Companies that transfer personal data across country or jurisdictional borders can face strict requirements—such as those that apply in the European Union (EU)—as well as stiff penalties for violating these requirements.
For example, the EU’s General Data Protection Regulation (GDPR) imposes restrictions on a company that transfers personal data (such as personal data of employees, customers, or patients) from the EU to the United States. And if the company doesn’t comply with those restrictions, in some cases, it could face fines of up to the greater of €20 million or 4 percent of its worldwide annual revenue from the preceding financial year.
Knowing and complying with the GDPR and other ex-U.S. data protection laws is essential to a company’s transnational business operations.
Domestic and multinational companies and vendors across industries rely on Epstein Becker Green’s Privacy, Cybersecurity & Data Asset Management team—which includes industry-recognized privacy and security professionals, litigators, transactional lawyers, and a member of the privacy and security and government relations working groups of the ISAO Standards Organization—to keep them in compliance when making cross-border data transfers.
How We Help
Clients turn to us to help them navigate international data transfer restrictions to facilitate cross-border transactions. We prepare multinational data protection policies and draft and review vendor and data processor agreements for compliance with data transfer standards and safeguards under the GDPR (including Standard Contractual Clauses (SCCs) and Binding Corporate Rules), the EU-U.S. Data Privacy Framework and the U.K. and Swiss extensions thereto, the APEC Cross-Border Privacy Rules System, and other international frameworks. We also analyze what supplementary measures certain data transfers might call for, handle derogations under Article 49 of the GDPR, and conduct data transfer impact assessments. In addition, we keep clients informed about other international cooperation mechanisms to protect personal data that may become enforceable.
Clients value our sound data protection guidance, which helps them minimize the risk of data protection violations.
- Preparation and review of SCCs and International Data Transfer Agreements.
- Preparation and review of Data Protection Addendums that address international data privacy requirements.
- Advice and counsel to organizations concerning extraterritoriality impact under international data privacy standards.
- Advice and counsel concerning website collection and use of personal data through cookies and other technologies.
- Licensing of software and platforms in compliance with international data privacy requirements.