Article 1(3) of the General Data Protection Regulation (GDPR) ensures that the free movement of personal data within the European Union (EU) is neither restricted nor prohibited on grounds related to the protection of personal data. This provision primarily targets Member States, which might otherwise be inclined to enact data localisation laws that could impede the free flow of data.
The scope of this free movement is confined to the European Economic Area (EEA), which encompasses all EU Member States along with Iceland, Liechtenstein, and Norway. It is important to note that the status of various special territories associated with EU Member States requires careful consideration, as some are included within the EEA while others are not.
Countries outside the EU/EEA do not enjoy the benefits of the free flow of personal data. The Court of Justice of the European Union (CJEU) has established stringent standards for international data transfers. The free flow of personal data is explicitly limited to the EEA; the rules governing transfers to non-EU/EEA countries, referred to as ‘third countries’, are set out in Chapter V of the GDPR.
For instance, when a data controller based in Italy stores personal data with a cloud service provider in Norway, there are no concerns regarding international data flows because the GDPR prohibits restrictions on such flows within the EEA. Conversely, if the Italian data controller utilises a service provider in the UK, an additional legal basis is required to legitimise these data flows.
There is an ongoing debate regarding whether the free flow of personal data applies solely to data transfers between systems located within the EEA, or whether it also extends to systems outside the EEA that are under the effective control of an EEA-based controller or processor. The European Commission has recently adopted an entity-based approach, which asks whether the controlling entity falls within the territorial scope set out in Article 3 of the GDPR, rather than a data-based approach, which would ask whether the data remains physically within the EEA. However, the wording of the GDPR does not appear to support this entity-based approach. Nevertheless, the definition of the GDPR’s territorial scope of application is explicitly decoupled from the question of whether the data processing takes place within the Union, as stated in Article 3(1).