EU data protection law generally prohibits the transfer of personal data outside of the EU unless the transfer (1) is to a jurisdiction that is deemed by the EC to provide an adequate level of protection for EU personal data, (2) falls within one of the few exceptions, or (3) is made in accordance with one of a small number of legal data transfer mechanisms. There are few adequate jurisdictions globally and the U.S. is not one of them. The exceptions, which include consent of the relevant individual, are ill-suited to routine and systematic business transfers. With respect to legal mechanisms for transferring EU personal data, the Privacy Shield is one of the few methods available, along with standard contractual clauses and binding corporate rules, by which personal data can be legally transferred from the EU to the U.S. Unlike standard contractual clauses and binding corporate rules, the Privacy Shield is available only to companies in the U.S. and applies only to data transfers from the EU to the U.S.
