Client Alert

Cross-Border Information Sharing for Effective Services

January 2017

Navigating privacy laws is especially challenging for multinational companies with affiliates in the European Economic Area (EEA)[1] that share personal information with service providers outside the EEA. Data flows are complex and companies will need to ensure compliance with cross-border transfer restrictions. All member countries of the EEA impose restrictions on the sharing of personal information outside the EEA because their laws derive from the same instrument, the Data Protection Directive 95/46 (the “Directive”)[2]. The Directive aims to set a high threshold for the protection of personal information and privacy in the EEA, and extend that threshold to any location where personal information is transferred. Organizations sharing personal information collected in the EEA with service providers based outside the EEA (often in the United States or India) must find ways to comply with EEA privacy laws while at the same time effectively utilizing service providers around the globe. This challenge will not disappear in the years to come. As of May 25, 2018, the General Data Protection Regulation (GDPR)[3] will become applicable, and replace the Directive. The GDPR contains data transfer restrictions that are equivalent to the Directive[4].

Companies must first consider whether these cross-border restrictions are relevant to their business. Generally speaking, in order for the EEA laws and regulations to apply, an organization must be established in an EEA country.That means the organization must be incorporated in an EEA country, have a stable and permanent presence there, or use equipment located in an EEA country to process personal information. The obligations that constrain how information can be shared across borders turn on how personal information flows from entities in the EEA to service providers. While this is counterintuitive, how the data actually flow matters in determining how the cross-border rules apply and what mechanisms are necessary to meet those obligations.

In many instances, multinational companies share personal information first with an affiliate in the United States and then transfer the personal information to a service provider. For example, a French company or employees of a French company may send personal information relating to the employees first to its U.S.-based parent company, and then the U.S. parent company will provide the information to a service provider. In other instances, and as cloud-based services become ubiquitous, information from an EEA company may be shared directly with a U.S.-based service provider, such as personal information provided by employees of a French affiliate via phone or through a website hosted or run by a service provider in the United States.

We will examine each of these types of data flows and discuss what mechanism is required to legitimize each transfer.

Indirect Transfers to Service Providers

Personal information often flows indirectly between the location where the information is collected and a service provider who will ultimately handle the personal information. One common occurrence is a transfer of information from a company in the EEA to its U.S.-based parent company that then shares the personal information with a U.S.-based service provider. For example, a multinational company that establishes a centralized human resources (HR) system will host it at its U.S. headquarters. The U.S. headquarters then shares certain HR information with a service provider in the United States in order to provide benefit services to the company’s global workforce.

The restrictions imposed on information sharing with a service provider in the United States depend in part on the transfer mechanism chosen by the EEA affiliate and the U.S. parent to transfer the information between the EEA affiliates and the U.S. parent company.

Indirect Transfers to Service Providers

The Directive and the GDPR restrict any transfers of personal information to countries outside the EEA, unless the recipient country has been found to ensure an “adequate” level of protection. The question of whether adequate protection exists is generally decided by the European Commission (EC). Very few adequacy decisions have been made, however, since the EU data protection obligations were enacted in 1995. So far, only the laws of Andorra, Argentina, Canada (Federal Act), the Channel Islands (Guernsey and Jersey), the Faroe Islands, the Isle of Man, Israel, New Zealand, Switzerland, and Uruguay have been recognized as adequate.

There are essentially five mechanisms for transferring personal information from an EEA affiliate to a parent company in the United States:

  • the U.S. parent has been certified to the U.S.-EU Privacy Shield;
  • the individual has given his or her unambiguous consent;
  • the transfer is necessary for the performance of a contract with, or concluded in the interests of, an individual;
  • the EEA affiliates and the U.S. parent have entered into an appropriate contract which, if individually negotiated, may require approval of the EU member state authorities (“ad hoc contracts”), or which incorporates certain Standard Contractual Clauses that have been approved by the European Commission (EC); or
  • the customer and the affiliates receive the information subject to an approved set of Binding Corporate Rules (BCRs), which also require the approval of the EU member state authorities.

