New Rules for Personal Data Transfer to the US – Privacy Shield Knocked Down, Again!


If you are in the e-commerce business, if you provide online services and cooperate with companies from the USA, or if you simply use servers located in the USA, the following information about the new rules for the data you transfer to or share with American entities will be significant for you.

Namely, on July 16, 2020, the EU Court of Justice invalidated the EU-US Privacy Shield by its verdict. This agreement represented the legal framework for personal data transfers from the EU to the USA. The consequences of this decision will affect European as well as domestic entities that transfer personal data to American companies and other entities. The scale of the implications of this verdict is illustrated by a survey sample of the UCL European Institute, which found that almost 1600 companies (30% of the total number) use Privacy Shield mechanisms to transfer data about their employees to the USA.

What Exactly Is the EU-US Privacy Shield and How Did It Get Invalidated?

When data is transferred between EU member states, i.e., to countries which by definition offer an adequate level of data protection[1], the transfer is done smoothly and no additional requirements or approvals are necessary for this kind of transfer.

However, the USA is not listed among the countries that offer an adequate level of personal data protection, which is not surprising when we take into consideration the scandals revolving around the National Security Agency and Facebook. Also, the right to privacy does not have the rank of a constitutional right in the USA, while in the EU the right to privacy and personal data protection is a fundamental right of every EU citizen. Apart from that, American entities can by default process personal data, while in the EU entities must have a legitimate legal ground for every processing of personal data.

For all the reasons listed, the USA now belongs to the category of so-called third countries, so the prerequisite for a legal data transfer to American data processors is to put in place mechanisms that guarantee that the transferred data will be protected.


With the adoption of the EU-US Privacy Shield, data transfer became much easier. It was enough for an entity from the USA to register, align its business with the rules of the aforementioned mechanism, and pay a certain fee; after that, data transfers could proceed smoothly.

Still, the question of how secure these kinds of transfers really are was raised only at the initiative of Max Schrems, a privacy rights activist who is behind the whole case that led to the invalidation of the Privacy Shield.

The initiative ended with the verdict of the Court, which determined that the EU-US Privacy Shield does not offer protection to EU citizens whose data is transferred to the USA, at least not to the extent necessary to protect their right to privacy.

Besides the EU member states, the effect of the GDPR (General Data Protection Regulation) extends to non-member countries as well. This means that the consequences of the Privacy Shield being struck down will also be noticeable for data controllers and processors of personal data who transfer data from Serbia to the USA.

What Are the Consequences and the New Rules?

With the invalidation of the EU-US Privacy Shield, the USA now has the status of a third country, meaning that personal data can be transferred there from European countries only if it is determined that the transfer is ’adequately’ protected. One of the mechanisms which provides an adequate level of protection during data transfer is the Standard Contractual Clauses (SCC) adopted by the EU Committee.

More specifically, this means that all the entities from the EU that transfer personal data to entities from the USA will have to conclude appropriate contracts using the Standard Contractual Clauses.

The main drawback of the Standard Contractual Clauses is that, in practice, it is extremely difficult to check whether both parties are actually compliant. Specifically, this would require the entity which transfers the data to the USA to take an active role in inspecting in detail whether the data recipient (located in the USA) complies with the protection conditions, which in practice is almost impossible.

Still, even though the Clauses formally represent a valid basis for data transfer to third countries, when it comes to the USA their use is no longer unlimited. In reaching its verdict, the Court concluded that from now on the Clauses cannot be used for personal data transfers to the USA without an additional review by the data controller.


If we take into account two facts – firstly, that the controller of personal data is responsible for the selection of the data processor and for potential data leaks which could happen in the USA, and secondly, that individuals whose data was breached can directly request an explanation from the controller – we are led to the conclusion that an inadequate choice of a processor from the USA could cost you a fortune.

What Does this Mean for Serbia?

If you believe that the new obligations and rules will not affect you because your business is Serbia-based, well – you are mistaken.

Namely, since the domestic Personal Data Protection Act (hereinafter: PDPA) has taken over almost all of the rules from the GDPR (we have discussed this in our blog 9 most common misconceptions of employers on personal data protection), all the data protection consequences from the EU will be noticeable even when data is transferred from Serbia to the USA.

