Legal & Compliance

International telehealth, GDPR, and cloud AI scribes: what US-licensed therapists treating clients abroad need to know about cross-border data exposure

A HIPAA business associate agreement satisfies US statutory requirements. It does not satisfy GDPR. When a US-licensed therapist documents telehealth sessions with EU-resident clients using a cloud AI scribe, the vendor becomes part of a cross-border data transfer that European data protection authorities have enforcement jurisdiction over — regardless of where the vendor is headquartered or how carefully the therapist complied with HIPAA. Five adversarial proceedings unique to international telehealth each have distinct legal tools that reach the vendor archive independently of the therapist.

2026-06-25 · ~2,680 words · 14 min read

International telehealth's post-COVID expansion and the compliance gap it exposed

The COVID-19 pandemic normalized telehealth in ways that the US regulatory framework had not anticipated. Within the US, PsyPACT and state telehealth practice laws created a framework — imperfect, uneven, but identifiable — for multistate practice. What did not develop at the same pace was regulatory clarity for therapists treating clients who were physically located outside the United States.

The population of US clients physically located abroad is substantial and growing. US military dependents stationed in Germany, Japan, South Korea, and elsewhere have limited access to CONUS-trained English-speaking mental health providers. American expatriates working for multinationals, NGOs, the State Department, USAID, defense contractors, and international organizations represent tens of thousands of people who maintain relationships with US-licensed therapists — some initiated before the overseas assignment, some sought specifically because the client trusts a US-trained clinician. Digital nomads, US-citizen international students, retirees abroad, and returning missionaries are further segments seeking care from providers they know.

For the US-licensed therapist, the international telehealth session looks operationally identical to a domestic one: video platform, session notes, AI scribe. The documentation workflow is the same. The clinical workflow is the same. The HIPAA obligations are the same — the client is a US person, the therapist is a US covered entity, and the vendor BAA governs. What is categorically different is the additional compliance layer that activates when the client is physically located in the European Union, the United Kingdom, Canada, or another jurisdiction with comprehensive data protection law: a second privacy framework applies to the same session's data, governed by a different legal authority with distinct enforcement tools, and a HIPAA BAA does not satisfy it.

How GDPR reaches cloud AI scribe sessions with EU-resident clients

GDPR's territorial scope is defined by Article 3. Article 3(1) applies GDPR to processing by controllers or processors established in the EU. Article 3(2) — the provision that matters for most US-based cloud AI scribe vendors — extends GDPR's reach to processing by non-EU-established entities when the processing relates to the offering of goods or services to data subjects in the EU, or to the monitoring of their behavior within the EU.

A US cloud AI scribe vendor that processes audio recordings, transcripts, and session notes generated from telehealth sessions with EU-resident clients is processing the personal data of EU data subjects. The data processed — audio recordings of therapy sessions — is health data, classified under GDPR Article 9 as a special category of personal data requiring heightened protection. The ordinary lawful bases for processing under Article 6 are supplemented by the Article 9(2) conditions for special-category data, of which only a narrow set apply to health data held by a commercial vendor.

The cross-border transfer dimension arises from GDPR Chapter V. Chapter V restricts the transfer of personal data to third countries (countries outside the EU/EEA) unless specific conditions are met: an adequacy decision by the European Commission, appropriate safeguards (standard contractual clauses, binding corporate rules), or derogations. Following the invalidation of Privacy Shield in Schrems II (Data Protection Commissioner v. Facebook Ireland, Case C-311/18, 2020), transfers from the EU to the US require either standard contractual clauses (SCCs) supplemented by transfer impact assessments, or another Chapter V mechanism. A HIPAA BAA does not constitute an SCC. It does not constitute adequate safeguards under Chapter V. It does not provide data subjects with the Chapter V protections.

When a US-licensed therapist's cloud AI scribe vendor processes EU-resident session data without a valid Chapter V transfer mechanism, the transfer is an unlawful cross-border transfer. The violation belongs to the processing arrangement — not to whether the therapist signed a BAA or whether the vendor's HIPAA compliance is otherwise exemplary. For a baseline on what cloud AI scribe vendors actually retain and transmit, see our post on what cloud AI scribes actually send to servers.

