The EU adopted in May 2016 new data protection legislation called the General Data Protection Regulation (GDPR). The GDPR entered into force in May 2016 and will be applicable after a two year transition period, i.e. as of May 25, 2018. This legislation has a very broad scope and applies extraterritorially to U.S. companies regardless of their sector and regardless of whether they have physical presence in Europe - as long as they collect, transfer and/or process European personal data. Relevant aspects for businesses could be in relation with the product/service itself (because its operation requires the use of data defined as personal data under EU law) and/or in relation with clients/business partners’ personal data management (e.g. HR data of European employees, clients’ information etc.).

More information on the EU legislative framework: http://ec.europa.eu/justice/data-protection/reform/index_en.htm

The GDPR also requires compliance for international personal data transfers. The EU-U.S. Privacy Shield Framework was designed by the U.S. Department of Commerce and the European Commission to provide companies on both sides of the Atlantic with a mechanism to comply with data protection requirements when transferring personal data from the European Union to the United States in support of transatlantic commerce.

More information on Privacy Shield: https://www.privacyshield.gov/welcome

For general inquiries about EU data privacy legislation, please send an email to: office.brusselsec@trade.gov.

Print | Last Updated: 2/28/17 9:57 AM