No. 39: Cross Border Data Transfers Under the GDPR: The Example of Transferring Data from the EU to the US

Details

Author(s):
Publish Date:
September 4, 2018
Publication Title:
TTLF Working Papers
Publisher:
Stanford Law School
Format:
Working Paper
Citation(s):
  • Nikolaos I. Theodorakis, Cross Border Data Transfers Under the GDPR: The Example of Transferring Data from the EU to the US, TTLF Working Papers No. 39, Stanford-Vienna Transatlantic Technology Law Forum (2018).
Related Organization(s):

Abstract

The General Data Protection Regulation recognizes specific options for data transfers between the EU and the US. Since the European Commission does not fully consider the US a data “adequate” country because of its lack of comprehensive privacy legislation, different instruments need to be in place for a legitimate data transfer. Such instruments include Binding Corporate Rules, European Commission model clauses, certification mechanisms, codes of conduct, and other recognized adequacy mechanisms. One of them is the EU-US Privacy Shield Framework.

The EU-US Privacy Shield Framework was designed by the U.S. Department of Commerce and the European Commission to provide companies on both sides of the Atlantic with a mechanism to comply with data protection requirements when transferring personal data from the European Union to the United States in support of transatlantic commerce. The European Commission deemed the Framework adequate to enable data transfers under EU law in July 2016. To join the program, a US based organization needs to self-certify and publicly commit to comply with the Framework’s requirements.

This paper investigates the various cross-border data transfer mechanisms provided in the GDPR and discusses how organizations in the US can use them to transfer data from the EU.