Whilst GDPR awareness and enforcement have increased during the third year of the GDPR being in force, Y3 has also marked by data transfer uncertainties following the landmark Schrems II case, in which the European Court of Justice ruled that the EU-US Privacy Shield framework was invalid.

That ruling has required EU companies to assess if any country to which data is transferred provides adequate protection - bringing further challenges to the tech sector now companies have to determine how national laws are exercised in practice, and how likely they are to be exercised in relation to a data transfer (read more).

The fourth year of the GDPR is likely to be as interesting as Y3 in terms of data transfers. The European Commission has just released new standard contractual clauses (SCCs) requiring a repapering exercise to take place as companies have been given few months to replace all the SCCs in place (read more).

On the other hand, some help should come from the regulators in the coming months: an adequacy decision for South Korea and the UK are due, soon allowing the free flow of personal data from the EU to South Korea and allowing the continuation of data flows from the EU to the UK post Brexit. 

The US Department of Commerce and the European Commission have also initiated discussions to evaluate the potential for an enhanced Privacy Shield framework - although any new framework for transfers of personal data between the EU and the US could take some time to agree.

Read more in our Digilinks post EU: Three years of GDPR - a rocky journey