The new European attitude towards personal data transfer to the United States in connection with the invalidation of the personal data “Privacy Shield” between the EU and the US (EU-US Privacy Shield)

The Body responsible for controlling EU public institutions in relation to personal data protection (European Data Protection Supervisor or EDPS) published on 29 October this year а Strategy on personal data transfer by European Institutions, Bodies, Offices and Agencies to third countries and in particular to the United States. The reason behind the EDPS Strategy is the disclosure of information that the European Parliament’s website for coronavirus tests management has been “attacked” with more than 150 requests to track the site’s users, and many of these “trackers” transmit data to US companies.

With this document, the EDPS encourages EU Bodies and Institutions to refrain from and avoid undertaking new activities for the personal data transfer and transmission to the United States. The Strategy also includes short- and medium-term compliance measures and actions, such as the preparation of a Transfer Impact Assessment prepared for each new cross-border data transfer process to the United States. Part of this Impact Assessment should include information on the specific data transmission and whether the country to which the data is intended to be transmitted provides an equivalent level of protection corresponding to that in the EU.

The Strategy prepared by the EDPS is another proof of the change that has occured in the attitude of the European Union regarding personal data transfer. The rules on personal data transfer to third countries outside the EU, and in particular to the United States, have undergone a significant change in light of the Judgement of the Court of Justice of the European Union of July 16 this year in the case, which became known as “Schrems II”. In this case, the Court of Justice annulled the EU Decision on the adequacy of the EU-US “Privacy Shield”, which regulated cross-border personal data transfer between the EU and the US. In its reasoning, the Court held that US law allows authorities to collect personal data of EU data subjects without the appropriate protection measures and legality guarantees which would meet the data protection requirements laid down in EU law. In addition, the Court finds that there is a lack of effective means of seeking compensation against the US Government from EU data subjects.

In the context of the Judgement thus adopted, the other personal data regulator – the European Data Protection Board (EDPB), clarified that there is no planned “transitional period” in which data controllers from the EU would be able to transfer personal data to the US under the “Privacy Shield”.

As a result of this Judgement, all public and private entities from the EU who have relied on this mechanism for cross-border personal data transfer to the US now have to justify another legal basis in cases where they transfer personal data to the US. Otherwise, these entities risk being subject to the severe sanctions defined in the General Data Protection Regulation (GDPR).

EU data controllers can still rely on some alternative legal grounds for cross-border data transfer to the US. Some examples are:

  • Standard contractual clauses. They, however, should be subject to a much stricter assessment, in view of the obligation of controllers to determine whether there is an “equivalence” of the level of personal data protection in the third country, on a case-by-case basis;
  • Binding corporate rules, within a common corporate group, approved by at least one European personal data protection supervising authority, are another legal basis for cross-border data transfer. Identical to the use of standard contractual clauses, there should again be “equivalence” of the level of personal data protection in the third country, on a case-by-case basis, on the grounds of which additional measures should be taken, if necessary.

In conclusion, it can be summarized that the Judgment of the Court of Justice of the EU in the “Schrems II” case will inevitably affect international relations and trade, as a number of questions and risks arise for business. The EDPS Strategy for cross-border personal data transfer to the United States by EU Organizations, Offices and Institutions serves as a clear indication that a new era in personal data transfer has entered, with much stricter rules and restrictions in sight. Currently, both European personal data protection institutions – EDPS and EDPB, have taken the initiative to prepare additional Guidelines on the lawful personal data transfer to the United States, but this process is expected to take months. The need for a business response and the continuity of trade relations and turnover, however, necessitate a rapid alignment of existing data transfer practices in third countries with the new direction, outlined by the Court and the EU Authorities.