The Data Never Stops Moving: How Cross-Border AI Flows Are Breaking Privacy Law

In 2020, the European Court of Justice struck down the EU-US Privacy Shield framework in Schrems II, ruling that U.S. surveillance law made it impossible to guarantee EU citizens' data rights when their information crossed the Atlantic. Thousands of companies found themselves in legal limbo overnight — processing European data in American infrastructure, suddenly without a legal basis for doing so. The EU and U.S. negotiated a replacement: the Data Privacy Framework, operational since July 2023. By early 2025, Schrems III was in the courts. The cycle had begun again. Data doesn't respect borders. AI doesn't respect borders. The trillion-dollar AI industry is built on data flows that cross jurisdictions constantly — training data scraped from a hundred countries, models trained on American infrastructure, inference delivered globally, behavioral data flowing back to wherever the company is incorporated. Privacy law, built on territorial jurisdiction, struggles fundamentally to keep up.