Cross-Border Data Transfers and SCCs

What it is

Personal data about EU, UK, and Swiss users is controlled by Okta's Irish entity and transferred to the US using Standard Contractual Clauses, which are the EU-approved contracts that allow this kind of international data transfer.

Why it matters (compliance & governance perspective)

EU, UK, and Swiss users' personal data is being transferred to the United States, and the legal validity of that transfer depends on Okta's correct implementation of the current SCCs, which were updated in 2021 and require accompanying transfer impact assessments.

Consumer impact (what this means for users)

If you are based in the EU, UK, or Switzerland, your personal data is transferred to the United States under Standard Contractual Clauses. This provides a legal framework for the transfer but does not eliminate the risk that US intelligence laws could affect access to your data; the practical adequacy of this protection depends on Okta's implementation of required safeguards.

Institutional analysis (Compliance & governance intelligence)

REGULATORY LANDSCAPE: This provision engages GDPR Chapter V (international data transfers), the European Commission's 2021 Standard Contractual Clauses, UK GDPR and the UK's International Data Transfer Agreement, and the Swiss Federal Act on Data Protection. The Irish Data Protection Commission is the lead supervisory authority for Okta Ireland Limited. Post-Schrems II requirements mandate that SCCs be accompanied by a transfer impact assessment where applicable; this policy does not describe whether such assessments are conducted. GOVERNANCE EXPOSURE: Medium. SCCs are a recognized transfer mechanism, but regulatory scrutiny of US-based cloud providers receiving EEA data remains elevated. The adequacy of Okta's transfer impact assessments and supplementary measures (if any) is not described in this policy and would need to be confirmed through the DPA. JURISDICTION FLAGS: EU/EEA organizations have heightened exposure given DPC enforcement activity and the ongoing scrutiny of US data transfers. UK organizations must separately confirm that UK-specific transfer mechanisms (IDTA or addendum to EU SCCs) are in place, as the UK is no longer covered by EU SCCs alone. Swiss organizations should confirm alignment with the revised Swiss FADP effective September 2023. CONTRACT AND VENDOR IMPLICATIONS: Enterprise customers should request copies of Okta's executed SCCs and confirm they reflect the 2021 modular versions. Transfer impact assessments should be requested or conducted for high-risk processing. Organizations subject to sector-specific transfer restrictions (financial services, health) should confirm that cross-border transfer documentation covers all relevant data categories. COMPLIANCE CONSIDERATIONS: Legal teams should confirm that Okta's DPA includes the 2021 EU SCCs with the appropriate module, that a UK IDTA or addendum is in place for UK data, and that transfer impact assessments addressing US surveillance law risks have been conducted. Annual review is advisable given the evolving adequacy landscape.

Applicable agencies

Applicable regulations

Provision details

Other risks in this policy

• Controller-Processor Bifurcation high
• Third-Party Data Enrichment and Purchase medium
• Cookie and Tracking Technology Disclosure medium
• California Consumer Privacy Rights and Opt-Out of Sharing medium
• Data Retention low
• Sharing with Business Partners and Third Parties medium

Related Analysis

• Meta Removed 438 Sentences From Its Privacy Policy. Here Is What Disappeared.

  ConductAtlas detected a major restructuring of Meta’s privacy policy that removed detailed consumer rights disclosures and relocated them to separate documents.

• 23andMe Is Bankrupt. What Happens to Your DNA Now?

  Your genetic data may be transferred to a new owner as a business asset. Here is what the Terms of Service actually say and what you can do right now.