GDPR Regulations on Personal Data Transfers Outside the EEA and Data Transfer Mechanisms to the US

Question

Can you explain how the GDPR regulates personal data transfers outside the EEA? What is a data transfer? Can I find a definition in the GDPR? What mechanisms can be used to make them legal? What's the difference between these mechanisms and who can use them? How does the European Commission assess the adequacy of protection in a given third country? Are there any exceptions to these rules? If my company uses servers which are located in the US, how can I ensure that this data transfer is compliant with the EU law?

What is the best mechanism to transfer data to the US?

Executive Summary

In response to the complexities of transferring personal data outside the EEA under GDPR, this summary provides key insights for compliance:

  • Definition and Scope of Data Transfer: The GDPR does not define ‘transfer’. Sending personal data to a non-EEA country is a form of ‘processing’ (Article 4(2) lists ‘disclosure by transmission, dissemination or otherwise making available’), so the general GDPR obligations apply, and Chapter V adds the transfer-specific conditions on top of them.
  • Legal Framework for Transfers: Transfers to a country covered by a European Commission adequacy decision need no specific authorisation (Article 45). Otherwise the exporter must provide appropriate safeguards under Article 46, such as standard contractual clauses or binding corporate rules, or rely on one of the narrow derogations in Article 49 (for example the data subject’s explicit consent or necessity for a contract), which are intended for occasional, non-repetitive transfers and cannot support a routine flow to US servers.
  • Mechanisms to Ensure Compliance:
    • Adequacy Decisions provide the simplest route. The Commission assesses the third country’s rule of law, data protection legislation, the existence of an independent supervisory authority, public authorities’ access to personal data and the country’s international commitments (Article 45(2)), and must review each decision periodically, at least every four years, so a decision can be amended or repealed.
    • Binding Corporate Rules (BCRs) cover intra-group transfers within a multinational and must be approved by the competent supervisory authority (Article 47); they do not cover transfers to unrelated third parties such as an external hosting provider.
    • Standard Contractual Clauses (SCCs) are the most common tool where no adequacy decision exists. The 2021 Commission SCCs are modular (controller-to-controller, controller-to-processor, processor-to-processor, processor-to-controller) and may not be altered except by selecting the applicable module and options, adding parties, or appending clauses that do not contradict them. Since Schrems II the exporter must also assess whether the law of the destination country undermines the clauses and, if so, adopt supplementary measures.
  • Transferring Data to the US: The CJEU invalidated the EU-US Privacy Shield in Schrems II (Case C-311/18, July 2020), chiefly because of US surveillance law and the lack of effective redress for EU data subjects. Transfers to the US therefore rely on Article 46 tools, typically SCCs, together with a documented transfer impact assessment and supplementary measures where the assessment shows the clauses alone do not deliver essentially equivalent protection. Note that on 10 July 2023 the Commission adopted a new adequacy decision, the EU-US Data Privacy Framework; it covers only US organisations that have self-certified under it, and the analysis below concerns transfers outside that framework.

Before relying on any mechanism, the company should map its transfers, select the appropriate tool, assess the destination country’s law as applied in practice, and document the outcome; this is the exercise the EDPB’s Recommendations 01/2020 structure as six steps, and it applies to transfers to the US and to any other non-EEA country.

Assumptions

  1. The company operates within the jurisdiction of the GDPR, either as a data controller or processor, impacting European data subjects.
  2. The “data transfer” in question involves both automated and manual transfers of personal data to the US.
  3. The company currently has no established mechanism for data transfer to the US or seeks to verify the legality of existing practices.
  4. The personal data processed by the company are subject to GDPR without any exclusions or sector-specific conditions.
  5. The company’s activities are commercial and involve systematic and regular data transfers to the US.

PDF Repository

We have searched through the PDF repository of ECJ rulings, European Data Protection Board guidelines, and other documents to provide this supplemental answer.

