Does not cover sector-specific rules (health, finance, defense)