EDPB Clarifies Rules on Personal Data Transfers to 3rd-Country Authorities
The European Data Protection Board (EDPB) Thursday clarified how organizations can best respond to requests for personal data transfers from non-European countries.
Sign up for a free preview to unlock the rest of this article
Privacy Daily provides accurate coverage of newsworthy developments in data protection legislation, regulation, litigation, and enforcement for privacy professionals responsible for ensuring effective organizational data privacy compliance.
The board also agreed that it and the European Data Protection Supervisor would issue a joint opinion on the European Commission's proposal to revise General Data Protection Regulation record-keeping rules for small and medium-sized companies, and announced training materials on AI and data protection.
The EDPB's final guidelines on data transfers to third-country authorities state that judgments or decisions from such authorities can't be automatically recognized or enforced in Europe. As a general rule, the board said, an international agreement might provide a legal basis and a ground for transfer, but if there's no agreement, or if it doesn't provide a legal basis or safeguard, other legal bases could be considered "in exceptional circumstances and on a case-by-case basis."
The main goal of the board's new "upskilling and reskilling on AI and data protection" projects is to address "the critical shortage of skills in AI and data protection, which is seen as a key obstacle to the use of privacy-friendly AI."
A report, "Law & Compliance in AI Security & Data Protection," is addressed to professionals such as data protection officers and privacy professionals. The second, "Fundamentals of Secure AI Systems with Personal Data," is for professionals with a technical focus, such as cybersecurity experts and developers and deployers of high-risk AI systems, the board said.