The third country problem under the GDPR: enhancing protection of data transfers with technology

Abstract

The overall objective of the General Data Protection Regulation (GDPR)1 is two-fold: To contribute to the protection of privacy and personal data and to promote the free flow of personal data within the protected area2 through uniform regulations and homogenized interpretations of those regulations.<p>

<p>If a controller or processor in the protected area (the exporter) transfers personal data to a country, region, or international organization outside the EEA, the exporter gets the advantage of the free flow of personal data to an area without homogenized data protection rules and interpretations. Under such circumstances, it is imperative to establish requirements that contribute to the initial objective of the GDPR, the protection of privacy and personal data. In EU data protection law, this requirement is known as the ‘essentially equivalent’ requirement.4 If personal data are to be transferred outside the protected area, the receiving country must have a level of personal data protection ‘essentially equivalent’ to the protected area.