If you want to use the best data processing tools out there, then you have to use those made by US companies. If you want to use these tools, then you likely need to send the personal data of your EU users to the US.
And this is where things become tricky for businesses. This is also where users’ GDPR rights could be violated.
This article will explore why you cannot transfer data freely to the United States and how to do so lawfully.
Online businesses need data processing tools of US companies. It is also in EU users’ best interest to have their data processed as long as it is lawful.
However, before handing your users’ data to these tools, you have to ensure that you comply with the law. And the law says that you need a legal basis for transferring data to which GDPR applies to them.
The EU and the US companies could once freely transfer data to each other based on the Safe Harbour Privacy Principles.
And then Max Schrems appeared.
Maximillian Schremms is a data privacy activist from Austria. He is one of the founders of None of Your Business, a non-profit that fights large companies that handle personal data for profits.
Facebook is one such company. They’ve got his data and transferred it to the US. He complained that the US, as a country, does not provide sufficient protection to the personal data of EU citizens.
The Court of Justice of the EU (CJEU) ruled in his favor and annulled the Principles in 2016. The judgment was called the Schrems decision.
A year later, in 2016, the US and the EU signed the Privacy Shield, an agreement between the EU and the US that allowed:
Data flows were rather free again and Facebook transferred Max Schremms to the US again, so he showed up one more time. He complained that the Privacy Shield does not provide sufficient protection of the personal data of EU citizens.
The CJEU ruled in his favor again, this time annulling the Privacy Shield. This judgment was called the Schrems II decision.
The Schrems II decision annulled the Privacy Shield between the EU and the US companies, therefore they cannot transfer EU users’ data freely to the US.
The reason why they cannot do so are two controversial US laws:
The Foreign Intelligence Surveillance Act (FISA) 1978 is the law that allows the US government to spy on foreign nationals and governments. It contains the procedures for collecting information on “foreign powers and their agents suspected of espionage and terrorism”.
Basically, if the US government thinks that someone may be involved in espionage and terrorism, they can collect information about them.
The EDPB guidelines explicitly mention this act as an example of a law that is an obstacle for transferring data to a third country (check out page 15).
The Clarifying Overseas Use of Data Act (CLOUD Act) 2018 allows the US government to request any personal information stored on servers operated or owned by US companies.
Basically, this means that if your personal data is stored on the servers of Amazon Web Services (AWS), and the US authorities issue a warrant for disclosure of such information, AWS has no choice but to hand over the information to them.
It doesn’t matter where the servers are located – whether in the US, EU, Asia, or somewhere else. Every US company must obey the request.
It is worth mentioning that governments help each other in criminal cases, but there is a lot of bureaucracy involved, which makes the process very slow. As a result, authorities are often late in the reaction to criminal offenses. The US government wants to streamline the process with the CLOUD Act, but the EDPB is not happy with that.
To sum it up, the US authorities can at any time spy on foreigners who may be involved in espionage and terrorism, as well as request personal data stored on any servers operated by US companies around the world (which is a large chunk of the servers around the world).
That’s why the EDPB is concerned about you sending EU users’ data to the US.
If you were wondering whether you transfer personal data to the US or not, check out if you use third-party tools for processing data to which the GDPR applies.
GDPR applies to:
Third-party tools for data processing may be Amazon Web Services, Mailchimp, Convertkit, Facebook, Google Analytics, and whatever tool that does anything to your data.
When you collect some personal data, you need to process it in order to get certain results. For example, you use Convertkit to collect email addresses and then segment users and send them personalized emails.
That means that Convertkit processes your data. That also means that you transfer data to a US data processor.
This doesn’t mean that every piece of EU users’ personal data sent to a US data processor is subject to the supplementary measures.
If you are a non-EU company, the GDPR applies to you only to your relationship with EU users.
This means that you are obliged to comply with the law only when interacting with someone from an EU member-state. So, you do not need supplementary measures if you:
That way, you’ll get consent for the transfer on collection. If the user consents to the processing in the US, you are free to process it in the States.
If you found that you transfer data of EU users from the EU to the US, then you have to implement the six-step process for data transfers recommended by the EDPB and you’re okay to keep transferring the data.
Until complying with it, though, you must cease with the data transfers.
So, the good news is that you could keep using your valuable data processing tools provided by US companies. The bad news is that you have to do some work before continuing to do that.
