Coinbase transfers your personal data to the United States and other countries that may have weaker privacy laws than your home country, relying primarily on Standard Contractual Clauses for EU users.
Current version adds explicit 'consent by using our Services' language and emphasizes data protection disparity, while removing specific mention of EEA, UK, and Switzerland.
View full change record →Your personal and financial data is transferred internationally to the United States and potentially other countries, which may provide fewer privacy protections than your home jurisdiction, affecting EU/EEA users' ability to enforce their GDPR rights.
Cross-platform context
See how other platforms handle Cross-Border International Data Transfers and similar clauses.
Compare across platforms →If you are in the EU/EEA, your data being transferred to the US means it may be subject to US government surveillance programs, and your GDPR rights may be harder to enforce against a US-based company.
REGULATORY FRAMEWORK: GDPR Chapter V (Arts. 44-49) governs international transfers of personal data from the EEA; valid transfer mechanisms include adequacy decisions (EU-US Data Privacy Framework effective July 2023), Standard Contractual Clauses (SCCs — Commission Decision 2021/914), Binding Corporate Rules, and Art. 49 derogations. Schrems II (C-311/18) requires transfer impact assessments (TIAs) for SCCs. UK GDPR and the UK-US data bridge apply for UK users. Swiss Federal Act on Data Protection (nFADP) applies for Swiss users. GDPR Art. 49(1)(a) consent as a transfer basis requires explicit, informed consent and is permissible only for non-repetitive transfers — reliance on user consent in a ToS for routine transfers is unlikely to withstand DPA scrutiny. Enforcement authorities: EU/EEA national DPAs, EDPB, ICO (UK), and Swiss FDPIC.
Compliance intelligence locked
Regulatory citations, enforcement risk, and due diligence action items.
Watcher: regulatory citations. Professional: full compliance memo.