If you want to use the best data processing tools out there, then you have to use those made by US companies. If you want to use these tools, then you likely need to send the personal data of your EU users to the US.
And this is where things become tricky for businesses. This is also where users’ GDPR rights could be violated.
This article will explore why you cannot transfer data freely to the United States and how to do so lawfully.
Online businesses need data processing tools of US companies. It is also in EU users’ best interest to have their data processed as long as it is lawful.
However, before handing your users’ data to these tools, you have to ensure that you comply with the law. And the law says that you need a legal basis for transferring data to which GDPR applies to them.
Why These Supplementary Measures
The EU and the US companies could once freely transfer data to each other based on the Safe Harbour Privacy Principles.
And then Max Schrems appeared.
Maximillian Schremms is a data privacy activist from Austria. He is one of the founders of None of Your Business, a non-profit that fights large companies that handle personal data for profits.
Facebook is one such company. They’ve got his data and transferred it to the US. He complained that the US, as a country, does not provide sufficient protection to the personal data of EU citizens.
The Court of Justice of the EU (CJEU) ruled in his favor and annulled the Principles in 2016. The judgment was called the Schrems decision.
A year later, in 2016, the US and the EU signed the Privacy Shield, an agreement between the EU and the US that allowed:
- Every US company to transfer personal data to Europe
- Every EU company to transfer personal data to US companies certified under the Privacy Shield.
Data flows were rather free again and Facebook transferred Max Schremms to the US again, so he showed up one more time. He complained that the Privacy Shield does not provide sufficient protection of the personal data of EU citizens.
The CJEU ruled in his favor again, this time annulling the Privacy Shield. This judgment was called the Schrems II decision.
What is the Schrems II Decision?
The Schrems II decision annulled the Privacy Shield between the EU and the US companies, therefore they cannot transfer EU users’ data freely to the US.
The reason why they cannot do so are two controversial US laws:
The Foreign Intelligence Surveillance Act (FISA) 1978 is the law that allows the US government to spy on foreign nationals and governments. It contains the procedures for collecting information on “foreign powers and their agents suspected of espionage and terrorism”.
Basically, if the US government thinks that someone may be involved in espionage and terrorism, they can collect information about them.
The EDPB guidelines explicitly mention this act as an example of a law that is an obstacle for transferring data to a third country (check out page 15).
The Clarifying Overseas Use of Data Act (CLOUD Act) 2018 allows the US government to request any personal information stored on servers operated or owned by US companies.
Basically, this means that if your personal data is stored on the servers of Amazon Web Services (AWS), and the US authorities issue a warrant for disclosure of such information, AWS has no choice but to hand over the information to them.
It doesn’t matter where the servers are located – whether in the US, EU, Asia, or somewhere else. Every US company must obey the request.
It is worth mentioning that governments help each other in criminal cases, but there is a lot of bureaucracy involved, which makes the process very slow. As a result, authorities are often late in the reaction to criminal offenses. The US government wants to streamline the process with the CLOUD Act, but the EDPB is not happy with that.
To sum it up, the US authorities can at any time spy on foreigners who may be involved in espionage and terrorism, as well as request personal data stored on any servers operated by US companies around the world (which is a large chunk of the servers around the world).
That’s why the EDPB is concerned about you sending EU users’ data to the US.
Do You Transfer Data to the US?
If you were wondering whether you transfer personal data to the US or not, check out if you use third-party tools for processing data to which the GDPR applies.
GDPR applies to:
- Personal data collected by EU company and
- Personal data of EU users collected by anyone.
Third-party tools for data processing may be Amazon Web Services, Mailchimp, Convertkit, Facebook, Google Analytics, and whatever tool that does anything to your data.
When you collect some personal data, you need to process it in order to get certain results. For example, you use Convertkit to collect email addresses and then segment users and send them personalized emails.
That means that Convertkit processes your data. That also means that you transfer data to a US data processor.
The only case where you do not transfer data of EU users
This doesn’t mean that every piece of EU users’ personal data sent to a US data processor is subject to the supplementary measures.