HIPAA versus GDPR: why satisfying one does not satisfy the other

The divergence between HIPAA and GDPR is structural, not technical. HIPAA is a sectoral US statute that governs covered entities and their business associates in the US healthcare industry. GDPR is a horizontal EU regulation that governs the processing of personal data of EU residents regardless of industry, sector, or the geographic location of the processor. They are parallel frameworks that may apply simultaneously to the same data processing activity.

Several specific divergences matter for cloud AI scribe use in international telehealth:

Lawful basis for processing health data. HIPAA authorizes a covered entity to use and disclose PHI for treatment, payment, and healthcare operations without patient authorization. GDPR Article 9 requires a specific condition from Article 9(2) for processing special-category health data. For a commercial vendor processing therapy session audio from EU-resident clients, the applicable Article 9(2) conditions are narrow: explicit consent of the data subject (who would need to provide GDPR-compliant consent, not just HIPAA authorization), necessity for medical diagnosis or treatment by a health professional (arguably applicable to the therapist's own processing, but its extension to a commercial vendor's retained archive is contested), or substantial public interest under EU or member state law (not applicable to a commercial vendor). A BAA does not resolve the Article 9 lawful basis question.

Data subject rights. GDPR Articles 15–22 grant EU-resident data subjects specific enforceable rights: the right to access their data, the right to erasure ("right to be forgotten"), the right to data portability, and the right to object to processing. HIPAA gives patients rights of access to their designated record set — a narrower and differently structured right. A cloud AI scribe vendor holding EU-resident therapy session archives must respond to GDPR data subject rights requests, including erasure requests, from those clients. HIPAA obligations regarding patient access to records do not exhaust GDPR obligations.

Data protection by design and by default. GDPR Article 25 requires controllers to implement data protection principles at the design stage of processing activities and by default. A cloud architecture that transmits and retains session audio by default — the standard architecture of all cloud AI scribes — does not satisfy data protection by design requirements for special-category health data of EU-resident data subjects without additional technical and organizational measures. For a foundational analysis of what a BAA actually commits a vendor to, see our post on what is a BAA and what it doesn't cover.

Five adversarial proceedings that international telehealth uniquely creates

1. EU data protection authority enforcement investigation

EU supervisory authorities — national data protection authorities such as Germany's BfDI, Ireland's Data Protection Commission, France's CNIL, or any of the other 27 EU member state DPAs — have enforcement powers under GDPR Article 58: the authority to conduct investigations, access premises and data, issue warnings, impose temporary or permanent bans on processing, and levy administrative fines under Article 83 of up to €20 million or 4% of global annual turnover, whichever is higher, for the most serious violations including unlawful cross-border transfers.

A complaint by an EU-resident therapy client — for example, a US expat in Germany who becomes aware that their therapy sessions were processed by a US cloud vendor without a valid transfer mechanism — activates the DPA's investigative jurisdiction. The DPA can investigate the vendor directly under GDPR Article 3(2), issue corrective orders, and impose fines. The therapist, if found to be a joint controller in the processing arrangement, may face separate DPA investigation. Neither the HIPAA BAA nor the therapist's US licensure status provides a defense to GDPR enforcement.

DPA investigations also follow high-profile enforcement actions and sectoral sweeps. EU DPAs have conducted coordinated enforcement actions targeting specific industries and technologies. Health data is consistently identified as a high-priority enforcement area. A cloud AI scribe vendor with EU-resident health data processed without adequate safeguards is a GDPR enforcement target regardless of whether a specific complaint triggers the investigation. For more on how cloud AI scribe vendor archives become independently reachable, see our post on whether an AI therapy note can be subpoenaed.

2. State licensing board investigation of cross-border practice

US state professional licensing boards assert jurisdiction based on the location of the client at the time of service, not the location of the therapist. This principle, applied domestically in the context of interstate telehealth, extends — with added complexity — to international telehealth. A California-licensed LCSW treating a client who is physically located in France is practicing mental health care on a client in France. France's own mental health professional licensing framework — overseen by the Conseil national de l'Ordre des médecins for psychiatrists and analogous bodies for psychologists — governs who is authorized to practice on its soil.

