International transfers of personal data
EU data protection rules apply to the European Economic Area (EEA), which includes all EU countries and non-EU countries Iceland, Liechtenstein and Norway.
When personal data is transferred outside the European Economic Area, special safeguards are foreseen to ensure that the protection travels with the data.
The reform of EU data protection legislation adopted in 2016 offers a diversified toolkit of mechanisms to transfer data to third countries: adequacy decisions, standard contractual clauses, binding corporate rules, certification mechanism, codes of conduct, so-called "derogations" etc.
While the architecture of the international transfers' regime is similar to that under the 1995 Data Protection Directive, the reform simplifies and expands the use of existing mechanisms and introduces new tools for international transfers.
Having completed the reform of EU data protection legislation, the Commission has adopted a strategy on international data flows. Its Communication of 10 January 2017 presents its approach in developing adequacy decisions as well as other tools for transfers and international data protection instruments.
The EU has developed specific provisions concerning cross-border data flows and privacy protections to be tabled in international trade negotations.
Transfers in certain sectors are based on specific international agreements. Examples of international agreements involving the transfer of personal data are:
- the Passenger Name Records (PNR)
- the Terrorist Financing Tracking Programme (TFTP)