This process is as follows:
If you went through the process of figuring out whether you transfer data to the US as described above, you may be done with this step.
You have to be aware of your data transfers. This means that you have to know from whom you collect the data, and then where do you transfer it for processing.
If your data transfers involve sending data to the US, keep reading.
Now when you’re sure that you send data to a third country, you have to assess your transfer tools.
The GDPR defines transfer tools as the legal basis for transferring data to a third country. They include:
The Privacy Shield was kind of a pseudo-adequacy decision between the EU and the US that enabled the free flow of personal data, but now it is non-existent.
That means that you have to rely on SCCs, BCRs, or user’s consent (other bases are unlikely in most scenarios).
The third step requires you to assess the risks that the national legislation brings to your data transfers.
In the case of the transfers to the US, this includes the risk of disclosure of your data by your US data processors upon request of the US authorities.
If you transfer data to other countries, too, do not assess the risks associated with their laws as well.
This step includes most of the hard work. Now when you know that you transfer data to a risky country, you have to implement safety measures for protecting your data.
The EDPB provides guidelines on these measures. They give businesses an idea of what they could do to protect users’ data and remain compliant with the GDPR.
There are two cases in which no measures are good enough for a lawful data transfer:
In all other cases, you can rely on appropriate safety measures.
These measures can be technical, organizational, and contractual. Here is a summary of them:
Your technical measures would work if they ensure data protection in the third country adequate to the one provided in the EU.
In other words, technical measures should ensure that US authorities cannot get their hands on your users’ personal data.
Here are some examples of what makes an appropriate technical measure:
Data encryption is an effective technical measure as long as it meets the following requirements:
Encryption of data merely transiting to third countries
You may want to transfer data to an adequate country, but first, it has to transit to an unsafe country. In that case, you can consider state-of-art encryption, so that:
Pseudonymized personal data is not an as good measure as encryption of data, but it is good enough if it meets the following requirements:
Split or multi-party processing
You can split your data in a way that a single person cannot be identified and transfer it to multiple data processors without disclosing them the data other processors got.
That way you could get your data processed by processors in third countries without the possibility of identifying any natural person.
The split data processing shall meet the following requirements:
Protected recipient of personal data
You can freely transfer data to protected recipients of personal data, such as lawyers or doctors, if:
Organizational measures should help your organization implement your technical measures flawlessly. They complement each other. Implementing organizational measures without technical ones is useless.
The most common organizational measures include:
Do not limit yourself to these measures. Adjust them to your organization accordingly.
Use contractual measures only in combination with technical and organizational measures. If you include contractual measures in your contracts with US data processors, but you don’t implement the necessary technical and organizational measures, you are not compliant with the GDPR.
The EDPB recommendations list plenty of contractual clauses to enrich your contracts with data processors in order to meet the transfer requirements.
The fifth step requires you to take necessary procedural steps for implementing the measures from the fourth step.
Review your transfers, your transfer tools, and the risks of relevant national legislations at appropriate intervals to ensure that you are compliant at all times.
In practice, this would mean making such an assessment every 6 to 12 months, where you would check out how and where you transfer data, the legal basis to do so, and any new risks.
The new risks would usually involve changes in laws and regulations, changes in the political environment, changes in processor server locations, and so on.
To sum it all up, here’s a process that you could follow for compliant data transfers:
If you are just a regular website or app user whose data is being transferred to the US in a way that is against the principles of the GDPR, your GDPR rights may be violated.
To figure out if it really is the case, you need to submit a data subject request. But, not any data subject request.
Submit a request to get information on the data processing. When submitting it, do not forget to request information on data transfers and the legal basis of the transfers.
If the data controller receives the requests through a contact form that does not allow customization of the requests, just wait for their answer. If it does not contain details on the transfers, then submit an additional request by email.
If they transfer data to the US but have no legal basis to do so or they have not implemented sufficient measures, you have a couple of choices:
If the data controller has been transferring data to the US against the GDPR but has not been aware of it, they may be willing to change that.
In any other case, involving the data protection authority may be necessary.
If you are a company that processes personal data, you should understand that the transfers of data to the US are a risky business.
While many see this as yet another burden imposed by the EU on businesses worldwide, you should know this is being done for the good of users. They need to have their personal data protected.
The technical measures are not that hard to implement. If you don’t know where to start, reaching out for help from an IT professional and a lawyer is a wise move.