By using X, you are treated as having consented to your data being sent to and stored in the US, Ireland, and other countries, even if you live somewhere with stricter privacy laws.
This analysis describes what X's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
The terms use continued service use as the mechanism for consenting to international data transfers, including transfers to the United States, Ireland, and unspecified other countries; for EU and UK users, this mechanism may not satisfy GDPR Chapter V transfer requirements, which generally require specific transfer safeguards rather than consent-by-use.
Interpretive note: The legal effect of consent-by-use for international data transfers varies significantly by jurisdiction; for EU/UK users this mechanism is unlikely to satisfy GDPR Chapter V requirements without additional transfer safeguards.
User data including account information, content, and usage data may be transferred to and processed in the US, Ireland, and other countries as a condition of using X. Users in jurisdictions with strong data localization or transfer restriction requirements should note that this consent mechanism may have different legal effect depending on applicable law.
How other platforms handle this
Zendesk complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce. When Zendesk transfers personal data from the EU, UK, or Switzerland to the United ...
Datadog complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce. Datadog has certified to the U.S. Department of Commerce that it adheres to the EU-...
If you would like to opt out of the disclosure of your personal information for purposes that could be considered "sales" for those third parties' own commercial purposes, or "sharing" or processing for purposes of targeted advertising, please visit the following link, which is also available in the...
Monitoring
X has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 10 platforms.
"You understand that through your use of the Services you consent to the collection and use (as set forth in the Privacy Policy) of this information, including the transfer of this information to the United States, Ireland, and/or other countries for storage, processing and use by us and our affiliates.— Excerpt from X's X Terms of Service
REGULATORY LANDSCAPE: This provision directly engages GDPR Chapter V (international data transfers), UK GDPR, and CCPA. For EU and UK users, consent-by-continued-use is not a recognized legal basis for international data transfers under GDPR; transfers require adequacy decisions, standard contractual clauses, or binding corporate rules. The EU-US Data Privacy Framework may provide a transfer mechanism for US transfers. The relevant enforcement authority is the Irish Data Protection Commission (as X's EU lead supervisory authority) and the UK Information Commissioner's Office. GOVERNANCE EXPOSURE: High for EU and UK users. The consent-by-use framing is inconsistent with GDPR transfer requirements and may create regulatory exposure. For US users, this provision is more operationally standard and less likely to create immediate regulatory conflict under current federal law. JURISDICTION FLAGS: EU/EEA users are subject to GDPR Chapter V, which requires specific transfer mechanisms not satisfied by contractual consent-by-use. California users may have rights under CCPA regarding disclosure of data transfers. The UK GDPR imposes similar transfer safeguard requirements. CONTRACT AND VENDOR IMPLICATIONS: Organizations using X to process employee or customer personal data subject to GDPR should assess whether X's DPA and transfer mechanisms (standard contractual clauses, Data Privacy Framework) are adequately documented and whether this ToS provision aligns with their data processing agreements. COMPLIANCE CONSIDERATIONS: Data protection officers should map personal data flows to the US, Ireland, and 'other countries' referenced in this clause and confirm that adequate transfer safeguards are in place beyond this ToS consent mechanism. A review of X's current DPA and transfer impact assessments is recommended for EU/UK processing.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Watcher: 10 platforms + same-day alerts. No credit card required.
Professional Governance Intelligence
Need to monitor specific governance provisions?
Professional includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
The terms use continued service use as the mechanism for consenting to international data transfers, including transfers to the United States, Ireland, and unspecified other countries; for EU and UK users, this mechanism may not satisfy GDPR Chapter V transfer requirements, which generally require specific transfer safeguards rather than consent-by-use.
User data including account information, content, and usage data may be transferred to and processed in the US, Ireland, and other countries as a condition of using X. Users in jurisdictions with strong data localization or transfer restriction requirements should note that this consent mechanism may have different legal effect depending on applicable law.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by X.