GDPR Regulations on Personal Data Transfers Outside the EEA and Data Transfer Mechanisms to the US

Question

Can you explain how the GDPR regulates personal data transfers outside the EEA? What is a data transfer? Can I find a definition in the GDPR? What mechanisms can be used to make them legal? What's the difference between these mechanisms and who can use them? How does the European Commission assess the adequacy of protection in a given third country? Are there any exceptions to these rules? If my company uses servers which are located in the US, how can I ensure that this data transfer is compliant with the EU law?

What are the best mechanisms to transfer data to the US?

Executive Summary

In response to the complexities of transferring personal data outside the EEA under GDPR, this summary provides key insights for compliance:

  • Definition and Scope of Data Transfer: Transferring personal data to a non-EEA country falls under ‘processing’ activities, requiring adherence to GDPR protection standards.
  • Legal Framework for Transfers: Data transfers to countries with an EU Commission adequacy decision don’t need specific authorization; otherwise, alternative mechanisms like standard contractual clauses or binding corporate rules must be employed.
  • Mechanisms to Ensure Compliance:
    • Adequacy Decisions provide a streamlined data transfer process, but are subject to periodic review.
    • Binding Corporate Rules (BCRs) facilitate intra-group international data transfers within multi-national companies, with regulatory oversight.
    • Standard Contractual Clauses (SCCs) are a common tool for legal data transfer where no adequacy decision exists, customizable to specific transfer scenarios.
  • Transferring Data to the US: Following the invalidation of the EU-US Privacy Shield, businesses must use alternative mechanisms, subject to more stringent checks, to ensure GDPR compliance.

Entrepreneurs should conduct a thorough assessment and implement the most suitable data transfer solution to meet the strict GDPR standards when dealing with transfers to the US or other non-EEA countries.

Assumptions

  1. The company operates within the jurisdiction of the GDPR, either as a data controller or processor, impacting European data subjects.
  2. The “data transfer” in question involves both automated and manual transfers of personal data to the US.
  3. The company currently has no established mechanism for data transfer to the US or seeks to verify the legality of existing practices.
  4. The personal data processed by the company are subject to GDPR without any exclusions or sector-specific conditions.
  5. The company’s activities are commercial and involve systematic and regular data transfers to the US.

Legal trace

Having gathered and analyzed the necessary information from the GDPR articles and recitals, I will now compile the findings into a comprehensive advisory report as per the senior lawyer’s plan. This will culminate in a thorough response to the user’s legal question, encompassing all the necessary aspects of the GDPR pertaining to data transfers outside the EEA.

Understanding GDPR Data Transfers

‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); Article 4(1)

Personal data encompasses a wide array of information that can be linked to an individual. For GDPR to apply to data transfers, the data involved must fit this definition.

‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction; Article 4(2)

Data transfer falls under the broad category of ‘processing’, particularly implying the ‘disclosure by transmission’ of data outside the EEA. This interpretation bridges the gap for the undefined term ‘data transfer’ within GDPR.

Any transfer of personal data which are undergoing processing or are intended for processing after transfer to a third country or to an international organisation shall take place only if, subject to the other provisions of this Regulation, the conditions laid down in this Chapter are complied with by the controller and processor, including for onward transfers of personal data from the third country or an international organisation to another third country or to another international organisation. All provisions in this Chapter shall be applied in order to ensure that the level of protection of natural persons guaranteed by this Regulation is not undermined. Article 44

The cornerstone principle of GDPR regarding international data transfers is that they must uphold the same level of protection as data processing within the EEA. Compliance with GDPR’s defined conditions is a fundamental requirement.

A transfer of personal data to a third country or an international organisation may take place where the Commission has decided that the third country, a territory or one or more specified sectors within that third country, or the international organisation in question ensures an adequate level of protection. Such a transfer shall not require any specific authorisation. Article 45(1)

The most seamless approach for legal data transfers is when the EU Commission recognizes the third country as presenting an adequate level of data protection. This simplification underpins the importance of adequacy decisions in streamlining compliance.

Alternative Transfer Mechanisms and Adequacy Assessment

In the absence of a decision pursuant to Article 45(3), a controller or processor may transfer personal data to a third country or an international organisation only if the controller or processor has provided appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available. Article 46(1)

Without an adequacy decision, controllers or processors must resort to other appropriate safeguards such as standard contractual clauses or binding corporate rules, ensuring enforceable rights and legal remedies for data subjects are in place.

The Commission … shall decide that a third country, a territory or specified sector within a third country, or an international organisation no longer ensures an adequate level of data protection … if it no longer meets the requirements … this decision shall repeal, replace or amend any existing decision on adequacy … Article 45(5)

Article 45(5) underlines the dynamic nature of adequacy decisions. Given the constantly evolving legal and technological landscape, ongoing assessment is required for these decisions to remain valid.

The Role of Binding Corporate Rules

The competent supervisory authority shall approve binding corporate rules in accordance with the consistency mechanism set out in Article 63, provided that they … fulfil the requirements … Article 47(1)

BCRs offer a robust framework for multinational enterprises to ensure GDPR-compliant data transfers within their global operations, subject to stringent regulatory approval.

Exceptions and Practical Implications

In the absence of an adequacy decision pursuant to Article 45(3), or of appropriate safeguards pursuant to Article 46, including binding corporate rules, a transfer or a set of transfers of personal data to a third country or an international organisation shall take place only on one of the following conditions: … Article 49(1)

Article 49 lays out specific scenarios where data can still be transferred under exceptional circumstances. Such cases are subject to strict conditions reflecting the need for continuity of trade and cooperation, while still prioritizing the protection of personal data.

