In 1995 the EU issued Directive 95/46/EC which addressed the processing of personal data belonging to private individuals.
Chapter IV of the Directive concerns the transfer or personal data to 'third countries' [such as the United States], and consists of Articles 25 and 26. Article 25 provides that personal data can only be transferred to a third country if it "ensures an adequate level of protection." This level is evaluated with respect to the nature of the data, the purpose & duration of the processing of the data, and the law & security measures in the third country.
Article 26 states conditions in which personal data can be transferred to a third country even if it doesn't provide an adequate level of protection. There are six possibilities under paragraph 1 of this Article:
1. Unambiguous consent.
2. It's necessary to the performance of a contract.
3. It's necessary for the conclusion of a contract.
4. It's necessary on public interest grounds or legal claims
5. It's necessary for the vital interests of the person whose data is requested.
6. The transfer is from a register which by law provides information to the public.
Paragraph 2 of Article 26 is frequently cited in guides to electronic discovery. It allows for personal data to be transferred so long as it's determined that there are adequate safeguards for privacy protection, fundamental rights and the freedom of the individual. The safeguards can be guaranteed by contracts.