Data is crucial to most companies’ operations. It often includes personal information such as names, addresses, credit card numbers, bank account numbers, and other information on suppliers, customers, or employees. U.S. companies that receive this type of personal data from the European Union (EU) need to comply with EU-wide data privacy legislation that establishes how personally identifiable data can be collected, stored, processed and transferred. This report examines EU data protection provisions as they relate to data transfers to the United States. It sets out the obligations facing U.S. companies in this area, and outlines the compliance options available to them.
Last Published: 7/27/2016
Introduction
 
The EU data privacy legislative framework is currently going through a transition that will come to a close on May 25, 2018, when the new, more stringent General Data Protection Regulation comes into force.
 
Current state of play
The EU Directive 95/46/EC (“Directive”) on “the protection of individuals with regard to the processing of personal data and on the free movement of such data” spells out strict rules concerning the processing of personal data.  Businesses must tell consumers that they are collecting data, what they intend to use it for, and to whom it will be disclosed.  Data subjects must be given the opportunity to object to the processing of their personal details and to opt-out of having them used for direct marketing purposes. This opt-out should be available at the time of collection and at any point thereafter.
 
The new General Data Protection Regulation (GDPR) was approved on April 27, 2016.  The GDPR replaces the Directive.  However, there  is a two-year transition period to allow companies and organizations (including those U.S. entities that receive data from European customers) to comply with the numerous new requirements introduced.  The transition period will end on May 25, 2018.
 
For more information about the GDPR and its main requirements, please refer to the Market Research MR-xxx.
 
Disclaimer:
The GDPR contains many new requirements for companies, but the principles governing international data transfers remain similar to what they were under the Directive.  This report lays down the obligations regarding data transfers to the U.S. as they will be as of May 2018.  Even if the GDPR becomes applicable only in May 2018, we urge companies to start the compliance process as soon as possible.  Non-compliant companies could be subject to significant fines.
 
 
Main principles
 
The GDPR (Chapter 5 - Article 44 onwards) sets out obligations on data controllers (those in charge of deciding what personal data is collected and how/why it is processed), on data processors (those who act on behalf of the controller) and gives rights to data subjects (the individuals to whom the data relates).  These rules were designed to provide a high level of privacy protection for personal data, and were complemented by measures to ensure the protection is maintained when data leaves the region, whether it is transferred to controllers, processors or to third parties (e.g. subcontractors).  EU legislators put restrictions on transfers of personal data outside of the EU, specifying that such data could only be exported if “adequate protection” is provided.  
 
The European Commission (EC) is responsible for assessing whether a country outside the EU has a legal framework that provides sufficient protection for it to issue an “adequacy finding” to that country.  The U.S. has never sought to be found adequate by the EC.  This means that U.S. companies can only receive personal data from the EU if they rely on one of the following mechanisms:
 
  1. The EU-U.S. Privacy Shield Framework
 
The EU-U.S. Privacy Shield Framework (Privacy Shield) was designed by the U.S. Department of Commerce and European Commission to provide companies on both sides of the Atlantic with a mechanism to comply with EU data protection requirements when transferring personal data from the European Union to the United States in support of transatlantic commerce.  Privacy Shield provides a set of robust and enforceable protections for the personal data of EU individuals. It provides transparency regarding how participating companies use personal data, strong U.S. government oversight, and increased cooperation with EU data protection authorities (DPAs).
 
The European Commission has deemed the Privacy Shield Framework adequate to enable data transfers under EU law. Commerce began accepting certifications as of August 1, 2016.
 
The full text of the Privacy Shield and a FAQ document can be found here: https://www.commerce.gov/privacyshield
 
Key new requirements for participating companies
 
Companies that self-certify to the framework must meet all of the following requirements:
  • Inform individuals about their privacy policy and data processing,
  • Provide free and accessible dispute resolution,
  • Maintain data integrity, purpose limitation and respect the data retention principle,
  • Ensure accountability for data transferred to third parties (controller or processor),
  • Make public any related enforcement actions,
  • Ensure commitments are kept as long as data is held,
  • Cooperate with the Department of Commerce.
 
Note that the framework will be subject to an annual joint EU-U.S. review, which may bring adjustments to the above-mentioned requirements.
 
For more information, please refer to the official Privacy Shield factsheet: https://www.commerce.gov/sites/commerce.gov/files/media/files/2016/fact_sheet-_eu-us_privacy_shield_7-16_sc_cmts.pdf
 
How to join the framework?
 
To join the Privacy Shield Framework, a U.S.-based company will be required to self-certify to the Department of Commerce and publicly commit to comply with the Framework’s requirements. While joining the Privacy Shield Framework will be voluntary, the commitment will become enforceable under U.S. law. All companies interested in joining the Privacy Shield Framework should review its requirements in their entirety.
 