Details

Given the complexity of transfers from the EU to third countries, and to the US in particular, this supplemental answer focuses on the supplementary measures recommended by the European Data Protection Board (EDPB) for situations where no adequacy decision applies or where the chosen transfer tool alone does not secure an essentially equivalent level of protection.

Legal trace

The following measures are examples of supplementary measures you could consider when you reach Step 4 “Adopt supplementary measures”. Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data, page 28

The EDPB’s Recommendations set out a six-step roadmap for exporters: know your transfers; identify the transfer tool relied on; assess whether the law and practice of the third country impinge on the effectiveness of that tool; adopt supplementary measures where they do; take any procedural steps the chosen measure requires; and re-evaluate at appropriate intervals. The quote introduces Step 4. Supplementary measures are needed only when Step 3 shows that the Article 46 tool (for example SCCs) cannot by itself guarantee essentially equivalent protection because of the destination country’s laws or practices; they do not replace the transfer tool but sit on top of it.

Addressing Deficiencies Through Specific Supplementary Measures

Any supplementary measure may only be deemed effective in the meaning of the CJEU judgment “Schrems II” if and to the extent that it - by itself or in combination with others - addresses the specific deficiencies identified in your assessment of the situation in the third country as regards its laws and practices applicable to your transfer. Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data, page 28

This is the central test: a measure counts only if it closes the specific gap identified in Step 3, so a generic checklist is not enough, and both the assessment and the chosen measures must be documented. For the US, the gap identified in Schrems II is access by public authorities under surveillance programmes without redress essentially equivalent to that available under EU law. The Recommendations treat technical measures as the ones most likely to be effective against such access, in particular strong encryption applied before transfer with the keys held solely by the exporter or another entity in the EEA, and pseudonymisation where the additional information needed to re-identify individuals stays in the EEA. They also state that where the importer needs access to the data in the clear, the typical hosting or SaaS scenario, the EDPB could not identify a technical measure that would be effective on its own. Contractual and organisational measures, such as those quoted below, supplement technical measures but cannot by themselves bind the third country’s public authorities, which are not party to the contract.

The contract could oblige the importer and/or the exporter to notify promptly the data subject of the request or order received from the public authorities of the third country. Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data, page 42

This clause is one of the contractual measures the EDPB lists to reinforce transparency: the data subject learns promptly that a public authority has requested their data, which supports their rights to information and to an effective legal remedy. It has nothing to do with consent, which is not the legal basis for the transfer. Its limits should be understood: the obligation applies only to the extent the law of the third country permits such notification, so the Recommendations pair it with commitments by the importer to notify the exporter, to assess the legality of the request and challenge it where there are grounds to do so, and, if it must comply, to disclose only the minimum data required.

Organizational Measures and Internal Policies

Additional organisational measures may consist of internal policies, organisational methods, and standards controllers and processors could apply to themselves and impose on the importers of data in third countries. Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data, page 43

Organisational measures are the internal governance layer: they bind the exporter and, through contract, the importer, and they make the technical and contractual measures verifiable. The Recommendations give examples such as internal policies for the governance of transfers (with clear responsibilities and an escalation path for access requests), transparency and accountability measures (documenting and reporting requests from public authorities), data minimisation, and adoption of recognised standards and best practices backed by regular audits. On their own they cannot prevent access by a third-country authority; their value lies in ensuring that the measures that can are actually applied and evidenced.

Conclusion and Practical Guidance for US Data Transfers

Taken together, the Recommendations give exporters a structured method rather than a guarantee: map the transfers, choose the Article 46 tool, assess US law as it applies to the specific importer and data, add measures that close the identified gaps, complete any procedural steps, and re-evaluate whenever the law or the facts change. For a company hosting on US servers this means, in practice, SCCs (or BCRs within a corporate group) plus a documented transfer impact assessment, encryption with keys kept in the EEA wherever the provider does not need cleartext access, and contractual and organisational commitments covering government access requests. Following this method equips the company to demonstrate the lawfulness of its transatlantic transfers to a supervisory authority, which is what the GDPR’s accountability principle requires.