Cross-border data transfers post-Schrems II: are you still using SCCs for AI training data, or have you shifted to adequacy-only jurisdictions?

Schrems II invalidated Privacy Shield and raised the bar for Standard Contractual Clauses (SCCs) — requiring transfer impact assessments (TIAs) that consider the destination country's surveillance laws. For AI/ML teams that rely on training data from multiple jurisdictions, this creates real operational friction. Three scenarios I'm seeing: 1. **SCCs + TIA route**: Teams continue using SCCs but invest significant legal overhead in transfer impact assessments for each data source. The problem: TIAs for training data pipelines are inherently speculative — you can't predict which country's intelligence services might request data from your cloud provider. 2. **Adequacy-only sourcing**: Some teams now restrict training data collection to countries with EU adequacy decisions. This severely limits dataset diversity and introduces geographic bias into models. 3. **On-sovereign processing**: Keeping all data processing within EU borders using EU-based cloud regions. But even then, underlying infrastructure (e.g., AWS, GCP, Azure) may still be subject to CLOUD Act requests. For teams running production ML pipelines: - What's your actual data transfer strategy for training data? - How are you handling the tension between model performance (needs diverse data) and compliance (needs controlled transfers)? - Has any DPA actually enforced against an AI company specifically for data transfer violations (as opposed to general GDPR violations)? The EDPB's recommendations 01/2020 and 02/2020 provide supplementary measures, but applying them to ML training data flows is still largely uncharted territory.