The EU Data Protection Directive 95/46/EC (the “Directive”) creates the legal framework for the national data-protection laws in each EU member state. The Directive states that personal data may only be transferred to countries outside the EU when an adequate level of protection is guaranteed, and traditionally the EU does not consider the laws of the United States as “adequate” unless a company (1) enters into EU Commission pre-approved model contractual clauses with the data recipient, (2) sends data to a corporate affiliate in the US that is under the scope of “Binding Corporate Rules,” or (3) entered the EU-US Safe Harbor Framework.

Most data processors (e.g., service providers) that were based in the US complied with the Directive by entering the pre-approved controller-processor model clause or the EU-US Safe Harbor Framework. In October of 2015, the EU-US Safe Harbor Framework was invalidated by the European Court of Justice. As a result, many of the companies that had relied upon the Safe Harbor switched to the controller-processor model clauses; the use of those clauses became far and away the most popular way to comply with the Directive.