A US company is conducting a global internal investigation. To carry it out, the company plans to transfer documents and emails held by its French subsidiary to the company’s US servers for review and analysis. Aware that Europe has stringent data privacy rules, the US in-house counsel is looking for specific guidance on whether the data transfers contemplated here are subject to those rules.
This scenario likely implicates the General Data Protection Regulation (the “GDPR”), which was implemented on May 25, 2018. In theory, one of the primary goals of the GDPR is to “preserv[e] the fundamental rights and freedoms of individuals, in particular their right to the protection of personal data.” In practice, the GDPR presents a significant compliance obstacle for companies moving data to jurisdictions outside the European Economic Area (the “EEA”), including to the United States.