US state licensing boards have investigated and disciplined therapists for practicing in states where they are not licensed through cross-border telehealth. The same jurisdictional logic applies to international practice. The licensing board's concern is the practice itself — providing clinical services without authorization — not the documentation technology. But the documentation technology creates the evidence. A cloud AI scribe vendor's archive of sessions conducted with a France-resident client is a timestamped, session-by-session record of the therapist's practice activity in that jurisdiction. In a licensing board investigation, the vendor archive is the documentation of exactly what the board is investigating. For a parallel domestic analysis, see our post on PsyPACT, telehealth, and cloud data custody.

3. US counterintelligence and security clearance investigation

US clients physically located abroad frequently include individuals with US security clearances: government employees on overseas assignments, military personnel and their dependents, intelligence community contractors, State Department and USAID staff, defense contractor personnel. Clients in these categories are subject to ongoing DCSA personnel security adjudication, including periodic reinvestigations, continuous evaluation monitoring, and specific-incident investigations that may be triggered by foreign contacts, foreign travel, or counterintelligence concerns arising from the overseas assignment itself.

When a clearance-holder seeks mental health treatment from a US-licensed therapist while abroad, the therapy sessions contain disclosures that the DCSA personnel security adjudication process treats as relevant: mental health diagnoses, medication, treatment history, disclosure of stressors related to the overseas assignment (financial, marital, security-related), foreign national contacts, and the details of the overseas work environment. A cloud AI scribe vendor holds a verbatim archive of those disclosures as a US-based commercial business record. DCSA's authority to seek records from US commercial vendors as part of a personnel security investigation is not geographically limited by the client's physical location during treatment. For the domestic security clearance analysis, see our post on security clearance, therapy records, and the SF-86.

4. Foreign court proceedings and MLAT requests

When a therapy client is physically located in a foreign country — whether as an expat, a resident, or during a temporary posting — civil and family law proceedings initiated in that country's courts may seek the therapy records. Divorce and custody proceedings are the most common context: if a US expat couple separates while posted to France, French family court proceedings may involve discovery requests directed at records held in the US.

Mutual legal assistance treaties (MLATs) are the formal mechanism for cross-border criminal legal process. In civil litigation, foreign courts may issue letters rogatory seeking evidence in the US through the Hague Convention on the Taking of Evidence Abroad (Hague Evidence Convention, 1970), to which the US is a party. A US-based cloud AI scribe vendor holding therapy session archives of a France-resident client is a US entity holding potentially relevant evidence in a French civil proceeding. The foreign court's MLAT or Hague Convention request directed at the US Department of Justice or issued through US district court to the vendor creates a legal process that reaches the vendor archive from a foreign jurisdiction, without involving the therapist.

In EU jurisdictions with strong GDPR implementation, this dynamic creates a conflict of laws: the foreign court seeks the records through MLAT; the vendor is simultaneously subject to GDPR restrictions on disclosing EU-resident health data outside the EU's legal framework for lawful cross-border transfers. The intersection of MLAT process and GDPR Chapter V is an unresolved area of EU data protection law that creates significant uncertainty for vendors and their legal counsel.

5. Employer and agency duty-of-care investigation

Multinational employers, US government agencies, NGOs, international organizations, and defense contractors that deploy employees abroad have recognized duty-of-care obligations for employee health and safety in overseas postings. When an employee's mental health deteriorates during an overseas assignment — whether through occupational stress, trauma, family crisis, or clinical deterioration — employers face scrutiny about what they knew, when they knew it, and what support was made available.

In employer negligence and wrongful death litigation arising from overseas mental health crises, plaintiff attorneys seek evidence of the employer's knowledge of the employee's mental health condition and the adequacy of the employer's response. The employee's therapy records — specifically, the content of sessions in which the employee discussed workplace stressors, mental health symptoms, and functional deterioration — are directly relevant to both the damages analysis and the employer's prior knowledge. A cloud AI scribe vendor holding a verbatim archive of those sessions is a third-party record custodian in employer liability proceedings. Rule 45 subpoena authority in US federal court reaches domestic vendors regardless of where the underlying therapy sessions were conducted.

