In the normal world, there are several ways to transfer the PII of a data subject outside of the EU to another country:
Countries designated by the EU as providing an adequate level of protection.
Binding Corporate Rules: agreements governing data transfers between organizations within a corporate group.
EU-US Privacy Shield: transfers to US companies that are self-certified under the Privacy Shield framework.
Standard Contractual Clauses: transfers using the model contract transfer terms approved by the EU Commission.
Approved Codes of Conduct/Certification: certification under an approved certification mechanism as outlined in the GDPR.
Data transfer with the explicit consent of the data subject.
In the ICANN world, you can only use consent (more or less), because the domain name registration system is still very ancient and has not changed in the last 30 years or so.
This causes issues. I have written an article for the company I work for called "Consent is not the silver bullet".
And consent is really not suited for data transfers. Consent can be used when you are close to your customers or when you have a small customer base. For registrars with tons of domain names, consent is not suitable. It is better to avoid consent altogether, as it has many requirements.
SCCs and Privacy Shield might not last long, given that the Irish DPC has some real concerns.
In short, the road to hell is paved with good intentions.
Theo Geurts, RySG/RrSG GDPR task force member.