International Data Transfers

What it is

If you are based in the EU, UK, or another country, your personal data is transferred to and stored in the United States, where different privacy laws apply, though Eventbrite states it uses EU-approved Standard Contractual Clauses to make these transfers lawful.

Why it matters (compliance & governance perspective)

EU and UK users' data is processed under US law once transferred, and the adequacy of Standard Contractual Clauses as a transfer mechanism is subject to ongoing regulatory and legal scrutiny.

Consumer impact (what this means for users)

EU and UK users' personal data is transferred to the United States for processing, meaning it is subject to US legal access frameworks, though Eventbrite states it uses Standard Contractual Clauses as a safeguard for these transfers.

Institutional analysis (Compliance & governance intelligence)

1. REGULATORY LANDSCAPE: This provision directly engages GDPR Chapter V, which regulates transfers of personal data to third countries. Standard Contractual Clauses (SCCs) are the mechanism cited; the updated SCCs adopted by the European Commission in 2021 are the current standard, and their use must be accompanied by a transfer impact assessment (TIA) evaluating US law's impact on data subject rights. The EU-US Data Privacy Framework may also be relevant if Eventbrite participates, though this is not specified. UK GDPR requires separate transfer mechanisms following Brexit, including the UK's International Data Transfer Agreement (IDTA). 2. GOVERNANCE EXPOSURE: Medium. The use of SCCs is standard practice but not automatically sufficient following the Schrems II ruling by the Court of Justice of the EU, which requires supplementary TIAs. Eventbrite's policy references SCCs but does not disclose whether TIAs have been conducted, creating a compliance gap that EU supervisory authorities may investigate. 3. JURISDICTION FLAGS: EU/EEA and UK users face the most direct exposure. National data protection authorities in EU member states have authority to investigate and suspend transfers where SCCs are deemed inadequate. The adequacy of SCCs for specific categories of data (including behavioral and payment data) may vary depending on the TIA outcomes. 4. CONTRACT AND VENDOR IMPLICATIONS: Enterprise customers in the EU or UK using Eventbrite for corporate events should confirm that data transfer mechanisms are documented and up to date, and that Eventbrite has executed the relevant SCC modules appropriate to the controller-processor or controller-controller relationship. Vendor assessments should include a review of Eventbrite's TIA methodology. 5. COMPLIANCE CONSIDERATIONS: Legal teams should verify whether Eventbrite's SCCs reference the 2021 EU standard clauses and whether appropriate UK IDTA or addendum documentation exists for UK data transfers. DPIAs may be required for large-scale transfers of attendee data. Organizations subject to EU data protection law should confirm their own obligations when directing EU employees or customers to register for events on Eventbrite's platform.

Applicable agencies

Applicable regulations

Provision details

Other risks in this policy

• Attendee Data Shared With Event Organizers high
• Behavioral Advertising and Data Sale Opt-Out high
• Broad Personal Data Collection Scope medium
• Children's Privacy Restriction medium
• User Privacy Rights (Access, Deletion, Portability, Correction) medium
• Data Retention low

Related Analysis

• Meta Removed 438 Sentences From Its Privacy Policy. Here Is What Disappeared.

  ConductAtlas detected a major restructuring of Meta’s privacy policy that removed detailed consumer rights disclosures and relocated them to separate documents.

• 23andMe Is Bankrupt. What Happens to Your DNA Now?

  Your genetic data may be transferred to a new owner as a business asset. Here is what the Terms of Service actually say and what you can do right now.