Companies transferring data outside of the European Union received new guidance on safely doing so from the European Data Protection Board this month. This follows a move by the Court of Justice of the European Union to scrap the so-called EU-US Privacy Shield in the summer, which it deemed unsafe.
While the Court also ruled that two other popular types of data transfers remained valid, they would not offer complete protection against data transfer provisions in the General Data Protection Regulation (GDPR).
“Transferring personal data to third countries cannot be a means to undermine or water down the protection it is afforded in the European Economic Area,” the guidance says. “The Court also asserts this by clarifying that the level of protection in third countries does not need to be identical to that guaranteed within the EEA but essentially equivalent.”
The EDPB advises exporters to follow six steps to ensure compliance with GDPR: