PONT Data&Privacy

Every day, large amounts of personal data are exchanged between organizations worldwide, both inside and outside the European Union (EU). These cross-border data flows are an essential part of the digital transformation, but also raise complex legal and societal issues. The protection of personal data is a central challenge here: after all, the degree of protection varies significantly by country and region.

Within the EU and European Economic Area (EEA) countries - including Norway, Liechtenstein and Iceland - a uniform and high level of data protection applies through the General Data Protection Regulation (GDPR). Here, personal data can be freely exchanged without additional measures. For transfers outside this area, however, organizations are bound by stricter rules. According to the GDPR, transfers are only allowed if the receiving third country has an "adequate level of protection" or when legal instruments such as standard contracts, codes of conduct, binding corporate rules (BCR), or specific legal exceptions are used.

The European Commission maintains a current list of countries (and sometimes sectors) approved through an adequacy decision. It remains crucial for organizations to closely monitor this list and associated conditions. Since July 2023, an adequacy decision for the Data Privacy Framework between the EU and the United States has been in place, formally allowing transfers to participating U.S. organizations once again. Nevertheless, one should keep in mind that this legal framework remains subject to debate: recent rulings by the EU Court confirm the use of the framework for the time being, but legal uncertainties and new appeals remain possible.

What is also new is that as of December 2024/2025, the European Data Protection Board (EDPB) has adopted guidelines for sharing personal data with government authorities outside the EEA, for example in the case of court decisions or international investigations. These guidelines, drafted after public consultation, give organizations more guidance on the complex considerations that international data transfers now demand: personal data protection interests weigh heavily, and transparency to data subjects and regulators is essential.