The map published by the French Data Protection Authority (DPA), the CNIL, gives an overview of the countries that have adopted specific data protection legislation and have data protection authorities in place, and classifies those countries with reference to the EU General Data Protection Regulation (GDPR).

Although the tool provides quick visual insights into the complex data protection landscape, the help it may bring in practice remains limited. The map reflects a position taken by the French DPA, but it does not set out which additional safeguards need to be implemented in practice to ensure that international data transfers comply with the GDPR requirements. The question of what stakeholders concretely have to do to ensure they can transfer personal data therefore remains open.

According to the CNIL, six categories of countries may be distinguished:

  • Countries belonging to the European Union (EU) or the European Economic Area (EEA);
  • Adequate countries;
  • Partially adequate countries;
  • Countries with authority and law(s);
  • Countries with data protection law(s); and
  • Countries with no specific law.

This approach reflects the spirit of the GDPR, under which personal data should only be transferred to countries that offer equivalent protection. The issue, however, is that the map categorises a multitude of countries as not offering such protection without proposing any concrete solutions on what to do in such cases.

In conclusion, while the map helps to get an overview of, and some more insight into, data protection laws around the world, data transfers outside the EEA remain a complex topic for stakeholders.