We will discuss each in turn and look at the effects that the chosen adequacy mechanism has on the transfer of personal information to a service provider.

Privacy Shield

Privacy Shield

The U.S.-EU Privacy Shield Framework is the successor to the U.S.-EU Safe Harbor Framework. The Safe Harbor was invalidated by the European Court of Justice (ECJ) in October 2015 (Case C-362/14, “Schrems”) due mainly to the lack of judicial redress for EU citizens against the U.S. government. The U.S. and the EU renegotiated a deal to address those shortcomings and adopted the Privacy Shield in July 2016.

The Privacy Shield was designed by the U.S. Department of Commerce in cooperation with the EC, and consists of 7 Privacy Shield Principles, 16 Supplemental Principles and an Annex I setting out a binding arbitration mechanism (as a final recourse mechanism for individuals against Privacy Shield certified U.S. organizations) (collectively, “Principles”).[5] To take advantage of the Privacy Shield, a U.S. company must elect to comply with the Principles, identify in its privacy policies that it adheres to the Privacy Shield (and adapt those policies to comply with notice requirements of the Privacy Shield), and certify its compliance with the U.S. Department of Commerce.

Where a U.S. parent company has elected to join the Privacy Shield, personal information from its EEA affiliates can be transferred to the U.S. parent company.[6] The U.S. parent company then must comply with the “Accountability for Onward Transfer” principle when it elects to share the information with a service provider.

This principle basically requires the U.S. parent company to: (i) set up an onward transfer agreement with the service provider to downstream the relevant Principles to it (and require it to notify the U.S. parent company if it cannot comply with the Principles); (ii) monitor the service provider’s compliance with the Principles; (iii) only share information with the service provider in line with the purposes detailed in the notice given to individuals; and (iv) remediate any unauthorized processing.[7]

It should be noted that the Privacy Shield is more complicated than the Safe Harbor. For example, the liability regime for a U.S. parent company in relation to its service provider’s non-compliance has increased. The U.S. parent company is now responsible by default, whereas under Safe Harbor it was not responsible unless it knew of the service provider’s failure and did nothing about it. [8] Also, the Privacy Shield is subject to heightened regulatory scrutiny[9] and notice requirements, and multiple redress avenues[10] are now offered to individuals (more so than under the Standard Contractual Clauses or under BCRs). Onward transfer agreements will also need to be more sophisticated to account for the new requirements.

Moreover, the Privacy Shield is being challenged in the EU for not addressing all of the shortcomings identified in the Schrems case. The Article 29 Working Party has expressed certain concerns[11], although it agreed to reserve these issues until the first annual review of the Privacy Shield. Irish privacy advocate ‘Digital Rights Ireland’ lodged a complaint with the ECJ to challenge the Privacy Shield on September 16, 2016[12]. It is difficult to anticipate the outcome of these initiatives, which creates uncertainty for companies having been certified or seeking to be certified to the Privacy Shield.

Companies, especially those that previously relied on the Safe Harbor, now need to carefully consider the opportunity to sign up to be certified to the Privacy Shield, as compared to other options.



Obtaining individuals’ unambiguous consent may authorize the transfer of personal information under most EU member state laws.  There has been a great deal of attention paid to the statements by some data protection authorities regarding the use of consent.  Debate continues in the EEA as to whether it is appropriate to rely on consent obtained from employees as a legal basis for transfer. The concern is that employees cannot freely consent to such transfers due to the perceived imbalance of power between employers and employees. In order for consent to be valid, individuals must be permitted to withdraw their consent without suffering adverse consequences.  [What does GDPR say about consent?]

Despite the fact that consent is said to be “invalid” to permit information sharing in the employment context, most EU member states require an opt-in consent for the sharing of “sensitive” information (e.g., health information, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, or information specifying the sex life of the individual) with a third party, even with an affiliate. Thus, although consent may in theory not be valid, it is still required in many instances.

