Legal protection of personal data that are transferred or processed outside the EU’s territorial boundaries has been strengthened in recent years, both in the GDPR and by the Court of Justice. The main mechanisms for guarding against data protection threats originating from outside the EU’s borders are rules on the territorial scope of EU data protection law (Article 3 GDPR), which allow its application to data processing by non-EU parties, and data transfer restrictions (Chapter V GDPR), which protect personal data that are transferred to third countries. The GDPR does not indicate how these two mechanisms interact, which has led to initiatives to disapply data transfer rules when data processed outside the EU are already subject to it. However, there has been little transparency about these initiatives or explanation of their rationale, despite their significance for the protection of EU data and their impact on the GDPR’s global reach. For the protection of EU data against external threats to be both legally sound and effective in practice, it is necessary to examine the nature and interaction of rules on territorial scope and data transfers, in order to determine how the EU’s vision of cross-border data protection can be realised.