This chapter examines how data flows are managed by the General Data Protection Regulation. Strict rules of equivalency manage transfers for non-EEA states and recent challenges to agreed data equivalency rulings, in particular, in the case of Maximillian Schrems v Data Protection Commissioner decision have proven challenging for regulators. This chapter will examine these challenges and what GDPR says is permissible and what is not in relation to transfers to third countries. In addition to the Schrems decision, the chapter also examines the more recent Digital Rights Ireland Ltd v European Commission and Data Protection Commissioner v Facebook Ireland Ltd and Maximillian Schrems cases.
Chapter
This chapter examines how data flows are managed by GDPR and UK GDPR. Strict rules of adequacy manage transfers between EEA and non-EEA states (including the UK) and recent challenges to agreed data equivalency rulings, in particular in the case of Maximillian Schrems v Data Protection Commissioner decision have proven challenging for regulators. This chapter will examine these challenges and what GDPR and UK GDPR says is permissible and what is not in relation to transfers to third countries. In addition, to the Schrems I decision the chapter also examines the more recent Digital Rights Ireland Ltd v European Commission and Data Protection Commissioner v Facebook Ireland Ltd and Maximillian Schrems (Schrems II) challenges to both adequacy rulings and standard contractual clauses. The chapter also examines the current state of UK adequacy and what challenges it might face.
