Transferring personal data from Europe to the United States

EU General Data Protection Regulation (GDPR) and Swiss Federal Data Protection Act (DPA)

In the EU and in Switzerland, processing personal data is generally prohibited, unless it is expressly allowed by law, or the data subject has consented to the processing. While being one of the more well-known legal bases for processing personal data, consent is only one of six bases mentioned in the General Data Protection Regulation (GDPR). The others are: contract, legal obligations, vital interests of the data subject, public interest and legitimate interest as stated in Article 6(1) GDPR.

The basic requirements for the effectiveness of a valid legal consent are defined in Article 7 and specified further in recital 32 of the GDPR. Consent must be freely given, specific, informed and unambiguous. In order to obtain freely given consent, it must be given on a voluntary basis.

For consent to be informed and specific, the data subject must at least be notified about the controller’s identity, what kind of data will be processed, how it will be used and the purpose of the processing operations as a safeguard against ‘function creep’. The data subject must also be informed about his or her right to withdraw consent anytime. The withdrawal must be as easy as giving consent. Where relevant, the controller also has to inform about the use of the data for automated decision-making, the possible risks of data transfers due to absence of an adequacy decision or other appropriate safeguards.

The consent must be bound to one or several specified purposes which must then be sufficiently explained. If the consent should legitimise the processing of special categories of personal data, the data for the data subject must expressly refer to this. There must always be a clear distinction between the data needed for the informed consent and data about other contractual matters.

EU General Data Protection Regulation (GDPR) and Swiss Federal Data Protection Act (DPA) compliance require data controllers to sign a data processing agreement with any parties that act as data processors on their behalf. Typically, a data processor is another company used to help store, analyse, or communicate personal data.

Data processing agreement

When personal data is transferred from the EU to the United States only for processing purposes, a data processing agreement will be required, regardless of participation by the processor in the Privacy Shield. Data controllers in the European Union are always required to enter into a contract when a transfer for mere processing is made, whether the processing operation is carried out inside or outside the EU, and whether the processor participates in the Privacy Shield. 

Privacy Shield Principles

The EU-U.S. and Swiss-U.S. Privacy Shield Frameworks were designed by the U.S. Department of Commerce and the European Commission and Swiss Administration to provide companies on both sides of the Atlantic with a mechanism to comply with data protection requirements when transferring personal data from the European Union and Switzerland to the United States in support of transatlantic commerce. The Privacy Shield Framework provides a method for companies to transfer personal data to the United States from Europe in a way that is consistent with European law. This framework protects the fundamental rights of anyone in the EU whose personal data is transferred to the United States for commercial purposes, like in the case of the cooperation between PON and ECDC. It allows the free transfer of data to companies that are certified in the US under the Privacy Shield.

How to join the Privacy Shield Framework

To join the Privacy Shield Framework, a company must self-certify to the Department of Commerce that it complies with the Privacy Shield Principles. A company’s failure to comply with the Principles is enforceable under Section 5 of the FTC Act prohibiting unfair and deceptive acts. The FTC has committed to make enforcement of the Framework a high priority, and will work together with EU privacy authorities to protect consumer privacy on both sides of the Atlantic. The Department of Commerce has created a Fact Sheet with an overview of the protections provided and how the program works. More detailed data is available at the Department of Commerce Privacy Shield Website.

EU court invalidates EU-US Data Protection Shield due to US surveillance laws

Recently, the European Court has overruled an EC decision for the second time in two days, concluding that US surveillance means that EU data is not safe if transferred across the Atlantic.

According to the Court of Justice of the European Union press announcement, the limitations on the protection of personal data arising from the domestic law of the United States on the access and use by US public authorities of such data transferred from the European Union to that third country, which the Commission assessed in Decision 2016/1250, are not circumscribed in a way that satisfies requirements that are essentially equivalent to those required under EU law, by the principle of proportionality, in so far as the surveillance programmes based on those provisions are not limited to what is strictly necessary.

Companies transferring large amounts of data from the EU to the US must find a new agreement to do so. However, the Court has upheld the validity of Decision 2010/87 establishing standard contractual clauses for certain categories of transfers of personal data to processors established in third countries – not finding it in breach the Charter of Fundamental Rights, and therefore not taking issue with the use of contractual clauses for such data transfers out of the EU to occur (Data Protection Commissioner v Facebook Ireland and Maximillian Schrems (C-311/18)).

The Court raised the fact that its provisions do not enable data subjects to commence legal proceedings based on actionable rights before the courts against the US authorities.

Links