If you want to use the best data processing tools, you have to use those made by US companies. If you’re going to use these tools, you likely need to send the personal data of your EU users to the US.
And this is where things become tricky for businesses. This is also where users’ GDPR rights could be violated.
This article will explore why you cannot transfer data freely to the United States and how to do so lawfully.
Online businesses need data processing tools from US companies. It is also in EU users’ best interest to have their data processed as long as it is lawful.
However, before handing your users’ data to these tools, you must comply with the law. And the law says that you need a legal basis for transferring data to which the GDPR applies.
EU and US companies used to be able to transfer data freely to each other based on the Safe Harbour Privacy Principles.
And then Max Schrems appeared.
Maximilian Schrems is a data privacy activist from Austria. He is one of the founders of None of Your Business, a non-profit that fights large companies that handle personal data for profit.
Facebook is one such company. They had his data and transferred it to the US. He complained that the US, as a country, does not provide sufficient protection to the personal data of EU citizens.
The Court of Justice of the EU (CJEU) ruled in his favor and annulled the Principles in 2016. The judgment was called the Schrems decision.
A year later, in 2016, the US and the EU signed the Privacy Shield, an agreement between the EU and the US that allowed:
Data flows were relatively free again, and Facebook transferred Max Schrems’s data to the US again, so he showed up one more time. He complained that the Privacy Shield does not provide sufficient protection for the personal data of EU citizens.
The CJEU ruled in his favor again, annulling the Privacy Shield. This judgment was called the Schrems II decision.
The Schrems II decision annulled the Privacy Shield between the EU and the US. Therefore, companies cannot freely transfer EU users’ data to the US.
The reason they cannot do so is two controversial US laws:
The Foreign Intelligence Surveillance Act (FISA) of 1978 is the law that allows the US government to spy on foreign nationals and governments. It contains the procedures for collecting information on “foreign powers and their agents suspected of espionage and terrorism”.
If the US government thinks that someone may be involved in espionage and terrorism, they can collect information about them.
The EDPB guidelines explicitly mention this act as an example of a law that is an obstacle to transferring data to a third country (check out page 15).
The Clarifying Overseas Use of Data Act (CLOUD Act) 2018 allows the US government to request any personal information stored on servers operated or owned by US companies.
This means that if your data is stored on Amazon Web Services (AWS) servers, and the US authorities issue a warrant for disclosure of such information, AWS has no choice but to hand over the information to them.
It doesn’t matter where the servers are located – whether in the US, EU, Asia, or elsewhere. Every US company must obey the request.
It is worth mentioning that governments help each other in criminal cases, but there is a lot of bureaucracy involved, which makes the process very slow. As a result, authorities are often late in reacting to criminal offenses. The US government wants to streamline the process with the CLOUD Act, but the EDPB is not happy with that.
To sum it up, the US authorities can spy on foreigners who may be involved in espionage and terrorism and request personal data stored on any servers operated by US companies around the world (which is a large chunk of the servers around the world).
That’s why the EDPB is concerned about you sending EU users’ data to the US.
If you are wondering whether you transfer personal data to the US, check whether you use third-party tools for processing data to which the GDPR applies.
GDPR applies to:
Third-party tools for data processing may be Amazon Web Services, Mailchimp, Convertkit, Facebook, Google Analytics, and any other tool that does anything to your data.
When you collect personal data, you need to process it to get specific results. For example, you use Convertkit to collect email addresses, segment users, and send them personalized emails.
That means that Convertkit processes your data. That also means that you transfer data to a US data processor.
This doesn’t mean that every piece of EU users’ data sent to a US data processor is subject to supplementary measures.
If you are a non-EU company, the GDPR applies only to your relationship with EU users.
This means that you must comply with the law only when interacting with someone from an EU member-state. So, you do not need supplementary measures if you:
That way, you’ll get consent for the transfer on collection. If the user consents to the processing in the US, you are free to process it in the States.
If you found that you transfer data of EU users from the EU to the US, you have to implement the six-step process for data transfers recommended by the EDPB. Once you have done so, you are okay to keep transferring the data.
Until you comply with it, though, you must cease the data transfers.
So, the good news is that you could keep using your valuable data processing tools provided by US companies. The bad news is that you have to do some work before continuing to do that.
This process is as follows:
If you went through figuring out whether you transfer data to the US as described above, you might be done with this step.
You have to be aware of your data transfers. This means that you have to know from whom you collect the data and then where you transfer it for processing.
If your data transfers involve sending data to the US, keep reading.
When you’re sure that you send data to a third country, you have to assess your transfer tools.
The GDPR defines transfer tools as the legal basis for transferring data to a third country. They include:
The Privacy Shield was a pseudo-adequacy decision between the EU and the US that enabled the free flow of personal data, but now it is non-existent.
That means that you have to rely on SCCs, BCRs, or users’ consent (other bases are unlikely in most scenarios).
The third step requires you to assess the national legislation’s risks to your data transfers.
In the case of the transfers to the US, this includes the risk of disclosing your data by your US data processors upon request of the US authorities.
If you transfer data to other countries, too, do not forget to assess the risks associated with their laws.
This step includes most of the hard work. When you know that you are transferring data to a risky country, you must implement safety measures to protect your data.
The EDPB provides guidelines on these measures. They give businesses an idea of what they could do to protect users’ data and remain compliant with the GDPR.
There are two cases in which no measures are good enough for a lawful data transfer:
In all other cases, you can rely on appropriate safety measures.
These measures can be technical, organizational, and contractual. Here is a summary of them:
Your technical measures will work if they ensure data protection in the third country is adequate to the one provided in the EU.
In other words, technical measures should ensure that US authorities cannot get their hands on your users’ data.
Here are some examples of what makes an appropriate technical measure:
Data encryption is an effective technical measure as long as it meets the following requirements:
Encryption of data merely transiting to third countries
You may want to transfer data to an adequate country, but it has to transit through an unsafe country. In that case, you can consider state-of-the-art encryption so that:
Pseudonymized personal data is not as good a measure as encryption of data, but it is good enough if it meets the following requirements:
Split or multi-party processing
You can split your data so that a single person cannot be identified and transfer it to multiple data processors without disclosing the data other processors got.
That way, you could get your data processed by processors in third countries without the possibility of identifying any natural person.
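One way to realise the split processing described above, as an added example that is not from the original article: additive secret sharing, in which the exporter splits each numeric value into random shares, every processor aggregates only its own shares, and the exporter recombines the partial results. The function names, the modulus and the sample figures are assumptions made for illustration.

```python
import secrets

# Modulus for the shares (assumption: a prime larger than any value or sum
# the exporter expects; 2**61 - 1 is a Mersenne prime).
P = 2**61 - 1


def split(value, n=2):
    """Split an integer into n additive shares that sum to value mod P."""
    if n < 2:
        raise ValueError("need at least two processors")
    if not 0 <= value < P:
        raise ValueError("value out of range for modulus")
    # n-1 shares are uniformly random; the last one makes the sum come out.
    shares = [secrets.randbelow(P) for _ in range(n - 1)]
    shares.append((value - sum(shares)) % P)
    return shares


def combine(shares):
    """Only the exporter, holding every share or partial, can do this."""
    return sum(shares) % P


def processor_sum(share_column):
    """Work done by ONE processor: it only ever sees its own shares."""
    return sum(share_column) % P


def split_and_aggregate(values, n=2):
    # Exporter (in the EU) splits each value; column i goes to processor i.
    columns = [[] for _ in range(n)]
    for v in values:
        for col, share in zip(columns, split(v, n)):
            col.append(share)
    # Each processor returns one partial sum computed from its column alone.
    partials = [processor_sum(col) for col in columns]
    return columns, partials, combine(partials)


# Constructed sample data: monthly spend in cents for five users.
SAMPLE = [1999, 4500, 0, 120000, 725]

if __name__ == "__main__":
    cols, partials, total = split_and_aggregate(SAMPLE)
    print("processor A sees:", cols[0])
    print("processor B sees:", cols[1])
    print("recombined total:", total)
```

Each column on its own is uniformly random, so a single processor, or an authority compelling that processor alone, learns nothing about any individual value.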
The split data processing shall meet the following requirements:
Protected recipient of personal data
You can freely transfer data to protected recipients of personal data, such as lawyers or doctors, if:
Organizational measures should help your organization implement your technical measures flawlessly. They complement each other. Implementing organizational measures without technical ones is useless.
The most common organizational measures include:
Do not limit yourself to these measures. Adjust them to your organization accordingly.
Use contractual measures only in combination with technical and organizational measures. If you include contractual actions in your contracts with US data processors but don’t implement the necessary technical and organizational measures, you are not compliant with the GDPR.
The EDPB recommendations list many contractual clauses to enrich your contracts with data processors to meet the transfer requirements.
The fifth step requires you to take necessary procedural steps for implementing the measures from the fourth step.
Review your transfers, your transfer tools, and the risks of relevant national legislation at appropriate intervals to ensure that you are compliant.
In practice, this would mean making such an assessment every 6 to 12 months, where you would check how and where you transfer data, the legal basis to do so, and any new risks.
The new risks would usually involve changes in laws and regulations, changes in the political environment, changes in processor server locations, etc.
To sum it all up, here’s a process that you could follow for compliant data transfers:
If you are just a regular website or app user whose data is being transferred to the US in a way that is against the principles of the GDPR, your GDPR rights may be violated.
To figure out if that is the case, you need to submit a data subject request. But not just any data subject request.
Submit a request to get information on the data processing. When submitting it, do not forget to request information on data transfers and the legal basis of the transfers.
If the data controller receives the requests through a contact form that does not allow customization of the request, just wait for their answer. If it does not contain details on the transfers, submit an additional request by email.
If they transfer data to the US but have no legal basis for doing so or they have not implemented sufficient measures, you have a couple of choices:
If the data controller has been transferring data to the US against the GDPR but is unaware of it, they may be willing to change that.
In any other case, involving the data protection authority may be necessary.
A company can also receive a hefty GDPR fine for not respecting EU regulations.
If you are a company that processes personal data, you should understand that data transfers to the US are a risky business.
While many see this as yet another burden imposed by the EU on businesses worldwide, you should know this is being done for users’ good. They need to have their data protected.
The technical measures are not that hard to implement. If you don’t know where to start, reaching out for help from an IT professional and a lawyer is wise.