Page 341 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide
Department of Commerce Safe Harbor program to comply with EU data protection laws. However, the European Court of Justice invalidated that program in 2015. Instead, companies were required to comply with the (now-defunct) European Data Protection Directive (Directive 95/46/EC). The GDPR (Regulation EU 2016/679) replaced Directive 95/46/EC, and it became enforceable on May 25, 2018. It applies to all EU member states and to all countries doing business with the EU involving the transfer of data.

As an example, a company that collects personal information on employees for payroll is a data controller. If it passes this information to a third-party company to process payroll, the payroll company is the data processor. In this example, the payroll company (the data processor) must not use the data for anything other than processing payroll at the direction of the data controller.

The GDPR restricts data transfers to countries outside the EU. Organizations must comply with all of the requirements within the GDPR. Companies that violate privacy rules in the GDPR may face fines of up to 4 percent of their global revenue. Unfortunately, the GDPR is filled with legalese, presenting many challenges for organizations. As an example, clause 107 includes this statement:

“Consequently the transfer of personal data to that third country or international organisation should be prohibited, unless the requirements in this Regulation relating to transfers subject to appropriate safeguards, including binding corporate rules, and derogations for specific situations are fulfilled.”

The European Commission and the U.S. government developed the EU-US Privacy Shield program to replace a previous program, which was known as the Safe Harbor program. Similarly, Swiss and U.S. officials worked together to create a Swiss-US Privacy Shield framework. Both programs are administered by the U.S. Department of Commerce’s International Trade Administration (ITA). Organizations can self-certify, indicating that they are complying with the Privacy Shield principles through the U.S. Department of