In a statement issued Friday, the Norwegian Data Protection Authority, or Datatilsynet, reminded businesses of their obligation to have a lawful basis to transfer personal data to recipients that reside outside the European Economic Area. The EEA comprises the 28 European Union member states, along with Norway, Iceland and Liechtenstein.
The regulator specifically focused on Norwegian companies that "either transfer or have transferred personal data" to Ukraine and Russia for purposes such as outsourcing certain services to data processors that operate in these countries, which have been thrown into turmoil since Russia began its full-scale invasion of Ukraine on Feb. 24.
"Due to the changed security policy situation, we will therefore urge all companies that export personal data from Norway to recipients in Ukraine and Russia to reconsider the legal basis for the data transfers," the authority said.
Under the General Data Protection Regulation, which applies to all countries in the EEA and has been in effect since 2018, companies that want to send personal data to countries that haven't been deemed as having data protections that are on par with the EEA must conduct an assessment to ensure that the transferred data will continue to be equally well-protected once it leaves the region.
The European Court of Justice doubled down on this requirement in a July 2020 decision known as Schrems II. In that ruling, the high court found that while companies could continue to rely on a mechanism called standard contractual clauses to establish a legal basis to transfer data anywhere outside the EEA, companies and national data protection authorities must carefully scrutinize individual exchanges and shut down transfers when the laws of the country where the data is being sent don't provide adequate protections for this information.
The ruling has led to more scrutiny from national data protection regulators, particularly in situations that involve data being transferred to the U.S., where concerns have long swirled over the inability of U.S. law to prevent intelligence officials from broadly accessing EEA citizens' data. It has also prompted companies to undertake more individualized analyses of what data they want to move abroad, who they're sending the information to, why they're making the transfer, where it's going and what protections the recipient has in place.
In pressing companies to reevaluate whether data transferred to Ukraine and Russia could still be adequately protected in light of the current security climate in those countries, the Norwegian regulator additionally flagged companies' obligations under Article 24 of the GDPR, which requires them to implement "appropriate technical and organizational measures" to protect personal data they hold and to review and update these measures as necessary.
"The ongoing war in Ukraine is deeply tragic," the data protection regulator said Friday. "Of course, the privacy of Norwegian citizens ends up in the shadow of human suffering, but the situation means that we encourage all companies that export personal data to make a new assessment."
--Editing by Michael Watanabe.
For a reprint of this article, please contact reprints@law360.com.