The five steps to certifying are as follows:
  • Confirm your organization’s eligibility to participate in the Privacy Shield
  • Develop a Privacy Shield-compliant privacy policy statement
  • Identify your organization's independent recourse mechanism
  • Ensure that your organization's verification mechanism is in place
  • Designate a contact within your organization regarding Privacy Shield
 
For more detailed information on these five steps, please review the guide to self-certification: https://www.commerce.gov/sites/commerce.gov/files/media/files/2016/how_to_join_privacy_shield_sc_cmts.pdf
 
For more background information: http://ec.europa.eu/justice/data-protection/international-transfers/eu-us-privacy-shield/index_en.htm
 
 
  2. Providing appropriate safeguards
 
In the absence of an adequacy decision, or for companies that do not wish to certify to the Privacy Shield, Article 46 of the GDPR lists a set of appropriate and enforceable safeguards which, when put in place, provide the level of protection required by the legislation.  The primary options for companies are the following:
  • Binding corporate rules,
  • Model standard data protection clauses (as adopted by public authorities).

The GDPR states that any arrangement made under the 1995 Directive using any of these safeguards will remain valid once the GDPR becomes applicable and therefore does not need to be renegotiated, provided it matches the other requirements under the GDPR.
     
    a. Binding Corporate Rules (BCRs)
 
Binding Corporate Rules are an international code of practice followed by a multinational corporation for transfers of personal data between the companies belonging to that corporation (worldwide intra-group transfer).  BCRs can be a tool for a controller as well as for a processor.  Detailed guidance and a Standard Application for Approval of BCRs have been developed at EU level.  BCRs are suitable for closely-knit, highly hierarchically structured multinational companies but not for loose conglomerates or smaller companies, both for operational reasons and because the approval process can be time-consuming and involve costly legal fees. As of 2015, 30 U.S.-based companies had adopted BCRs.
 
More information: http://ec.europa.eu/justice/data-protection/international-transfers/binding-corporate-rules/index_en.htm
 
    b. Contractual Clauses
 
Companies can include data privacy clauses in their contracts.  These clauses can be based on “standard” or “model” clauses.  Such clauses must be pre-approved by the European Commission or the company’s lead DPA, but they do not require specific authorization for each transfer.  To facilitate this process, the EC has to date approved two sets of standard clauses for companies to use: one set for transfers between data controllers and one set for transfers between a data controller and a data processor.
 
Companies can also draft their own data privacy clauses, in which case they need prior authorization by the DPA on a case-by-case basis before they serve as a legal base for transfer. 
 
Important note: at present, there is a legal challenge to model contractual clauses before the Irish High Court.  The outcome of this litigation could have far reaching implications for contractual clauses. We urge companies to monitor the situation and seek legal advice.
 
More information: http://ec.europa.eu/justice/data-protection/international-transfers/transfer/index_en.htm
 
 
  3. Referring to one of the GDPR’s exceptions
 
Transfers of data may also be possible through one of the GDPR’s derogations where the company does not rely on the adequacy decision mechanism or on any of the available appropriate safeguards.  The two main derogations of interest to companies listed under Article 49 are the following:
  • The data subject is informed of the possible risks attached to the transfer and gives explicit consent,
  • The transfer is necessary for the completion of a contract between the controller and the data subject or in his/her interest.

The first derogation may, for example, apply to a transfer by a travel agent of personal data concerning individual clients to hotels involved in the organization of these clients’ stay, or to a transfer of personal data necessary for a credit card payment.  Companies should be mindful of the fact that what constitutes ‘explicit consent’ is in fact quite narrow.  Silence, pre-ticked boxes or inactivity do not constitute consent.  As such, this method cannot be used for repetitive and bulk transfers.

The second derogation may be relevant, for instance, as a mechanism to transfer human resources data.

For More Information:

 
The U.S. Commercial Service at the U.S. Mission to the European Union is located at Boulevard du Regent 27, Brussels 1000, Belgium, and can be contacted at Office.BrusselsEC@trade.gov and +32 2 811 4817. See also: www.export.gov/europeanunion.
 
The U.S. Commercial Service — Your Global Business Partner
 
With its network of offices across the United States and in more than 80 countries, the U.S. Commercial Service of the U.S. Department of Commerce utilizes its global presence and international marketing expertise to help U.S. companies sell their products and services worldwide.  Locate the U.S. Commercial Service trade specialist in the U.S. nearest you by visiting http://www.export.gov/.
 
To the best of our knowledge, the information contained in this report is accurate as of the date published. However, the Department of Commerce does not take responsibility for actions readers may take based on the information contained herein. Readers should always conduct their own due diligence before entering into business ventures or other commercial arrangements. The Department of Commerce can assist companies in these endeavors.
 

INTERNATIONAL COPYRIGHT, U.S. DEPARTMENT OF COMMERCE, 2011. ALL RIGHTS RESERVED OUTSIDE OF THE UNITED STATES.

Prepared by our U.S. Embassies abroad. With its network of 108 offices across the United States and in more than 75 countries, the U.S. Commercial Service of the U.S. Department of Commerce utilizes its global presence and international marketing expertise to help U.S. companies sell their products and services worldwide. Locate the U.S. Commercial Service trade specialist in the U.S. nearest you by visiting http://export.gov/usoffices.