How to Transfer Data to the US in Compliance with the GDPR

By Petar Todorovski, Data Privacy Specialist. 11 February 2024. Fact-checked by Miklos Zoltan.

If you want to use the best data processing tools, you have to use those made by US companies. If you’re going to use these tools, you likely need to send the personal data of your EU users to the US.

And this is where things become tricky for businesses. This is also where users’ GDPR rights could be violated.

This article will explore why you cannot transfer data freely to the United States and how to do so lawfully.

Online businesses need data processing tools from US companies. It is also in EU users’ best interest to have their data processed as long as it is lawful.

However, before handing your users’ data to these tools, you must comply with the law. And the law says that you need a legal basis for transferring data to which the GDPR applies.

Article summary and 2024 update:
EU companies that use data processing services from US providers must carefully navigate the intricate realm of data protection and privacy regulations.

The Schrems II ruling invalidated the Privacy Shield framework that facilitated data exchange between the EU and the US, citing concerns over certain US legislation such as the Foreign Intelligence Surveillance Act (FISA) and the Clarifying Lawful Overseas Use of Data Act (CLOUD Act). These acts permit US authorities to access personal data on servers managed or owned by US firms, irrespective of their geographical location.

To legally transfer data to the US, companies are required to follow a six-step procedure recommended by the European Data Protection Board (EDPB).

This process involves evaluating data transfers, ensuring the adequacy of transfer mechanisms, analyzing the impact of US regulations, and implementing additional safeguards for data protection.

Such safeguards can include technical, organizational, and contractual measures like encrypting data, using pseudonyms, employing split or multiparty processing techniques, and ensuring recipient protection.

Organizational strategies should support technical measures and might encompass internal policies, methods of organization, data minimization techniques, as well as transparency, accountability actions, and the adoption of industry standards and best practices.

For businesses leveraging US-based data processing tools, understanding and applying these steps and measures is essential for maintaining compliance with the GDPR.


Why These Supplementary Measures

EU and US companies could freely transfer data to each other under the Safe Harbour Privacy Principles.

And then Max Schrems appeared.

Maximilian Schrems is a data privacy activist from Austria. He is one of the founders of None of Your Business, a non-profit that fights large companies that handle personal data for profit.

Facebook is one such company. They’ve got his data and transferred it to the US. He complained that the US, as a country, does not provide sufficient protection to the personal data of EU citizens.

The Court of Justice of the EU (CJEU) ruled in his favor and annulled the Principles in 2016. The judgment was called the Schrems decision.

A year later, in 2016, the US and the EU signed the Privacy Shield, an agreement between the EU and the US that allowed:

  • Every US company to transfer personal data to Europe
  • Every EU company to transfer personal data to US companies certified under the Privacy Shield.

Data flows were relatively free again, and Facebook transferred Max Schrems’s data to the US again, so he showed up one more time. He complained that the Privacy Shield does not provide sufficient protection for the personal data of EU citizens.

The CJEU ruled in his favor again, annulling the Privacy Shield. This judgment was called the Schrems II decision.

What is the Schrems II Decision?


The Schrems II decision annulled the Privacy Shield between EU and US companies. Therefore, they cannot transfer EU users’ data freely to the US.

The reasons they cannot do so are two controversial US laws:

The Foreign Intelligence Surveillance Act (FISA) 1978 is the law that allows the US government to spy on foreign nationals and governments. It contains the procedures for collecting information on “foreign powers and their agents suspected of espionage and terrorism”.

If the US government thinks that someone may be involved in espionage and terrorism, they can collect information about them.

The EDPB guidelines explicitly mention this act as an example of a law that is an obstacle to transferring data to a third country (check out page 15).

The Clarifying Lawful Overseas Use of Data Act (CLOUD Act) 2018 allows the US government to request any personal information stored on servers operated or owned by US companies.

This means that if your data is stored on Amazon Web Services (AWS) servers, and the US authorities issue a warrant for disclosure of such information, AWS has no choice but to hand over the information to them.

It doesn’t matter where the servers are located – whether in the US, EU, Asia, or elsewhere. Every US company must obey the request.

It is worth mentioning that governments help each other in criminal cases, but there is a lot of bureaucracy involved, which makes the process very slow. As a result, authorities are often late in reacting to criminal offenses. The US government wants to streamline the process with the CLOUD Act, but the EDPB is not happy with that.

To sum it up, the US authorities can spy on foreigners who may be involved in espionage and terrorism, and they can request personal data stored on any servers operated by US companies around the world (which is a large chunk of the servers around the world).

That’s why the EDPB is concerned about you sending EU users’ data to the US.

Do You Transfer Data to the US?


If you are wondering whether you transfer personal data to the US, check whether you use third-party tools to process data to which the GDPR applies.

GDPR applies to:

  • Personal data collected by an EU company, and
  • Personal data of EU users collected by anyone.

Third-party tools for data processing may be Amazon Web Services, Mailchimp, Convertkit, Facebook, Google Analytics, and any other tool that does anything to your data.

When you collect personal data, you need to process it to get specific results. For example, you use Convertkit to collect email addresses, segment users, and send them personalized emails.

That means that Convertkit processes your data. That also means that you transfer data to a US data processor.

The only case where you do not transfer data of EU users

This doesn’t mean that every piece of EU users’ data sent to a US data processor is subject to supplementary measures.

If you are a non-EU company, the GDPR applies only to your relationship with EU users.

This means that you must comply with the law only when interacting with someone from an EU member state. So, you do not need supplementary measures if you:

  • Collect their consent for the processing lawfully, and
  • Inform them through the privacy policy that you use third-party processing tools that process data in the US.

That way, you’ll get consent for the transfer on collection. If the user consents to the processing in the US, you are free to process it in the States.

The Six-Step Process for Data Transfers to the US According to the GDPR


If you have found that you transfer EU users’ data from the EU to the US, you have to implement the six-step process for data transfers recommended by the EDPB. Once you have done so, you may keep transferring the data.

Until you comply with it, though, you must cease the data transfers.

So, the good news is that you could keep using your valuable data processing tools provided by US companies. The bad news is that you have to do some work before continuing to do that.

This process is as follows:

1. Assess Your Data Transfers

If you have already worked out whether you transfer data to the US, as described above, you may be done with this step.

You have to be aware of your data transfers. This means that you have to know from whom you collect the data and then where you transfer it for processing.

If your data transfers involve sending data to the US, keep reading.

2. Verify the Transfer Tools Your Transfers Rely On

When you’re sure that you send data to a third country, you have to assess your transfer tools.

The GDPR defines transfer tools as the legal basis for transferring data to a third country. They include:

  • Adequacy decision
  • Standard contract clauses (SCCs)
  • Binding corporate rules (BCRs)
  • User’s consent
  • Public interest and other exceptions explicitly mentioned in the GDPR.

The Privacy Shield was a pseudo-adequacy decision between the EU and the US that enabled the free flow of personal data, but now it is non-existent.

That means that you have to rely on SCCs, BCRs, or users’ consent (other bases are unlikely in most scenarios).

3. Assess the Risks that the US Laws Bring

The third step requires you to assess the national legislation’s risks to your data transfers.

In the case of the transfers to the US, this includes the risk of disclosing your data by your US data processors upon request of the US authorities.

If you transfer data to other countries too, do not forget to assess the risks associated with their laws.

4. Identify and Adopt Supplementary Measures to Protect Your Data

This step includes most of the hard work. When you know that you are transferring data to a risky country, you must implement safety measures to protect your data.

The EDPB provides guidelines on these measures. They give businesses an idea of what they could do to protect users’ data and remain compliant with the GDPR.

There are two cases in which no measures are good enough for a lawful data transfer:

  • Transferring data in clouds in the clear where authorities have access to the data in a way that is not expected in a democratic society, or
  • Remote access to data in a third country, where authorities have access to the data in a way that is not expected in a democratic society.

In all other cases, you can rely on appropriate safety measures.

These measures can be technical, organizational, and contractual. Here is a summary of them:

Technical measures

Your technical measures will work if they ensure that the data protection in the third country is equivalent to that provided in the EU.

In other words, technical measures should ensure that US authorities cannot get their hands on your users’ data.

Here are some examples of what makes an appropriate technical measure:

Data encryption

Data encryption is an effective technical measure as long as it meets the following requirements:

  • The personal data is encrypted before submission to the data processing tools. This means that you have to send the data encrypted and not rely on the data processor to encrypt your data.
  • Only you control the encryption keys, which means that the data processor cannot access the data without you granting them access. This should ensure that when your data processor is faced with a request by an authority that they must abide by, they will have no way of providing the data to them because you’ll be the only one that holds the encryption keys.
  • The encryption has to be state of the art.
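To make the first two requirements concrete, here is an added example (not code from the article or from any processor mentioned in it) of a controller sealing an identifying field before the record leaves its systems. It uses AES-256-GCM from Go’s standard library; the key is generated and kept by the controller, and the processor only ever receives the opaque ciphertext. The record layout and the sample e-mail address are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
)

// Record is a constructed sample of what the controller holds on an EU user.
type Record struct {
	UserID string
	Email  string
}

// OutboundRecord is what actually leaves the controller for the processor:
// the e-mail field is already sealed, so the processor only sees ciphertext.
type OutboundRecord struct {
	UserID         string
	EncryptedEmail string
}

// NewControllerKey generates a 256-bit AES key. It is created and stored on
// the controller's side and is never shipped together with the data.
func NewControllerKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// EncryptField seals one field with AES-256-GCM under a fresh random nonce.
// The result is base64(nonce || ciphertext || tag): an opaque string the
// processor can store and index but cannot read.
func EncryptField(key []byte, plaintext string) (string, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	sealed := gcm.Seal(nonce, nonce, []byte(plaintext), nil)
	return base64.StdEncoding.EncodeToString(sealed), nil
}

// DecryptField reverses EncryptField. It returns an error, not garbage, when
// the key is wrong or the ciphertext was altered, which is exactly what
// happens when anyone other than the key holder tries to open the data.
func DecryptField(key []byte, encoded string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil {
		return "", err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	if len(raw) < gcm.NonceSize() {
		return "", errors.New("ciphertext too short")
	}
	nonce, ct := raw[:gcm.NonceSize()], raw[gcm.NonceSize():]
	pt, err := gcm.Open(nil, nonce, ct, nil)
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// PrepareForProcessor encrypts the identifying field before hand-over.
func PrepareForProcessor(key []byte, r Record) (OutboundRecord, error) {
	enc, err := EncryptField(key, r.Email)
	if err != nil {
		return OutboundRecord{}, err
	}
	return OutboundRecord{UserID: r.UserID, EncryptedEmail: enc}, nil
}

func main() {
	key, err := NewControllerKey()
	if err != nil {
		panic(err)
	}
	out, err := PrepareForProcessor(key, Record{UserID: "u-1001", Email: "alice@example.eu"})
	if err != nil {
		panic(err)
	}
	fmt.Println("processor receives:", out.EncryptedEmail)
	// A second, unrelated key stands in for the processor: without the
	// controller's key the sealed field cannot be opened.
	otherKey, _ := NewControllerKey()
	if _, err := DecryptField(otherKey, out.EncryptedEmail); err != nil {
		fmt.Println("processor-side decryption fails:", err)
	}
	back, _ := DecryptField(key, out.EncryptedEmail)
	fmt.Println("controller decrypts:", back)
}
```

The point of the design is where the key lives: because decryption fails without the controller’s key, a processor that must answer an authority’s request has nothing readable to hand over. Note that `UserID` is sent in the clear here so the processor can still link records; whether that identifier itself needs protecting is part of the assessment in step 3.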

Encryption of data merely transiting to third countries

You may want to transfer data to an adequate country, but it has to transit through an unsafe country. In that case, you can consider state-of-the-art encryption so that:

  • Data can be decrypted only in the destination country
  • The transfer mechanism is state of the art
  • You are the only one controlling the decryption keys.

Data pseudonymization

Pseudonymization is not as strong a measure as encryption, but it is good enough if it meets the following requirements:

  • A single person cannot be identified without the use of additional information
  • That additional information must be stored in the European Union
  • A single person cannot be identified by cross-referencing data possessed by a third country
  • Only you possess the pseudonymization algorithm

Split or multi-party processing

You can split your data so that a single person cannot be identified, and transfer the parts to multiple data processors without any processor learning the data the others received.

That way, you could get your data processed by processors in third countries without the possibility of identifying any natural person.

The split data processing must meet the following requirements:

  • The separate batches of data should be sent to separate entities in separate jurisdictions
  • No single person can be identified with the split data
  • The processing algorithm is safe
  • There is no evidence to reasonably believe that authorities from both (or all) jurisdictions cooperate in accessing the data
  • A single person cannot be identified by cross-referencing data possessed by a third country
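The pseudonymization requirements above and the split-processing requirements in this list share one mechanism: a token that lets a processor link records without revealing who they belong to, while the key and the re-identification table stay with the controller in the EU. The following added example (not code from the article) shows both with Go’s standard library: identifiers are replaced by HMAC-SHA256 tokens under a controller-held key, and the remaining columns are divided into two batches for two separate processors. The `Customer` record, the column split and the sample addresses are constructed for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Customer is a constructed sample record as the EU controller holds it.
type Customer struct {
	Email   string
	Name    string
	Country string
	Orders  int
}

// Pseudonymizer lives on the controller's side. The HMAC key and the
// re-identification table are the "additional information" that must stay
// in the EU; neither is ever sent to a processor.
type Pseudonymizer struct {
	key   []byte
	table map[string]string // token -> original identifier
}

func NewPseudonymizer() (*Pseudonymizer, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return &Pseudonymizer{key: key, table: map[string]string{}}, nil
}

// Pseudonym derives a stable token from an identifier with HMAC-SHA256.
// It is deterministic, so a processor can still group one user's records,
// but unlike a plain hash of an e-mail address (which anyone can recompute
// from guessed addresses) it cannot be reversed without the key.
func (p *Pseudonymizer) Pseudonym(identifier string) string {
	mac := hmac.New(sha256.New, p.key)
	mac.Write([]byte(identifier))
	token := hex.EncodeToString(mac.Sum(nil))
	p.table[token] = identifier
	return token
}

// Reidentify is only possible with the EU-held table.
func (p *Pseudonymizer) Reidentify(token string) (string, bool) {
	id, ok := p.table[token]
	return id, ok
}

// ProfileShare is the batch for one processor (e.g. analytics) and
// ActivityShare the batch for a separate one (e.g. e-mail tooling).
// Neither batch carries a direct identifier; the name never leaves the EU.
type ProfileShare struct {
	Token   string
	Country string
}

type ActivityShare struct {
	Token  string
	Orders int
}

// Split produces the two outbound batches for a set of customers.
func (p *Pseudonymizer) Split(customers []Customer) ([]ProfileShare, []ActivityShare) {
	var profiles []ProfileShare
	var activity []ActivityShare
	for _, c := range customers {
		tok := p.Pseudonym(c.Email)
		profiles = append(profiles, ProfileShare{Token: tok, Country: c.Country})
		activity = append(activity, ActivityShare{Token: tok, Orders: c.Orders})
	}
	return profiles, activity
}

func main() {
	p, err := NewPseudonymizer()
	if err != nil {
		panic(err)
	}
	customers := []Customer{
		{Email: "alice@example.eu", Name: "Alice", Country: "DE", Orders: 3},
		{Email: "bob@example.eu", Name: "Bob", Country: "FR", Orders: 1},
	}
	profiles, activity := p.Split(customers)
	fmt.Println("to processor A:", profiles)
	fmt.Println("to processor B:", activity)
	// Only the controller, holding the table, can map a token back to a person.
	id, _ := p.Reidentify(profiles[0].Token)
	fmt.Println("controller re-identifies:", id)
}
```

Whether a dataset like `ProfileShare` still allows identification by cross-referencing (the last requirement in both lists) depends on the attributes you leave in it, not on the token: a country code for millions of users is harmless, a rare combination of attributes is not. That judgement is part of step 4 and is not something the code can decide for you.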

Protected recipient of personal data

You can freely transfer data to protected recipients of personal data, such as lawyers or doctors, if:

  • The third country protects the privilege of communication with them
  • That privilege includes all kinds of information, including encryption keys, passwords, etc.
  • They won’t be obliged to disclose personal data to authorities in any case
  • The encryption is state of the art
  • Only you control the encryption keys

Organizational measures

Organizational measures should help your organization implement your technical measures flawlessly. They complement each other. Implementing organizational measures without technical ones is useless.

The most common organizational measures include:

  • Internal policies for implementation of the technical measures (as long as they are compatible with the EU laws)
  • Organization methods
  • Data minimization methods
  • Transparency and accountability measures
  • Adoption of standards and best practices

Do not limit yourself to these measures. Adjust them to your organization accordingly.

Contractual measures

Use contractual measures only in combination with technical and organizational measures. If you include contractual actions in your contracts with US data processors but don’t implement the necessary technical and organizational measures, you are not compliant with the GDPR.

The EDPB recommendations list many contractual clauses to enrich your contracts with data processors to meet the transfer requirements.

5. Take the Necessary Procedural Steps

The fifth step requires you to take the necessary procedural steps for implementing the measures from the fourth step.

This means including your supplementary measures in your SCCs or BCRs, and in the privacy policy, if needed.

6. Re-Evaluate the Protection at Appropriate Intervals

Review your transfers, your transfer tools, and the risks of relevant national legislation at appropriate intervals to ensure that you are compliant.

In practice, this would mean making such an assessment every 6 to 12 months, where you would check out how and where you transfer data, the legal basis to do so, and any new risks.

The new risks would usually involve changes in laws and regulations, changes in the political environment, changes in processor server locations, etc.

The Process Step-by-Step

To sum it all up, here’s a process that you could follow for compliant data transfers:

  1. Ensure that the GDPR applies to you
  2. If it applies, assess your data processors
  3. Check where your processors process data
  4. Assess your data transfer tools
  5. If you transfer data to the US (or other third countries with similar risks), acknowledge that you need supplementary measures
  6. Assess your specific situation and decide which technical, organizational, and contractual measures you need. If you need help, it is wise to talk to a data protection lawyer and IT personnel.
  7. Implement the measures
  8. Include the measures in your policies, contracts, and other documents where necessary
  9. Keep an eye on any changes in relevant laws that could affect your data transfers.

Do You Think that a Company Unlawfully Transfers Your Data to the US?


If you are just a regular website or app user whose data is being transferred to the US in a way that is against the principles of the GDPR, your GDPR rights may be violated.

To figure out if that is the case, you need to submit a data subject request. But not just any data subject request.

Submit a request to get information on the data processing. When submitting it, do not forget to request information on data transfers and the legal basis of the transfers.

If the data controller receives requests through a contact form that does not allow you to customize the request, just wait for their answer. If it does not contain details on the transfers, submit an additional request by email.

If they transfer data to the US but have no legal basis for doing so or they have not implemented sufficient measures, you have a couple of choices:

  • Let them know, ask them to comply with the law, and wait to see what happens
  • Lodge a complaint with the relevant data protection authority.

If the data controller has been transferring data to the US against the GDPR but is unaware of it, they may be willing to change that.

In any other case, involving the data protection authority may be necessary.

A company can also receive a hefty GDPR fine for not respecting EU regulations.

The Takeaways

If you are a company that processes personal data, you should understand that data transfers to the US are a risky business.

While many see this as yet another burden imposed by the EU on businesses worldwide, you should know this is being done for users’ good. They need to have their data protected.

The technical measures are not that hard to implement. If you don’t know where to start, reaching out for help from an IT professional and a lawyer is wise.

4 Comments

  • Isaac Babatunde OLUWALANA

    July 21, 2023 2:30 am

    The data transfer matter is explicitly explained in this article and is well received by me. Thanks.

  • Rajat Jain

    May 21, 2023 5:00 pm

    I have been a UK data protection lawyer of many years standing, and this is by far and away the clearest, simplest explanation I have come across. Thank you for such a well written article

  • Miss Marlene Clarke

    March 27, 2023 12:50 pm

    Sir,
    This article has done a sterling service to all IT users from expert to novice level. You have expressed the concern of data and information vulnerabilities succinctly in a form and language easy enough for the connotations and its resolutions to be clearly understood. Thank you.

  • Monica ochoa

    April 29, 2022 6:09 pm

    Hello, I am writing to explain why I would like to have anything that got transferred on accident. However, I applied for this job and I just don't want to have any situations arise that will affect my background check or my pay for the job. Thank you.
