Two decades ago, the European Union enacted a legislative time bomb—the EU Data Protection Directive—placing significant restrictions on the collection, use and disclosure of personal data, including its transfer outside of the EU. In recent years, Europe’s threatened and actual data protection enforcement actions targeting U.S.-based companies, and the rollback of hard-fought accommodations that the United States and EU reached to ease the directive’s burdens have threatened to bring to a standstill the cross-border flow of personal information that now powers the digital economy.
The directive restricts the transfer of personal data outside of Europe unless the country to which the data is exported offers an “adequate level” of privacy protection. Countries that have received this designation are few and include: Andorra, Argentina, Canada, Faeroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland and Uruguay. Absent from the list are many major economies, including the United States and Japan, that in practice arguably offer greater privacy protections to individuals than Europe. For companies operating out of such countries, the EU regime obstructs movement of personal data among affiliates and with customers, creating logistical headaches, expense, compliance risk and business uncertainty. Many of these companies are U.S.-based multi-nationals and B2B cutting edge technology providers. Complying with the directive by keeping data in the EU is costly and ineffective, as the simple act of accessing the data from the United States may be considered a “transfer” of the data.
