Data is crucial to most companies’ operations. It often includes personal information such as names, addresses, credit card numbers, bank account numbers, and other information on suppliers, customers or employees. U.S. companies that receive this type of personal data from the European Union (EU) may need to comply with EU-wide data privacy legislation (the General Data Protection Regulation or GDPR) that establishes how personally identifiable data can be lawfully collected, stored, processed and transferred. This report examines EU data protection provisions as they relate to data transfers to the United States. It outlines the obligations facing U.S. companies in this area and the compliance options available to them. For more comprehensive information on the GDPR, see
Last Published: 2/28/2019
The EU General Data Protection Regulation (GDPR), which governs how personal data of individuals in the EU may be processed and transferred, went into effect on May 25, 2018. The GDPR is a comprehensive privacy legislation that applies across sectors and to companies of all sizes. It replaces the Data Protection Directive 1995/46. The overall objectives of the measures are the same – laying down the rules for the protection of personal data and for movement of data. The GDPR contains many new requirements for companies but the principles governing international data transfers remain similar to what they were under the previous Directive.  This report lays down the obligations regarding data transfers to the U.S.
For more information about GDPR, see  

 Main principles
The GDPR sets out obligations on data controllers (
i.e., the companies that define the way data is collected, processed, etc.), on data processors ( i.e. the companies that execute instructions from the data controller regarding how data is processed) and gives rights to data subjects (the individuals to whom the data relates).  These rules are designed to provide a high level of privacy protection for personal data and are complemented by measures to ensure the protection is maintained when data leaves the region, whether it is transferred to controllers, processors or to third parties (e.g. subcontractors).  The GDPR restricts transfers of personal data outside of the EU, specifying that such data can only be exported if “adequate protection” is provided in the destination country.  
In the case of the U.S., U.S.-based companies can only receive personal data from the EU if they use of the following main mechanisms:
  • Join the EU-U.S. Privacy Shield program, or
  • Provide appropriate safeguards (e.g. contractual clauses, binding corporate rules), or
  • Refer to one of the GDPR’s derogations.
The GDPR also offers the possibility to use codes of conduct and certification mechanisms.  However, to this day, these options have yet to be put in practice.
Important note: at present, there are separate legal challenges to contractual clauses and to the EU-U.S. Privacy Shield.  The outcome of these litigation procedures could have far reaching implications for international data transfers. We urge companies to monitor the situation.
European Commission’s webpage on transfers outside the EU and all mechanisms outlined below:
The EU-U.S. Privacy Shield Framework

The EU-U.S. Privacy Shield Framework (Privacy Shield) was designed by the U.S. Department of Commerce and European Commission to provide companies on both sides of the Atlantic with a mechanism to comply with EU data protection requirements when transferring personal data from the European Union to the United States.  Privacy Shield provides a set of robust and enforceable protections for the personal data of EU individuals. It provides transparency regarding how participating companies use personal data, strong U.S. government oversight, and increased cooperation with EU data protection authorities (DPAs).
The European Commission has deemed the Privacy Shield Framework adequate to enable data transfers under EU law. Commerce began accepting certifications as of August 1, 2016. 
The full text of the Privacy shield and a FAQ document can be found here:
Key new requirements for participating companies
Companies that self-certify to the framework must match these cumulative requirements:
  • Inform individuals about their privacy policy and data processing,
  • Provide free and accessible dispute resolution,
  • Maintain data integrity, purpose limitation and respect the data retention principle,
  • Ensure accountability for data transferred to third parties (controller or processor),
  • Make public any related enforcement actions,
  • Ensure commitments are kept as long as data is held,
  • Cooperate with the Department of Commerce.
Note that the framework is subject to joint EU-U.S. an annual review which may bring adjustments to the above-mentioned requirements. 
How to join the framework?
To join the Privacy Shield Framework, a U.S.-based company is required to self-certify to the Department of Commerce and publicly commit to comply with the Framework’s requirements. While joining the Privacy Shield Framework is voluntary, the commitment is enforceable under U.S. law. All companies interested in joining the Privacy Shield Framework should review its requirements in their entirety. 
The five steps to certifying are as follows:
  • Confirm your organization’s eligibility to participate in the Privacy Shield,
  • Develop a Privacy Shield-compliant privacy policy statement,
  • Identify your organization's independent recourse mechanism,
  • Ensure that your organization's verification mechanism is in place,
  • Designate a contact within your organization regarding Privacy Shield.
For more detailed information on these five steps, please review the guide to self-certification:  
Providing appropriate safeguards

In the absence of an adequacy decision, or for companies that do not wish to certify to the Privacy Shield, Article 46 of the GDPR lists a set of appropriate and enforceable safeguards which, when put in place, provide the level of protection required by the legislation.  The primary options for companies are the following:
  • Binding corporate rules,
  • Standard contractual clauses (as adopted by public authorities).
The GDPR states that any arrangement made under the 1995 Directive using any of these safeguards will remain valid once the GDPR becomes applicable and therefore does not need to be renegotiated, provided it matches the other requirements under GDPR.

Binding Corporate Rules (BCRs)
Binding Corporate Rules are an international code of practice followed by a multinational corporation for transfers of personal data between the companies belonging to that corporation (worldwide intra-group transfer).   BCRs can be a tool for a controller as well as for a processor.  Detailed guidance and a Standard Application for Approval of BCRs have been developed at EU level. 

BCRs are suitable for closely-knit, highly hierarchically structured multinational companies but not for loose conglomerates or smaller companies, both for operational reasons but also because the approval process can be time-consuming and require costly legal fees. As of 2018, about 100 global companies had adopted BCRs.  
More information:

 Contractual Clauses
Companies can include data privacy clauses in their contracts.  These clauses can either be based on “standard” or “model” clauses.  These clauses must be pre-approved by the European Commission or the company’s lead DPA but do not require specific authorization provided they are not modified significantly by the company.  To facilitate this process, as of yet the EC has approved two sets of standard clauses for companies to use: on set for transfers between data controllers and one set for transfer between a data controller and a data processor.  
Companies can also draft their own data privacy clauses, in which case they need prior authorization by the DPA on a case-by-case basis before they serve as a legal base for transfer.  
More: information: 

Referring to one of the GDPR’s exceptions
Transfers of data may also be possible through one of the GDPR’s derogations in case the company is not using the adequacy decision’s mechanism or any of the available appropriate safeguards.  The two main derogations of interest to companies listed under Article 49 are the following:
  • The data subject is informed of possible risks attached to the transfer and gives explicit consent,
  • The transfer is necessary for the completion of a contract between the controller and the data subject or in his/her interest. 
The first derogation may, for example, apply to a transfer by a travel agent of personal data concerning an individual client to hotels involved in the organization of these clients’ stay, or transfer of personal data necessary for a credit card payment.  Companies should be mindful of the fact that what constitutes ‘explicit consent’ is in fact quite narrow.  Silence, pre-ticked boxes or inactivity do not constitute consent.  As such, this method cannot be used for repetitive and bulk transfers. 
The second derogation may be relevant for instance as a mechanism to transfer human resources data. 


Prepared by our U.S. Embassies abroad. With its network of 108 offices across the United States and in more than 75 countries, the U.S. Commercial Service of the U.S. Department of Commerce utilizes its global presence and international marketing expertise to help U.S. companies sell their products and services worldwide. Locate the U.S. Commercial Service trade specialist in the U.S. nearest you by visiting

European Union 28 Business to Business Business to Consumer eCommerce Information Technology Legislation