The EU Data Protection Directive 95/46/EC (the “Directive”) creates the legal framework for the national data-protection laws in each EU member state. The Directive states that personal data may only be transferred to countries outside the EU when an adequate level of protection is guaranteed, and traditionally the EU does not consider the laws of the United States as “adequate” unless a company (1) enters into EU Commission pre-approved model contractual clauses with the data recipient, (2) sends data to a corporate affiliate in the US that is under the scope of “Binding Corporate Rules,” or (3) entered the EU-US Safe Harbor Framework...

On July 12, 2016, the EU formally approved a new mechanism for transferring data to the United States called the “Privacy Shield.” Although you can find a full discussion of the history, and implementation, of Privacy Shield here, the best way for a company to understand Privacy Shield (and decide if it wants to use it going forward) is to do a side-byside comparison of the Privacy Shield against the mechanism that it currently uses, used, or is considering. Our series of side-by-side comparisons has already included a Privacy Shield/Safe Harbor side-by-side comparison and a Privacy Shield/Controller-Processor Clauses side-by-side comparison.

The final part of our series, is a side-by-side comparison of Privacy Shield and the express obligations contained in the controller-controller model clauses (Set II)...