If you are a non-EU company, the GDPR applies to you only to your relationship with EU users.
This means that you are obliged to comply with the law only when interacting with someone from an EU member-state. So, you do not need supplementary measures if you:
- Collect their consent for the processing lawfully, and
That way, you’ll get consent for the transfer on collection. If the user consents to the processing in the US, you are free to process it in the States.
The Six-Steps Process for Data Transfers to the US According to the GDPR
If you found that you transfer data of EU users from the EU to the US, then you have to implement the six-step process for data transfers recommended by the EDPB and you’re okay to keep transferring the data.
Until complying with it, though, you must cease with the data transfers.
So, the good news is that you could keep using your valuable data processing tools provided by US companies. The bad news is that you have to do some work before continuing to do that.
This process is as follows:
1. Assess Your Data Transfers
If you went through the process of figuring out whether you transfer data to the US as described above, you may be done with this step.
You have to be aware of your data transfers. This means that you have to know from whom you collect the data, and then where do you transfer it for processing.
If your data transfers involve sending data to the US, keep reading.
2. Verify the Transfer Tools Your Transfers Rely On
Now when you’re sure that you send data to a third country, you have to assess your transfer tools.
The GDPR defines transfer tools as the legal basis for transferring data to a third country. They include:
- Adequacy decision
- Standard contract clauses (SCCs)
- Binding corporate rules (BCRs)
- User’s consent
- Public interest and other exceptions explicitly mentioned in the GDPR.
The Privacy Shield was kind of a pseudo-adequacy decision between the EU and the US that enabled the free flow of personal data, but now it is non-existent.
That means that you have to rely on SCCs, BCRs, or user’s consent (other bases are unlikely in most scenarios).
3. Assess the Risks that the US Laws Bring
The third step requires you to assess the risks that the national legislation brings to your data transfers.
In the case of the transfers to the US, this includes the risk of disclosure of your data by your US data processors upon request of the US authorities.
If you transfer data to other countries, too, do not assess the risks associated with their laws as well.
4. Identify and Adopt Supplementary Measures to Protect Your Data
This step includes most of the hard work. Now when you know that you transfer data to a risky country, you have to implement safety measures for protecting your data.
The EDPB provides guidelines on these measures. They give businesses an idea of what they could do to protect users’ data and remain compliant with the GDPR.
There are two cases in which no measures are good enough for a lawful data transfer:
- Transferring data in clouds in the clear where authorities have access to the data in a way that is not expected in a democratic society, or
- Remote access to data in a third country, where authorities have access to the data in a way that is not expected in a democratic society.
In all other cases, you can rely on appropriate safety measures.
These measures can be technical, organizational, and contractual. Here is a summary of them:
Your technical measures would work if they ensure data protection in the third country adequate to the one provided in the EU.
In other words, technical measures should ensure that US authorities cannot get their hands on your users’ personal data.
Here are some examples of what makes an appropriate technical measure:
Data encryption is an effective technical measure as long as it meets the following requirements:
- The personal data is encrypted before submission to the data processing tools. This means that you have to send the data encrypted and not rely on the data processor to encrypt your data.
- Only you control the encryption keys, which means that the data processor cannot access the data without you granting them access. This should ensure that when your data processor is faced with a request by an authority that they must abide by, they will have no way of providing the data to them because you’ll be the only one that holds the encryption keys.
- The encryption has to be state-of-art.
Encryption of data merely transiting to third countries
You may want to transfer data to an adequate country, but first, it has to transit to an unsafe country. In that case, you can consider state-of-art encryption, so that:
- Data can be decrypted only in the destination country
- The transfer is state-of-art
- You are the only one controlling the decryption keys.
Pseudonymized personal data is not an as good measure as encryption of data, but it is good enough if it meets the following requirements:
- A single person cannot be identified without the use of additional information
- That additional information must be stored in the European Union
- A single person cannot be identified by cross-referencing data possessed by a third country
- Only you possess the pseudonymization algorithm
Split or multi-party processing
You can split your data in a way that a single person cannot be identified and transfer it to multiple data processors without disclosing them the data other processors got.
