• >
• GDPR & Personal Data
• >
• International transfers of personal data – can we transfer personal data the EU to the US?

International transfers of personal data – can we transfer personal data the EU to the US?

In order for personal data to leave the EU, Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (the “GDPR”) requires compliance with certain conditions that make such international transfers of personal data legally possible. However, following several conceptual changes, it is currently unclear whether risk-free transfers of personal data from the EU to the US can be implemented. In terms of legal regulation, the transfer of personal data to the US is currently the subject of numerous negotiations by the relevant EU authorities.

Under the GDPR, personal data can only be transferred from the EU to non-EU countries in accordance with specific data transfer mechanisms. In the words of the European Commission: “When personal data are transferred outside the European Economic Area, specific safeguards are foreseen to ensure that protection travels with the data. “[1] One possible mechanism that enables the transfer of personal data between the EU and third countries is a decision by the European Commission that the third country provides an adequate level of protection to EU data, i.e. an adequacy decision within the meaning of Article 45 of the GDPR.

The transfer of personal data from the EU to the US within the meaning of Article 45 of the GDPR previously occurred mainly on the basis of European Commission decision 2016/1250 of 12 July 2016, which reflected the legal framework between the EU and the US referred to as the so-called Privacy Shield. This allowed US companies to transfer personal data from the EU to the US in a relatively convenient way, as long as they were certified under Privacy Shield.[2] Simply put, during the operation of Privacy Shield, all that was needed was for the company concerned to be on a list established by the US Department of Commerce and, as a result, the transfer of personal data was perceived as a transfer of personal data made in accordance with EU law. However, on 16 July 2020, Privacy Shield was repealed following the decision of the Court of Justice of the EU (“CJEU“) in Case C-311/18 (“Schrems II“). In general terms, in this decision, the CJEU stated that Privacy Shield gives the US government authorities the ability to obtain data on a broad scale from private US companies and that EU entities do not have sufficiently effective legal protection against the US authorities in relation to the transfer of personal data, thus the US has failed to ensure an equivalent level of data protection and privacy in light of the EU Charter of Fundamental Rights. In order to continue to lawfully transfer personal data to the US, companies have been forced to resort to alternative data transfer mechanisms.

EU-US Data Privacy Framework

Given that the US and the EU are very important trading partners, the disruption of bilateral data flows has had and continues to have a major impact on digital trade, as alternative mechanisms for transferring personal data are no longer as easy to implement as the transfer of personal data under the European Commission’s adequacy decision.

The European Commission has therefore initiated discussions with the relevant US authorities on further steps to update or create a Privacy Shield equivalent in line with the requirements contained in the Schrems II decision. In October 2022, a regulation was issued in the US to introduce a new framework for the protection of personal data shared between the US and the EU, which is intended to replace the aforementioned Privacy Shield and which addresses the shortcomings of Privacy Shield identified in the Schrems II decision.[3] The issuance of the Regulation has started a process within the European Commission to assess the new regime introduced by the Regulation and, in this context, to prepare an appropriate decision confirming the adequacy of the level of protection of personal data in the US. The aim of the process is to bring certainty and clarity to transatlantic flows of personal data.

At the end of 2022, European Commissioner Didier Reynders sent the long-awaited draft decision of the European Commission on the adequacy of the level of data protection ensured by the EU-US Data Privacy Framework to the President of the European Data Protection Board (the “Board“), Andrea Jelinek.[4] The Board subsequently issued an opinion on 28 February 2023, in which it expressed its satisfaction that many elements of the EU-US Data Privacy Framework represent a substantial improvement over the Privacy Shield (for example, the establishment of a data protection review tribunal to investigate and resolve complaints regarding access to personal data by US national security authorities, or allowing US intelligence agencies access to personal data only in necessary situations, in particular in the event of a threat to national security). However, despite these positives, the Board notes some concerns in its opinion and asks the European Commission to clarify certain aspects of the EU-US Data Privacy Framework.[5]

However, the EU Member States and the European Parliament will still have to comment on the EU-US Data Privacy Framework before the European Commission can adopt an appropriate decision on adequate protection to allow the free and secure flow of personal data between the EU and the US.

So how to transfer personal data between the EU and the US before the European Commission’s adequacy decision is adopted?

Until the above-mentioned adequacy decision is adopted by the European Commission, other means should be used to transfer personal data between the EU and the US. These include the so-called appropriate safeguards under Article 46 GDPR and the so-called exemptions under Article 49 GDPR.

In relation to the transfer of personal data on the basis of exceptions under Article 49 of the GDPR, the Board has adopted Guidelines on derogations to Article 49 of the GDPR.[6] In particular, the Guidelines emphasise that the exceptions must be interpreted restrictively and sparingly so that they do not become the rule. Moreover, regarding the application of the exception, the exception can only be applied if the rules set out in the GDPR are complied with, which include the condition of occasional non-recurring transfers and the impossibility of basing any transfer on any of the provisions of Article 45 or 46 of the GDPR.

