Navigating privacy laws is particularly challenging for multinational companies with affiliates in the European Economic Area (EEA) that share personal information with service providers outside the EEA. All EEA member countries impose restrictions on the sharing of personal information outside the EEA because their laws all derive from the Data Protection Directive 95/46 (the “Directive”). The Directive sets a high threshold for the protection and privacy of personal information in the EEA and extends that threshold to any location to which personal information is transferred. The General Data Protection Regulation (GDPR) contains data transfer restrictions equivalent to those of the Directive and will become applicable as of May 25, 2018, replacing the Directive.
Organizations sharing personal information collected in the EEA with service providers based outside the EEA must find ways to comply with EEA privacy laws while also effectively utilizing service providers internationally. To ensure compliance, it’s important to understand the high-level data flow so that the proper compliance mechanisms can be implemented. Companies should consider all available mechanisms, make informed choices, and tailor their compliance actions accordingly.