GDPR and Transfer of Data to the US
Law | 6 min read (1330 words).
Transferring personal data from the EU to the US is currently problematic under the GDPR. This post summarises the situation at the moment.
Background
For an introduction to the GDPR, read my previous blog post: GDPR for Personal Websites. One of the biggest challenges related to the GDPR at the moment is that of transferring personal data from the EU to the United States, which is hard to avoid for anyone who wants to use American cloud or hosting providers such as AWS, GCP, Azure, Netlify, Linode, Digital Ocean, GitHub Pages, etc.
As a quick recap of the linked blog post above, even hosting a static website using an American company’s service will potentially be covered by the GDPR (since IP addresses can be personal data), and if you are yourself located in the EU or you are targeting EU citizens, this would constitute a transfer of personal data to a third country or international organisation under the GDPR. This means that you need to comply with chapter 5 of the GDPR, and this is currently complicated.
Grounds for data transfer
There are several different ways for international data transfers to comply with the GDPR. At least one of these must apply:
- Article 45: Transfers on the basis of an adequacy decision
- Article 46: Transfers subject to appropriate safeguards
- Article 47: Binding corporate rules
- Article 49: Derogations for specific situations
The following sections give an overview of each of these.
Transfers on the basis of an adequacy decision
When possible, this is by far the easiest way to fulfil the GDPR’s requirements for data transfers. This is also where the current situation between the EU and the US is complicated. There have been ‘adequacy decisions’ for transfer of personal data to the US previously, but they have been invalidated twice.
Before the GDPR, there was the Safe Harbour decision by the European Commission from 2000. The European Court of Justice declared the Safe Harbour decision to be invalid in a case filed by Max Schrems that is now called Schrems I.
After this, the EU and USA agreed on a new framework for personal data transfer, which was called the EU–US Privacy Shield. The European Commission adopted this on 12 July 2016. This adequacy decision was still present when the GDPR went into force on 25 May 2018 and would in theory enable transfer of personal data between the EU and US.
In another legal case, also initiated by Max Schrems, the European Court of Justice invalidated the EU-US Privacy Shield too. This ruling from 16 July 2020 is usually referred to as Schrems II. It still keeps open the possibility that standard contractual clauses can be used as a ground for data transfer.
Based on these two Schrems rulings, it can be of interest to dive a bit deeper into who Max Schrems is and what his views are on this. He is a European lawyer with a special interest in privacy laws and also the creator of NOYB, a non-profit organisation focused on privacy issues. As such, if we look at what NOYB and Max Schrems are advocating and follow this advice, we would probably achieve at least as good privacy protection as the law demands and possibly better. For anyone who wants to play it safe, this sounds like a good thing.
Here are NOYB’s opinions after Schrems II:
Not surprisingly, NOYB basically argues that EU companies cannot transfer personal data to most American cloud providers at the moment due to US surveillance laws.
Transfers subject to appropriate safeguards
Despite Schrems II, there is still a possibility to justify data transfers on the basis of appropriate safeguards and in particular standard contractual clauses that are approved by the European Commission. This appears to be what most US cloud providers are currently arguing for as their way to comply with the GDPR.
This still requires appropriate data protection. From recital 108:
Those safeguards should ensure compliance with data protection requirements and the rights of the data subjects appropriate to processing within the Union, including the availability of enforceable data subject rights and of effective legal remedies, including to obtain effective administrative or judicial redress and to claim compensation, in the Union or in a third country.
In other words, similar problems that caused the EU-US Privacy Shield to be invalidated can be an issue when basing data transfers on this too.
Binding corporate rules are similar to this and will not be discussed.
Other grounds for data transfers
There are some exceptions to the rules described above, and these are found in Article 49. These exceptions seem very useful at first, but an important detail is this:
[…] only if the transfer is not repetitive, concerns only a limited number of data subjects, is necessary for the purposes of compelling legitimate interests pursued by the controller which are not overridden by the interests or rights and freedoms of the data subject […]
In practice, these exceptions appear to be useful only in situations such as when you need to contact an American company to deliver a specific e-mail or to make a hotel reservation on behalf of a user. They do not apply when, for example, an American cloud provider was chosen for data processing out of convenience.
What are American Big Tech saying?
Not surprisingly, the big cloud providers argue for full GDPR compliance:
The legal situation is highly uncertain and this is what we should expect. It is clear that Google, Amazon, and others have a sincere focus on privacy protection and I think they deserve recognition for that. What is partially outside of their control is legal requirements from US surveillance laws and this is the main risk.
US surveillance vs EU privacy protection
The basic problem that the European Court of Justice (ECJ) and various commentators (including NOYB) identify is the clash between American surveillance laws and the strict privacy protection requirements in the EU GDPR.
I will not go through all the US surveillance laws here, since I am not an expert and that would be more details than are needed. Let us simply conclude that there are substantial uncertainties and legal risks here at the moment.
What to do?
The situation is quite annoying, since most Europeans, like me, would like to use American cloud providers without legal risks due to the GDPR or similar laws.
There are different ways to deal with this right now and overall this is a question of risks and trade-offs. As an individual or organisation located in the EU, one very safe option is to move over to EU providers for now. Another is to try to achieve adequate privacy protection for your users while using American cloud providers, but this is clearly not without risk.
Personally, I have moved my blog to a Swedish hosting provider for now and this both lowers my risks and protects the privacy of my visitors.
However you deal with this right now, hopefully the situation will improve soon!
Future development
Luckily, the EU and US recognise this problem and are working on a new agreement to enable the transfer of personal data between the regions. This is not yet finalised, but on 25 March 2022 the European Commission and the United States made a joint statement on the Trans-Atlantic Data Privacy Framework.
This new Trans-Atlantic Data Privacy Framework will replace the invalidated EU-US Privacy Shield in the future and we can then expect a new adequacy decision to be made by the European Commission.