Whether your business is multinational or not, it’s likely that at some point information containing personal data will need to be transferred from Europe or Switzerland to the United States. Personal data is defined broadly to include any information which is related to an identified or identifiable natural person. For instance, a U.S.-based online business which is collecting or processing names, addresses, and credit card information to fulfill orders for its products from European or Swiss persons must be familiar with the rules governing cross-border transfer. The same applies to a U.S.-based service business which is collecting or processing names and health information to track outbreaks of COVID-19 globally.
Over the last 20 years, there have been two government approved frameworks implemented to control data transfer, namely the U.S.-EU Safe Harbor Framework (Safe Harbor) and Privacy Shield. Both were invalidated by the Court of Justice of the European Union (CJEU) based on lawsuits brought by Maximilian Schrems. On March 25, 2022, President Joseph R. Biden and European Commission (EC) President Ursula von der Leyen jointly announced an agreement in principle for a new Trans-Atlantic Data Privacy Framework (Framework) that has the potential to establish the rules of European to U.S. data transfer.