State licensing jurisdiction for out-of-country sessions: a distinct compliance layer

The PsyPACT interstate compact for psychologists and analogous state-level telehealth practice acts address the domestic version of this problem: how does a licensed therapist in one US state provide services to a client in another state without holding a license in the client's state? PsyPACT's answer is a multistate compact with participating states that grants a compact privilege. But PsyPACT — and every current multistate licensure solution — is geographically bounded to the United States. No compact provides a license to practice in France, Germany, or Australia.

This creates a structural gap for therapists serving internationally mobile US clients. The therapist's US license authorizes practice in the US. The client's physical location in a foreign country activates the foreign country's professional practice framework. Most foreign jurisdictions have not enacted frameworks accommodating US-licensed telehealth providers. The default position in most foreign jurisdictions is that providing mental health services to residents requires domestic licensure.

Some US state licensing boards have issued guidance acknowledging that treating US clients temporarily abroad (military deployments, short business trips) may not constitute unauthorized practice in the foreign jurisdiction — but explicitly decline to provide definitive guidance on longer-term expatriate practice. The documentation technology — specifically, the cloud AI scribe vendor archive — creates the evidentiary record of practice activity that both US and foreign licensing authorities rely on when practice questions arise. For a baseline on the domestic interstate telehealth analysis, see our post on telehealth therapy notes across state lines.

On-device processing eliminates the cross-border data transfer exposure

The GDPR cross-border data transfer exposure created by cloud AI scribe use in international telehealth has a straightforward technical resolution: eliminate the cross-border transfer. When a therapist uses an on-device AI scribe — audio captured and transcribed locally on the therapist's Mac, session notes drafted locally by a locally running model, no session content transmitted to or retained by a cloud vendor — there is no transfer of EU-resident personal data to a US-based commercial processor. GDPR's Chapter V restrictions do not apply because no transfer occurs.

The EU DPA enforcement exposure disappears: there is no vendor processing EU-resident health data in the US without a Chapter V transfer mechanism, because there is no vendor processing at all. The foreign court MLAT proceeding exposure disappears: there is no US vendor holding session archives that a Hague Convention letters rogatory request can reach. The employer duty-of-care subpoena finds no third-party vendor archive. DCSA's counterintelligence investigation finds no US commercial business records of the overseas therapy sessions beyond what the therapist maintains in their own clinical records.

On-device processing does not affect the quality or completeness of clinical documentation. The therapist's session notes are generated with the same quality as cloud-processed notes. The clinical record held by the therapist — the progress notes, treatment plans, assessment documentation — remains the documented record of treatment, subject to HIPAA and the applicable psychotherapist-patient privilege. What does not exist is the separately held, independently subpoenable commercial vendor archive that GDPR Chapter V's cross-border transfer restrictions were designed to address and that each of the five adversarial proceedings described in this analysis reaches by a different legal route.

For therapists serving internationally mobile clients — US expats, military dependents, government employees abroad, digital nomads — on-device processing closes the cross-border compliance gap that cloud AI scribe use creates. The architectural guarantee that session content never leaves the therapist's device is not a GDPR compliance argument; it is the precondition that makes GDPR's cross-border transfer framework irrelevant, because there is no transfer to regulate.

Conclusion

International telehealth creates a compliance landscape that is meaningfully more complex than domestic practice. A HIPAA BAA is necessary but not sufficient. GDPR's territorial reach under Article 3(2) extends to US-based cloud AI scribe vendors processing EU-resident clients' health data regardless of where the vendor is established or whether the therapist's HIPAA compliance is complete. The five adversarial proceedings that international telehealth uniquely creates — EU DPA enforcement, state licensing board investigation, DCSA counterintelligence review, foreign court MLAT proceedings, and employer duty-of-care litigation — each reach the cloud AI scribe vendor archive through a different legal channel, and none of them requires going through the therapist.

The cross-border exposure is not a hypothetical risk for therapists with occasional international clients. It is the standard risk profile for any US-licensed therapist who regularly serves US clients physically located abroad — a population that has grown substantially and has no obvious reason to contract as remote work, expatriate assignments, and international mobility continue. On-device processing eliminates this exposure at the architectural level: no transfer, no cross-border restriction, no vendor archive for five distinct adversarial proceedings to find.