Appropriate safeguards within the meaning of Article 46 of the GDPR include various alternative instruments for the transfer of personal data, including the so-called standard contractual data protection clauses adopted by the European Commission. These are model modular contract texts which, due to their relative simplicity, are a widely used means of providing data protection safeguards when drafting relevant data protection contracts. The 2021 version of the standard contractual clauses is currently in use, replacing the original standard contractual clauses which were adopted before the GDPR came into force and did not respond adequately to technological and societal advances in the area of data protection. The new standard contractual clauses are better suited to the diverse business relationships between data controllers and their suppliers as they are to some extent variable.

Although standard contractual clauses are a relatively simple solution for ensuring data protection safeguards, they cannot simply be copied at the end of the relevant contractual documentation without being modified by the parties. As it is not possible to define in general terms all the possible foreseeable situations for which the parties conclude standard contractual clauses, they require the parties to intervene in certain parts of them. For example, it is necessary to specify the categories of personal data to be transferred, the frequency of the transfer (e.g. whether the data are transferred on a one-off basis or on an ongoing basis), the period for which the personal data will be retained or, if this cannot be determined, the criteria used to determine this period.

Given that the CJEU emphasised in the above-mentioned Schrems II decision, in several points of the reasoning of the decision, that, since the mere conclusion of standard contractual clauses may not be sufficient for the lawful transfer of personal data, it is necessary for the contracting parties themselves to assess whether the conclusion of standard contractual clauses constitutes a sufficient means in a given case to ensure the effective protection of the personal data transferred and whether the contracting parties are able to implement the rights and obligations agreed upon in the contract in practice.[7] In particular, the data exporter must verify whether the current legislation of the country to which the personal data are transferred allows for the fulfilment of the individual provisions of the standard contractual clauses. At the same time, it is necessary to monitor the evolution of the regulation in the country in question, as a situation could arise where, for example, the data importer is not able to implement the standard contractual clauses properly due to the new legislation, in which case the transfer of personal data would have to be paused or stopped.

In the context of all the above, the contracting parties should also ensure not only appropriate technical measures (e.g. proper encryption of data in transit, storage of data and relevant metadata within data centres in the EU Member State, pseudonymisation, etc.) but also organisational measures (periodic training of staff, establishment of internal rules on access to personal data, etc.), all of which should be properly addressed in the contractual documentation.[8] However, some parts of the standard contractual clauses should remain completely intact, as otherwise the standard contractual clauses risk losing their purpose of providing data protection safeguards. In this respect, the model standard contractual clauses are relatively indicative.

Conclusion

Although work is underway to make the EU-US Data Privacy Framework operational as soon as possible, it is clear from the current situation that many aspects of the Framework will need to be clarified and further developed. Even though the legal issues are not yet completely resolved, in our experience transfers to the US continue to operate, especially under the standard contractual data privacy clauses adopted by the European Commission. In view of the rather general opinion of the Data Protection Authority[9] , we do not expect a widespread sanctioning practice in the Czech Republic. Indeed, we do not consider it appropriate given the state of legal regulation and the partial degree of uncertainty. On the other hand, the recommendations regarding contractual grounds as well as technical and organisational data security are well known and in our opinion, it is therefore essential that they are implemented in the practice of any transfer of personal data.

[1] International transfers of personal data [online]. [cit. 2023-03-29]. Available from: https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/rules-international-data-transfers_en

[2] WIGAND Christian et al. European Commission launches EU-U.S. Privacy Shield: stronger protection for transatlantic data flows. 2016-07-12 [online]. [cit. 2023-03-29]. Available from: https://ec.europa.eu/commission/presscorner/detail/en/IP_16_2461

[3] Cooper Dan et al. President Biden Signs Executive Order to Implement EU-U.S. Data Privacy Framework. 2022-10-14 [online]. [cited 2023-03-29]. Available from: https://www.insideprivacy.com/eu-data-protection/president-biden-signs-executive-order-to-implement-eu-u-s-data-privacy-framework/

[4] EU – US Data Privacy Framework and European Commission proposal. 2022-12-20 [online]. [cited 2023-03-29]. Available from: https://www.uoou.cz/eu-us-data-privacy-framework-a-navrh-evropske-komise/d-56714

[5] Opinion 5/2023 on the European Commission Draft Implementing Decision on the adequate protection of personal data under the EU-US Data Privacy Framework. 2023-02-28 [online]. [cit. 2023-03-29]. Available from: https://edpb.europa.eu/system/files/2023-02/edpb_opinion52023_eu-us_dpf_en.pdf

[6] Guidance Note 2/2018 on exemptions under Article 49 of Regulation (EU)

2016/679. 2018-05-25 [online]. [cited 2023-03-29]. Available from: https://www.uoou.cz/assets/File.ashx?id_org=200144&id_dokumenty=33546

[7] In particular, points 126, 128, 130 to 134.

[8] Opinion of the OFO on the use of cloud services from the perspective of personal data protection and the obligations of the controller and processor under the General Regulation. [online]. [cited 2023-03-29]. Available from: https://www.mvcr.cz/soubor/vyjadreni-uoou-k-vyuzivani-cloudovych-sluzeb-z-pohledu-ochrany-osobnich-udaju-a-povinnostem-spravce-a-zpracovatele-podle-obecneho-narizeni.aspx

[9] Statement of the ÚOOÚ on the transfer of personal data to third countries in the Frequently Asked Questions section [online]. [cited 2023-03-29]. https://www.uoou.cz/k-predavani-osobnich-udaju-do-tretich-zemi/ds-5296.