by Silhouette
3052 days ago
I don’t think the GDPR is as difficult as you suggest. The biggest problem companies seem to struggle with is this idea that the personal data they keep isn’t theirs and they need to protect it like anything else in their possession that isn’t theirs. You keep writing things like this, and I’m not going to just post the same reply every time, so let’s try another one here. Let us assume for the sake of debate that Privacy Shield will at some point be struck down by the courts, like Safe Harbor before it, since the fundamental objections involving US government access have not changed. At that point, please explain the conditions under which an EU business can share PII with a US business without violating the GDPR.
1) if the EU has declared a country "adequate", you can transfer data (there is a list of adequate countries. Canada is on it, the US with Privacy Shield too)
2) in absence of an adequacy decision, there are other possibilities: binding corporate rules (internal rules for data transfers within multinational companies[1]), contractual arrangements (for example, the EU approved clauses), adherence to a code of conduct with a binding commitment (look at this like some kind of "privacy certification")
3) Finally, if the above are not possible, a transfer is still possible if the subject gives consent after being informed of all risks.
So, for the sake of debate: I would go with either binding corporate rules (in case of a multinational) or contractual arrangements.
[1] https://ec.europa.eu/info/law/law-topic/data-protection/data...