Article 96: The Facts
This part of the GDPR covers agreements made between EU and non-EU countries, pre-GDPR (i.e. before 24-May-2016), which concern the transfer of personal data to those non-EU countries. Such agreements will stay in effect until they are changed or revoked.
International agreements involving the transfer of personal data to third countries or international organisations which were concluded by Member States prior to 24 May 2016, and which comply with Union law as applicable prior to that date, shall remain in force until amended, replaced or revoked.
Is this a major hole in GDPR?
Let’s say EU Country A and Non-EU Country B have a legal agreement to share data on their citizens that dates back to before 2016.
“We agree to swap lists of our citizen’s names and addresses by carrier pigeon every year.” [agreement dated 2015]
This Article implies – or rather, states categorically – that personal data can be transferred without the safeguards of GDPR. So long as the agreement was OK when it was signed, the two countries can carry on as before? OK, the example above would not have been legal in 2015, but swap ‘carrier pigeon’ for ‘unencrypted email’…
I think that in practice it would be a brave government who relied on the existence of pre-GDPR legislation to justify sharing personal data in a non-GDPR compliant way. That “it was alright in the eighties” isn’t much of a defence – at least, I suspect, not in the eyes of the public or a government opposition party.