On February 12, 2018, the Article 29 Working Party (WP29) published guidance regarding Article 49 of the General Data Protection Regulation (GDPR) for public comment.  The deadline for submitting comments on the draft is March 26, 2018, and responses should be emailed to JUST-ARTICLE29WP-SEC@ec.europa.eu.

Like the current EU Data Protection Directive, the GDPR prohibits the onward transfer of Personal Data to: (1) a country that has not been deemed to provide an adequate level of protection (e.g. the U.S.); and (2) where the entity therein has committed to handle the Personal Data of European data subjects applying appropriate safeguards in accordance with Article 46 of the GDPR.  For example, organizations comply with Article 46 by implementing Binding Corporate Rules (BCRs) or Standard Contractual Clauses or by participating in a recognized certification mechanism such as the EU-US Privacy Shield Framework.  However, Article 49 of the GDPR provides for transfers to entities in a country without an adequate level of protection under a series of narrowly tailored exceptions called derogations.