Transfers of personal data outside of EEA; What is the status today?

Transfers of personal data outside of EEA; What is the status today?

In principle, transfer of personal data to a third country is prohibited. However, there are some exceptions from this rule. A transfer can take place if the conditions laid down in the provisions of the GDPR relating to the transfer of personal data to third countries are complied with by the controller or the processor. The GDPR provides different transfer mechanisms for transfers of personal data from the EEA to a third country. In the Schrems II judgement handed down by the Court of Justice of the European Union (CJEU) on 16 July 2020 , the CJEU declared that the transfer mechanism Privacy Shield for transfers between the EEA and the U.S was no longer lawful.

The Schrems II judgement has had significant impact on international data transfers, and we will look at how the judgement has affected the use of the transfer mechanism Standard Contractual Clauses.

On 10 July 2023, the European Commission adopted its much-awaited adequacy decision for the framework replacing the Privacy Shield, the EU-U.S. Data Privacy Framework. This decision concludes that the U.S ensures an adequate level of protection – comparable to that of the EU – for personal data transferred from the EU to U.S. companies certified under the new framework. We will look at key differences between the old and new framework, and criticism from advocates for digital privacy rights stating that the EU-U.S. Data Privacy Framework is largely a copy of the Privacy Shield.

About Ane Rode

Ane is affiliated with Schjødt's IP & Technology Practice Group and specialises in IT- and technology contracts, data protection and intellectual property. Ane graduated from the University of Bergen where she wrote her master thesis on who is responsible for personal data on a blockchain.