Includes information on transferring customer data to countries outside the EU that U.S. firms should be aware of when exporting to the market.
Last Published: 8/29/2019
The General Data Protection Regulation (GDPR) provides for the free flow of personal data within the EU but also for its protection when it leaves the region’s borders.
GDPR sets out obligations on data controllers (those in charge of deciding what personal data is collected and how/why it is processed) and on data processors (those who act on behalf of the controller), and gives rights to data subjects (the individuals to whom the data relates). These rules were designed to provide a high level of privacy protection for personal data and were complemented by measures to ensure the protection is maintained when data leaves the region, whether it is transferred to controllers, processors or to third parties (e.g. subcontractors). EU legislators put restrictions on transfers of personal data outside of the EU, specifying that such data could only be exported if “adequate protection” is provided.
The European Commission (EC) is responsible for assessing whether a country outside the EU has a legal framework that provides enough protection for it to issue an “adequacy finding” to that country. The U.S. has never sought to be found adequate by the EC. This means that U.S. companies can only receive personal data from the EU if they:
  • Join the EU-U.S. Privacy Shield program, or
  • Provide appropriate safeguards (e.g. contractual clauses, binding corporate rules), or
  • Refer to one of the GDPR’s derogations.
For more information, consult the European Commission’s webpage on data transfers outside the EU: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection_en
Important note:
The legal environment for data transfers to the United States continues to evolve. Companies that transfer EU citizen data to the United States as part of a commercial transaction should consult with an attorney who specializes in EU data privacy law to determine what options may be available for a transaction.
About the EU-U.S. Privacy Shield
The EU-U.S. Privacy Shield Framework was designed by the U.S. Department of Commerce and the European Commission to provide companies on both sides of the Atlantic with a mechanism to comply with EU data protection requirements when transferring personal data from the European Union to the United States in support of transatlantic commerce.
For more information on the EU-U.S. Privacy Shield
For more information about other mechanisms of transfer, please refer to:
https://www.export.gov/article?id=European-Union-Transferring-Personal-Data-From-the-EU-to-the-US
https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection_en

 

Prepared by the International Trade Administration. With its network of more than 100 offices across the United States and in more than 75 markets, the International Trade Administration of the U.S. Department of Commerce utilizes its global presence and international marketing expertise to help U.S. companies sell their products and services worldwide. Locate the trade specialist in the U.S. nearest you by visiting http://export.gov/usoffices.