GDPR

The EU General Data Protection Regulation (GDPR), which has applied since 25 May 2018, lays down the conditions under which personal data may be transferred to countries outside the EU and the EEA ("third countries"). This overview addresses the key requirements and considerations for data transfers to the United States.

WHERE WILL YOU ENCOUNTER DATA TRANSFERS TO THE US?

Personal data typically moves to the US through centralised data administration by an American parent company, or through US service providers that handle HR functions such as payroll or recruiting. Transfers also occur less visibly when a company uses cloud services whose servers are located in the US. Note that a transfer does not require data to be physically shipped: any situation in which personal data is stored on, or can be accessed from, US servers or by US-based staff (for example remote support or administration) constitutes a transfer under the GDPR.

WHAT MUST BE CONSIDERED WHEN TRANSFERRING DATA?

The GDPR requires a two-tier assessment for third-country transfers. First, the processing itself needs a legal basis (Article 6 GDPR, or Article 9 for special categories of data); this alone is not sufficient. Second, the transfer needs a mechanism under Chapter V of the GDPR: an adequacy decision (Article 45), appropriate safeguards (Articles 46 and 47), or, failing both, one of the derogations of Article 49 such as the explicit consent of the data subject.

TRANSFERS ON THE BASIS OF AN ADEQUACY DECISION, ARTICLE 45 GDPR

The European Commission can determine that a third country ensures an adequate level of data protection; transfers to such a country then require no further authorisation. Countries holding this designation include, among others, Switzerland, Argentina, New Zealand and Canada (for Canada limited to commercial organisations subject to its federal privacy law). There is no general adequacy decision for the US; the Privacy Shield decision discussed below covers only companies that have self-certified under it and meet its conditions.

APPROPRIATE SAFEGUARDS, ARTICLE 46 GDPR

Without an adequacy decision, a transfer requires appropriate safeguards that provide data subjects with enforceable rights and effective legal remedies, such as the EU standard contractual clauses or binding corporate rules.

CONSENT, ARTICLE 49 (1) A) GDPR

Where neither an adequacy decision nor appropriate safeguards exist, a company may transfer data on the basis of the data subject's explicit consent. The data subject must first be informed of the possible risks of a transfer that lacks an adequacy decision and appropriate safeguards. This approach presents practical and legal challenges in the employment context, where it is doubtful that consent can be freely given. German employee data protection law additionally requires that consent be given freely and, as a rule, in writing, with specific disclosures about the purposes of processing and the right to withdraw consent at any time.

WHY DID THE EC NEGOTIATE THE PRIVACY SHIELD?

The Safe Harbour Decision, the predecessor of the Privacy Shield, was invalidated by the European Court of Justice (CJEU) in October 2015 (Schrems). The Court found that US law permitted US intelligence agencies access on a generalised basis to personal data transferred to self-certified companies, and that EU data subjects had no effective legal remedy against such access. This was held incompatible with the essence of the EU fundamental rights to privacy and to effective judicial protection.

WHAT IS THE PRIVACY SHIELD?

Under Commission Implementing Decision (EU) 2016/1250, transfers to the US are permissible to companies that have self-certified their adherence to a set of data protection principles. Certification must be renewed annually. The US Department of Commerce maintains the list of certified companies and monitors compliance; before relying on the Privacy Shield, an exporter should verify that the recipient actually appears on that list and that the certification covers the type of data (e.g. HR data) being transferred. The Privacy Shield includes written assurances from the US government that access by public authorities is subject to limitations and oversight, though exceptions for national security remain. An ombudsperson, independent of the intelligence agencies, handles complaints from EU citizens concerning access to their data for national security purposes.

WHY SHOULD COMPANIES CONSIDER OTHER OPTIONS?

The Privacy Shield faced criticism from the outset: the safeguards against arbitrary access by US authorities were considered vague, and the rights of foreign nationals against US surveillance remained insufficiently protected.

ESCALATION AND IMPLEMENTATION DEADLINE OF 30 OCTOBER 2018

In its first annual review in October 2017, the European Commission reaffirmed the adequacy finding but recommended improvements, in particular to the monitoring of certified companies and to the functioning of the ombudsperson mechanism. The US failed to implement these recommendations. In January 2018 Congress reauthorised the foreign intelligence surveillance provisions (Section 702 FISA) without granting protections to non-US citizens. In July 2018 the European Parliament adopted a resolution questioning the adequacy of the Privacy Shield and calling for its suspension unless the US complied. EU Justice Commissioner Věra Jourová demanded compliance, warning that the adequacy decision could otherwise be withdrawn.

THE CJEU’S RIGHT TO REJECT

The Court of Justice can review the Privacy Shield in preliminary ruling proceedings, and a reference is pending in the proceedings concerning Facebook Ireland's transfers of user data to its US parent company. In the Safe Harbour judgment the Court emphasised that an adequate level of protection requires effective legal remedies for data subjects. Because EU citizens currently have no way of learning whether US authorities have accessed their data, they cannot effectively exercise their rights or even decide whether to involve the ombudsperson, which calls the protection standard into question.

WHAT ALTERNATIVES ARE THERE TO THE PRIVACY SHIELD?

If the Privacy Shield is revoked or suspended, transfers relying on it would lose their legal basis overnight. European companies should therefore examine now which alternative mechanisms could support their US data transfers.

EU STANDARD DATA PROTECTION CLAUSES, ARTICLE 46 (2) D) GDPR

The standard data protection clauses (model clauses) adopted by the European Commission provide a standardised contractual framework for third-country transfers that requires no separate authorisation by a supervisory authority. Three sets exist: one for transfers from a controller to a processor and two for transfers between controllers. The clauses themselves cannot be amended; the parties must adopt them as written. Their annexes must specify in detail the data transferred, the categories of data subjects and the purposes of processing. Large corporate groups benefit from incorporating the clauses into a comprehensive framework agreement that governs all intra-group transfers, provided the additional terms do not contradict the clauses.

BINDING CORPORATE RULES, ARTICLE 47 GDPR

Corporate groups with at least one member established in the EU may use binding corporate rules for transfers within the group. The rules must implement the general data protection principles, grant data subjects enforceable rights including a complaint procedure, and require data protection training for employees with access to personal data. They must be approved by the competent supervisory authority before they can be relied on; the approval procedure is lengthy, so BCRs are not a short-term substitute for the Privacy Shield.

CERTIFICATIONS, ARTICLE 46 (2) F) GDPR

An approved certification mechanism, combined with binding and enforceable commitments of the recipient to apply the appropriate safeguards, can also provide a basis for third-country transfers. However, no such certifications have been approved so far and the details remain unclear pending guidance from the supervisory authorities, so this approach currently offers no legal certainty.

INDIVIDUAL CLAUSES, ARTICLE 46 (3) A) GDPR

Customized data export agreements address specialized transfer requirements not covered by standard clauses. These cannot provide less protection than EU standards and require supervisory authority approval.

The Privacy Shield alone provides insufficient legal certainty for US data transfers. Companies should keep an inventory of their international data transfers and the mechanism each relies on, review it regularly, and put alternative mechanisms such as the standard contractual clauses in place in good time so that they are prepared for a suspension or invalidation of the Privacy Shield.