Both within and outside the European Union (EU), large volumes of cross-border transfers of personal data occur daily. Almost every organization has to deal with the transfer of personal data to other countries. However, the protection of personal data is not the same everywhere and data transfers outside the EU are not always permitted. Different rules apply to transfers of personal data to countries within the EU than to transfers to countries outside the EU.(1)
Within the EU, the level of data protection is the same. The General Data Protection Regulation (AVG) applies to all EU member states, allowing the transfer of personal data between member states without the need for additional measures. In addition, the EU has assessed that Liechtenstein, Norway and Iceland also meet an "adequate level of protection. Together with the EU member states, these three countries make up the European Economic Area (EEA).
Different rules apply to transfers of personal data from EU member states to countries outside the EU, so-called third countries. Under the AVG, transfers are only permitted to countries that provide "an adequate level of protection" or under one of the legal provisions in Chapter V of the AVG.(2)
There are four cases is possible to transfer personal data to a third country. This is permitted on the basis of:
an adequacy decision;
appropriate safeguards;
binding corporate rules (BCR);
specific exceptions.(3)
The European Commission (EC) has compiled a list of third countries that have an adequate level of protection. The EC conducts regular discussions with third countries to assess them, as a result of which the list continues to expand.(4)
The United States (US) does not appear on the EC's list. Until recently, transfer to the U.S. was possible under the EU-US privacy shield. However, on July 16, 2020, in the Schrems II ruling, the European Court of Justice declared the privacy shield invalid. This means that since this date, the privacy shield may no longer be used to transfer personal data to the US.(5)
Footnotes
(1) https://autoriteitpersoonsgegevens.nl/nl/onderwerpen/internationaal/doorgifte-binnen-en-buiten-de-eu
(2) https://eur-lex.europa.eu/legal-content/NL/TXT/?uri=CELEX:32016R0679#d1e4216-1-1
(3) https://autoriteitpersoonsgegevens.nl/nl/onderwerpen/internationaal/doorgifte-binnen-en-buiten-de-eu#wanneer-mag-ik-persoonsgegeven-doorgeven-naar-landen-buiten-de-eu-derde-landen-6551
(4) https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en#dataprotectionincountriesoutsidetheeu
(5) https://autoriteitpersoonsgegevens.nl/nl/onderwerpen/internationaal/doorgifte-binnen-en-buiten-de-eu#wanneer-mag-ik-persoonsgegevens-doorgeven-naar-de-vs-5539
No legal basis for automatic data sharing between government agencies, says minister
News press releaseEDPB makes it easier for organizations to comply with the AVG
News press releaseGuidelines third-country transfer final and new training materials AI & AVG
Policy noteUpdated EU AI model contract provisions now available
News press releaseEU and US strike important data deal: what's in it?
Background articlesEuropean Commission and United States intensify negotiations on transatlantic data flows
NewsSchrems: 'Facebook bypasses AVG with general terms and conditions'
NewsOne change after another in the area of international data transfer - where to go from here?
Article