What this means in practice is not always clear. In the data protection context, consent must be “informed,” which means it is based on a notice explaining in detail what information is collected, how the information will be used and shared, the potential recipients, and how individuals can exercise their rights of access and correction in relation to their personal information. Thus, in order for consent to be valid, the individual must be provided with these details. A high-level notice in which an employee simply agrees to participate in a benefit plan or a stock option plan would not be enough. Conversely, if a notice were sufficiently detailed about the collection, use, and disclosure of personal information, and the individual truly had a choice as to whether or not to share his or her personal information, consent would be valid in most countries.

If employees of an EEA company are provided with a clear and detailed choice concerning whether or not their information will be shared with a U.S. parent company and they consent to that sharing (for example, to participate in a stock option plan), there is generally no need to obtain further consent in order for the U.S. parent company to share the information with a service provider. In most EEA countries, individuals must be informed that personal information will be shared with a service provider, but consent is not required for that sharing. In some EEA countries, the EEA company may be required to disclose the specific name of the service provider, not just the type of service provider or country. These requirements are usually addressed in the notice and consent for the initial sharing with the U.S. parent company, and there is no additional compliance step to then share the information with the service provider if the initial consent was sufficiently broad and valid, and individuals are aware that their information will be shared with service providers in the United States.

Thus, depending on the circumstances and the country, consent may be a valid alternative for sharing personal information with a U.S. parent company and then with service providers.

Contractual Necessity

Contractual Necessity

Data protection authorities in the EEA also allow transfers of personal information where the information is necessary for the performance of a contract with an individual, or for the performance of a contract between a transferring entity and a third party which benefits the individual. In some instances, the U.S. entity enters into a direct contractual relationship with the individual. Thus, for example, if a company in the United States wishes to provide stock options to its employees in the EEA, certain personal information must be transferred to the U.S. The employer in the EEA could rely on contractual necessity to transfer the needed information. This would cover both transfers to the U.S. parent company as well as to a service provider.  Similarly, sharing information with a service provider to provide employee benefits would be covered by the contractual necessity exception.

Although this may seem to be the most straightforward basis on which to rely when transferring personal information, the information that can be transferred under this approach is quite limited and such a transfer must be truly “necessary” to meet contractual obligations. Several EEA member states view information that is “necessary to complete a contract” narrowly, i.e., it is limited to that which is “indispensable.” For example, German authorities argue that where a German employer transfers specific employee data to U.S.-based insurance providers and the insurance contract provides for third-party beneficiary rights for the employee, such transfer is permitted because of contractual necessity.[13]  However, cost-cutting or centralizing data to create greater efficiency would not generally be recognized as sufficient grounds to justify or necessitate a transfer based on contractual necessity.[14]

Thus, for limited sets of data that are truly needed in order to fulfill a contractual agreement with employees, contractual necessity may be a valuable and viable alternative.

Transfer Contracts

Transfer Contracts

Transfers are also allowed where an EEA company enters into a data transfer contract with a U.S. parent company. Contracts tailored to the parties’ needs (i.e., ad hoc contracts) must generally be pre-approved by all data protection authorities in all of the countries through which information is transferred. Thus, ad hoc contracts are expensive and difficult to implement and are rarely used. Alternatively, the EEA company and the U.S. parent company may enter into the Standard Contractual Clauses adopted by the EC. These clauses were intended to streamline the process, and thus no approval of the actual substantive provisions of the clauses is required. The reason that there are no approval requirements for the substantive provisions is that the clauses cannot be altered.  In order for them to be valid, nothing can be modified or changed in the substantive provisions. There are a few different versions of the clauses, but for transfers from an EEA affiliate to a U.S. parent company, the “Controller to Controller” set of clauses is generally set forth in the relevant contract.[15]

Contracts can be very difficult to administer. Information flows do not always follow along neat or well-established paths and may move along a multitude of paths and channels through email exchanges, information bases, and intranets. Global organizations have complex structures that can change frequently. Unless regularly revised, contracts will not reflect the changes in usage of information in organizations as required under the EC contract law regime.