Reflecting on EU-US Data Transfers

Given the invalidation of the EU-US Privacy Shield, entities engaging in data transfers to the US must be cognizant of the heightened scrutiny applied to alternative legal mechanisms post-Schrems II. This situation underscores the need for active compliance strategies that adapt to legal developments and keep data protection at their core.


In conclusion, the GDPR provides a multifaceted framework for regulating data transfers outside the EEA, centering on the need to maintain a high level of protection for personal data. Adequacy decisions represent an ideal, but where they do not apply, appropriate safeguards — like BCRs or standard contractual clauses — or exceptions are necessary and must be strictly adhered to. Companies transferring data to the US must particularly be vigilant given recent legal developments affecting commonly used transfer mechanisms. Each entity must evaluate and implement the most suitable transfer solution for its specific situation, ensuring ongoing compliance with GDPR requirements.

PDF Repository

We have searched through the PDF repository of ECJ rulings, European Data Protection Board guidelines, and other documents to provide this supplemental answer.

Details

The following supplemental answer elaborates on certain aspects of the GDPR as they pertain to the transfer of personal data to third countries, such as the United States. It is intended to further clarify your queries and equip you with additional insights and guidelines, especially in light of recent legal developments and recommendations from the European Data Protection Board (EDPB).

Legal trace

Clarification and Definition of “Data Transfer” under GDPR

The GDPR does not provide for a legal definition of the notion “transfer of personal data to a third country or to an international organisation” and relevant case law is limited. The lack of definition of transfer in the GDPR leads to legal uncertainty about the precise scope of the obligations deriving from Chapter V and the interplay between Article 3 and Chapter V. Guidelines 05/2021 on the Interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the GDPR, page 6

The EDPB acknowledges the absence of a clear legal definition of “data transfer” within the GDPR. This explains the difficulty you may face in identifying which movements of data actually constitute a transfer subject to Chapter V, a question that is especially relevant when engaging in cross-border data exchanges.

EDPB’s Role in Ensuring Continuity of Data Protection

The EDPB invites the European Commission to pay particular attention to this issue in the context of the report on the evaluation and review of the GDPR as per Article 97. Guidelines 05/2021 on the Interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the GDPR, page 7

This EDPB recommendation that the European Commission clarify the definition of data transfer under the GDPR reflects both an awareness of the gap and a call for greater clarity. It should be factored into your company’s data transfer compliance strategy, as it may affect future interpretations and applications of the GDPR’s relevant provisions.

The main types of transfer instruments listed in Article 46 are: […] Standard Contractual Clauses (SCCs); Binding Corporate Rules (BCRs); Codes of conduct; Certification mechanisms; Ad hoc contractual clauses; International agreements/Administrative arrangements. Guidelines 05/2021 on the Interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the GDPR, page 14

This EDPB guidance enumerates the transfer mechanisms available under Article 46 of the GDPR. It brings specificity to your inquiry about different available legal mechanisms for transferring data outside the EEA, particularly when evaluating the best approach for data transfers to the US.

Transfer Tools and Their Effectiveness

The selected Article 46 GDPR transfer tool must be effective in ensuring that the level of protection guaranteed by the GDPR is not undermined by the transfer in practice. Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data, page 14

The EDPB stresses the essential condition that transfer tools must preserve the data protection level guaranteed within the EEA. This consideration is vital for your company when selecting transfer mechanisms to the US to ensure that your cross-border data flows meet the required GDPR standards in practice.

Supplementary Measures for Data Transfers Post-Schrems II

To help exporters … with the complex task of assessing third countries and identifying appropriate supplementary measures where needed, the European Data Protection Board (EDPB) has adopted these recommendations. Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data, page 3

Following the Schrems II decision, understanding the necessity and scope of supplementary measures is now pivotal for GDPR compliance in the context of data transfers to third countries like the US. This recommendation by the EDPB provides a starting point for the kind of due diligence and additional safeguards that may be needed in the absence of an adequacy decision.

Ongoing Obligations and Continuous Assessment

You must monitor, on an ongoing basis, and where appropriate in collaboration with data importers, developments in the third country to which you have transferred personal data that could affect your initial assessment of the level of protection and the decisions you may have taken accordingly on your transfers. Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data, page 25

The proactive responsibility the EDPB places on exporters to regularly review and adapt to changes in the third country’s data protection framework is significant. It emphasises the importance of consistent vigilance and reassessment for your company to ensure continued GDPR compliance for data transfers to the US.

… additional safeguards as long as the identified supplementary measures do not contradict, directly or indirectly, the SCCs and are sufficient to ensure that the level of protection guaranteed by the GDPR is not undermined. Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data, page 24

The integration of supplementary measures with SCCs necessitates a careful balancing act to ensure that the protective standards of GDPR are upheld and not contradicted. This is particularly relevant for your company in determining a secure and lawful pathway for data transfers to the US.

Accountability and Documentation of Data Transfers

You will need to document appropriately this assessment and the supplementary measures you select and implement and make such documentation available to the competent supervisory authority upon request. Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data, page 10

The EDPB highlights the importance of maintaining documentation regarding the adequacy of protection assessments and implementation of supplementary measures. This not only reinforces the GDPR principle of accountability but also aligns with the need for transparency and readiness to demonstrate compliance with the data protection standards for your US data transfers.

Conclusion

The insights provided by the European Data Protection Board (EDPB) furnish your company with nuanced guidance on transferring personal data outside the EEA, ensuring an understanding of the sufficiency of protection mechanisms, the continuous obligations attached to such transfers, and the documentation required for accountability. These recommendations serve as a means to fortify your existing strategy for GDPR compliance, particularly when dealing with data transfers to the US. It is advisable to incorporate these EDPB guidelines into your data protection practices to navigate the complex legal landscape effectively and securely.