Third country laws – more than meets the eye. In practice – problematic legislation in disguise.
The European Data Protection Board has issued a “Transformers”-style plan for assessing whether or not you can transfer information to a third country.
- Controllers and processors are to conduct a thorough risk assessment of the laws of the third country that are not essentially equivalent to the protection provided by the EU.
- Even if the laws are seemingly fine, controllers need to see whether the public authorities actually breach the laws in their practice.
- Finally, they are to review a slew of documentation, including case law, ACLU reports, NSA reports, and warrant canaries – and put them all in a detailed report to be used against them by the supervisory authority.
In the words of Megatron and Optimus Prime: Controllers, rise up and risk assess…
Deeper dive in this article from OneTrust DataGuidance with comments from David Dumont, Laura Léonard, Jimmy Orucevic, Dr. Carlo Piltz and me.