Under Controller to Controller clauses, a U.S. parent company may share information with a service provider if “procedures” are in place to ensure that the service provider will “respect and maintain the confidentiality and security of the personal data.”[16] In other words, as long as the U.S. parent company has an agreement with the service provider that requires the service provider to maintain appropriate data security standards and confidentiality protections, and limits the service provider to using the personal information only as instructed by the U.S. parent company, the obligations of the U.S. parent company are satisfied.[17]  Also, this agreement does not need to be in a set form and can be different from the Standard Contractual Clauses; it can also be kept in a flexible state.

Binding Corporate Rules for Controllers

Some organizations elect to adopt a set of BCRs to enable transfers from EEA affiliates to other members of the corporate family. BCRs allow companies to establish safeguards without the administrative, legal, and organizational complexities of implementing standard contracts. A set of BCRs can be tailored to the specific needs of each organization but must limit the sharing of information to members of the corporate family.

Adopting a set of BCRs does not alter the need for an adequacy mechanism for sharing information with service providers. As a result, any restrictions imposed on sharing personal information with service providers is often addressed in the BCRs, but one of the other adequacy mechanisms, such as Standard Contractual Clauses, BCRs for data processors, Privacy Shield certification, or contractual necessity, will be required.

To date, about 90 companies have adopted BCRs[18]. These are predominantly large multinationals, given the cost and time involved in establishing such a framework and obtaining the necessary approvals from the data protection authorities.  For most BCRs, the approval process takes a substantial amount of time and resources, and requires much internal realignment of policies and procedures. However, BCRs offer a flexible and coherent mechanism to share data within the corporate family. They can be tailored to the specific needs of each organization (e.g., taking into account the corporate structure, culture, procedures, and other needs). Also, if suitably implemented, companies can readily enter and exit the group without needing to amend the BCRs.

Binding Corporate Rules for Controllers

Direct Transfers to Service Providers

In some cases, companies in the EEA may share information directly with a U.S.-based service provider. These data flows often occur when individual employees interact with a service provider directly. Such interactions may include entering data into a web-based self-service tool or providing information directly to customer service representatives of the service provider. Similarly, personal information flows directly from EEA affiliates to service providers when an EEA affiliate uploads personal information relating to employees directly onto a service provider’s system, which may occur during centralized hosting of employee data or for benefits service providers.

Often, once a service agreement is signed, a U.S.-based parent will then provide an initial set of data to the service provider’s system and, subsequently, EEA affiliates and the EEA-based employees will access the service provider’s system and provide data directly to the U.S.-based service provider. For example, a U.S.-based benefits provider enters into a master agreement with a U.S.-headquartered company to provide services globally. Certain employee information is provided by the U.S.-headquartered operations and, subsequently, additional personal information is provided to the service provider directly by the EEA affiliates and by individual employees who work for the EEA affiliates. Set forth below is an example showing how personal information flows directly from EEA affiliates or employees of the EEA affiliates to the U.S. service provider.

Direct Transfers to Service Providers

Privacy Shield

Privacy Shield

U.S. service providers may elect to be certified to the Privacy Shield. When a service provider has been certified, the service provider is considered adequate by the EC with respect to the cross-border transfer of personal information and must act on the instructions of the EEA affiliate when handling personal information received from the EEA affiliate pursuant to a data processing agreement.[19]

Just as not all companies using service providers are eligible to be certified to the Privacy Shield, not all U.S.-based service providers are eligible for certification. Only providers subject to the Federal Trade Commission’s and Department of Commerce’s jurisdiction qualify at present for the Privacy Shield. Therefore banks, federal branches and agencies of foreign banks, member banks of the Federal Reserve System, and savings and loan institutions are not eligible for the Privacy Shield.

Thus, if an EEA company or its employees provide information directly to a U.S. service provider that has been certified to the Privacy Shield, then the cross-border transfer mechanism obligation is satisfied with respect to the data flowing from the EEA affiliate to the U.S.-based service provider.[20]

Certifications have been available since August 1, 2016. In practice, it is mainly service providers that are signing up to the Privacy Shield. The increased burden (e.g., notification requirements and regulatory scrutiny) and current uncertainty around the validity of the Privacy Shield (see information above) seem to be discouraging other types of companies from applying for certification.



