Although no major legislative milestones for the EU Data Protection Regulation have occurred since March 2014 (see status update here), there has been some progress over the late spring and early summer of 2014. One key item that will be of interest to US companies is the Council's compromise position on a key piece of the Regulation, the rules for the transfer of personal data to countries outside of the European Economic Area (EEA), published on May 28, 2014.
The current mechanisms for legitimizing such transfers, including adequacy assessments, Binding Corporate Rules, model contracts, and express consent, are retained. Also, an important "derogation" for infrequent, small transfers has been endorsed.
The Council's full wording for the infrequent, small transfer derogation is as follows:
. . . the transfer, which is not large scale or frequent, is necessary for the purposes of legitimate interests pursued by the controller which are not overridden by the interests or rights...