Thus, from now on, whenever you transfer data from Serbia to the USA, you must provide an appropriate level of personal data protection[2]. Since the Privacy Shield has been invalidated, you are required to apply the other mechanisms at your disposal.

The Commissioner addressed the aforementioned situation, highlighting that, in accordance with the decision of the European committee, the USA does not provide an appropriate level of protection under the Privacy Shield framework or under the Personal Data Protection Act.

The Commissioner appealed to all controllers and processors to find other mechanisms for data transfer to the USA prescribed by the PDPA. The Commissioner also sent an official notice to the Government of the Republic of Serbia asking it to align the Government’s Decision on the list of countries considered to provide an appropriate level of personal data protection, i.e. to remove the USA from that list.

What Are the Other Mechanisms?

Similarly to the EU, you have Standard Contractual Clauses at your disposal, but in this case the ones adopted by the Commissioner for Information of Public Importance and Personal Data Protection (hereinafter: Commissioner). In other words, you are obliged to conclude appropriate contracts with your contractors from the USA if you want to be sure that you are acting in accordance with the PDPA.

In all such cases, you must conclude appropriate contracts with the American company and regulate the questions regarding data transfer to the USA.

On the other hand, if GDPR applies to you extraterritorially (we have written about this in Territorial Scope of GDPR in Serbia), all the obligations and rules apply to you, the same as when data is transferred from the EU to the USA.

Therefore, the same rules apply to all Serbian employers as to the rest of the European Union: when concluding an agreement with processors from the USA, you will inevitably have to carry out the appropriate checks to determine whether all the conditions for personal data transfer have been fulfilled. Otherwise, you face financial fines under the PDPA’s penalty clauses, as well as the penalties prescribed by the GDPR (if the conditions for extraterritorial application of the GDPR are met). The question of what these ’additional checks’ will look like in practice certainly remains unanswered.

If all of this seems too complicated, the alternative is to look for the approval of the Commissioner for each data transfer to the USA. In comparison to this option, you will agree that the Standard Contractual Clauses do not seem that bad.

Yet, There Are Exceptions

The exceptions to the new rules resulting from the EU Court of Justice’s verdict are the situations in which cross-border transfer to the USA is allowed without fulfilling the additional conditions (such as applying the Clauses or obtaining the Commissioner’s approval); these situations are explicitly prescribed by the PDPA or the GDPR. Therefore, in certain cases, data transfer to the USA will still be allowed, regardless of the fact that the EU-US Privacy Shield no longer exists.

According to the PDPA, data transfer to the USA can be done as if the Privacy Shield still exists, and without applying specific precautions, in the following situations:

  • You have given explicit consent for the transfer of your personal data to the USA, and you were informed of the risks beforehand, given that there is no Privacy Shield or any other protection mechanism. You can always withdraw your consent.
  • The transfer is essential for the performance of an agreement between the data subject and the data controller, or for the conclusion of such an agreement – for example, you have ordered goods from the USA and, in order for the goods to be delivered, you have to disclose your address. Given that the agreement cannot be concluded without this, the PDPA allows an exception from the aforementioned rules.
  • The transfer is essential to submit, pursue, or defend a legal claim – for example, if you are asking for a refund from an American company, the data transfer is allowed.

Other exceptions include the fulfillment of an important public interest of the Republic of Serbia, the protection of the vital interests of a natural person, and the transfer of certain personal data kept in a public register, though these are rarely used in practice.

Certainly, entities that transfer data to American IT companies or store the data they gather on American servers will feel the consequences of the EU-US Privacy Shield invalidation the most, and many European, American, and Serbian firms will have to adapt their whole business to these new circumstances.

[1] On the level of the EU, it is considered that an adequate level of protection exists when the transfer is done between the members of the EU. The European Commission decides which countries outside the EU offer an adequate level of protection. https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en

[2] In Serbia, the Government decides on the list of countries that offer an appropriate level of protection during international data transfer (website of the Commissioner: https://www.poverenik.rs/en/home.html).
