Database
Restrictions on data
EUROPEAN UNION
Since May 2018
Chapter Data policies
Sub-chapter Restrictions on cross-border data flows
General Data Protection Regulation (Regulation 2016/679)
The EU's General Data Protection Regulation (GDPR), which entered into force in May 2018, considerably expands the scope of EU privacy rules. In addition to companies established in the EU, the Regulation applies extra-territorially to companies offering goods or services to data subjects in the EU and to companies that monitor the behavior of EU citizens (Art. 3).
The Regulation allows data to flow freely outside the European Economic Area (EEA) only in certain circumstances listed in Chapter 5 of the Regulation. The main conditions for such a transfer are the following: the recipient jurisdiction has an adequate level of data protection; the controller adduces adequate safeguards (for instance, by using model contract clauses, binding corporate rules or other contractual arrangements); the data subject has explicitly given his/her consent; or the transfer is necessary for the performance of a contract between the data subject and the controller.
The GDPR allows for data transfers to countries whose legal regime is deemed by the European Commission to provide for an “adequate” level of personal data protection. Currently, 12 jurisdictions have been deemed adequate: Andorra, Argentina, Canada, Faroe Islands, Guernsey, Jersey, the Isle of Man, Israel, New Zealand, Switzerland and Uruguay. In addition, the EU/US Privacy Shield acts as a self-certification system open to certain US companies for data protection compliance.
Coverage Horizontal