Frequently asked questions

Does a HIPAA BAA satisfy GDPR when a US therapist uses a cloud AI scribe with EU-resident clients?

No. A HIPAA business associate agreement satisfies the US HIPAA framework's requirement that covered entities obtain written assurances from business associates regarding the handling of protected health information. GDPR is an entirely separate legal framework. It applies based on the location of the data subject — not the location of the therapist or the vendor. When a client is physically located in an EU member state during a telehealth session, GDPR Article 3(2) extends the regulation's reach to the processing of that client's personal data regardless of whether the processor is established in the EU. A BAA does not address GDPR's Chapter V cross-border transfer requirements, the lawful basis for processing health data under Article 9, or the data subject rights under Articles 15–22. Satisfying HIPAA and satisfying GDPR are parallel obligations — meeting one does not substitute for the other.

Can an EU data protection authority investigate a US-based cloud AI scribe vendor for processing EU-resident therapy clients' data?

Yes, under GDPR Article 3(2). GDPR applies to the processing of personal data of data subjects located in the EU by non-EU-established entities when the processing relates to offering goods or services to those data subjects or monitoring their behavior. A US cloud AI scribe vendor that processes session audio and transcripts from EU-resident therapy clients is processing health data — special-category data under GDPR Article 9 — of EU data subjects. EU supervisory authorities have enforcement powers including the authority to impose fines of up to €20 million or 4% of global annual turnover for the most serious violations including unlawful cross-border transfers. Neither the vendor's US-based operations nor the therapist's HIPAA compliance provides a defense to GDPR enforcement jurisdiction.

Does treating clients in other countries raise US state licensing board concerns for therapists?

Yes. Most US state professional licensing boards assert jurisdiction based on the location of the client at the time of service. When a client is physically located outside the United States during a telehealth session, the therapist typically cannot rely on their US state license to authorize that practice — because the foreign country's own professional licensing framework governs who may practice mental health care on its soil. No current interstate compact or multistate licensure framework addresses international practice. State licensing boards have investigated and disciplined therapists for unauthorized practice in interstate telehealth; the same jurisdictional logic extends to international sessions. Therapists treating clients abroad should consult both their state licensing board's guidance and legal counsel familiar with the client's jurisdiction.

How do US security clearance investigations access therapy records from sessions conducted with clients abroad?

Clients who hold US security clearances are subject to ongoing DCSA personnel security adjudication. When a clearance-holder receives mental health treatment from a US-licensed therapist while physically located abroad, and the therapist uses a cloud AI scribe, the vendor creates a US-based commercial business record of those sessions. DCSA's authority to seek records from US-based commercial vendors as part of a personnel security investigation is not geographically limited by the client's physical location at the time of treatment. The vendor archive documents disclosures — foreign contacts, security-related stressors, overseas work environment details, mental health diagnoses — that DCSA personnel security adjudicators treat as directly relevant to security clearance determination.

How does on-device processing eliminate cross-border data transfer exposure for international telehealth?

On-device processing eliminates the cross-border data transfer exposure entirely because it eliminates the transfer. When a therapist uses an on-device AI scribe — audio transcribed locally, notes drafted locally, no session content transmitted to or retained by a cloud vendor — there is no transfer of EU-resident personal data to a US-based commercial processor. GDPR Chapter V restrictions do not apply because no transfer occurs. EU DPA enforcement finds no vendor processing EU personal data in the US without adequate safeguards. Foreign court MLAT proceedings find no US vendor archive to reach. DCSA investigations find no commercial business records beyond the therapist's own clinical records. The therapist's own documentation remains the sole detailed record, subject to HIPAA and applicable privilege protections — but the independently subpoenable commercial vendor archive does not exist.

TherapyDraft processes sessions on your device

Every session — including sessions with clients in the EU, UK, Canada, or anywhere else — is transcribed and drafted entirely on your Mac. No audio or transcript leaves your device. No cross-border transfer. No vendor archive for foreign regulators or courts to reach.
