This section provides an overview of the changes in the EU data privacy framework, and how it may impact U.S. industry.
Last Published: 7/19/2017
Current Situation: the New General Data Protection Regulation
The EU data privacy framework is currently going through a legislative transition. 

The currently applicable legislation is the Data Protection Directive (95/46/EC) adopted in 1995.  It spells out strict rules concerning the processing of personal data.  Businesses must tell consumers that they are collecting data, what they intend to use it for, and to whom it will be disclosed.  Data subjects must be given the opportunity to object to the processing of their personal details and to opt-out of having them used for direct marketing purposes. This opt-out should be available at the time of collection and at any point thereafter.

On May 4, 2016, the EU adopted a new piece of legislation called the General Data Protection Regulation (GDPR).  The GDPR will replace the 1995 Data Protection Directive.  However, there will be a two-year transition period to allow companies and organizations (including those U.S. entities that receive data from European customers) to comply with the numerous new requirements introduced.  The transition period will end on May 25, 2018.

The GDPR is broad in scope and applies to all companies that collect, process, and/or store the personal data of European citizens, regardless of whether the company has a physical presence in Europe or directly provides goods or services to European customers.

Among the many requirements are: a right to erasure for data subjects, an obligation for organizations to obtain “affirmative and unambiguous” consent for processing personal data, an obligation to report personal data breaches, the requirement under certain circumstances to conduct a privacy impact assessment before processing personal data, and, for organizations that meet certain criteria, the mandatory appointment of a Data Protection Officer.

Companies are strongly encouraged to conduct due diligence and seek legal advice from an attorney specializing in European data privacy law to ensure they comply with this legislation.  Fines in case of non-compliance could reach four percent of the annual global revenue of the company.

For more information:
Full GDPR text
Official Press Release

Transferring Customer Data to Countries outside the EU
The EU's current Data Protection Directive, which will be fully replaced by the General Data Protection Regulation (GDPR) as of May 25, 2018, provides for the free flow of personal data within the EU but also for its protection when it leaves the region’s borders. 

The GDPR (Chapter 5 - Article 44 onwards) sets out obligations on data controllers (those in charge of deciding what personal data is collected and how/why it is processed), on data processors (those who act on behalf of the controller) and gives rights to data subjects (the individuals to whom the data relates). These rules were designed to provide a high level of privacy protection for personal data, and were complemented by measures to ensure the protection is maintained when data leaves the region, whether it is transferred to controllers, processors or to third parties (e.g. subcontractors).  EU legislators put restrictions on transfers of personal data outside of the EU, specifying that such data could only be exported if “adequate protection” is provided.
The European Commission (EC) is responsible for assessing whether a country outside the EU has a legal framework that provides sufficient protection for it to issue an “adequacy finding” to that country. The U.S. has never sought to be found adequate by the EC. This means that U.S. companies can only receive personal data from the EU if they:
  • Join the EU-U.S. Privacy Shield program, or
  • Provide appropriate safeguards (e.g. contractual clauses, binding corporate rules), or
  • Rely on one of the GDPR’s derogations.
The European Commission’s webpage on transfers outside the EU covers all of the mechanisms outlined below:
Data Transfers Outside of EU

Important note:
The legal environment for data transfers to the United States continues to evolve. Companies that transfer EU citizen data to the United States as part of a commercial transaction should consult with an attorney who specializes in EU data privacy law to determine what options may be available for a particular transaction.

About the EU-U.S. Privacy Shield
The EU-U.S. Privacy Shield Framework was designed by the U.S. Department of Commerce and the European Commission to provide companies on both sides of the Atlantic with a mechanism to comply with data protection requirements when transferring personal data from the European Union to the United States in support of transatlantic commerce. 
For more information on the EU-U.S. Privacy Shield

For more information about other mechanisms of transfer, please refer to:
Transferring Personal Data from EU to U.S.


Prepared by our U.S. Embassies abroad. With its network of 108 offices across the United States and in more than 75 countries, the U.S. Commercial Service of the U.S. Department of Commerce utilizes its global presence and international marketing expertise to help U.S. companies sell their products and services worldwide. Locate the U.S. Commercial Service trade specialist in the U.S. nearest you by visiting