An EEA affiliate may obtain individuals’ consent to permit the transfer of their personal information directly from the EEA affiliate to a service provider. Alternatively, the service provider, in the context of providing a service, may obtain individuals’ consent on behalf of the EEA affiliate. This often happens in the context of service providers conducting voluntary surveys or providing other services in which employees may elect to participate. In this scenario, consent may be obtained relatively easily because of the direct interaction between the U.S. service provider and the employees based in the EEA, for example, through the provider’s website or user interface. In order to provide additional safeguards, the U.S. parent may contractually require the U.S. service provider to obtain consent as part of its  service.

Relying on consent, however, may not be practical, depending on the service model being offered. Consent can also be challenging because individuals must be permitted to be able to withdraw their consent at any time. While this ability to rescind consent strengthens the argument that individuals have genuine free choice, it also weakens the effectiveness of consent as a viable option. In many instances, however, where employee information is shared for benefits purposes, employees will have little to no incentive to withdraw consent.

Contractual Necessity

Contractual Necessity

A service provider may receive information when necessary (i.e., “indispensable” information) for the performance of a contract with an individual, or for the performance of a contract in the interests of the individual. For example, under this approach, an EEA affiliate may transfer information to payroll and benefits providers directly when necessary to provide benefits and compensation for employees. Information may also be transferred when it is necessary for investments undertaken for individuals or required for direct deposits or bank transfers on behalf of the individual.

In an opinion issued in 2005, the EEA data protection regulators stated that, in order to rely on the contractual necessity approach, a close and substantial connection between the individual or the individual’s interests and the purposes of the contract is required.[21] The opinion stated that no such connection existed, for example, where an international group centralized or outsourced its payment and HR functions.[22] For these projects, there was no sufficient “direct and objective link” between the employees and the data transfers.

The opinion also examined stock option schemes involving transfers to U.S.-based financial service providers. Here the regulators stated that the contractual necessity test may be met, provided that the sets of data transferred and access rights were limited to what was strictly required for the stock option scheme.[23] Transfers required to provide an employee with benefits (which are clearly for the benefit of the employee based in the EEA) are another example of a situation in which contractual necessity is likely to legitimize the transfer of personal information of employees in the EEA to a service provider in the United States.

Thus, for certain types of services which are essential to a contractual relationship that is beneficial to the individual, contractual necessity can serve to legitimize the cross-border transfer of personal information.

Transfer Contracts

Transfer Contracts

EEA entities may also enter into Standard Contractual Clauses directly with service providers. In 2010, the EC issued a new set of Standard Contractual Clauses to legitimize the transfer of personal information to service providers outside the EEA (“Controller to Processor” clauses).[24] The Controller to Processor clauses reflect the reality that organizations subcontract to outside service providers.

As with other Standard Contractual Clauses, the substantive provisions of the Controller to Processor clauses cannot be modified. Additional obligations are imposed on a U.S. service provider, particularly if it elects to subcontract to other service providers. For example, the U.S. service provider needs to inform the EEA affiliate of its intention to subcontract all or part of the processing and obtain the EEA affiliate’s prior approval. The U.S. service provider would be obligated to enter into a written contract with the subprocessor, which would impose the same obligations on the subprocessor as those of the U.S. service provider, including the incorporation of third-party beneficiary rights against the subprocessor (which would allow individuals to establish contractual claims directly against the subprocessor, but would be limited to the subprocessor’s own processing operations). The U.S. service provider must give copies of its contracts with the subprocessor to the EEA affiliate, and the EEA affiliate is obligated to retain and annually update a list of subprocessing agreements. Another substantial drawback of the clauses is the liability imposed on the exporting entity, and that the clauses provide individuals to whom the personal information relates with a direct right of action. Only in environments where the data flow is stable and fairly limited would such limitations work. Also, any amendments to the clauses would need to be approved by all of the information protection authorities in all of the countries from which data are transferred, just as ad hoc contracts would also need to be approved.

The use of Standard Contractual Clauses poses many challenges for companies. Unless the Standard Contractual Clauses are used as-is and unmodified (and are thus not tailored to the company’s needs), approval is required from all data protection authorities in the EEA member states from which personal information is transferred. For multinationals with dozens or hundreds of affiliates in the EEA and dozens of service providers, the operational process of signing contracts can be daunting.

