Third country laws – more than meets the eye. In practice – problematic legislation in disguise.

The European Data Protection Board has issued a “Transformers”-style plan for assessing whether or not you can transfer information to a third country.

  • Controllers and processors are to conduct a thorough risk assessment of the laws of the third country that are not essentially equivalent to the protection provided by the EU.
  • Even if the laws are seemingly fine, controllers need to see whether the public authorities actually breach the laws in practice.
  • Finally, they are to review a slew of documentation, including case law, ACLU reports, NSA reports, and warrant canaries – and put them all in a detailed report to be used against them by the supervisory authority.

In the words of Megatron and Optimus Prime: Controllers, rise up and risk assess…

Deeper dive in this article from OneTrust DataGuidance with comments from David Dumont, Laura Léonard, Jimmy Orucevic, Dr. Carlo Piltz and me.