Does your business have multiple locations, subsidiaries, or affiliates outside the U.S.? If so, you may be legally required to have a mechanism in place to support international, cross-border transfers of personal data within your global enterprise. Here, mature privacy and compliance programs may consider approaches such as an Enterprise Data Transfer Agreement (EDTA) or other frameworks to support such transfers.
An EDTA can serve as a single contract, executed between affiliates, that allows a business to assess the legal requirements for personal data transfer across multiple jurisdictions and tailor internal commitments based on risk. Failure to address data transfer requirements between affiliated entities could result in regulatory or other legal action impacting the provision of services, reputation, and internal operations (not to mention the bottom line). (Remember: fines under EU law can approach 4% of global revenue.)
Intra-company data transfer obligations can be triggered by transfers of many kinds of personal data, including:
- Prospect and website visitor data;
- Customer contact data utilized for sales / account management purposes;
- Customer-provided data input into product or service platforms;
- Human resources data for company employees;
- Any other personal data shared between affiliated entities across borders.
In a world where a significant number of countries now regulate personal data transfers – and especially personal data transfers to the United States – mature (and maturing) compliance programs must remember to address intra-group transfers.
Taft | Morris Manning has experience in this area. Partner Michael Young and Senior Associate Beau Braswell are happy to discuss defensive strategies.
