Huge amounts of personal data circulate daily around the world. The European data protection rules set out specific requirements for the transfer of personal data outside of the EU, and notably to the U.S. U.S. companies importing personal data from Europe therefore need to identify and carefully analyze the personal data flows involved and, where necessary, put in place the safeguards or obtain the authorizations that allow them to transfer personal data out of Europe in compliance with those rules.
WHAT ARE THE CATEGORIES OF DATA COVERED?
Under the Data Protection Directive 95/46/EC (DPD), personal data is a broad concept. It includes not only sensitive data (data revealing, notably, ethnic origin, philosophical beliefs, health status or sexual orientation) but also any information relating to an identified or identifiable natural person. This may include email addresses, Social Security numbers, bank account details, professional assessments, fingerprints, etc.
WHAT IS AN INTERNATIONAL TRANSFER?
International transfers of personal data involve the physical transfer of data abroad, including any situations where personal data is made available in a country other than the country where the personal data was originally collected. This is the case, for example, when a multinational company allows remote access to its central database from its worldwide subsidiaries, when cloud computing services involve a user in the EU and data storage in the U.S., and when data from an EU subsidiary is transferred to its U.S. parent company (HR management, e-discovery procedure, etc.).
WHAT ARE THE AVAILABLE OPTIONS?
International transfer is one form of processing that follows other forms of processing such as collection, recording and storage. Therefore, the data processing in the country of origin, prior to the transfer, must already comply with the national data protection rules applicable to the data controller (the person who, alone or jointly with others, determines the purposes and means of the data processing).
An EU entity that intends to transfer personal data abroad needs to follow a step-by-step analysis in order to know whether it has to comply with specific obligations with respect to the transfer and, if so, what the requirements are.
Situation 1 — The personal data is transferred within the European Economic Area
If the data is to be transferred to an entity located in the EEA (27 EU member states plus Norway, Iceland and...