The policy states that personal information may be transferred to and stored on computers outside a user's home jurisdiction, including to jurisdictions with less protective privacy laws, without specifying the transfer mechanisms used to safeguard EEA personal data.
This analysis describes what Medium's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
The policy's disclosure of cross-border data transfers without specifying the legal mechanism used for EEA transfers, such as Standard Contractual Clauses or an adequacy decision, creates a compliance documentation gap relevant to GDPR Chapter V requirements enforced by EU supervisory authorities.
Interpretive note: The policy does not specify which GDPR-compliant transfer mechanism is relied upon for EEA personal data transferred to the United States, creating ambiguity about the legal basis for such transfers.
Simplified provision by removing company headquarters/operations details and broadening from US-specific focus to any cross-border transfer with weaker privacy protections.
View full change record →The agreement establishes that personal information including identifiers and behavioral data may be transferred and stored outside a user's home jurisdiction; for EEA users, the applicable transfer safeguard mechanism is not specified in the policy text.
How other platforms handle this
At Ledger, earning and maintaining our users' trust is a top priority. That's why we are deeply committed not only to protecting your privacy and securing your personal data, but also to being fully transparent about how we handle it.
Your personal information may be transferred to, stored, and processed in the United States or other countries outside of your country of residence, which may have data protection laws that are different from those in your country.
Your personal information may be transferred to, stored, and processed in the United States or other countries where our service providers and partners operate. By using our Services, you acknowledge that your personal information may be transferred to countries outside your country of residence, in...
Monitoring
Medium has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
"Your personal information may be transferred to, and maintained on, computers located outside of your state, province, country, or other governmental jurisdiction where the privacy laws may not be as protective as those in your jurisdiction.— Excerpt from Medium's Medium Privacy Policy
1. REGULATORY LANDSCAPE: GDPR Chapter V (Articles 44-49) requires that transfers of personal data to third countries be subject to an adequacy decision, Standard Contractual Clauses, Binding Corporate Rules, or another approved mechanism. The Schrems II judgment (CJEU C-311/18) invalidated Privacy Shield and requires case-by-case assessment of transfer mechanisms to the United States. The EU-US Data Privacy Framework (DPF), adopted in 2023, provides an adequacy basis for transfers to certified US organizations but remains subject to legal challenge. 2. GOVERNANCE EXPOSURE: Medium. The policy's generic cross-border transfer disclosure without specifying the mechanism used for EEA transfers is a recognized transparency gap under GDPR Articles 13 and 14, which require disclosure of the transfer mechanism or adequacy basis. EU supervisory authorities have issued enforcement actions against organizations for inadequate transfer mechanism disclosure. 3. JURISDICTION FLAGS: EEA users have primary exposure. UK users are subject to equivalent requirements under UK GDPR and the UK-US Data Bridge. Swiss users are subject to nFADP requirements regarding cross-border transfers. 4. CONTRACT AND VENDOR IMPLICATIONS: Organizations subject to GDPR that use Medium as a processor or sub-processor should request confirmation of the transfer mechanism relied upon for EEA personal data and update Data Processing Agreements accordingly. 5. COMPLIANCE CONSIDERATIONS: EU data protection officers should request Medium's transfer impact assessment documentation and confirm which transfer mechanism is relied upon for US data transfers. If Medium relies on SCCs, organizations should verify that the SCCs are the current 2021 European Commission-approved versions.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.
Compliance Governance Intelligence
Need to monitor specific governance provisions?
Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
The policy's disclosure of cross-border data transfers without specifying the legal mechanism used for EEA transfers, such as Standard Contractual Clauses or an adequacy decision, creates a compliance documentation gap relevant to GDPR Chapter V requirements enforced by EU supervisory authorities.
The agreement establishes that personal information including identifiers and behavioral data may be transferred and stored outside a user's home jurisdiction; for EEA users, the applicable transfer safeguard mechanism is not specified in the policy text.
ConductAtlas has identified this type of provision across 55 platforms. See the full comparison.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Medium.