Binding Corporate Rules for Processors

Where a service provider’s group has adopted BCRs for processors, its EEA affiliate may transfer personal information directly to a U.S. service provider. Initially, BCRs were only open to controllers. However, in the last few years[25], the EU has recognized the use of BCRs for processors (now legally enshrined in Article 47 of the GDPR).

If a service provider has adopted BCRs for processors, then transfers from an EEA affiliate customer to a U.S. service provider can occur directly (subject to other EEA law requirements, such as having a data processing agreement with the service provider).

The BCRs must be made public. An EEA affiliate may request a copy of the BCRs to verify the scope and content, and ensure that they cover the personal information that the EEA affiliate intends to provide to a U.S. service provider.


Companies may not be aware that they have several choices to lawfully transfer personal information from the EEA to U.S.-based service providers. Companies often become overwhelmed by the choices relating to cross-border transfers. Information transfers happen with great frequency and speed; transfer mechanisms need to facilitate compliance but should reflect the company’s business needs, including rapid access to and sharing of personal information, often via complex data flows. To ensure compliance, it is important to understand the high-level data flow so that the appropriate compliance mechanisms can be implemented. To date, no true one-size-fits-all solution exists for organizations operating globally that wish to comply with all applicable information protection regimes. But there are in fact many methods by which personal information from the EEA can be transferred to U.S.-based service providers. Companies need to consider all available mechanisms, make informed choices, and tailor their compliance actions accordingly. Companies are not limited to a choice of signing Standard Contractual Clauses. Today, any of the methods described in this article can both meet legal requirements and aid a company’s business objectives if designed and implemented properly.

[1] The EEA includes all EU member states, plus Iceland, Liechtenstein, and Norway.

[2] Directive 95/46/EC of the European Parliament and of the Council of 24 Oct. 1995 on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data, 1995 O.J. (L 281/31), available at
. The Directive applies to all EEA member states.

[3] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), available at The Regulation will apply directly in EEA countries, meaning there will not be a need for those countries to implement the rules into their national legislation as is the case for Directives.

[4] Moreover, the Regulation’s jurisdictional scope is broader than the Directive. It will also apply to companies that are fully outside the EEA (i.e., with no affiliate or other form of establishment in the EEA) but that offer goods or services to the EU market, or monitor EU residents’ behavior (e.g., through profiling or behavioral advertising). Those companies will need to appoint a local representative in the EEA and comply with EEA transfer restrictions as if the personal information originated from an EEA affiliate.

[5] U.S. Dep’t of Commerce, Privacy Shield Framework (July 12, 2016), available at; European Commission, Commission Implementing Decision (EU) 2016/1250 of 12 July 2016 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the EU-U.S. Privacy Shield (C(2016) 4176), available at 12, 2016).

[6] Not all U.S. organizations may certify their adequacy according to the Privacy Shield. For a U.S. organization to be eligible to join the Privacy Shield, it must be subject to the jurisdiction of a government body such as the Federal Trade Commission (FTC) which is empowered to investigate complaints and to obtain relief against unfair and deceptive practices. At present, only the FTC (under Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45) and the Department of Transportation (under 49 U.S.C. § 41712, which covers air carriers) satisfy this requirement. As a result, only organizations subject to the jurisdiction of either of those two agencies are eligible to join the Privacy Shield. Thus, financial institutions, for example, are not eligible for the Privacy Shield.

[7] The Accountability for Onward Transfer principle states that: “To transfer personal data to a third party acting as an agent, organizations must: (i) transfer such data only for limited and specified purposes; (ii) ascertain that the agent is obligated to provide at least the same level of privacy protection as is required by the Principles; (iii) take reasonable and appropriate steps to ensure that the agent effectively processes the personal information transferred in a manner consistent with the organization’s obligations under the Principles; (iv) require the agent to notify the organization if it makes a determination that it can no longer meet its obligation to provide the same level of protection as is required by the Principles; (v) upon notice, including under (iv), take reasonable and appropriate steps to stop and remediate unauthorized processing; and (vi) provide a summary or a representative copy of the relevant privacy provisions of its contract with that agent to the Department upon request.”

