Businesses get fresh guidance on EU-US personal data transfers

The European Data Protection Board (EDPB) clarified the requirement in a new information note (3-page / 185KB PDF) on data transfers to the US under the EU General Data Protection Regulation (GDPR).

The transfer of personal data across borders is common in the everyday operations of multinational businesses, but strict rules govern such transfers in many jurisdictions. In the EU, the restrictions apply to transfers from the EU to jurisdictions outside of the European Economic Area (EEA) and are outlined under Chapter V of the EU GDPR.

Chapter V provides legal bases – or transfer tools – for businesses to transfer personal data outside of the EEA. These include adequacy decisions; standard contractual clauses (SCCs) and other “appropriate safeguards”; binding corporate rules; and derogations for specific situations.

Adequacy decisions are decisions the European Commission can issue that essentially declare that a country, territory, or specified sector provides an adequate level of protection for personal data. Where businesses are relying on an adequacy decision to transfer personal data, they do not need to apply additional safeguards in respect of those arrangements.

The Commission has issued an adequacy decision in respect of data transfers to the US. The EU-US Data Privacy Framework (DPF), colloquially known as Privacy Shield 2.0, is in effect a part-adequacy decision because the mechanism is not open to all business sectors – currently, it is only open to organisations regulated by the US Federal Trade Commission or US Department of Transportation, so excludes US financial services institutions and telecommunication companies, for example.

Eligible businesses can self-certify against privacy principles to enable transfers under the DPF. The framework provides limits on US intelligence agencies’ scope to access EU citizens’ data when transferred to the US and provides EU citizens with scope to raise complaints about the way their data is handled before a Data Protection Review Court (DPRC).

In its new information note, the EDPB confirmed that equivalent measures provided for under the DPF have to be provided for in the context of other EU-US data transfer arrangements that do not involve a US entity that has certified under the DPF. Those measures are “appropriate data protection safeguards, enforceable rights and effective legal remedies for data subjects”, it said.

A ruling by the EU’s highest court clarified that an assessment of the laws of the third country to which personal data is being exported needs to be undertaken in the context of the transfer to confirm whether the data would receive essentially equivalent protection to the protection provided in the EU after it is exported. These assessments are sometimes called transfer impact assessments or data transfer impact assessments.

According to the EDPB, businesses seeking to transfer personal data to the US outside the scope of the DPF should refer to the European Commission’s adequacy decision for the DPF when conducting transfer impact assessments in respect of the effectiveness of the safeguards they are implementing. It said this is possible since the safeguards that the US government was prompted to put in place to underpin the DPF, in respect of the processing of EU citizens’ data for national security purposes, “apply to all data transferred to the US” regardless of the transfer tool used to facilitate the transfer.

Data protection law expert Andre Walter of Pinsent Masons in Amsterdam said: “It had been clear that companies certified under the DPF enjoy unrestricted data flows to the US, and it had also been clear that not being certified under the DPF requires appropriate data protection safeguards to be put in place, such as SSCs. What hadn't been so clearly stated – until now – was that the transfer impact assessment in respect of those safeguards should be based on the Commission's adequacy decision assessment for the DPF.”