Following a complaint by NYOB in 2021, EDPS sanctioned the European Parliament finding them to have broken EU law regarding cookie consent and data transfers. This was mainly regarding an internal coronavirus testing website. referring to illegal EU-US data transfers as they were ultimately unable to confirm the security of the information passed on at the other side, along with inconsistent and unclear messages in the cookie banners, and lack of ability to properly give consent.

See the NOYB press release: EDPS sanctions Parliament over EU-US Data Transfers to Google and Stripe

Organisations have been faced with challenges in ensuring compliant restricted transfers of personal data. This was brought about by the Schrems II case and the imminent introduction of new Standard Contractual Clauses and the a requirement to complete transfer impact assessments (TIA).

A TIA would identify all third countries and assess at each point of transfer, whether the level of protection in the importing country is equivalent to that guaranteed under the UK GDPR and EU GDPR.

EU: Understanding European Data Protection Law

The Certified Information Privacy Professional / Europe (CIPP/E) ‘Body of Knowledge’ goes beyond the GDPR.

Module 1 introduces the European Data Protection Laws and Module 6 covers ‘International Data Transfer’, which provides different options for lawfully transferring data outside the European Economic Area (EEA).

• Adequacy Decisions
• Appropriate Safeguards
  (Standard Data Protection Clauses, Ad hoc Contractual Clauses, International Agreements, Binding Corporate Rules, Certification mechanism, Codes of Conduct)
• Derogations

Find out more: CIPP/E training and certification

‍