That way you could get your data processed by processors in third countries without the possibility of identifying any natural person.
The split data processing shall meet the following requirements:
- The separate batches of data should be sent to separate entities in separate jurisdictions
- No single person can be identified with the split data
- The processing algorithm is safe
- There is no evidence to reasonably believe that authorities from both (or all) jurisdictions cooperate in accessing the data
- A single person cannot be identified by cross-referencing data possessed by a third country
Protected recipient of personal data
You can freely transfer data to protected recipients of personal data, such as lawyers or doctors, if:
- The third country protects the privilege of communication with them
- That privilege includes all kinds of information, including encryption keys, passwords, etc.
- They won’t be obliged to disclose personal data to authorities in any case
- The encryption is state-of-art
- Only you control the encryption keys
Organizational measures should help your organization implement your technical measures flawlessly. They complement each other. Implementing organizational measures without technical ones is useless.
The most common organizational measures include:
- Internal policies for implementation of the technical measures (as long as they are compatible with the EU laws)
- Organization methods
- Data minimization methods
- Transparency and accountability measures
- Adoption of standards and best practices
Do not limit yourself to these measures. Adjust them to your organization accordingly.
Use contractual measures only in combination with technical and organizational measures. If you include contractual measures in your contracts with US data processors, but you don’t implement the necessary technical and organizational measures, you are not compliant with the GDPR.
The EDPB recommendations list plenty of contractual clauses to enrich your contracts with data processors in order to meet the transfer requirements.
5. Take the Necessary Procedural Steps
The fifth step requires you to take necessary procedural steps for implementing the measures from the fourth step.
6. Re-Evaluate the Protection at Appropriate Intervals
Review your transfers, your transfer tools, and the risks of relevant national legislations at appropriate intervals to ensure that you are compliant at all times.
In practice, this would mean making such an assessment every 6 to 12 months, where you would check out how and where you transfer data, the legal basis to do so, and any new risks.
The new risks would usually involve changes in laws and regulations, changes in the political environment, changes in processor server locations, and so on.
The Process Step-by-Step
To sum it all up, here’s a process that you could follow for compliant data transfers:
- 1. Ensure that the GDPR applies to you
- 2. If it applies, assess your data processors
- 3. Check out where your processors process data
- 4. Assess your data transfer tools
- 5. If you transfer data to the US (or other third countries with similar risks), acknowledge that you need supplementary measures
- 6. Assess your specific situation and decide which technical, organizational, and contractual measures you need. If you need help, it is wise to talk to a data protection lawyer and IT personnel.
- 7. Implement the measures
- 8. Include the measures in your policies, contracts, and other documents where necessary
- 9. Keep an eye on any changes in relevant laws that could affect your data transfers.
Do You Think that a Company Unlawfully Transfers Your Data to the US?
If you are just a regular website or app user whose data is being transferred to the US in a way that is against the principles of the GDPR, your GDPR rights may be violated.
To figure out if it really is the case, you need to submit a data subject request. But, not any data subject request.
Submit a request to get information on the data processing. When submitting it, do not forget to request information on data transfers and the legal basis of the transfers.
If the data controller receives the requests through a contact form that does not allow customization of the requests, just wait for their answer. If it does not contain details on the transfers, then submit an additional request by email.
If they transfer data to the US but have no legal basis to do so or they have not implemented sufficient measures, you have a couple of choices:
- Let them know, ask them to comply with the law, and wait to see what happens
- Lodge a complaint to the relevant data protection authority.
If the data controller has been transferring data to the US against the GDPR but has not been aware of it, they may be willing to change that.
In any other case, involving the data protection authority may be necessary.
If you are a company that processes personal data, you should understand that the transfers of data to the US are a risky business.
While many see this as yet another burden imposed by the EU on businesses worldwide, you should know this is being done for the good of users. They need to have their personal data protected.
The technical measures are not that hard to implement. If you don’t know where to start, reaching out for help from an IT professional and a lawyer is a wise move.