The transfer of personal information from European Union (EU) members to U.S. subsidiaries and other organizations is governed by strict legal requirements imposed by the European Commission, the U.S. Department of Commerce, and the U.S. Federal Trade Commission (FTC), depending on the transfer mechanism implemented. The personal information subject to transfer restrictions includes any information relating to an identified or identifiable natural person. In deciding which transfer mechanism to implement, an organization has to take into account financial and business factors as well as its tolerance for risk.
If a U.S. organization is subject to the jurisdiction of the FTC or the U.S. Department of Transportation (DOT), one way it can receive personal information from the EU is by self-certifying its compliance with the EU-U.S. “Privacy Shield” framework. Self-certification under that framework opened on August 1, 2016. (The Privacy Shield was later invalidated by the Court of Justice of the European Union in the Schrems II decision of July 2020, so an organization relying on a self-certification mechanism should confirm the current status of the framework before treating it as a valid transfer basis.)
Other transfer mechanisms that U.S. organizations can use to receive data lawfully from the EU are standard (“model”) contractual clauses and binding corporate rules. The model contractual clauses amount to pre-approved adhesion contracts: the approved clause text must be adopted as-is and cannot be negotiated, although the parties can fill in the required appendices and add commercial terms that do not contradict the approved clauses.
The type of model contractual clauses that an organization may use depends on whether the organization receiving the information is a data controller or a data processor. Although the model contractual clauses consist of “boilerplate” language, parties must specify in an appendix the relevant categories of data and types of data processing. For multinational organizations that regularly engage in data transfers among multiple jurisdictions, the use of model contractual clauses is not efficient or cost-effective because the organization would have to enter into multiple contracts.
Binding corporate rules (BCRs) allow multinational organizations to develop and adopt internal privacy policies that mandate EU-style data protections across the entire corporate group. Once approved by the appropriate data protection authority in each jurisdiction in which the organization transfers data, BCRs allow the organization to transfer data within the group without entering into separate model contractual clauses or seeking approval for each transfer. There is no model form of BCRs: each organization must develop its own specific set of rules to fit its particular needs, and the approval process is correspondingly longer and more costly than adopting pre-approved clauses. BCRs can be used by organizations that are data controllers or data processors.
Each of the three mechanisms has distinct advantages and disadvantages. In determining how best to meet the EU data protection requirements, U.S. organizations should consider those advantages and disadvantages carefully and consult legal counsel experienced with all three mechanisms.