[8] Under the Privacy Shield, the U.S. parent company is liable for the service providers’ actions that are inconsistent with the Principles, unless it can prove that it is not responsible for the event giving rise to the damage.  Under the Safe Harbor, the U.S. parent company would have only been liable if it knew or should have known that the service provider would process the data in such a contrary way, and failed to take reasonable steps to prevent or stop such processing.

[9] For example, Privacy Shield compliance will be directly monitored by a wide array of authorities in the U.S. and the EU (by the Department of Commerce, the FTC, EU regulators, etc.). The Department of Commerce will be carrying out ex officio compliance reviews, as well as investigations of companies that withdraw from the program or fail to recertify. Also, certified organizations must provide a summary or representative copy of their onward transfer agreement to the Department of Commerce upon request.

[10] The U.S. parent company must have both internal and external recourse mechanisms available. The external mechanism must either be an independent Alternative Dispute Resolution provider or an EU data protection authority panel.  For HR-related complaints, a data protection authority panel must be used. Individuals in the EEA may file complaints directly with the U.S. parent company, the Department of Commerce, or their local data protection authority. They also have the right to utilize binding arbitration and have the right to file a claim for damages in court.

[11] Article 29 Working Party, Opinion 01/2016 on the EU – U.S. Privacy Shield draft adequacy decision, WP 238, (April 13, 2016), available at

[12] Action brought on September 16, 2016:  Digital Rights Ireland v Commission,  Case T-670/16, available at

[13] See Arbeitsbericht der ad-hoc-Arbeitsgruppe “Konzerninterner Datentransfer”.

[14] Id.

[15] Commission Decision of 27 Dec. 2004 Amending Decision 2001/497/EC as Regards the Introduction of an Alternative Set of Standard Contractual Clauses for the Transfer of Personal Data to Third Countries (L 385/74), available at

[16] Id. at 5.

[17] This is considerably less than under the Privacy Shield, which requires compliance with all relevant Principles from the service provider (see above).

[18] The EU Commission keeps a list of companies with EU approved BCRs, available at

[19] See Supplemental Principles, 10.a.ii: “Data controllers in the European Union are always required to enter into a contract when a transfer for mere processing is made, whether the processing operation is carried out inside or outside the EU, and whether or not the processor participates in the Privacy Shield. The purpose of the contract is to make sure that the processor: 1. acts only on instructions from the controller; 2. provides appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, and understands whether onward transfer is allowed; and 3. taking into account the nature of the processing, assists the controller in responding to individuals exercising their rights under the Principles.”

[20] Although personal information will be covered by the Privacy Shield when it is being handled by a U.S.-based service provider, the U.S.-based service provider will not be able to rely on an onward transfer agreement with the U.S.-based parent because the U.S.-based parent is not acting as an agent of the service provider. See Privacy Shield “Accountability for Onward Transfer” principle above.

[21] Article 29 Working Party, Working Document on a Common Interpretation of Article 26(1) of Directive 95/46/EC of 24 Oct. 1995, WP114 (Nov. 25, 2005), available at (4 PVLR 1495, Dec. 12, 2005).

[22] Id. at 13.

[23] Id. at 14.

[24] Commission Decision of 5 Feb. 2010 on Standard Contractual Clauses for the Transfer of Personal Data to Processors Established in Third Countries Under Directive 95/46/EC of the European Parliament and of the Council (L 39/5), available at

[25] The first official Article 29 Working Party document on BCRs for processors dates from 2012 (see WP195).



Unsolicited e-mails and information sent to Morrison & Foerster will not be considered confidential, may be disclosed to others pursuant to our Privacy Policy, may not receive a response, and do not create an attorney-client relationship with Morrison & Foerster. If you are not already a client of Morrison & Foerster, do not include any confidential information in this message. Also, please note that our attorneys do not seek to practice law in any jurisdiction in which they are not properly authorized to do so.