The EU General Data Protection Regulation (GDPR) aims to protect personal data outside EU borders by its rules on territorial scope and its restrictions on international data transfers. Despite its importance in EU fundamental rights law, the purpose and interaction of the GDPR’s protections of cross-border data processing have long been shrouded in confusion. Initiatives of EU bodies to interpret the GDPR’s safeguards illustrate the need for EU law to demonstrate clarity and consistency in defending fundamental rights outside EU borders. Only by maintaining the high level of protection required by the GDPR and the Court of Justice, can the EU’s ambitions of cross-border data protection be realized and the GDPR’s influence in third countries be maintained.