Midjourney states that agreeing to this privacy policy and submitting your data constitutes your consent to transferring personal data across borders, including to jurisdictions with different data protection laws.
This analysis describes what Midjourney's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
The policy asserts that consent to cross-border data transfer is established by a user's agreement to the policy itself; whether this mechanism satisfies GDPR Chapter V transfer requirements may require evaluation under applicable law, as the policy separately references use of standard contractual clauses for EEA, Switzerland, and UK users.
Interpretive note: The adequacy of policy-acceptance as a GDPR-compliant cross-border transfer consent mechanism is legally uncertain; the policy also references SCCs for EEA/UK/Switzerland users, creating ambiguity about which mechanism applies in practice.
The updated privacy policy removed language describing how Midjourney shares personal data, the security measures protecting that data, children's privacy safeguards, procedures for notifying users of policy changes, and links to related policies. Users no longer have explicit disclosure of these practices within the privacy policy itself. The removal of language on how policy changes are communicated may mean users have less notice of future privacy modifications than previously stated.
View change record →Personal data may be transferred to and stored in countries with different data protection laws; the policy asserts that accepting the policy constitutes consent to this transfer, though EEA and UK users are also covered by standard contractual clauses as an additional transfer mechanism.
How other platforms handle this
Your personal information may be transferred to, stored, and processed in the United States or other countries outside of your country of residence, which may have data protection laws that are different from those in your country.
Your personal information may be transferred to, stored, and processed in the United States or other countries where our service providers and partners operate. By using our Services, you acknowledge that your personal information may be transferred to countries outside your country of residence, in...
At Ledger, earning and maintaining our users' trust is a top priority. That's why we are deeply committed not only to protecting your privacy and securing your personal data, but also to being fully transparent about how we handle it.
Monitoring
Midjourney has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
"Your information, including Personal Data, is processed at the Company's operating offices and in any other places where the parties involved in the processing are located. It means that this information may be transferred to — and maintained on — computers located outside of Your state, province, country or other governmental jurisdiction where the data protection laws may differ from those in Your jurisdiction. Your consent to this Privacy Policy followed by Your submission of such information represents Your agreement to that transfer.— Excerpt from Midjourney's Midjourney Privacy Policy
1) REGULATORY LANDSCAPE: Cross-border data transfers from the EEA, UK, and Switzerland are governed by GDPR Chapter V, UK GDPR, and Swiss Federal Act on Data Protection, which require a lawful transfer mechanism such as adequacy decisions, standard contractual clauses, or binding corporate rules. Consent as a transfer basis under GDPR requires freely given, specific, informed, and unambiguous consent that is separate from acceptance of general terms. The policy separately references SCCs for EEA/UK/Switzerland transfers, which partially mitigates exposure. Enforcement authorities include EU national DPAs, the UK ICO, and the Swiss FDPIC. 2) GOVERNANCE EXPOSURE: Medium. The assertion that acceptance of the privacy policy constitutes consent to cross-border transfer may not satisfy GDPR's standard for consent as a transfer mechanism, which requires the consent to be specific to the transfer and its associated risks. However, the policy's separate reference to SCCs for EEA/UK/Switzerland users provides an alternative lawful basis that reduces overall exposure for those user populations. 3) JURISDICTION FLAGS: EEA, UK, and Switzerland users face heightened exposure because GDPR and equivalent frameworks impose specific requirements for international transfers. US-based users are less affected by this provision. The adequacy of Midjourney's transfer mechanisms should be evaluated against current EU-US data transfer frameworks. 4) CONTRACT AND VENDOR IMPLICATIONS: Enterprise customers in the EU or UK should confirm that their data processing agreements with Midjourney include executed SCCs or equivalent transfer mechanisms, and should not rely solely on the policy consent mechanism as the legal basis for transfers. 5) COMPLIANCE CONSIDERATIONS: Compliance teams should verify that SCCs referenced in the policy are executed with all relevant data processors and sub-processors, that transfer impact assessments have been conducted where required, and that the policy's consent-as-transfer-basis assertion does not create a gap in the transfer mechanism documentation for EEA, UK, and Switzerland users.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.
Ad personalization controls removed. Contact scanning added. Advertiser data partnerships quietly dropped. A timeline of every change.
Compliance Governance Intelligence
Need to monitor specific governance provisions?
Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
The policy asserts that consent to cross-border data transfer is established by a user's agreement to the policy itself; whether this mechanism satisfies GDPR Chapter V transfer requirements may require evaluation under applicable law, as the policy separately references use of standard contractual clauses for EEA, Switzerland, and UK users.
Personal data may be transferred to and stored in countries with different data protection laws; the policy asserts that accepting the policy constitutes consent to this transfer, though EEA and UK users are also covered by standard contractual clauses as an additional transfer mechanism.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Midjourney.