Last Published: 6/5/2016

Current Situation: the New General Data Privacy Regulation

The EU data privacy framework is currently going through a legislative transition.  
The EU’s general data protection Directive (95/46/EC) adopted in 1995 spells out strict rules concerning the processing of personal data.  Businesses must tell consumers that they are collecting data, what they intend to use it for, and to whom it will be disclosed.  Data subjects must be given the opportunity to object to the processing of their personal details and to opt-out of having them used for direct marketing purposes. This opt-out should be available at the time of collection and at any point thereafter.

On May 4th 2016, the new General Data Protection Regulation (GDPR) was published in the EU Official Journal.  The text was initially proposed in 2012.  The GDPR will replace the 1995 Data Privacy Directive.  However, there will be two-year transition period to allow companies and organizations (including those U.S. entities that receive data from European customers) to comply with the numerous new requirements introduced.  The transition period will end on May 25, 2018. Among the many requirements are the mandatory appointments of a Data Protection Officer in organizations that fill certain criteria and an obligation to report personal data breaches. 

The main benefit businesses expect is the ability to operate under a harmonized legal regime across the 28 Member States.  This is viewed as an improvement, although less so than the originally envisioned cornerstone concept of one-stop-shop, i.e. companies dealing with one main Data Protection Authority for all their operations in Europe.  

For more information: 
Full GDPR text: http://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679&from=EN  
Official press release: http://europa.eu/rapid/press-release_MEMO-15-6385_en.htm 


Transferring Customer Data to Countries outside the EU

The EU's current Data Protection Directive, which will be fully replaced by the General Data Protection Regulation (GDPR) as of May 25, 2018, provides for the free flow of personal data within the EU but also for its protection when it leaves the region’s borders.  The Safe Harbor Framework between the United States and the EU was negotiated in response to the European Union’s 1995 Data Privacy Directive, which prohibits companies from transferring personal data of EU citizens to countries which have not been deemed to provide an “adequate” level of data protection, as determined by the European Commission, unless one of several limited exceptions applies.  While the United States has never sought to be deemed adequate as a general matter, Safe Harbor was a self-certification program administered by the U.S. Department of Commerce (USDOC) that allowed for certified companies to transfer a limited category of commercial data to the United States in compliance with EU law. However, on October 6, 2015 the European Court of Justice handed down a ruling in Schrems vs. Data Protection Commissioner that invalidated the U.S.-EU Safe Harbor Framework as a means to legally transfer commercial data from the EU to the United States.   

Current legal alternatives to the Safe Harbor Framework are limited.  EU-based exporters or U.S.-based importers of personal data can also satisfy the adequacy requirement by using appropriate safeguards, for instance by including data privacy clauses in the contracts they sign with each other. To fast track this procedure the European Commission has approved sets of model clauses for personal data transfers that can be inserted into contracts between data importers and exporters.  The most recent were published at the beginning of 2005, and were complemented in 2010 by contractual clauses on “sub-processing” (outsourcing by an EU based exporter of its processing activities to other sub-processors outside the EU).  Companies must bear in mind that the transfer of personal data to third countries is a processing operation that is subject to EU data protection legislation.

EU countries’ Data Protection Authorities (DPAs) and large multinational companies have also developed “binding corporate rules” (BCRs).  A BCR is the international code of practice that a multinational corporation follows for transfers of personal data between the companies belonging to that corporation (worldwide intra-group transfer).  BCRs are suitable for closely-knit, highly hierarchically structured multinational companies but not for loose conglomerates.  The process of negotiation and approval of the BCRs is currently lengthy and complex, and has not yet been attempted by small or medium-sized companies.

The legal environment for data transfers to the United States continues to evolve and so companies that transfer EU citizen data to the United States as part of a commercial transaction should consult with an attorney, who specializes in EU data privacy law, to determine what options may be available for a particular transaction.   

For more information, go to http://www.export.gov/safeharbor/


The EU-U.S. Data Privacy Shield 

In February 2016, the United States and European Commission reached a political agreement on the new EU-U.S. Data Privacy Shield.  If approved by the EU, the new agreement will be the successor to the U.S.-EU Safe Harbor Framework and will impose obligations on company participants to ensure that EU citizen data transferred to the United States for commercial purposes is transferred and protected in a manner consistent with EU law.  Before the agreement can go into effect, the EU must complete its internal approval process.  Once in place, the Privacy Shield will allow certified program participants to transfer commercial data to the United States.  The EU hopes to have completed its internal approval process sometime in 2016.  Until such time as the agreement is approved by the EU and the Privacy Shield program is officially launched companies cannot rely on it as a means to transfer commercial data from the EU to the United States.   

For more information on the EU-U.S. Privacy Shield, go to https://www.commerce.gov/privacyshield or http://ec.europa.eu/justice/newsroom/data-protection/news/160229_en.htm.

Prepared by our U.S. Embassies abroad. With its network of 108 offices across the United States and in more than 75 countries, the U.S. Commercial Service of the U.S. Department of Commerce utilizes its global presence and international marketing expertise to help U.S. companies sell their products and services worldwide. Locate the U.S. Commercial Service trade specialist in the U.S. nearest you by visiting http://export.gov/usoffices.



European Union 28 Information Management Market Access